2. Preparation

To achieve the optimal performance when CloudBacko Pro is running on your machine, refer to the following article for the list of hardware requirements.
CloudBacko Pro's Hardware Requirement List

Make sure the operating system where you have the Office 365 installed is compatible with the CloudBacko Pro. Refer to the following article for the list of compatible operating systems and application versions.
CloudBacko Pro's Software Compatibility List

For agent-based backup and restore, make sure that the latest version of CloudBacko Pro is installed on your computer with Internet access for connection to your Office 365 account.

User should also stay up-to-date when newer version of CloudBacko Pro is released. To get our latest product and company news through email, please Follow us on Facebook.

To optimize performance of CloudBacko Pro on Windows, you need to avoid conflict with your antivirus software. Refer to Exclusion of CloudBacko in your Antivirus software for details.

To avoid unexpected java crash, if the Windows machine is a guest VM hosted on a VMware Host then it is highly recommended that the VMware tools version installed on the guest VM must be 10.0.5 or above.

Below is the warning message that will be displayed if the version of the VMware Tools is less than 10.0.5.

CloudBacko Pro licenses are calculated on a per device basis:

Make sure that enough Office 365 Backup modules have been purchased in your CloudBacko Pro license to cover the backup of your users.

The licenses for the Office 365 module are calculated by the number of unique Office 365 accounts.

If you are trying to backup SharePoint Sites under the Site Collections and/or files or folders under Public Folder, only one Office 365 license module is required.

However, if you are trying to backup Items from Outlook, Items from OneDrive, Personal Sites under Users, the Office 365 license count will be calculated based on the number of the user account selected.

A licensed Exchange Administrator or a licensed user with Public Folder permission is required otherwise you will not be able to access the public folder to select items and for backup or restore.

To be able to backup Personal Sites and/or SharePoint Sites, ensure that you use Hybrid Authentication when creating a backup set. Due to the current limitation with Microsoft API, Modern Authentication is currently not suitable for backup sets with Personal Sites and/or SharePoint Sites selected. As backup and restore of SharePoint metadata are not fully supported.

The default Java setting heap 2048M, is sufficient for Office 365 backups based on the default 4 concurrent backup threads.

The Java heap size should only be increased if the number of current backup threads is increased as more backup threads is expected to consume more memory. But this does not guarantee that the overall backup speed will be faster since there will be an increased chance of throttling.

As the value of 4 concurrent backup threads is found to be the optimal setting for Office 365 backups, to ensure best backup performance, minimal resource usage, and lowest probability of throttling of Ahsay backup requests by Microsoft Office 365.

For more detailed information on how to change the Java heap size, please refer to here.

The following subscription plans with Office 365 email services are supported to run backup and restore on CloudBacko Pro.

Make sure your Office 365 subscription with Microsoft is active in order to enjoy all privileges that come along with our backup services. If your account has expired, renew it with Microsoft as soon as possible so that you can continue enjoy the Office 365 backup services provided by CloudBacko.

When your account is expired, depending on your role, certain access restrictions will be applied to your account. Refer to this URL for more details: Microsoft Office 365 Subscription Status

When restoring data of Office 365 user, the account which the data will be restored to requires valid license(s):

The basic permissions required by an Office user account for authentication of an Office 365 backup set is as follows:

To assign the Global Admin role to accounts, follow the steps below:

i. Click the App launcher in the upper left side then click Admin to go to the Microsoft 365 admin center.

ii. In the Microsoft 365 admin center, on the left panel click Users. Find the user you want to assign the Global Admin role and select Manage roles.

iii. In the Manage roles window, select Admin center access then check the box beside Global admin. Click Save Changes to save the role you assigned.

To add Term Store Administrator role to the Office 365 user account used to authenticate the Office 365 backup set.

i. In the SharePoint admin center, under Content services, click Term store.

ii. In the tree view pane on the left, select the Taxonomy.

iii. In the Term store page, for Admins, select Edit. The Edit term store admins panel appears.

iv. Enter the names or email addresses of the Office 365 user who you want to add as term store admins. Select Save.

This permission allows users added under the Members section of the Discovery Management group (refer to 2.12.4 for setup) to back up and/or restore user item(s) not only for their own account, but also the accounts of other users in the same Members section.

i. Open https://outlook.office365.com/ecp

ii. Log in to the Office 365 as an account administrator.

iii. Select the permissions menu on the left, then double click on Discovery Management on the right.

iv. Click the + icon under the Roles section. These are the following roles:

• ApplicationImpersonation
• Legal Hold
• Mailbox Import Export
• Mailbox Search
• Public Folders

v. Click Save to confirm and exit the setting.

i. Open https://outlook.office365.com/ecp

ii. Log in to the Office 365 as an account administrator.

iii. Select the permissions menu on the left, then double click on Discovery Management on the right.

iv. You can now add users to this group. Click the + icon under the Members section.

v. Look for the username(s) of the account that you would like to add permission for, then click add > OK to add the corresponding user(s) to the permission group.

vi. Click Save to confirm and exit the setting.

