Veeam Backup for Microsoft Office 365 gathers mailbox data from an Exchange organization using Exchange Web Services and PowerShell, and stores it in the repository; data is transferred using SSL. To carry out these operations automatically, an administrator creates and schedules a backup job.
- At the initial run of the backup job, the mailbox database file and auxiliary files are created in the corresponding subfolder (named <year_of_last_modification>) of the repository. To create and work with that database, Veeam uses the Extensible Storage Engine for Windows (ESE engine). The initial job run creates a full backup of the whole mailbox content for selected mailboxes.
Any items configured as exclusions in job settings will not be backed up. Also, Veeam will not backup items older than the "age" specified in the retention settings.
All data during job session is transferred using the backup proxy.
- At each subsequent backup job run, information about the datastore structure and the mailbox data gets synchronized with the current state of the Exchange Organization, using Exchange Web Services. Each successful job run creates a restore point where the corresponding state of the mailbox datastore is kept.
These are incremental backups, that is, Veeam detects modifications of mailbox data (modified and/or new mailboxes) since the last run, and performs ‘incremental sync’. Database is processed using ESE engine.
This approach allows for increasing the performance and saving storage space.
If you want to switch organization processing from one proxy to another, consider that after this new proxy assignment the organization backup job will perform full sync with Exchange server, that is, perform full backup and create the whole datastore hierarchy in the repository anew. Also, full sync will be performed after you target a backup job to another repository.
Management server controls global configuration for all backup proxies, allowing the administrator to manage the following parameters: email notification settings (including notifications on proxies that went offline), the list of exclusions, retention for job session records, and RESTful API settings.
Veeam Backup for Microsoft Office 365 connects to on-premises Exchange organization in the hybrid or on-premises Exchange deployment using EWS and PowerShell. Authentication and secure communication of user credentials is provided as follows:
- For communication using EWS, SSL secure connection is always utilized.
- For communication using PowerShell, two methods are possible:
- Use SSL with Basic authentication. This method is recommended by Microsoft, as it provides secure communication of user credentials (account and password) inside the encrypted SSL channel (see this TechNet article for details).
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
- Use SPN (Service Principal Name) and Kerberos authentication. To use this method, it is recommended to deploy Veeam Backup for Office 365 management server in the same domain with Exchange server and provide it with access to domain controller. You may also need to map the Exchange Server to the hybrid domain.
This method cannot be used for multiple servers included in CAS.
Use the setspn command-line utility to map the Kerberos service principal name to a Microsoft account:
setspn -A HTTP/Mail.hybridDomain.com ExchangeHost
hybridDomain.com – name of the hybrid domain
ExchangeHost – name of Exchange server.
See this TechNet article for details on setspn utility.