Search

Google Workspace Backup and Archiving Guide

Doug Chanin
Doug Chanin
  • Updated

Topic

This article explains how to add Google Workspace mailboxes to your Dropsuite backup.

Environment

  • Dropsuite
  • Google Workspace

Description

Dropsuite allows you to back up Google Workspace (GWS) mailboxes easily. The sections below outline the steps involved in adding, backing up, or archiving your GWS mailboxes.

Authentication

Before you can begin backing up GWS, you'll need to authenticate the account. Follow these steps to authenticate your Google Workspace (GWS) account.

  1. Log in to the end user dashboard.
  2. Click Add Backup.
  3. Select the Sign in with Google Workspace button from the dashboard page. Use Google Workspace super admin credentials.
  4. Select the Google Sign Out button to log out of all active Google Workspace sessions in your browser. Verify that you have enabled cookies for your browser; if not, you will need to retry and sign in again.
  5. Sign in to your Google Workspace account using your super admin credentials from your Google Workspace subscription.
  6. Once signed into Google Workspace, install the Dropsuite application on your Google Workspace Marketplace. You can find the application at: https://admin.google.com/ac/apps/gmail/marketplace/domaininstall (external link)
  7. Click Integrate with Google.
  8. Click Continue.
  9. Select I agree to the application's Terms of Service, Privacy Policy, and G Suite Marketplace Terms of Service.
  10. You can now close the window and navigate back to the Add Backup page in Dropsuite.

Why is a Super Admin User Required?

A super admin user is required to obtain the tenant data. Specifically, the super admin user access is needed to back up the following products:

  • Shared Drive
  • Google Group

 Email, G Drive, Calendar, Contacts, and Tasks use impersonation for backup.

When inspecting logs within the tenant, you will notice that the super admin account is downloading files from these sources.

Add All Users Automatically by Using Auto-discover

If you select this option, we will automatically add all the users to the backup. In the future, if you add more users to your GWS tenant, we will add them to the backup if sufficient licenses are available.

You can add users to the exclusion list so they are not auto-discovered by enabling Auto-discover and adding the mailboxes to the "Select Excluded Account" drop-down menu.

Add Mailboxes Manually

To add mailboxes to the backup manually, wait for the list to populate, and click the empty box next to the user's email. If the user shows available, you can add it to the backup. You can also click the three dots next to available and add the mailbox to the exclusion list.

Journal Configuration (archive subscription only)

These steps are only applicable for archive subscriptions. Backup subscriptions don't require these steps. Users need to perform manual configuration for Archive routing, as Google Workspace doesn't support PowerShell.

Configure Archive for All Users - Setup Sending and Receiving Routing Settings

  1. Sign in to the Google Workspace administrator console using an administrator account at https://admin.google.com (external link)
  2. On the Main Menu, click AppsGoogle WorkspaceGmail
  3. Click Routing
  4. Select an organization.
  5. Next to the Routing settings, add a new rule by clicking Add Another Rule. If this is your first time setting up a routing rule, you can click Configure.
  6. Enter a short description for the journaling setup
  7. Select all four checkboxes in the Email Messages to Affect's section
  8. Select Add more recipients in the Also deliver to setting, and click Add
  9. Select Advanced and on the Envelope Recipient's section, then select  Change Envelope Recipient → Replace recipient and input an email address that is retrieved by contacting your reseller or by clicking the arrow beside your name and selecting Journal ID
  10. Select Do not deliver spam to this recipient if you do not want to capture spam emails
  11. Select Suppress bounces from this recipient
  12. Select Add custom headers, click Add, and input DME-JOURNAL-REPORT as key and true as value.
  13. Click Save.

Selective Archiving 

The difference between this method and the previous one has to do with the user. Since this is using Google Groups, you must first create a Google Group with the selected users for archiving. Then, set up sending and receiving routing rules separately by specifying this group in the filter section. It's not compulsory to add all the users to the group by the time of its creation. You can update the group's users at any time as needed.

Create a Google Workspace Group

To create a Google Workspace Group, follow these steps:

  1. Sign in to the Google administrator console at https://admin.google.com (external link).
  2. Choose Groups from the administrator dashboard.
  3. Click Create Group.
  4. Enter a name and group email address of your choosing, fill out other fields as required, and click NEXT.
  5. By default, the system checks Mailing as the label of the new group. However, if you want to have more controlled access to sensitive information, you can check the Security label (note: once checked, you won't be able to uclear.
  6. Configure the settings as required or keep defaults and click the CREATE GROUP button.
  7. Click Done.

