TERRA CLOUD Veeam Data Protection

Introduction

Product presentation TERRA CLOUD Veeam Data Protection

The Software-as-a-Service product TERRA CLOUD Veeam Data Protection offers you the opportunity to build or expand your own cloud backup platform.
At the heart of this platform is the multi-tenant portal protection.terracloud.de, which grants you access to various Veeam backup products.
TERRA CLOUD provides you with the necessary resources, such as Veeam Backup for M365 servers or TERRA CLOUD S3 storage.
At launch, you can operate a complete cloud backup solution for Microsoft 365 data for your end customers.
Additional data backup products (Veeam Agents, Backup and Replication) and storage targets will be added later.

Facility

Setup process overview

Setting up the data backup consists of four steps, with steps 2-4 being repeated for each end customer.

Deployment of the TERRA CLOUD Veeam Data Protection Platform

You can have your TERRA CLOUD Veeam Data Protection Platform created with a one-time order in the TERRA CLOUD Center.
Upon completion of the deployment, you will receive a confirmation email. Your initial login credentials will be displayed in the TERRA CLOUD Technical Center.
Further setup of your customers and data backups is done in the technical administration portal protection.terracloud.de.

Establishment of the portal "protection.terracloud.de"

First login and change of initial access data

First Login:
You will receive a confirmation email after the deployment is complete.
You can retrieve your initial login credentials for protection.terracloud.de via the Technical Center.
Note: The user role "Reseller Admin" is required to access the login credentials.

The login is structured as follows:
(Wortmann Customer Number)\(Wortmann Customer Number-Administrator)
Example:
111490\111490-Administrator

Changing the Initial login credentials and multi-factor authentication: '
We recommend making the following adjustments to your initial administrator access (Service Provider Global Administrator) after logging in for the first time:

1. Changing the password
2. Activating and configuring multi-factor authentication
3. Verifying the stored email address ("Forgotten password" function)

Editing a user:
Option 1:
Please go to the settings using the "Configuration" gear in the upper right corner.
In the "Roles & Users" section, select the Service Provider Global Administrator using the checkbox and edit it using the pencil icon.

Option 2:
The currently logged in user can also be edited using the drop-down menu next to the username.

Adjusting the Administrator Profile:
Please assign a new password for this Service Provider Global Administrator user.
Check the email address stored in the "User Info" section; this is required for the "Forgot Password" function.
The address of the Cloud Master Account is stored by default. Change the address stored there if necessary.

We recommend enabling multi-factor authentication for all users in the Protection Portal.

Further configuration will be performed the next time you log in.
In the final step, you will receive a summary of the configured changes.

Configure email notifications

Please follow the steps below to configure email notifications:

1. Configuring the TERRA CLOUD SMTP server
Please open the portal settings using the "Configuration" gear and select the "Notifications" menu item.
Check whether an SMTP server has already been configured by TERRA CLOUD. If so, you can skip this step.
If no SMTP server has been configured, please click "Configure."
Please enter "mail.protection.terracloud.de" for the server and set the "Encryption protocol" to "None."
Since this SMTP server is located in the management infrastructure, encryption up to the SMTP server is not required.
Outgoing emails are encrypted if the receiving mail server requests it.

2. Setting up notifications
First, change the "Default sender" to "no-reply@protection.terracloud.de".
Select whether you want to be notified of every event or only receive summaries.
Enter the sender address and the desired recipient address again in the "Alarms" section.
The "Discovery Rules" and "Billing" sections are not required.

Configuration of Alarm Management

The Protection Portal offers its own monitoring function, which can be configured in the "Configuration --> Notifications --> Alarms Management" area.

Deactivating the "Managed companies quota" alarm

Please enter "Managed companies quota" in the search bar and disable this alarm.
TERRA CLOUD uses the Company Quota function to manage the provisioning of end customers via the TERRA CLOUD Technical Center.
For this purpose, the quota is set to the current number of managed end customers and only increased by +1 when a new end customer is provisioned automatically.
This automation causes the "Managed companies quota" alarm to be triggered incorrectly and should be disabled beforehand.

