Object Lock (Immutability)

This chapter describes Object Lock (Immutability) support for Microsoft 365 / Google Workspace Backup. For information on how Object Lock (Immutability) is supported for backup plans in the new backup format with GFS, refer to the following article.

About Object Lock (Immutability)

Object Lock (Immutability) is a feature that locks backup datasets for a period specified by the default or a custom retention policy. If Object Lock (Immutability) is allowed for the backup storage, all backups with a configured retention policy that are created in this backup storage become immutable for the retention period. Within this period, backup data is kept unmodified. Object Lock (Immutability) is not applicable to backups without a configured retention policy.

Object Lock (Immutability) is supported by the following storage providers:

If a storage with Object Lock (Immutability) enabled is selected for Microsoft 365 / Google Workspace Backup, the Object Lock icon appears on the main menu of the service Dashboard.

Note that Object Lock (Immutability) is not supported for MSP360 storage powered by AWS and by Wasabi.

Object Lock (Immutability) support depends on the retention policy assigned. If Immutability is applied along with retention policy settings, backups that are subject to the retention policy become immutable for the period specified by the retention policy. Refer to the table below for details on how it works.

| Object Lock on Backup Destination | Default Retention Policy | Custom Retention Policy | Result | Comment |
|---|---|---|---|---|
| ✔️ | ✔️ | ✔️ | Backup locked | Unable to delete backup data until the period set by custom retention policy expires |
| ✔️ | ✔️ | | Backup locked | Unable to delete backup data until the period set by default retention policy expires |
| ✔️ | | ✔️ | Backup locked | Unable to delete backup data until the period set by custom retention policy expires |
| ✔️ | | | Backup NOT locked | Backup data can be deleted |
| | ✔️ | ✔️ | Backup NOT locked | Backup data can be deleted |

Object Lock (Immutability) support can only be applied to a new bucket. You cannot enable this setting for an existing bucket; create a new one instead.

Retention Modes for Immutable Data

Generally, two object lock retention modes are supported for immutable storage:

  • Governance mode (default, all storages work in this mode)

    In Governance mode, protected objects in backup storage are locked (users cannot overwrite or delete an object version or alter its lock settings using Management Console or Backup Agent). These objects can only be deleted using cloud storage provider tools. By design, when you create a destination bucket using the Management Console, the Governance mode is used for all destination buckets with Immutability enabled.

  • Compliance mode

    In Compliance mode, protected objects in backup storage are locked completely (users cannot overwrite or delete an object version or alter its lock settings using Management Console or Backup Agent). These objects cannot be deleted until the retention period defined in the retention policy settings ends. Neither the Management Console nor the Backup Agent provides an option to switch the object lock retention mode for existing destination buckets. If you need to use Compliance mode, you can check this option with MSP360 support.

Use the Object Lock (Immutability) feature with extreme caution. Once backup data becomes immutable in Compliance mode, there is no way to delete it from the storage until the period specified by the retention policy expires, except by terminating the storage account. Incorrect settings can cause high storage bills.
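
The difference between the two modes, worked through as an added Python example (not MSP360 code). It classifies object versions by the per-version lock metadata that S3 reports (ObjectLockMode and ObjectLockRetainUntilDate) and totals the data that Compliance mode keeps on the bill; the sample keys, sizes and dates are constructed.

```python
from datetime import datetime, timezone

# Constructed sample: per-version lock metadata shaped like S3 HeadObject output.
SAMPLE_VERSIONS = [
    {"Key": "backup/mail-0001", "Size": 4_000_000, "ObjectLockMode": "GOVERNANCE",
     "ObjectLockRetainUntilDate": datetime(2025, 9, 1, tzinfo=timezone.utc)},
    {"Key": "backup/mail-0002", "Size": 6_000_000, "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": datetime(2026, 3, 1, tzinfo=timezone.utc)},
    {"Key": "backup/mail-0003", "Size": 1_000_000, "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": datetime(2025, 1, 1, tzinfo=timezone.utc)},
    {"Key": "backup/mail-0004", "Size": 2_000_000},  # no retention policy: never locked
]

def deletability(version, now):
    """Classify one object version the way the two retention modes treat it."""
    mode = version.get("ObjectLockMode")
    until = version.get("ObjectLockRetainUntilDate")
    if mode is None or until is None or until <= now:
        return "deletable"            # unlocked, or the retention period has ended
    if mode == "GOVERNANCE":
        return "provider-tools-only"  # blocked in the backup product, not at the provider
    if mode == "COMPLIANCE":
        return "locked-until-expiry"  # nobody can remove it before the date passes
    raise ValueError(f"unknown lock mode: {mode!r}")

def lock_report(versions, now):
    """Summarise what can be removed today and what keeps accruing storage cost."""
    report = {"deletable": [], "provider-tools-only": [], "locked-until-expiry": [],
              "compliance_locked_bytes": 0, "last_release": None}
    for v in versions:
        state = deletability(v, now)
        report[state].append(v["Key"])
        if state == "locked-until-expiry":
            report["compliance_locked_bytes"] += v["Size"]
            until = v["ObjectLockRetainUntilDate"]
            if report["last_release"] is None or until > report["last_release"]:
                report["last_release"] = until
    return report

if __name__ == "__main__":
    print(lock_report(SAMPLE_VERSIONS, datetime(2025, 6, 1, tzinfo=timezone.utc)))
```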

Allow 'Manage Object Lock (Immutability)' Permission for Your Administrators

If you intend to delegate Immutability management to your administrators, grant them the appropriate permission. To do this, proceed as follows:

  1. Open the Management Console.
  2. In the Organization menu, select Administrators.
  3. Click Edit or Add Administrator to create a new one.
  4. Switch to the Permissions tab.
  5. Find the Manage Object Lock (Immutability) option, then select the appropriate check box.
  6. Click Save.

Allow Object Lock (Immutability) for Storage Account

Note that Object Lock (Immutability) must be allowed by means of the Management Console. Object Lock (Immutability) allowed using the backup storage management consoles is not supported.

If you need to comply with regulations, maintenance or legal requirements, or anything else that requires an immutable backup dataset, enable this feature for the appropriate storage account. If you do not have any storage destinations with Object Lock (Immutability) allowed, you can create a new destination bucket in the Management Console.

To use the Object Lock (Immutability) feature, the appropriate permission must be granted to the account used for the backup storage connection. For example, for S3 destinations, the GetBucketObjectLockConfiguration permission must be granted.

AWS S3

Ensure that GetBucketObjectLockConfiguration permission is granted.

To allow Object Lock (Immutability) for AWS S3, proceed as follows:

  1. Open the Management Console.
  2. In Storage Accounts, select the account for which to allow Object Lock (Immutability), or create a new storage account.

     Note that the 'list versions' permission must be enabled for the storage account.

  3. Expand the actions, then select View Backup Destinations.
  4. Click Add Destination Bucket to create a new backup destination for immutable backups.
  5. In the Destination Bucket property box, fill in the required data (create or select an existing bucket), then click Enable Object Lock (Immutability).
  6. Confirm the action: read the confirmation message, select the I Confirm Enabling Object Lock (Immutability) check box, then click Confirm.
  7. Once you are done, proceed to the Microsoft 365 / Google Workspace Dashboards to create retention policies for specific services or exported PST files. Allowing Immutability enables the feature on the specified bucket only; it does not apply the feature to any backups or exported files. Create retention policies for every service or exported PST file to apply an object lock period to them, as described below.

Note that if a bucket has the Object Lock (Immutability) feature enabled, versioning for this bucket is automatically enabled as well.
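
A pre-flight check for the prerequisites named in this section, as an added Python example (not MSP360 code). The preflight function accepts any client exposing the boto3 S3 calls get_object_lock_configuration and get_bucket_versioning; FakeS3Client and FakeS3Error are constructed stubs so the block runs offline, and reading the versioning state on a real bucket is assumed to be permitted for the account.

```python
class FakeS3Error(Exception):
    """Constructed stand-in for botocore's ClientError (same .response shape)."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class FakeS3Client:
    """Constructed offline stub; a real boto3 S3 client exposes the same two calls."""
    def __init__(self, lock=None, versioning=None, lock_error=None):
        self.lock = lock
        self.versioning = versioning or {}
        self.lock_error = lock_error

    def get_object_lock_configuration(self, Bucket):
        if self.lock_error:
            raise FakeS3Error(self.lock_error)
        return {"ObjectLockConfiguration": self.lock}

    def get_bucket_versioning(self, Bucket):
        return self.versioning

def preflight(client, bucket):
    """Check a destination bucket for immutable backups; returns (ok, problems)."""
    problems = []
    try:
        cfg = client.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
    except Exception as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "ObjectLockConfigurationNotFoundError":
            # Object Lock is chosen at bucket creation; this bucket cannot be converted.
            return False, ["Object Lock is not enabled on this bucket: create a new bucket"]
        if code == "AccessDenied":
            return False, ["account lacks the GetBucketObjectLockConfiguration permission"]
        raise  # anything else (wrong bucket name, network) is not a lock finding
    if cfg.get("ObjectLockEnabled") != "Enabled":
        problems.append("Object Lock is not in the Enabled state")
    # Versioning is expected to be on whenever Object Lock is on.
    if client.get_bucket_versioning(Bucket=bucket).get("Status") != "Enabled":
        problems.append("versioning is not enabled")
    return not problems, problems

if __name__ == "__main__":
    ready = FakeS3Client({"ObjectLockEnabled": "Enabled"}, {"Status": "Enabled"})
    print(preflight(ready, "example-bucket"))
```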

Wasabi

To allow the Object Lock (Immutability) for Wasabi, proceed as follows:

  1. Open the Management Console.
  2. In Storage Accounts, select the account for which to allow Immutability, or create a new storage account.

     Object Lock (Immutability) can only be enabled at the time a bucket is created. Buckets with Immutability enabled must also have Versioning enabled.

  3. Expand the actions, then select View Backup Destinations.
  4. Click Add Destination Bucket to create a new backup destination for immutable backups.
  5. In the Destination Bucket property box, fill in the required data (create or select an existing bucket), then click Enable Object Lock (Immutability).
  6. Confirm the action: read the confirmation message, select the I Confirm Enabling Object Lock (Immutability) check box, then click Confirm.
  7. Once you are done, proceed to the Microsoft 365 / Google Workspace Dashboards to create retention policies for specific services or exported PST files. Allowing Immutability enables the feature on the specified bucket only; it does not apply the feature to any backups or exported files. Create retention policies for every service or exported PST file to apply an object lock period to them, as described below.

Backblaze B2

To allow the Object Lock (Immutability) for Backblaze B2 destinations, proceed as follows:

  1. Open the Management Console.
  2. In the Storage Accounts, select the required Backblaze account to allow the Immutability or create a new Backblaze storage account.
  3. Expand the actions, then select View Backup Destinations. If you just created a new Backblaze storage account, just follow the storage account creation wizard.
  4. Click Add Destination Bucket to create a new backup destination for immutable backups.
  5. In the Add Destination Bucket box, select the Create new bucket option, specify the new bucket name, then select the Enable Object Lock (Immutability) check box. If you want to use the existing bucket, click ..., then select the required bucket from the list.

     Object Lock (Immutability) can only be enabled at the moment a bucket is created. Thus, if you select an existing bucket, it must have had Immutability (Object Lock in Backblaze terms) enabled previously. For existing buckets that did not have Object Lock (Immutability) enabled upon creation, there is no way to enable it. You can always check the Object Lock (Immutability) status of existing backup destinations on the 'Backup Destinations' page, in the 'Immutability' column.

  6. Confirm the action: read the confirmation message, select the I confirm enabling Object Lock (Immutability) check box, then click Confirm.
  7. Once you are done, proceed to the Microsoft 365 / Google Workspace Dashboards to create retention policies for specific services or exported PST files. Allowing Immutability enables the feature on the specified bucket only; it does not apply the feature to any backups or exported files. Create retention policies for every service or exported PST file to apply an object lock period to them, as described below.

Disable Object Lock (Immutability) for Storage Account

If you change the retention policy or the storage account, or disable Object Lock (Immutability) for the storage account, all backup data locked with Object Lock (Immutability) will be kept for the period specified in the retention policy settings that applied at the moment the data was backed up.

If you need to suspend or terminate immutable backup keeping, proceed as follows:

  1. Open the Management Console.
  2. In the Storage > Storage Accounts, select the required account.
  3. Expand the actions, then select View Backup Destinations.
  4. Click the ... button to edit an existing destination.
  5. In the Edit Destination Bucket property box, clear the Enable Object Lock (Immutability) check box.

     Note that after you disable Object Lock (Immutability), you will not be able to allow it again for this storage account.

  6. Click Save.

Create Retention Policies

Note that Object Lock (Immutability) is not supported for backups without an applied retention policy.

Refer to the following articles for details on how to configure retention policies:
