Creating a new connection to Exchange server
To be able to back up your Exchange data in CodeTwo Backup you first need to configure a connection to your server. The program allows you to configure multiple connections to Microsoft 365 (Exchange Online) and on-premises Exchange servers.
You can configure a new connection to your Exchange server when creating a new backup job or directly from the program’s Dashboard, by clicking the Settings button () on the Defined server connections card and selecting New > Exchange connection (Fig. 1.).
Fig. 1. Creating a new Exchange connection.
The Exchange connection wizard will open (Fig. 2.). In the Server location step of the wizard, you can choose between connecting to:
Fig. 2. The Exchange connection wizard.
Once you make your selection, click Next to proceed.
Connecting to Microsoft 365 (Exchange Online)
CodeTwo Backup uses Modern Authentication (OAuth 2.0) to connect to Exchange Online. Because of that, you need to register the program in Microsoft Entra ID (Azure Active Directory) of the Microsoft 365 tenant whose Exchange data (mailboxes and public folders) you want to back up. The registration can be performed:
- Automatically by CodeTwo Backup,
- Manually in the Microsoft Entra admin center.
Automatic registration
In the Application registration step of the connection wizard, select Automatic registration and click Sign in as Microsoft 365 admin (Fig. 3.).
Fig. 3. Automatic registration of CodeTwo Backup in Entra ID.
On the Microsoft sign-in page, enter the credentials of your Microsoft 365 admin. Remember that your account must be assigned the Global Administrator or Privileged Role Administrator role. When prompted, grant the required permissions to CodeTwo Backup. These are necessary for the program to be able to back up and restore data from and to your Exchange Online environment (Fig. 4.).
Fig. 4. Granting the necessary permissions to CodeTwo Backup.
CodeTwo Backup will be registered as CodeTwo Backup Exchange in your Entra ID and signed with a unique certificate.
Important
A new CodeTwo Backup Exchange entry will be registered in your Entra ID each time you configure a new connection to Microsoft 365 by using the Automatic registration option. To avoid having multiple registration entries in your tenant, edit the existing connection. If you now select the Manual registration option, all the necessary registration details will be filled out in the Application details step.
The CodeTwo Backup Exchange registration entry will remain in your Entra ID even if you delete the server connection that has created this entry, or if you uninstall the program from your machine. If you want to delete the CodeTwo Backup Exchange entry, you need to do so manually by following these steps.
Manual registration
You can register CodeTwo Backup manually in your Microsoft Entra ID by following the steps provided in this Knowledge Base article. Once done, select Manual registration in the Application registration step of the server connection wizard (Fig. 5.) and click Next.
Fig. 5. Select this option if you want to register CodeTwo Backup in your Entra ID by yourself.
In the Application details step, provide the following information:
- Dedicated application account – the email address of any user from your Microsoft 365 tenant. This account is used get the necessary information about the tenant (name, domain, etc.).
- Client ID – a unique identifier (GUID) assigned to CodeTwo Backup after the program has been registered in your Entra ID. To get this ID, sign in to the Microsoft Entra admin center, go to Identity > Applications > App registrations, click the All applications tab, and select the entry under which you have registered CodeTwo Backup. The ID is found on the Overview page, under Application (client) ID (Fig. 6.).
- Tenant ID – a unique identifier (GUID) assigned to your Microsoft 365 tenant. You can find it on the same Overview page as shown in Fig. 6., under Directory (tenant) ID.
- Certificate thumbprint or Client secret generated in Entra ID to authenticate CodeTwo Backup. You need to provide only one of these credentials. You can add or view certificates and client secrets (app passwords) in the Microsoft Entra admin center, on the Certificates & secrets page of the registered application (Fig. 7.).
Fig. 6. The client and tenant ID assigned to CodeTwo Backup in Entra ID.
Fig. 7. The location of a certificate thumbprint (A) and client secret (B) in Entra ID.
To be able to use a certificate, it needs to be signed with a 2048 bits key and placed in the personal certificate store of the currently logged in user and the account under which the CodeTwo Backup Service runs. You can use the Import button to install the certificate in the correct store (use the Import certificate window for that purpose, as shown in Fig. 8.). If the certificate is already installed in that store, you can simply provide its thumbprint in the Certificate thumbprint field.
