How to Create Veritas Alta SaaS Protection connectors for Microsoft 365 / Exchange Mailboxes

Article: 100050078
Last Published: 2024-09-04
Product(s): Veritas Alta SaaS Protection

Description

 

This article describes how to configure settings specific to Exchange/Exchange Online connectors within the General and Advanced tabs of the connector properties. 

EWS connectors can be used to capture user mailboxes and public folders from Microsoft 365 and from on-premises Exchange Server versions 2010, 2013, or 2016.

This process only works when configuring the connectors via the Connector Service UI. It applies only to customers running the connector service on a server in an environment that they manage. For all other Veritas-managed customers, please refer to this article: How To Create an Exchange Connector in the NetBackup SaaS Protection (NSP) Administration Portal

Pre-requisites: 

  1. The connector must be created before these settings can be applied. For information on creating a connector, refer to the article: How To Create Connectors In Veritas Alta SaaS Protection
  2. Steps outlined in the How to prepare a Microsoft 365 tenant for Veritas Alta SaaS Protection article must be completed.

Configure Connector Type Specific Settings

General Tab:  
 
 
  1. Mode -- Choose from the following 4 modes based on the type of data to be captured with a specific connector.  A separate connector is required for Groups/Teams and Public Folders.  All User Mailboxes and Specific Mailboxes are for 1 connector.  
    1. All User Mailboxes --  Auto-discovers all mailboxes in the organization. Note that if the mailbox PrimarySMTPAddress changes, NSP will still recognize it as the same mailbox. This includes Shared mailboxes. 
    2. All Groups/Teams Mailboxes -- Captures all O365 Group mailboxes and Teams Mailboxes as they are all categorized under "Groups" when viewing the O365 Admin Center.  When choosing this option, enable the 'Get Location ACL's' option.  
    3. Specific Mailboxes -- When choosing this option, a new tab will be available called 'Specific Mailboxes' where SMTP addresses are manually entered by the user or can be imported from a file. Note that if the PrimarySMTPAddress of the user subsequently changes, this will not be detected by NSP; therefore, this address must be manually updated.
    4. Public Folders --  The public folders associated with the user impersonation accounts configured in the 'EWS Auth' tab.  
  2. Management API -- By default, PowerShell has always been used to authenticate to O365. This requires a valid user account that is in the Exchange admin role and has a minimum E1 license. It also requires additional service accounts to deal with throttling. The Microsoft Graph option is the preferred option as it simply requires the use of an Azure AD Application that allows authentication to the targeted workloads in O365. This avoids having to rely on PowerShell and user licenses. To configure this application, refer to the article: How To Configure An OAuth Azure AD Application
  3. Use Sender and Recipients For ACL -- Stops item ACLs from inheriting the parent folder ACL and instead assigns permissions based on the sender and recipient SMTP addresses. This option is only available when choosing Public Folder mode. For details on this option, refer to the article: Overview of 'Limit ACEs to Domains' Connector Setting
  4. Limit ACEs to Domains -- Filters the ACEs applied to the item based on the semicolon-delimited list of approved domains. This option is only available when enabling 'Use Sender and Recipients For ACL' and when choosing Public Folder mode.
  5. Limit Subject as Item Name to N Characters -- Limits the length of the subject as used to populate the item name in NSP for display purposes in the Admin Portal and End User Portal. This setting is used to avoid bloating the NSP database in high object count scenarios. Note that NSP always preserves the full non-truncated Subject in blob storage.
  6. Process Recoverable Items -- If enabled, 'Recoverable Items' will be in scope for both the active and, if applicable, archive mailboxes. This setting cannot be enabled if 'Process System Folders' is true since the system folders include recoverable items. This setting is not available for public folders. This folder is used when items on Litigation Hold are deleted from a mailbox.
  7. Process Archive Mailboxes -- If enabled, an 'Archive Mailbox' entry will be added containing the content of the archive mailbox. This setting is not available for public folders.
  8. Process Soft-deleted Mailboxes -- If enabled, it will capture soft-deleted mailboxes. This setting is not available for public folders. When the 'Process Soft-deleted Mailboxes' option is enabled, ASP supports backup of only those soft-deleted mailboxes which had any retention/hold policy applied prior to deletion.
  9. Process System Folders -- If true, all folders (including hidden and system folders) are processed. This setting is not available for public folders.
  10. Process as Journal Mailboxes -- If enabled, the Inbox of all mailboxes specified by the connector will have items containerized based on the date stamp. The structure is Inbox\YYYY\MM-DD\HH. This ensures that even massive journal mailboxes can be processed and not result in NSP folders that are difficult to render due to excessive item counts. This setting is not available for public folders.
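
The combined effect of 'Use Sender and Recipients For ACL' and 'Limit ACEs to Domains' on one public folder item, modelled as an added example that is not Veritas code. The function names and sample addresses are made up, and the case-insensitive whole-domain comparison is an assumption, since the article does not state the matching rule.

```python
# Added illustration: a model of the two public-folder ACL settings,
# not Veritas code. The matching rules here are assumptions.

def parse_domains(setting: str) -> set[str]:
    """Split the semicolon-delimited 'Limit ACEs to Domains' value."""
    return {d.strip().lower() for d in setting.split(";") if d.strip()}

def domain_of(smtp: str) -> str:
    """Return the lower-cased domain of an SMTP address ('' if malformed)."""
    local, sep, domain = smtp.strip().rpartition("@")
    return domain.lower() if sep and local else ""

def item_aces(sender: str, recipients: list[str], limit_domains: str = "") -> list[str]:
    """ACEs for one item when 'Use Sender and Recipients For ACL' is enabled."""
    approved = parse_domains(limit_domains)
    aces = []
    for addr in [sender, *recipients]:
        addr = addr.strip().lower()
        dom = domain_of(addr)
        if not dom or addr in aces:
            continue  # skip malformed and duplicate addresses
        # Assumed rule: whole-domain equality, so look-alike domains are dropped
        if approved and dom not in approved:
            continue
        aces.append(addr)
    return aces

# Constructed sample message (all addresses are made up)
SENDER = "Alice@corp.example"
RECIPIENTS = ["bob@corp.example", "carol@partner.example",
              "dave@corp.example.partner.example", "bob@CORP.example"]

if __name__ == "__main__":
    print("no limit:", item_aces(SENDER, RECIPIENTS))
    print("limited :", item_aces(SENDER, RECIPIENTS, "corp.example; sub.corp.example"))
```

Without a domain list, every external recipient on the message becomes an ACE on the captured item; with the list, only addresses in the approved domains remain.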
 
Advanced Tab:

  1. Mailbox Type -- This will auto populate based on the Mode selected in the General tab.  
  2. Suppress Corrupt Message Error Logging -- If the crawler encounters an issue with specific email messages, those errors will be logged.  This option will suppress those errors from writing to the log.  A sample error would be:  "MIME content conversion failed". Typically this means there is an underlying issue with the message which prevents our process from reading it and thus will not capture it.  
  3. Log Retries to ewsdiagnostics.log -- This should only be enabled when instructed by Veritas support.  
 
EWS Auth Tab:

  1. EWS Authentication Mode -- There are two modes to choose from:
    1. Basic -- This is the default setting where it utilizes service accounts that have been created as part of the How to prepare a Microsoft tenant for NetBackup SaaS Protection (NSP) article.
    2. Modern/OAuth -- This setting is used when the Microsoft Graph mode is selected on the General tab. The fields are populated with information after creating the Azure AD Application (as previously mentioned).
  2. Choose either 'Use Autodiscovery' or 'Manually Set EWS URL' based on the O365 configuration.
  3. When choosing the mode 'All Groups/Teams Mailboxes', it is required to configure impersonation accounts. Click on the red text to enter the SMTP addresses for at least 1 account. They do not need any elevated permissions/roles but do require a mailbox. To avoid having to assign a license, using a Shared Mailbox will also work.
  4. If this is for an Exchange Server on Premise, it is required to choose the appropriate option from the 'Advanced' button under the EWS URL section. Note: choosing the Exch2016 option does not work. Instead, choose the Exch2013sp1 option.
 
PowerShell Auth Tab:

  1. This tab is only available when choosing PowerShell as the Mode in the General tab.
  2. Enter the SMTP address in the 'User Name' field and password for a user in either of the following roles:  Exchange Admin or Global Admin 
  3. In the 'PowerShell  URL' field, choose from either of the two options:  'Use On-prem Default' or 'Use O365 Default'. 
  4. If this is for an Exchange Server on Premise, it is also required to choose the appropriate option from the Advanced button. 

Microsoft Graph Auth Tab:

  1. This tab is only available when choosing Microsoft Graph as the Mode in the General tab.
  2. The required information is obtained from the Azure AD Application as mentioned previously.
 
User Filter Tab:

  1. This tab is only available when the Mode 'All User Mailboxes' is selected on the General tab.  
  2. This tab allows filtering of mailboxes based on an extended AD attribute. This filtering can take the form of an exact match, a wildcard match, or even a regular expression. In the example above, the connector will match those users whose 'department' is either Engineering or something like 'Executive', which would match the regex specified.
      
Mailbox Scope Tab:

  1. This tab is only available when the Mode 'All User Mailboxes' is selected on the General tab.
  2. Mailbox Scopes are used for very large user email environments where there is potential to fill up a single Stor database.  In this scenario, the NSP Connector Service can leverage scopes to alleviate this by using multiple EWS (all user mailboxes mode) connectors which can "load balance" and each capture certain mailboxes and assign the data to specific Stors. 
    1. No Mailbox Scope (all mailboxes) -- There is no change with this setting. The crawl will capture all mailboxes.
    2. Rolling Mailbox Scope -- The connector will only process the specified number of mailboxes.  Once a mailbox has been assigned to a rolling connector, it will forever be bound to that connector.  When a rolling connector has room to process additional mailboxes (i.e. the number of currently bound mailboxes is less than the # Mailboxes for this Instance) it uses the API to prune all mailboxes already bound to any other connector in any other Stor.  Thus a mailbox will only be bound to a single connector in the entire environment. 
    3. Alphabetical Mailbox Scope -- The connector will process mailboxes based on the first letter of the SMTP address.  This is the preferred mode for multi-instance, since it allows a better organization of which mailboxes are in which connectors, and an easier admin browsing experience.  
    4. Restrict Mailboxes With Specific Domains -- This option allows for capturing mailboxes that have email addresses from specific domains.  It also works in conjunction with any other scoping or AD attribute restrictions.  
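
Because alphabetical scopes, domain restrictions and the User Filter all narrow what a connector captures, it is worth checking a planned set of connectors for mailboxes that no connector takes or that more than one takes. The following is an added example, not Veritas code: the `Connector` class, the connector names and the mailbox list are hypothetical, and exact-domain and whole-value regex matching are assumptions.

```python
# Added illustration, not Veritas code: models how scope settings combine.
import re
from dataclasses import dataclass

@dataclass
class Connector:            # hypothetical stand-in for one EWS connector
    name: str
    letters: str = ""       # alphabetical scope: first characters handled ("" = all)
    domains: tuple = ()     # 'Restrict Mailboxes With Specific Domains' (() = any)
    dept_regex: str = ""    # User Filter regex on 'department' ("" = no filter)

    def captures(self, smtp: str, department: str) -> bool:
        smtp = smtp.lower()
        domain = smtp.rpartition("@")[2]
        if self.letters and smtp[0] not in self.letters.lower():
            return False
        if self.domains and domain not in self.domains:
            return False
        # Assumption: the regex has to match the whole attribute value
        if self.dept_regex and not re.fullmatch(self.dept_regex, department):
            return False
        return True

def audit(connectors, mailboxes):
    """Return (uncovered, overlapping) for (smtp, department) pairs."""
    uncovered, overlapping = [], []
    for smtp, dept in mailboxes:
        hits = [c.name for c in connectors if c.captures(smtp, dept)]
        if not hits:
            uncovered.append(smtp)
        elif len(hits) > 1:
            overlapping.append((smtp, hits))
    return uncovered, overlapping

# Constructed sample environment (names and addresses are made up)
CONNECTORS = [
    Connector("ews-a-m", "abcdefghijklm", ("corp.example",)),
    Connector("ews-n-z", "nopqrstuvwxyz", ("corp.example",)),
    Connector("ews-execs", dept_regex=r"Engineering|Exec.*"),
]
MAILBOXES = [
    ("alice@corp.example", "Engineering"),   # in ews-a-m and ews-execs
    ("mike@corp.example", "Sales"),
    ("zed@corp.example", "Finance"),
    ("3dprint@corp.example", "Facilities"),  # digit: no letter range takes it
    ("nora@sub.corp.example", "Sales"),      # subdomain is not in the list
]
if __name__ == "__main__":
    print(audit(CONNECTORS, MAILBOXES))
```

An uncovered mailbox is one that would not be backed up by any connector in the plan; in the sample these are the address starting with a digit and the one on an unlisted subdomain.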
 
 
