Does Microsoft back up Entra ID?
No. Microsoft operates Entra ID as a service under a shared responsibility model. They maintain infrastructure availability, but the configuration of your tenant — users, groups, policies, app registrations — is your responsibility to protect and recover.

What Entra ID objects are backed up?
The service backs up users, groups, directory roles, app registrations, enterprise applications, and conditional access policies. All objects are captured at your configured backup frequency and retained according to your chosen retention policy.

How often can backups run?
Backup frequency is configurable down to every hour. Combined with retention from days up to 25 years, this provides granular recovery points across the full depth of your identity configuration history.

Where is backup data stored?
Data is stored exclusively on IBM Cloud Object Storage in the region you select at onboarding. It does not transit or reside on Microsoft infrastructure. Regional options provide cross-site geo-redundancy across three independent IBM Cloud datacenters.

How does the change comparison work?
The platform allows administrators to compare the current live Entra ID environment against any retained backup snapshot. Differences are shown at the object level — identifying exactly which users, groups, policies, or app registrations were added, modified, or removed.

Does this help with NIS2 and DORA compliance?
Yes. The service supports NIS2 and DORA requirements for operational resilience of critical identity infrastructure. Independent backup with full audit logging, immutable storage, and demonstrable recovery capability provides the compliance evidence base that regulators require.

Can I recover a single conditional access policy?
Yes. Recovery scope ranges from individual objects — a single user, group, policy, or app registration — to a full tenant-wide configuration rollback. You select the backup point and the specific objects to restore via the management portal.

Can I bundle this with Backup for 365?
Yes. Anycloud offers a unified bundle covering both Microsoft 365 data (Exchange, SharePoint, OneDrive, Teams) and Entra ID identity configuration. Both services are managed from one portal, providing complete protection across content and identity.

Does Microsoft 365 include backup?
No. Microsoft operates under a shared responsibility model. Their SLA covers service availability. Data retention in the recycle bin is time-limited (typically 93 days) and not equivalent to an independent backup with configurable RPO and long-term retention.

Where is backup data stored?
Data is stored exclusively on IBM Cloud Object Storage in the region you select at onboarding. It does not transit or reside on Microsoft infrastructure. Regional options provide cross-site geo-redundancy across three independent IBM Cloud datacenters.

What happens to backup data if we cancel?
Upon contract termination, backup data is retained for a defined period to allow data export if required. Anycloud provides export in standard formats before storage is decommissioned. Data is not migrated, shared, or repurposed.

How is ransomware recovery handled?
Backup data is stored on air-gapped, WORM-protected IBM Cloud storage, so ransomware in the Microsoft 365 environment cannot reach or modify the backup. Additionally, all data is scanned for malware at ingest — meaning restore points contain only verified clean data. Recovery involves selecting a pre-infection snapshot and restoring the affected items or workloads.

Can I search across all users’ backed-up email at once?
Yes. Administrators can run a single full-text search query across all protected mailboxes simultaneously, spanning the entire backup retention window. This supports legal investigation, compliance review, and data location tasks without requiring per-mailbox searches or snapshot mounting.

Is the service available through distributors?
Yes. Anycloud Backup for 365 is available through IBM Cloud Marketplace and ArrowSphere. Partners can provision and manage the service on behalf of their customers through these channels.

How does GDPR right-to-erasure work in backup?
The service includes a dedicated right-to-be-forgotten function. Administrators can submit a deletion request for a specific user, and all backup objects associated with that user’s data are permanently purged from storage — across all retained snapshots and regions.

Can I manage multiple customers from a single login?
Yes. The partner portal provides a single-pane view across all managed customers — backup status, job health, protected seat counts, and storage consumption per customer. Partners do not need separate logins for each customer environment. The REST API extends this to PSA and RMM integrations for automated status reporting and alerting.

What backup software is compatible?
Any backup solution that supports the S3 storage protocol. This includes Veeam, Commvault, Rubrik, Cohesity, Acronis, NAKIVO, and many others. SaaS platforms with Bring Your Own Storage (BYOS) support also work by pointing to the Anycloud S3 endpoint.

How does immutability work?
Immutability is enabled through IBM object-lock, configured in the management portal. Once enabled, backup objects cannot be altered, deleted, or overwritten for the retention period configured in your backup software. This is enforced at the IBM Cloud Object Storage layer, not the application layer.

What does pay-as-you-go include?
One all-inclusive price per terabyte consumed per month. There are no egress fees for data retrieval, no API call charges, and no tiered pricing models. The price includes storage, encryption, immutability, and portal access.

Where is data stored?
Data is stored exclusively on IBM Cloud Object Storage in the datacenter region you select. Regional (geo-redundant) locations distribute data across three independent datacenters minimum 10 km apart. Single-site options are available where regional redundancy is not required.

Is immutability available in all regions?
Immutability is available in most datacenter regions but not all. The datacenter list on this page identifies which locations support immutability. If immutability is a requirement, select a region where it is marked as available.

Is there a storage capacity limit?
No. The service provides unlimited storage capacity. You can scale from gigabytes to petabytes without capacity planning or hardware procurement. Pricing remains the same per terabyte regardless of volume.

Can I use this for multi-customer MSP deployments?
Yes. The management portal supports multi-customer environments with isolated storage buckets per customer, per-customer usage tracking, and centralised administration. MSPs can manage all customers from one portal with full cost visibility.

What about CO2-friendly datacenters?
Selected IBM Cloud datacenters are powered by 100% renewable energy through Renewable Electricity Certificates (RECs). CO2-friendly regions are identified in the datacenter list so you can choose a location that aligns with your sustainability goals.

Doesn’t Azure already include backup?
Azure Backup and Azure Site Recovery operate within the same Azure subscription and identity boundary as your production workloads. If a ransomware actor compromises an admin account with Backup Contributor rights, they can disable soft-delete, purge Recovery Services vaults, and destroy all backup data. Independent, air-gapped backup eliminates this attack vector.

Where is backup data stored?
Backup data is stored in the Azure datacenter region you select from 43 available locations across 30+ countries. Data does not leave the selected region. The backup infrastructure is logically and physically separate from your Azure tenant — there is no network path between your production environment and your backup storage.

What is segregation of duties and why does it matter?
Segregation of duties means the people who manage your production Azure environment do not have access to backup data. Anycloud manages the backup infrastructure independently. This prevents an insider threat or compromised admin account from affecting both production and backup simultaneously — a core requirement of NIS2, DORA, and ISO 27001.

How does ransomware recovery work?
Because backup data is stored on air-gapped, WORM-protected storage, ransomware in your Azure environment cannot reach or modify the backup. Recovery involves selecting a pre-infection snapshot and restoring the affected VMs, databases, or files directly back to your Azure tenant. All restore points are immutable and verified clean.

How are new Azure resources automatically protected?
Tag-based backup policies automatically include new resources as they are provisioned. When a new VM, database, or storage account is created with the designated backup tag, it is automatically assigned to the corresponding backup policy — no manual intervention or ticket required.

What portals are available?
Two portals are available: the management portal for administrators to configure backup policies, monitor job health, and manage storage; and the restore portal for IT and helpdesk staff to initiate recovery operations. Both portals are browser-based and require multi-factor authentication.

Does the service support GDPR right-to-erasure?
Yes. Administrators can submit a deletion request for a specific data subject, and all backup objects associated with that subject’s data are permanently purged from storage — across all retained snapshots and regions. This supports Article 17 GDPR obligations.

Is the service available through distributors?
Yes. Anycloud Azure Backup is available through ArrowSphere and direct from Anycloud. Contact the sales team for pricing, onboarding, and technical briefing.