=============== LIBRARY RULES =============== From library maintainers: - This is unofficial documentation - always verify against official Veeam Help Center # Veeam Data Cloud Documentation Veeam Data Cloud is a comprehensive SaaS backup-as-a-service platform that provides centralized data protection for multiple cloud workloads through a unified web portal. The platform enables organizations to protect Microsoft 365 (Exchange Online, SharePoint Online, OneDrive for Business, Teams), Microsoft Azure (VMs, SQL databases, Azure Files), Microsoft Entra ID (users, groups, policies, Intune), and Salesforce (data, metadata, files) without managing backup infrastructure. The platform offers role-based access control, automated backup policies, granular restore capabilities, and secure storage with built-in immutability and encryption. Veeam Data Cloud Vault provides managed object storage that integrates with Veeam Backup & Replication, Veeam Backup for Microsoft Azure, and Veeam Kasten for additional backup storage needs. ## Accessing Veeam Data Cloud Users access Veeam Data Cloud through the web portal at https://cloud.veeam.com using either Veeam My Account credentials or Microsoft 365 single sign-on. The platform supports multi-factor authentication and automatically logs out users after 30 minutes of inactivity. ``` # Access Methods Portal URL: https://cloud.veeam.com # Login Options: # 1. Continue with Microsoft - Redirects to Microsoft Entra authentication # 2. Continue with Veeam - Redirects to Veeam My Account authentication # Supported Browsers: # - Google Chrome (latest stable) # - Microsoft Edge (Chromium) # - Mozilla Firefox (latest stable) # Session Management: # - Auto-logout after 30 minutes of inactivity # - 2-minute warning before session ends # - To logout manually: Click user initials (top-right) > Sign Out ``` ## Adding Microsoft 365 Tenants To protect Microsoft 365 data, you must first add your tenant to Veeam Data Cloud. This connects your Microsoft 365 organization and enables backup policy creation for Exchange Online, SharePoint Online, OneDrive for Business, and Teams. ``` # Add Microsoft 365 Tenant Wizard Steps: Step 1: Launch Wizard - Navigate to Microsoft 365 page - Click "Add Tenant" Step 2: Specify Tenant Settings - Enter tenant name for identification - Configure region for data storage Step 3: Connect to Flex (for Flex/Premium plans) - Grant Veeam Data Cloud permissions to access Microsoft 365 - Authenticate with Global Administrator account - Accept required Microsoft Graph API permissions Step 4: Connect to Express (for Express/Premium plans) - Enable Microsoft 365 Backup Storage API integration - Configure native backup storage settings Step 5: Configure Initial Backup Policy - Select workloads to protect (Outlook, OneDrive, SharePoint, Teams) - Choose backup scope (Entire Organization or Selected Items) - Set retention period (default: 1 year for Flex, 52 weeks for Express) Step 6: Complete Setup - Review configuration summary - Click "Finish" to add tenant ``` ## Creating Microsoft 365 Backup Policies Veeam Data Cloud for Microsoft 365 supports two types of backup policies: Flex (customizable schedules and retention) and Express (simplified, Microsoft-managed storage). Each policy type offers Entire Organization or Selected Items backup scope. ``` # Create Express Backup Policy Step 1: Navigate to backup policies - Microsoft 365 > [Tenant Name] > Backup Policies > Add New Backup Policy Step 2: Select policy type - Choose "New Express Policy" > Next Step 3: Select application - Options: Outlook, OneDrive, or SharePoint - Note: Only one Entire Organization policy per application type Step 4: Configure policy details Name: "Exchange Full Organization Backup" Description: "Daily backup of all Exchange mailboxes" Backup Scope: "Entire Organization" # or "Selected Items" # For Selected Items - Outlook/OneDrive: - Click "Select" next to Microsoft 365 Users or Groups - Choose specific users/groups to protect # For Selected Items - SharePoint: - Click "Select" next to SharePoint Sites - Or click "Upload file" to import CSV with site URLs Step 5: Save policy - Click "Save" to create and enable the policy # Express Backup Schedule (automatic): # - Exchange Online: Every 10 minutes # - OneDrive/SharePoint: Every 10 minutes (2-week retention) # Weekly snapshots (50-week retention) ``` ## Creating Azure VM Backup Policies Veeam Data Cloud for Microsoft Azure enables image-level backups of Azure virtual machines with customizable protection settings, guest processing options, and snapshot management. ``` # Create Azure VM Backup Policy Step 1: Launch wizard - Azure > [Tenant Name] > Backup