Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Reply
YannickJ
Level 2 Contributor

CSP O365 Backup Alternatives

Hi,

 

We're a CSP and we have our mailboxes and O365 licenses linked to our own AD Tenant.  We're currently using the services of a company called Skykick in order to back up our own mailboxes. The problem arises that this deploys 'admin' users in our tenant in order to facilitate the backup-procedure. I've contacted them and they've acknowledged that the way Skykick works is not MFA compatible and will stop working after enabling the Policies (it uses PowerShell in the backend I believe). They say they are talking with Microsoft in order to find a solution but obviously, we haven't got much time left.

 

So this poses the question:

1. Is there an alternative in order to keep our O365 backed up while being compliant with MFA

 

2. Is it bad practice to have our O365 licenses in the same Tenant where our CSP admin users exist? Having them separated would have solved quite a few issues already with this enforced policy (for example our ticketing system uses o365 credentials to read a mailbox in order to create new/follow-up tickets. We can't change the programming of the tool so we're stuck there. Having our mailboxes in a non-csp Tenant would have prevented that.)

 

 

 

 

 

10 REPLIES 10
StuartO
Level 1 Contributor

Tarasius
Level 1 Contributor

NAKIVO Office 365 Backup and Recovery offers reliable and robust protection for your Office 365 applications, safeguarding you from the loss of your mission-critical data. With NAKIVO Backup & Replication, you can easily back up and recover Exchange Online for any item needed in a timely manner.

fmartel
Level 2 Contributor

I am late to the party, but just to let you know that Veeam for Office 365 does support Security App Model for backup Mailboxes, Groups, sharepoint and Onedrive. Emails reports go by SMTP, so you have to use a 3rd party email service or another Office 365 tenant to get your reports via SMTP.

JanoschUlmer
Microsoft

@fmartel : App passwords can also work for legacy protocols (given that you have AAD premium Plan1 and thus can enable MFA per user) - and this would also be compliant. 

Kind regards,
Janosch
Get consultations form Technical Presales & Deployment services team via https://aka.ms/technicalservices
Andra
Community Manager

Hi Yannick ,

 

Hope your week is going well!

 

To your first question, we might need a SME with in-depth knowledge to reply, allow me to check that and get back on this thread this week.

On your second question I replied on a related post here: https://www.microsoftpartnercommunity.com/t5/Key-Resources-and-Guides/Migrating-to-new-CSP-tenant/m-p/11711#M29

 

Please let me know if this helps or you need further guidance.

 

Have a great day!
Andra

matgus
Level 1 Contributor

@AndraHI I read the "other post" mentioned but what did you come up with? Can we split the tenant in any way without disrupting everyting

cheers

/Mats

Andra
Community Manager

Hi Mats,

 

My apologies I didn`t highlight the answer. It is technically possible, however more complicated, i.e. would be a manual migration with new licenses required and cancelations. It would be a very extensive, time consuming, and potentially error prone process.

 

The official guideline says:

While Microsoft does not have concrete guidance or tools to facilitate a split of one tenant to two separate tenants, this is certainly possible.  

Recommendation would be to move the internal production use to a separate tenant. To transfer data & configuration to the new tenant Partners would need to leverage 3rd party migration tools since Microsoft does not offer solutions for migrating data between tenants 

Also, reseller relationship needs to be established again for every customer and all licenses would need to be exchanged for all customers (exchange means cancel/suspend the old licenses & provision new ones). 

 

Cheers,

Andra

JanoschUlmer
Microsoft


@Andra wrote:

 

Also, reseller relationship needs to be established again for every customer and all licenses would need to be exchanged for all customers (exchange means cancel/suspend the old licenses & provision new ones). 

 


Actually this sentence belongs to another scenario - If you move the production workload to a different tenant, but keep the CSP business in the tenant where it currently is, reseller relationship does not need to be established again. 

Only when you choose the other option - migrating CSP business to another tenant, then it is required to re-establish reseller relationship.

 

Kind regards,
Janosch
Get consultations form Technical Presales & Deployment services team via https://aka.ms/technicalservices
Andra
Community Manager

Good point, @JanoschUlmer !

Apologies as I misinterpreted the scenario and looked at the latter option - to migrate the CSP tenant.

 

Andra

gr91
Visitor 1

SkyKick are hoping to have an MFA solution hopefully early October