How do I register an Azure AD application for Active Backup for Microsoft 365? (for Microsoft 365 operated by 21Vianet in China)

Purpose

This article will guide you through how to register an Azure AD (Azure Active Directory) application and generate a certificate for backup authorization. The registration method depends on the version of Active Backup for Microsoft 365. Please check the version in Package Center first before proceeding with the instructions.

For version 2.4 or above

Applications and certificates will be automatically generated during the task creation. Follow the wizard to create your application and certificate.

  1. Launch Active Backup for Microsoft 365.
  2. Go to Task List and click Create to launch the Task Creation Wizard.
  3. Select Create a backup task.
  4. Set the endpoint type to Microsoft 365 operated by 21Vianet. Enter a strong and memorable password to protect your certificate.
  5. Sign in to Microsoft 365 as a global admin. Click Accept if you agree to the permission request.
  6. Download and keep your certificate in a secure place.
  7. Follow the wizard to complete the backup settings. Your application details can be found in Task List > Edit > App Credentials.

For version 2.2 & 2.3

Generate your application and certificate by running a PowerShell script.

Execution environment

  • Windows 10/Windows Server 2016 or later as the operating system

Generate a certificate

Create a self-issued X.509 certificate to authorize backup tasks.

Change the PowerShell execution policy

  1. Type Windows PowerShell in the search bar.
  2. Right-click Windows PowerShell (not Windows PowerShell (x86)) and select Run as Administrator.
  3. To authorize the script provided by Synology, change the execution policy by entering the following command line. Because of -Scope Process, the change applies only to the current PowerShell session and does not alter the execution policy of the system.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
  4. Enter Y to confirm.

Download and run the PowerShell script

  1. Click here to download the PowerShell script, CertificateGenerator.ps1.
  2. Right-click the script, CertificateGenerator.ps1. Select Properties and copy the file path in the Location field.
  3. Type the location into PowerShell using the following format: cd filepath
    cd C:\Users\username\Downloads
  4. Specify the script file using the following format: .\filename
    .\CertificateGenerator.ps1
  5. Enter R to run the script. If your PowerShell version is not up-to-date, you might need to enter Y to install and import the NuGet provider first and then enter Y again to install the modules from 'PSGallery'.
  6. When prompted to enter a certificate password, enter a strong and memorable password and press Enter. You will have to enter the same password when creating a backup task. Keep a record of the password so as not to forget it.
  7. The file paths of the certificate file and key credentials will be displayed in PowerShell. Copy them to your Notepad and do not delete the files. All of this information will be used later.
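
Before entering R in step 5, the script's Authenticode signature and download mark can be checked from the same PowerShell window. This is an added example, not part of Synology's instructions; the function name Test-DownloadedScript is hypothetical and $ExpectedPublisher is a placeholder to fill in, since this article does not state the publisher name.

```powershell
# Added example. $ExpectedPublisher is a placeholder you fill in yourself;
# this article does not state the publisher name.
function Test-DownloadedScript {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedPublisher = '<expected publisher name>'
    )
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    # Zone.Identifier is the "downloaded from the internet" mark; under
    # RemoteSigned, scripts carrying it must have a valid signature to run.
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $subject = if ($signer) { $signer.Subject } else { '' }
    $publisherOk = $subject.IndexOf($ExpectedPublisher, [StringComparison]::OrdinalIgnoreCase) -ge 0

    [pscustomobject]@{
        Path            = (Resolve-Path $Path).Path
        SHA256          = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        MarkOfTheWeb    = [bool]$zone
        SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer          = $subject
        SignerExpires   = if ($signer) { $signer.NotAfter } else { $null }
        Timestamped     = [bool]$sig.TimeStamperCertificate
        OkToRun         = ($sig.Status -eq 'Valid') -and $publisherOk
    }
}

$report = Test-DownloadedScript -Path .\CertificateGenerator.ps1
$report | Format-List
if (-not $report.OkToRun) {
    Write-Warning 'Signature is not valid or the signer is not the expected publisher; do not enter R.'
}
```

Recording the SHA256 value alongside the certificate paths makes it possible to confirm later which copy of the script was run.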

Register an Azure AD application

Register an Azure AD application and record the information that will be used to create backup tasks.

Create an application

Create an application to run backup tasks in Active Backup for Microsoft 365.

  1. Sign in to Microsoft Azure Portal as a global admin.
  2. Go to Azure Active Directory.
  3. Go to App registrations and click New registration.
  4. Specify the following settings and click Register:
    • Name: Name your application.
    • Supported account types: Select Accounts in this organizational directory only (Organization Name only - Single tenant).
  5. You will be led to the application overview page. Copy the Application (client) ID and the Directory (tenant) ID to your Notepad.

Grant application permissions

Grant access permissions to Microsoft Graph, Office 365 Exchange Online, and SharePoint, so that data of these services can be backed up and restored.

The following table lists all the required application permissions for a quick overview:

Microsoft API: Application permissions

Microsoft Graph:
  • Calendars.ReadWrite
  • Contacts.ReadWrite
  • Directory.ReadWrite.All
  • Files.ReadWrite.All
  • Group.ReadWrite.All
  • Mail.ReadWrite
  • Sites.ReadWrite.All
  • User.ReadWrite.All

Office 365 Exchange Online:
  • full_access_as_app

SharePoint:
  • Sites.FullControl.All

  1. Go to API permissions and click Add a permission.
  2. Select Microsoft Graph.
  3. Select Application permissions.
  4. Search for the following permissions and tick the checkboxes:
    • Calendars.ReadWrite
    • Contacts.ReadWrite
    • Directory.ReadWrite.All
    • Files.ReadWrite.All
    • Group.ReadWrite.All
    • Mail.ReadWrite
    • Sites.ReadWrite.All
    • User.ReadWrite.All
  5. Click Add permissions at the bottom to add all the selected permissions at once.
  6. Click Add a permission and select SharePoint.
  7. Select Application permissions.
  8. Tick the following checkbox and click Add permissions:
    • Sites.FullControl.All
  9. Click Add a permission.
  10. Go to APIs my organization uses. Search for Office 365 Exchange Online and click it in the search result.
  11. Select Application permissions.
  12. Tick the following checkbox and click Add permissions:
    • full_access_as_app
  13. After granting all the required permissions, you should have a list such as the following:
  14. Click Grant admin consent for Organization Name > Yes.

Update key credentials to your application manifest

Update key credentials that are used when requesting access tokens.

  1. Copy the file path of KeyCredentials.txt recorded in your Notepad. Paste it into the Location field of File Explorer and press Enter.
  2. Copy the entire text in KeyCredentials.txt.
  3. Return to Microsoft Azure Portal and click Manifest on the left panel.
  4. Paste the copied text into the brackets following keyCredentials. Click Save.
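
To show what the "Generate a certificate" step and the keyCredentials manifest entry consist of, the following added example creates a self-signed certificate, exports it as a password-protected PFX file, and writes the matching public-key entry. It is not Synology's CertificateGenerator.ps1 and may differ from it; the function name, subject name, validity period and file names are assumptions.

```powershell
# Added example: not Synology's CertificateGenerator.ps1.
# Subject name, validity period and file names below are assumptions.
$ErrorActionPreference = 'Stop'

function New-ExampleBackupCertificate {
    param(
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $Subject = 'CN=ABM365-Example',   # hypothetical subject
        [string] $OutDir  = (Get-Location).Path
    )

    # Self-signed RSA 2048 / SHA-256 signing certificate in the current user's store.
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeySpec Signature -KeyExportPolicy Exportable `
        -NotAfter (Get-Date).AddYears(2)

    # The PFX holds the private key, so it is encrypted with the password.
    $pfxPath = Join-Path $OutDir 'example-backup.pfx'
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $Password | Out-Null

    # The manifest entry carries only the public certificate, never the private key.
    $keyCredential = [ordered]@{
        customKeyIdentifier = [Convert]::ToBase64String($cert.GetCertHash())
        keyId               = [guid]::NewGuid().ToString()
        type                = 'AsymmetricX509Cert'
        usage               = 'Verify'
        value               = [Convert]::ToBase64String($cert.GetRawCertData())
    }
    $jsonPath = Join-Path $OutDir 'example-KeyCredentials.txt'
    $keyCredential | ConvertTo-Json | Set-Content -Path $jsonPath -Encoding ascii

    # Remove the private key from the certificate store; the PFX is now the only copy.
    Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint) -DeleteKey

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        CertificatePfx = $pfxPath
        KeyCredentials = $jsonPath
    }
}

$pw = Read-Host -AsSecureString 'Certificate password'
New-ExampleBackupCertificate -Password $pw | Format-List
```

The printed thumbprint can be compared with the one Azure Portal shows for the application after the manifest is saved, and NotAfter is the date by which the certificate has to be replaced.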

Create a backup task in Active Backup for Microsoft 365

  1. Launch Active Backup for Microsoft 365.
  2. Go to Task List and click Create to launch the Task Creation Wizard.
  3. Select Create a new backup task and click Next.
  4. Fill in the following information. The credentials should be recorded in your Notepad from the previous steps:
    • Microsoft 365 endpoint: Microsoft 365 operated by 21Vianet
    • Domain admin email address: The global admin account that you used to create the application
    • Tenant ID: The Directory (tenant) ID in your Notepad
    • Application ID: The Application (client) ID in your Notepad
    • Certificate file: The file path in your Notepad
    • Certificate password: The password you entered in PowerShell
  5. Follow the wizard to complete the backup settings.