Are you backing up your Office 365? And… why not?
I’m not going into the lengthy and exhausting discussion of why you should take care of your data, even if it’s stored in something unbreakable like “the cloud”, at least not in this post. I would like to focus on one of the features of the new Veeam Backup for Office 365 v4, which was released just the other day. This feature is “object storage support”, as you may have already guessed from the title of this fine post!
So, this means that you can take Amazon S3, Microsoft Azure Blob Storage or even IBM Cloud Object Storage and use it for your Veeam Backup for Office 365. And even better – you can use any S3-compatible storage to do the same! How cool is that?!
I’ve created a small environment to support this test (and later production, if it works as it should) and basically done the following:
- created a standard Windows Server 2019 VM on top of Microsoft Azure, to hold my Veeam Backup for Office 365 installation (good people at Microsoft provided me Azure credits, so… why not?!)
- downloaded Veeam Backup for Office 365 (good people at Veeam provided me an NFR license for it, so I’ve used it instead of Community Edition)
- created an Exoscale SOS bucket for my backups (good people at Exoscale/A1TAG/A1.digital/A1HR provided me credits, so… why not?!)
- installed Veeam Backup for Office 365 (it’s a “Next-Next-Finish” type of installation, hard to get it wrong)
- configured Veeam Backup for Office 365 (not so hard, if you know what you are doing and you’ve read the official docs)
- added a new Object Storage Repository
- added a new Backup Repository which offloads the backup data to the previously created Object Storage Repository
- configured a custom AAD app (with the right permissions)
- added a new Office 365 organization with AAD app and Global Admin account credentials (docs)
- created a backup job for this Office 365 organization
- started backing it all up
Now, a few tips on the “configuration part”:
- Microsoft Azure:
- no real prerequisites and tips here – simple Windows VM, on which I’m installing the downloaded software (there is a list of system requirements if you want to make sure it’s all “by the book”)
- creating the Exoscale SOS bucket is relatively easy, once you have your account (you can request a trial here) – you choose the bucket name and zone in which data will be stored and… voilà:
- if you need to make adjustments to the ACL of the bucket, you can (quick ACL with private setting is just fine for this one):
- to access your bucket from Veeam, you’ll need your API keys, which you can find in the Account – Profile – API keys section:
- one other thing you’ll need from this section is the Storage API Endpoint, which depends on the zone you’ve created your bucket in (mine was created inside AT-VIE-1 zone, so my endpoint is https://sos-at-vie-1.exo.io):
- Office 365:
- note: I’m using the Modern authentication option because of MFA on my tenant and… it’s the right way to do it!
- for this, I created a custom application in Azure Active Directory (AAD) under App registrations – New registration (take note of the Application (client) ID, as you will need it when configuring Veeam):
- I’ve added a secret to this app (which you should also take note of, because you’ll need it later):
- then, I’ve added the minimal required API permissions to this app (as per the official docs). Note that the official docs have an error (at this time), which I reported to Veeam: you’ll need the SharePoint Online API access permissions even if you don’t use certificate-based authentication(!). So, the permissions which work for me are:
- UPDATE: Got word back from Veeam development: the additional SharePoint permissions may not be necessary after all, maybe I needed to wait a bit longer… will retry next time without those permissions.
- after that, I’ve enabled the “legacy authentication protocols”, which is still a requirement (you can do it in Office 365 admin center – SharePoint admin center – Access Control – Apps that don’t use modern authentication – Allow access or via PowerShell command “Set-SPOTenant -LegacyAuthProtocolsEnabled $True”):
- lastly, I’ve created an app password for my (global admin) account (which will also be required for Veeam configuration):
- Veeam Backup for Office 365:
- add a new Object Storage Repository:
- add a new Backup Repository (connected to the created Object Storage Repository; this local repository will only store metadata – backup data will be offloaded to the object storage and can be encrypted, if needed):
- add a new Office 365 organization:
- create a backup job:
- start backing up your Office 365 data:
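
For the bucket ACL step above, one way to confirm the backup bucket really is private. This is an added example, not code from the original post, Veeam or Exoscale: it parses an S3 AccessControlPolicy document (what the S3 GET Bucket ACL call returns) and reports every grant that goes beyond the bucket owner. It assumes SOS, being S3-compatible, returns the standard S3 ACL XML; the sample documents, the owner ID and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Predefined S3 groups that open a bucket beyond its owner.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any authenticated account",
}

def audit_bucket_acl(acl_xml):
    """Return one finding per non-owner grant; an empty list means private."""
    root = ET.fromstring(acl_xml)
    owner_id = root.findtext("s3:Owner/s3:ID", default="", namespaces=NS)
    findings = []
    for grant in root.findall("s3:AccessControlList/s3:Grant", NS):
        grantee = grant.find("s3:Grantee", NS)
        if grantee is None:
            continue
        perm = grant.findtext("s3:Permission", default="?", namespaces=NS)
        uri = grantee.findtext("s3:URI", default="", namespaces=NS)
        gid = grantee.findtext("s3:ID", default="", namespaces=NS)
        if uri in PUBLIC_GROUPS:
            findings.append(f"{perm} granted to {PUBLIC_GROUPS[uri]}")
        elif grantee.get(XSI_TYPE) == "CanonicalUser" and gid != owner_id:
            findings.append(f"{perm} granted to another account: {gid}")
    return findings

# Constructed sample documents (the owner ID is made up), not real SOS output.
XSI = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
def sample_acl(extra_grants=""):
    return f"""<AccessControlPolicy xmlns="{NS['s3']}">
  <Owner><ID>owner-0001</ID></Owner>
  <AccessControlList>
    <Grant><Grantee {XSI} xsi:type="CanonicalUser"><ID>owner-0001</ID></Grantee>
      <Permission>FULL_CONTROL</Permission></Grant>{extra_grants}
  </AccessControlList>
</AccessControlPolicy>"""

PRIVATE_ACL = sample_acl()
PUBLIC_READ_ACL = sample_acl(f"""
    <Grant><Grantee {XSI} xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee>
      <Permission>READ</Permission></Grant>""")

if __name__ == "__main__":
    for name, doc in (("private", PRIVATE_ACL), ("public-read", PUBLIC_READ_ACL)):
        print(name, "->", audit_bucket_acl(doc) or "owner-only")
```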