How to Back Up Microsoft 365 to AWS: A Comprehensive Guide

Microsoft 365 services are productive and reliable, but data loss can occur for various reasons. For example, a user may accidentally delete data or a ransomware infection may spread from local computers whose folders are synchronized with the cloud storage.

Thus, Microsoft 365 backup is important for data protection and business continuity. With backups, you can recover the needed data and ensure uninterrupted workflows. Amazon Web Services (AWS) is one of the cloud platforms that can be used to store Microsoft 365 backups.

Backup for Microsoft 365 Data

Use the NAKIVO solution to back up Microsoft 365 data in Exchange Online, Teams, OneDrive and SharePoint Online for uninterrupted workflows and zero downtime.

Why Choose AWS for Microsoft 365 Backup?

Amazon S3 is the AWS object storage service, which provides attractive cloud storage options in terms of price, flexibility, and reliability. There are different storage tiers, including higher-priced ones for quick access and low-cost tiers with slower access speeds that are used for long-term archival. The pricing model is flexible and suitable for different purposes. AWS ensures the strongest security standards, which are compliant with industry standards and regulations.

The advantages of using Amazon S3 for storing Microsoft 365 backups are:

  • Enhanced redundancy and availability. AWS offers redundant infrastructure in its data centers, which are located in different regions in different countries. This cloud infrastructure provides better protection against service disruptions or power outages.
  • High scalability. Cloud storage in AWS is scalable with virtually unlimited storage capacity. Amazon S3 buckets grow when needed, and you don’t need to manually expand storage size or add new storage devices.
  • Cost efficiency. The pay-as-you-go pricing model allows organizations to pay only for the storage and resources they use in AWS.
  • Backup retention. Using AWS as cloud storage for Microsoft 365 backup allows you to use custom retention policies to ensure compliance with legal, regulatory, and business requirements.

Compliance considerations for Microsoft 365 backup to AWS include the following points:

  • Data sovereignty and regional compliance depend on the location of your AWS data centers. You should ensure that backups comply with data sovereignty laws (for example, GDPR in the EU). AWS allows organizations to choose the region where their backup data is stored, ensuring compliance with specific regional requirements regarding data storage and processing.
  • Regulatory acts often require setting specific retention policies for backups, especially for sensitive information. Organizations using AWS for Microsoft 365 backup can configure retention and data lifecycle policies (including automatic deletion of old unnecessary data). These capabilities allow organizations to comply with legal and regulatory retention requirements.

Preparing Your AWS Environment for Microsoft 365 Backup

Before starting a backup process and running Microsoft Office 365 backup to AWS, you have to prepare the AWS environment, your organization’s Microsoft 365 account and the backup solution you will be using.

You can use NAKIVO Backup & Replication as a data protection solution for Microsoft 365 backup. The NAKIVO solution supports backing up data of Microsoft 365 services, including Exchange Online, OneDrive for Business, SharePoint Online, and Microsoft Teams to AWS and other S3-compatible platforms, for example, backup to Wasabi for Microsoft 365 data.

Configuring permissions in AWS

Ensure that you have created the IAM role in AWS and that it has the permissions required to create a bucket in Amazon S3. Generate the access keys in AWS for this purpose. The access keys are used to configure third-party applications, such as backup solutions, to access AWS resources for the appropriate account and IAM role. You can generate and download the access key in the AWS IAM dashboard.

The IAM dashboard in AWS

  1. Open the IAM dashboard in the AWS Console and in the left pane of the AWS web interface, click Users.
  2. Click the IAM user that you want to use for configuring access and permissions.
  3. Go to the Security Credentials tab and hit Create Access Key.
  4. Click Download Credentials and save the credentials on your computer in a safe place.

For the purpose of this workflow, we have created an Amazon S3 bucket called blog-bucket001 in AWS.

Creating a bucket in Amazon S3

Enabling Object Lock

To use the immutability feature in NAKIVO Backup & Replication for Microsoft Office 365 backups (and other backups) stored in AWS, you should first enable Amazon S3 Object Lock for a bucket.

Select a bucket in the Amazon S3 console and proceed as follows:

  1. Go to the Properties tab for the selected bucket.

    Amazon S3 bucket properties

  2. Scroll down the page and locate the Object Lock section. Click Edit.

    How to enable Amazon S3 object lock

  3. On the Object Lock settings page, you see a warning that enabling versioning is required to enable Object Lock. Click Enable Versioning.
  4. Then, enable Object Lock by selecting the corresponding option. Click Save Changes.

    Enabling versioning and object lock
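
To confirm that the console steps above took effect before relying on immutability, the following added example (not part of the original guide or of NAKIVO's software) audits the bucket settings in Python. The function names are hypothetical, the sample responses are constructed, and the dictionaries follow the shape of the boto3 get_bucket_versioning and get_object_lock_configuration responses.

```python
# Added example: audit an S3 bucket's readiness for immutable backups.
# Input dicts mirror the boto3 responses of get_bucket_versioning() and
# get_object_lock_configuration(); the sample data below is constructed.


def audit_bucket(versioning, object_lock):
    """Return a list of findings; an empty list means the bucket is ready."""
    findings = []
    # Object Lock only works on a bucket with versioning switched on.
    # A bucket that never had versioning returns no "Status" key at all.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    cfg = (object_lock or {}).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled")
    # A default retention rule is optional; retention can also be set per object.
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if rule and rule.get("Mode") == "GOVERNANCE":
        findings.append(
            "default retention uses GOVERNANCE mode, which principals with "
            "s3:BypassGovernanceRetention can override"
        )
    return findings


def fetch_and_audit(bucket):
    """Live variant: needs boto3 and credentials that can read the bucket settings."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    versioning = s3.get_bucket_versioning(Bucket=bucket)
    try:
        lock = s3.get_object_lock_configuration(Bucket=bucket)
    except ClientError as err:
        # S3 returns this error code when Object Lock was never configured.
        if err.response["Error"]["Code"] != "ObjectLockConfigurationNotFoundError":
            raise
        lock = None
    return audit_bucket(versioning, lock)


# Constructed responses: a freshly created bucket, and one after the console steps.
FRESH = ({}, None)
READY = ({"Status": "Enabled"},
         {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}})

if __name__ == "__main__":
    for name, (v, lock) in {"fresh": FRESH, "ready": READY}.items():
        print(name, audit_bucket(v, lock) or "ready for immutable backups")
```

Call fetch_and_audit("blog-bucket001") with read-only credentials to run the same checks against the live bucket used in this guide.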

Adding AWS to the NAKIVO Backup & Replication Inventory

Once you have created an Amazon S3 bucket and configured permissions for the IAM account in AWS, you can add the AWS account to the Inventory of NAKIVO Backup & Replication. You need to add AWS and Microsoft 365 accounts to the Inventory before configuring Microsoft 365 backup jobs to AWS.

Follow the steps below to add the AWS account to the NAKIVO Backup & Replication Inventory:

  1. Log in to the web interface of NAKIVO Backup & Replication.
  2. Click Settings in the left pane of the web interface and click + to add a new item to the Inventory.

    Adding AWS to the NAKIVO inventory

  3. At the first step of the Add Inventory Item wizard, select Cloud storage as a platform. Click Next at each step to continue.

    Selecting Cloud Storage to add AWS to the inventory

  4. Since we will be using an Amazon S3 bucket as storage for Microsoft 365 backups, we have to select Amazon at the Type step.

    Selecting Amazon as the platform type

  5. Configure options to add the AWS inventory item. Enter the display name, select AWS account as the type and enter the credentials generated in the IAM console: the access key ID and secret access key. Click Finish to add the AWS account to the Inventory.

    Specifying options and entering the credentials

Adding your Microsoft 365 account to the Inventory

After adding the AWS account, we must add our Microsoft 365 account to the Inventory. Adding these accounts is required for Microsoft 365 backup with the NAKIVO solution.

  1. Navigate to Settings > Inventory and click the plus (+) icon to add a new item to the Inventory.

    Adding a Microsoft 365 account

  2. At the first step of the Add Inventory Item wizard, select SaaS as a platform to add your Microsoft 365 account.

    Selecting SaaS as the platform

  3. Select the Microsoft 365 services whose data you want to back up. You can select specific services or select all services (Exchange Online Users, Exchange Online Groups, OneDrive for Business, SharePoint Online and Microsoft Teams).

    Selecting Microsoft 365 services to add for backup

  4. Select the Use Modern Authentication with enabled MFA account option if multi-factor authentication is enabled for your Microsoft 365 account.

    The option to use modern authentication with enabled MFA account

  5. At the Configuration step, choose an option to connect to the Microsoft 365 account. If you are configuring your environment for Microsoft 365 backup for the first time, select Automatically register a new Azure AD application. In this case, access to the Microsoft 365 services selected at the previous step will be configured in Microsoft Azure Active Directory for NAKIVO Backup & Replication.

    Selecting Azure registering options

  6. Configure authentication for NAKIVO Backup & Replication at the Authentication step.
    • Enter the application name. We use the NAKIVO11-blog name in this example.
    • Click Copy code to copy the generated code. We will use this code to configure authentication for the NAKIVO solution on the Microsoft website.
    • Click the https://microsoft.com/devicelogin link to grant the required permissions using this code.

    Configuring Microsoft 365 authentication for the NAKIVO solution

  7. After opening the appropriate Microsoft page in a web browser, enter the code you have copied and click Next.
  8. When you see the question “Are you trying to sign in to Microsoft Azure CLI?”, click Continue.
  9. Once done, you should see the message:

    You have signed in to the Microsoft Azure Cross-platform Command Line Interface application on your device. You may now close this window.

    Configuring Microsoft 365 authentication and access to Microsoft Azure CLI

  10. Switch back to the tab with NAKIVO Backup & Replication in your web browser and click Manage Certificates at the Authentication step.

    Click Generate Certificate in the Manage Certificates window.

    Creating a certificate for Microsoft 365 connection

  11. Enter a name and description for the new certificate. Click Save.

    Entering a name and description for the certificate

  12. Now, select the recently created certificate in the drop-down list (Client Certificate). If everything is correct, you should see a message that confirms that the Microsoft 365 account is authenticated.

    Hit Finish to save settings and finish adding a Microsoft 365 account to the inventory.

    Completing authentication for the Microsoft 365 account

It may take a while until your Microsoft 365 account is added to the Inventory. The time depends on the number of added items (emails, OneDrive files, etc.) and their size. As a result, you should see the added inventory items, including AWS and Microsoft 365, as displayed in the screenshot below.

AWS and Microsoft 365 accounts are added to the inventory

Installing a Transporter in AWS

Next, you should install a Transporter in AWS. The Transporter is a core component of NAKIVO Backup & Replication (categorized as a Node), and it is responsible for transferring data to/from backup repositories. When using backup storage in Amazon S3 or Amazon EC2, the AWS Transporter is used for processing backup data to/from AWS.

NOTE: Installing a Transporter in AWS is not a required step and you can use the Transporter located locally (not in AWS). A local Transporter can transfer data to AWS. However, installing the Transporter in AWS can provide additional benefits for data protection configurations.

  1. Navigate to Settings > Nodes, then click the + icon and hit Amazon EC2 instance to deploy a Transporter on an EC2 instance in AWS.

    Deploying a Transporter in AWS

  2. Enter a Transporter name, select a region and specify the instance type, depending on the planned loads. In this example, we select t2.medium for our Transporter. Optionally, you can configure networking.

    In the Settings section, configure the operation mode, select a platform (Linux is used in our case) and maximum load. If you select the “Running while required” operation mode, you can save costs spent on a running instance in AWS in contrast to the “Always running” mode. Click Deploy to finish deploying a Transporter in AWS.

    Configuring the options to deploy an AWS Transporter

  3. Once the AWS Transporter is deployed, you should see a screen like the one displayed below.

    The AWS Transporter is deployed

Creating a backup repository in Amazon S3

Now, it’s time to create a backup repository in the Amazon S3 bucket. We will use this backup repository to store Microsoft 365 backups.

  1. In the NAKIVO Backup & Replication web interface, navigate to Settings > Repositories, click + and hit Create new backup repository.

    Creating a backup repository in Amazon S3

  2. At the Type screen of the Create Backup Repository wizard, select Cloud & S3-Compatible Storage and go to the next step.

    Selecting Cloud and S3-Compatible storage as the repository type

  3. At the Vendor screen, select Amazon S3.

    Selecting Amazon S3 as the cloud platform vendor

  4. Specify the name and location of the backup repository.
    • Enter a name to be displayed in the NAKIVO Backup & Replication web interface, for example, Amazon S3 Repo.
    • Select the Transporter deployed in AWS or locally.
    • Select the AWS account that was added to the NAKIVO Backup & Replication inventory.
    • Select the AWS region in which your AWS account has enough permissions to write data.
    • Select the Amazon S3 bucket where a backup repository will be created. In our case, this is blog-bucket001.

    Setting a name and location for the backup repository

  5. Configure backup repository options. You can leave the default settings. Click Finish to create a backup repository in an Amazon S3 bucket.

    Backup repository options

  6. You should see the added Amazon S3 backup repository in the list of repositories in Settings > Repositories.

    A backup repository is created in Amazon S3

Configuring a Microsoft 365 backup to AWS

The environment is ready to configure a Microsoft 365 backup job and store backups in Amazon S3.

There are two approaches to backing up Microsoft 365 data to AWS:

  • Configuring a backup job and selecting a backup repository in Amazon S3 directly.

  • Configuring a backup job to a local backup repository and then configuring a backup copy job to Amazon S3.

    The advantages of using the approach with a backup copy are that a local backup can be created faster and this approach allows you to implement the 3-2-1 backup rule.

For demonstration purposes in this blog post, we are going to create a Microsoft 365 backup job to AWS S3 directly.

  1. Go to Data Protection, hit + and click Backup for Microsoft 365.

    Creating a new Microsoft 365 backup job

  2. Select source Microsoft 365 objects to back up. You can select Exchange Online mailboxes, user OneDrive instances, SharePoint Online sites and Microsoft Teams teams. Then, hit Next to continue.

    Selecting Microsoft 365 source data to back up

  3. Select a destination for a Microsoft 365 backup.

    Selecting an Amazon S3 backup repository

  4. Set up a schedule for Microsoft Office 365 backup to AWS. You can set up a flexible scheduling and retention policy. You can enable immutability for a Microsoft 365 backup in AWS at this step.

    Scheduling and retention settings

  5. Configure backup job options. Enter a job name, for example, Microsoft 365 backup to AWS S3. Enable backup encryption for even better security. Select a change tracking method for incremental backup, for example, use a proprietary method.

    If you selected to back up Exchange Online contents, you can choose mailbox processing options, that is, which object types to back up.

    Select full backup settings. There are two options: Active Full and Synthetic Full. When you back up data to Amazon S3, keep in mind the following:

    • The number of read operations from S3 is higher with a synthetic full backup, which increases the costs of using AWS.
    • Synthetic full backup requires simultaneous read/write operations, which reduce performance significantly, compared to active full backup.
    • To create a synthetic full backup, the NAKIVO solution reads repository data, creates a full backup locally on the assigned Transporter and writes data to an Amazon S3 bucket.

    After configuring all needed options, hit Finish & Run.

    Configuring Microsoft 365 AWS backup job options

How to Restore Microsoft 365 Data from AWS

To restore Microsoft 365 data from a backup stored in AWS, perform the following steps:

  1. Go to Data Protection, select your Microsoft 365 Backup job to AWS, click Recover and hit Object recovery for Microsoft 365.

    Recover data from a Microsoft 365 AWS backup

  2. At the first step of the object recovery wizard, select Microsoft 365 user data to recover. You can select a backed-up mailbox, drive, site or team. Select a recovery point in the calendar or table on the right side of the screen.

    Selecting Microsoft 365 data to recover

  3. Select the Microsoft 365 account to which you want to recover data. This account was added to the NAKIVO inventory at the beginning of the configuration.

    Selecting a Microsoft 365 account for recovery

  4. Select objects to recover. Depending on the selected backup type, you can recover emails, contacts, calendar items, folders, files, chat messages, document libraries and more at this step.

    Selecting Microsoft 365 objects to recover

  5. Select recovery options, such as recovery type and overwrite behavior. Once you have selected the needed options, click Recover.

    Selecting recovery type and overwrite behavior

Conclusion

Microsoft 365 backup to Amazon S3 significantly improves a backup strategy and increases the probability of successful data recovery. AWS reliability, availability and data immutability in Amazon S3 ensure a high level of reliability for storing backups. Use NAKIVO Backup & Replication to back up Microsoft 365 to Amazon S3 with immutability support, flexible scheduling and retention settings, as well as advanced data recovery options.

Try NAKIVO Backup & Replication

Get a free trial to explore all the solution’s data protection capabilities. 15 days for free. Zero feature or capacity limitations. No credit card required.