Best practices for Microsoft 365 admins and MSPs in CubeBackup.


CubeBackup provides a straightforward backup & recovery solution to protect your Microsoft 365 data. In addition to these basic functionalities, you can also review and implement the following best practices to ensure your CubeBackup instance remains secure and functions seamlessly with your custom integration.

Keep a copy of the encryption key file

CubeBackup will generate an encryption key and use it to encrypt all your data before uploading it to the backup repository.

On Windows, the location is C:\Program Files\CubeBackup365\data\keys.json by default.
On Linux, the location is /opt/cubebackup365/data/keys.json by default.

As long as the key is still accessible, it is always possible to set up a new CubeBackup instance and point it to your old backups, even in the unfortunate case of a server crash. Detailed instructions can be found here: Disaster recovery of a CubeBackup instance.

Please note that if the key file is lost, your encrypted backup data will be completely unrecoverable. CubeBackup Inc. does not have access to any key files and will be unable to help you.

Store the data index on an SSD

Data indexes are required for performance reasons in CubeBackup. A backup process must perform substantial read and write operations on the SQLite database in order to track backup data, especially file and folder revisions. SQLite is designed to be a local database, and may have performance and integrity problems when accessed through remote storage, especially in a multi-threaded environment.

The backup process relies heavily on reading/writing the data index, and additionally, CubeBackup backs up Microsoft 365 accounts in parallel, so the data index can easily become a bottleneck. Based on our tests, storing the data index on an SSD can greatly improve backup speeds.

More information about the data index in CubeBackup can be found here: What is the data index and why is it needed?

Schedule email reports of the backup status

For your convenience, CubeBackup will send periodic automated backup status reports so that it's not necessary to constantly sign in to the CubeBackup web console. Email reports will cover the recent backup status, the current backup progress, and the storage and license usage of your CubeBackup instance.

You can configure the receipts and frequency of email reports in the SETTINGS > System > Email reports section. CubeBackup also optionally supports sending email reports using custom SMTP services. See How are email reports generated and sent via SMTP services for detailed instructions.

By default, CubeBackup will generate the reports locally on your backup server and send them from [email protected] using the Mailgun's API. All details and statistical data used to generate the reports remain strictly private.

Enable HTTPS for your CubeBackup service

Keeping your HTTP connection to the CubeBackup service secure is crucial if you wish to access the backups from another machine, or even outside of your office network if allowed by your company's security policy. Enabling HTTPS for the CubeBackup web console provides another layer of protection for all operation requests.

CubeBackup can apply for a Let's Encrypt's free TLS certificate, and also allows you to upload your own certificate, which can be installed on the backup server automatically. For detailed instructions, see How to enable HTTPS/TLS for the CubeBackup web console.

Assign CubeBackup admins with granular role-based access

Best practice to address privacy and security concerns while managing the backups of a relatively large organization is to create multiple CubeBackup accounts with different levels of permissions. You can manage the CubeBackup admins in the SETTINGS > Accounts section.

CubeBackup supports creating operators to help in daily routine management without needing to involve a system administrator. You can also create and manage multiple CubeBackup system administrators with root privileges, to view the audit logs and update system settings. See Types of accounts in CubeBackup for Microsoft 365 for a full list of CubeBackup admin roles.

Admin permissions can also be configured on a domain basis, which can be very helpful if you are managing multiple Microsoft 365 domains as an MSP in a single CubeBackup instance.

Enable Microsoft OAuth login

In addition to multiple administrators, individual users can also be allowed to log in to the CubeBackup console using their normal Microsoft accounts to perform self-service recovery operations. It is often advantageous, especially in large organizations, to allow end users to individually find and recover Microsoft 365 files or emails by themselves.

Detailed instructions can be found here: How can end users recover their own Microsoft 365 data through Microsoft OAuth Login?

Download the diagnostic file before reaching out for support.

Our support team is always available at [email protected] if you have any questions or need assistance. Before reaching out for support, a good practice is to download your diagnostic file and send it to us for reference.

You can do this by logging in to the CubeBackup web console and modifying the URL like this: <domain name/IP>/diagnose.zip (e.g. http://127.0.0.1/diagnose.zip or https://backup.domainname.com/diagnose.zip). This will download a zip file to your local machine.

Upgrade the server hardware before backing up Google Workspace and Microsoft 365 simultaneously

For managed service providers, you may run CubeBackup for Google Workspace and CubeBackup for Microsoft 365 simultaneously on one server. In this case, please be sure to assign at least 8 GB of memory for your backup server before running the two services at the same time. For more detailed information, see Can I back up Google Workspace and Microsoft 365 on one machine at the same time?