Fig. 8. Importing the certificate associated with CodeTwo Backup.
Client secret is generated in the Microsoft Entra admin center for each registered application, on the Certificates & secrets page (see Fig. 7. above). Be sure to copy it to the clipboard and paste in the right field in the server connection wizard (Fig. 9.). You will not be able to see (or copy) that credential once you leave the Certificates & secrets page.
Fig. 9. Application registration details filled out in Exchange connection wizard.
In the last step, Configuration, the program will attempt to connect to your Microsoft 365 tenant based on the data provided in the previous steps of the wizard. Click Configure and wait for the results (Fig. 10.). During this process, the program is registered in your AD (if you have chosen the Automatic registration option) and verifies connections with Exchange Web Services and Microsoft Graph API (used to perform backup and recovery tasks).
Fig. 10. Verifying the connectivity to Microsoft 365 (Exchange Online).
If you have successfully connected to Microsoft 365, click Finish to close the wizard. If you get any errors instead, consult the Troubleshooting section.
Important
After closing the connection wizard, you also need to click OK in the Manage server connections window (Fig. 11.) to save your connection. This will automatically close the window and store your settings. Otherwise, the connection will not be saved, and you will have to start from the beginning.
After confirming your server's connection settings, you will be able to use this connection to create backups of mailboxes and public folders residing on this Microsoft 365 tenant. Furthermore, you can also use this connection to restore backed-up Exchange data to that tenant.
Connecting to on-premises Exchange Server
In the Server connection step, select how the program should connect to your Exchange server. To allow the program to locate your server automatically based on admin account credentials provided in the next step of the wizard, select the Autodiscover Exchange Server option. If you want to the program to connect to a specific server, you can select the Configure connection manually option and enter the server's fully qualified domain name (FQDN) or IP address (Fig. 12.). The server's FQDN consists of the server's name followed by the domain name, e.g. myserversname.domain.com. The EWS URL field will be completed automatically.
Fig. 12. Providing the server's FQDN manually.
Warning
If you use the IP address of a server instead of its FQDN, you first need to configure its PowerShell Virtual Directory in IIS to allow basic authentication. Otherwise, the program will not be able to grant impersonation rights on users' mailboxes or enumerate target mailboxes. As a result, you will get errors (failure notifications) when your connection settings are verified, and the program will not be able to run any jobs by via such a connection.
In the next step, Admin's credentials, provide the User Principal Name (UPN) and password of the admin account that will be used to connect to your Exchange Server. The Administrator's UPN field is filled in automatically with your local admin credentials, that is the credentials of the user who is currently using the program (Fig. 13.).
Fig. 13. Local admin credentials are proposed automatically by the program.
Important
Make sure that the provided admin account is mailbox-enabled, has appropriate UPN suffix configured, and has impersonation permissions on users' mailboxes. By default, members of the Organization Management group fulfill these requirements. Read more on how to create an account with the minimum required permissions to be used in CodeTwo software.
To use a different administrator account, enter the UPN manually or select another user via the Browse button. To select an admin account from another domain, in the Select User dialog box click Locations first and select the required domain (Fig. 14.).
Fig. 14. Choosing a different domain.
Info
The Browse button can only be used to list administrators from the same domain or from different trusted domains. If you want to use an admin account from an untrusted domain, you will have to type the UPN manually.
In the last step, Configuration, the program will attempt to connect to your Exchange Server based on the data provided in previous steps of the wizard. To start the verification process, click Configure and wait for the results (Fig. 15.). During this process, the program checks the server connection, verifies the impersonation rights (and grants them, if necessary), and tries to enumerate mailboxes by using PowerShell.
Fig. 15. Verifying the connectivity to your on-premises Exchange server.
If you have successfully connected to the selected Exchange Server, click Finish to close the wizard. If you get any errors instead, consult the Troubleshooting section.
Important
After closing the connection wizard, you also need to click OK in the Manage server connections window (Fig. 16.) to save your connection. This will automatically close the window and store your settings. Otherwise, the connection will not be saved, and you will have to start from the beginning.
After confirming your server's connection settings, you will be able to use this connection to create backups of mailboxes and public folders residing on this server. Furthermore, you can also use this connection to restore backed-up Exchange data to that server.