Carbonite Backup for M365
What makes Carbonite Backup for Microsoft 365 stand out?
The "Carbonite Backup for Microsoft 365" is a cloud-to-cloud solution with which various M365 object types can be automatically backed up up to four times a day.
The data backups are stored in a Microsoft Azure data center of your choice.
Your backups and restores are managed and configured via a single sign-on management portal, which is divided into three areas.
Object types
The following Microsoft object types can be backed up with Carbonite Backup for M365:
- Exchange Online
- OneDrive
- SharePoint Online
- Microsoft 365 Groups
- Teams
- Teams Chat
- Project Online
- Planner
- Public Folders (Exchange)
- Viva Engage
- Power BI
- Power Automate
Storage locations
You can choose Azure data centers in the following regions for storage:
- Australia (New South Wales)
- France (Paris)
- United Kingdom (London)
- India (Pune)
- Canada (Toronto)
- United States (Virginia)
Management Portals
The administration interface consists of three administrative areas: Partner, Customer and Endpoint Portal.
Below you will find a detailed explanation of the functions of the sub-areas.
Partner Portal
The Partner Portal is available exclusively to you as a specialist retail partner and includes customer management and general settings.
Here you can, among other things, invite new customers or create reports on storage usage.
Dashboard
The dashboard in the Partner Portal is divided into several widgets and provides information about failed backups,
the number of your (new) customers and an "analysis of unusual activities".
The values of the "Storage" widget (Carbonite storage) show the storage space used and are not taken into account for the calculation.
You can use the "Export" button to download a report that shows you, among other things, the "Protected Capacity",
which is the storage value relevant for the calculation.
Customer directory
The customer directory lists all tenants that you manage.
You can invite new tenants using the "Add new customers" tab.
Under "Reports" you can also export reports on storage usage and backup status.
If you hover your mouse over a customer, the following two menu items appear at the edge:
*image* This menu item is a link that allows you to switch to the customer or endpoint portal of the corresponding customer.
*image* Under this menu item you can view and edit the stored customer information.
You can also view a report for the selected customer here.
Reports
The "Reports" tab contains a number of pre-defined report options for monitoring your tenants.
Using the "Create report" action tab, you can configure your own reports using a selection of predefined parameters.
(e.g. to display the amount of protected data relevant to billing.) Self-created reports can be sent automatically and at a specific time.
Customer Portal
In the Customer Portal (also called "Cloud Backup Admin") you can configure authentication methods and so-called scan profiles at the tenant level,
which are required to back up your data. You will also find all tenant-specific settings and user management here.
You can access the Customer Portal by clicking on the name of the desired tenant in the customer directory of the Partner Portal.
This opens a larger overview for the customer. Now select the name again to be redirected to the desired portal.
Homepage
On the "Homepage" you will be redirected to the Endpoint Portal for the relevant customer by clicking on the white window (heading: Carbonite Backup for Microsoft M365).
Administration
Under the item "Administration", the authentication methods "App Profiles" and "Service Accounts" are primarily configured.
These have the function of authenticating your tenant for the "Carbonite Backup for Microsoft 365".
One of the two methods is required to back up your data. Which of the two options you use
depends, among other things, on the object type to be backed up and the user role. You can find a helpful overview here.
You can also create customer access for the customer portal of the respective tenant in the "User Management".<br
Auto Discovery
Under the "Scan Profiles" tab, you first define which object types of the tenant should be secured.
You also assign one of the previously configured authentication methods here and specify a time for the scans.
Administration
Here you will find general reporting, notification and security settings. You can also view the license expiration date under "Subscription".
Endpoint Portal
The Endpoint Portal serves as an interface for performing restores and data exports.
In addition, schedules and email notifications for jobs can be configured here.
Only the application and service administrators can access this area.
Backup
The "Backup" overview shows you at a glance which and how many objects of a customer are backed up and when the last backup was made.
You can also use the point menus to configure additional object types or display backup details for the object types already configured
and their backup history. You have the option of hiding object types that you do not need from your view.
Restore
The restores are carried out at the object type level. So you first select the desired type and then have the option
to perform a restore using the two different procedures "Simple Search" & "Calendar_Overview".
You can find more information on this under the corresponding links.
