OneDrive for Business

Synology DiskStation Microsoft 365 Backup Review

Synology sent me a new DiskStation to review after I’d acquired an older one myself to look at its ability to back up Microsoft 365 data (the updated name for Office 365). Being a Microsoft MVP in the Office Apps and Services category, I was very interested to see how it worked.

After reading up on it and seeing that it was a completely free piece of software available as part of owning a DiskStation, I was hoping this would be a good solution at an incredibly low price – buy your DiskStation and disks, some time to set it up, and you’re done. To me, that’s already a very appealing offering, along with Synology having a good reputation for maintaining and supporting their hardware several years on – which was proved by the 7 year old DS1813+ I set up a few months ago.

I’ve left the new Intel-based DiskStation 1618+ – Quad Core CPU and 4GB RAM (expandable) running for about a month now, backing up my Microsoft 365 tenant’s data. I ticked ALL the options to see how it went. This tenant is just for me, so the data set is smaller than most tenants – but I do run a few live things through it like email and OneDrive. There’s also a little SharePoint Online data from Microsoft 365 Groups and Teams I’ve played around with.

Here’s what the dashboard looks like now:

Some useful information there around what’s being backed up and how big it is. You might notice there’s a few errors on the summary. I drilled into those and each was because ‘The Microsoft Server is busy’, and a few minutes later it would try again successfully.

This is likely because I used a backup option to get incremental changes, rather than at a set time. Maybe I’m hitting it too much and getting blocked occasionally.


I know I’ve gotten ahead of myself here, so let’s go back to how to set this up. Assuming you have yourself a Synology DiskStation of some sort that supports ‘Active Backup for Office 365’ – and which models are those? Here’s the list:

  • 20 series: FS6400, FS3600, FS3400, RS820RP+, RS820+, DS920+, DS720+, DS620slim, DS420+, SA3600, SA3400, SA3200D
  • 19 series: RS1619xs+, RS1219+, DS2419+, DS1819+, DS1019+, DVA3219
  • 18 series: FS1018, RS3618xs, RS2818RP+, RS2418RP+, RS2418+, RS818RP+, RS818+, DS3018xs, DS1618+, DS918+, DS718+, DS418play, DS218+
  • 17 series: FS3017, FS2017, RS18017xs+, RS4017xs+, RS3617xs+, RS3617RPxs, RS3617xs, DS3617xs, DS1817+, DS1517+
  • 16 series: RS18016xs+, RS2416RP+, RS2416+, DS916+, DS716+, DS716+II, DS416play, DS216+, DS216+II
  • 15 series: RS815RP+, RS815+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, DS415+
  • 14 series: RS3614xs+, RS3614RPxs, RS3614xs, RS2414RP+, RS2414+, RS814RP+, RS814+
  • 13 series: RS10613xs+, RS3413xs+, DS2413+, DS1813+, DS1513+, DS713+
  • 12 series: RS3412RPxs, RS3412xs, RS2212RP+, RS2212+, RS812RP+, RS812+, DS3612xs, DS1812+, DS1512+, DS712+, DS412+
  • 11 series: RS3411RPxs, RS3411xs, RS2211RP+, RS2211+, DS3611xs, DS2411+, DS1511+, DS411+, DS411+II

From the DiskStation desktop, open Package Center and follow these steps:

This was a very easy setup to do – I took screenshots of every step involved, but it barely needs an explanation for anyone who’s an admin of a Microsoft 365 Tenant.

The program will then go off and start backing up what you told it. The ‘Activities’ section of Active Backup for Office 365 will show any backups running, and you can also use the inbuilt ‘Resource Monitor’ to see upload/download speeds, disk utilization etc.

It’s also worth noting that the backup you created has an ‘account discovery’ option where it’ll find any new accounts created and automatically add them to the backup, which is great for not having to change backup settings each time you have a new user start.


Running a backup is great, but how do you restore the data? There’s a second app you’ll need, ‘Active Backup for Office 365 Portal’. Launching this will take you to a web interface where admins can browse all data, and users can browse just their own (user access can be disabled if you prefer).

On this web interface, you can then find the file(s) you want to restore, and restore them. You also get a nice timeline down the bottom so you can move backwards and forwards to see a snapshot of a certain time.

Although Mail, Calendar, Contact, and Site (SharePoint) support searching across all backups for names and contents, at the time of writing this isn’t possible for OneDrive backups. It’s worth being aware of this – if someone requests a file restore you’ll need to know exactly when from. I don’t see this as too much of an issue though, as OneDrive has great version control natively, and an automatic recycle bin – so you’d probably rely on the native solution for finding a file, but still it’s worth knowing this existing limitation.

That was the only slight negative I could find while testing. Everything else just worked, was quick to browse and restore, and incremental backups appeared to be on the DiskStation within several seconds after creating a new file in OneDrive.

Again, this is an incredibly cheap Office 365 backup solution. Some may question if you need to back up Office 365 at all. You could set up infinite retention against all content, so why take a backup? To me it’s a definite grey area, and partly depends how much you value the data. Microsoft may never lose your data, but will it be available 100% of the time? What if that important document is in your OneDrive and hadn’t synced down, and there was an outage? We’ve seen a few outages lately, including ones that have broken authentication – your data is still there, but you can’t get to it. In that scenario, having a local copy of something time sensitive could be worth it. Considering the relatively low cost of buying a Synology DiskStation – your disks are probably going to cost more than the unit itself, I consider it a pretty easy sell.

OneDrive for Business Rollout Considerations

If you’re managing OneDrive for Business in your organisation, there’s a lot to consider – more than what you’d think until you start looking into it. I’ve just gone through this, so thought it was a good time to document and share what I found with my recommendations.

There’s two major areas to review settings in:

admin.onedrive.com

You may not know this even exists as it’s still in preview, as OneDrive for Business fully functions without ever having to go here. The OneDrive admin center at https://admin.onedrive.com/ has some nice settings worth checking out. Some of the settings were already available in other areas, but this gives a central point to manage them.

Sharing: Under the Sharing section, there’s a few settings I’d recommend changing. The defaults are much more open – allowing users to create shareable links that don’t require a sign-in (which is really a bad idea when you’re sharing work information!), as well as the default link type being ‘Shareable: Anyone with the link’.

I’d recommend having the default ‘Direct: Specific people’ when sharing a link, and restricting the ability to have anonymous shareable links at all. This way ensures that data only gets shared to the people the end user chooses, and nobody else.

Sync: ‘Allow syncing only on PCs joined to specific domains’ is off by default, and you’ll need to look up your domain’s GUID to enter it in. This is good for preventing data leakage: do you really want someone’s home PC automatically downloading all work data? This won’t block them from accessing OneDrive information at all as it’s available via web and Android/iOS apps, but none of those solutions automatically sync content. You can also block Mac OS if you don’t manage any in your company.

There’s also the option of blocking syncing of specific file types – I can’t think of a particular reason for this though. OneDrive already has AV built into it, as does your PC with Windows Defender, AND you should have AppLocker in place to block running unwanted executables… but it’s still worth noting the option.

Storage: The default ‘Days to retain files in OneDrive once a user account has marked for deletion’ might be missing a word, but its default value is 30. You can go all the way up to 3650, which is 10 years minus a few days for leap years. I don’t have to worry about this data or pay extra for it, so I’d rather have it retained just in case.

There’s also another option where on departure, the manager based on the AD/AAD field of the departing user will be granted access to their OneDrive, which is a nice automated way of having someone check the contents in case anything needs to be saved out. That setting lives in the SharePoint Admin center, fully described in the above link.

Device Access: Worth noting that you can restrict access from certain IP addresses, but in the real world I don’t see many companies doing this unless you really want to keep your OneDrive data internal.

If you’re in a position to disable this other option though, removing the ‘Allow access from apps that don’t use modern authentication’ is good security wise, and ties into my other post Protect Your Office 365 Accounts By Disabling Basic Authentication.

There are other options in the OneDrive for Business Admin Center, but nothing I personally considered changing.

Group Policy

This is probably where you’ve already started. Make sure you’ve deployed the latest ADMX files, and review all the settings. Here’s the key ones I’d recommend looking at, some are computer based and some user:

Enable OneDrive Files On-Demand: This makes just the stubs of files download to the OneDrive client, then download the full file when requested. There might be some pushback on not having instant access to a file when wanted, but when you tie this into Known Folder Redirection (below) and have users that move around a lot, this should save bandwidth and disk space across your fleet. I have this one enabled.

Prevent users from using the remote file fetch feature to access files on the computer: I’d definitely have this one off as it lets users access the entire contents of any PC they’re signed into (where their account also has access to the local files of course), remotely. It could easily lead to data leakage when you’re opening up such a big door.

Delay updating OneDrive.exe until the second release wave: If OneDrive becomes important to your users (which it should, yet again with Known Folder Redirection), then you probably want to avoid getting a new release that has a bug. Sit back and wait for the second release wave to make sure you’re getting a more stable update each time. Enabled with maybe a few users having this Disabled for piloting/testing.

Prevent users from synchronizing personal OneDrive accounts: I enabled this one, as with the above settings I’ve already allowed a method that users can get and work on the files they want from anywhere. I can also monitor this and produce logs if required. Someone’s personal OneDrive I have no visibility or control over, and there’s really no need to allow this.

Silently move Windows known folders to OneDrive: Once you’re ready and fully deployed with OneDrive, this is the next great feature to check out. It deserves its own blog post later, but you can silently configure the user’s Desktop, Documents and Pictures folders to live in OneDrive, rather than the local PC. This lets users access the same data wherever they log into, with the extra benefit of doing it in the background after the user logs in – no login delays. It’s like having an important part of roaming profiles, without the headaches. More info here: https://docs.microsoft.com/en-us/onedrive/redirect-known-folders

If you’d originally disabled OneDrive via GPO through the policy Prevent the usage of OneDrive for file storage then just disabling that policy should be enough, as long as you still have OneDriveSetup.exe running at login via the Run registry hive against the user. If you removed that, you may have to add it back in.

I found this method to be useful – to create the value HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run – Reg_SZ value type OneDriveSetup with value data C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup – but only applying this if the OneDrive registry value didn’t exist. OneDriveSetup should remove itself if successfully run, and will also create OneDrive meaning the setup key won’t get put back again.

If you look at what a new user gets the first time they log in, assuming no OneDrive cleanup has happened, it is the exact same OneDriveSetup key as above. In my testing, having other switches against OneDriveSetup caused issues.
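A per-user logon script version of the conditional Run value described above, as an added example that is not from the original post. The function name and return strings are hypothetical; the registry path, value name and command line are the ones given in the post.

```powershell
# Added example: queue OneDriveSetup for the current user only when OneDrive
# has not already registered itself under the same Run key.
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$SetupExe = 'C:\Windows\SysWOW64\OneDriveSetup.exe'
$SetupCmd = "$SetupExe /thfirstsetup"

function Add-OneDriveSetupRunValue {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $Path    = $RunKey,
        [string] $Exe     = $SetupExe,
        [string] $Command = $SetupCmd
    )

    # Get-ItemProperty returns $null when the key has no values yet.
    $run   = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $names = if ($run) { $run.PSObject.Properties.Name } else { @() }

    # The OneDrive value exists once setup has completed for this user.
    if ($names -contains 'OneDrive') { return 'AlreadyInstalled' }

    # Leave an identical pending entry alone, but overwrite one whose data
    # differs, since a Run value executes whatever it contains at logon.
    if ($names -contains 'OneDriveSetup' -and $run.OneDriveSetup -eq $Command) {
        return 'AlreadyQueued'
    }

    # Do not register a command that points at a missing binary.
    if (-not (Test-Path -LiteralPath $Exe -PathType Leaf)) { return 'SetupMissing' }

    if ($PSCmdlet.ShouldProcess($Path, 'Create OneDriveSetup Run value')) {
        New-ItemProperty -Path $Path -Name 'OneDriveSetup' -PropertyType String `
            -Value $Command -Force | Out-Null
        return 'Queued'
    }
}

# Preview the change without writing to the registry.
Add-OneDriveSetupRunValue -WhatIf
```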

OneDrive for Business – Turn Off ‘Allow Editing’ By Default

Update 21st March 2019

You can now find these settings in the OneDrive Admin Center (Preview) at https://admin.onedrive.com and that’s a clearer experience.

Update 16th April 2020

As the SharePoint Admin Center has been updated, here’s the area to find the view/edit choice:

Original Post

Every organisation has their own requirements and standards. For mine, I see a risk when the default action of sharing a document via OneDrive for Business is the ability to ‘Allow editing’ of any document sent out. It’s worse because that option is hidden behind the main popup when sharing a file, and you don’t actually see that you’re giving ‘modify’ access rather than ‘read only’:

OneDrive for Business default sharing popup
OneDrive for Business ‘Allow editing’ on by default

There is a way to change this default behavior though, and it’s not in the OneDrive admin center.

Instead, you’ll need to head to the SharePoint admin center (since the backend of OneDrive is SharePoint Online, this makes some sense). From here, go into ‘sharing’ and there’s an option around ‘Default link permissions’. You can change this to ‘View’ rather than ‘Edit’:

SharePoint admin center

The change was immediate from my testing, as soon as I went to share another file via OneDrive for Business, the ‘Allow editing’ option was unticked. This is only changing the default too, someone can still decide they want to allow editing and tick the box.
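To check a tenant against the defaults recommended here and in the rollout post above (no anonymous links, ‘Direct’ link type, ‘View’ link permission, long retention, no legacy authentication), the following added example, which is not from the original posts, audits the object returned by `Get-SPOTenant`. The function name is hypothetical, the 3650-day retention target is an assumption based on the maximum mentioned above, and the sample object is constructed.

```powershell
# Added example. Property names are those returned by Get-SPOTenant
# (SharePoint Online Management Shell); MinRetentionDays is an assumed target.
function Test-OneDriveSharingBaseline {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Tenant,
        [int] $MinRetentionDays = 3650
    )
    process {
        $checks = @(
            @{ Setting = 'SharingCapability'
               Want    = 'anything but ExternalUserAndGuestSharing (no anonymous links)'
               Pass    = "$($Tenant.SharingCapability)" -ne 'ExternalUserAndGuestSharing' }
            @{ Setting = 'DefaultSharingLinkType'
               Want    = 'Direct (specific people)'
               Pass    = "$($Tenant.DefaultSharingLinkType)" -eq 'Direct' }
            @{ Setting = 'DefaultLinkPermission'
               Want    = 'View'
               Pass    = "$($Tenant.DefaultLinkPermission)" -eq 'View' }
            @{ Setting = 'OrphanedPersonalSitesRetentionPeriod'
               Want    = "at least $MinRetentionDays days"
               Pass    = [int]$Tenant.OrphanedPersonalSitesRetentionPeriod -ge $MinRetentionDays }
            @{ Setting = 'LegacyAuthProtocolsEnabled'
               Want    = 'False (modern authentication only)'
               Pass    = -not $Tenant.LegacyAuthProtocolsEnabled }
        )
        foreach ($c in $checks) {
            [pscustomobject]@{
                Setting     = $c.Setting
                Current     = $Tenant.($c.Setting)
                Recommended = $c.Want
                Compliant   = [bool]$c.Pass
            }
        }
    }
}

# Constructed sample resembling the open defaults described in these posts.
$sample = [pscustomobject]@{
    SharingCapability                    = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType               = 'AnonymousAccess'
    DefaultLinkPermission                = 'Edit'
    OrphanedPersonalSitesRetentionPeriod = 30
    LegacyAuthProtocolsEnabled           = $true
}
$sample | Test-OneDriveSharingBaseline | Format-Table -AutoSize
```

Against a live tenant, connect with `Connect-SPOService` and pipe `Get-SPOTenant` into the function instead of the sample.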

It’s worth considering what you should have as your default. The new versioning in OneDrive/SharePoint Online is really good, and will let a user easily roll back to a previous version of a document if something accidentally gets changed – but will your users be aware if something does change? It’s possible to set up an alert, but it’s a bit tedious: http://itgroove.net/brainlitter/2016/05/16/creating-alerts-documents-new-onedrive-business/

Hope this helps anyone considering rolling out OneDrive, or wants to start allowing external sharing.