Add Members to the Google Workspace Group

To add members to your Google Workspace Group, follow these steps:

  1. Choose Groups from the administrator dashboard
  2. Select the group you've created
  3. Click Add Members
  4. Type a username or group
  5. Click ADD TO GROUP

Set up Receiving Routing Settings

To set up receiving routing settings, follow these steps:

  1. Sign in to the Google administrator console at https://admin.google.com (external link)
  2. On the main menu, click AppsGoogle WorkspaceGmail
  3. Click Routing
  4. This step is optional. Select Organizational Unit (OU) to filter routing based on the OU.
  5. Next to the Routing settings, add a new rule by clicking Add Another Rule. If this is your first time setting up a routing rule, you can click Configure.
  6. In Email Messages to Affect, select Inbound and Internal - receiving
  7. Click Show optionsEnvelope filters.
  8. Select Only affect specific envelope recipients and select Group Membership (only received email).
  9. Click Select Groups. A pop-up will appear.
  10. Choose the groups that will receive the message.
  11. Select Add more recipients in the Also deliver to setting, and click Add.
  12. Select Advanced and on the Envelope Recipient's section, then select Change Envelope Recipient → Replace recipient and input an email address that is retrieved by contacting your reseller or by clicking the arrow beside your name and selecting Journal ID.
  13. Select Do not deliver spam to this recipient if you do not want to capture spam emails.
  14. Select Suppress bounces from this recipient.
  15. Select Add custom headers.
  16. Click Add and input DME-JOURNAL-REPORT as key and true as value.
  17. Click Save.
  18. Close the pop-up.
  19. Click Save

Set up Sending Routing Settings

To set up sending routing settings, follow these steps:

  1. Sign in to the Google administrator console at https://admin.google.com (external link).
  2. On the main menu, click AppsGoogle WorkspaceGmail.
  3. Click Routing.
  4. This step is optional. Select an Organizational Unit (OU) to filter routing based on the OU.
  5. Next to the Routing settings, add a new rule by clicking Add Another Rule. If this is your first time setting up a routing rule, you can click Configure.
  6. In Email Messages to Affect, select Outbound and Internal - sending.
  7. Click Show optionsEnvelope Filters.
  8. Select Only affect specific envelope recipients and select Group Membership (only sent mail).
  9. Click Select Groups. A pop-up will appear.
  10. Choose the groups that will receive the message.
  11. Select Add more recipients in the Also deliver to setting, and click Add.
  12. Select Advanced and on the Envelope Recipient's section, then select Change Envelope Recipient → Replace recipient and input an email address that is retrieved by contacting your reseller or by clicking the arrow beside your name and selecting Journal ID.
  13. Select Do not deliver spam to this recipient if you do not want to capture spam emails.
  14. Select Suppress bounces from this recipient.
  15. Select Add custom headers, click Add, and input DME-JOURNAL-REPORT as key and true as value.
  16. Click Save.
  17. Close the pop-up.
  18. Click Save.

Journaling Setup

For Microsoft 365 and Hosted Exchange:

  • Automatic Journaling Setup:
    • Dropsuite will automatically create a distribution group that includes all the mailboxes you've added.
    • The system will set up a journal rule to route a copy of all emails to Dropsuite's external journal mailbox.

Permissions

Dropsuite uses the following permissions for Google Workspace backups. There are two types of permission scopes, sensitive and restricted. The chart below provides details for each type.

Sensitive

Grant access to personal user data, such as reading events in Google Calendar or accessing files in Google Drive

API Scope Description
Admin SDK API  /auth/admin.directory.user.readonly See info about users on your domain
Admin SDK API /auth/admin.directory.domain.readonly View domains related to your customers
Admin SDK API /auth/admin.directory.group.member.readonly View group subscriptions on your domain
Admin SDK API /auth/admin.directory.group.readonly View groups on your domain
Admin SDK API /auth/admin.directory.orgunit.readonly View organization units on your domain
Google Calendar API /auth/calendar.events View and edit events on all your calendars
Google Calandar API /auth/calendar See, edit, share, and permanently delete all the calendars you can access using Google Calendar
Google Tasks API /auth/tasks Create, edit, organize, and delete all your tasks
People API /auth/contacts See, edit, download, and permanently delete your contacts

Restricted

Allow access to highly sensitive user data and require a more stringent verification process, including a security assessment.

Product API Scope Description
Drive Google Drive API /auth/drive See, edit, create, and delete all of your Google Drive files
Gmail Gmail API /auth/gmail.modify Read, compose, and send emails from your Gmail account

Was this article helpful?

1 out of 1 found this helpful

Have more questions? Submit a request