Requirements
AhsayOBM Installation
For agent-based backup and restore, make sure that the latest version of AhsayOBM is installed on your computer with Internet access for connection to your Microsoft 365 account.
Users should also stay up to date when a newer version of AhsayOBM is released. To get our latest product and company news, please check out the page Announcements on our website.
AhsayOBM License Requirement
AhsayOBM licenses are calculated on a per device basis:
To back up users with one (1) backup client computer
Example: If one AhsayOBM is installed then, one AhsayOBM license is required.
To back up users with multiple backup client computers, the number of AhsayOBM licenses required is equal to the number of devices.
Example: If there are ten (10) users to be backed-up across three(3) backup client computers, then 3 AhsayOBM licenses are required.
Please contact your backup service provider for more details.
Access for AhsayCBS User Web Console
It is now possible to perform agentless backup and restore, which can be done via the AhsayCBS User Web Console without using the AhsayOBM client agent. In order to access the User Web Console, make sure you have an Internet connection and a web browser installed on your computer or mobile device.
Access to AhsayCBS User Web Console is dependent on the policy set by your administrator. Kindly contact your administrator if you are having trouble logging in the AhsayCBS User Web Console.
Add-on Module Requirement
Make sure that the Microsoft 365 Backup feature has been enabled as an add-on module in your AhsayOBM user account and there is enough Microsoft 365 Backup license quota to cover the backup of your users.
Please contact your backup service provider for more details. Below is a sample screen shot of an AhsayOBM User with an add-on module of Microsoft 365 with ten (10) licenses.
IMAGE HERE
The Ahsay licenses for the Microsoft 365 module are calculated by the number of unique licensed or unlicensed Microsoft 365 user accounts. If same Microsoft 365 account is backed up on multiple backup sets with an AhsayOBM user account would be counted as one Microsoft 365 license.
Each licensed or unlicensed Microsoft 365 user account selected for backup requires one Microsoft 365 license.
Each Equipment Mailbox, Room Mailbox, or Shared Mailbox selected for backup requires one Microsoft 365 license.
If just only SharePoint Sites under the Site Collections and/or files of folders under Public Folder are selected for backup, this requires zero Microsoft 365 license but a minimum of one Microsoft 365 license is needed to perform a backup. The Microsoft 365 license is only needed to start the backup but it will not be counted as used license.
However, if any items from either Outlook, Items from OneDrive, or Personal Sites under Users are selected for backup, the Microsoft 365 license count will be calculated based on the number of user account selected.
For more detailed examples about the Micforosft 365 license requirement and usage, please refer to the Troubleshooting - Example Scenarios for Microsoft 365 License Requirement and Usage.
Backup Quota Requirement
Make sure that your AhsayOBM user account has sufficient quota assigned to accommodate the storage of the Microsoft 365 users for the new backup set and retention policy. Please contact your backup service provider for more details.
To get an accurate estimate of the backup quota requirement, it is recommended to check the actual usage of the Microsoft 365 Organization in the Microsoft 365 Admin Centre. Please refer to the Troubleshooting - How to view Item count and Storage used in Microsoft 365 Admin Center.
Public Folder Backup
A licensed Exchange Administrator or a licensed user with Public Folder permission is required, otherwise you will not be able to access the public folder to select items and for backup or restore.
Java Heap Size
The default Java heap size setting is 2048MB which is sufficient for Microsoft 365 backups based on the default four (4) concurrent backup threads.
The Java heap size should only be increased if the number of current backup threads is increased as more backup threads is expected to consume more memory. But this does not guarantee that the overall backup speed will be faster since there will be an increased chance of throttling.
As the value of four (4) concurrent backup threads is found to be the optimal setting for Microsoft 365 backups, to ensure best backup performance, minimal resource usage, and lowest probability of throttling of Ahsay backup requests by Microsoft 365.
For more detailed information on how to increase the backup thread, please refer to the Troubleshooting - How to Increase the Number of Concurrent Backup Threads section.
Microsoft 365 License Requirement
Microsoft 365 Subscription Plan
The following subscription plans with Microsoft 365 email services are supported to run backup and restore on AhsayOBM or AhsayCBS User Web Console.
Microsoft 365 Business Microsoft 365 Business Essentials Microsoft 365 Business Premium Microsoft 365 Enterprise E1 Microsoft 365 Enterprise E3 Microsoft 365 Enterprise E3 Microsoft 365 Enterprise E5 Microsoft 365 Education Microsoft 365 Subscription Status
Make sure your Microsoft 365 subscription with Microsoft is active in order to enjoy all privileges that come along with our backup services. If your account has expired, renew it with Microsoft as soon as possible so that you can continue enjoy the Microsoft 365 backup services provided by Ahsay.