Data management
Here you can remove data that has been excluded from your backup. This "unprotected data" is displayed to you
if object types were previously scanned and then excluded from the respective container.
In addition, you can delete individual files from the backups under "Delete backup data manually".
Reporting
The reporting includes various statistics on storage usage and growth rate (see "Subscription Consumption" & "Coverage Report").
The reports can also be downloaded as PDFs. The "System Auditor" allows you to track all actions performed by users within the portal,
such as logins to the portal. There is also the item "Analysis of unusual activities".
You can find more information on this in the linked article.
Job Monitor
The Job Monitor shows you the status, start and end times for the respective backups, restores and exports of your object types.
You can also view reports on the backups via the point menus. If, for example, a backup fails, the reason is explained in the details.
Settings
The settings contain the menu item "Notification". Here you can configure notification profiles,
so that you are informed by email when a backup is completed, depending on the backup status, for example.
Installation
The following articles describe the setup process for “Carbonite Backup for M365” in five steps,
from completing the order to configuring email notifications.
(1) Activation of master access
As soon as you have placed an order for the “Carbonite Backup for M365” in the “TERRA CLOUD Center”,
you will receive an invitation email from the manufacturer of the product to the email address that was defined as the master account during the order.
(Sender address: “noreply@carbonite.com”)
Please confirm the invitation by clicking on the link contained in the email. You will then assign a corresponding password for your master access.
This point of the setup process only needs to be carried out once.
You can access the partner portal at the following address:
https://backupoffice365.carbonite.com/partnerlogin
(2) Invite tenant
After logging into the Partner Portal, please select the "Customer Directory" tab. Here you have the option of inviting a tenant using the "Add new customers" button.
The following three options are available to you:
- Global Microsoft 365 Administrator *recommended*
- Local account
- Authorization link
We recommend using the "Global Microsoft 365 Administrator" as this automatically creates an app profile for the tenant.
Otherwise, the authentication method must be created manually.
(3) Select authentication method
In order for the "Carbonite Backup for M365" to be authorized to back up the M365 data,
in the next step, one of two possible authentication methods ("App Profile" / "Service_Account") must be configured for the tenants and stored in the scan profile.
You can find the menu items for configuration in the Customer Portal under the item "Management". You can find a comparison of the two methods under the following link.
(4) Set up scan profile
Once you have decided on an authentication method, you can proceed with configuring a scan profile.
You can also find this option in the Customer Portal under the menu item "Auto Discovery".
The scan profiles define the object types of a tenant to be backed up and the authentication method required for backup.
You can find more information about this here.
(5) Configure backup frequency & email notification
To complete the setup process, you only need to enter backup times for the backups in the Endpoint Portal.
Optionally, you can also configure email notifications, e.g. for failed backups.
To access the Endpoint Portal, go to the Customer Portal homepage.
There, click on the white window with the heading "Carbonite Backup for Microsoft 365" to be redirected.
In the Endpoint Portal, you can select the frequency and time for performing the backups under the item menus for the object types.
Add new customer
If you would like to invite a new (customer) tenant to “Carbonite Backup for M365”, navigate to the customer directory in the Partner Portal
and select the “Add new customer” tab. After you have decided on one of the three possible invitation options,
you must first enter the account information. In addition, select the desired target data center.
Please note that the data center cannot be changed afterwards. Complete the first step with “Invite and continue”.
In the second step, you only have to select the service. The tenant is then assigned a corresponding license.
Step three involves entering the license information. For the subscription type, we expressly recommend that you use the “Subscription” option,
since you can only back up up to five users with a “test license”. The subscription type cannot be changed later.
The storage and retention information cannot be changed.
Please select the "Pool subscription" for the "Source" and enter a time in the distant future for the expiration date or select the option "like pool subscription".
Authentication methods
The "Carbonite Backup for M365" offers two different authentication methods. These methods are called "App Profile" & "Service Account".
At least one of these two methods is required per tenant so that Carbonite receives authorization from Microsoft to back up the M365 data.
App Management
The "App Management" can be found in the Customer Portal under the "Management" item. Here you can configure the "App Profile" authentication method.
An app profile can authenticate tenants for the "Carbonite Backup for Microsoft 365". This method is recommended for most scenarios.
