Don’t Neglect! Protect MS O365!

In my recent Kube Vanguard Vlog I talked about just how important modern-day digital communication and data have become. Losing this data can be catastrophic to your business and personal lives. Microsoft does not back up your O365. They have what is known as the shared responsibility model, which you can read more about here: https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility

We have acknowledged that it is essential to protect your O365, and now I will demonstrate one way to do this leveraging Veeam’s Backup for Microsoft 365.

First, log in and download the install file from Veeam at https://www.veeam.com/kb4347

If you are only testing then you can leverage the free community edition which will limit you to backing up 10 users, otherwise have your license file from Veeam ready!

You can find the system requirements here (on a side note I would always go back and check this just in case to see if there have been any changes after product updates and upgrades): https://helpcenter.veeam.com/docs/vbo365/guide/vbo_system_requirements.html?ver=60

To start the installation run the installer. Here I have mounted the ISO:


You will be given 4 choices but if you want to install everything then choose the first option:


Accept the License Agreement:

If your system does not meet the requirements it will let you know:

Now choose an installation path or just use the default that is offered:

Go through the simple installation screens and finish the install:

Double-click on the desktop icon for the console and log in. The second icon is for the Veeam Backup PowerShell toolkit. Note: you can also use this console to log in to a remote Veeam O365 setup.

I was prompted to supply a licence:


The product will also inform you automatically at login whether or not there are any new updates available:


I am going to set up my infrastructure first before connecting to an organization, and my first step will be to take a look at the backup proxy. If you have a large organization then you probably want to have separate servers for your backup proxies and repositories. You can follow the Veeam Architect VBO365 best practices on this site: https://bp.veeam.com/vb365

First, I want to add an S3 compatible bucket. I want to send my backups to S3 compatible Object Storage so that I can leverage encryption at rest. For this I will use Wasabi.

I will create the bucket in Wasabi:

Now I will add this to my Veeam O365 console:

You can limit your consumption which I believe is a useful feature if you want to control your cloud storage costs:

The S3 Compatible repository is now set up and ready to be used:

Next I will add a repository and extend it to this S3 Object Storage. This means that my backup metadata will be held locally but my backups will be sent off directly to S3.

Here I will extend the repository to S3 choosing my Wasabi Bucket and adding an encryption password:

Next comes a very important decision. You can choose to use either Snapshot-based retention or Item-Level retention. Make certain that you understand the implications of both methods, as this cannot be changed once set.

For more information on Retention Policy Settings consult the documentation
here: https://helpcenter.veeam.com/docs/vbo365/guide/new_repository_4.html?ver=60
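
To make the difference concrete, here is an added example (not part of the original post and not Veeam code) that models the two retention types as Veeam's documentation describes them: item-level keeps an item while its creation or last-modification time is within the retention period, snapshot-based keeps it while its latest restore point is. The daily backup schedule, dates and item names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Item:
    name: str
    modified: date                  # creation or last-modification day
    deleted: Optional[date] = None  # day it was removed from the mailbox

def in_mailbox(item: Item, day: date) -> bool:
    return item.modified <= day and (item.deleted is None or day < item.deleted)

def restorable(item, policy, restore_points, today, retention_days):
    """True if `item` can still be restored on `today` under `policy`."""
    cutoff = today - timedelta(days=retention_days)
    # Restore points that actually captured the item.
    seen = [rp for rp in restore_points if rp <= today and in_mailbox(item, rp)]
    if not seen:
        return False
    if policy == "snapshot":   # kept while its latest restore point is in retention
        return max(seen) >= cutoff
    if policy == "item":       # kept while its own timestamp is in retention
        return item.modified >= cutoff
    raise ValueError(f"unknown policy: {policy}")

# Constructed scenario: daily backups since 2022-01-01, 1-year retention.
FIRST, TODAY, RETENTION = date(2022, 1, 1), date(2024, 1, 1), 365
POINTS = [FIRST + timedelta(days=n) for n in range((TODAY - FIRST).days + 1)]
ITEMS = [
    Item("old contract, still in mailbox", date(2019, 5, 1)),
    Item("recent mail, deleted after 2 weeks", date(2023, 6, 1), date(2023, 6, 15)),
    Item("mail deleted long ago", date(2022, 3, 1), date(2022, 4, 1)),
    Item("old mail, deleted last month", date(2021, 1, 1), date(2023, 12, 1)),
]

def compare():
    """Map item name -> (item-level result, snapshot-based result)."""
    return {i.name: (restorable(i, "item", POINTS, TODAY, RETENTION),
                     restorable(i, "snapshot", POINTS, TODAY, RETENTION))
            for i in ITEMS}

if __name__ == "__main__":
    for name, (item_level, snapshot) in compare().items():
        print(f"{name:38} item-level={item_level!s:5} snapshot={snapshot}")
```

The two policies disagree on the old items: with a one-year period, item-level retention does not hold mail older than a year even if it is still in (or was only just deleted from) the mailbox, while snapshot-based retention does as long as a recent restore point contains it.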

I chose snapshot-based retention and my new repository now appears in the setup:

Now I am going to add my organization: 

It is important to choose Modern Authentication, as Basic Authentication has been deprecated: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

I am going to create a new AD application and use a self-signed certificate since this is a test but again please consult the documentation and best practices when doing this in production: https://bp.veeam.com/vb365

Now I need to hook into my organization through Microsoft device login. Make sure that the account you use has enough privileges to do this. You can find a list of the permissions needed here: https://helpcenter.veeam.com/docs/vbo365/guide/vbo_required_permissions.html?ver=60

Now I have to enter the code on the Microsoft login page to proceed further to authentication:

Back in the application things are moving along nicely:

My organization is now connected to the Backup Software:

Now that my organization is in place it is time to create a backup job. I will back up my user:

There is a lot of flexibility for scheduling, like backup windows to prevent your backups from affecting you during working hours:

Now to run it manually for the first time:

The job completed successfully, I am protected!

I can right-click on the backup job and use the built-in Explorers if I need to restore:

Notice the “Add to backup copy job” feature. You can never do too much when it comes to Data Protection:

Let me try a quick restore. Since I have extended my repository, i.e. sent my backups off to S3, Veeam will warn me about potential charges from Cloud Providers:

In a crazy clean up moment of truth I accidentally deleted all of my Veeam Community Hub emails! Luckily they have all been backed up!

For now though I just need one, time to do a restore:

Ah wait I forgot, I don’t have the correct permissions! I will have to contact our O365 wizard Hin Tang to help me out. By the way Hin Tang helped me along with this blog, Thanks Hin!