️ Tutorial – Back up data to the Microsoft cloud with Synology Active Backup

This article was originally published at hungvu.tech – How to back up to Microsoft 365 with Synology Active Backup? ,

Synology has been a strong player in the network-attached storage (NAS) market due to their user-friendly solutions for home users and small businesses. As a mature platform, Synology NAS features can be greatly expanded through the Package Center. One of the popular packages is Active Backup for Microsoft 365. In this article, I’ll take the steps you need to take to make your first backup of Microsoft 365 cloud services on Diskstation Manager (DSM) 7.

Active Backup for Microsoft 365 provides a centralized interface that comes with auto-discovery service for efficient data backup and management, Continuous backup mode to reduce the risk of data loss, Microsoft 365 portal for easy restoration Active Backup, and more.

, Synology Inc.

before we start

  • At the time of writing, only the following Microsoft 365 plans are supported: Business (Basic, Standard, Premium), Enterprise (F3, E3, E5), Education (A1, A3), and Exchange Online (Plan 1, Plan 2 )
  • Make sure your NAS device is compatible with Active Backup for Microsoft 365. The compatibility list can be found here.
  • The tutorial assumes that you already had some experience with DSM. Active Backup for Microsoft 365 is on version 2.4.1, different steps may be required for other major versions.

Step 1: Install Active Backup for Microsoft 365

Active Backup for Microsoft 365 is a free add-on package, so it doesn’t come by default on newly installed DSMs. Download and install the package. An online Synology account is required to activate the package.

Step 2: Create a Backup Destination

  • go to Control Panel > Shared Folders,
  • press to create, and enter the name of the folder. Set the other checkboxes to your liking, then press next,
  • to select This shared folder is encrypted and provide your preferred key. This is sensitive information so store it securely, and you will need the key to decrypt and mount the shared folder for future use. Keys can be generated using password generators or other key generator libraries.

Generate encryption keys using Python's secret module.

  • press next and enable Data checksum for enhanced data integrity, do not enable file compression Otherwise, encryption will be disabled.

Shared folder encryption is disabled because of the file compression feature.

  • press next To download the encryption key file (.key), and finish creating a shared folder.
  • Set the user’s permission to the shared folder as per your choice.

How about file-level encryption?

Sensitive data should always be encrypted, so there is more protection against malicious actors (eg, thieves, hackers, etc.). However, encrypting an active backup for Microsoft 365 (also applicable for Google Workspace) can be confusing due to the lack of an official one. Documentation from Synology. file-level encryption Introduced in the latest version of Active Backup for Business (a separate package, not for Microsoft 365 and Google Workspace). Therefore, encryption occurs at the backup job, not at the shared folder level.

Configure file-level encryption in Active Backup for Business.

However, file-level encryption is still offered in neither Active Backup for Microsoft 365 nor Active Backup for Google Workspace, so we can rely only on shared folder encryption.

Why should you initially create an encrypted shared folder?

Here’s an interesting point, Synology uses e-cryptFS As an encryption mechanism for your shared folders, there is therefore a 143 English character or 47 Asian (CJK) character limit on file or folder names (not the length of the entire path) Therefore, enabling encryption on non-encrypted shared folders with files with long names will result in an error.

Cannot encrypt a shared folder that contains files or folders with long names.

However, if the shared folder is encrypted from the beginning, backup jobs can still run and store files as normal at the destination. However, the long file name is appended with (name too long) So I It’s not just a visual presentation in the Synology portal, because the download-from-NAS file is also (name too long) So I Shared folders can be un-mounted (encrypted) and mounted (decrypted) without any hassle. I reached out to Synology support to ask about this behavior, and they confirmed that it is normal.

Long filenames are appended with a raw `(name too long)` at the end.

Step 3: Create a Backup Task for Microsoft 365 Services

Create a new task in Active Backup for Microsoft 365.

  • Open Active Backup for Microsoft 365 package and go work schedule,
  • to select create a backup job then press next,
  • choose your favorite Microsoft 365 Endpoint, If your subscription is directly from the Microsoft website, the option is Microsoft 365,
  • Set a certificate password, treat it as creating an encryption key step 2then press next,
  • Synology requires you to sign in as a Microsoft tenant administrator with sufficient privileges to provide consent on behalf of your organization. The figure below shows the permissions granted to an application built by Synology on Azure to perform backup tasks.

Synology Permissions in Azure Applications.

  • You will be asked to confirm the NAS IP address. As a NAS, it should have a static IP address, but if that changes somehow down the road. Active Backup for Business allows connection editing, but it doesn’t seem to be the case for Microsoft 365 and Google Workspace, so you need to recreate a task.
  • Fill name of work, backup destination (the encrypted shared folder you just created). Other settings are to your liking. Active Backup for Microsoft 365 allows backup for tenant users, groups, sites, teams, auto-discovery, and more. You can choose whether to back up.
  • Microsoft Teams Backup requires access to the protected API, so you’ll need to request access to Microsoft. Instructions for the request can be found here. If this is not satisfied, the Microsoft Teams backup will fail. That said, it’s great that the active backup job can partially fail without causing any interruption to the flow.

Team Backup fails due to lack of permission to access protected APIs.

  • press next To select the backup and retention policy. Personally, I prefer to have a physical air gap system, so my choice is manual backup work and keep all versions policies
  • Confirm Summary, then press to request To finish construction work.
  • Now that the backup task has been created, it should appear in the task list, and you can monitor its status or reconfigure some settings along the line.

The newly created Active Backup for Microsoft 365 appears in the Tasks list.


In this article, we learned how to set up Active Backup for Microsoft 365 (v2.4.1) in DSM 7. Remember, different package versions may change how the process goes, but in general, it should remain relatively the same. If you have any questions, please let me know in the comments below!

Interested in web development, GitHub Actions, and more? My other articles may be helpful to you!

Get more developer news and technology articles on my blog on Dev Reports.

Plus, let’s join!

Leave a Comment