Backing up Microsoft 365 can be a fairly controversial question – with some people suggesting you definitely, absolutely need to back up – and others saying there is no need. Sure – there are some valid reasons to back up data in Office 365, but in general, most organizations don’t need to do this.
When you research whether you need to back up Microsoft 365 though, you’ll usually find lots of content telling you that you do need to. But more often than not the content is sponsored, paid for, or authored by a company selling a Microsoft 365 backup or continuity solution. Some are written with the express aim of convincing the reader that backups for Microsoft 365 are essential.
Most backup vendors’ marketing material aims to convince the reader in several ways:
- Microsoft 365 default retention periods for storage of deleted data are not long enough.
- A rogue administrator or hacker can delete data in Microsoft 365.
- Your data could become encrypted by ransomware on your desktops.
- Microsoft 365 doesn’t provide the ability to quickly (or at all) restore data.
These statements have a foundation in fact, but if you consider them in a little more detail, they don’t stand up well.
In the first part of this article, we’ll examine the above statements and what recovery and protection is available in the service. In part two, we’ll think about the wider protection and consider what other Microsoft 365 customers do.
In both parts, I’ll link mainly to Microsoft guidance, because ultimately Microsoft provides the service, and if you decide to use Microsoft capabilities for protection then you should use Microsoft documentation as the reference to support your reasons. I’ll also focus on Exchange and SharePoint/OneDrive, because these are the core services that backup vendors truly support backup and full restore for.
Retention policies are not Microsoft 365 backups by themselves, but they are one part of the picture.
If the default retention periods in Microsoft 365 don’t meet your needs, and you have suitable licensing in Microsoft 365, like Office 365 E3, you can take advantage of in-built immutability within the service to keep data for the duration the business needs.
This is described by Microsoft in one of many documents on the subject. Crucially, you have the ability to ensure data cannot be deleted for as long as needed. If you need to keep data such as an email or file for ten years, and ensure that a user (or rogue admin) cannot remove it permanently, you can.
You can also ensure that admins cannot change these policies using Preservation Lock, which locks retention policies so that once switched on – no-one can turn them off, and content protected cannot be removed from the policy.
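As an illustration of the two steps above (a ten-year retention policy, then Preservation Lock), here is an added example using Security & Compliance PowerShell; it is not taken from the article or from Microsoft's documentation. The admin account, policy name and rule name are placeholders.

```powershell
# Added example. Placeholder values: admin UPN, policy name, rule name.
# Requires the ExchangeOnlineManagement module and a compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$policyName = 'Keep-10-Years'   # hypothetical policy name
$retainDays = 3650              # ten years, as in the text above

# 1. The policy defines which locations are covered.
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $policyName `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
        -Comment 'Retain mail and files for ten years'
}

# 2. The rule defines how long content is kept and what happens afterwards.
#    "Keep" retains content and does not delete it when the period ends.
if (-not (Get-RetentionComplianceRule -Policy $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionComplianceRule -Name "$policyName-Rule" -Policy $policyName `
        -RetentionDuration $retainDays -RetentionComplianceAction Keep
}

# 3. Review the result before locking: scope and duration must be right first.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, RestrictiveRetention, DistributionStatus
Get-RetentionComplianceRule -Policy $policyName |
    Format-List Name, RetentionDuration, RetentionComplianceAction

# 4. Preservation Lock. Once set, the policy cannot be switched off and
#    protected content cannot be removed from it, so ask for explicit
#    confirmation by having the operator retype the policy name.
$typed = Read-Host "Type the policy name to apply Preservation Lock"
if ($typed -ceq $policyName) {
    Set-RetentionCompliancePolicy -Identity $policyName -RestrictiveRetention $true
    # Confirm the lock took effect: RestrictiveRetention should now be True.
    Get-RetentionCompliancePolicy -Identity $policyName |
        Format-List Name, RestrictiveRetention
} else {
    Write-Warning 'Name did not match; policy left unlocked.'
}
```

Run steps 1 to 3 and let the policy distribute before deciding on step 4, since the lock is the one part that cannot be undone.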
Retention policies aren’t backups. They ensure that the data isn’t removed from the service. Instead, ensuring that the retained data cannot be removed is dealt with by other aspects of the service. For example, Exchange Online is designed using the same principles as you’d use if you used Exchange Native Protection instead of backups for on-premises Exchange. However, whilst using Exchange Native Protection requires a mature operating model for server management on-premises, it doesn’t require that in Exchange Online, as Microsoft is responsible for these aspects.
Backup vendors will often counter this based on little understanding of Exchange, and equate a Database Availability Group in the latest version of Exchange to SAN replication technology, where the disk blocks are simply copied between sites, allowing logical corruption to propagate. This is false – and although corruption can occur, modern Exchange is specifically designed to deal with it, using technologies including page patching and lagged copies.
It’s much the same for SharePoint Online and OneDrive for Business. These services benefit from the same retention controls and highly available infrastructure; however, unlike Exchange, they have backups performed by Microsoft, which Microsoft controls. Microsoft actively markets OneDrive as a PC backup solution.
Recovery inside the service is possible but requires skill
The weakness in Microsoft 365 is how complex it is to understand how to recover data. That doesn’t mean recovery is necessarily easier with a backup product, but it does mean that a backup product generally has a single interface to restore data. Microsoft’s core tooling for recovery of data is aimed at empowering users first to recover data from accidental deletion, with longer-term or admin-driven restores being a more complex process.
Exchange Online in particular has been seen as notorious for being complex when restoring deleted items. It isn’t complex, but there are a variety of options available. If a user wants to restore an item back to the original folder, this is best achieved by directing the user to Outlook on the web. As an admin, recovering deleted data can be accomplished by several processes documented by Microsoft, such as using Search-Mailbox to recover data or eDiscovery, including purged data held by policy; or by using the new Exchange Admin Center interface or PowerShell cmdlets to recover items.
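The admin-side PowerShell route mentioned above can look like the following. This is an added example, not code from the article: it uses the Exchange Online cmdlets Get-RecoverableItems and Restore-RecoverableItems, and the mailbox, subject text and date window are placeholders.

```powershell
# Added example. Placeholder values: admin UPN, mailbox, subject, date window.
# Requires the ExchangeOnlineManagement module and a role that grants
# the recoverable-items cmdlets.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# One filter, reused for the preview and the restore so that exactly the
# items that were reviewed are the items that get restored.
$filter = @{
    Identity        = 'user@contoso.example'   # hypothetical mailbox
    FilterItemType  = 'IPM.Note'               # mail items only
    SubjectContains = 'Quarterly report'       # hypothetical subject text
    FilterStartTime = (Get-Date).AddDays(-14)
    FilterEndTime   = Get-Date
    ResultSize      = 'Unlimited'
}

# 1. Preview: list what is recoverable and where each item last lived.
$items = @(Get-RecoverableItems @filter)
$items | Sort-Object LastModifiedTime |
    Format-Table Subject, LastParentPath, SourceFolder, LastModifiedTime -AutoSize

if ($items.Count -eq 0) {
    Write-Warning 'Nothing matched. Widen the date window or check retention settings.'
    return
}

# 2. Restore after an explicit confirmation, then summarise the outcome.
$go = Read-Host "Restore $($items.Count) item(s) to $($filter.Identity)? (y/n)"
if ($go -eq 'y') {
    $result = @(Restore-RecoverableItems @filter)
    $result | Group-Object WasRestoredSuccessfully, RestoredToFolderPath |
        Format-Table Count, Name -AutoSize

    # Anything that failed is listed so it can be retried or handled
    # through one of the other recovery routes.
    $result | Where-Object { -not $_.WasRestoredSuccessfully } |
        Format-Table Subject, LastParentPath -AutoSize
}
```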
As well as Microsoft’s backup for the service itself – from which you can request file restores via support – OneDrive and SharePoint both include the ability to restore files and libraries from a previous version, roll back a library to a previous point in time, recover a deleted file, and, when retention policies are configured, use the preservation hold library to keep data for as long as required.
Where a backup vendor has an advantage is simplicity. Whilst in the plethora of links above a variety of different methods are available to restore – and will have required a reasonable amount of configuration to correctly put in place – it’s quite understandable that for the occasional file or email restore it would be nice (and save time) to have a single portal to perform recovery tasks.
Microsoft 365 backup products have key gaps that limit the security and productivity of your organization
It’s not the fault of backup products that they can’t back up data or fully restore data in Microsoft 365 completely. Microsoft’s APIs are richest in the services like Exchange and SharePoint that have an on-premises history and need to support migrating data into or out of the service. They are weak in areas such as services built for the cloud, like Yammer and Teams.
Ask a backup vendor about their capabilities to restore Teams conversations or chats fully, as if they had never been deleted. Ask them how they’ll restore a deleted Power BI dashboard, Power App, video in Stream, or message on Yammer.
If you plan on classifying and protecting data using Sensitivity Labels, AIP or MIP functionality, it will be crucial to understand how they back up and restore that data, especially in the type of worst-case scenarios a vendor might have suggested their product was suitable for, like a total loss of service.
If those services form a part of your future strategy, then you’ll need to configure Microsoft 365 to protect data within those services appropriately. Or, if you rely solely on a backup solution, you may have to hold back your organization’s digital transformation.
In the final part of this series
The next part of this series covers what prevention, rather than cure, looks like. Then, finally, we’ll review what other Microsoft 365 customers do when it comes to backup.
Excellent article.
We have been debating the need for M365 backup for a couple of years within the M365 North user group.
My view is that organisations may not need it, but that comes with some caveats.
Do you fancy doing a session (online) for the user group on this topic sometime?
What about when someone deletes emails stored in a sub-folder/s then empties their recycle bin? Recovering from the retention system just brings them all back into the Inbox. Not good enough. Just one of many reasons we recommend our clients use proper Microsoft 365 backup systems.
Great article and thanks so much for the time – confirmed my long held suspicions.
My main concern is not around just MS, but what will happen if one of these major cloud vendors has an unrecoverable outage? We all assume they are indestructible but do we all remember when AWS went down on the west coast and all data was lost? The size of data stored in the cloud makes the old school backup options obsolete and incapable. All enterprises (and governments) are moving to a cloud scenario and I am simply nervous of the potential.
Hi Steve,
How do we restore if the file is overwritten by a malicious tool in SharePoint Online, as versioning will only work if there is a change in the state of a file, not in a situation where it is overwritten?
Regards,
Budh
An overwrite to a file should generate a new version – I’ve seen that behaviour as recently as the other day when working an entirely new version of a template document and validating that the previous versions are still intact.
Remember, Microsoft are selling the solution as a way of protecting against that exact scenario.
Nonetheless, this does not affect behaviour regarding storing data for retention purposes where a delete and replace, switching off versioning etc will not affect whether the file is kept or not.
I’m sorry, but this STILL feels like Microsoft is trying to pound a square peg through a round hole here. All these different policies, retention, eDiscovery, etc, etc. Complex doesn’t even begin to describe it. Having that single pane of glass that tells me that I have a copy of my data in a safe place, and can easily recover that data, is worth the cost of a backup tool. Administrator time/effort has a cost as well, and having a single tool helps to save on that. Finally, SOME of my O365 users have to have their data kept for YEARS for compliance purposes. So you’re suggesting a 7-10 year retention? With all those versions? That’s a lot of space, backup tools like me move some of that data onto lower-cost storage. So, when you add it all up, yes, native M365 CAN provide the protection you need. But is it the most cost efficient and easiest way to do it? I would say no.
Then do that then. It’s not essential, which is what backup vendors try to drum into folks. What you’ve said is absolutely accurate. It’s the simplicity and tools designed for a job. Yes, retention policies like that are massively common and you’ll be in the minority buying a backup solution to back up a solution designed to mitigate against needing one… But if it works for you, and you have a SaaS vendor that’s gonna provide realistic restore times, you don’t have compliance reasons to also need retention, and they charge less than Microsoft for storage, and their solution, why not? If it works for the business you work for – fab!
Microsoft can address this, easily, like they did in the past with other such topics. It seems like they’d just need to create something like https://backup.microsoft.com for their M365 customers where they consolidate all the different tools at 1 place.
From there you can easily go into the services and manage policies, retention times or levels etc. and get all the service-oriented restore capabilities…
From a Business perspective this can even bring new sales opportunities to Microsoft as they could start selling different levels of backup service like standard/bronze up tome gold/platinum thing where – at additional cost – you’d get some triple fail-safe backup at dedicated hardware with instant recovery & support options….. just thinking 😉
Interesting read. You mention ransomware at the top, but you don’t say how you can recover from a ransomware attack without a backup solution.
You can restore the folder back to the point previous to a ransomware attack using built-in features in SharePoint Online and OneDrive.
Using a backup solution to do that for more than a few users would be unlikely to succeed. Obviously, you’ll also protect against that from happening in the first place too, by using Defender for Endpoint and Defender for M365.
We have PITR to recover from ransomware. If the built-in solution didn’t work we can raise a request with MS to restore the files. The request should be made within 14 days.
Good article.
I must add that retention has some built-in flaws:
1. SharePoint sites under retention have the problem that file versions are accumulated endlessly. Even if you set library version to 1, it will accumulate up to 50,000 versions.
MS are saying it boldly:
“For items that are subject to a retention policy (or an eDiscovery hold), the versioning limits for the document library are ignored until the retention period of the document is reached (or the eDiscovery hold is released). In this scenario, old versions are not automatically purged and users are prevented from deleting versions”
https://docs.microsoft.com/en-us/microsoft-365/compliance/retention-policies-sharepoint?view=o365-worldwide#how-retention-works-with-document-versions
2. Deleted files are still searchable. Say you shared your salary file with the whole company by mistake. You deleted the file to remedy the mistake, and deleted it from recycle bin and from 2nd stage recycle bin. File was then moved to the “preservation hold library”, where it is still searchable. Anyone in the company can go to office.com, type a word from the file content, search and find it.
Your comment has little to do with backups and more to do with issues in the way retention works. You’ll need these features, including versioning and retention, whether or not you use a backup solution.
Steve- good content. Being an Engineer, I always say prove it. If the tickets/manhours justify buying a 3rd party backup software, there’s your answer.
That’s an excellent take on this Justin – indeed, the tickets or hours don’t lie. Having looked at a similar problem recently, sometimes it is process – but sometimes (and for some aspects of restoring data in Microsoft 365) it can be a lengthy process. Picking the right backup/restore solution though would be key to actually reducing tickets and the hours spent on those tasks.
Steve
Everyone mentions Microsoft 365 Backup or Office 365 Backups, local or cloud-based, but nowhere can I find if these services will allow me to back up my Microsoft Family Edition including mail, calendar & OneDrive
This article is about the business versions of Microsoft 365, which have different features and a different contract with Microsoft. I don’t know if the business-focused backup software for Microsoft 365 can backup the home versions, but I doubt it.
This was a fantastic read. Especially with an upcoming meeting with Rubrik- a backup software company. They did say they are there to fill the gaps, I’ve found the main purpose was ease of backup and recovery based on the standard deletion policies in Exchange & SharePoint/OneDrive, not any DLP/Preservation or Information Governance Policies.
Filling the gaps is a good way to put it. I know there is a need for some organizations, but often backup vendors will make wild claims to undermine Microsoft – hopefully this helped put a different spin on it.
Really interesting read Steve – I too was naïve to the marketing of O365 backup vendors and thought backups were a “must” but now see it’s more of a convenience.
Look forward to reading Part 2.
It is certainly an “it depends” because I know of customers who are contractually obligated to “back up” to a different service certain data, based on contracts that are thinking about an on-premises world.
Part two is here: https://www.practical365.com/microsoft-365/microsoft-365-backups-do-you-need-them-part-two/
Interesting article Steve. For most of the customers I look after, retention policies provided enough peace of mind knowing that they are compliant and can’t lose data.
However, some of them want the ability to restore mailboxes completely to a point in time, and having a third party backup product makes that process much easier than doing searches.
I’ve looked at a number of different vendors recently (and had demos of 5 of them) and the products differ widely, and Teams support is still pretty sketchy in a number of them, down to API limitations as you say.
But the APIs are improving and it is all about the convenience of a traditional backup solution and what the customer is willing to pay for that. In reality the number of times someone wants something recovering that is beyond the default deleted items retention in Exchange or is not in the SharePoint recycle bin is far and few between.
Of course, you can configure the retention settings to extend as long as you want. Recovery requires mastering a few consoles. I agree it’s all about the convenience.