Cloudativ 365 Protect

Cloudativ365Protect — Backup & Restore, On Your Terms Cloudativ365Protect is a self-hosted backup and restore platform for Online Services environments. It is built for managed service providers, internal IT teams, and security-conscious organizations that want enterprise-grade Online Services data protection without handing their tenant data to a third-party SaaS vendor. The Software runs on infrastructure you control, writes to storage you own, and is licensed per tenant or per protected seat. What it protects Cloudativ365Protect covers the five Online Services workloads that matter most to operations and audit teams: Exchange Online — mailboxes, folders, messages, attachments, calendars, contacts, tasks, and shared mailboxes. OneDrive for Business — user drives, files, folders, version history, and sharing metadata where exposed by Microsoft Graph. SharePoint Online — site collections, document libraries, lists, list items, and per-site metadata. Microsoft Teams — team and channel structure, channel messages, chat messages where access is permitted, and shared files. Entra ID (Azure AD) — users, groups, group memberships, application registrations, and configuration objects relevant to identity recovery. Backup coverage tracks Microsoft Graph API capabilities and continues to evolve with the platform. How it works Cloudativ365Protect installs as a single Windows Service on a Windows Server you control. The bundled deployment package includes the API, the React-based web console, and a guided installer that: builds and publishes the application as a self-contained Windows Service, imports your TLS certificate (or generates a self-signed one for staging), configures Kestrel HTTPS, firewall rules, and auto-recovery, creates and migrates the SQL Server database, and starts the service with auto-start at boot. Once the service is running, you connect each Online Services tenant via an Azure AD app registration with the documented Graph permissions, configure backup schedules, and select where backups should be written. Storage targets — your data, your storage Backups are written to storage you provision and control, with no copy retained on Cloudativ-operated infrastructure: Local disk on the backup server, SMB / UNC network shares for traditional file-server estates, Azure Blob Storage for native Azure deployments, Amazon S3 and other S3-compatible object stores (MinIO, Wasabi, Backblaze B2, on-prem object stores). Object-store immutability and versioning are honored where the provider supports them, allowing you to enforce ransomware-resilient retention policies through your Storage Target's native controls. Restores Cloudativ365Protect supports the restore modes that real recovery scenarios actually require: In-place restore back to the original Online Services tenant and original location. Side-by-side restore that creates a new folder, list, or container alongside the live data, so users can pick what they need without overwriting current state. Alternate-location restore to a different mailbox, drive, or site within the same tenant. Cross-tenant restore for tenant-to-tenant migrations or M&A scenarios (subject to license entitlement). Granular item-level restore — single message, single file, single list item, single chat thread. Export to PST, ZIP, or original-format files for legal hold and discovery workflows. Every restore is initiated explicitly through the web UI or API, runs under the role-based access control you configure, and is recorded in the audit log. Scheduling and retention Backups can be triggered on demand or run on flexible schedules per tenant and per workload. Retention is configurable per protection set (daily/weekly/monthly/yearly tiers), with policies driven by the Software and reinforced by your Storage Target's own immutability or lifecycle rules. The built-in Hangfire job engine handles scheduling, retries, and concurrency, and surfaces job state through the web UI and SignalR-driven progress streams. Multi-tenancy and access control Cloudativ365Protect is multi-tenant by design and is appropriate for MSPs that protect many customer tenants from a single deployment. Tenant data is isolated through database-level foreign keys and application-layer query filtering, and operational responsibilities are split across role-based access control: SuperAdmin — full platform configuration and tenant onboarding. TenantAdmin — manages a single tenant's schedules, retention, and storage targets. BackupOperator — runs and monitors backups. RestoreOperator — runs and approves restores. Auditor — read-only access to logs, reports, and audit trails. JWT-based authentication, refresh-token rotation, rate limiting, and full audit logs of every backup, restore, and configuration change are built in. Security and compliance TLS 1.2+ for all in-transit communication; HSTS enforced behind a valid certificate. Encryption at rest for Azure AD client secrets, refresh tokens, an