Object Lock (Immutability)
This chapter is intended to describe Object Lock Immutability support for Microsoft 365 / Google Workspace Backup. For information on how Object Lock (Immutability) is supported for backup plans in new backup format with GFS, refer to the following article.
This chapter covers the following topics:
- About Object Lock (Immutability)
- Retention Modes for Immutable Data
- Grant Administrators Permissions to Manage Object Lock (Immutability)
- Allow Default Object Lock in Backup Destinations
- Edit Default Object Lock Settings for Storage Account
- Disable Default Object Lock for Storage Account
- Allow Object Lock for GFS backups in Backup Destinations
- Disable Object Lock for GFS backups for Storage Account
- Manage Object Lock for GFS backups using Retention Policies
About Object Lock (Immutability)
Object Lock is a feature that locks backup datasets for a period specified by default or custom retention policy. If Object Lock is allowed for the backup storage, all backups with configured retention policy that are created in this backup storage become immutable for the retention period. Within this period, backup data is kept unmodified.
The Object Lock feature supports the following feature types:
- Default Object Lock (New)
- Object Lock for GFS Backups (formerly Object Lock (Immutability)). This feature is not applicable for the backups without a configured retention policy.
In the selected backup destination for Microsoft 365 / Google Workspace, only one of these feature types should be enabled
Default Object Lock (New)
Default Object Lock is an alternative immutability type in which all backup data written to the backup destination is automatically locked.
- Configured on the cloud storage provider side
- Applied automatically to all backups using the destination
Object Lock for GFS Backups
Object Lock for GFS Backups (formerly Object Lock (Immutability)) is applied only to backup data created using Microsoft 365/Google Workspace Backup and is not applicable for the backups without a configured retention policy.
- Configured in Managed Backup
- Requires the Manage Object Lock (Immutability) permission for administrators.
If the storage with Object Lock feature enabled is selected for Microsoft 365 / Google Workspace Backup, you will see the Object Lock icon on the main menu of Service Dashboard.
The Object Lock for GFS Backups feature support depends on the retention policy assigned. If the Object Lock for GFS Backups is applied along with retention policy settings, backups that are subject to the retention policy become immutable for the period specified by retention policy. Refer to the table below for details on how it works.
| Object Lock on Backup Destination | Default Retention Policy | Custom Retention Policy | RESULT | Comment |
|---|---|---|---|---|
| ✔️ | ✔️ | ✔️ | Backup locked | Unable to delete backup data until the period set by custom retention policy expires |
| ✔️ | ✔️ | ❌ | Backup locked | Unable to delete backup data until the period set by default retention policy expires |
| ✔️ | ❌ | ✔️ | Backup locked | Unable to delete backup data until the period set by custom retention policy expires |
| ✔️ | ❌ | ❌ | Backup NOT locked | Backup data can be deleted |
| ❌ | ✔️ | ✔️ | Backup NOT locked | Backup data can be deleted |
| Top |
Retention Modes for Immutable Data
Generally, two object lock retention modes are supported for immutable storage:
Governance mode (default, all storages work in this mode). In Governance mode, protected objects in backup storage are locked (users cannot overwrite or delete an object version or alter its lock settings using Management Console or Backup Agent). These objects can only be deleted using cloud storage provider tools. By design, when you create a destination bucket using the Management Console, the Governance mode is used for all destination buckets with Immutability enabled.
Compliance mode. In Compliance mode, protected objects in backup storage are locked completely (users cannot overwrite or delete an object version or alter its lock settings using Management Console or Backup Agent). These objects cannot be deleted until their retention period defined in the retention policy settings ends.
Management Console or Backup Agent provide no option to switch object lock retention mode for existing destination buckets. If you need to use the Compliance mode for the case, you can check this option with MSP360 support.
The Object Lock feature should be configured carefully, especially in Compliance Mode. When enabled, backup data becomes immutable and cannot be deleted or modified until the retention period specified by the policy expires. This restriction applies even to administrators, and the only way to remove such data is by terminating the entire storage account
| Top |
Grant 'Manage Object Lock (Immutability)' Permission
To delegate Object Lock management to administrators:
- Open the Management Console
- Go to Organization > Administrators
- Click Edit for the administrator account you are planning to use for backup storage management
- Open the Permissions tab
- Enable Manage Object Lock (Immutability)
- Click Save.
| Top |
Allow Default Object Lock for Storage Account
Ensure that Object Lock is enabled on the storage.
To allow Default Object Lock, proceed as follows:
- Open the Management Console.
- In the Storage Accounts, select the required account to allow the Default Object Lock or create a new storage account.
- Expand the actions, then select View Backup Destinations.
- Click Add Destination Bucket to create a new backup destination for immutable backups.
- In the Destination Bucket property box, fill in the required data (create or select an existing bucket), then click Set Default Object Lock.
Do not use Default Object lock and Object Lock for GFS backups on the same storage
- Confirm the action.
Wasabi: Buckets with Object Lock enabled must also have Versioning enabled
| Top |
Edit Default Object Lock Settings for Storage Account
If Object Lock period is changed on the storage side:
If Object Lock settings can be read from storage, the protection period is populated automatically.
If the settings cannot be read, you will be prompted to provide the protection period settings manually.
To provide the protection period settings manually, proceed as follows:
- Open the Management Console.
- In the Backup > Storage Accounts select the required account.
- Click the storage account name to view a list of backup destinations.
- Click the edit icon at the end of the required backup destination record.
- In the Edit destination dialog, edit the number of days below the Set Default Object Lock checkbox to provide the correct value.
