Hornetsecurity vs Keepit for MSPs: Entra Restore Proof
Hornetsecurity vs Keepit for MSPs: Entra Restore Proof
Hornetsecurity vs Keepit is not just another Microsoft 365 backup checkbox fight.
For MSPs, the useful question is simpler and sharper: can you prove the restore that actually matters when a client loses access, breaks identity policy, deletes a group, or needs evidence for the next QBR?
Mailbox backup still matters. OneDrive, SharePoint, Teams, Planner, and OneNote still matter. But Entra ID changed the sales conversation. Identity is now part of the recovery chain, not a side note.
If your backup quote protects mailboxes but cannot explain users, groups, policies, app registrations, roles, and restore evidence, the client may be buying mailbox insurance while the front door keys sit outside the scope.
Quick answer
Hornetsecurity 365 Total Backup is usually the better fit when an MSP wants Microsoft 365 backup tied to Hornetsecurity's broader M365 security and tenant-management motion, with all-inclusive positioning, unlimited storage messaging, and Entra users and groups now included. Keepit is usually the better fit when Entra ID restore depth is the proof point, especially for Conditional Access, app registrations, selected Intune policies, BitLocker keys, activity logs, and cross-tenant recovery.
Neither answer is universal. The right vendor depends on the restore promise you are willing to put in writing.
If you are still comparing Microsoft 365 backup to BCDR platforms more broadly, start with the Datto, Acronis, and Axcient MSP backup comparison. This article is narrower. It is about Hornetsecurity, Keepit, and the restore proof MSPs need before they sell another per-user SaaS backup SKU.
Why Entra ID belongs in the backup conversation
Microsoft 365 backup used to be easy to explain to clients.
They understood deleted email. They understood lost OneDrive files. They understood SharePoint folders going missing after someone cleaned up the wrong library.
Entra ID is less visible, which makes it easier to under-scope.
A client may not ask about role assignments, Conditional Access policies, app registrations, group memberships, activity logs, or BitLocker recovery keys. They will ask why users cannot get into systems after a bad admin change, outage, compromise, or failed cleanup.
That is why the restore proof matters more than the backup badge.
For MSPs, the service has to answer five questions:
| Question | Why it matters |
|---|---|
| What identity objects are backed up? | Users and groups are not the same as policies, apps, roles, logs, and device data. |
| Can those objects be restored cleanly? | Export-only recovery is not the same as guided restore into production or a secondary tenant. |
| What relationships come back? | A user without group memberships, licenses, or manager relationships may still be broken. |
| What does the client see as proof? | A dashboard is useful, but QBR evidence needs dates, workloads, restore tests, and outcomes. |
| What is excluded from the quote? | Unsupported object types, retention limits, and labor assumptions need to be written down. |
This is also where the shared responsibility matrix becomes practical. The MSP should not simply tell the client, "Microsoft does not back this up for you." The MSP should define which SaaS data, identity data, restore tests, and approval steps are included in the managed service.
Hornetsecurity 365 Total Backup: strong Microsoft 365 coverage, narrower Entra proof
Hornetsecurity's 365 Total Backup page positions the product as automated Microsoft 365 backup and recovery with multi-tenant management. The public workload list includes mailboxes with In-Place Archive mailboxes, Teams chats, Planner, OneNote, Entra ID users and groups, OneDrive for Business accounts, and SharePoint document libraries.
That is a solid Microsoft 365 backup scope for MSP conversations.
Hornetsecurity also says backups run automatically multiple times per day. It emphasizes ransomware protection, storage on Hornetsecurity infrastructure outside Microsoft, one all-inclusive fee, unlimited storage and retention, and the ability to choose the backup-data region.
Those are useful client-facing messages because they are easy to package:
- backup for common Microsoft 365 workloads
- multi-tenant monitoring from a central console
- automated backup runs
- user and workload selection controls
- alerts and daily summaries for backup state
- custom retention periods
- end-user recovery for some M365 data through the Hornetsecurity User Panel
For MSPs already selling Hornetsecurity email security, tenant management, or 365 Total Protection plans, that packaging can reduce vendor sprawl. The MSP story is clean: Microsoft 365 security, management, and backup under one vendor relationship.
The Entra question is where the comparison gets sharper.
Hornetsecurity's February 2026 365 Total Backup release notes say 365 Total Backup now supports backing up and restoring Entra ID users and groups, including metadata and relationships to other Entra ID entities. Administrators can restore one, multiple, or all Entra ID users and groups directly to Entra ID in the same Microsoft 365 organization, or export the data as a ZIP archive with JSON files.
The same notes say the restore workflow can generate replacement UPNs or group nicknames when needed, and that restored users receive a generated password that can be changed or regenerated. They also describe Backup Pilot controls for newly discovered workloads, including mailboxes, OneDrive, SharePoint, Teams, Planner, and Entra ID.
