Creating a new connection to Exchange server
To be able to back up your Exchange data in CodeTwo Backup, you first need to configure a connection to your server. The program allows you to configure multiple connections to Office 365 (Exchange Online) and on-premises Exchange servers.
You can configure a new connection to your Exchange server when creating a new backup job or directly from the program’s Dashboard, by clicking the Settings button () on the Defined server connections card and selecting New > Exchange connection (Fig. 1.).
The Exchange connection wizard will open (Fig. 2.). In the Server location step of the wizard, you can choose between connecting to:
Once you make your selection, click Next to proceed.
In the Office 365 cloud step, select if you want to connect to the Office 365 global (or simply Office 365) or Office 365 Germany cloud (Fig. 3.). Since Office 365 and Office 365 Germany are completely independent clouds, it is not possible to use the Office 365 credentials to log in to Office 365 Germany and vice versa. If your Office 365 email address ends with .de, for example firstname.lastname@example.org, you’re using the Office 365 Germany cloud. Read more about Office 365 Germany.
CodeTwo Backup uses Modern Authentication (OAuth 2.0) to connect to Exchange Online. Because of that, you need to register the program in Azure Active Directory of the Office 365 tenant whose Exchange data (mailboxes and public folders) you want to back up. The registration can be performed:
In the Application registration step of the connection wizard, select Automatic registration and click Log in as Office 365 admin (Fig. 4.).
On the Microsoft sign-in page, enter the credentials of your Office 365 tenant's global admin account. When prompted, grant the required permissions to CodeTwo Backup. These are necessary for the program to be able to back up and restore data from and to your Exchange Online environment (Fig. 5.).
CodeTwo Backup will be registered as CodeTwo Backup Exchange in your Azure AD and signed with a unique certificate.
A new CodeTwo Backup Exchange entry will be registered in your Azure AD each time you configure a new connection to Office 365 by using the Automatic registration option. To avoid having multiple registration entries in your tenant, edit the existing connection. If you now select the Manual registration option, all the necessary registration details will be filled out in the Application details step.
The CodeTwo Backup Exchange registration entry will remain in your Azure AD even if you delete the server connection that has created this entry, or if you uninstall the program from your machine. If you want to delete the CodeTwo Backup Exchange entry, you need to do so manually by following these steps.
You can register CodeTwo Backup manually in your Azure Active Directory by following the steps provided in this Knowledge Base article. Once done, select Manual registration in the Application registration step of the server connection wizard (Fig. 6.) and click Next.
- Dedicated application account – the email address of any user from your Office 365 tenant. This account is used get the necessary information about the tenant (name, domain, etc.).
- Client ID – a unique identifier (GUID) assigned to CodeTwo Backup after the program has been registered in your Azure AD. To get this ID, log in to the Azure Active Directory admin center, go to Azure Active Directory > App registrations and select the entry under which you have registered CodeTwo Backup. The ID is found on the Overview page, under Application (client) ID (Fig. 7.).
- Tenant ID – a unique identifier (GUID) assigned to your Office 365 tenant. You can find it on the same Overview page as shown in Fig. 7., under Directory (tenant) ID.
- Certificate thumbprint or Client secret generated in Azure AD to authenticate CodeTwo Backup. You need to provide only one of these credentials. You can add or view certificates and client secrets (app passwords) in the Azure Active Directory admin center, on the Certificates & secrets page of the registered application (Fig. 8.).
To be able to use a certificate, it needs to be signed with a 2048 bits key and placed in the personal certificate store of the currently logged in user and the account under which the CodeTwo Backup Service runs. You can use the Import button to install the certificate in the correct store (use the Import certificate window for that purpose, as shown in Fig. 9.). If the certificate is already installed in that store, you can simply provide its thumbprint in the Certificate thumbprint field.
Client secret is generated in the Azure Active Directory admin center for each registered application, on the Certificates & secrets page (see Fig. 8. above). Be sure to copy it to the clipboard and paste in the right field in the server connection wizard (Fig. 10.). You will not be able to see (or copy) that credential once you leave the Certificates & secrets page.
In the last step, Configuration, the program will attempt to connect to your Office 365 tenant based on the data provided in the previous steps of the wizard. Click Configure and wait for the results (Fig. 11.). During this process, the program is registered in your AD (if you have chosen the Automatic registration option) and verifies connections with Exchange Web Services and Microsoft Graph API (used to perform backup and recovery tasks).
If you have successfully connected to Office 365, click Finish to close the wizard. If you get any errors instead, consult the Troubleshooting section.
After closing the connection wizard, you also need to click OK in the Manage server connections window (Fig. 12.) to save your connection. This will automatically close the window and store your settings. Otherwise, the connection will not be saved, and you will have to start from the beginning.
After confirming your server's connection settings, you will be able to use this connection to create backups of mailboxes and public folders residing on this Office 365 tenant. Furthermore, you can also use this connection to restore backed-up Exchange data to that tenant.
In the Server connection step, select how the program should connect to your Exchange server. To allow the program to locate your server automatically based on admin account credentials provided in the next step of the wizard, select the Autodiscover Exchange Server option. If you want to the program to connect to a specific server, you can select the Configure connection manually option and enter the server's fully qualified domain name (FQDN) or IP address (Fig. 13.). The server's FQDN consists of the server's name followed by the domain name, e.g. myserversname.domain.com. The EWS URL field will be completed automatically.
If you use the IP address of a server instead of its FQDN, you first need to configure its PowerShell Virtual Directory in IIS to allow basic authentication. Otherwise, the program will not be able to grant impersonation rights on users' mailboxes or enumerate target mailboxes. As a result, you will get errors (failure notifications) when your connection settings are verified, and the program will not be able to run any jobs by via such a connection.
In the next step, Admin's credentials, provide the User Principal Name (UPN) and password of the admin account that will be used to connect to your Exchange Server. The Administrator's UPN field is filled in automatically with your local admin credentials, that is the credentials of the user who is currently using the program (Fig. 14.).
Make sure that the provided admin account is mailbox-enabled, has appropriate UPN suffix configured, and has impersonation permissions on users' mailboxes. By default, members of the Organization Management group fulfill these requirements. Read more on how to create an account with the minimum required permissions to be used in CodeTwo software.
To use a different administrator account, enter the UPN manually or select another user via the Browse button. To select an admin account from another domain, in the Select User dialog box click Locations first and select the required domain (Fig. 15.).
The Browse button can only be used to list administrators from the same domain or from different trusted domains. If you want to use an admin account from an untrusted domain, you will have to type the UPN manually.
In the last step, Configuration, the program will attempt to connect to your Exchange Server based on the data provided in previous steps of the wizard. To start the verification process, click Configure and wait for the results (Fig. 16.). During this process, the program checks the server connection, verifies the impersonation rights (and grants them, if necessary), and tries to enumerate mailboxes by using PowerShell.
If you have successfully connected to the selected Exchange Server, click Finish to close the wizard. If you get any errors instead, consult the Troubleshooting section.
After closing the connection wizard, you also need to click OK in the Manage server connections window (Fig. 17.) to save your connection. This will automatically close the window and store your settings. Otherwise, the connection will not be saved, and you will have to start from the beginning.
After confirming your server's connection settings, you will be able to use this connection to create backups of mailboxes and public folders residing on this server. Furthermore, you can also use this connection to restore backed-up Exchange data to that server.