To successfully restore all share link types to alternate location of the same organization in Office 365, follow the settings below:

2.12.5.1 Allowing anonymous users to access application pages

i. Go to the alternate Site > in the left pane, select Site Contents > Site Settings

ii. Go to Site Collection features

iii. Deactivate “Limited-Access user permission lockdown mode” feature

2.12.5.2 Allowing sharing to external users

i. Go to your Microsoft 365 Admin Center > All admin centers > in the right pane select SharePoint

ii. Go to Sharing

If using Classic sites view, go to Policies > Sharing.

iii. Under Sharing outside your organization, select “Allow sharing only with the external users that already exist in your organization’s directory” and click OK.

If using Classic sites view, under External sharing the button must be in line with “Existing guests” and click Save.

To compensate for the significant backup performance increase, there is a tradeoff made by the Change Key API, which skips the checking of de-selected files in the backup source, which over time can result in a discrepancy between the items or files/folders selected in the backup sources and the those in the backup destination(s). However, the Change Key API will continue to check for de-selected Office 365 user accounts or Site Collections. Un-selected individual Office 365 user accounts or Site Collections detected during a backup job and will be automatically moved to retention area.

To overcome this, it is necessary in some cases to run a Data Synchronization Check (DSC) periodically. The DSC is similar to a regular Office 365 Change Key API backup job but with the additional checking and handling of de-selected files and/or folders in the backup source. So that it will synchronize the data in the backup source and backup destination(s) to avoid data build-up and the freeing up of storage quota.

Here are the pros and cons of performing the data synchronization check.

To comply with Microsoft’s product roadmap for Office 365, in the latest CloudBacko Pro, Basic Authentication (Authentication using Office 365 login credentials) will no longer be utilized. Instead all new Office 365 backup sets created will use either Modern Authentication or Hybrid Authentication.

By second half of 2021, it will be a mandatory requirement for organizations still using Basic Authentication or Hybrid Authentication to migrate to Modern Authentication.

Modern Authentication provides a more secure user authentication by using app token for authentication aside from using the Office 365 login credentials. In order to use Modern Authentication, the Office 365 account is registered under Global region and the Office 365 backup is configured to use Global region. As both Germany and China region do not support Modern Authentication.

Existing backup sets using Basic Authentication created prior to AhsayOBM v8.3.6.0 can be migrated to Hybrid Authentication or Modern Authentication. However, once the authentication process is completed, the authentication can never be reverted back to Basic Authentication. For more information on how to migrate to Hybrid Authentication or Modern Authentication please refer to Appendix J: Migrating Authentication of Office 365 Backup Set. After the upgrade to AhsayOBM v8.3.6.0 or above, the backup and restore process of existing Office 365 backup sets still using Basic Authentication will not be affected during this transition period since Modern Authentication is not yet enforced by Microsoft.

In order to migrate existing backup sets to Hybrid Authentication or Modern Authentication there are two (2) methods:

• The first method is the Office 365 account used for the backup set is assigned the Global Admin role.
• The second method is the Office 365 account used for the backup set is an ordinary account. When changing the settings of the backup set, the user can ask an Office 365 Global Admin account to login their credentials first to authorize the migration of authentication. This is only required in migrating from Basic Authentication to Modern Authentication. This only needs to be done once per backup set.

To check the current authentication being used in your Office 365 backup set, see criteria below:

If you click on the backup set and the following pop up message is displayed, then the backup set is using Basic Authentication.

Go to Backup Sets > backup set name > General > Change settings.

1. There is no pop up authentication alert.

2. In the Office 365 credentials page, the region is Global and there is a Username and Account password then the backup set is using Hybrid Authentication.

Below are the supported services of Office 365 Backup module. It is also specified in the table some services that are currently not yet supported by the Office 365 Backup module.

Below are the supported Outlook Mailbox types of Office 365 Backup.

Below are the items that you can back up or restore from OneDrive.

Below are the Site Collections/Personal Site items that you can back up or restore from an Office 365 backup set.

Below are the SharePoint Site Collections template that you can back up or restore from an Office 365 backup set.

Below is the Site Column Type that you can back up or restore from an Office 365 backup set.

Below are the items from the Public Folder that you can backup and restore from an Office 365 backup set.

The following table shows the maximum supported file size per item for backup and restore of each service.