That is real progress.
But public Hornetsecurity materials I reviewed do not claim the same Entra breadth Keepit claims for Conditional Access policies, app registrations, service principals, selected Intune policies, BitLocker recovery keys, and activity logs. If those are required, the MSP should not assume coverage from the phrase "Entra ID" alone.
When Hornetsecurity is the better fit
Hornetsecurity fits best when the MSP wants a Microsoft 365 backup service that is easy to attach to a broader Hornetsecurity relationship.
Good fits:
- clients that primarily need Exchange, OneDrive, SharePoint, Teams, Planner, OneNote, and Entra users and groups protected
- MSPs that already sell Hornetsecurity email security, tenant management, or M365 security packages
- teams that value one contract, one vendor conversation, and centralized partner operations
- clients that care about all-inclusive backup positioning, region choice, and simple storage messaging
- MSP service catalogs where Entra policy and app-registration recovery are not part of the current offer
The risk is overpromising Entra recovery.
If the client expects Conditional Access restore, app registration recovery, Intune policy recovery, BitLocker key access, or activity-log recovery, confirm it in writing before the quote goes out. "Entra users and groups" is useful. It is not the same as "all identity configuration."
Keepit: stronger Entra depth, more to package for MSP delivery
Keepit has a broader public Entra story.
The Keepit Entra ID backup page says the service protects users, groups, admin units, roles, enterprise apps, app registrations, Conditional Access policies, Intune device compliance and configuration policies, BitLocker recovery keys, and activity logs.
Keepit's current Entra ID backup coverage help page is more precise. It says Entra ID Advanced protects users, groups, administrative units, roles, service principals, app registrations, policies, selected device attributes, and activity logs. The policy list includes Conditional Access policies, compliance policies, configuration profiles, authentication methods, authentication strengths, named locations, account protection policies, and Intune Antivirus policies. The device-attribute list includes BitLocker recovery keys and Windows LAPS. Activity logs include audit logs and sign-in logs.
That is a much deeper identity recovery promise than a basic user and group backup.
Keepit also documents object metadata and relationships. Users include ownerships, memberships, manager, role assignments, licenses, and photo. Groups include owners, members, memberships, role assignments, licenses, and photo. Administrative units, roles, app registrations, and service principals have their own relationship details.
This matters because identity restore is often relationship restore.
A deleted group is not just a group name. It can be owners, members, assignments, roles, access, policy behavior, and the messy operational reality around those objects.
Keepit also emphasizes restore options. Its Entra page describes in-place restore, cross-tenant restore, bulk restore, subobject restore, downloads, and secondary-tenant recovery if the primary tenant is unavailable. For Microsoft 365, Keepit says it covers Exchange Online, OneDrive, SharePoint, Groups, and Teams, including Teams posts and replies, Planner, files, channels, and related SharePoint data.
On pricing, Keepit's public pricing page uses contact-sales motions rather than public per-seat dollar amounts, but it does publish packaging differences. Business Essentials includes one year of data retention. Enterprise Unlimited and Governance Plus include unlimited retention. Keepit also says hot storage, data traffic, and storage regions are included across the displayed plans, with no egress, ingress, or transaction fees.
That is useful, but it does not remove MSP scoping work.
You still need to define which Keepit services the client is buying, which retention tier applies, what restore tests are included, who monitors jobs, and how support handoff works.
When Keepit is the better fit
Keepit fits best when Entra ID restore proof is central to the sale.
Good fits:
- clients that need Conditional Access policy recovery or app-registration recovery in scope
- environments where Intune policy data, BitLocker keys, Windows LAPS, audit logs, or sign-in logs matter
- clients that want backup stored in Keepit's independent cloud regions instead of the same vendor environment as production data
- MSPs that want cross-tenant restore as part of resilience planning
- QBR programs where restore evidence needs to include identity objects, not just mailbox and file restores
The risk is packaging too much as one generic "SaaS backup" line item.
Keepit can cover a lot, but MSPs still have to explain which apps and identity workloads are included, what retention tier the client bought, and what the restore test cadence looks like.