The user name and password of the Microsoft 365 account do not need to be specified. An app token is used for backup and management.
In order for the app profile to have the required permissions to access the M365 environment, it must be authorized by a global administrator.
You can also grant the profile SharePoint Online and Exchange Online permissions so that these object types can be backed up.
To configure an app profile, click the "Create" button. Then select the service and confirm with "Next".
In the second step, you must select a setup method. We recommend that you use the “Classic Mode” or alternatively the “Modern Mode”.
Both variants lead to the same result. If you have opted for the "classic mode",
you can now grant "Carbonite Backup for M365" permission under "Microsoft 365 (All Permissions)" to search your M365 environment for objects to be backed up.
If you also grant permissions for "Viva Engage" and/or "Delegated App", you can also back up the following object types:
"Viva Engage" permission:
- Viva Engage
"Delegated App" permission:
- Teams channel conversations
- Power BI
- Power Automate
The "Modern Mode" is recommended if you do not want to assign the global administrator, but rather separate administrators for the permissions.
Service account
The "service account" is the second available authentication method for "Carbonite Backup for Microsoft 365".
In contrast to the app profile, the login information of the Microsoft 365 account is used for authorization.
These are checked daily at a defined time. We recommend this method if you want to back up the "Project Online" object type.
Service accounts must be authenticated by a Global Administrator, SharePoint Online Administrator or Exchange Online Administrator Account.
If the password of the user used for authentication is changed, the account must be authorized again. You can find a workaround here.
You can find the subcategory “Service_account” in the Customer Portal under the tab “Administration”. You can now create a new service account using the “Create” button.
For the profile name, we recommend that you specify the object types to be backed up in the name.
Functional overview of authentication methods
| Object type | Authentication method | Required permission | Required M365 license | |
|---|---|---|---|---|
| Exchange Online mailboxes | App profile | Exchange Online Rights | ||
| Service Account | Exchange Online Administrator | To scan mailboxes, the user account must be assigned the Exchange Online product license in Microsoft 365. | ||
| OneDrive | App Profile | Sharepoint Online Rights | ||
| Service account | SharePoint Online Administrator | |||
| SharePoint Online Site Collection | App Profile | Sharepoint Online Rights | ||
| Service account | SharePoint Online Administrator | |||
| Microsoft 365 Group | Microsoft 365 Group | App Profile | All rights | If you want to back up or manage Microsoft 365 Groups, the Microsoft 365 Global Administrator used to create the app profile must have the Exchange Online product license in Microsoft 365. |
| Service account | SharePoint Online Administrator and Exchange Online Administrator | If you want to secure or manage Microsoft 365 Groups, the user account must have the Exchange Online product license assigned to it in Microsoft 365. | ||
| Microsoft Teams | App profile | All rights | ||
| Service account | The user account must be either the owner or a member of the scanned team. | To backup and restore Teams, the user account must have the Microsoft Teams product license assigned in Microsoft 365. | ||
| Microsoft Teams Chat | Only supported with custom Azure app profile | Microsoft Graph API permissions: User.Read.All: & Chat.Read.All: |
||
| Microsoft Planner | App Profile | All rights | To backup and restore Planner, the user account must have the Microsoft Planner product license assigned to it in Microsoft 365. | |
| Service account | The user account must be both the owner and member of scanned Microsoft 365 Groups and Teams. | To back up and restore Planner, the user account must have the Microsoft Planner product license assigned to it in Microsoft 365. | ||
| Project Online Site Collection | App Profil | Not supported | Not supported | |
| Service account | SharePoint Online Administrator | To scan and back up Project Online Site Collection, the user account must be assigned the Project Online product license in Microsoft 365. | ||
| Exchange Online Public Folders | App Profile | Exchange Online Rights | To scan and back up Exchange Online public folders, it is required that the Microsoft 365 Global Administrator, the used to create the application profile has the Exchange Online product license in Microsoft 365. | |
| Service account | Exchange Online Administrator | To scan and back up Exchange Online public folders, the user account must have the Exchange Online product license assigned to it in Microsoft 365. | ||
Scan profile
Each tenant needs a scan profile to perform a backup, in which the object types to be backed up and the authentication method are stored.
The scan profile can therefore be compared to a backup job. The configuration menu can be found in the respective customer portal under the item "Auto Discovery".
