Backing up Microsoft 365 can be a fairly controversial question – with some people suggesting you definitely, absolutely need to backup – and others saying there is no need. Sure – there are some valid reasons to backup data in Office 365, but in general, most organizations don’t need to do this.
When you research whether you need to backup Microsoft 365 though, you’ll usually find lots of content telling you that you do need to. But more often than not the content is sponsored, paid for, or authored by a company selling a Microsoft 365 backup or continuity solution. Some are written with the express aim of convincing the reader that backups for Microsoft 365 are essential.
Most backup vendor’s marketing material aims to convince the reader in several ways:
- Microsoft 365 default retention periods for storage of deleted data are not long enough.
- A rogue administrator or hacker can delete data in Microsoft 365.
- Your data could become encrypted by ransomware on your desktops.
- Microsoft 365 doesn’t provide the ability to quickly (or at all) restore data.
These statements have a foundation in fact, but if you consider them in a little more detail, they don’t stand up well.
In the first part of this article, we’ll examine the above statements and what recovery and protection is available in the service. In part two, we’ll think about the wider protection and consider what other Microsoft 365 customers do.
In both parts, I’ll primarily link to Microsoft guidance in particular, because ultimately they provide the service, and if you make a decision to use Microsoft capabilities for protection then you should use Microsoft documentation as the reference to support your reasons. I’ll also focus primarily on Exchange and SharePoint/OneDrive – primarily because these are the core services that backup vendors truly support backup and full restore for.
Retention policies are not Microsoft 365 backups by themselves, but they are one part of the picture.
If the default retention periods in Microsoft 365 don’t meet your needs, and you have suitable licensing in Microsoft 365, like Office 365 E3, you will take advantage of in-built immutability within the service to keep data for the duration the business needs.
This is described by Microsoft in one of many of documents on the subject. Crucially, you have the ability to ensure data cannot be deleted for as long as needed. If you need to keep data such as an email or file for ten years, and ensure that a user (or rogue admin) cannot remove it permanently, you can.
You can also ensure that admins cannot change these policies using Preservation Lock, which locks retention policies so that once switched on – no-one can turn them off, and content protected cannot be removed from the policy.
Retention policies aren’t backups. They ensure that the data isn’t removed from the service. Instead ensuring that the retained data cannot be removed is dealt with by other aspects of the service. For example, Exchange Online is designed using the same principles as you’d use if you Exchange Native Protection instead of backups for on-premises Exchange. However, whilst using Exchange Native Protection requires a mature operating model for server management on-premises, it doesn’t require that in Exchange Online, as Microsoft is responsible for these aspects.
Backup vendors will often counter this based on little understanding of Exchange, and equate a Database Availability Group in the latest version of Exchange to SAN replication technology, where the disk blocks are simply copied between sites, allowing logical corruption to propagate. This is false – and although corruption can occur, modern Exchange is designed specially, using technologies including page patching, and lagged copies.
It’s much the same for SharePoint Online and OneDrive for Business. These services benefit from the same retention controls, and highly available infrastructure; however unlike Exchange, have backups performed by Microsoft, that they control. Microsoft actively markets OneDrive as a PC backup solution.
Recovery inside the service is possible but requires skill
The weakness in Microsoft 365 is how complex it is to understand how to recover data. That doesn’t mean recovery is necessarily easier with a backup product, but it does mean that a backup product generally has a single interface to restore data. Microsoft’s core tooling for recovery of data is aimed at empowering users first to recover data from accidental deletion, with longer-term or admin-driven restores being a more complex process.
Exchange Online in particular has been seen as notorious for being complex when restoring deleted items. It isn’t complex but there are a variety of options available. If a user wants to restore an item back to the original folder is best achieved by directing a user to Outlook on the web. As an admin, recovering deleted data can be accomplished by several processes document by Microsoft, such as using Search-Mailbox to recover data or eDiscovery, including purged data held by policy; or by using the new Exchange Admin Center interface or PowerShell cmdlets to recover items.
As well as Microsoft’s backup for the service itself – which you can request file restores via support, OneDrive and SharePoint both include the ability to restore files and libraries from a previous version, roll-back a library to a previous point in time a deleted file, and when retention policies are configured can use the preservation hold library to keep data for as long as required.
Where a backup vendor has an advantage is simplicity. Whilst in the plethora of links above a variety of different methods are available to restore – and will have required a reasonable amount of configuration to correctly put in place – it’s quite understandable that for the occasional file or email restore it would be nice (and save time) to have a single portal to perform recovery tasks.
Microsoft 365 backup products have key gaps that limit the security and productivity of your organization
It’s not the fault of backup products that they can’t back up data or fully restore data in Microsoft 365 completely. Microsoft’s APIs are richest in the services like Exchange and SharePoint that have an on-premises history and need to support migrating data into or out of the service. They are weak in areas such as services built for the cloud, like Yammer and Teams.
Ask a backup vendor about their capabilities to restore Teams conversations or chats fully, as if they had never been deleted. Ask them how they’ll restore a deleted Power BI dashboard, Power App, video in Stream, or message on Yammer.
If you plan on classifying and protecting data using Sensitivity Labels, AIP or MIP functionality it will be crucial to understand how they backup and restore that data, especially in the type of worst-case scenarios a vendor might have suggested their product was suitable for, like a total loss of service.
If those services form a part of your future strategy, then you’ll need to configure Microsoft 365 to protect data within those services appropriately. Or, if you rely solely on a backup solution you may have to hold back your organizations’ digital transformation.
In the final part of this series
The next part of this series covers what prevention, rather than cure, looks like. Then, finally, we’ll review what other Microsoft 365 customers do when it comes to backup.