How to Configure a Secure and Immutable Microsoft 365 Backup Using Synology Active Backup and Offsite Replication

Introduction

Backing up Microsoft 365 (formerly Office 365) data is a critical step in any organization’s disaster recovery and data-protection strategy. While Microsoft does maintain its own data centers, the responsibility for data protection ultimately falls on the user. Synology’s Active Backup for Microsoft 365 provides a robust solution for backing up emails, OneDrive files, SharePoint libraries, and Teams data onto a local Synology NAS.

But what if you want to add an extra layer of protection against ransomware or accidental deletions? This is where immutability and offsite replication come into play. By replicating to a second, offsite Synology NAS and using snapshot-based or write-once methods, you can drastically reduce the risk of data loss and ensure your backups remain tamper-proof.

In this blog post, you will learn how to:

1. Install and configure Active Backup for Microsoft 365 on a Synology NAS.

2. Set up scheduled backup tasks to protect your Microsoft 365 data.

3. Enable immutable backups using Synology’s Snapshot Replication or Hyper Backup to a second, offsite Synology NAS.

Let’s dive in.

Prerequisites

1. Primary Synology NAS (Recommended models supporting Btrfs for Snapshot Replication):

   • At least one Synology NAS with sufficient storage space and running DSM 7.x or later.

   • Installed and configured with Btrfs file system on your volumes to utilize snapshots.

2. Secondary (Offsite) Synology NAS:

   • Also running DSM 7.x or later with Btrfs-supported volumes.

   • Accessible via a secure network connection (site-to-site VPN, Synology SSL VPN, or port-forwarding with caution).

3. Microsoft 365 Subscription:

   • Global Admin credentials (or app-only access with relevant privileges) to grant Active Backup for Microsoft 365 permissions.

4. Active Backup for Microsoft 365:

   • Installed on your primary Synology NAS via Package Center.

Step 1: Install and Configure Active Backup for Microsoft 365

1. Open Synology DSM: Log in to your primary Synology NAS using the DSM web interface.

2. Go to Package Center: Search for “Active Backup for Microsoft 365” (sometimes labeled “Active Backup for Office 365”).

3. Install the Package: Once installed, launch the application.

4. Add a Microsoft 365 Organization:

   • Click Add Microsoft 365 (or Add Office 365) in Active Backup for Microsoft 365.

   • Sign in with your Microsoft 365 Global Admin credentials, or use an appropriate application account with required backup permissions.

   • Complete the setup wizard, granting the requested permissions for mail, OneDrive, SharePoint, and Teams (if applicable).

5. Confirm Backup Settings:

   • Select which mailboxes, SharePoint sites, and Teams channels you’d like to back up.

   • Configure schedule settings: daily, multiple times per day, or manual backups depending on your needs.

6. Start Initial Backup:

   • A full backup will commence. Depending on the size of your organization’s data, this can take anywhere from a few hours to multiple days.

Tip: Check Resource Monitor or the Active Backup for Microsoft 365 dashboard to watch real-time backup progress and verify there are no permission or connectivity issues.

Step 2: Verify Storage and Snapshot Support

1. Confirm Btrfs Volume:

   • In Storage Manager > Volume, verify your main volume is formatted with Btrfs. This is required for snapshot capabilities that underlie immutability on Synology.

2. Check Snapshot Settings:

   • If using Snapshot Replication, ensure it’s installed from the Package Center.

   • Create a schedule for regular snapshots of the shared folder containing your Active Backup data.

By using Btrfs snapshots, you can preserve read-only versions of the backup data at specific points in time, making them resistant to ransomware or unintended deletions.

Step 3: Configure Offsite Replication to a Second Synology NAS

With your primary NAS now actively backing up Microsoft 365 data, the next step is replicating these backups offsite. Synology offers Snapshot Replication and Hyper Backup as two primary methods:

3.1. Using Snapshot Replication for Immutable Backups

1. Install Snapshot Replication:

   • On both the primary and secondary NAS, go to Package Center and install Snapshot Replication (if not already installed).