Policies > Create New Policy - Select "New Azure Virtual Machine Policy" Step 2: Policy identification Name: "Production VMs Daily Backup" Description: "Daily backup of production Azure VMs" Step 3: Select source VMs - Browse Azure subscriptions and resource groups - Select VMs to protect - Use tags or naming patterns for dynamic selection Step 4: Configure protection settings (SLA) Schedule: Daily at 2:00 AM UTC Retention Policy: - Daily restore points: 14 days - Weekly restore points: 4 weeks - Monthly restore points: 12 months Step 5: Guest processing settings (optional) Enable Application-Aware Processing: Yes - Quiesce applications before snapshot - Enable VSS for Windows VMs Truncate SQL Transaction Logs: Yes Step 6: Snapshot settings Create Azure snapshots: Yes Snapshot retention: 7 days Enable Instant VM Recovery: Yes Step 7: Notification settings Email notifications: admin@company.com Notify on: Failure, Warning Step 8: Complete configuration - Review all settings - Click "Finish" to create policy ``` ## Salesforce Backup Configuration When you add a Salesforce tenant, Veeam Data Cloud automatically creates a backup policy with default settings. Each tenant has a single backup policy that can be customized for schedule, retention, and object selection. ``` # Default Salesforce Backup Policy Settings | Setting | Default Value | |----------------------------------|----------------------------------| | Salesforce API Limits | 60% | | Schedule | Daily | | Included Objects | All (except History/Tag objects) | | Included Files | All | | Auto-add New Objects | Enabled | | Auto-add New Fields | Enabled | | Encryption | Built-in key, all file types | | Records/File Versions Retention | 1 year | | Deleted Records/Files Retention | 1 year (not configurable) | # Edit Backup Policy Navigate: Salesforce > [Tenant Name] > Backup Policies > Edit # Schedule Options: - Standard: Daily, Weekly, Monthly - Custom: Define specific days and times - High-frequency: Multiple times per day for critical objects # Object-Level Configuration: Objects: Account: schedule: "Every 6 hours" retention: "2 years" Opportunity: schedule: "Daily" retention: "1 year" CustomObject__c: schedule: "Weekly" retention: "6 months" # Encryption Settings: encryption_type: "aws_kms" # or "built_in" kms_key_id: "arn:aws:kms:us-east-1:123456789:key/abc-123" encrypted_file_types: ["all"] # or specific types ``` ## Restoring Microsoft 365 Outlook Mailboxes Veeam Data Cloud provides two restore methods for Outlook data: Flex Restore (granular control over restore location and options) and Express Full Restore (quick restore to original location). ``` # Flex Restore - Outlook Mailbox Step 1: Navigate to restore - Microsoft 365 > [Tenant Name] > Restore Step 2: Select restore point - Default: Latest available - Custom: Click calendar icon, select date/time Step 3: Select mailbox to restore - Browse organization tree - Select single mailbox or multiple (checkboxes) - Click "Restore Selected Mailbox" Step 4: Choose restore destination Options: a) Original location - Restores to source mailbox - Advanced options available b) Other user's mailbox Mailbox: "recovery@company.com" Folder: "Restored Items/John Doe" c) Local computer (< 1GB) - Downloads as .PST file immediately d) Download in background (> 1GB) - Creates .PST file(s) for later download - Large mailboxes split into 10GB .PST files Step 5: Advanced options (Original/Other mailbox) Restore the following items: [x] Changed items [x] Missing items Flag restored items: [x] Mark restored as unread Exclude folders: [ ] Drafts [x] Deleted Items [ ] In-Place Hold Items [ ] Litigation Hold Items Step 6: Execute restore - Click "Restore" or "Download" # Express Full Restore - Outlook Mailbox Step 1-3: Same as Flex Restore Step 4: Select restore method - Choose "Express Full Restore" Step 5: Choose restore point - "Use the latest available restore point" - OR "Use the restore point from" + select date/time Step 6: Choose restore location - "Original location" - Replaces existing data - "New folder" - Creates "Recovered Items YYYY-MM-DD, HH:MM" Step 7: Execute - Click "Express Full Restore" ``` ## Restoring Azure VMs Veeam Data Cloud for Microsoft Azure supports three restore options for virtual machines: entire VM restore, disk-level restore, and file-level restore from snapshots or image-level backups. ``` # Restore Options for Azure VMs # 1. Entire VM Restore Navigate: Azure > [Tenant Name] > Restore > VMs Select VM and restore point Click "Restore Entire VM" Restore Settings: Restore Mode: - Original location (overwrite) - New location (new VM) Target Settings (new location): Subscription: "Production-Sub" Resource Group: "RG-Restored" VM Name: "VM-Restored-2024" Virtual Network: "VNet-Production" Subnet: "Subnet-Web" Power Options: [x] Power on VM after restore [ ] Connect to original network # 2. Disk Restore Navigate: Azure > [Tenant Name] > Restore > VMs Select VM > Click "Restore VM Disks" Restore Settings: Disks to restore: [x] OS Disk (osdisk-vm01) [x] Data Disk 1 (datadisk-01) [ ] Data Disk 2 (datadisk-02) Target: Storage Account: "storerestored01" Container: "restored-disks" # 3. File-Level Restore Navigate: Azure > [Tenant Name] > Restore > VMs Select VM > Click "Restore VM Files" Step 1: Select restore point Step 2: Mount backup as iSCSI target Step 3: Browse file system in web UI Step 4: Select files/folders to restore Step 5: Download or restore to original location Session timeout: 30 minutes (extendable) ``` ## Salesforce Restore Operations Veeam Data Cloud for Salesforce provides four restore types: records (full object content), field values (specific fields), files (attachments and documents), and metadata (configuration and schema). ``` # Salesforce Restore Types # 1. Restore Records Navigate: Salesforce > [Tenant Name] > Restore > Create New Job Job Configuration: Name: "Account Records Restore" Type: "Restore Records" Organization: "Production Org" Data Selection: Object: "Account" Filter: "Industry = 'Technology' AND CreatedDate > 2024-01-01" Include Attachments: Yes Include Child Hierarchy: Yes Hierarchy Depth: 10 # Max recommended Restore Options: Conflict Resolution: "Skip existing" # or "Overwrite" Restore Deleted Records: Yes Map External IDs: Yes # 2. Restore Field Values Job Type: "Restore Field Values" Object: "Opportunity" Fields to Restore: - Amount - CloseDate - StageName Records: [Select specific record IDs or use filter] # 3. Restore Files Job Type: "Restore Files" File Types: - ContentDocument - Attachment - ContentVersion Target: Original location or download # 4. Restore Metadata Job Type: "Restore Metadata" Metadata Types: - Custom Objects - Custom Fields - Profiles - Permission Sets - Flows - Reports # Cross-Tenant Restore (Production to Sandbox) # Full restore procedure: 1. Restore metadata first 2. Manually enable required Salesforce features 3. Install required external packages 4. Restore records and files # Job Lifecycle: Status: Draft -> Running -> Completed/Failed Actions: Start, Stop, Clone, Edit (draft only), Remove (draft only) ``` ## Microsoft Entra ID Protection Veeam Data Cloud for Microsoft Entra ID backs up tenant configurations including users, groups, administrative units, roles, applications, Conditional Access policies, and Microsoft Intune policies with audit and sign-in log retention. ``` # Add Entra ID Tenant Navigate: Entra ID > Add Tenant Step 1: Launch wizard - Click "Add Entra ID Tenant" Step 2: Authorize access - Sign in with Global Administrator account - Grant required Microsoft Graph API permissions: - Directory.Read.All - AuditLog.Read.All - Policy.Read.All - DeviceManagementConfiguration.Read.All (for Intune) Step 3: Select backup region Options: - US East - US West - Europe West - Europe North - Australia East Step 4: Configure retention Tenant Backup Retention: 365 days Audit Logs Retention: 90 days Sign-in Logs Retention: 30 days Step 5: Complete setup - Review summary - Click "Finish" # Backup runs automatically after tenant is added # Default schedule: Daily # Restore Operations # Restore Users Navigate: Entra ID > [Tenant] > Restore > Users Select restore point > Select users > Restore Restore Options: - Restore entire user object - Restore specific properties only - Restore to original location - Export to JSON file # Restore Conditional Access Policies Navigate: Entra ID > [Tenant] > Restore > Conditional Access Select policies > Choose restore mode: - "Restore as new" (creates new policy) - "Overwrite existing" (replaces current) # Restore Intune Policies Navigate: Entra ID > [Tenant] > Restore > Intune Supported policy types: - Device Configuration - Compliance Policies - App Protection Policies - Enrollment Restrictions # Export to JSON Navigate: Entra ID > [Tenant] > Restore > [Object Type] Select objects > Click "Export" Download JSON file with object definitions ``` ## Veeam Data Cloud Vault Veeam Data Cloud Vault provides secure, managed object storage with built-in immutability for integration with Veeam Backup & Replication, Veeam Backup for Microsoft Azure, and Veeam Kasten. ``` # Add Storage Vault Navigate: Vault > Storage Vaults > Add Storage Vault # For Azure-based Vault Edition: Step 1: Select vault type - Azure Blob Storage Step 2: Configure vault Name: "Primary-Backup-Vault" Region: "East US 2" Storage