About immutability Settings in Veeam Backup for Microsoft 365

[m.kan]

Hi forums

As our project, we plan to use Veeam M365 to create backups with immutability enabled.
The backup target is SharePoint Online site data.
AWS S3 storage will be used as the backup repository.
However, there are some uncertainties regarding the S3 Versioning and Object Lock settings.

As far as we have confirmed on our side, the specifications are as follows:

■When immutability is enabled in Veeam
→ The target S3 bucket must have both “Versioning” and “Object Lock” enabled; otherwise, you will encounter an error when registering the repository.

■When immutability is disabled in Veeam
→ The target S3 bucket must have both “Versioning” and “Object Lock” disabled; otherwise, you will encounter an error when registering the repository.

Since our plan is to enable immutability and perform backups, we intend to configure the bucket with both “Versioning” and “Object Lock” enabled. However, the following questions have arisen in relation to this configuration, so could you please advise?

【Background】
In our environment, we performed a SharePoint backup with the following settings:

<S3 Settings>
Versioning: Enabled
Object Lock: Enabled
Default retention mode for Object Lock: Disabled

<Veeam Settings>
Make backups immutable: Checked
Use govenance mode: Unchecked

【Questions】
We understand that when immutability is ON, the backup should not be deletable from the bucket during the specified retention period. However, we confirmed that, with the above settings, the backup data can still be deleted from S3 (we performed the deletion via the AWS console).

According to AWS specifications, to prevent deletion by any user, the bucket’s default retention mode must be enabled in Compliance mode, which we suspect is the cause. However, if we enable Compliance mode, Veeam can no longer register the repository.

When we tested this, we received the error:
“A default retention mode is enabled on the selected bucket. Select a bucket without default retention configuration.”

Could you please clarify what the correct S3 settings should be according to Veeam’s specifications?

I would appreciate your clarification on this matter.

[Mildur]

Hello Mugisuke,

With S3 object storage, there are two different modes for writing backup data:

• Governance Mode – Immutable objects can be deleted by a storage administrator with specific permissions.
• Compliance Mode – Immutable objects cannot be deleted.

Based on your question, it appears you want to use Compliance Mode. The Veeam Backup for Microsoft 365 configuration you shared ensures that Compliance Mode is in effect.

【Questions】
We understand that when immutability is ON, the backup should not be deletable from the bucket during the specified retention period. However, we confirmed that, with the above settings, the backup data can still be deleted from S3 (we performed the deletion via the AWS console).

Regarding your observation about backup data deletion via the AWS console, please confirm whether the objects are truly being removed or if they are simply tagged as deleted. When you click on “Show versions,” you will see “deleted objects” indicating that they haven’t been permanently removed.

When we tested this, we received the error:
“A default retention mode is enabled on the selected bucket. Select a bucket without default retention configuration.”

We do not support setting up immutability retention settings on the bucket level via an AWS policy. Instead, the immutability period must be managed solely by the Veeam products.

To ensure proper configuration, your AWS S3 bucket must have:

Versioning enabled:


Object Lock enabled, Default retention disabled:


Best,
Fabian