Guide: Using PowerShell to Assist with Backing up Microsoft 365 Data and Settings
If you are aiming for a roll-your-own approach to creating a backup of your data in Microsoft 365, the options are not great for a build-your-own solution. However, when it comes to the configuration of your tenant, there are good options.
Even if you’ve bought a backup product for Microsoft 365 or are relying on the service availability and capabilities to guarantee data is retained – a configuration change can spell a weekend of unwanted extra work, and potentially data loss. As people say, prevention is better than cure.
Sponsored Post Links: Afi.ai provides a modern solution for backing up Office 365 (and Google Workspace too!) including full Teams support, SharePoint and OneDrive file metadata and sharing permissions, and many other advanced and modern features.
Backing up your data in Microsoft 365 using PowerShell
If you must get a copy of a particular users’ data for a belt-and-braces backup, need to perform the same task regularly, and you don’t have a product on hand, then PowerShell can provide the answer.
In the on-premises world of Exchange Server, the closest equivalent to what I’ll describe would often be referred to as a brick-level backup, and via PowerShell as a scheduled task, involve performing PST exports of mailboxes. This was a wildly inefficient way of performing a backup, and often performed for VIP mailboxes where awaiting a full database restore wasn’t desirable.
In Microsoft 365, we’ve got more than just Exchange Online to consider, and the same PowerShell cmdlets used on-premises don’t work in Microsoft 365. Instead, it is necessary to perform a Compliance Search against the users we want to copy both Exchange and OneDrive for Business data, then after the export completes, download the data from Microsoft 365 to a local location.
This can be completed from the web interface, which includes a dedicated tool to both connect to the temporary export location in Azure, and then compose the extract in the requested format, such as ZIP files. When using PowerShell, the AzCopy tool can be used to perform the export of email message files and files.
To demonstrate this, I’ve created a simple PowerShell function, Example_Export designed to create, monitor, and then export the data, then copy the data to a local folder using AzCopy. This isn’t a production-ready script, but it is self-documenting so that you can see the core process and cmdlets required. You’ll see this in action in the screenshot below.
You can download ExampleExportFunction.ps1 from GitHub. To use the script, you’ll need an account with eDiscovery Manager permissions, and you’ll need to connect to the service using the Connect-IPPSSession cmdlet, part of the Exchange Online PowerShell v2 module.
You’ll also need to download AzCopy (version 10 is used in the script), and either place it in the directory you run the function from or update the script to use an absolute path.
The big question of course is – should you use this as a backup solution for Office 365 data? Probably not – you usually don’t need to backup Office 365 data, but if you do, then a wiser idea will be to purchase a solution that will provide a support contract and is developed for the task.
Backing up, monitoring and restoring Microsoft 365 configuration using PowerShell and Desired State Configuration
While backing up your data in Office 365 using PowerShell and native tooling is at best, a workaround, backing up the configuration is not only possible but genuinely worthwhile.
A configuration change, such as an inadvertent change to a retention policy, or removal of a configuration policy in any number of services, whether it is Exchange Online, Azure AD or Intune can have the potential to be as disastrous as a loss of data – by causing data loss or a security breach.
Keeping a backup of the tenant configuration, and monitoring for changes is a valid way to avoid the potential for data loss.
To achieve this, you could roll your own PowerShell script that works through Get-* cmdlets through each Microsoft 365 PowerShell module and collects the configuration into either an export format, such as XML, or into CSV files, and then create a matching script to analyze the tenant, alert for issues, and restore changes.
But we don’t need to do that. Microsoft has an open-source module that is maintained and built upon the PowerShell Desired State Configuration (DSC) framework. DSC allows us to define the configuration of a system and ensure it is configured accordingly.
An example of a widely known, perhaps rudimentary DSC system is the Office 365 Hybrid Configuration Wizard, which contains the desired configuration for Exchange Hybrid, and when running the wizard, applies the configuration to Exchange and Exchange Online.
PowerShell DSC provides far more capabilities than the HCW, and includes not only the configuration and code to apply the configuration, but also includes the ability for an agent to regularly monitor the configuration, auto-correct or alert for changes, and feed data into a dashboard within Azure.
The Microsoft 365 DSC allows a tenant configuration to be defined as code but also has a useful feature for existing tenants – the ability to create the configuration code based on your existing Microsoft 365 tenant. Microsoft 365 DSC can collect information about the current configuration of Exchange, Teams, SharePoint, OneDrive, Azure AD, general Office 365 configuration, Intune, PowerApps, and Security and Compliance configuration. Collecting this data is relatively straightforward, as the software is available within the PowerShell Gallery.
You can install Microsoft 365 DSC from a PowerShell 5.1 or higher prompt using the Install-Module -Name Microsoft365DSC cmdlet. This will install dependencies, including modules for connecting to Microsoft 365 services using PowerShell.
We can then use the Export-M365DSCConfiguration cmdlet, either to launch the GUI interface for export or to perform a silent scripted output to a file. In the example below, we’ve chosen to export select workloads to an export file using Global Admin credentials; however, we can export everything supported and use an Application ID rather than username & password in scripts that run on a regular basis.
The resulting output can then be processed into an Excel or HTML report for local analysis, such as the Excel output shown below; however, the real power comes from the ability to assess the tenant for configuration drift – or setup of ongoing monitoring and remediation.
You can download Microsoft 365 DSC from GitHub. Examples of not only backing up configuration data from the tenant are provided, but also guidance on how to setup ongoing reporting and automated restore of changed configuration.