Preparing for SaaS application data protection
Before you start protecting your Microsoft M365 Groups data, complete the following steps:
Getting familiar with your SaaS application specifics
Before you start protecting your Microsoft M365 Groups data, you must get familiar with all prerequisites, limitations, considerations, and/or recommendations in this topic to make sure that your module is prepared and configured correctly.
Prerequisites
- Before you add the module to R-Cloud as a source:
  - You must have the Microsoft Entra tenant ID of the environment that you want to protect.
  - You must already have an AWS account, an Azure resource group, or a Google Cloud project added as a source. For instructions, see Adding sources.
- When adding the module as a source in R-Cloud:
  - Under Application Credentials, select the HYCU-managed application from the drop-down menu.
  - If you prefer to use a custom application, first complete the custom application registration in Microsoft Entra ID.
  - Add the cloud account in R-Cloud and select the corresponding application credentials.

  For instructions, see Adding an R-Cloud module and Adding OAuth 2.0 application credentials.
Limitations
Due to Microsoft Graph API limitations:
- For all the restored posts, the consented user is set as the sender, and the original sender’s name is appended to the post body.
- During the restore procedure, all To and CC recipients are consolidated and added to the ToRecipients field.
- The original sent date and time will not be preserved for conversations and posts. Instead, the original timestamp will be appended to the body of the restored post.
- Protecting the Deleted Items is not supported.
- Custom folders are not supported for the backup or restore operations.
Considerations
- The consented user is temporarily added to the group to perform the backup and restore operations, and then removed after the procedure is complete.
- As a part of the restore process, the recipients list is updated by removing the consented user and all the users who are already members of the group for both the group-level and the conversation-level restores.
- During the post-level restore, the restored posts will be added as replies to the first post in the conversation.
- After events are restored, the attendees are added as attachments.
Custom application registration in Microsoft Entra ID
Create the module as a custom application in Microsoft Entra ID. For instructions, see Microsoft Entra ID documentation on how to register an application in Microsoft Entra ID.
- When creating the custom application, add the redirect URI in the following format:
  https://authentication.r-cloud.hycu.com/api/v2/oauth/callback/handleConsentGrant/
  For details, see Microsoft Entra ID documentation on how to add a redirect URI to your application.
- The application must be assigned the following permissions:
  - Microsoft Graph
    - Group.ReadWrite.All (Delegated)
    - GroupMember.ReadWrite.All
    - GroupSettings.ReadWrite.All
    - LicenseAssignment.Read.All
    - User.ReadBasic.All
    - Application.Read.All
    - User.Read.All
    - Only if protecting the role-assignable groups.
      - RoleManagement.ReadWrite.Directory
  - Office 365 Exchange Online
    - Exchange.ManageAsApp
    - full_access_as_app
- The client secret must be generated. For instructions, see Microsoft Entra ID documentation on how to add and manage application credentials. Keep a record of the client secret value. It will not be shown again once you navigate away from the page.

Important: The client ID, tenant ID, and client secret are required when adding the module as a source in R-Cloud.
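The following is an added example, not HYCU or Microsoft code: it reads the permission claims (`roles` and `scp`) from access tokens issued to the custom application and reports which permissions from the list above are missing and which are granted in excess of it, including RoleManagement.ReadWrite.Directory when role-assignable groups are not protected. The function names, the sample token, and the `aud` values in `AUDIENCES` are assumptions to adjust for your tenant.

```python
import base64
import json

# Permission names copied from the list above, keyed by resource API.
REQUIRED = {
    "Microsoft Graph": {
        "Group.ReadWrite.All", "GroupMember.ReadWrite.All",
        "GroupSettings.ReadWrite.All", "LicenseAssignment.Read.All",
        "User.ReadBasic.All", "Application.Read.All", "User.Read.All"},
    "Office 365 Exchange Online": {"Exchange.ManageAsApp", "full_access_as_app"},
}
# Needed only when role-assignable groups are protected.
CONDITIONAL = {"Microsoft Graph": {"RoleManagement.ReadWrite.Directory"}}
# Assumption: token audiences (aud claim) for the two resource APIs.
AUDIENCES = {"https://graph.microsoft.com": "Microsoft Graph",
             "https://outlook.office365.com": "Office 365 Exchange Online"}

def token_permissions(jwt):
    """Return (resource, permission names) read from an access token.
    The signature is NOT verified: audit-only, for tokens you requested."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    resource = AUDIENCES.get(str(claims.get("aud", "")).rstrip("/"), "unknown")
    # Application permissions arrive in "roles", delegated ones in "scp".
    return resource, set(claims.get("roles", [])) | set(claims.get("scp", "").split())

def audit(tokens, role_assignable_groups=False):
    """Per resource, list permissions missing from or in excess of the page's list."""
    granted = {}
    for jwt in tokens:
        resource, perms = token_permissions(jwt)
        granted.setdefault(resource, set()).update(perms)
    report = {}
    for resource in sorted(set(REQUIRED) | set(granted)):
        expected = REQUIRED.get(resource, set()) | (
            CONDITIONAL.get(resource, set()) if role_assignable_groups else set())
        have = granted.get(resource, set())
        report[resource] = {"missing": sorted(expected - have),
                            "excess": sorted(have - expected)}
    return report

def fake_token(claims):
    """Build an unsigned, constructed sample token (not a real credential)."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return "e30." + body.decode() + ".sig"

# Constructed sample: a Graph token that also carries the conditional permission.
SAMPLE = [fake_token({"aud": "https://graph.microsoft.com",
                      "roles": sorted(REQUIRED["Microsoft Graph"])
                               + ["RoleManagement.ReadWrite.Directory"]})]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Because no Exchange Online token is supplied in the sample, both Exchange permissions are reported as missing; pass one token per resource API to get a complete report.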
Specifying configuration properties for SaaS applications
Before you start protecting SaaS applications, you can adjust SaaS application protection to the needs of your data protection environment by configuring protection settings in R‑Cloud. You can specify configuration properties for a single SaaS application or for multiple SaaS applications at the same time.
Important: Specifying configuration properties is not supported for all types of SaaS applications. Additionally, the list of available configuration properties varies depending on the type of your SaaS application.
Configuration properties
| Property | Description |
|---|---|
| Exclude Resources | Enables you to specify one or more resources to be excluded from the backup. |
| Options | Enables you to use configuration properties specific to each SaaS application or SaaS application resource (for example, if you are protecting Google Cloud SQL, you can set the offload option that enables R‑Cloud to delegate the export operation to a separate data mover). |
| Data Movers | Enables you to assign a data mover configuration to specify the location (compute and the networking details) where data movers will be created. |
Prerequisites
- For SaaS applications in Google Cloud: Specifically for the HMSA, R‑Cloud requires additional permissions. For details, see Google Cloud permissions required by R‑Cloud.
- The data mover configuration must ensure that the data mover will have access to the SaaS applications that you want to protect and to the targets that store the protected data.
  You can check under which subnet the SaaS applications and the targets are accessible in your cloud provider management console.
Considerations
- Only if you use a data mover configuration with the SaaS instance. Assigning a data mover configuration to SaaS applications by specifying the configuration properties takes precedence over enabling the Use data mover configuration switch as part of adding a SaaS instance.
- If you do not specify the Data Movers configuration property, the default properties are:
  - For the SaaS applications that do not run natively in AWS, Azure, or Google Cloud and whose R-Cloud module does not require using compute: The HYCU Managed data mover configuration is preselected, which means that the data movers will be created in the HYCU managed cloud accounts.
  - For all other SaaS applications: The Automatic data mover configuration is preselected, which means that the data movers will be created in the original SaaS instance location or in the compute that you added to R‑Cloud as described in Adding compute.
- Only if you plan to store the protected SaaS application data on an Azure target. For security purposes, it is recommended that you specify SaaS application configuration properties so that R‑Cloud creates the data mover in the Azure resource group to keep the protected data in the same Azure environment during the backup.
Recommendation
If you plan to use targets for storing the protected data, optimize the egress data costs by specifying SaaS application configuration properties so that the data mover uses the same region as the target.
Note: R‑Cloud performs automatic synchronization of SaaS applications at periodic intervals. However, you can also update the list of SaaS applications manually at any time by clicking Refresh.
To access the SaaS panel, in the navigation pane, click SaaS.
- In the SaaS panel, select one or more SaaS applications for which you want to specify configuration properties.
- Click Configuration. The SaaS Configuration dialog box opens.
- Depending on what you want to do, perform the required action:

  | I want to... | Instructions |
  |---|---|
  | Exclude resources from the backup. | On the Exclude Resources tab, select the resources that you want to exclude from the backup. |
  | Use a configuration property specific to my SaaS application or resource. | On the Options tab, specify which of the available configuration properties you want to use and provide the required information. |
  | Assign a data mover configuration to the selected SaaS applications. | On the Data Movers tab, from the Data Movers drop-down menu, select the preferred data mover configuration. By clicking Add New, you are automatically redirected to the dialog box that enables you to add a data mover configuration, if not already added. For details, see Creating a data mover configuration. |

- Click Save.