Chat now with support
Chat with Support

NetVault Plug-in for Microsoft 365 14.0 - User Guide

Introducing NetVault Plug-in for Microsoft 365 Installing and removing the plug-in Configuring the plug-in Backing up data Restoring data Troubleshooting

Auto configuration of Azure application

Auto configuration of Azure application

Plug-in for Microsoft 365 supports the auto-configuration of the application on the Azure portal. This feature automatically adds API permission, provide grant admin consent, and enable public client flow to the generated application without human intervention.

To auto configure the application
1
In the Navigation Pane, click Create Backup Job, and click next to the Selections list.
2
In the selection tree, open the applicable client node.
3
Click Plug‑in for Microsoft 365, and select Add Tenant from the context menu.
4
On the Add Tenant page, select Auto Config Application from the Configuration Method.
5
Enter the following details for Auto Config:
Application Name
Global Admin Username
Global Admin Password
6
Click OK to automatically configure the application.

 

* 
NOTE: Auto Config application feature works with AzureAD version 2.0.2.140. If you have a higher version of AzureAD (2.0.2.180) already installed on your system, the feature will fail to grant the admin consent to delegated permissions.
 
* 
NOTE: To perform SharePoint Online backup and restore using an application created with the auto-config requires assigning permission to SharePoint Online CSOM API.
Refer procedure mentioned in the section Preparing SharePoint Online for backup and restore.

 

Adding a certificate for configuration

Plug‑in for Microsoft 365 supports certificate-based authentication. NetVault uses certificate thumbprint to fetch the private key from the Windows Certificate Manager.

Microsoft recommends certificate-based authentication over the domain, key, and access key method. Reasons for using a certificate to authenticate include:
Credential rotation is prone to human error.
Certificates last longer than credentials (mostly more than one year).
Using a certificate shares responsibility with Microsoft Credential Manager (Windows OS), Certificate Authority, and Azure AD.
It is the highest level of security for Microsoft Graph Client.
It has reliable credential encryption for compliance.

Before you add the certificate to your configuration as a means for authenticating, complete the following processes.

To add a certificate for configuration
1
Creating a self-signed certificate using PowerShell
2
Adding a certificate in the Azure AD admin portal
3
Importing a self-signed certificate to the local machine certificate store
Creating a self-signed certificate using PowerShell
To create a self-signed certificate using PowerShell
1
Run the following script as an administrator:
# --- config start
$dnsName = "mytenant.sharepoint.com" # Your DNS name
$password = "Come up with something secure!" # Certificate password
$folderPath = "C:\temp" # Where do you want the files to get saved to? The folder needs to exist.
$fileName = "mycert" # What do you want to call the cert files? without the file extension
$yearsValid = 10 # Number of years until you need to renew the certificate
# --- config end
 
$certStoreLocation = "cert:\LocalMachine\My"
$expirationDate = (Get-Date).AddYears($yearsValid)
 
$certificate = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation $certStoreLocation -NotAfter $expirationDate -KeyExportPolicy Exportable -KeySpec Signature
 
$certificatePath = $certStoreLocation + '\' + $certificate.Thumbprint
$filePath = $folderPath + '\' + $fileName
$securePassword = ConvertTo-SecureString -String $password -Force -AsPlainText
 
Export-Certificate -Cert $certificatePath -FilePath ($filePath + '.cer')
Export-PfxCertificate -Cert $certificatePath -FilePath ($filePath + '.pfx') -Password $securePassword
Adding a certificate in the Azure AD admin portal
To add a certificate in the Azure AD admin portal
1
Login to the Azure AD admin portal.
2
Go to Certificates & secrets.
3
Click Upload certificate.
4
Select the .cer file you generated with the PowerShell script, and click Add.
5
Note the thumbprint that appears. You will need it for Entering the configuration details in the plug-in.
Importing a self-signed certificate to the local machine certificate store
To import a self-signed certificate to the local machine certificate store
1
In Windows, run MMC.
2
Click File,
3
Click Add/Remove Snap-in.
4
In the Add or Remove Snap-ins window, select Certificates and then click Add.
5
When prompted, select the computer account and then click Next.
6
Select Local computer (selected by default) and then click Finish.
7
In the Add or Remove Snap-ins window, click OK.
8
In the MMC main console, expand the certificate snap-in by clicking the plus (+) symbol.
9
Navigate to the Personal | Certificates pane.
10
Open the Certificate Import Wizard by right-clicking within the Certificates panel and clicking All Tasks | Import.
11
To import the private key alone with a password, follow the Certificate Import Wizard.
 