• Modern Authentication is only supported for Office 365 account that is registered in Global region and the Office 365 backup is configured to use Global region.
• Migration to Modern Authentication is not supported on an Office 365 account without a Global Admin role; or during the migration process, the Office 365 account used to authenticate the migration does not have Global Admin role.
• Backup and restore of the site features setting for SharePoint Site Collection and/or Personal Site using Modern Authentication is not supported.
• Due to limitations in Microsoft API, when using Modern Authentication, backup and restore of SharePoint Web Parts and Metadata are not fully supported.
• Backup sets using Modern Authentication do not support backup of external content types (through the linkage from selected lists).
• Backup sets using Modern Authentication do not support backup and restore of the following:

• Document Libraries, List Items and their default Column Types will be supported, excluding customized Apps and SharePoint App Store applications.
• Most of site lists will be supported, except for certain list types that will be skipped to restore due to API limitation, for example is Microfeed in Classic Team Site.
• Site logos will NOT be restored, it is suggested revisiting the site setting page and manually add the missing images if necessary.
• User-defined workflow templates will NOT be supported for backup and restore.
• Recycle Bin will NOT be supported for backup and restore.
• Most of Site level settings will NOT be restored, except for those essential to support the successful restore of the backup items e.g. Manage Site Feature / Site Collection Feature.
• Most of List level settings (including List view) will NOT be restored, except for those essential to support the successful restore of backup items, e.g. item checkout settings. Following restore, it is suggested revisiting the relevant settings if necessary. This may affect list column ordering and visibility after restoring.
• Restoring External Data column is NOT supported if external content type has been deleted via SharePoint Designer.
• Restoring of multiple Value of managed metadata column when the key name (column name) contains space is NOT supported.
• Restoring of list with local managed metadata column to alternate location is NOT supported.
• The restore of SharePoint documents or folders with the following characters: / \ | * : “ < > in item name to a Windows local computer is not supported. As Windows does not support these characters for either a file or folder name.
• Restoring Newsfeed items in Modern Team Site will not publish the items to Homepage automatically, user will need to navigate to Site Content > Page Library> click on each individual news item and “Post” the news one by one manually.

• Backup and restore of file share links will be supported for OneDrive and SharePoint Documents only, and only for restore to the same Office 365 organization.
• Backup and restore of all versions will be supported for OneDrive and SharePoint Documents only, except for ”.aspx“ files.

• Online Archive Mailbox will NOT be supported for backup and restore.
• For Outlook mail item, after using restore to original location to overwrite a mail item (and hence id of the mail id is changed), then

• Only administrator account or user account with administrative authority can restore backup items to an alternate location.
• If you are trying to restore item(s) from one user to an alternate location user, AhsayOBM will restore the item(s) to their respective destination folder(s) with the same name as the original folder(s).
  Example: Item from Outlook of User-A will be restored to the Outlook of the alternate location User-B; Item from SharePoint of User-A will be restored to the SharePoint of the alternate location User-B.
• Restore of item(s) in public folder to an alternate location public folder is not supported.
  Example: Restore of item(s) in public folder from User-A to alternate location User-B is not supported.
• When restoring to alternate location, data type “Person or Group” will not be restored. Following restore, it is suggested revisiting the relevant settings if necessary. This also affects “Assigned To” column values of some list templates (e.g. Tasks list), and “Target Audience” column values of some list templates (e.g. Content and Structure Reports).
• If you are trying to restore item(s) from several users to an alternate location user, AhsayOBM will restore the item(s) to their respective destination folder(s) in alternate location user with the same name as the original folder(s).

| |

Example: Item from Outlook of User-A and User-B will be restored to the Outlook of the alternate location User-C.

If you are trying to restore item(s) from multiple Office 365 user account to an alternate Office 365 user account, AhsayOBM can only restore one Office 365 user account at a time.

• Restoring of document library (including OneDrive) items 'Share Link to alternate organization will trigger a warning message.
• Skip to restore People and groups and Site permissions to alternate origination.

If you are trying to restore the item to a destination user which has a different language setting than the original user, AhsayOBM will restore item(s) to their respective destination folder based on the translation listed below.

For folders such as ‘Calendar’ or ‘Notes’, a new folder ‘Calendar’ or ‘Notes’ will be created.

For folders in OneDrive and SharePoint, a new folder will be created.

Restoring of existing documents in checked out status is supported only when the user who has checked out the file is the same user who is performing the restore.

For more detailed information on the limitations of Exchange Online, please refer to this Microsoft article, Exchange Online Limits. These are some of the limitations that will be discussed in the Exchange Online Limits article:

• Address book
• Mailbox storage
• Capacity alerts
• Mailbox folder
• Message
• Receiving and sending
• Retention
• Distribution group
• Journal, Transport, and Inbox rule
• Moderation
• Exchange ActiveSync

For more detailed information on the limitations of OneDrive, please refer to this Microsoft article, OneDrive Limits. These are some of the limitations that will be discussed in the OneDrive Limits article:

• File name and path lengths
• Thumbnails and previews
• Number of items to be synced
• Information rights management
• Differential sync
• Libraries with specific columns
• Windows specific limitations

For more detailed information on the limitations of SharePoint Online, please refer to this Microsoft article, SharePoint Online Limits. These are some of the limitations that will be discussed in the SharePoint Online article:

• Limits by plan
  
• Service limits for all plans, such as: items in lists and libraries, file size and file path length, moving and copying across site collections, sync, versions, SharePoint groups, managed metadata, subsites, etc.

The following are some best practices or recommendations we strongly recommend you follow before you start any Office 365 backup and restore.

Temporary directory folder is used by CloudBacko for storing backup set index files and any incremental or differential backup files generated during a backup job. To ensure optimal backup/restoration performance, it is recommended that the temporary directory folder is set to a local drive with sufficient free disk space.

Consider the following best practices for optimized performance of the backup operations:

• Enable schedule backup jobs when system activity is low to achieve the best possible performance.
• Perform test restores periodically to ensure your backup is set up and performed properly. Performing recovery test can also help identify potential issues or gaps in your recovery plan. It is important that you do not try to make the test easier, as the objective of a successful test is not to demonstrate that everything is flawless. There might be flaws identified in the plan throughout the test and it is important to identify those flaws.

To provide maximum data protection and flexible restore options for agent-based backup, it is recommended to configure:

• At least one offsite or cloud destination
• At least one local destination for fast recovery

The periodic backup schedule should be reviewed regularly to ensure that the interval is sufficient to handle the data volume on the machine. Over time, data usage pattern may change on a production server, i.e. the number of new files created, the number of files which are updated/deleted, and new users may be added etc. schedule.

Consider the following key points to efficiently handle backup sets with periodic backup schedule.

• Hardware – to achieve optimal performance, compatible hardware requirements is a must. Ensure you have the backup machine’s appropriate hardware specifications to accommodate frequency of backups,

• Network – make sure to have enough network bandwidth to accommodate the volume of data within the backup interval.
• Retention Policy - also make sure to consider the retention policy settings and retention area storage management which can grow because of the changes in the backup data for each backup job.

Although Microsoft has moved the enforcement date for Modern Authentication from end of 2020 to the second half of 2021, since this new authentication is already available starting with AhsayOBM v8.3.6.0 or above, it is recommended that backup sets are migrated to Modern Authentication. All newly created Office 365 backup sets on AhsayOBM v8.3.6.0 or above automatically use Modern Authentication.

However, due to the current limitation with Microsoft API, Modern Authentication is currently not suitable for backup sets with Personal Sites and/or SharePoint Sites selected. As a temporary workaround for Office 365 backup sets which require backup of Personal Sites and/or SharePoint Sites selected should be migrated to Hybrid Authentication until the issue has been resolved by Microsoft.

In general, we recommend that each Office 365 backup set does not contain more than 2000 Office 365 users, to ensure a daily incremental backup job completes within 24 hours assuming that only small incremental daily changes will be made on the backup set.

However, the actual number of Office 365 users in a backup set may vary depending on the total number of Outlook, OneDrive, and SharePoint items, as well as the total size of these items. The actual number of Office 365 users in a backup set could be considerably less or could be more than 2000.

For details on the actual item count and size of Office 365 user, it is recommended to check in the Microsoft 365 Admin Centre, please refer to Appendix I: Steps on How to view Item count and Storage used in Microsoft 365 Admin Center.

Also, by splitting up all the users into separate backup sets, the more backup sets, the faster the backup process can achieve.

It is also a requirement that for every split backup sets should have its own unique user account for authentication to minimize the probability of throttling from Microsoft.

Example: If there are 10 split backup sets, then there should be 10 unique user accounts for authentication.

For more detailed example, refer to Appendix B: Example for backup of large numbers of Office 365 users.

The value of 4 concurrent backup threads is found to be the optimal setting for Office 365 backups, to ensure best backup performance, minimal resource usage, and lowest probability of throttling of Ahsay backup requests by Microsoft Office 365.

For Office 365 backup sets there are two approaches for backup source selection. Below are the sample screenshots of the selection All Office 365 users and Selective 365 user.

All Office 365 users	Selective Office 365 user

• All Office 365 users
  If you tick the “Users” checkbox, all of the sub Office 365 user accounts will automatically be selected.
• Selective Office 365 user
  If you tick selective Office 365 user accounts, you will notice that the “Users” checkbox is highlighted with gray color. This indicates that not all the users are selected.

These are the Pros and Cons when selecting a backup source from all Office 365 users and selective Office 365 user.