We have some customers (tenants) that are managed by a common support organisation, which is asking whether the Azure Storage account that is required for SharePoint restores needs to be within the tenancy hosting the SharePoint (M365) implementation. Presumably, they want to have their own storage account rather than ask each customer to create their own (this always seems to be an awkward conversation with customers for some reason). I’ve checked books online and I cannot find this detail.
Is it possible to have the Azure storage account hosted outside the SharePoint tenancy and, if so, will Commvault restores cope with multiple parallel restores for different tenants (data segregation springs to mind)?
We are running CV 11.22.19 and have V1 and V2 type agents for O365 applications.
Best answer by Stuart Painter
Thanks for the question, I’ll move this post across to sharing best practices.
In some discussions in support internally we’ve raised a few points for consideration:
- Each Tenant must have their own subscription and apps exclusively for and licensed to each tenant company.
- If an MSP could create a single storage account that could be shared with the correct permissions for each tenant, this may represent a risk whereby tenant admins would effectively have access to an account with privileges in other tenants.
- Considering a safety and security first approach, a storage account per tenant, with limited permissions contained within that tenant would certainly reduce or even eliminate that risk.
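The isolation rule in the points above can be checked against an inventory of restore staging accounts. The following is an added example, not part of the original answer and not Commvault or Microsoft code; the record layout, tenant IDs, account names and principal names are hypothetical and constructed for illustration.

```python
# Added example: flag staging storage accounts that break per-tenant isolation.
# The record layout is an assumption, not a Commvault or Azure export format.
from collections import defaultdict

# Constructed sample data: every tenant ID, account and principal is a placeholder.
INVENTORY = [
    {"account": "restorestagea", "home_tenant": "tenant-a",
     "used_by_m365_tenants": ["tenant-a"],
     "role_assignments": [
         {"principal": "cv-app-a", "principal_tenant": "tenant-a",
          "role": "Storage Blob Data Contributor"}]},
    {"account": "mspsharedstage", "home_tenant": "tenant-msp",
     "used_by_m365_tenants": ["tenant-b", "tenant-c"],
     "role_assignments": [
         {"principal": "cv-app-b", "principal_tenant": "tenant-b",
          "role": "Storage Blob Data Contributor"},
         {"principal": "admin-c", "principal_tenant": "tenant-c",
          "role": "Owner"}]},
]


def audit(inventory):
    """Return {account: [findings]} for accounts that break per-tenant isolation."""
    findings = defaultdict(list)
    for rec in inventory:
        name, home = rec["account"], rec["home_tenant"]
        users = set(rec["used_by_m365_tenants"])
        # One account staging restores for several tenants mixes their data paths.
        if len(users) > 1:
            findings[name].append(f"shared by {len(users)} tenants: {sorted(users)}")
        # The account should live in the tenant whose SharePoint data it stages.
        for tenant in sorted(users - {home}):
            findings[name].append(f"stages restores for {tenant} but is hosted in {home}")
        # Any principal homed in another tenant holds privileges across the boundary.
        for ra in rec["role_assignments"]:
            if ra["principal_tenant"] != home:
                findings[name].append(
                    f"{ra['role']} granted to {ra['principal']} from {ra['principal_tenant']}")
    return dict(findings)


if __name__ == "__main__":
    for account, issues in audit(INVENTORY).items():
        print(account)
        for issue in issues:
            print("  -", issue)
```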