When your account is expired, depending on your role, certain access restrictions will be applied to your account. Refer to the URL below for more details.
Restore Requirement
When restoring data of Microsoft 365 user, the account which the data will be restored to requires valid license(s):
Requires Exchange License
Example: Exchange Online Plan and Microsoft 365 E3 are required when restoring Outlook's / Public Folder's items.
Requires SharePoint License
Example: SharePoint Online Plan and Microsoft 365 E3 are required when restoring OneDrive's / Personal Site's items.
Microsoft 365 Permission Requirement
The basic permissions required by a Microsoft user account for authentication of a Microsoft 365 backup set is as follows:
Global Admin Role
The Microsoft 365 account used for authentication must have Global Admin Role, since Modern Authentication will be used.
This is to ensure that the authorization configuration requirements will be fulfilled (e.g. connect to Microsoft Azure AD to obtain the App Access Token). To assign the role, please refer to Assigning Global Admin Role to Accounts.
Term Store Administrator Role
The Term Store Administrator Role may be required for backup and restore of SharePoint items. To assign the role, please refer to Granting Term Store Administrator Role.
A member of Discovery Management security group
The Discovery Management security group must be assigned the following roles. To assign the role, please refer to Granting Permission Discovery Management Group.
- Legal Hold
- Mailbox Import Export
- Mailbox Search
- Public Folders
Otherwise, proceed to grant all necessary permissions to the Microsoft user account as shown in the following chapters:
- Assigning Global Admin Role to Accounts
- Granting Term Store Administrator Role
- Granting Permission Discovery Management Group
- Granting Permission to Accounts for Creating Backup Set
- Granting Permission to Restore All Share link types to Alternate location in Microsoft 365
Assigning Global Admin Role to Accounts
Click the App launcher in the upper left side.
Click Admin to go to the Microsoft 365 admin center.
In the "Microsoft 365 admin center", on the left panel click Active users under "Users". Find the user you want to assign the Global Admin role and click Manage roles.
In the "Manage admin roles" window, select Admin center access then tick the box beside Global Administrator. Click Save changes to save the role you assigned.
Granting Term Store Administrator Role
To add Term Store Administrator role to the Microsoft 365 user account used to authenticate the Microsoft 365 backup set.
In the "SharePoint admin center", under "Content services", click Term store.
In the tree view pane in the middle, select Taxonomy. Then click Edit in the “Term store” section on the right.
The “Edit term store admins” panel appears. Enter the names or email addresses of the Microsoft 365 user who you want to add as term store admins then click Save.
Granting Permission Discovery Management Group
This permission allows users added under the Assigned section of the “Discovery Management” group (refer to Granting Permission to Accounts for Creating Backup Set for setup) to back up and/or restore user item(s) not only for their account but also the accounts of other users in the same Assigned section.
Log in to Microsoft 365 as an account administrator.
Select Admin roles which is under “Roles” on the left, then click Discovery Management in the middle. Click Permissions on the right.
Tick the box beside the roles you want to add. These are the following roles:
- Legal Hold
- Mailbox Import Export
- Mailbox Search
- Public Folders
You can find the roles above easily by making use of the Search section.
Click Save to confirm and click the X to exit the setting.
Granting Permission to Accounts for Creating Backup Set
Log in to Microsoft 365 as an account administrator.
Select Admin roles which is under “Roles” on the left, then click Discovery Management in the middle. Click Assigned on the right, then click Add.
You can now add users to this group. Search by name or email address then click Add once done.
Granting Permission to Restore All Share link types to Alternate location in Microsoft 365
To successfully restore all share link types to alternate location of the same organization in Microsoft 365, follow the settings below:
Allowing Anonymous Users to Access Application Pages:
Click the App launcher in the upper left side.
Click SharePoint to go to the SharePoint page.
Click Settings>Site Settings
Under "Site Collection Administration", click Site collection features.
Scroll down and look for “Limited-Access user permission lockdown mode”, click the Deactivate button.
Click Deactivate this feature.
Once deactivated, the Deactivate button will no longer be available.
Allowing Sharing to External Users:
Go to your “Microsoft 365 admin center”, click All admin centers, then select SharePoint in the right pane.
Go to Policies>Sharing. Under “External sharing” the button must be in line with “Existing guests” and click Save.