Email notification when a Managed companies quota alarm is triggered.
If the alarm has not yet been deactivated, the following message will be displayed in the Protection Portal and/or sent to you via email.

Create and link end customers

General:
In the Protection Portal, end-customer organizations are represented by a "Company." Your "Reseller" organization can manage any number of companies and thus end customers.
Companies can only be created automatically via the TERRA CLOUD Technical Center and not manually in the Protection Portal.
This enables the clear assignment of TERRA CLOUD Veeam Data Protection usage data to an end customer from the TERRA CLOUD Center/Technical Center.

Deploy TERRA CLOUD Veeam Data Protection for an end customer

1. Please navigate to the "Customer Management" section in the TERRA CLOUD Technical Center
2. Select the desired end customer and go to the "SERVICE SETTINGS" tab
3. Start the deployment by clicking "CREATE AND LINK END CUSTOMER" (see screenshot below)

The automated deployment performs the following steps in the background:

1. Create a company based on the end customer information from the Technical Center
2. Assign your resources for data backup (Veeam Backup for M365 Server and Repository)
3. Create a user account for the company

After successful completion, the created user account and a green check mark will be displayed.
The The displayed user access is a default of the Veeam Service Provider Console and is not required for setting up and managing data backups.
This provides insight into the data backup configuration within the company.

Setting up a Microsoft 365 data backup

Connect and link Microsoft 365 organizations

To configure data backup, please go to the Protection Portal.

The link between a created company (end customer) and a Microsoft 365 tenant can be configured in the "Veeam Backup for Microsoft 365 Plugin."
You can find this in the plugin library list in the "Configuration" section.

Go to the "Organizations" menu item and add a new one using "New."

First, select the company you want to link, and then select the object types you want to protect ("Protected Services").
This selection determines which permissions the Entra ID application requires for tenant data backup.

The Microsoft 365 region must then be specified if it differs from the "Default" default.

Please register a new Entra ID application in the tenant to be backed up.
The abbreviation TCVDP in the example stands for TERRA CLOUD Veeam Data Protection and facilitates identification within Entra ID.

To create the Entra ID application and grant it the required permissions, you must log in and authorize it as a Global Administrator.
Please copy the code and log in to M365 using the link provided.

Confirm your login to the Microsoft Azure CLI to create and authorize the Entra ID application.

After successful login and confirmation, the "Verification" status should change to "Verified."
If not, you can generate a new code using "Refresh code" and log in again.

Finally, the status of the M365 Organization and the VSPC Company should be set to "Mapped."

Create a Microsoft 365 backup job

To configure a backup job, select the "Backup Jobs" tab in the left menu bar in the "Management" section.
You can create a new backup job using "Create Job."
First, enter a name for the backup job and, optionally, a description.
We recommend choosing a name that reflects the job's backed-up content, as in our example.

Please select the already linked Microsoft 365 tenant that you want to back up.
The backup scope of your job is configured under the Backup Mode. The backup of the entire organization is preselected.

You can also customize the scope and define granular exclusions.
The next step is to add the schedule. Here, you can define the frequencies, days, and retries.
Optionally, you can allow or prohibit data backups within a backup window (e.g., during business hours).

In the final summary, you can run the data backup immediately using the "Start the job when I click finish" option.

Recovering Microsoft 365 data

Requirements

1. Active Entra ID Backup Application, which is already created during setup
2. Microsoft 365 credentials (affected user or global administrator)
3. TERRA CLOUD Veeam Data Protection Restore Portal Application added to the tenant

Add Restore Portal Application in the tenant

The TERRA CLOUD uses a Microsoft Entra ID Enterprise Application to perform restores in the backed-up tenants.
To enable this, the application must be added and authorized once per tenant.
Please use the "Connect-VB365RestorePortal" application, which is described in the following section.

Connect-VB365RestorePortal Application

Download

You can download the "Connect-VB365RestorePortal" application via this Link.