- Click Save.
Disable Default Object Lock for Storage Account
If Object Lock is disabled on the storage side:
- Existing immutable backups remain locked until their retention period expires.
- All newly created backups will not be purged during the Default Object Lock period specified in the Management Console.
In this case it is recommended to disable Default Object Lock for storage account in the Management Console. To perform this, proceed as follows:
- Open the Management Console.
- In the Backup > Storage Accounts select the required account.
- Click the storage account name to view a list of backup destinations.
- Click the edit icon at the end of the required backup destination record.
- In the Edit destination dialog, clear the Set Default Object Lock checkbox.
- Click Save.
Now all newly created backups will be purged according to the retention policy settings.
| Top |
Allow Object Lock for GFS Backups for Storage Account
Consider, Object Lock for GFS Backups (formerly Object Lock (Immutability)) should be allowed by means of Management Console. Do not use this feature if Object Lock is enabled on your storage destination.
If you need to comply with the regulations, maintenance or legal requirements, or anything else that requires an immutable backup dataset, enable this feature for an appropriate storage account. If you do not have any storage destinations with the allowed Object Lock for GFS Backups, you can create a new destination bucket in Management Console.
To use the Object Lock for GFS Backups feature, appropriate permission must be granted to the account used for backup storage connection. For example, for S3 destinations, GetBucketObjectLockConfiguration permission must be granted.
AWS S3
Ensure that GetBucketObjectLockConfiguration permission is granted.
To allow Object Lock for GFS Backups, proceed as follows:
- Open the Management Console.
- In the Storage Accounts, select the required account to allow the Object Lock for GFS Backups or create a new storage account.
Note that the 'list versions' permission must be enabled for the storage account
- Expand the actions, then select View Backup Destinations.
- Click Add Destination Bucket to create a new backup destination for immutable backups.
- In the Destination Bucket property box, fill in the required data (create or select an existing bucket), then select Allow Object Lock for GFS Backups.
- Confirm the action.
- Once you are done, proceed to Microsoft 365 / Google Workspace Dashboard to create retention policies for specific services or exported PST files. The allowed feature is enabled on the specified bucket only and does not affect any backups or exported files. You should create retention policies for every service or exported PST file to apply Object Lock period for them as described below.
Note that if a bucket has the Allow Object Lock for GFS Backups feature enabled, versioning for this bucket is automatically enabled as well
| Top |
Wasabi
To allow the Allow Object Lock for GFS Backups for Wasabi, proceed as follows:
- Open the Management Console.
- In the Storage Accounts, select the required account to allow the Object Lock for GFS Backups or create a new storage account.
Allow Object Lock for GFS Backups can only be enabled at the time a bucket is created. Buckets with Object Lock for GFS Backups enabled must also have Versioning enabled
- Expand the actions, then select View Backup Destinations.
- Click Add Destination Bucket to create a new backup destination for immutable backups.
- In the Destination Bucket property box, fill in the required data (create or select an existing bucket), then click Allow Object Lock for GFS Backups.
- Confirm the action.
- Once you are done, proceed to Microsoft 365 / Google Workspace Dashboard to create retention policies for specific services or exported PST files. The allowed Immutability enables this feature on the specified bucket only and does not apply this feature to any backups or exported files. You should create retention policies for every service or exported PST file to apply object lock period for them as described below.
| Top |
Backblaze B2
To allow the Object Lock for GFS Backups for Backblaze B2 destinations, proceed as follows:
- Open the Management Console.
- In the Storage Accounts, select the required Backblaze account to allow the Object Lock for GFS Backups or create a new Backblaze storage account.
- Expand the actions, then select View Backup Destinations. If you just created a new Backblaze storage account, just follow the storage account creation wizard.
- Click Add Destination Bucket to create a new backup destination for immutable backups.
- In the Add Destination Bucket box, select the Create new bucket option, specify the new bucket name, then select the Allow Object Lock for GFS Backups checkbox. If you want to use the existing bucket, click ..., then select the required bucket from the list.
Object Lock for GFS Backups can only be enabled at the moment a bucket is created. Thus, if you select an existing bucket, it must have the Object Lock for GFS Backups enabled previously. For existing buckets with no Object Lock for GFS Backups enabled upon creation, there is no way to enable it. You can always check the Object Lock for GFS Backups status of existing backup destinations on the 'Backup Destinations' page
- Confirm the action.
- Once you are done, proceed to Microsoft 365 / Google Workspace Dashboards to create retention policies for specific services or exported PST files. The allowed Object Lock for GFS Backups enables this feature on the specified bucket only and does not apply this feature to any backups or exported files. You should create retention policies for every service or exported PST file to apply Object Lock period for them as described below.
| Top |
Disable Object Lock for GFS Backups for Storage Account
If you want to stop Object Lock for GFS backup protection:
- Existing immutable backups remain locked until their retention period expires.
- All newly created backups will not be purged during the retention policy specified in the Management Console.
- Open the Management Console.
- In the Backup > Storage Accounts select the required account.
- Click the storage account name to view a list of backup destinations.
- Click the edit icon at the end of the required backup destination record.
- In the Edit destination dialog, clear the Allow Object Lock for GFS Backups checkbox.
- Click Save.
Now all newly created backups will be purged according to the retention policy settings.
Manage Object Lock for GFS Backups Using Retention Policies
Consider, Object Lock for GFS Backups (formerly Object Lock (Immutability)) cannot be supported for backups without applied retention policy
Refer to the following articles for details on how to configure retention policies:
| Top |