Skip to main content

Microsoft Office 365

Using this Protected Item type may incur additional charges.

This feature requires Comet Backup 21.9.x or later.

The "Microsoft Office 365" Protected Item type allows you to back up data from your Office 365 cloud account. The backup job runs on the local device, using Comet's client-side encryption, compression and deduplication to store data efficiently.

The following Office 365 services are supported:

  • Exchange Online
    • Mailbox (Email)
    • Calendar
    • Contacts
  • Sites
    • SharePoint
    • OneDrive for Business
    • Teams Files

NOTE: Microsoft Online Services are responsible for the availability of the Office 365 online service and meeting their SLA guarantees. There are first-party archival and history solutions such as Retention Policy and Litigation Hold. Back up your Office 365 cloud account, for purposes of data safety; redundancy; resilience to tampering, misconfiguration, and accidental loss; legal compliance; unified reporting with other backup sources; and ease of restoring single items.

Overview - Office 365 services

When selecting mailboxes for backup – you can choose ALL user, or Individual users or specific Azure AD groups

ServicesBackupRestore to LocalRestore to CloudSupportedNot Supported
Exchange Online
Mailbox (Email)YesYesYesActive users, shared mailboxesGuest users, Deleted users, Discovery mailbox, Archive mailbox, Journal mailbox, Outlook group mailboxes
CalendarYesYesYesRestore to local:JSON format
ContactsYesYesYesRestore to local:JSON format
SharePoint Online
SitesYesYesNoRestore lists, documents and pages individually
OneDrive for Business
Document Library (Word, Excel, PowerPoint, OneNote)YesYesYesDisplayed under "Documents" in associated SharePoint site
FilesYesYesYesDisplayed under "Documents" in associated SharePoint site


For backups, grant Comet the ability to read data from your Office 365 account. Please pay attention to the credentials provided as a significant amount of access to the Office 365 organization occurs. This grant is done by creating an "Application" inside Azure AD. This application can be created automatically or manually.

Automatic application registration

Click the "Azure Active Directory" button. This opens a registration application wizard dialog that steps you through the process to automatically register. Authenticate with Azure as a top-level administrator.

Manual application registration

If you are unable to use the automatic application registration, you can register the application manually via the Azure AD web interface via the following steps:

  1. Register a branded application inside the Azure Active Directory panel:

    • Click "App registrations" > "New registration"
    • Enter an application name (e.g. "My Branded Office 365 Backup Product"). The other options can be left as default
    • Click the "Register" button.
    • Copy the Application (client) ID field into Comet's Application ID field
    • Copy the Directory (tenant) ID field into Comet's Tenant ID field
      • Ensure that there are no extra spaces in the field after the Tenant ID
  2. Register an authentication secret for the application:

    • Click the "Certificates & secrets" left-hand tab
    • In the "Client secrets" section, click the "New client secret" button
    • Create a new secret
      • Specify any name (e.g. "My Comet integration credentials") and any expiry (e.g. "Forever / No expiry")
    • Copy the Value column into Comet's Application Secret field
  3. Grant this application permission to read Office 365 data:

    • Click the "API permissions" left-hand tab
    • Click the "Add a permission" button

    • Find and add the following permissions:
      • "APIs my organization uses" > "Office 365 Exchange Online" > Application permissions > ...
        • "Other permissions" > full_access_as_app
      • "Microsoft APIs" > "Microsoft Graph" > Application permissions > ...
        • Application.Read.All
        • Calendars.ReadWrite
        • ChannelMessage.Read.All
        • Contacts.ReadWrite
        • Directory.Read.All
        • Files.ReadWrite.All
        • GroupMember.Read.All
        • Mail.ReadWrite
        • Notes.Read.All
        • Sites.FullControl.All
        • TeamMember.ReadWrite.All
        • User.Read.All

    • Back on the API permissions page, click the top "Grant admin consent for (My Organization Name)" button

The authentication details are automatically populated in the desktop app, use the "Test Connection" button to validate the Office 365 credentials.

MS Office 365 Backup Configuration Video Guide

Configuring selections

Comet supports backing up different items from your Office 365 account. Use the pencil button in the desktop app to configure which mailboxes and sites will be backed up. Make separate selections for both mailboxes and sites using the dropdown arrow beside the plus button.

User has the following options for backups:

  • Back up all mailboxes/sites
  • Back up only the selected mailboxes/sites
  • Back up all mailboxes/sites except for the selected ones

When selecting users or sites for backup, the first dialog shows your current selection. Inside the first dialog, click the plus button to open a second dialog, to find users and sites from the Office 365 server.

The Search field in the second dialog box can be used to quickly filter for a known user or site.

