Configuring o365 mailbox protection with Commvault

With each new service pack released, the process for protecting mailbox content hosted in Microsoft o365 is further refined.  The release of SP12 brings the following changes:

  • Combined & simplified agent install. Rather than choosing “Mailbox” or “Database” etc the binaries are combined into a single “Exchange” client.
  • If you need the OWA proxy enabler or Offline mining tool, these are available as separate installs.
  • No need for the scheduled tasks to update the service account permissions on new mailboxes.

This post will focus on “Exchange Mailbox Agent User Mailbox Office 365 with Exchange Using Azure AD Environment” as detailed on the official documentation here.


There’s a few things to set up before you can start protecting the mailboxes. These are summarised below and detailed in the following sections.


  • Server to install the Commvault Exchange agent
  • Administration account for Office365
  • Exchange Online Service account
    • Must be an online mailbox
    • Setup via
  • Local System Account
    • Member of Local administrators on machine


  • Index Server
  • Job Results Directory
    • Must be a UNC Path
  • Mailbox Configuration Policies
  • Storage Policy


Microsoft Tenant Configuration

  1. Connect to o365 with Powershell
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session

    You’ll be prompted for a username and password, use the Administration account for Office365 mentioned in the prerequisites.

  2. Run the following commands:
    set-ExecutionPolicy RemoteSigned

    You may at this point see the following:
    enable-orgCustNot a problem, just continue to the next step.

  3. You now need to provide the service account (the one with the online mailbox mentioned earlier) with view only recipient permissions.
    New-RoleGroup -Name "ExchangeonlinebackupGrp" -Roles "ApplicationImpersonation", "View-Only Recipients" -Members svcCommvault
  4. Register the o365 application with Exchange using AzureAD, do this via
    1. Goto Azure Active Directory (left hand side)
    2. Choose App Registrations
    3. Select New Application Registration
    4. Complete the fields as follows (feel free to use a different name)
    5. Click Create.
    6. Note down the Application ID (you’ll need this later to set up the pseudoclient)
    7. Click the Settings button once the app is created, Select the properties button on the right hand side.
    8. Scroll to the bottom and change Multi-tenanted to yes.
    9. Click Save
    10. Select Settings–>Keys
    11. You’re going to create a new key, complete the form as follows, adjust the first two fields as you see fit:
      Click Save.
    12. Copy the Key value & description, you’ll need this later. May be worth remembering the expiry date too.
    13. Now select the Required Permissions menu. Click Add.
    14. Choose Select an API then Microsoft Graph
      Click Select.
    15. Scroll down to Read Directory data, check the box and click Select.
    16. Click Done then Grant Permissions. Click Yes when prompted.
    17. On the left hand side, click Azure Active Directory then Properties. Note down the value in the Directory ID field.

Commvault Configuration

Now it’s time to ensure you have the Exchange Policies, Index Server, Job Results Folder & Storage Policy setup. The latter 3 of these tasks are already well documented however the following should be noted:

  • The Job results directory needs to be shared (i.e. \\UNC Path) visible to all mailbox backup proxies
  • The primary copy retention  Retention for the mailboxes is governed by the Retention Policy and not by the Storage Policy as is typical with other agents. For this reason it is worth having a separate storage policy for the mailbox backups.
  • The mailbox agent index server should not be the MediaAgent responsible for you’re library and storage policies.
  • The mailbox pseudoclient to index server is a 1:1 relationship. It is possible via a registry key to have multiple pseudoclients use the same index server, however; if the multiple pseudoclients have any crossover you will very likely experience data loss.
  • Review the index store requirements before deploying the index server. If you’re doing this in a lab you can ususally start small and ramp up the specs on-the-fly.
  • You must have a web server installed in your environment, typical Commcells have this installed on the CommServe however larger CommCells split this role out to a dedicated server.

Exchange Policies

This is a copy from my previous post but the information is still valid:

The four new policy types are as follows:

  • Archiving – Archive is the new Backup. This policy dictates what messages will be protected, it has no effect on stubbing.
  • Cleanup – If you are archiving, this is where it is configured.
  • Retention – Primary Copy retention is configured here and will override any retention settings configured in the storage policy. Secondary copies will still adhere to the Storage Policy values.
  • Journal – The new compliance archive. Use this for journal mailboxes.

Policies are configured under Policies, Configuration Policies, Exchange policies as shown below:


Only configure the policies you need, for a standard mailbox backup (no archive) setup, your policies listing may look like this:


Creating the Index Server

To create the logical Index Server (assuming you’ve installed the index store package) do the following:

  1. From the Commvault Console, right click Client Computers –> Index Servers and select New Index Server.
  2. Complete the fields on the General tab. If possible ensure the drive nominated for the Index Directory is formatted as 64kb block size. The Storage Policy, although optional; is used to backup the index.
  3. On the Roles tab, click Add, select Exchange Index, and move it to the Include field.
  4. On the Nodes tab; add the server on which you installed the Index Store package.
  5. Click OK. There will be a delay while the index is created, you may notice the following status on the bar at the bottom of the screen
    Cloud reation in Progress

Creating the Mailbox Client

You’ll need to have the Index server & policies ready before continuing to the mailbox client creation.

  1. Right click the CommServe name at the top of the CommCell Browser on the right hand side and select All Tasks –> Add/Remove Software –> New Client.
  2. Expand Exchange Mailbox and select User Mailbox.
  3. Complete the fields as shown below. Note: I have used the index server to host the job results directory which isn’t best practice, but OK for a lab.
  4. On the access nodes page, select a client (or clients) that has the Commvault Exchange package installed.
  5. On the Environment Type page, choose Exchange Online (Access Through Azure Active Directory).
  6. On the Azure App Details page enter the following:
    1. Application ID:  as noted down earlier
    2. Key Value: As described (The auto generated key)
    3. Azure Directory ID: Noted down earlier
  7. On the service account settings page you’ll need to add 2 accounts:
    1. The Exchange online service account, this is the one we granted permission to earlier.
    2. A local system account. This needs to have local admin rights on your exchange proxy(ies).
  8. Optional: On the Recall Service, enter the URL for your web server as shown below. This is only used if Archiving or Content store viewer is implemented.
  9. Click Finish!
  10. To test that you are able to query the instance for its mailboxes navigate to MailboxAgent –> ExchangeMailbox –> User Mailbox and click the Mailbox Tab at the bottom of the screen.
  11. Right Click in the white space above the Tabs and choose New Association – User.
  12. On the Create New Association box, click Configure then Discover (Choose Yes at prompt).
  13. If your expected list of mailboxes appears, you’re doing it right!list mailboxes

The next step is to configure the auto associations. This can be easily achieved by following the official instructions here.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s