Data Synchronization Check (DSC) Setup
To compensate for the significant backup performance increase, there is a tradeoff made by the Change Key API, which skips the checking of de-selected files in the backup source, which over time can result in a discrepancy between the items or files/folders selected in the backup sources and the those in the backup destination(s). However, the Change Key API will continue to check for de-selected Microsoft 365 user accounts or Site Collections. Un-selected individual Microsoft 365 user accounts or Site Collections detected during a backup job and will be automatically moved to retention area.
To overcome this, it is necessary in some cases to run a Data Synchronization Check (DSC) periodically. The DSC is similar to a regular Microsoft 365 Change Key API backup job but with the additional checking and handling of de-selected files and/or folders in the backup source. So that it will synchronize the data in the backup source and backup destination(s) to avoid data build-up and the freeing up of storage quota.
Here are the pros and cons of performing the DSC.
| Enabled | Disabled | |
|---|---|---|
| Backup time | Since DSC is enabled, it will only run on the set interval. For example, the default number of interval is 60 days. The backup time for the data synchronization job which is triggered every 60 days by default will take longer than the usual backup as it is checking the de-selected files and/or folders in the backup source and data in backup destination(s). |
As DSC is disabled, the backup time will not be affected. |
| Storage | Management of storage quota will be more efficient as it will detect items that are de-selected and move it to retention and will be removed after it exceeds the retention policy freeing up the storage quota. | Management of storage quota will be less efficient even though files and/or folders are already de-selected from the backup source, these files will remain in the data area of backup destination(s). |
To setup the Data Synchronization Check (DSC), refer to the Troubleshooting - Setting the Data Synchronization Check (DSC).
Authentication
To comply with Microsoft’s product roadmap for Microsoft 365, Basic Authentication (Authentication using Microsoft 365 login credentials) will no longer be utilized. Instead, all new Microsoft 365 backup sets created will use Modern Authentication.
Since the second half of 2021, it will be a mandatory requirement for organizations still using Basic Authentication or Hybrid Authentication to migrate to Modern Authentication.
Modern Authentication provides more secure user authentication by using an app token for authentication aside from using Microsoft 365 login credentials. To use Modern Authentication, the Microsoft 365 account is registered under the Global region and the Microsoft 365 backup is configured to use the Global region.
Existing backup sets using Basic Authentication created prior to AhsayOBM v8.3.6.0 can be migrated to Modern Authentication. However, once the authentication process is completed, the authentication can never be reverted to Basic Authentication. For more information on how to migrate to Modern Authentication, please refer to Troubleshooting - Re-Authentication of Microsoft 365 Backup Set. After the upgrade to AhsayOBM v9.1.0.0, the backup and restore process of existing Microsoft 365 backup sets still using Basic Authentication will not be affected during this transition period since Modern Authentication is not yet enforced by Microsoft.
To migrate existing backup sets to Modern Authentication there are two (2) methods:
The first method is the Microsoft 365 account used for the backup set is assigned the Global Admin.
The second method is the Microsoft 365 account used for the backup set is an ordinary account. When changing the settings of the backup set, the user can ask a Microsoft 365 Global Admin to grant permission to authorize the migration of authentication. This is only required in migrating from Basic Authentication to Modern Authentication. This only needs to be done once per backup set.
To check the current authentication being used in your Microsoft 365 backup set, see criteria below:
Basic Authentication
If you click on the backup set and the following pop-up message is displayed, then the backup set is using Basic Authentication.
Modern and Hybrid Authentication
For the backup set using Modern or Hybrid Authentication, there is no pop-up authentication alert.
Supported Devices
Below are the supported services of Microsoft 365 Backup module. It is also specified in the table some services that are currently not yet supported by the Microsoft 365 Backup module.
Below are the supported Outlook Mailbox types of Microsoft 365 Backup.
Below are the items that you can back up or restore from an Outlook mailbox.
Below are the items that you can back up or restore from OneDrive.
Below are the items that you can backup or restore from Teams Chat / Channel.
Below are the Site Collections/Personal Site items that you can back up or restore from a Microsoft 365 backup set.
Below are the SharePoint Site Collections template that you can back up or restore from a Microsoft 365 backup set.
Below is the Site Column Type that you can back up or restore from a Microsoft 365 backup set.
Below are the items from the Public Folder that you can backup and restore from a Microsoft 365 backup set.
Maximum Supported File Size
The following table shows the maximum supported file size per item for backup and restore of each service.
Backup and Restore