When selecting users, the dialog also shows groups (Azure AD groups of user accounts). If you select a group, Comet will backup all the mailboxes for user accounts belonging to this group.

Comet supports Azure AD groups of user accounts, but does not currently support Outlook groups. If email messages are in an Outlook group, Comet will not be able to to back them up. You can see the Outlook groups via the Sites view, but group messages are not included via the Sites backup job.

The only mailboxes available for selection are

  • Active Users (as shown in the Office 365 Admin Center), and
  • Shared Mailboxes (created with an Exchange E5 license plan or higher).
    • Comet supports backing up Shared Mailboxes. Shared Mailboxes are counted as a full separate mailbox for the purposes of billing, regardless of the number of other accounts with access to the Shared Mailboxes.

The Protected Item configuration is also available remotely via the Comet Server web interface. This feature can be used when the device is online with a live-connection to the Comet Server.

Performance considerations

The backup job uses the Microsoft Office 365 API to read data from the cloud and store it in the Storage Vault. A large amount of data will be downloaded to the local device.

The backup job takes advantage of Office 365 server-side delta change APIs to efficiently perform incremental backup jobs.

  • This applies to Mailbox (Email), Calendars, Contacts, OneDrive files, and Teams files, allowing for high-performance incremental backup.
    • Deleting any file from within a backup job snapshot will disassociate the backup job snapshot from the server-side delta change. If you delete a file from the most recent backup job snapshot, the next incremental backup job will require a longer duration.
  • This does not apply to SharePoint lists, which may re-download data during each backup job, reducing performance.

The Office 365 API imposes some rate-limiting on the backup operation. This may limit the total performance of the backup job.

  • One of the multiple imposed rate-limit rules is based on the target mailbox account. Each mailbox has its own rate limits. Comet backs up multiple mailboxes in parallel; if the Office 365 tenant has a large number of mailboxes, the overall backup job performance would be balanced evenly across all the mailboxes. If the Office 365 tenant contains mailboxes with very different sizes, the single largest mailbox may reduce performance owing to the tail effect.

Hosting the Comet device inside Microsoft Azure provides the lowest possible latency to the Office 365 servers improving the performance.


Select files for restore. When browsing files to restore, different columns are displayed depending on the type of item being browsed.

Preview an email before restoring it, by using the right-click menu. The email preview shows the rich HTML content if the email contains it. Email preview contains the header fields, such as the From, To, and Subject fields; information about attached files; and embedded images.

Restoring Office 365 items to the local PC

Emails are restored in MIME format (*.eml). These files can be opened with Microsoft Outlook on your PC, or in any other email program (MUA) such as Mozilla Thunderbird. Microsoft Outlook supports importing *.eml files in bulk by dragging-and-dropping into an Outlook folder.

If the email represents a meeting invite, the email contains a calendar appointment attachment in vCalendar format. These attachments can be renamed to *.vcf and opened with Microsoft Outlook on your PC.

Contacts and Calendars are restored in JSON format. These files require further processing to convert to standard vCalendar format (*.vcf) before opening with Microsoft Outlook.

SharePoint file attachments, including OneDrive items and Teams files, are found within associated SharePoint site. OneDrive files can be restored as regular files and folders underneath the "Documents" subdirectory of the associated SharePoint site.

Restoring Office 365 items back to the cloud

You can choose to restore Office 365 items back to the cloud. You can choose to restore either to the original Office 365 cloud location, or a custom location.

All items will be restored with the default retention policy.

Any existing emails will not be overwritten. If an email selected for restore already exists in the target Office 365 cloud location, it will be restored as a duplicate email.

Microsoft Office 365 Cloud to Cloud:

Use Comet as a backup service provider to offer a fully "cloud to cloud" service to your end customers. Setup steps:

  • Install Comet Server, or use the Comet-Hosted Comet Server service offering
  • Create a single user account
  • Register for a VM on Azure and install Comet into it
  • Create a Protected Item for each target Office 365 tenant organization.

Each "cloud to cloud" Office 365 organization that you want to back up would be represented as a Protected Item, not as a separate user account. This allows you to easily centrally manage the worker VM and set any schedule frequency.

You can monitor the worker VM's CPU and memory resources, and increase the instance's resources as necessary; or you can split into multiple worker VMs.

Comet supports sending job report emails to different recipients for different Protected Items.

Comet Server does not have a built-in customer signup mechanism, so representing a customer as a Protected Item instead of as a user does not change that. You may use the Comet Server API to build a custom signup form that onboards customers as a Protected Item instead of as a user.

The full feature set of the Comet Server web interface is available from the API, including browsing an Office 365 organization's resources and registering application credentials.