The scans are carried out once a day at a time of your choosing. Please note that no backup is carried out here.
The scan only gives Carbonite the authorization to access the corresponding M365 data. The meta information of the data is also checked.
To configure a scan profile, click on "Create". In the first step, select the object types to be scanned.
If you include the public folders (Exchange Online) in the scan profile, you will need to specify a so-called "identity switch account".
In the second step, give the profile a name. We recommend, for example, "Carbonite_Backup_for_M365#Auto_Discovery|Auto Discovery". B. to store the included object types in the name.
From now on, the scan profiles will differentiate between the two modes "Express" and "Advanced". The differences are explained below:
Express Mode
In "Express mode", all data of a tenant that can be assigned to the object types stored in the scan profile is scanned.
The data is then added to the "Standard container". This mode is particularly suitable for small tenants.
Advanced mode
In the "Advanced Mode", additional rules are defined that divide your M365 data into different containers based on selected parameters.
The available parameters vary depending on the object type.
The rules can be used to exclude individual users, mailboxes or sites from the scan area, for example. You can find instructions for this here.
Scan profile (public folders)
In order to be able to scan a tenant's public folders, the impersonation account must be specified when creating the scan profile.
Specify the M365 user that will be used to call the Exchange Web Services API.
Please note that this user must be assigned an Exchange Online license and must be in the public folder owner group.
Scan Profile (Power Platform Objects)
In order to be able to back up Power Platform objects, a "delegated app profile" is required. Instructions on how to create one can be found here.
Once this step is complete, the Power Platform objects should also be listed when creating a new scan profile.
Select the desired elements and confirm completion with "Save" or "Save and run".
Container
Scanned data is usually added to the so-called standard container. If you use an "advanced scan profile" with self-defined rules,
you can configure additional containers. The rules are then used to decide which container the data is added to.
User management
You can create additional users in the user management of the Customer Portal. These users can only log in to the corresponding Customer Portal.
Please note that it is not possible to log in to the Partner Portal with these users. You will find an explanation of the individual roles below:
Tenant Owner
This is the user whose account was used to log in to the Customer Portal ("Carbonite Backup for Microsoft 365 Admin").
The number of tenant owners is limited to one per Customer Portal. This user's permissions are unrestricted within the Customer Portal.
Service Administrator
A service administrator has the same permissions as the tenant owner and is also able to add additional service administrators or tenant users.
Tenant User
For tenant users, a distinction is made between the two roles “standard user” and “application administrator”.
Standard User
Standard users can configure recovery settings, perform restores, and view activity reports.
Application Administrator
Application administrators can configure backup and restore options, perform backups and restores, and add additional tenant users.
Restores
In the Endpoint Portal, there is a separate tab for restores in the left menu bar.
If you want to perform a restore, first select the desired object type. The "Search mode" view then opens.
In the top right corner, you have the option to switch between "Search" and "Calendar mode". The differences between the two options are explained below:
Simple search
The "Simple Search" is primarily suitable if you are looking for a specific file. You first define the search conditions
to find the desired file. In addition to the name, backup period and level, depending on the object type, you must also specify the user's email address,
the URL of the sharepoint or, in the case of groups, the name of the group.
Calendar mode
The "Calendar mode" is particularly suitable if you do not know the exact names of the data to be restored - but do know the approximate time period of the backup.
You can simply click on one of the backups in the calendar in which you want to search for the desired file. If, for example, you do not want to restore the entire user,
you can search within the data by double-clicking on the user after selecting the safe set.
Special features of restores
Teams
Since "Teams" is not a standalone application and combines data from the "Exchange Online", "SharePoint Online" and "OneDrive" applications as an abstraction layer,
you will find the data under the respective object types during a restore.
The following graphic is intended to clarify the dependencies and shows under which objects the corresponding data can be found:
With “SharePoint Online” a distinction is made between modern and classic Sharepoints. You can find an overview of the differences under the link.
This is important to know for the recovery, as with modern Sharepoints all objects can be found under the M365 groups or teams.
With a classic Sharepoint you can find all objects directly under the object type “Sharepoint”.
Data exports
You can also export and download the backed up data for Exchange Online, SharePoint Online, OneDrive, Microsoft 365 groups and Project Online.
