Preparing for SaaS application data protection

Before you start protecting your Microsoft OneDrive for Business data, complete the following steps:

Preparing for SaaS application data protection
- Getting familiar with your SaaS application specifics
- Configuring SaaS application data backup options

Getting familiar with your SaaS application specifics

Before you start protecting your Microsoft OneDrive for Business data, you must get familiar with all prerequisites, limitations, considerations, and/or recommendations in this topic to make sure that your module is prepared and configured correctly.

Prerequisites

Before you add module to R-Cloud as a source, you must have the tenant ID of the environment that you want to protect.
When adding the module as a source in R-Cloud:
- Under Application Credentials, select the HYCU-managed application from the drop-down menu.
- If you prefer to use a custom application, first complete the custom application registration in Microsoft Entra.
- Add the cloud account in R-Cloud and select the corresponding application credentials.

For instructions, see Adding an R-Cloud module and Adding OAuth 2.0 application credentials.

Considerations

The backup and restore operations support the latest 50 versions of a file.
Password-protected shared links are restored with the default password qwerty123.

Custom application registration in Microsoft Entra ID

Create the module as a custom application in Microsoft Entra ID. For instructions, see Microsoft Entra ID documentation on how to Register an application in Microsoft Entra ID.

When creating the application, add the redirect URI by using in the following format: https://authentication.r-cloud.hycu.com/api/v2/oauth/callback/handleConsentGrant/. For details, see Microsoft Entra ID documentation on how to add a redirect URI to your application.
The application must be assigned the following permissions:
- Files.ReadWrite.All
- User.Read.All
The client secret must be generated. For instructions, see Microsoft Entra ID documentation on how to add and manage application credentials. Keep a record or the client secret value. It will not be shown again once you navigate away from the page.

 Important The client ID, tenant ID, and client secret are required when adding the module as a source in R-Cloud.

Configuring SaaS application data backup options

Before you start protecting SaaS applications, you can adjust SaaS application protection to the needs of your data protection environment by configuring backup options in R‑Cloud.

 Important Configuring backup options is not supported for all types of SaaS applications. Additionally, the list of available backup options varies depending on the type of your SaaS application.

Backup options

Backup option	Description
Exclude Resources	Enables you to specify one or more resources to be excluded from the backup.
Options	Enables you to use backup options specific to each SaaS application or SaaS application resource (for example, if you are protecting Google Cloud SQL, you can set the offload option that enables R‑Cloud to delegate the export operation to a separate data mover).
Data Movers	Enables you to specify the source, the region, and the subnet where you want R‑Cloud to create a data mover during the backup. If the specified source is an AWS account, you can also select a security group. If the specified source is an Azure resource group, you must select a network.  Important For the SaaS applications that run in an AWS account, in an Azure resource group, or in a Google Cloud project: If you do not configure this backup option, R‑Cloud by default creates the data mover in your AWS account, Azure resource group, or Google Cloud project after you set up a target in R‑Cloud or add a source to R‑Cloud.

Prerequisites

For Google Cloud SaaS applications: Specifically for the HMSA, R‑Cloud requires additional permissions. For details, see Google Cloud permissions required by R‑Cloud.
Only if you plan to configure the data mover and select the Azure resource group as a source for the data mover. The network that you select must allow your Azure service principal or the HMSP to access the specified source and the targets that store the protected data.
The data movers must have access to the SaaS applications that you want to protect and to the targets that store the protected data. To ensure this, configure SaaS application backup options so that the data mover uses the appropriate subnet.

 Tip You can check under which subnet the SaaS applications and the targets are accessible in your cloud provider management console.

Consideration

Only if you plan to store the protected SaaS application data on an Azure target. For security purposes, it is recommended that you configure SaaS application backup options so that R‑Cloud creates the data mover in the Azure resource group to keep the protected data in the same Azure environment during the backup.

Recommendation

If you plan to use targets for storing the protected data, optimize the egress data costs by configuring SaaS application backup options so that the data mover uses the same or the nearest available region as the target.

 Note R‑Cloud performs automatic synchronization of SaaS applications at periodic intervals. However, you can at any time update the list of SaaS applications also manually by clicking Synchronize Refresh.

Procedure

In the SaaS panel, select the SaaS application or the resource for which you want to configure backup options.
Click Configuration. The SaaS Configuration dialog box opens.

Depending on what you want to do, perform the required action:

I want to...	Instructions
Exclude resources from the backup.	On the Exclude Resources tab, select the resources that you want to exclude from the backup.
Use a backup option specific to my SaaS application or resource.	On the Options tab, specify which of the available backup options you want to use and provide the required information.
Specify the source, the region, the subnet, the network, or the security group for a data mover.	On the Data Movers tab, do the following: From the Compute drop-down menu, select the source for the data mover.  Important If the type of the source that you select for the data mover differs from the source where the target specified in the R‑Cloud policy resides, this may result in data egress charges. From the Region drop-down menu, select the preferred region. For Azure resource groups: From the Network drop-down menu, select the preferred network. From the Subnet drop-down menu, select the preferred subnet. For AWS accounts: Optionally, from the Security Group drop-down menu, select the preferred security group. By default, the data mover is created in the default security group of the preferred subnet.

I want to...

Instructions

Exclude resources from the backup.

On the Exclude Resources tab, select the resources that you want to exclude from the backup.

Use a backup option specific to my SaaS application or resource.

On the Options tab, specify which of the available backup options you want to use and provide the required information.

Specify the source, the region, the subnet, the network, or the security group for a data mover.

On the Data Movers tab, do the following:

From the Compute drop-down menu, select the source for the data mover.

 Important If the type of the source that you select for the data mover differs from the source where the target specified in the R‑Cloud policy resides, this may result in data egress charges.
From the Region drop-down menu, select the preferred region.
For Azure resource groups: From the Network drop-down menu, select the preferred network.
From the Subnet drop-down menu, select the preferred subnet.
For AWS accounts: Optionally, from the Security Group drop-down menu, select the preferred security group. By default, the data mover is created in the default security group of the preferred subnet.

Click Save.