SaaS Backups

The One Backups protects Microsoft 365 and Google Workspace data against accidental deletion, ransomware, and retention policy gaps in the native platforms. SaaS backup is separate from endpoint backup: it connects directly to the M365 or Google API via OAuth consent and runs independently of the RMM agent.

What Is Protected

Microsoft 365

| Service | What Is Backed Up |
|---|---|
| Exchange Online | All mailbox items: emails, sent items, deleted items, calendar events, contacts, tasks |
| OneDrive | All files in each user's OneDrive, including version history |
| SharePoint | Document libraries across all site collections |
| Teams | Channel messages and file attachments stored in Teams channels |

ℹ️ Teams chat (1:1 and group direct messages) requires the ChannelMessage.Read.All permission granted during M365 consent. If this permission was not granted, Teams backup will not capture DMs. Re-authorize the connection to add the missing permission.

Google Workspace

| Service | What Is Backed Up |
|---|---|
| Gmail | All messages in all labels including Spam and Trash |
| Drive | All files in My Drive for each user |
| Calendar | All calendar events from the primary calendar |
| Contacts | All contacts in the user's Google Contacts |

Shared drives are backed up if the service account has access. Contact your Google Workspace admin to confirm shared drive access is included in the consent scope.

Connecting an M365 Tenant

Step 1: Create the Connection

  1. Go to Backups console → SaaS → New Connection
  2. Select Microsoft 365
  3. Enter:
    • Name — A label for this connection (typically the client company name)
    • M365 Tenant ID — Found in Azure Portal → Azure Active Directory → Tenant Properties
    • Backup Scopes — Select which services to back up (Exchange, OneDrive, SharePoint, Teams)
    • Company — Optionally link to a company in your Backups tenant for billing and CMDB tracking
  4. Click Save — the connection is created with status Setup
  1. Click Authorize on the new connection
  2. You are redirected to the Microsoft admin consent URL:
    https://login.microsoftonline.com/{tenant-id}/adminconsent
  3. Sign in as a Global Administrator of the M365 tenant
  4. Review the permissions:
    • Mail.Read, MailboxSettings.Read — Exchange backup
    • Files.Read.All, Sites.Read.All — OneDrive and SharePoint backup
    • TeamSettings.Read.All, Channel.ReadBasic.All, ChannelMessage.Read.All — Teams backup
    • User.Read.All, Directory.Read.All — Enumerate users to back up
    • Calendars.Read, Contacts.Read — Calendar and contacts
  5. Click Accept to grant admin consent for the entire organization
  6. The Backups console updates the connection status to Active
ℹ️ Admin consent must be granted by a Global Administrator — a regular user cannot authorize these permissions. If the tenant uses Conditional Access policies that require managed devices or specific locations for admin consent, have the Global Admin complete the consent flow from a compliant device.
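
A post-consent check, as an added example that is not part of the product: it compares the permissions actually granted to the backup application with the list shown on the consent screen above, reporting what is missing (that service will not back up fully) and anything beyond the documented read-only set. The input is assumed to be a list of permission names exported from the tenant; `SAMPLE_GRANTED`, `WRITE_MARKERS` and the function name are constructed for illustration.

```python
# Added example: compare granted permissions with the consent list on this page.
EXPECTED = {  # purpose -> permissions, copied from the consent screen list above
    "Exchange backup": {"Mail.Read", "MailboxSettings.Read"},
    "OneDrive and SharePoint backup": {"Files.Read.All", "Sites.Read.All"},
    "Teams backup": {"TeamSettings.Read.All", "Channel.ReadBasic.All",
                     "ChannelMessage.Read.All"},
    "Enumerate users": {"User.Read.All", "Directory.Read.All"},
    "Calendar and contacts": {"Calendars.Read", "Contacts.Read"},
}
# Name fragments that mark a permission as more than read-only (assumed heuristic).
WRITE_MARKERS = ("Write", "Send", "Manage", "FullControl")


def audit_consent(granted):
    """Return missing, unexpected and write-capable permissions for a connection."""
    granted = {p.strip() for p in granted if p.strip()}
    allowed = set().union(*EXPECTED.values())
    missing = {purpose: sorted(perms - granted)
               for purpose, perms in EXPECTED.items() if perms - granted}
    unexpected = sorted(granted - allowed)
    write_capable = [p for p in unexpected if any(m in p for m in WRITE_MARKERS)]
    return {"missing": missing, "unexpected": unexpected,
            "write_capable": write_capable}


# Constructed sample: the Teams message permission is absent, two extras are present.
SAMPLE_GRANTED = [
    "Mail.Read", "MailboxSettings.Read", "Files.Read.All", "Sites.Read.All",
    "TeamSettings.Read.All", "Channel.ReadBasic.All",
    "User.Read.All", "Directory.Read.All", "Calendars.Read", "Contacts.Read",
    "Mail.ReadWrite", "AuditLog.Read.All",
]

if __name__ == "__main__":
    report = audit_consent(SAMPLE_GRANTED)
    for purpose, perms in report["missing"].items():
        print(f"MISSING for {purpose}: {', '.join(perms)}")
    print("UNEXPECTED:", report["unexpected"])
    print("WRITE-CAPABLE:", report["write_capable"])
```

A non-empty `write_capable` list is the finding to act on first: every permission this page documents is read-only.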

Connecting a Google Workspace Tenant

  1. Go to Backups console → SaaS → New Connection
  2. Select Google Workspace
  3. Enter the Google Workspace Domain and a name for the connection
  4. Select backup scopes (Gmail, Drive, Calendar, Contacts)
  5. Click Authorize — you are redirected to Google's OAuth consent page
  6. Sign in as a Super Admin of the Google Workspace account
  7. Review and accept the permissions
  8. The connection activates and the first backup job is scheduled

Google Workspace backup requires the admin.directory.user.readonly scope to enumerate users. Without this scope, only the authorizing admin account is backed up.

Backup Frequency and Schedule

SaaS backup jobs run on a daily schedule by default:

| Setting | Default |
|---|---|
| Schedule type | Daily |
| Run time | 2:00 AM UTC |
| Scope | All users in the connected tenant |

The first backup is a full sync of all items across all users. Subsequent jobs use delta tokens — Microsoft Graph delta links for M365 and Gmail history IDs / Drive change tokens / Calendar sync tokens for Google — to capture only changes since the last sync.
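
How a delta round can be applied safely, as an added example that is not the product's code: it follows the Microsoft Graph delta response shape (`value`, `@odata.nextLink`, `@odata.deltaLink`, `@removed`) over constructed pages. The store layout, the `deleted_in_source` tombstone and the URLs are assumptions; the point is that the new delta link is only adopted once the whole round has succeeded, and that a deletion in the source does not delete the backed-up copy.

```python
# Added example: incremental sync driven by a Microsoft Graph style delta link.
# PAGES is constructed sample data; fetch_page stands in for an HTTP GET.
PAGES = {
    "delta?token=t1": {
        "value": [{"id": "m2", "subject": "Q3 invoice (edited)"},
                  {"id": "m4", "subject": "New message"}],
        "@odata.nextLink": "delta?skiptoken=s1",
    },
    "delta?skiptoken=s1": {
        "value": [{"id": "m3", "@removed": {"reason": "deleted"}}],
        "@odata.deltaLink": "delta?token=t2",
    },
}


def fetch_page(url):
    return PAGES[url]


def run_delta_round(store, delta_link, fetch=fetch_page):
    """Apply one delta round; return (new_store, new_delta_link).

    Changes are staged on a copy, so an error mid-round leaves the caller's
    store and previous delta link untouched and the round can be retried.
    """
    staged = {item_id: dict(item) for item_id, item in store.items()}
    url, new_link = delta_link, None
    while url:
        page = fetch(url)
        for item in page.get("value", []):
            item_id = item["id"]
            if "@removed" in item:
                # Deleted in the source: keep the backup copy, only tombstone it.
                if item_id in staged:
                    staged[item_id]["deleted_in_source"] = True
            else:
                staged[item_id] = {**staged.get(item_id, {}), **item,
                                   "deleted_in_source": False}
        new_link = page.get("@odata.deltaLink")  # present on the last page only
        url = page.get("@odata.nextLink")        # present on every earlier page
    if new_link is None:
        raise RuntimeError("round ended without a deltaLink; keep the old token")
    return staged, new_link
```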

You can trigger a manual backup from the Jobs tab on any SaaS connection at any time.

SaaS Data Retention

SaaS backup retention is configured in the SaaS policy attached to the connection. Default retention:

| Tier | Default |
|---|---|
| Daily | 30 days |
| Monthly | 12 months |
| Annual | 0 years |

SaaS items are encrypted at rest using envelope encryption: each item has a unique data encryption key (DEK), and the DEK is wrapped with a per-tenant key encryption key (KEK) stored in Azure Key Vault.
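
The envelope scheme described above, as an added example that is not the product's implementation: a fresh DEK encrypts each item with AES-GCM and is stored only in wrapped form under the tenant's KEK. Assumptions: a local 32-byte key stands in for the Key Vault-held KEK, AES key wrap is the wrapping algorithm, and binding the tenant and item IDs as associated data is an addition of this example. It requires the `cryptography` package.

```python
# Added example: per-item DEK wrapped by a per-tenant KEK (envelope encryption).
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)


def encrypt_item(kek, tenant_id, item_id, plaintext):
    """Encrypt one backup item; only the wrapped DEK is stored with it."""
    dek = AESGCM.generate_key(bit_length=256)   # unique key for this item
    nonce = os.urandom(12)
    aad = f"{tenant_id}/{item_id}".encode()     # ties ciphertext to its owner
    return {
        "tenant_id": tenant_id,
        "item_id": item_id,
        "nonce": nonce,
        "ciphertext": AESGCM(dek).encrypt(nonce, plaintext, aad),
        "wrapped_dek": aes_key_wrap(kek, dek),  # in production: a Key Vault call
    }


def decrypt_item(kek, record):
    """Unwrap the DEK with the tenant KEK, then decrypt and authenticate."""
    dek = aes_key_unwrap(kek, record["wrapped_dek"])  # fails for a wrong KEK
    aad = f"{record['tenant_id']}/{record['item_id']}".encode()
    return AESGCM(dek).decrypt(record["nonce"], record["ciphertext"], aad)


def cross_tenant_read_blocked(kek_a, kek_b):
    """True if tenant B's KEK cannot open an item stored for tenant A."""
    record = encrypt_item(kek_a, "tenant-a", "msg-1", b"constructed mail body")
    try:
        decrypt_item(kek_b, record)
    except InvalidUnwrap:
        return True
    return False
```

Because the KEK only ever wraps 32-byte DEKs, rotating it means re-wrapping the stored DEKs, not re-encrypting the item data.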

Restoring SaaS Data

Granular Item Restore

Restore a single email, file, calendar event, or contact:

  1. Go to SaaS → select the connection → Browse
  2. Select a user from the user list
  3. Navigate to the service (Exchange, OneDrive, etc.)
  4. Find the item — use search if needed
  5. Click Restore → choose Restore to Original Location or Download

Restore to original location re-creates the item in the live M365 or Google account. The original item is not modified if it still exists — the restored version is added alongside it.

Bulk Restore

Restore all data for a specific user (e.g., after account deletion or ransomware):

  1. Go to SaaS → select the connection → Browse
  2. Select the user → Restore All
  3. Choose a point-in-time snapshot
  4. Confirm — the restore job runs in the background

Bulk restores for large accounts (50 GB+) can take several hours.

Token Refresh

OAuth tokens for M365 and Google connections expire and must be refreshed. The token refresh timer runs every 4 hours and proactively refreshes tokens before they expire. If a refresh fails (e.g., consent was revoked by the M365 admin), the connection status changes to Consent Expired and an alert is created.

To re-authorize an expired connection, click Authorize on the connection and repeat the admin consent flow.