Afi SaaS backup for Microsoft 365 uses a concept of a backup SLA policy to protect resources (mailboxes, sites, groups, teams, etc) and configure custom backup settings such as frequency, scope, retention and archiving settings, and encryption key (Afi- or customer-managed). A resource or a set of resources can be protected by an SLA policy directly at the Service → Protection screen or an SLA policy can be assigned to a group of resources at the Service → Protection → AAD Groups tab, in particular, to automatically protect resources that are added to this group.
Backup SLA policies are managed at the Service → Settings → SLA tab in the Afi portal. Afi automatically creates a set of pre-defined backup SLA policies upon a tenant onboarding (Gold, Silver, Bronze, Manual), but administrators can create any number of additional SLA policies customized to their needs to protect different sets of resources in a tenant with different settings. The service cost doesn't depend on which backup SLA policies are used so you can select or configure any SLA policies that you see fit for your use-cases.
Backup SLA policy management
Backup SLA policies for a tenant are configured and managed at the Service → Settings → SLA tab in the Afi portal.
You can view and change an SLA policy settings by clicking on its tile in the policies list or create a new SLA policy by clicking on the Add new SLA button in the top-right corner of the screen.
The SLA policy settings available for configuration are explained below.
Data to backup
This section allows you configure which Microsoft 365 workloads will be backed up by the Afi service for a resource which is protected by an SLA policy. Detailed description of Microsoft 365 workloads supported by Afi is provided in this article.
You can enable or disable backup of specific workloads based on your use-cases, for example, it allows you to create custom SLA policies that include only Exchange data (Emails, Contacts, Calendars, Tasks, Group mailbox) or only OneDrive and SharePoint data (Drive & OneNote, SharePoint).
You can assign a configured SLA policy to any resource, regardless of its type and workloads that it might contain. For example, you can assign an SLA policy that includes SharePoint data backup to a user mailbox - the Afi service will synchronize workloads available for this particular resource and skip workloads that are not applicable. This allows you to use a single SLA policy for all resources in your tenant in a generic way regardless of their types.
If you disable backup for a specific workload (for example, Emails) in an SLA policy settings, the service will stop synchronizing data for this workload for resources protected with this SLA policy, but old data for this workload will remain in the corresponding backups. If you want to delete already synchronized emails or files after you have disabled the corresponding workloads in an SLA policy settings, you can add custom item-level retention rules to this SLA to delete emails or files older than retention window.
SLA schedule settings allow you to define how often you want to run backups for resources protected with this SLA policy. The service can either run backups automatically once or 3 times per day or you can select Manual frequency to launch backups manually from the Afi portal. In case of Manual frequency the Afi service won't launch any backups for the corresponding resources automatically. In most cases it is recommended to use once or 3 times per day backups managed by the Afi service to make sure that your data is being backed periodically and in timely manner.
For a backup SLA policy with periodic backup frequency the Afi service triggers backups within backup windows of several hours duration:
- One 9-hours long backup window for once per day backup frequency. The backup window start can be configured when once per day backup frequency is selected.
- Three 6-hours long backup windows within a day for 3 times per day backup frequency.
Spreading backup start times across a backup window is important to avoid peak loads on Microsoft 365 services and don't cause API throttling.
By default, Afi keeps all backup snapshots and item versions for each backed up resource indefinitely, but you can configure custom data retention rules for an SLA policy to limit how long backup snapshots or items of a specific type (email/files) are kept by the service. Available data retention rules are described in the following article.
If you decide to limit how long backup data is stored by the Afi service, it is recommended to use backup version data retention rules. Item-level retention rules are better suited for compliance-related use-cases (for example, to keep email data for 7 years and delete all emails older than 7 years) and should be used with caution.
Please note that the Afi service applies retention rules only to the backups protected by an SLA policy. If a resource is not protected by an SLA policy, the service will continue to keep its backup together with all historical backup snapshots, but won't apply any custom retention or archiving rules.
Archiving rules define how long the Afi service will keep a backup for a resource protected by an SLA policy after it is marked as Archived on Afi side. A resource becomes Archived when the service can no longer synchronize its data from Microsoft 365 - when a resource is deleted on Microsoft 365 side or, in case of a user mailbox, when a Microsoft 365 administrator removes both Exchange and SharePoint licenses from this user. Archiving rules are described in detail in the following article.
By default, all Afi backups are encrypted with per-tenant Afi-managed encryption keys. Afi also supports configuring customer-managed cloud KMS encryption keys that allows an administrator to comply with regulatory requirements and have an additional layer of control over their backup data. Customer-managed (BYOK) encryption setup is described in this guide.
Protecting resources with a backup SLA policy
Once you selected or configured a backup SLA policy that you plan to use, you can assign it to a resource or a set of resources at the Service → Protection tab. When a resource is protected with an SLA policy, you can trigger its backup by clicking on the Backup now button.
You can also assign a backup SLA policy to a group of resources and automatically protect all resources that are added in this group at the Service → Protection → AAD Groups tab. Please see the following guide for more details.