* 
NOTE: For SharePoint Online backup and restore, the private key should reside in the Personal folder with certificates managed on the local computer.

Using the Microsoft 365 admin portal to obtain configuration details

Alternatively, you can obtain configuration information from your Microsoft 365 admin portal, and enter the information in the configuration section for the plug-in.

To use the Microsoft 365 admin portal obtain configuration details
1
Go to admin.microsoft.com.
2
In the navigation pane on the left, click Show All and then select Azure Active Directory from the list.
3
In the Azure Active Directory admin center, under All services, click Azure Active Directory.
4
In the MANAGE section, click App registrations, and then click New registration.
5
Complete the following fields:
Name: Enter a name for the NetVault plug-in, such as PluginMicrosoft365.
Supported account types: To specify who can use this application or access this API, select Account in any organizational directory (Any Azure AD directory - Multitenant).
Redirect URI: Enter the URI that you use for interacting with NetVault, such as https://<machineName>:8443.
6
Click Register, and note the Application ID listed on the page that appears.
Quest strongly recommends that you record this information, for example by copying it to a text file and saving that file.
7
On the Overview page, under Manage, click Authentication.
8
In the Advanced settings section, next to Allow public client flows, select Yes.
9
In the Manage section, click API permissions.
10
In API permissions, click Add a permission.
11
Choose one of the following options:
Select an API: To use this method, select Microsoft Graph or SharePoint, and then click Select.
Select permissions: To use this option, complete the following steps:
a
Select Application Permissions, and then select the following items:
Calendars.Read
Calendars.ReadWrite
ChannelMember.ReadWrite.All
ChannelMessage.Read.All
Directory.ReadWrite.All
Files.Read.All
Files.ReadWrite.All
Group.Read.All
Group.ReadWrite.All
Mail.Read
Mail.ReadWrite
MailboxSettings.Read
MailboxSettings.ReadWrite
Reports.Read.All
Sites.FullControl.All
Sites.Manage.All
Sites.Read.All
Sites.ReadWrite.All
Team.ReadBasic.All
TeamMember.ReadWrite.All
TeamSettings.Read.All
TeamSettings.ReadWrite.All
User.Read.All
User.ReadWrite.All
b
Select Delegated Permissions, and then select the following items:
ChannelMessage.Read.All
Group.ReadWrite.All
User.Read (this permission is added by default for the registered App)
c
Click Add permissions.
d
To assign permissions to the Plug‑in for Microsoft 365 after the plug-in is configured, click Grant permissions on the Required permissions tab, and click Yes when the confirmation message appears.
 
* 
NOTE: To back up and restore Azure AD service principals, the registered application used for the configuration of the plug-in must be the Global Administrator and the Application Administrator.
NOTE: Lack of ‘Team’ permission results in inaccessible and partial backup of Microsoft Teams application.
12
On the Manage tab, in the Certificates & secrets section, click New client secret to create passwords for the plug-in to use.
13
Enter a description and select a time period option.
Optionally, you can determine a specific time for when the password is active by selecting a start date and an end date.
14
Click Add and note the information in the VALUE box.
Quest strongly recommends that you record this information, for example by copying it to the same text file that you created and saved earlier.
 
* 
IMPORTANT: You cannot retrieve this key at a later time. If you do not record it for reference when you configure the plug-in, you have to generate a new key.
15
To identify the domain name used for Microsoft 365, click Azure Active Directory again in the navigation pane on the left.
16
Click Overview, and note the domain name.
 
* 
NOTE: Quest recommends that you record this information, for example by copying it to a text file and saving that file.

Preparing SharePoint Online for backup and restore

Preparing SharePoint Online for backup and restore

Before you can protect your SharePoint Online data with Plug‑in for Microsoft 365, you must assign permission for the SharePoint Online CSOM API.

To prepare SharePoint Online for backup and restore
1
Open the SharePoint Online Tenant site with the Tenant Administrator account. For example: https://<tenant>-admin.sharepoint.com/_layouts/15/appinv.aspx.
2
In the App Id text box, enter the Client ID generated from Azure Active Directory.
3
Click Lookup.
4
Under App Domain, enter www.localhost.com.
5
Under Redirect URL, enter https://www.locahost.com.
6
Under Permission Request XML, enter the following XML script:
<AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" /> </AppPermissionRequests>
7
Click Create.
8
In the dialog, click Trust It.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating