When your organization leverages Microsoft Cloud services, it should have some idea on how to cope with the inevitable. You should make backups to elevate beyond the mere replicas Microsoft makes of your data… and then test these backups to make sure you can restore the backed up information.
As with every data protection solution, the solution needs to be in place before the service, system or application that processes data is rolled out within the organization. Oftentimes it is not, causing serious headaches: organizations are losing chats in Microsoft Teams due to configuration errors or are providing false access to other people’s mailboxes due to incorrect hybrid identity matching.
An ecosystem of solutions
What is relatively new is the ecosystem surrounding the capability of creating backups of Microsoft Cloud Services, like Office 365’s Exchange Online, SharePoint Online and Teams services. New solutions have popped up in recent months. There is a wide array of vendors to choose from. Luckily, some well-established solution vendors have also entered this arena, like Altaro.
You may have already heard of Altaro, as they have been around since 2009. They are a leading developer of Virtual Machine backup and recovery solutions, but I’m guessing most Microsoft-oriented IT Pros know them for their free Hyper-V Dojo and publications like the Backup Bible.
Indeed, Altaro has earned street cred since 2009. Therefore, their Office 365 Backup solution should be on your organization’s shortlist.
I’ve been using their solution for the past few months and their solution does exactly what you’d expect when reading its name and the word ‘solution’ in it.
It’s a solution
Altaro can pride itself that they have fully automated the onboarding and offboarding process for their Office 365 backup solution. Through the cloud management console, you can easily onboard a tenant by granting API permissions to a dedicated Altaro Office 365 Backup service principal in Azure AD. In a streamlined three-step wizard you grant access. The same wizard can be used to re-grant access if need be.
As expected, Altaro Office 365 Backup requires a ton of API permissions for both read and write access. This is a completely transparent process, as these permissions are requested in a new browser tab when you grant access to the tenant as an administrator from Altaro's management console.
Creating backups within 15 minutes
Altaro’s goal is to start creating backups within 15 minutes of starting the onboarding process. This admittedly lofty goal is achieved for every organization as Altaro takes care of everything in an automated fashion. Altaro configures the application, the service, the encryption, the storage … everything.
To achieve its ‘backups starting within 15 minutes’ goal, however, some corners are being cut. The one-size-fits-all approach to backups in Altaro Office 365 Backup is roughly every 6 hours, starting its schedule at the moment you finish onboarding the tenant into the Altaro management interface as an organization. It’s good that Altaro starts performing backups immediately, but the inability to granularly control backup schedules might feel odd to seasoned backup admins.
To cater for immediate backup requirements, however, a Take Backup action is available per resource. This way you can perform migration actions per mailbox, OneDrive, Teams team or SharePoint site after the backup completes. API access into Altaro’s infrastructure still features on my wish list to automate all the things, though.
Licensing the solution
Altaro’s license structure for its Office 365 backup solution is as straightforward as it gets: one flat yearly fee per user. Where other vendors require you to size up, purchase, configure and manage storage, storage is simply included with Altaro’s solution in its yearly fee that is less than EUR 40 per user. This makes Altaro Office 365 Backup a SaaS solution, just like Office 365 and Microsoft 365. They’re birds of a feather.
Retention of backed up items
Backed up items have unlimited retention, too. It means that from the moment you start creating backups, you can restore items in backups.
European organizations may hit the limits of Article 89 of the GDPR, which range from 24 hours to 15 years depending on the type of data. Luckily, the right to be forgotten as per Article 17 of the GDPR is taken care of: When an admin clicks the Remove User from Subscription & Delete Backup Data (instead of Disable this User), the data is permanently deleted from backups and thus from the (encrypted) storage Altaro allocates to your organization.
All of that legal stuff is easily forgiven when you actually need to restore information. On-premises, restoring is the moment where you come to know if you can eat the cake. With Altaro’s solution, you can have the cake and eat it too. It’s super easy to restore mail items, attachments, calendar appointments, contacts or even entire mailboxes, either to a *.zip file, a *.pst file or to the original mailbox, or to a different mailbox.
Files in Teams, OneDrive for Business and SharePoint can also be restored with the same options except for the *.pst file option (obviously). Files are password-protected when you download them, so the restore process features the same Altaro end-to-end-encrypted principles.
Auditing is clear, granular and immutable, as it should be. The Audit tab in the left navigation pane of Altaro’s management console provides information on all the actions that have been performed by admins. As you might expect, even looking into a user’s data to granularly restore an item results in an audit event detailing browsing access to the data, whether the data is subsequently restored or not. Filtering and export functionality make this feature complete.
Can Altaro improve their solution?
Despite my confidence in Altaro Office 365 Backup, I can see room for improvement.
Multi-factor authenticated admin access
As an identity guy, I feel Altaro spied a mare’s nest by not requiring multi-factor authentication for admin accounts to access its service. Where Microsoft and Microsoft partners are doing everything they can to require multi-factor authentication everywhere they can, even one Management Console that does not require it may prove to be an easy door, no matter how reputable the organization.
Enabling multi-factor authentication to access Altaro’s Management Console is easy, but I feel it should be enabled by default, because it adds an additional layer of security to the account by requiring more than just a password to sign in. Altaro is not alone in this practice, as Twitter recently reported only 2.3 percent of its user base actually has multi-factor authentication enabled.
Alerts are also not enabled by default. You can enable alerts to receive notifications by email as soon as an event occurs. You can choose for which events you would like to raise alerts, for instance failed mailbox backup operations and successful OneDrive account restore operations. In contrast to text messages, email messages only cost bandwidth, so why alerts are not enabled by default is beyond me.
Small and medium-sized businesses
While using Altaro’s Office 365 Backup solution, it does become clear that this is a solution for small and medium-sized businesses. Delegation with distinct role separation is unavailable, even though I feel the auditing feature may already benefit from it in highly regulated environments where auditors and admins work in different teams reporting to different managers.
Would I recommend Altaro Office 365 Backup?
I feel Altaro Office 365 Backup is a great solution to create backups of Exchange Online, SharePoint Online, OneDrive for Business and Teams data for most organizations.
There is one thing, however, that holds me back from advising Altaro Office 365 Backup to all small and medium-sized organizations: Altaro leverages Azure storage to store your backups. I get it. Azure storage is relatively cheap, versatile and offers AES-256 encryption to secure your data so even Altaro can’t access it.
The best storage in the world, however, comes with the biggest drawback: Altaro Office 365 Backup is not the best solution if you want your backups in different regions than the regions your Office 365 data resides in. Access to your organization’s live data and your organization’s backups are governed by the same terms and largely the same infrastructure, including authentication, certificates and DNS.
It is the equivalent of putting all your eggs in one basket.
Altaro Backup for Office 365 has a lot going for it. Its EUR 40 per user per year flat fee offers virtually unlimited scalability, straightforward backups and restores, and clear auditing.
It’s the ideal solution for organizations that have a cloud-first strategy where Software as a Service (SaaS) and Platform as a Service (PaaS) services are preferred to Infrastructure as a Service (IaaS) and on-premises systems. These organizations may have already learned that Microsoft is better at hosting and securing data than they are themselves…
Within 15 minutes, any organization can start creating backups of their Exchange Online, SharePoint Online, OneDrive for Business and Teams data. With the proper settings, the solution is secure enough for any Microsoft-oriented organization.