2. Enable Shared Folder Snapshots:

   • On the primary NAS, open Snapshot Replication.

   • Click Shared Folder > Create (or Settings) to enable snapshots on the folder containing your Active Backup data.

   • Set a snapshot schedule and retention policy that meets your RPO (Recovery Point Objective) needs.

3. Set Up Replication Tasks:

   • Under Replication in Snapshot Replication, create a new replication task.

   • Choose your Active Backup for Microsoft 365 shared folder.

   • Enter the IP address or QuickConnect ID of the offsite NAS.

   • Provide admin credentials for the offsite NAS.

   • Configure the replication schedule and confirm you want to replicate snapshots.

Immutability Consideration:

• Once snapshots are created and replicated, they are inherently read-only. By strictly controlling admin access and snapshot retention settings, you effectively have an immutable set of recovery points on the offsite NAS.

3.2. Using Hyper Backup for Offsite Copy

If Snapshot Replication is not feasible (or you need additional backup format options), Hyper Backup can create versioned backup tasks which are also robust against direct file modifications:

1. Install Hyper Backup:

   • On the primary NAS, open Package Center > Hyper Backup.

2. Create a Backup Task:

   • Click Create and choose Remote NAS device as the backup destination.

3. Configure Destination:

   • Enter the IP or QuickConnect ID of the secondary NAS, along with login credentials.

   • Select (or create) a shared folder on the offsite NAS to store the backups.

4. Backup Settings:

   • Select the Active Backup for Microsoft 365 data folder.

   • Choose a backup schedule, rotation policy, and encryption if desired.

   • Complete the setup and run the initial backup.

Immutability Approach:

• Hyper Backup archives can’t be simply edited once created. To further enhance immutability, restrict admin privileges on the remote NAS, use encrypted backups with a passphrase, and enable Btrfs snapshots on that backup folder as well.

Step 4: Confirming Immutability and Ransomware Protection

1. Test Recovery:

   • Try restoring a single mailbox or a file from OneDrive to confirm your backups are valid. In Active Backup for Microsoft 365, go to Portal > Restore to verify data integrity.

2. Check Snapshot Read-Only:

   • On both primary and secondary NAS, confirm your snapshots (or Hyper Backup versions) are read-only. Attempting to modify snapshot data should be impossible.

3. Review Permissions:

   • Limit admin rights to a small number of trusted individuals.

   • Consider enabling multi-factor authentication (MFA) for Synology NAS accounts.

A combination of offsite replication, Btrfs snapshots, and limited administrative access forms the backbone of a solid ransomware protection strategy.

Step 5: Maintenance and Ongoing Monitoring

1. Regularly Update DSM and Packages:

   • Keep the Synology operating system, Active Backup for Microsoft 365, Snapshot Replication, and Hyper Backup up to date.

2. Adjust Retention Policies:

   • Tailor the snapshot or backup retention schedule based on business requirements (e.g., daily, weekly, monthly).

   • Balance cost and storage usage against regulatory or compliance demands.

3. Monitor Disk Usage:

   • Keep an eye on disk space utilization for both the primary and offsite NAS to avoid running out of capacity for snapshots.

4. Periodic Testing:

   • Test the restoration process at least quarterly to ensure data recoverability and process familiarity.

Conclusion

Implementing Active Backup for Microsoft 365 on a Synology NAS gives you full control over your organization’s critical Microsoft 365 data. By extending your setup with offsite replication and immutability through Snapshot Replication or Hyper Backup, you achieve a multi-layered defense against ransomware, accidental deletions, and catastrophic failures.

Key Takeaways:

• Active Backup for Microsoft 365 seamlessly centralizes backups for mail, OneDrive, SharePoint, and Teams.

• Btrfs Snapshots on Synology add powerful version control and immutability.

• Replication to an offsite Synology NAS ensures data remains recoverable even if your primary site is compromised.

By following these steps, you’ll have a robust, secure, and highly available backup framework, delivering peace of mind and compliance-readiness for your Microsoft 365 environment.