You can also find this option in the Endpoint Portal under the "Restores" tab.
First select the desired data using the "Search or Calendar mode" and then select "Export".
Then switch to the "Job Monitor" tab. A new entry with the job type "Export" should now be listed here.
As soon as the status is "completed", you can download the content via the dot menu and request the password for decryption.
Please note that you can export up to 100 GB per month by default. If you would like to export a larger volume of data,
please send us a short email as described in the linked article.
Job Notification Profile
Using the "job notification profiles" you can automatically be notified by email when your scans and backups have been completed, e.g. depending on the backup status. You can create the profiles in the partner portal under "Settings"/"Job notification profile".
After creation, the profile still needs to be assigned. To do this, go to the "Customer directory" in the partner portal.
Hover your mouse over the customer and select the points menu. You can then "Edit customer information" in the context menu.
Here you have the option of storing the corresponding job notification profile.
Reauthorize app profile
If, for example, the global administrator's password has been changed or the manufacturer has made adjustments to the permissions,
the app profile must be manually re-authorized. Please mark the checkbox of the relevant app profile in the Customer Portal under the "Administration" / "App Management" tab
and select the "Re-authorize" action. This must be confirmed by a global administrator.
Reconnect tenant
If, for example, the connection to the desired tenant cannot be established correctly during the invitation process,
the tenant may need to be reconnected. You can find the option for this in the "Customer Portal" under the "Administration" / "Tenant Management" tab.
Check the tenant's checkbox and select the "Reconnect" option. The action must be carried out or confirmed by a global administrator.
Delete data
In case you want to delete individual files or objects from your backups, the options available to you are explained below.
You can find each of the three functions described in the Endpoint Portal under the "Data Management" tab.
Please note that if you remove data from the backups but it is still present in the corresponding M365 tenant,
it should be excluded from the scan profile so that it is not backed up again.
Access requests from data subjects
Under the "Access requests from data subjects" tab, you can delete the data sets of the "Exchange" and "OneDrive" object types of individual users.
This option is intended to help you ensure GDPR compliance in this area quickly and easily.
Delete backup data manually
The "Manually delete backup data" function allows you to delete individual files from your backups and can be performed for the object types "Exchange", "OneDrive",
"SharePoint Online", "Microsoft 365 Groups" and "Teams".
Remove unprotected data
“Unprotected data” lists the files that were fully scanned – and then excluded.
This data can be removed from the backup pool using this feature.
Analysis of unusual activities
This security function is designed to detect ransomware attacks based on unusual user behavior.
To do this, abnormalities in the change and encryption rate of the backed up data are checked.
The behavior of the last thirty days is taken into account for the analysis. If more and more deviations are detected within 24 hours,
the administrator is notified. Please note that this function is only an additional security measure
that cannot replace comprehensive virus protection.
Termination
A tenant's license expiration date determines how long you want to offer the product to a customer. You can edit this date as follows:
If you click on the name of a tenant in the partner portal, a separate overview of the corresponding customer opens.
As soon as you hover your mouse over the white window with the heading "Products & Subscriptions", a menu of points appears.
If you select this, a context menu appears where you can set the license expiration date.
Here you have the option of specifying a time of your own choosing or selecting "Like pool subscription".
We recommend choosing a time in the distant future, as you can terminate the subscription immediately if necessary using the "Expire now" option.
If you cancel the product in the TERRA CLOUD Center or delete a tenant in the partner portal, the license expiration date will automatically be set to the current day.
Please note that when the date has been reached, neither backups nor restores are possible.
Your backup data will be deleted after the license expiration date has been reached. stored for a maximum of 60 days.
Support
If you see errors in the overview of the Partner Portal, it is first important to know whether these occurred during the scan (Auto Discovery)
or only during the backup. The following articles explain where the corresponding log files can be found to explain the error pattern.
An overview of the most common errors can be found at the link.
If you need help from our support, we ask you to always send us the following information:
- Affected tenant owner
- You can find this in the Partner Portal in the customer directory, for example.
- Log files
- Please only send us the log files unpacked.
- Short description of the error pattern
Auto Discovery
In the event of a faulty scan, you will find further information in the so-called scan history. To do this, navigate to the Customer Portal.