Grant restore permission for a tenant

Step 1: Start the application "Connect-VB365RestorePortal.exe" on an administrative system.
In process steps 1 and 2, this checks whether the required Azure AD (now Entra ID) PowerShell modules are installed and installs them automatically if necessary.
Step 2: After checking the PowerShell modules, a Microsoft 365 login dialog opens in a new window.
Please log in with a global administrator account of the tenant for which you want to perform the restore.

Step 3: Please confirm the authorization of the Entra ID Restore Portal Application of the TERRA CLOUD via Azure CLI using the second Microsoft 365 login dialog.
After successful configuration, you should receive the following result:
"The backup application 'TERRA CLOUD Veeam Data Protection - Restore Portal (V8.2)'[...] has been granted admin consent."

Restore as user

Step 1:
Under the "Protected Data" menu item, you can open a new tab with the "Restore Portal" link to access the Restore Portal.
Please log in with the Microsoft 365 user for whom you want to restore something.

Step 2:
Select the desired restore point from the calendar.

Step 3:
Now compile the restore set from the required files.
You can navigate through the backup and the various object types, as well as use the search function.
You can select individual files directly and restore them using the "Restore" function or add them to the restore set using "Add to Restore List."

Step 4:
Please check whether all the desired files are included in the restore list under "Items."
You can then specify the "Restore Mode" to determine whether the files should be overwritten or retained in their original location.
Click the "Finish" button to start the restore.

Performing a restore as an administrator for other or multiple users

Prerequisite:
You can authorize one or more users as "Restore Operators" through TERRA CLOUD Support.
Please provide us with the desired tenant, e.g., contoso.onmicrosoft.com, and the desired user, e.g., admin@contoso.onmicrosoft.com.
As a "Restore Operator," you can use the "Scope" to change your identity and perform the restore for other or multiple users.
The procedure is identical to restoring as a user.

---

Consumption data

Determine consumption values ​​via the TERRA CLOUD Technical Center

The TERRA CLOUD Technical Center provides you with an overview for each end customer and a summary of the consumption data for the selected month.
Within the table view, you can filter the values ​​as usual using the respective function and export them as a CSV.
The consumption overview shows you the following values:

Date

• Indicates the completed and billing-relevant month selected in the "Report Month" drop-down menu.
• If nothing is selected, the last completed month will be displayed.

End Customer

• Indicates the end customer linked to the backed-up Microsoft 365 tenant.

Number of backed-up M365 users

• Sum of new and billed M365 users.

Number of new backed-up M365 users

• Users newly added to the backup in the selected month will not be billed.
• This applies to both the initial tenant setup and newly added users for existing customers.

Number of billed M365 users

• Users billed in the selected month.

Below the table with the consumption values ​​per end customer, you will also find your summarized consumption values ​​as a partner.

When does a Microsoft 365 user consume a backup license?

A Microsoft 365 user consumes one license for TERRA CLOUD Veeam Data Protection Microsoft 365 Backup in the billing month if the following criteria are met:

1. The online services Exchange Online and/or SharePoint Online/OneDrive for Business are used and backed up by the product.
   
2. The user has been part of at least one data backup within the last 31 days.

Important note:
Restoration from previously created data backups is also possible without an active license.

When both criteria are met for the first time, the user is recorded as "new."
If a user has not been backed up in the last 31 days, no more licenses are consumed.

What doesn't consume a license for Microsoft 365 Backup?

The following objects can be included in the backup, but do not consume a license.

1. Microsoft Teams objects
2. Groups and non-personal SharePoint sites
3. Shared mailboxes
4. Resource mailboxes
5. Public folders
6. External SharePoint users
7. Microsoft Teams guest users

FAQ

Microsoft Teams

Can Microsoft Teams chats be backed up?

Chats between individual users and group chats cannot be backed up.
For more information about the limitations of Veeam Backup for Microsoft 365 Teams backup, see here.

What would be secured if the "Teams chats" option is selected under "Protected Services"?

The option "Teams chats" requires the paid use of the Microsoft Teams Export APIs and secures posts in public Teams channels.

What are the costs for using the Microsoft Teams Export APIs?

An overview of the costs can be found in this Microsoft article.
Veeam is classified as a Model B certified partner.