Protecting Microsoft 365 data

Why back up Microsoft 365 data?

Even though Microsoft 365 is a set of cloud services, regular backups provide an additional layer of protection from user errors and intentional malicious actions. You can recover deleted items from a backup even after the Microsoft 365 retention period has expired. Also, you can keep a local copy of the Exchange Online mailboxes if it is required for regulatory compliance.

Backed-up data is automatically compressed and uses less space in the backup location than in its original location. The compression level for cloud-to-cloud backups is fixed and corresponds to the Normal level of non-cloud-to-cloud backups. For more information about these levels, refer to Compression level.

Cloud agent and local agent

For Microsoft 365 workloads, two agents are available:

  • Cloud agent

    The cloud agent provides extended backup functionality, which is directly accessible in the Cyber Protect console. No installation is required. For more information, see Using the cloud Agent for Microsoft 365.

  • Local agent

    The local agent only provides backup of Exchange Online mailboxes. This agent must be installed on a Windows machine that is connected to the Internet. For more information, see Using the locally installed Agent for Office 365.

Azure Information Protection (AIP) is supported with both agents.

For tenants in the Compliance mode, only the local agent is available. These tenants can back up only Microsoft 365 mailboxes. They cannot use the extended functionality provided by the cloud agent.

The following table summarizes the functionality of the agents.

Data items that can be backed up

  • Local agent:
    • Exchange Online: user mailboxes and shared mailboxes (including mailboxes of users on a Kiosk plan and mailboxes on litigation hold)
  • Cloud agent:
    • Exchange Online:
      • user mailboxes and shared mailboxes (including mailboxes of users on a Kiosk plan and mailboxes on litigation hold)
      • group mailboxes
      • public folders
    • OneDrive: user files and folders
    • SharePoint Online:
      • classic site collections
      • group (team) sites
      • communication sites
      • individual data items
    • Microsoft 365 Teams:
      • entire teams
      • team channels
      • channel files
      • team mailboxes
      • files and email messages in team mailboxes
      • meetings
      • team sites
    • OneNote notebooks: as part of OneDrive, SharePoint Online, and Microsoft 365 Teams backups

Backup of archive mailboxes (In-Place Archive)

  • Local agent: No
  • Cloud agent: Yes

Backup schedule

  • Local agent: User-defined
  • Cloud agent: Up to six times per day*

Backup locations

  • Local agent: Cloud storage, local folder, network folder
  • Cloud agent: Cloud storage only (including partner-hosted storage)

Automatic protection of new Microsoft 365 users, groups, sites, and teams

  • Local agent: No
  • Cloud agent: Yes, by applying a protection plan to the All users, All groups, All sites, All teams groups

Protecting more than one Microsoft 365 organization

  • Local agent: No
  • Cloud agent: Yes

Granular recovery

  • Local agent: Yes
  • Cloud agent: Yes

Recovery to another user within one organization

  • Local agent: Yes
  • Cloud agent: Yes

Recovery to another organization

  • Local agent: No
  • Cloud agent: Yes

Recovery to an on-premises Microsoft Exchange Server

  • Local agent: No
  • Cloud agent: No

Maximum number of items that can be backed up without performance degradation

  • Local agent:
    • When backing up to the cloud storage: 5000 mailboxes per company
    • When backing up to other destinations: 2000 mailboxes per protection plan (no limitation for number of mailboxes per company)
  • Cloud agent: 10 000 protected items (mailboxes, OneDrives, or sites) per company**

Maximum number of manual backup runs

  • Local agent: No
  • Cloud agent: 10 manual runs during an hour

Maximum number of simultaneous recovery operations

  • Local agent: No
  • Cloud agent: 10 operations, including Google Workspace recovery operations

* The default option is Once a day. With the Advanced Backup pack, you can schedule up to six backups per day. The backups start at approximate intervals that depend on the current load of the cloud agent, which serves multiple customers in a data center. This ensures even load during the day and equal quality of service for all customers.

The protection schedule might be affected by the operation of third-party services, for example, the accessibility of Microsoft 365 servers, throttling settings on the Microsoft servers, and others. See also https://docs.microsoft.com/en-us/graph/throttling.

** We recommend that you back up your protected items gradually and in this order:

  1. Mailboxes.
  2. After all mailboxes are backed up, proceed with OneDrives.
  3. After OneDrive backup is completed, proceed with the SharePoint Online sites.

The first full backup may take several days, depending on the number of protected items and their size.

Required user rights

In Cyber Protection

The local agent must be registered under a company administrator account and used on the customer tenant level. Company administrators acting on the unit level, unit administrators, and users cannot back up or recover Microsoft 365 data.

The cloud agent can be used both on a customer tenant level and on a unit level. For more information about these levels and their respective administrators, see Administering Microsoft 365 organizations added on different levels.

In Microsoft 365

Your account must be assigned the global administrator role in Microsoft 365.

To discover, back up, and recover Microsoft 365 public folders, at least one of your Microsoft 365 administrator accounts must have a mailbox and read/write rights to the public folders that you want to back up.

  • The local agent will log in to Microsoft 365 by using this account. To enable the agent to access the contents of all mailboxes, this account will be assigned the ApplicationImpersonation management role. If you change the account password, update the password in the Cyber Protect console, as described in Changing the Microsoft 365 access credentials.
  • The cloud agent does not log in to Microsoft 365. You need to log into Microsoft 365 as a global administrator once, in order to grant the cloud agent the permissions required for its operation.

    The following permissions in Microsoft 365 are required:

    • Sign in and read user profiles
    • Read and write files in all site collections
    • Read and write all users' full profiles
    • Read and write all groups
    • Read directory data
    • Read all channel messages
    • Read and write managed metadata
    • Read and write items and lists in all site collections
    • Have full control of all site collections
    • Read and write items in all site collections
    • Use Exchange Web Services with full access to all mailboxes
  • The cloud agent does not store your account credentials and does not use them to perform backup and recovery. Changing the credentials, disabling the account, or deleting the account does not affect the operation of the cloud agent.
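Because the cloud agent keeps working from the one-time consent even after the administrator account is changed or deleted, the granted permission set is worth reviewing periodically. The following is an added example, not part of the product or its documentation: it compares a list of granted permission display names against the list above. The sample input is constructed, and the function names are hypothetical.

```python
import unicodedata

# Permission display names listed on this page for the cloud agent.
DOCUMENTED = [
    "Sign in and read user profiles",
    "Read and write files in all site collections",
    "Read and write all users' full profiles",
    "Read and write all groups",
    "Read directory data",
    "Read all channel messages",
    "Read and write managed metadata",
    "Read and write items and lists in all site collections",
    "Have full control of all site collections",
    "Read and write items in all site collections",
    "Use Exchange Web Services with full access to all mailboxes",
]

def normalize(name):
    """Fold case, whitespace, curly apostrophes and a trailing period."""
    text = unicodedata.normalize("NFKC", name).replace("\u2019", "'")
    return " ".join(text.lower().split()).rstrip(".")

def review_consent(granted_names):
    """Compare granted display names with the documented list.

    Returns (missing, unexpected): documented permissions that were not
    granted, and granted permissions that the page does not list.
    """
    documented = {normalize(n): n for n in DOCUMENTED}
    granted = {normalize(n): n for n in granted_names}
    missing = [documented[k] for k in documented if k not in granted]
    unexpected = [granted[k] for k in granted if k not in documented]
    return missing, unexpected

# Constructed sample: names as they might be copied from a consent review.
SAMPLE_GRANTED = [n for n in DOCUMENTED if n != "Read all channel messages"] + [
    "read and write all users\u2019 full profiles ",  # same permission, typed differently
    "Send mail as any user",                          # not on the documented list
]

if __name__ == "__main__":
    missing, unexpected = review_consent(SAMPLE_GRANTED)
    print("missing:", missing)
    print("unexpected:", unexpected)
```

An unexpected entry means the application holds access beyond what this page documents; a missing entry usually means consent was granted only partially or has been revoked.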

Limitations

  • With the local agent, you can protect up to 5000 workloads. With the cloud agent, you can protect up to 50000 workloads.

  • All users with a mailbox or OneDrive are shown in the Cyber Protect console, including users without a Microsoft 365 license and users who are blocked from signing in to the Microsoft 365 services.
  • A mailbox backup includes only folders visible to users. The Recoverable items folder and its subfolders (Deletions, Versions, Purges, Audits, DiscoveryHold, Calendar Logging) are not included in a mailbox backup.
  • Automatic creation of users, public folders, groups, or sites during a recovery is not possible. For example, if you want to recover a deleted SharePoint Online site, first create a new site manually, and then specify it as the target site during a recovery.
  • You cannot simultaneously recover items from different recovery points, even though you can select such items from the search results.
  • During a backup, any sensitivity labels that are applied to the content will be preserved. Therefore, sensitive content might not be shown if it is recovered to a non-original location and its user has different access permissions.

  • You cannot apply more than one individual backup plan to the same workload.

  • When an individual backup plan and a group backup plan are applied to the same workload, the settings in the individual plan take precedence.

Microsoft 365 seats licensing report

Company administrators can download a report about the protected Microsoft 365 seats and their licensing. The report is in the CSV format and includes information about the licensing status of a seat and the reason why a license is used. The report also includes the protected seat name, associated email, group, Microsoft 365 organization, and the name and type of the protected workload.

This report is only available for tenants in which a Microsoft 365 Organization is registered.

To download the Microsoft 365 seats licensing report

  1. Log in to the Cyber Protect console as a company administrator.
  2. Click the account icon in the upper-right corner.
  3. Click Microsoft 365 seats licensing report.

Logging

Actions with cloud-to-cloud resources, such as viewing the content of backed-up emails, downloading attachments or files, recovering emails to non-original mailboxes, or sending them as emails, may violate user privacy. These actions are logged in Monitoring > Audit log in the Management Portal.