Under the "Auto Discovery" section, you can mark the checkbox for the faulty scan and "export the scan history".
The error message and a solution hint are listed in the comment field of the report.
Job Monitor
If a backup was not carried out or was completed with errors, you will find information about this in the reports (log files) of the backup.
You can generate these in the Endpoint Portal under the "Job Monitor" tab and then download them.
For support cases, the "simple report" option is usually sufficient. Here, too, the cause of the error and a corresponding solution are listed in the "comment" line.
FAQ
The following articles are intended to provide answers to the most frequently asked questions. If you would like information on specific topics, we would be happy to receive your feedback.
Wrong data center selected during the invitation?
Unfortunately, it is not possible to make subsequent changes to the data center selection. In this case, the tenant must first be deleted from the partner portal.
Please note that the data is retained in the backend for up to 60 days after deletion.
We can bring forward the final deletion to our manufacturer upon request. Please send us the name of the tenant and the name of the global administrator.
You can then start setting up the tenant again.
How can I exclude objects from a backup?
In order to exclude data from your backups, you must first configure a scan profile. Instructions can be found here.
As soon as you set the scan profile to "advanced", you can start defining rules for exclusions.
At least one rule must be created for each object type. The configuration must then be saved.
We recommend that you check after the next scan whether the rules are working as desired.
Excluded files will of course still remain in the previously performed backups. If you want to delete them,
you can use the "remove unprotected data" function.
How can a manual backup be performed?
If a backup cannot be performed successfully, you will receive a warning in the dashboard. Select the area to start a new backup.
The warning will be displayed under the following conditions:
- The status of the last backup job is "Failed".
- More than 10% of the objects in a content level cannot be backed up.
- More than 5% of the objects in a container level, excluding the top container level, are not backed up.
- An object in the top container level cannot be backed up.
Tip: If you want to start a manual backup outside of the conditions mentioned above,
you can select the point menu of an object type in the End Point Portal and edit the frequency.
Set the time to the current time. The backup should then start immediately.
What does “data retention notice” mean?
If you receive an email with the subject "Data Retention Notification", this is an informational notification
to inform you that the 365-day retention period has been exceeded. The affected tenant and the corresponding object types are named in the email.
Please note that this only refers to backups that exceed the 365-day retention period.
How do I read the protected data volume?
The protected data volume serves as the basis for the calculation for the "Carbonite Backup for M365". There are different ways in which you can read this value.
In the customer directory of the Partner Portal, under the "Reports" tab, you will find the option "Export customer information report".
This report includes all the tenants you manage. For example, if you want to provide one of your customers with an overview of their storage usage,
we recommend that you use custom reports. You can also find the menu item in the Partner Portal under "Reports".
If you click on "Create report", you can continue selecting the desired parameters and tenants for your new report.
What needs to be considered when activating Microsoft Teams chat backup?
In order to be able to back up the "Teams Chat" object type, an Azure subscription is required for the corresponding tenants,
since the paid Microsoft Graph API is used to back up the chats. Please note that the costs are billed directly via the Azure subscription.
In addition, this object type only includes user-to-user chats. Messages in channels can be restored using the "Teams" object type.
Documents or files sent via Teams can be found in "OneDrive".
For the backup, a custom Azure app with "All permissions" must also be stored in the tenant.
To do this, in the second step when creating an app profile, select the "Custom mode" option and then the "Azure app" type.
Complete setup instructions can be found here.
Can OneNote files be backed up and restored?
OneNote files cannot be backed up as a standalone object type. However, the data can still be backed up and restored using "Carbonite Backup for M365".
The backup for this does not need to be set up separately and only requires the standard permissions for the app profile.
The object type under which the data can be found depends on where the end users have saved the OneNote files.
For teams, groups and SharePoint, OneNote files are usually saved in the document library.
For OneDrive, OneNote files are saved in the end user's specific OneDrive.
OneNote files can be restored from the notebook level down to the section level.
Can Planner data be backed up and restored?
Planner is not listed as a separate object type, but can still be backed up and restored.
To do this, simply activate the "Back up Planner data" checkbox in the Endpoint Portal under "Settings" (tab: Backup).
The backed up data can be found under the Microsoft 365 Groups / Teams objects.