Tier: "Hot" # or "Cool", "Archive" Immutability: Enabled Retention Lock: 365 days Step 3: Access credentials - Auto-generated access keys - Connection string provided after creation # For AWS-based Vault Edition: Step 1: Select vault type - Amazon S3 Step 2: Configure vault Name: "DR-Backup-Vault" Region: "us-west-2" Storage Class: "Standard" # or "Intelligent-Tiering" Immutability: Enabled (Object Lock) # Integration with Veeam Backup & Replication # Add as Object Storage Repository: 1. In VBR Console: Backup Infrastructure > Add Backup Repository 2. Select "Object Storage" > "Veeam Data Cloud Vault" 3. Enter connection details: Endpoint: vault.veeam.cloud Access Key: [from VDC Vault portal] Secret Key: [from VDC Vault portal] Bucket: [auto-created bucket name] 4. Configure repository settings: Use as: "Capacity Tier" or "Direct backup" Immutability: [inherits from vault settings] # Vault Editions: | Edition | Storage Provider | Immutability | Encryption | |------------|------------------|--------------|------------| | Azure | Azure Blob | Yes | AES-256 | | AWS | Amazon S3 | Yes | AES-256 | ``` ## User and Role Management Veeam Data Cloud provides role-based access control with built-in roles for organization-wide and workload-specific permissions. Roles can be scoped to specific tenants for granular access control. ``` # Built-in Roles # Organization Roles OrganizationAdmin: - Full access to all workloads and tenants - User management capabilities - First user automatically receives this role OrganizationViewer: - View-only access to tenant lists - Automatically granted to all users # Microsoft 365 Roles M365:Administrator # Full M365 access M365:BackupOperator # Tenant and backup policy management M365:RestoreOperator # Restore operations only # Microsoft Entra ID Roles EntraID:Administrator # Full Entra ID access EntraID:SettingsAdministrator # Tenant settings only EntraID:RestoreAdministrator # Restore operations only EntraID:Viewer # View-only access # Salesforce Roles Salesforce:Administrator # Full Salesforce access Salesforce:BackupOperator # Backup and restore operations Salesforce:RestoreOperator # Restore operations only Salesforce:Viewer # View-only access # Microsoft Azure Roles Azure:Administrator # Full Azure access (cannot add tenants) # Vault Roles Vault:Administrator # Full Vault access # Add User with Role Assignment Navigate: Settings > Users > Add User User Details: Email: "backup.admin@company.com" Name: "Backup Administrator" Role Assignment: - Role: "M365:BackupOperator" Scope: "All Microsoft 365 Tenants" - Role: "Salesforce:RestoreOperator" Scope: ["Production Org", "Sandbox Org"] - Role: "EntraID:Viewer" Scope: "Contoso Entra ID" # The user receives an invitation email # They must accept and authenticate to access VDC # Custom Roles (Microsoft 365 only) Navigate: Settings > Roles > Create Custom Role Custom Role Configuration: Name: "Limited Restore Operator" Base: "M365:RestoreOperator" Permissions: Restore Outlook: Yes Restore OneDrive: Yes Restore SharePoint: No Restore Teams: No Download to Local: No ``` ## Searching Backup Data Veeam Data Cloud for Microsoft 365 provides basic search (keyword-based) and advanced search (multi-criteria) capabilities to locate specific items within backups for granular restore operations. ``` # Basic Search Navigate: Microsoft 365 > [Tenant] > Search > Search tab Search Configuration: Search Within: "Outlook" # Outlook, SharePoint, OneDrive, Teams Select: "user@company.com" # Specific mailbox/site/drive Restore Point: "2024-01-15 02:00 AM" # Select from calendar Keyword: "quarterly report" # Keyword matches: # - Outlook: Email subject # - SharePoint: Site name or document content # - OneDrive: File name # - Teams: Post subject Click "Search" to start Results: First 500 matches displayed Click "Continue" to load next 500 Select items > Click "Restore" to restore selected # Advanced Search Navigate: Microsoft 365 > [Tenant] > Search > Advanced Search tab Search Configuration: Search Within: "Outlook" Select: "user@company.com" as at: "2024-01-15 02:00 AM" Primary Search Criteria: Category: "Message" Field: "Subject" Condition: "Contains" Value: "Invoice" [Add to list] Category: "Message" Field: "From" Condition: "Equals" Value: "vendor@supplier.com" [Add to list] Secondary Search Criteria: Category: "Message" Field: "Has Attachment" Condition: "Equals" Value: "True" [Add to list] # Criteria are linked with OR operator # Click "Start Search" Status progression: In queue -> Processing -> Completed Click "Detail" to view results Select items > "Restore Selected Items" # Search Tips: # - Keep criteria specific for faster results # - Larger backups = longer search time # - Consider direct browse for known items ``` ## Organization Dashboard and Activity Monitoring The organization dashboard provides centralized monitoring of data protection status across all workloads, while the Activity view consolidates backup sessions and audit events for operational visibility. ``` # Organization Dashboard Navigate: Click Dashboard icon (left menu) Available to: OrganizationAdmin role only Supported workloads: Microsoft 365, Entra ID, Salesforce # Dashboard Sections: 1. Protected Objects - Ratio of protected vs total objects - Protection status based on RPO compliance 2. Tenants - Total tenant count in current view 3. Unprotected Objects - Objects without restore points within RPO 4. Data Protection History Time Range: 7 / 30 / 90 days View by: Objects | Sessions Status breakdown: - Success (green) - Warning (yellow) - Error (red) 5. Recent Activity - Latest backup sessions - Click "View all activity" for full list # Filtering: All Workloads > [Select specific workloads] All Tenants > [Select specific tenants] Clear All > Remove all filters # Activity View Navigate: Click Activity icon (left menu) Available to: - OrganizationAdmin - OrganizationViewer + workload admin role # Backup Sessions View Navigate: Activity > Backup Sessions Columns: - Session Name - Workload Type - Tenant - Start Time - Duration - Status - Objects Processed - Warnings/Errors Filters: - Date Range - Workload - Tenant - Status # Audit Logs View Navigate: Activity > Audit Logs Events tracked: - User logins/logouts - Policy changes - Restore operations - User management actions - Tenant configuration changes Columns: - Timestamp - User - Action - Resource - Details ``` ## Security Features Veeam Data Cloud implements enterprise-grade security including ISO/IEC 27001 certification, 256-bit encryption, service-level immutability, and multi-factor authentication across all workloads. ``` # Security Architecture Certifications: - ISO/IEC 27001 - SOC 2 Type II - Regular third-party penetration testing # Data Sovereignty Microsoft 365 Flex: - Dedicated storage accounts per customer - Region selection during tenant setup - Data never leaves selected region Microsoft 365 Express: - Stored within customer's Microsoft 365 region - Uses native Microsoft 365 Backup Storage APIs # Storage Redundancy Flex Storage: Local Redundant Storage (LRS) - 3 copies on separate disks - Single Azure region Express Storage: - Microsoft 365 native backup storage - Microsoft-managed redundancy # Encryption In-Transit: TLS 1.2 or higher At-Rest: AES 256-bit encryption Salesforce additional options: - Built-in encryption key (default) - Customer-managed AWS KMS keys # Immutability Service-level immutability on all backups: - Data cannot be altered after backup - Protected from user deletion (including admins) - Ransomware protection # Authentication Methods: - Veeam My Account credentials - Microsoft 365 SSO (Microsoft Entra) - Multi-Factor Authentication (MFA) enforced Session Management: - 30-minute inactivity timeout - 2-minute warning before logout # SLA Veeam Data Cloud for Microsoft 365 Flex: - 99.9% uptime SLA - Excludes planned maintenance windows # Retention Defaults | Workload | Default Retention | Customizable | |---------------|-------------------|--------------| | M365 Flex | 1 year | Unlimited | | M365 Express | 52 weeks | No | | Entra ID | 365 days | Yes | | Salesforce | 1 year | Yes | | Azure | Policy-based | Yes | ``` ## Summary Veeam Data Cloud serves as a unified SaaS backup platform for organizations requiring comprehensive data protection across Microsoft 365, Microsoft Azure, Microsoft Entra ID, and Salesforce workloads. The platform eliminates infrastructure management overhead while providing enterprise-grade security features including immutability, encryption, and compliance certifications. Primary use cases include protecting Exchange Online mailboxes and Teams data, backing up Azure VMs and SQL databases, preserving Entra ID configurations and Intune policies, and maintaining Salesforce data with hierarchical object relationships. Integration patterns typically involve connecting cloud tenants through OAuth/API authentication, creating automated backup policies with customized schedules and retention, and performing granular restores when data loss occurs. Organizations can extend Veeam Data Cloud capabilities through Vault integration with existing Veeam Backup & Replication deployments for hybrid backup scenarios. The role-based access control system enables delegation of backup and restore responsibilities across teams while maintaining security boundaries through tenant-scoped permissions.