M365 Backup & Data Protection Best Practices for MSPs

Microsoft 365 is the largest SaaS app on the planet (with 345 million users), so it’s no surprise that it’s also one of the most targeted services for data protection solutions. Yet, in spite of the myriad of data protection solutions available, few are designed to meet the complexity and unique needs of Managed Service Providers (MSPs) who manage backups for multiple clients. This is why we created SaaSAssure, to help MSPs streamline data protection management and meet their clients’ needs more cost-effectively. This article will discuss the challenges MSPs encounter in managing backups and how SaaSAssure addresses these issues.

Again, there are several options for high-value SaaS data protection, but not all are suited to multitenant scenarios. G2 has over 100 listings for SaaS backup software, most of which primarily focus on or include Microsoft 365, and the number is growing. With no shortage of options, how do you select the right one?

Key Challenges  

The current crop of SaaS backup products are designed to integrate with a select number of services, usually M365, Google Workspace, and Salesforce, given the maturity of their APIs and the popularity of their services. Most do a decent job of that primary function — proving a M365 backup solution. MSPs and their clients face several challenges with data protection services, including ease of use, the speed of data restoration, and the ability to report on backup activity. Additionally, knowing where data is stored is crucial for maintaining data sovereignty and compliance. Equally important is addressing the critical concern of security.

Current Security Trends  

Due to the sensitive nature of the data stored, SaaS data and SaaS backup services are increasingly becoming prime targets for cyberattacks. Customer records, financial data, R&D information and more are commonly stored in everyday Word, Excel, and PowerPoint files that live in SharePoint. Confidential discussions are becoming increasingly common over Teams. All of this critical data holds value to attackers and can seriously disrupt business operations if lost or compromised due to an attack or human error. MSPs must prioritize ALL client SaaS data as client demands for comprehensive security intensify.

Mitigating M365 Data Risks for Your Clients 

MSPs need to be acutely aware of the risks associated with M365 data and proactively address three specific concerns:

1. Recoverability: Can data be recovered quickly in the event of an accidental deletion, a malicious action, or a disaster?
2. Security: Can external or internal actors be prevented from damaging or compromising their data?
3. Compliance: Can it be proven to relevant authorities that the organization has taken all necessary precautions to protect their data in order to avoid fines and penalties?

The Necessity and Limitations of Third-Party M365 Backup 

As explored in our previous articles, such as “A Guide to Understanding the Shared Responsibility Model”, Microsoft’s data protection measures are insufficient for client needs. Under the Shared Responsibility Model, Microsoft is not accountable for client data protection. Primarily, Microsoft delegates data protection to third-party providers.

As the outsourced trusted IT provider for multiple clients, MSPs play a critical role. Their distinct needs are often not adequately met by most third-party SaaS backup tools.

Lack of Multitenant Support  

The biggest challenge for MSPs in using a 3rd party backup tool is lack of multitenant support. Some tools might not provide any support at all, forcing the MSP to create and manage multiple accounts in a backup tool to manage multiple clients, which can become a logistical nightmare when dozens or hundreds of clients are involved.  

Even when a tool does support multiple domains, it often lacks the capability to logically separate data within the backup system. Typically, providers offer a single dashboard for setting up and monitoring backup jobs across multiple clients. This can complicate the recovery process, as identifying the correct backup job for recovery may become time-consuming.

Getting Paid 

MSPs want to make money. So, billing becomes a critical challenge, with many tools failing to provide reports on the number of user accounts protected or actual usage statistics. This means the MSP must manually track which clients are being protected and the number of users covered. This lack of automated reporting can significantly impact the reconciliation process, crucial for ensuring accurate billing and timely client payments.

Big Security Gaps

Security vulnerabilities often emerge within the current SaaS backup tool set. Most solutions available today were designed with a single administrator in mind, backing up a single company. This means the admin has full control over all actions, which can include serious data-destructive tasks such as exporting, deleting backup jobs, or recovering data with outdated backups. A rogue administrator, or an external actor with compromised credentials can do a lot of damage right from the SaaS backup console. If a backup admin is reusing passwords across multiple client backup logins, then the threat is exponentially increased. MSPs need additional protections beyond simple password security measures.

A True Multitenant M365 Backup Solution 

SaaSAssure has been designed from its inception to be purpose built for MSPs. Built by Asigra, an enterprise data protection solution serving MSPs for 30+ years, SaaSAssure was designed not just to protect SaaS data, but to address many of the operational and security issues MSPs encounter when providing that service. The SaaSAssure platform has strong support for M365 data, as well as a growing list of other business-critical SaaS apps.

Operational Enhancements for MSPs

• Modern User Interface: Significant effort has been invested in designing the user interface to ensure it is clear and easy to navigate, minimizing the steps required to take action. Data is presented logically, so the service desk technician doesn’t have to hunt for actions. This manifests into major efficiencies for the help desk.

• Customizable Dashboards: The interface is customizable to the MSPs workflow. Dashboards can be created by client (or group of clients), geographically, by business unit, or by any other descriptor that makes sense for the team managing their clients. These dashboards provide relevant client backup job reporting, and act as a jumping off point for backup and recovery operations.

• Backup & Recovery Actions by Account: The most important improvement in workflow is allowing backup administrators to easily navigate to the tasks by client. Typically, the more time-sensitive tasks are recovery tasks and by giving admins the ability to filter out all backup jobs not related to a specific client, they can find the backup job to recover faster, and with fewer errors.

• Integrated Billing Reporting: Running reports to figure out what clients are being backed up and how much they should be billed is a tedious monthly task that takes a lot of administrative work. In SaaSAssure, the MSP can assign a role that just has access to billing details and makes it easy to run usage reports by client, simplifying billing reporting processes and reducing work for the actual backup admins. Future iterations of SaaSAssure will be integrated with popular MSP billing software.

• These enhancements are not just unique to protecting Microsoft 365 environments — SaaSAssure can be used for a wide range of business-critical SaaS services, and the unified interface will help simplify operations for all these services. It also makes it easier for MSPs to offer expanded protection to other services at the click of a button.

• Flexible Storage: SaaSAssure users can use the storage built-in the service at no charge, which is based on Amazon S3. However, they can also assign their own S3 compatible storage to meet the storage retention needs of their customers to meet compliance requirements.

Security Enhancements with Multiperson Approval  

SaaSAssure sets a new standard for security compared to other services by introducing an innovative feature: Multiperson Approval (MPA). This industry-first tool enables the main administrator to mandate that data-destructive tasks, such as deleting a backup job or altering a backup schedule, require the approval of up to three admins. MPA significantly enhances security across numerous scenarios and keeps the MSP and customer fully aligned.

Imagine a rogue administrator intent on causing significant damage. With full access to a unified SaaS backup console, they could delete customer backups, restore outdated data over current files, and then eliminate those records. Multiperson Approval (MPA) prevents such actions by requiring approvals from multiple admins for critical tasks. This safeguard also protects against unauthorized users with stolen credentials or attackers with remote access. With MPA, exporting data to third parties is blocked, providing strong security against various threats.

MPA can also be instrumental in preventing human error, where an admin is performing a simple restore. If they are restoring the wrong data set, a second set of eyes can help catch errors.

Conclusion

In conclusion, the challenges MSPs face in managing Microsoft 365 data protection are significant, yet critical to overcome. As organizations increasingly rely on SaaS platforms for their day-to-day operations, the need for robust, efficient, and secure backup solutions cannot be overstated. SaaSAssure emerges as a purpose-built solution for MSPs, addressing not only the multifaceted challenges of data backup and recovery but also introducing pioneering security features like Multiperson Approval.