Hornetsecurity vs Keepit at a glance
| Decision factor | Hornetsecurity 365 Total Backup | Keepit |
|---|---|---|
| Microsoft 365 workload scope | Mailboxes, In-Place Archive, Teams chats, Planner, OneNote, OneDrive, SharePoint, Entra users and groups | Exchange, OneDrive, SharePoint, Groups, Teams, plus separate Entra ID service |
| Entra ID public coverage | Users and groups, with metadata and relationships to other Entra entities | Users, groups, admin units, roles, service principals, app registrations, policies, selected device attributes, and logs |
| Conditional Access coverage | Not claimed in the public materials reviewed | Claimed as part of Entra ID Advanced coverage |
| App registrations and service principals | Not claimed in the public materials reviewed | Claimed and documented in Keepit help |
| Intune and device recovery signals | Not claimed in the public materials reviewed | Selected Intune policies, BitLocker recovery keys, Windows LAPS, and device attributes are listed |
| Restore shape | Restore Entra users and groups to the same M365 organization or export as JSON ZIP | In-place, bulk, download, and cross-tenant Entra restore options are described |
| Storage and retention message | One all-inclusive fee, unlimited storage and retention, region choice | Public tiers show one-year or unlimited retention, hot storage, and no egress, ingress, or transaction fees |
| MSP fit | Strong when Hornetsecurity is already part of the M365 security and management stack | Strong when identity restore depth is the sales and QBR proof point |
The table is the point.
Do not compare these tools by saying both "do M365 backup." That hides the decision.
Compare the exact restore the client will expect you to perform under pressure.
The restore proof MSPs should require
A backup vendor comparison becomes useful only when it turns into an operating standard.
Before you quote Hornetsecurity, Keepit, or any Microsoft 365 backup for MSP clients, define the proof package.
| Proof item | What to capture |
|---|---|
| Workload coverage | Exchange, OneDrive, SharePoint, Teams, Planner, OneNote, Entra, and any excluded workloads |
| Identity coverage | Users, groups, roles, policies, apps, service principals, logs, BitLocker keys, and Intune data, with yes, no, or not sold |
| Restore target | Same tenant, alternate tenant, export, folder restore, cross-user restore, or end-user restore |
| Test cadence | Monthly, quarterly, semiannual, or event-driven, with named owner |
| Evidence | Screenshot, restore job ID, test object, date, technician, and result |
| Client expectation | RTO, RPO, retention tier, support hours, and emergency restore path |
| Exceptions | Unsupported objects, Microsoft API limits, retention limits, and billable recovery labor |
This is exactly the kind of detail that should appear in the MSP QBR template. Backup should not be a green checkmark buried in a tool report. It should be a client-facing proof point with a date, workload, restore test, and next action.
It also belongs in pricing. If the client is paying for identity-aware SaaS backup, the quote should not look the same as a mailbox-only backup. Use the MSP pricing, quoting, and margin protection guide before the backup service becomes another margin leak hidden inside support time.
The practical recommendation
Choose Hornetsecurity when the backup decision is part of a broader Hornetsecurity M365 security and management motion, and the Entra requirement is centered on users and groups.
Choose Keepit when Entra ID backup depth is the reason the client is buying, especially when Conditional Access, app registrations, service principals, selected Intune policies, BitLocker keys, Windows LAPS, audit logs, sign-in logs, or cross-tenant restore are part of the risk story.
Choose neither, or pause the decision, if the client cannot define the restore they expect.
That sounds harsh. It is cheaper than explaining after an incident that "Microsoft 365 backup" meant only the workloads the quote remembered to name.
Scopable is useful here because backup scope is not just a vendor decision. It is a client promise. If your MSP needs to turn assessment notes, restore assumptions, retention choices, and QBR proof into a quote the client can understand, join Scopable early access.
FAQ
Is Hornetsecurity or Keepit better for MSPs?
Hornetsecurity is usually the better fit when the MSP already sells Hornetsecurity's Microsoft 365 security and management stack and needs Microsoft 365 backup with Entra users and groups. Keepit is usually the better fit when Entra ID restore depth is the main requirement, including Conditional Access policies, app registrations, selected Intune policies, BitLocker keys, and logs.
Does Hornetsecurity 365 Total Backup protect Entra ID?
Yes, Hornetsecurity's 2026 release notes say 365 Total Backup supports backup and restore for Entra ID users and groups, including metadata and relationships to other Entra ID entities. Public materials reviewed for this article did not claim the broader Entra coverage Keepit documents for policies, app registrations, service principals, selected Intune data, BitLocker keys, and logs.
What does Keepit Entra ID backup cover?
Keepit says Entra ID Advanced protects users, groups, administrative units, roles, service principals, app registrations, policies, selected device attributes, and activity logs. Its public help center lists Conditional Access policies, compliance policies, configuration profiles, authentication methods, named locations, Intune Antivirus policies, BitLocker recovery keys, Windows LAPS, audit logs, and sign-in logs.
What restore proof should an MSP show for Entra ID backup?
The MSP should show the object restored, restore target, date, technician, result, screenshots or job evidence, and any excluded object types. Good proof covers both data and relationships, such as group memberships, role assignments, owners, licenses, and policy behavior.
Should Entra ID backup be part of a client QBR?
Yes, if identity is part of the managed service risk model. The QBR should show backup health, restore tests, covered workloads, excluded identity objects, retention status, and open decisions. A green backup dashboard is not enough evidence by itself.
