March 22, 2021
How to Perform SharePoint Online and OneDrive for Business Backup
SharePoint and OneDrive for Business are important applications for Microsoft 365 users to store data and work with documents. It is important to back up SharePoint Online because data can be lost as a result of ransomware attacks, human error, or other unfortunate events. There are some things you need to consider when performing backup and recovery for SharePoint and OneDrive because Microsoft 365 data is stored in the cloud. This blog post explains how to back up SharePoint and OneDrive for Business.
Native Backup and Restore Methods in Microsoft 365
SharePoint Online uses OneDrive for Business as data storage in the cloud. Content in SharePoint Online is spread across multiple sites, lists, libraries, and OneDrive folders. This makes it more difficult to back up. Microsoft 365 provides some native features that can help you restore deleted or corrupted data.
You can use the Recycle Bin to restore deleted sites, libraries, lists, calendar events, folders, and files in SharePoint Online. Deleted items are stored in the Recycle Bin for a maximum retention period of 93 days (including the second-stage Recycle Bin). When the 93 days have expired, items are deleted permanently. If the size of deleted items exceeds the maximum available size of the Recycle Bin, the oldest deleted items are deleted permanently.
Versioning allows you to save multiple versions of a file after changes are made to the file. If unwanted changes were written to a document, you can restore one of the previous versions. Be aware that storing multiple file versions requires additional storage space in the Microsoft 365 cloud. If your Microsoft 365 subscription plan doesn’t provide unlimited storage, you may need to pay more for storing additional file versions.
The maximum number of versions is limited. By default, the limit is 500 versions for document libraries, and it can be increased to 50,000 versions. Versioning is enabled for document libraries in SharePoint Online (by default) and can be enabled manually for page libraries and SharePoint lists. Versioning is unavailable for site metadata.
When users are editing a document, versions are created periodically and automatically approximately every 30 minutes (but not after each change). A version is saved when a user closes a file. Versions can be deleted by SharePoint users, which can complicate data recovery if an item is lost or modified.
Retention policies are not a backup feature per se. However, this feature allows you to create rules that define how long to preserve documents or other files in SharePoint and OneDrive for Business. Retention policies are used to configure what data can be deleted and when it can be deleted. Retention policies don’t support recovery of deleted list columns in SharePoint.
It is possible to set retention policies for different content types. This way, when you create content of a certain type, the associated retention policy is automatically applied to this content. Retention policies can be configured for document libraries, folders, and files. Compliance retention policies are available for premium subscription plans.
Traditional backup methods used for SharePoint on-premises don’t work with SharePoint Online. You cannot back up the whole server running SharePoint Online or back up a database used by SharePoint Online directly. Microsoft provides APIs (Application Programming Interfaces) to allow third-party backup applications to interact with Microsoft 365 and transfer data.
Disadvantages of Native Backup Features for SharePoint Online
Built-in features have disadvantages. If you do not notice that an item has been deleted in time, it may be too late to recover the deleted item after the retention period has expired, and the item is deleted permanently. If too many files are corrupted, for example, with ransomware, you have to spend a long time recovering each item by selecting the correct file version to recover.
Microsoft is responsible for the high availability of the services it provides, but it is not responsible for user data loss. The appropriate level of geo-redundancy is ensured in Microsoft datacenters to maintain service availability in case of a failure. Microsoft backs up Microsoft 365 data, including customers' SharePoint sites, every 12 hours in its datacenters. If all else fails, customers can ask Microsoft to restore the entire site collection in SharePoint Online by sending a ticket requesting the restore. This option is available for 14 days after permanent (or hard) data deletion (deletion from the Recycle Bin). In this case, there are no granular recovery options, and changes made after the recovery point are lost because recovery overwrites the existing data in SharePoint. The Microsoft service level agreement (SLA) does not guarantee a successful data restore. If data is not restored within 14 days of its deletion from the second-stage Recycle Bin, the data is gone forever.
Using NAKIVO Backup & Replication for SharePoint Online Backup
NAKIVO Backup & Replication is a universal data protection solution that interacts with Microsoft 365 by using the provided APIs. The solution provides backup and flexible granular recovery for both OneDrive and SharePoint Online for Microsoft 365 business subscription plans.
You can create a Backup Repository on a local machine running on-premises to store Microsoft 365 backups including SharePoint and OneDrive backups. A Backup Repository is well protected (if you don’t share the directory with write permissions for everyone).
You can recover deleted data even if more than 93 days passed by using a SharePoint Online backup created by NAKIVO Backup & Replication. The GFS retention policy helps you preserve multiple recovery points for different point-in-time versions.
Recovery doesn’t take a long time. You just need to select a recovery point for the needed date/time and select recovery options. These operations are performed with a few clicks in the user-friendly web interface.
Granular recovery allows you to recover document libraries and lists. Recovery to a source location or to a different location is supported.
How to Back Up SharePoint Online with NAKIVO Backup & Replication
Now that you are familiar with the functionality of NAKIVO Backup & Replication, let’s find out how to configure the environment to back up SharePoint and OneDrive for Business with NAKIVO Backup & Replication.
The workflow consists of the following main steps:
- Preparing the Microsoft 365 account in Microsoft Azure – adding API permissions
- Adding your Microsoft 365 account to the inventory of NAKIVO Backup & Replication
- Creating a Backup Repository
- Creating the Microsoft 365 backup job
- Recovering SharePoint Online data
Preparing the Microsoft 365 account
As NAKIVO Backup & Replication uses APIs provided by Microsoft to interact with Microsoft 365 apps, first you should configure API permissions for NAKIVO Backup & Replication on Microsoft’s side for your Microsoft account.
Open https://portal.azure.com, enter the credentials of your Microsoft 365 administrator account to log in to the Azure portal, and go to App registrations.
Click + New registration on the App registrations page to register NAKIVO Backup & Replication as an application that can access Microsoft 365 applications via the provided APIs.
Register an application in the window that opens.
Enter the application name, for example, NAKIVO10-2.
Select who can use this application or access this API by selecting supported account types:
- Accounts in any organizational directory (Any Azure AD directory – Multitenant)
By proceeding, you agree to the Microsoft Platform Policies. Hit Register.
The application is now registered. You have to save identifiers used for application registration in a safe place. You will need them later when configuring NAKIVO Backup & Replication.
Application (client) ID
Directory (tenant) ID
Once you have saved the IDs, click View API permissions.
On the API permissions page hit + Add a permission. As you can see, there is only one User.Read permission by default.
Click Microsoft Graph among available Microsoft APIs.
Click Application permissions to request API permissions for your application (NAKIVO Backup & Replication).
The list of permissions required to back up and recover Exchange Online, OneDrive for Business and SharePoint Online data is displayed in the table below.
|API group|Permission|Required for|
|---|---|---|
|Files|Files.Read.All|OneDrive for Business backup|
|Files|Files.ReadWrite.All|OneDrive for Business recovery|
|Group|Group.Read.All|SharePoint Online backup|
|Mail|Mail.Read|Exchange Online backup|
|Mail|Mail.ReadWrite|Exchange Online recovery|
|MailboxSettings|MailboxSettings.Read|Backup and recovery of shared mailboxes|
|Sites|Sites.FullControl.All|SharePoint Online backup and recovery|
|Sites|Sites.Read.All|SharePoint Online backup|
|Sites|Sites.ReadWrite.All|SharePoint Online recovery|
|Sites|Sites.Manage.All|SharePoint Online recovery|
|User|User.Read.All|Exchange Online backup/recovery, OneDrive backup/recovery, SharePoint Online backup|
|User|User.ReadWrite.All|SharePoint and OneDrive recovery|
On the Request API permissions page, select all required permissions necessary for running Microsoft 365-related activities in NAKIVO Backup & Replication. Once you have selected all needed API permissions, hit Add permissions.
API permissions are selected now but their status displayed in the right column is Not granted. Click Grant admin consent for your_organization_name (Nakivo in our case) to change status to Granted.
The following message will be displayed:
Do you want to grant consent for the requested permissions for all accounts in your_organization_name? This will update any existing admin consent records this application already has to match what is listed below.
Now the status of the API permissions is changed to Granted.
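The following check is an added example, not part of the original post or of NAKIVO's tooling. It compares a list of granted permissions against the table above and reports permissions that are missing for a service as well as permissions granted beyond what the table lists. The granted list (one permission name per line, as copied from the API permissions page) is a constructed sample, and the function names are hypothetical.

```shell
#!/bin/sh
# Permission names and purposes copied from the table in this post.
required_table() {
cat <<'EOF'
Files.Read.All|OneDrive for Business backup
Files.ReadWrite.All|OneDrive for Business recovery
Group.Read.All|SharePoint Online backup
Mail.Read|Exchange Online backup
Mail.ReadWrite|Exchange Online recovery
MailboxSettings.Read|Backup and recovery of shared mailboxes
Sites.FullControl.All|SharePoint Online backup and recovery
Sites.Read.All|SharePoint Online backup
Sites.ReadWrite.All|SharePoint Online recovery
Sites.Manage.All|SharePoint Online recovery
User.Read.All|Exchange Online backup/recovery, OneDrive backup/recovery, SharePoint Online backup
User.ReadWrite.All|SharePoint and OneDrive recovery
EOF
}

# required_for PATTERN: permissions whose purpose text matches PATTERN.
required_for() {
    required_table | awk -F'|' -v pat="$1" 'tolower($2) ~ tolower(pat) { print $1 }'
}

# missing_perms GRANTED_FILE [PATTERN]: in the table but not granted.
missing_perms() {
    required_for "${2:-.}" | awk '
        side == "g" { sub(/[ \t\r]+$/, ""); have[$0] = 1; next }
        !($0 in have)' side=g "$1" side=r -
}

# extra_perms GRANTED_FILE: granted but not in the table at all.
extra_perms() {
    required_for . | awk '
        side == "r" { known[$0] = 1; next }
        { sub(/[ \t\r]+$/, "") }
        $0 != "" && !($0 in known)' side=r - side=g "$1"
}

# Constructed sample of a granted list, one permission name per line.
sample_granted() {
cat <<'EOF'
User.Read
Group.Read.All
Sites.FullControl.All
Sites.Read.All
Sites.ReadWrite.All
User.Read.All
User.ReadWrite.All
Directory.ReadWrite.All
EOF
}

granted=$(mktemp)
sample_granted > "$granted"
echo "Missing for SharePoint Online:"; missing_perms "$granted" sharepoint
echo "Granted but not in the table:";  extra_perms "$granted"
rm -f "$granted"
```

The service filter matches against the purpose text exactly as the table words it, so MailboxSettings.Read is only picked up by a pattern such as "mailbox", not "exchange".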
In addition to Application (client) ID and Directory (tenant) ID you need to generate a secret ID and save its value.
In the Manage section of the left pane of the App registrations page click Certificates & secrets.
Click + New client secret.
Enter a description, for example, Secret ID.
Select the expiration period: 1 year, 2 years, or never.
The secret ID and value are displayed in the Client secrets section of the Certificates & secrets page. Copy these values and save them in a safe location. Be aware that after closing this page you won’t be able to see the secret anymore. If you don’t save the secret value, you will have to generate a new one. In my example, I’m using the secret value generated on this page.
Azure Client secret:
Adding a Microsoft 365 account to the Inventory of NAKIVO Backup & Replication
After you have generated credentials for your Microsoft 365 account in the web interface of the Microsoft Azure portal, and selected API permissions, you should add your Microsoft 365 account to the inventory of NAKIVO Backup & Replication.
Open the web interface of NAKIVO Backup & Replication and go to Settings > Inventory.
Click Add New, and, in the menu that opens, hit Microsoft 365 account.
Add a new Microsoft 365 account. Enter the needed parameters; you can click the (?) icon to read useful tips for the appropriate field. In the Services field, you can select one, two, or all of the supported Microsoft 365 apps. You have to enter the Tenant ID, Azure Client ID, and Azure Client secret that you saved earlier when configuring the app registration in the web interface of the Azure portal.
The administrator account credentials for your Microsoft 365 account are required for support of SharePoint Online. Enter a user name and password for a user with administrative permissions in Microsoft 365. If you leave the Username and Password fields empty, SharePoint Online data is not added to the Inventory and SharePoint data cannot be backed up.
In my example, I will enter the following values to add our Microsoft 365 account.
Display name: Office 365
Services: Exchange Online, OneDrive for Business, SharePoint Online
Tenant ID: adb12933-1385-31a7-aa4f-b614511df15a
Azure Client ID: vv807d81-5e44-26e5-7621-dd5e21843a6a
Azure Client secret: @DhF4ah3eSj-cF-sJf40_HvhDE5AVbcH
After entering the correct information hit Add.
Wait until your Microsoft 365 account is added to the inventory. It may take a few minutes; time depends on the amount of data and number of objects stored in Microsoft 365. When your Microsoft 365 account is present in your inventory, the information about used space, the number of mailboxes, OneDrives, and SharePoint sites is displayed.
Once the account has been added to the inventory, you can open Inventory, click your Microsoft 365 account (Office 365 in our case), and view added mailboxes, OneDrives and SharePoint sites.
Creating a Backup Repository
A Backup Repository is the place where backups are stored. Create a new directory on the machine on which NAKIVO Backup & Replication is running. If you deployed NAKIVO Backup & Replication on a Linux machine or as a virtual appliance, connect to this machine via SSH and log in to the console. Run commands as root (enter sudo -i to get root privileges).
Go to /opt/nakivo/ and create a new directory to be used for your Microsoft 365 Backup Repository. In our case, we use /opt/nakivo/repo365 for a Backup Repository.
Set the correct owner and permissions for this directory (bhsvc is the name of the user created by NAKIVO Backup & Replication during installation).
chown bhsvc:bhsvc /opt/nakivo/repo365
chmod 0775 /opt/nakivo/repo365
Check the contents of the /opt/nakivo/ directory, and make sure that permissions for the repo365 directory are set properly.
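The directory steps above can be scripted together with the permission check. This is an added example, not NAKIVO's own tooling: it creates the directory, applies the owner and mode from this post, and rejects a directory that is writable by everyone, which is the condition the post warns about for a Backup Repository. The function names are hypothetical, GNU stat is assumed, and the demo runs on a temporary directory owned by the current user.

```shell
#!/bin/sh
# prepare_repo DIR OWNER GROUP: the directory steps from this post (run as root).
prepare_repo() {
    mkdir -p "$1" && chown "$2:$3" "$1" && chmod 0775 "$1"
}

# check_repo DIR OWNER GROUP: succeed only if DIR has the owner and mode set
# above. OWNER and GROUP may be names or numeric IDs. Needs GNU stat.
check_repo() {
    dir=$1; want="$2:$3"; rc=0
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "$dir: not a real directory"; return 1
    fi
    mode=$(stat -c '%a' "$dir")
    case $mode in
        *[2367]) echo "$dir: writable by everyone (mode $mode)"; rc=1 ;;
    esac
    [ "$mode" = 775 ] || { echo "$dir: mode $mode, expected 775"; rc=1; }
    if [ "$(stat -c '%U:%G' "$dir")" != "$want" ] &&
       [ "$(stat -c '%u:%g' "$dir")" != "$want" ]; then
        echo "$dir: owner $(stat -c '%U:%G' "$dir"), expected $want"; rc=1
    fi
    return $rc
}

# Demo on a throwaway directory owned by the current user, so it runs without
# root. On the NAKIVO host: prepare_repo /opt/nakivo/repo365 bhsvc bhsvc
demo=$(mktemp -d)
me=$(id -u); grp=$(id -g)
prepare_repo "$demo/repo365" "$me" "$grp"
check_repo "$demo/repo365" "$me" "$grp" && echo "repo365: OK"
chmod 0777 "$demo/repo365"
check_repo "$demo/repo365" "$me" "$grp" || echo "repo365: rejected"
rm -rf "$demo"
```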
Once the directory for the Backup Repository is prepared, open the web interface of NAKIVO Backup & Replication. Go to Settings > Repositories. Click Add Backup Repository > Create new backup repository.
The Create Backup Repository wizard contains three steps.
1. Type. Select SaaS as the backup repository type for Microsoft 365 objects. Hit Next at each step to continue.
2. Name & Location. Enter a name and select a location for your Microsoft 365 Backup Repository.
Name: Office 365 repo
Assigned transporter: Onboard transporter
Path to the local folder: /opt/nakivo/repo365
Note: You can deploy a Transporter on a remote machine, create a directory on that remote machine, and use it to create a Backup Repository. This approach provides you more flexibility and allows you to store Microsoft 365 data backups on remote machines.
3. Options. There is only one option at this stage, and you can skip it and leave it unselected. Optionally, it is possible to detach this Backup Repository on schedule when backup jobs are not running to transfer data and preserve data consistency. Hit Finish to save settings and create the Backup Repository.
Creating the Microsoft 365 backup job
The Microsoft 365 account is added to the inventory now and a Backup Repository is created to store Microsoft 365 data. Everything is ready to create a new backup job to back up SharePoint and OneDrive for Business data.
In the web interface of NAKIVO Backup & Replication, open the Dashboard, and click Create > Microsoft 365 backup job.
A new backup job wizard for Microsoft 365 is opened and consists of five steps.
1. Sources. In the left pane you can see Mailboxes, OneDrives and SharePoint sites. Let’s back up a SharePoint site in this walkthrough. Select one or multiple SharePoint sites or subsites. In our example we select the Automation01 site. Hit Next at each step of the wizard to continue.
2. Destination. Select a Backup Repository to store your SharePoint backup. In my case, I’ll select a repository with the name Office 365 repo (that was created before). You can click a site name to expand the advanced setup and select different Backup Repositories for each site if needed.
3. Schedule. This is a traditional step for a backup job with job schedule settings.
4. Retention. Configure retention settings. NAKIVO Backup & Replication uses the grandfather-father-son (GFS) retention policy.
5. Options. Enter a job name, for example, SharePoint Online backup job. Select additional job options if needed. Hit Finish & Run to save job settings, and run this SharePoint Online backup job.
On the dashboard, you can see the progress of the running SharePoint Online backup job. In our example, 13,635 items had been backed up at the time the screenshot was taken. Click the link to see details of the backup process. Wait until the SharePoint Online backup job is finished. The time needed to finish the job depends on the internet speed and the amount of data being backed up.
How to recover SharePoint Online data in NAKIVO Backup & Replication
You have created a SharePoint Online backup with NAKIVO Backup & Replication and you know how to back up OneDrive for Business. Let’s explain how to recover SharePoint Online data from a backup. The process of SharePoint Online recovery and OneDrive recovery is similar.
Open the dashboard in the web interface of NAKIVO Backup & Replication, click Recover > Microsoft 365.
The Object recovery wizard for Microsoft 365 is opened and consists of five steps.
1. Backup. In the left pane select items you want to recover. If your backup contains Exchange Online, OneDrive for Business and SharePoint Online items, they all are displayed in the left pane. As our backup contains only one SharePoint site, we select this site to recover. Once you have selected the needed objects to recover, select the recovery point in the right pane. We select the oldest recovery point in this example. Hit Next at each step to continue.
2. Recovery account. Select the recovery account. This is an account to which you recover data from a backup. In our case the name of the Microsoft 365 account we added to the inventory is Office 365.
3. Objects. Select objects you want to recover. You can select custom SharePoint objects, for example, document libraries. We select Documents and testlibrary1 for our Automation01 site to recover.
4. Options. Select the recovery type and overwrite behavior. Supported options for the recovery type and overwrite behavior are listed below.
- Recover to original location
- Recover to site
- Rename recovered item if such item exists
- Skip recovered item if such item exists
- Overwrite the original item if such item exists
Note: Recover to original location will not be possible if the selected recovery account is different than the original account.
Select the needed options and hit Recover to start the SharePoint Online recovery process. Wait until the data is recovered.
After finishing the recovery process, go to SharePoint and check the recovered items.
You can download the Free Edition of NAKIVO Backup & Replication to get full access to the Pro edition functionality for 5 Microsoft 365 accounts and enjoy robust and reliable data protection at zero cost for one year.
Native features to recover SharePoint and OneDrive data in Microsoft 365 have some disadvantages due to limited functionality. For this reason, Office 365 users and administrators should use third-party backup and recovery software. This blog post covered SharePoint and OneDrive for Business backup and explained how to configure your environment to back up Microsoft 365 with NAKIVO Backup & Replication. You have to configure API permissions in the Microsoft Azure portal by using your Microsoft account, add your Microsoft 365 account to the inventory of NAKIVO Backup & Replication, create a backup repository and then run backup and recovery jobs for Exchange Online, SharePoint and OneDrive for Business. Use NAKIVO Backup & Replication to protect your data and get advanced backup and recovery options.