Prerequisites to Add Microsoft 365 Organization

To back up Microsoft 365 domain data, you need to register the Vembu Backup for Microsoft 365 application and generate an application ID and secret key.

Steps for registering the Vembu 365 application in the Microsoft Azure portal:

  • Create a new application in Azure Active Directory to connect to your Microsoft 365 organizations.

  • By default, all permissions specified under the EWS (Exchange Web Services) API and Microsoft Graph API need to be enabled to perform Microsoft 365 Backup & Recovery.

  • Enable SharePoint REST API permissions only if you want to back up and restore SharePoint List Attachments and Site Pages.

Generate Application ID

  • Sign in to the Azure Portal using your Microsoft admin account.

  • Search and locate the Azure Active Directory. On the Active Directory page, select App registrations and click on New registration.

  • The Register an application page appears. Enter the following details to register your application:

    • Name - Enter a display name for the application.

    • Supported account types - Choose the option "Accounts in this organizational directory only".

    • Redirect URI - Select Web for the type of application and enter the redirect URI as "https://localhost".

  • Finally, click on the Register button. Azure AD assigns a unique Application (client) ID, which is shown on the Overview page to which you will be redirected.

Generate Application Password

  • Select Certificates & secrets under Manage on the left pane.

  • Click on New client secret, which opens the Add a client secret page. On this page, choose Never from the Expires option and click Add. This will generate and display the application password.

Note: Make sure you copy the password as the portal will display it only once. (You can use the copy to clipboard icon to copy the password).

Permission for EWS (Exchange Web Services) API

Enable the permissions listed below to recover Microsoft 365 Mails.

  • Select API Permissions under Manage on the left pane. Click on the Add a permission option. Then, choose the Exchange option listed under Supported legacy APIs.

  • You need to provide both Delegated permissions and Application permissions.

  • Initially, select Delegated permissions. Use the search bar to find the EWS.AccessAsUser.All API and enable the checkbox to provide the permission.

  • Then, select Application permissions and enable the full_access_as_app API permission.

Permission for Microsoft Graph API

Enable the permissions listed below to access Microsoft 365 Mails, Contacts, Calendars, OneDrive, SharePoint, and Teams data.

  • Choose the Microsoft Graph listed under Commonly used Microsoft APIs. You need to provide both Delegated permissions and Application permissions.

  • Initially, select the Delegated permissions option. Use the search bar to filter the APIs listed below and enable their checkboxes to provide the API permissions.

    • Calendars.ReadWrite.Shared

    • Contacts.ReadWrite.Shared

    • Directory.ReadWrite.All

    • Files.ReadWrite.All

    • Group.ReadWrite.All

    • Mail.ReadWrite.Shared

    • Mail.Send

    • Mail.Send.Shared

    • offline_access

    • People.Read.All

    • Sites.ReadWrite.All

    • User.ReadWrite.All

    • Sites.Manage.All

    • GroupMember.Read.All

    • GroupMember.ReadWrite.All

  • Then, select the Application permissions option and enable permission for the APIs listed below.

    • Calendars.ReadWrite

    • Contacts.ReadWrite

    • Directory.ReadWrite.All

    • Files.ReadWrite.All

    • Group.ReadWrite.All

    • Mail.ReadWrite

    • Mail.Send

    • People.Read.All

    • Sites.ReadWrite.All

    • User.ReadWrite.All

    • Sites.Manage.All

    • Group.Create

    • GroupMember.Read.All

    • GroupMember.ReadWrite.All

  • Confirm that all permissions have been added to your application registration.

  • Lastly, under Configured permissions, grant admin consent by clicking the "Grant admin consent for [your organization]" button.

  • Now, you have generated both the Application ID and the Application password with all the required permissions enabled.

Note: Application Password is stored in the clipboard and the Application ID is displayed on the Overview page. 
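
A check that can follow the consent step, added here as an example and not part of Vembu's documentation: it decodes the `roles` claim of an app-only Microsoft Graph token and reports which of the application permissions listed above are missing and which roles go beyond that list. `Test-GraphAppRoles`, the helper functions and the sample token are hypothetical and constructed for illustration; the token is only inspected, not signature-validated, and the Exchange full_access_as_app role is not covered because it is issued for a different resource.

```powershell
# Application permissions this page lists for Microsoft Graph.
$RequiredGraphRoles = @(
    'Calendars.ReadWrite', 'Contacts.ReadWrite', 'Directory.ReadWrite.All',
    'Files.ReadWrite.All', 'Group.ReadWrite.All', 'Mail.ReadWrite', 'Mail.Send',
    'People.Read.All', 'Sites.ReadWrite.All', 'User.ReadWrite.All',
    'Sites.Manage.All', 'Group.Create', 'GroupMember.Read.All',
    'GroupMember.ReadWrite.All'
)

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

# Hypothetical helper: compares the 'roles' claim of an app-only token with the list above.
function Test-GraphAppRoles {
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a three-part JWT.' }
    $claims  = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $granted = @($claims.roles | Where-Object { $_ })   # empty when consent was never granted
    [pscustomobject]@{
        Missing = @($RequiredGraphRoles | Where-Object { $_ -notin $granted })
        Extra   = @($granted | Where-Object { $_ -notin $RequiredGraphRoles })
    }
}

# Constructed sample (not a real token): Group.Create is absent and one unlisted role is present.
function ConvertTo-Base64Url {
    param([string]$Text)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$sampleRoles = @($RequiredGraphRoles | Where-Object { $_ -ne 'Group.Create' }) + 'AuditLog.Read.All'
$payload     = @{ roles = $sampleRoles } | ConvertTo-Json -Compress
$sampleToken = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload), 'sig'
Test-GraphAppRoles -AccessToken $sampleToken | Format-List

# Against a real tenant (placeholders in angle brackets), request an app-only token first:
# $tok = Invoke-RestMethod -Method Post `
#     -Uri 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token' -Body @{
#         grant_type = 'client_credentials'; scope = 'https://graph.microsoft.com/.default'
#         client_id  = '<Application (client) ID>'; client_secret = '<Application Password>' }
# Test-GraphAppRoles -AccessToken $tok.access_token
```

An empty Missing list confirms that admin consent covered every Graph application permission the page requires; anything under Extra is a role the registration holds beyond this page's list.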


Permission for SharePoint REST API

Note: Follow these steps only if you want to configure backup and restore for SharePoint List Attachments & Site Pages. 

  1. To back up and restore List Attachments, perform the following steps:

    • Navigate to the appinv.aspx page on your tenant admin site using the URL: https://[tenant]-admin.sharepoint.com/_layouts/15/appinv.aspx

    • Once the page is loaded, enter the Application (client) ID generated from the Azure application and click on the Lookup button, which will auto-fill the other fields.

    • In the App's Permission Request XML field, enter the following:

      <AppPermissionRequests AllowAppOnlyPolicy="true">

      <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />

      </AppPermissionRequests>

    • Lastly, click Create, which will show a permission consent dialog. On that page, click on the Trust It button.

  2. To restore site pages, perform the following steps:

Parameters to be replaced in the command:

TenantUrl = https://<your tenant>-admin.sharepoint.com/

SiteUrl = https://<your tenant>.sharepoint.com/sites/

Your Client ID = Enter your Application (client) ID displayed on the Overview pane

Your Client Secret = Enter the Application Password that you generated and copied to the clipboard

Connect-PnPOnline -AppId 'Your Client ID' -AppSecret 'Your Client Secret' -Url 'TenantUrl'

$DenyAddAndCustomizePagesStatusEnum = [Microsoft.Online.SharePoint.TenantAdministration.DenyAddAndCustomizePagesStatus]

$context = Get-PnPContext

$site = Get-PnPTenantSite -Detailed -Url 'SiteUrl'

$site.DenyAddAndCustomizePages = $DenyAddAndCustomizePagesStatusEnum::Disabled

$site.Update()

$context.ExecuteQuery()

Disconnect-PnPOnline
