Backing up my Cloud services including Microsoft 365 with a Synology NAS for “Free”

By | October 18, 2020
My DS920+ there are many like it, but this one is mine

G’day, and welcome back to UCMadScientist. Today we are continuing our adventures with my Synology DS920+ that was lovingly sent in for review a few months ago.

Okay, you got me. It’s not “Free”; you still need to buy the NAS itself, put drives in and power it. But there are no ongoing software costs, no license fees and no renewal fees to worry about. So essentially free in this day and age, especially as you need somewhere to store the data anyway!

As I kinda alluded to in the previous article, my “backup” solution previously wasn’t exactly ideal. My personal OneDrive, for example, was me just syncing the whole lot to my storage server.

Windows Server with the OneDrive client is not a backup
  • My personal OneDrive was “backed up” by just syncing it to my server
  • My business OneDrives weren’t backed up at all
  • I didn’t back up my Teams or SharePoint sites
  • Or my GitHub repos
  • And I didn’t differentiate between infrequently changing data (archives) and frequently changing data
  • Whilst I was backing up endpoints and VMs
    • I was backing up the VMs to the same machine
    • The disks with backups on them held other VMs, which meant they were always spinning

Thus today, I’m going to check out some of the free ways I can leverage my local storage to keep backups of my important data, both online and offline.

My Personal OneDrive

Synology Cloud Sync

Like I mentioned before, my old backup solution wasn’t great. I was basically syncing a local copy of the live data as a “backup”. I know it’s not… But, “It will never happen to me… right?” WRONG.

I store a lot of data in my OneDrive, including all the photos from my phones, our family photo library, our personal documents and even my software library, chewing up around 700GB of my OneDrive storage (I might need to clean that one day).

Remember when OneDrive had unlimited storage? So do I

So knowing that, let’s take a look at the free OneDrive backup package on the Synology.

If we search the DSM package library, we can see Cloud Sync is a package that might suit our needs, so let’s install it and take a look.

Cloud Sync Package on the Synology NAS

Upon opening the package we are greeted with a ton of different cloud providers, OneDrive included, so let’s pick that and hit Next.

Synology Cloud Sync Service Provider List including OneDrive

As soon as I click Next, I get an authentication pop-up for my OneDrive. As I’m already logged in using this browser session, I’ll just authenticate this on my phone and approve the app.

Then we are brought to the Sync Settings page.

Sync Settings Page

A nice thing to see is that I can make this sync one way only. So it will only download from OneDrive, not upload, hopefully preventing a repeat of last time.

Exclude files? I think they might feel left out.

A nice touch is the ability to exclude folders but still grab any new ones.
I don’t exactly need another copy of my Installation Media for Skype.

This might take a while

Now, I’ll just let that run for a while…

I don’t care that you downloaded a file… tell me if something goes wrong!

It would be nice if you could turn off this pop-up that comes up every 10 seconds during sync, but…

But, it’s not a backup. Is it? Yet.

And there’s no way to sugar coat it. It’s still just a sync. It’s not a backup of my OneDrive. As it’s not a point-in-time system, it’s always “the latest” unless I use the schedule to only let it sync once or twice a week.

Even then, I only have 1 copy of the data. So should my OneDrive get compromised just before a sync, my data is all gone (again).

We can address this by using Active Backup for Business to take backups of the sync directory at regular intervals.

Synology Active Backup for Business

Same as before, we go to the Package Manager and install the Active Backup for Business package.

Active Backup in the Synology Package Store

Unlike before, however, when we launch the application it needs to call home and grab a free license. Nothing too major to worry about. Hopefully, Synology doesn’t start charging for it in the future. I assume it’s only using it to stop people from selling it as a service.

Active Backup Welcome Screen

The activation wizard was a super painless thing. Agree to terms and conditions, login and press activate.

Next we create a backup job: navigate to File Server and click Add Server.

In the Server Type, select SMB Server (you could use Rsync too, as the NAS supports that).

New File server Setup page

Then enter the details of the NAS itself as the Remote Server, clicking Apply and Yes when prompted.

Active Backup Server information page
Backup Creation Prompt

I ended up needing to check the documentation as the blurb describing each of the backup modes wasn’t 100% clear.

Select your backup type

The “Multi-Versioned” backup allows you to set up the traditional Grandfather-Father-Son backups.

It is important to note, however, that although Active Backup is marketed as offering deduplication, this only applies to VMs, PCs and physical servers, not file servers.

Note: No deduplication for File Server backups!

The manual isn’t very clear on this so I figured I’d point it out.

Picking Multi-Versioned backups

I ended up selecting the Multi-Versioned backup so I could keep multiple copies of the data using retention policies.

Select source files

Point it to the folder on the NAS that’s hosting the OneDrive share and click Next.

Select Destination and frequency

Then we set the backup target. As I don’t have oodles of storage, and I have the ability to restore recent file versions from within OneDrive itself, I’ll only configure this to back up once a week.

Retention Policies are fun…

On the next page, we can set retention policies, which we will set to keep the latest week for 1 week and the latest month for 1 month, allowing at least 30 days of rollback.

Backup Summary

Then we confirm and apply the settings.

Hey look! Files!

After running the backup task, we can see I now have multiple point-in-time versions of my OneDrive. Sorted.

What about my Microsoft 365 Tenant?

Well, this was the main reason Synology opted to send me a unit for a review: to look at their Active Backup for Microsoft 365 product.

To get the most features and the best chance at backing up as much configuration as possible, I waited for the Beta version of the product to reach maturity before reviewing the latest release, 2.2.1-2324 at the time of writing.

Installing and setting up the package

Active Backup for Microsoft 365 in the Synology Package Store

Same as with all the other packages we have installed on the NAS so far, we simply head over to the Package Centre and Install the Active Backup for Microsoft 365 package and open it.

Active Backup for M365 Welcome Screen

Same as with Active Backup for Business, we need to let the NAS call home and acquire a license.

So after clicking Activate I’m taken to the Synology website again where, as last time, I’m greeted with a similar treatment as before. Agree to a EULA, sign in and Activate.

Creating a new task in Active Backup for M365

Registering the Azure AD App

We’re then greeted with a new backup wizard which by default lets you back up a new tenant. It’s nice to see the option here to relink data from an existing backup to a tenant so you don’t have to download everything again!

Active Backup for M365 App Setup Wizard

Active Backup for Microsoft 365 then asks you to run through a tutorial to set up an Azure AD app. It’s basically just downloading and running a PowerShell script on your local machine.

AppGenerator.ps1 in ISE

Taking a quick look in the ISE, I don’t see anything nefarious going on here. In fact, the cool part is they actually credit their sources in the script and it’s signed! Nice.

AppGenerator.ps1 password prompt

Running the script in interactive mode automatically installs the AzureAD package via NuGet and then prompts for a password for the certificate. This is because the Azure app is using a cert generated on your machine, which must be exported with the private key (which needs a password to do so).

So make sure you provide a secure password; this cert can be used to access your whole tenant (at an Exchange, Graph and SharePoint level… more on that later).

AppGenerator.ps1 sign in prompt

After that the script will get you to sign in to your Azure AD tenant via the usual AAD sign-in box. It’s nice to see this supports MFA as well.

AppGenerator.ps1 summary screen

Once that is done, the script will output some details about the AAD app, as well as providing a link to a page in Azure detailing the app permissions.

AppGenerator.ps1 permissions

We also need to grant admin permissions for the app whilst we are here, so click on Grant admin consent for orgname.

AppGenerator.ps1 Admin permissions

A note on Permissions, specifically for Teams

As you can see the app grants itself full access to both SharePoint and Exchange, but very limited access to Graph.

Whilst this is great from a security perspective, it also lacks important settings to back up core Teams workloads such as calling and channel data, just a few of which you can find below.

Some missing Graph permissions

This means that today it’s impossible for Active Backup for Microsoft 365 to back up the collaboration and calling aspects of Teams. Should that feature be added in the future, you will need to update the permissions appropriately.
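To keep track of the two points above (the certificate can be used to access the tenant, and the app holds broad permissions that may need updating later), here is an added example, not taken from Synology's script or the original post, that reviews an app registration exported as JSON. It assumes the Microsoft Graph `application` field names (`keyCredentials`, `requiredResourceAccess`); the sample registration, its placeholder permission ids and its expiry date are constructed.

```python
import json
from datetime import datetime, timezone

# Well-known resource application ids of the three APIs the post mentions.
RESOURCES = {
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
    "00000002-0000-0ff1-ce00-000000000000": "Exchange Online",
    "00000003-0000-0ff1-ce00-000000000000": "SharePoint Online",
}

# CONSTRUCTED sample (placeholder permission ids, invented expiry date).
SAMPLE_APP = json.loads("""{
  "keyCredentials": [{"displayName": "CN=nas", "endDateTime": "2021-10-18T00:00:00Z"}],
  "requiredResourceAccess": [
    {"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
     "resourceAccess": [{"id": "placeholder-1", "type": "Role"}]},
    {"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
     "resourceAccess": [{"id": "placeholder-2", "type": "Role"}]},
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "placeholder-3", "type": "Role"},
                        {"id": "placeholder-4", "type": "Scope"}]}]
}""")


def audit_app(app, now, warn_days=30):
    """Return (permission counts per API, findings) for one app registration."""
    perms, findings = {}, []
    for entry in app.get("requiredResourceAccess", []):
        api = RESOURCES.get(entry["resourceAppId"], entry["resourceAppId"])
        counts = perms.setdefault(api, {"application": 0, "delegated": 0})
        for access in entry.get("resourceAccess", []):
            # "Role" = app-only permission, tenant-wide with no user involved;
            # "Scope" = delegated permission, bounded by the signed-in user.
            counts["application" if access["type"] == "Role" else "delegated"] += 1
    for api, counts in perms.items():
        if counts["application"]:
            findings.append(f"{api}: {counts['application']} app-only permission(s) "
                            "usable by whoever holds the certificate")
    for cred in app.get("keyCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        days = (end - now).days
        if days <= warn_days:
            state = "has expired" if days < 0 else f"expires in {days} days"
            findings.append(f"certificate {cred['displayName']} {state}")
    return perms, findings


if __name__ == "__main__":
    print(audit_app(SAMPLE_APP, datetime(2021, 10, 1, tzinfo=timezone.utc)))
```

Pass a timezone-aware `now`; an expired or soon-to-expire certificate is worth catching early because the backup task stops authenticating once it lapses.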

Back to the setup

Using the details from the AppGenerator.ps1 script we can fill in the rest of the setup wizard.

Completed App Setup Wizard

Using the details from the script, fill in the form and hit Next

Connecting to Tenant

Once that’s done, the app will verify it has all the permissions it needs and then prompt for the backup settings.

Picking Users and Groups

Backup task screen

On the first page, we set some basic info. But if we take a quick look under the edit button, you can see all the users and groups the app will back up.

Important: In my case, the app by default didn’t select to back up any of my Microsoft 365 Groups. I simply filtered down to M365 groups and selected them all before hitting OK.

Groups not selected by default

On the next page, we have settings for new users and groups. The only change I made here was to back up users’ “My Site” feature, and I clicked Next.

Auto-discovery settings

Backup Retention

As with any decent backup product, we get to set how often and how long we keep the data. In this case I’m backing up daily and only keeping files for 30 days.

Active Backup for M365 retention settings

We then review the backup settings and apply them.

Finally I’m presented with the option to start running the backup now.

More waiting for my slow internet…

Active Backup for M365 running a backup of my Tenant

Caveats

A few things to note here. As you might know, I focus on Teams and UC a lot. In saying that, there is a lot of data that this product (and many others) doesn’t back up today for Teams specifically that we are used to backing up in Skype for Business deployments.

  • Chat History in Teams (Available in Graph)
  • User Policy Settings (PowerShell)
  • Tenant calling settings (Dial plans, Voice Routes), Policies, Call logs. (PowerShell and Graph)
  • Call Queue and Auto Attendant Settings (PowerShell)
  • User and Meeting Room accounts (PowerShell)

There are some scripts out there that do this but are separate from the Active Backup Product as of right now.

Personal Computers

I’ve long been a fan of Veeam Endpoint protection. It’s an awesome free “gateway drug” into the Veeam ecosystem. Back up your local endpoints to a NAS/USB/SMB share for free and restore images/files as needed.

My Veeam backups running to the NAS

Our business also has a requirement for all data at rest to be encrypted, so we use BitLocker encryption. Not much good if your backup solution then stores the images unencrypted on your storage medium. Luckily Veeam supports that too.

Encryption at rest? Check

If you have a Veeam Backup and Recovery installation, you can back up to your backup repository and do things like boot the backup image directly using an associated hypervisor, allowing you to do things like connecting to that customer’s weird VPN solution when your SSD has died (yep, has happened, ask me how I know). But I won’t go into that here.

Synology Active Backup apparently has similar functionality. But I’ve not tested it yet and it’s outside the scope of this article.

Final thoughts.

All in all this is a great bundled solution. If you are already looking at a NAS for storing backups, or maybe had something backing up your onsite SBS solution, why not just use this included package to do the backups of your cloud solution?

However, as it stands today it’s still not a full backup solution for Microsoft 365. But then again, considering how many services are delivered in M365 these days, I doubt many products are.

My understanding, however, is that like most things these days, this product is still seeing active development. So here’s hoping in the future we can see even more Teams backup features as well.

Products like these will always need careful evaluation by any potential business looking to use them and speaking with each of their workload experts to ensure they meet their backup requirements!
