Synology Active Backup for Microsoft 365
Background
Following on from my three-part series on setting up a Synology NAS, I thought I would take a look at some of the other functionality on offer. Most apps available on Synology are free of charge, their Office 365 backup being one of them.
Now I was keen to see what this offered as part of my day job involves scoping and positioning paid-for Office 365 backup solutions. Can Synology do just as good a job for free?
I typically deal with two types of Office 365 backup product, SaaS-based, in that you log onto a webpage, point it to O365 and then it just sorts things out for you. Or something deployed in a virtual machine but can make use of both local storage and object storage.
SaaS backup typically is limited in customisation but usually does the job for 90% of people. Roll your own allows you to do what you want with your data in terms of backup frequency and storage location.
So where does the Synology offering sit in amongst those? When writing this article, it is more of a roll your own solution but you are tied into creating backups on the NAS device itself. I need to investigate if object storage offload is supported.
Deployment
I will run through the steps required to deploy and configure Office 365 backup on a Synology NAS as well as checking out the recovery options available.
Synology Office 365 backup package installation
Log onto the Synology NAS and open the package manager.
Find Active Backup for Microsoft 365 and click install.
Once installed click open.
The package needs to be activated. For this to work you will need to create a free Synology account.
Accept the privacy agreement.
This is where you create a Synology account if you don’t have one already.
Enter your details to create an account.
A verification code will be sent to your e-mail address, so you will need to use a legitimate e-mail account.
Agree to the T&C’s with Synology to create your account.
And you are done.
Back on the NAS, enter the details for your Synology account and click Activate.
And we are good to go.
Backup job creation.
If this is the first time that you have hooked the Synology O365 backup product into your Office 365 environment, you will need to run through some additional steps to authorise the application with Azure AD. I will run this process below.
Create a new backup task. You can link back an orphaned backup set to aid with recovery.
This is where we need to create the Synology application and authorise it with Azure AD. The link below takes us to this webpage, which is very comprehensive.
Here is a sample of the Synology knowledge base article with details instructions for Azure AD application registration.
One of the steps on the KB page asks to download the PowerShell script which automates a lot of the application registration process. It even checks if the Azure AD PowerShell tools are installed.
Once the PowerShell script has completed running, copy the URL I highlighted in red and log into Azure AD to authorise the API access for the Synology application to access Exchange Online, SharePoint Online, etc.
The other details requested below were generated when the PowerShell script was run. Paste the required ID’s in and import the certificate that was genertaed.
The next step is to create a shared folder on the NAS which will act as the backup location for the O365 backups.
Click to create a new shared folder.
Give the folder a name. I chose to hide the folder so no one would accidentally stumble across it.
You can encrypt the contents of the folder. I chose not to but would be worth considering.
There are some options to ensure data integrity.
And apply.
We can then check and change the default permissions on the folder. It can be locked down to a specific user.
Now we have a folder to target the backups to, we can edit the backup job to be more granular in which accounts are backed up and define backup schedules.
We can select which users to backup as well as what information type to backup. Interesting that we can backup archive mailbox as some SaaS providers do not allow this, but there is no Teams integration by the looks of it.
We can choose the default backup behaviour if a new user or SharePoint site is created. Below is the out of the box config.
Here we can set the backup schedule and how many iterations of file version history to keep. SharePoint and OneDrive for business keep previous versions of any files modified by default.
Click apply and then your done creating the job.
We have the option to run the backup now.
Backup job monitoring
When the job is running we can see the progress of the backup as below.
Once complete, we have a more complete overview of when backups have run and how many of each resource type are protected.
Backup recovery
Now for the most important part of any backup, the ability to recover data from it!
Synology offers another package called Active Backup for Microsoft 365 Backup Portal. Not so obvious from the name, but this is the portal where we manage recovery tasks. This can be opened to end users as well if self-service recovery is something you would like to offer.
E-Mail recovery
As an administrator, I have access to all the user accounts backed up from the O365 tenant. I chose myself from the drop-down list and then clicked on the options below to start the mail recovery process.
Then we can drill into the mailbox and use the slide bar at the bottom to scroll through a timeline of backups.
We can select a mail item to recover and either restore it to the mailbox or export the e-mail.
I chose to export the e-mail. It exports it in the familiar *.eml file format which can be opened by Outlook.
OneDrive recovery
In my OneDrive account, I have a very important document.
Launching the OneDrive recovery rather than E-mail, I can see the contents of the backup, which is my important document.
This document will be restored back to OneDrive.
Chose the users OneDrive account to restore to. Note the file will be restored to a newly created subfolder.
The restore shows as succesful.
Back in OneDrive we can see the newly created restore folder alongside the original document.
And in the folder is a copy of the Important Document.
And for quick auditing purposes, we can see what backup and restore tasks were performed.
Conclusion
The setup is straight forward and the basic backup and recovery workflow seems to work well. I can’t comment on how well this scales for a large O365 environment, but when I have spoken to Synology they have told me some organisations are using this to protect O365 tenants with tens of thousands of users, which is impressive. Again it would be interesting to see how this is configured as I know Microsoft impose throughput limits for accessing data in O365 when backing up. Some vendors work around this limitation by deploying multiple Azure AD applications with access to the O365 data and then proxying the backups across multiple apps to increase throughput.
For a free app though, I really can’t fault it and it worked flawlessly in the basic tests above.
Hi
Very good article but ..
You left a complete section out about backing up teams and the use of APIs
Hey there,
Thanks for the comment, Microsoft only changed the way that backup products integrate with Teams starting in February 2023, I wrote this article in 2021 before that and only using Modern Authentication is a thing. 😀
You are right through, Microsoft deprecated EWS access to Teams and replaced it with Graph API. Some info to get started can be found here from Microsoft.