Protecting SharePoint Online with Commvault

Commvault can protect SharePoint Online. To configure it you will need the following:

  • Commvault v11 SP9 (SP8 works but SP9 is revamped & recommended)
  • A proxy client (Cannot be the same client used to protect mailboxes)
  • AD service account with admin rights to the proxy VM
  • A Global Administrator Account for Office365 (portal.office.com)
    • This must also be a Site Collection Administrator
      • This can be done manually or using a script such as http://www.sharepointdiary.com/2015/08/sharepoint-online-add-site-collection-administrator-using-powershell.html
  • An Azure Storage account (portal.azure.com)

  1. Create a proxy VM with internet or direct access to SharePoint Online. Server 2012R2 seems to be the safest option compatibility wise (at the time of writing). Update, domain join and add the AD service account to the local Administrators group.
  2. Ensure Microsoft .NET Framework 4.5 and PowerShell 3.0 are installed.
  3. Install the SharePoint agent. This can be done either interactively or pushed via the CommCell console.
  4. Log onto the proxy VM with your AD service account. Install the SharePoint Online Management Shell: navigate to C:\Program Files\Commvault\ContentStore\Base (or wherever the SharePoint agent is installed) and run spoms.msi
  5. Using the CommCell console, right click on the SharePoint client under the proxy and click Properties. Change the account to use the service account with admin rights to the proxy VM.
  6. Back on the proxy VM, run the following command from an elevated command prompt (navigate to the Commvault\ContentStore\Base directory first).
    CVSPWebPartInstallerLauncher.exe /registerassemblies -vm Instance001
  7. Restart the Commvault services on the Proxy VM.
  8. Create the o365 backup set. From the CommCell console, right click on the SharePoint Server client beneath the proxy and choose Create New BackupSet. Select Office365 as the ‘Document Level’.
  9. Right click on the new backup set and select properties. Use the Office 365 tab to enter the credentials and Tenant admin site URL.
    1. Login Credential username should be entered in email format.
    2. Tenant Admin site URL should be in the format https://mysitename-admin.sharepoint.com
    3. Azure Credentials refer to the storage account created at portal.azure.com. Note that this requires specific Azure subscriptions and is used during the restore process only.
  10. You can now configure the subclient content and assign a storage/schedule policy. Splitting the subclients can help with throughput. If you experience failures, check that the account (the Global Administrator account) has Site Collection Administrator rights to each of the site collections. This can be done manually via the SharePoint admin center or via a PowerShell script (however I haven’t tried the script at the time of writing).
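
To find the site collections behind such failures, the following added example (not part of the original post or of Commvault's tooling) reports every site collection where the backup account is not a Site Collection Administrator. It is read-only; the admin URL and login name are placeholders, and it assumes the SharePoint Online Management Shell from step 4 is installed.

```powershell
# Added example: audit Site Collection Administrator coverage for the backup account.
# Read-only. $AdminUrl and $BackupAccount are placeholders, not values from the post.
$AdminUrl      = 'https://mysitename-admin.sharepoint.com'   # format from step 9
$BackupAccount = 'backupadmin@mysitename.onmicrosoft.com'    # placeholder login

function Get-SiteAdminGap {
    param([Parameter(Mandatory)] [string] $LoginName)

    foreach ($site in Get-SPOSite -Limit All) {
        $status = 'OK'
        try {
            $user = Get-SPOUser -Site $site.Url -LoginName $LoginName -ErrorAction Stop
            if (-not $user.IsSiteAdmin) { $status = 'NotSiteCollectionAdmin' }
        }
        catch {
            # Raised when the account is unknown to the site or the caller is denied access
            $status = 'NotFoundOrAccessDenied'
        }
        if ($status -ne 'OK') {
            [pscustomobject]@{ Site = $site.Url; Status = $status }
        }
    }
}

Connect-SPOService -Url $AdminUrl -Credential (Get-Credential)
try {
    $gaps = @(Get-SiteAdminGap -LoginName $BackupAccount)
    if ($gaps.Count -eq 0) {
        'Backup account is Site Collection Administrator on every site collection.'
    }
    else {
        $gaps | Sort-Object Site | Format-Table -AutoSize
    }
}
finally {
    Disconnect-SPOService
}
```

Site collections created after the initial setup are the usual gaps, so this is worth re-running whenever a SharePoint subclient starts failing.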

Backing up Office365 Mailboxes with CommVault

If litigation hold isn’t enough of a retention method for your Office365 mailboxes, Commvault v11 gives you the option of mailbox backups using a traditional mailbox agent. At the time of writing this process has much room for improvement: it’s slow and fairly cumbersome to configure. However, it does work.

SP8 also introduces the new pseudoclient style agent for mailbox backups, where multiple proxies can be placed under a single client (similar to the virtual server agent). However, as this is still early release, this post focuses on the traditional mailbox agent method.

Prerequisites

Proxy Client

The proxy client is used to connect to O365 and use its installed Outlook client to stream messages back to the ContentStore.

  • Windows service account. Needs to be local admin on the proxy.
  • Office 2013 x64 SP1 or above + Updates
  • If you are using a hybrid (On-prem & Online) you must use a separate proxy for both. This guide is aimed at an online-only deployment.
  • .NET Framework 3.5
  • Disable UAC

Commvault Books Online provides the following examples when sizing how many proxies to use:

Example 1
If your Office 365 with Exchange environment includes 300 mailboxes:

  • Create 5 subclients.
  • Assign 60 mailboxes to each subclient.
  • Use one proxy server.
  • Use one Online Service account.

Example 2
If your Office 365 with Exchange environment includes 3000 mailboxes:

  • Create 30 subclients.
  • Assign 100 mailboxes to each subclient.
  • Use two proxy servers (15 subclients per proxy server).
  • Use two Online Service accounts (one per proxy server).

Office365

Office365 requires a few changes to allow mailboxes to be accessed and protected.

  • Global Administrator account with access to all mailboxes
    • Update: Make sure you limit the number of “special” characters in the password. Stick with @ and # if possible, as of SP8 some of the others cause issues.
  • Connection initiated from proxy via PowerShell – details here

Configuration

Office365

Proxy Client

  • Log on using the windows service account.
  • Install the OS & Outlook x64. In this example I’m using Server 2012R2 with Outlook 2013 64bit SP1. Ensure all updates are installed before continuing. For supported OSes and Outlook editions click here. Note: at present “click to run” editions of Office are not supported.
  • Install .NET Framework 3.5
  • Connect to Office365 and apply permissions to mailboxes. Using an elevated PowerShell prompt, run the following commands:
    # Allow locally created scripts to run (needed for the imported session module)
    Set-ExecutionPolicy RemoteSigned
    # Prompt for the Office365 administrator credentials
    $UserCredential = Get-Credential
    # Open a remote session to Exchange Online and import its cmdlets
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session

This will allow you to run PowerShell commands on your Exchange Online environment.

  • Apply Full Access rights to all mailboxes for the service account you will be using for mailbox backup. If you are using more than one proxy, you will need more than one service account.
    Get-Mailbox -ResultSize unlimited | Add-MailboxPermission -User "<service_account>" -AccessRights FullAccess -InheritanceType all -AutoMapping:$false
  • If you want to apply permissions to a specific mailbox you can use:
    Add-MailboxPermission -Identity "<mailbox_name>" -User "<service_account>" -AccessRights FullAccess -InheritanceType all -AutoMapping:$false
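
The bulk grant only touches mailboxes that exist when it runs, and it gives one account read access to every mailbox, so its actual scope is worth checking. The following added example (not from the original post) lists which mailboxes the service account can and cannot open; it assumes the Exchange Online session imported above is still open, and the account name is a placeholder.

```powershell
# Added example: report FullAccess coverage for the backup service account.
# Read-only. Assumes the imported Exchange Online session is still open.
$ServiceAccount = 'svc-backup@example.onmicrosoft.com'   # placeholder account

function Get-FullAccessCoverage {
    param([Parameter(Mandatory)] [string] $User)

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $id = "$($mbx.PrimarySmtpAddress)"
        # Keep only allow entries for this user that include FullAccess
        $grants = @(Get-MailboxPermission -Identity $id -User $User |
            Where-Object { -not $_.Deny -and (($_.AccessRights -join ',') -match 'FullAccess') })

        [pscustomobject]@{
            Mailbox       = $id
            Type          = "$($mbx.RecipientTypeDetails)"
            HasFullAccess = ($grants.Count -gt 0)
        }
    }
}

$coverage = @(Get-FullAccessCoverage -User $ServiceAccount)
$missing  = @($coverage | Where-Object { -not $_.HasFullAccess })

'{0} mailboxes checked, {1} readable by {2}, {3} not' -f `
    $coverage.Count, ($coverage.Count - $missing.Count), $ServiceAccount, $missing.Count

# Mailboxes the backup will fail on (or that were deliberately excluded)
$missing | Sort-Object Mailbox | Format-Table Mailbox, Type -AutoSize
```

Keeping the output of each run gives a record of exactly which mailboxes this account can read.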

It is not necessary for the PowerShell session to remain open during the backup process. Once you have finished setting permissions, close the PowerShell session using the following command. This avoids using up the sessions available to you.

    Remove-PSSession $Session
  • Create the Outlook profile using Control Panel – Mail. Name the profile the same as the O365 account alias (before the @).
  • Ensure the profile doesn’t use cached mode. Once you have created the profile, start Outlook and when prompted for credentials, ensure the “Remember Credentials” option is selected.
  • You now need to ensure Outlook uses RPC/HTTP as opposed to MAPI/HTTP to connect. Using regedit, navigate to HKEY_CURRENT_USER\Software\Microsoft\Exchange. Right click Exchange and choose New DWORD.
  • Name the new DWORD MapiHttpDisabled and give it a value of 1.
  • Open outlook and use Ctrl+Right click to select the Outlook icon in the taskbar. Click Connection Status.


  • The Protocol column in the Outlook Connection Status window should read “RPC/HTTP”. If it doesn’t, double check the previous registry change and restart Outlook.

CommVault Mailbox Agent

The CommVault mailbox agent (traditional, not archiver) can be pushed from the central CommServe. Before doing so, you’ll need to add the “bEnableExchangeOnline” additional setting to the CommCell (top level) as shown below:

  • Right click on the CommCell name in the CommCell browser window and choose Properties.
  • On the Additional Settings tab, add the bEnableExchangeOnline key with a value of true.


Once that’s done you’re ready to deploy the mailbox agent to your proxy VM (the same place that you installed Outlook). To deploy, follow the instructions below:

  • Choose Tools from the CommCell ribbon and Select Add/Remove software.
  • Use the wizard to deploy the Exchange Mailbox software to the proxy, selecting defaults along the way. When prompted for exchange details, ensure the entries are blank & simply click Next.
  • You can monitor the installation progress from the job monitor.

Once the software has been installed, you can configure the proxy client as follows. Do this from the Commvault console; you may have to press F5 to refresh the clients view.

  • Right click the Exchange Mailbox (Classic) agent under the proxy client and choose Properties.


  • Enter the Exchange Administrator account using the “Change Account” button higher up the page. This is the service account you used to log onto the proxy and configure the Outlook profile.
  • Select “Exchange Online”, click OK on the warning.
  • Enter the profile name used on the proxy.
  • Click the lower “Change Account” button. Enter the full SMTP address and password for the exchange online service account.
  • Click OK to return to the main CommServe screen. Right click on the proxy client and choose properties.
  • Click “Advanced” and select the “Additional Settings” tab. Add the following Keys:
    • nMailboxesperSession = 1
    • nRestartMAPIOnNetworkError = 1
    • nSkipUserImpersonation = 1
    • nExchangeOnlineOnly = 1


Disable User Impersonation

Now that the mailbox client & agent are configured, the logon user for the CommVault services on the proxy needs to be adjusted.

  • Log onto the proxy VM. Open services.msc from the Run command.
  • Adjust the Log On As properties for the following services to reflect the windows service account.
    • Commvault Communications Service
    • Commvault Client Event Manager
    • Commvault Communications Service
  • If prompted to allow Log On As rights, click OK. Restart the services once complete.
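
The two proxy-side settings that are easiest to get wrong can be checked from PowerShell. This is an added example, not part of the original post: the account name is a placeholder, and the service display names are taken from the list above and matched by prefix on the assumption that the installed names may carry an instance suffix.

```powershell
# Added example: verify the MapiHttpDisabled value and the Commvault service
# logon account. Run on the proxy VM while logged on as the Windows service
# account, because MapiHttpDisabled lives in that user's HKCU hive.
$ServiceAccount = 'EXAMPLE\svc-cvproxy'   # placeholder, use your service account

function Test-ProxyConfig {
    param([Parameter(Mandatory)] [string] $Account)

    # Outlook is forced to RPC/HTTP by HKCU\Software\Microsoft\Exchange\MapiHttpDisabled = 1
    $mapi = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Exchange' `
                -Name MapiHttpDisabled -ErrorAction SilentlyContinue
    $actual = '<not set>'
    if ($mapi) { $actual = $mapi.MapiHttpDisabled }
    [pscustomobject]@{
        Check  = 'MapiHttpDisabled = 1'
        Actual = $actual
        Pass   = ($actual -eq 1)
    }

    # Services named in the list above should log on as the service account
    $filter = "DisplayName LIKE 'Commvault Communications Service%' " +
              "OR DisplayName LIKE 'Commvault Client Event Manager%'"
    $services = @(Get-CimInstance -ClassName Win32_Service -Filter $filter)
    if ($services.Count -eq 0) {
        [pscustomobject]@{ Check = 'Commvault services present'; Actual = 'none found'; Pass = $false }
    }
    foreach ($svc in $services) {
        [pscustomobject]@{
            Check  = "Log on account: $($svc.DisplayName)"
            Actual = $svc.StartName
            # StartName is compared as typed (DOMAIN\user); adjust if you used user@domain
            Pass   = ($svc.StartName -ieq $Account)
        }
    }
}

Test-ProxyConfig -Account $ServiceAccount | Format-Table -AutoSize
```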


Add Content

Content is added via subclients in the same way you would with many other agents. As described in the prerequisites section, in order to get the best throughput from your mailbox backups, it would be wise to split the mailboxes into multiple subclients. In this example I have split the content into 4 subclients; in a real life scenario I would recommend considerably more.


The subclients are split by first letter, resulting in any mailboxes with the alias starting with A-F being picked up by the one subclient, any with their alias starting with H-K selected by another etc. This is achieved by enabling “Auto Discover” on the defaultBackupSet properties as shown below.

[Screenshot: Auto Discover]

Once that’s done you can use wildcards (more detail here) to specify the content. Wildcards used for my H-K subclient are shown below:

[Screenshot: Subclient Wildcard Content]

Run Backup

Now the content is configured you can run the first backup & schedule accordingly. As stated previously if you have a lot of mailboxes this will take a while. Make sure you have sufficient subclients & proxies to suit the size of your environment. If you have multiple proxies, that means multiple accounts need to be created in O365. SP8 brings new functionality to mailbox backup which will be discussed in a later post, some simplification of the process would be a very good thing!