Does Microsoft back up your Microsoft 365 data? Well, yes and no. While it’s true that Microsoft has some native retention and recovery capabilities–many of which you should be taking advantage of–Microsoft does not provide complete and robust backup and recovery services. As they say right in their documentation, data integrity and retention are your responsibility.

Depending upon the size of your organization and the number of mission-critical documents, emails, and team chats you have, the Microsoft 365 native tools may or may not be enough protection for your needs. Only you can make that decision. To help you decide, let’s take a look at some of those Microsoft data retention features, what they do and don’t do, and the reasons why you should consider a full backup and recovery solution from a third party.

Microsoft’s native data protection: The good, bad, and the not so pretty

As you will see, while these features are not a substitute for full backups, if properly used and configured, they can be a great first line of defense for protecting your data:

Data replication

Microsoft mirrors your data in at least two different data centers within the same region, so your data and their service are generally protected against localized natural disasters or other service-disrupting events. However, the number one cause of data loss is human error. In a recent study conducted by IT security company Netwrix, more organizations (50%) reported losing data due to accidental deletions and other human errors than by any other means. Unfortunately, these deletions will propagate through each data repository.

Microsoft’s data retention policies

Microsoft uses a two-stage recycle bin, enabling users to retrieve deleted files within a “reasonable” period of time. Data that is stored in OneDrive or SharePoint can be restored within 93 days of being deleted. Email mailboxes can be retrieved for up to 30 days by default and individual emails can be retrieved within 14 days by default.

However, Microsoft allows you to configure your own data retention policies through its Security & Compliance Center. You can decide to keep data indefinitely so that all of your data would be retrievable long after it was deleted by any one individual. The problem here is not so much in the saving but in the retrieving. There’s no easy way to find the file that you want to restore. Unlike the elegant management consoles you experience with leading third-party backup solutions, you can’t simply navigate to a document or folder to restore it. Instead, you are forced to search for the deleted files based on keywords or other metadata using Microsoft’s Content Search or eDiscovery tool, then export the results from the content search in order to restore them. Now imagine having to restore the contents of an entire mailbox or SharePoint folder in this fashion!

Native Microsoft Backup

Contrary to popular belief, Microsoft does provide basic backup. The company backs up your Office 365 data every 12 hours and keeps it for 14 days. In the event of a ransomware attack, for instance, you can reach out to Microsoft and they can restore your data. However, this will be a full restore, so everything else will be overwritten. This form of basic backup will not help you if you need to restore a single file or folder. Nor will the Recovery Time Objective (RTO) likely be acceptable to you in the event of a successful attack.

Reasons why you should consider third-party backup of Microsoft 365 data

Now that you know a little bit more about the levels of protection you can expect from Microsoft, let’s take a look at some of the particular scenarios you may encounter that would make investing in third-party backup for Microsoft 365 a wise choice for your situation.

Data loss due to user error and accidental deletions

As previously mentioned, accidental deletions are the most common reason for data loss (although data suggests that ransomware has recently claimed this dubious honor). If you discover that loss after your configured retention period has expired, you’re out of luck. Your data is gone. Even if you catch the error in time, will you be able to restore the files and accounts in the configuration you need? As stated earlier, the restore process is not an easy one.

User errors such as hastily deleting the wrong file or folder, or overwriting permissions and security configurations are common. System administrators are not immune to this type of human error, but their mistakes create bigger headaches for an organization. They can accidentally leave critical accounts or APIs open to the public or can overwrite mountains of critical business data with a single keystroke.

Ransomware and compromised administrator accounts

Whether by accident or malicious intent, the vast majority of data loss is caused by humans, not infrastructure. Phishing attacks are on the rise, and they are becoming more difficult, if not impossible, to avoid. In fact, in a recent ESG survey on the state of ransomware, 79% of respondents experienced a ransomware attack in the last 12 months, and 41% admitted that the attacks were successful and had an impact on their organization.

One wrong click by a user can infect your system with malware and corrupt your data. If your Microsoft 365 administrator account is compromised, your native backups are lost. Recovering from this nightmare scenario can be difficult and time-consuming using Microsoft’s built-in capabilities. Versioning in OneDrive and SharePoint can help, but this counts against storage allocation and may result in additional storage costs. Plus, do you really want to deal with a piecemeal recovery strategy when you are in a crisis situation?

Better control of restoring files

You may be able to restore an entire mailbox or site collection in Microsoft 365, but granular restores are not possible. To reduce RTOs and save precious time and resources–especially while recovering from a disaster–you will want the ability to restore the exact files you need when you need them.

While Microsoft natively gives users the ability to roll back OneDrive files to a previous point in time (if that data has not been deleted already), it is an “all or nothing” restore. Instead of limiting the rollback to specific files or folders, your only option is to roll back all of your data to a specific point in time. This kind of destructive restore is typically used as a last resort, as incalculable amounts of data and vital changes will be lost. This can easily be prevented through the granular restore capabilities of a more comprehensive backup solution.

Keep in mind that while Microsoft 365 has default retention periods, these policies vary from service to service. Also, data that is actively deleted by an admin or user will not be recoverable if the recycle bin retention period expires or if the user actively deletes the data from the recycle bin. Without flexible and granular control over retention policies, critical or sensitive data can fall through the cracks.

Rapid restores

How quickly you recover from a disaster depends on your ability to identify and control two things: your Recovery Time Objective (RTO) and your Recovery Point Objective (RPO). While your ability to reduce RTO requires the flexibility to target exactly what you need to recover, RPO is dependent upon the frequency of your backups. Flexible recovery options and backup scheduling are core features of a robust, purpose-built backup solution.

Legal compliance and retention policy gaps

Organizations must retain data for a host of business, compliance, or other legal purposes. However, Microsoft’s native data protection may not meet the requirements of every industry or type of data. While Microsoft’s default retention is 30 or 90 days, depending upon data type, many organizations are required to retain data for years. Healthcare, financial services, or any other heavily regulated industry is often required to retain data for decades if not indefinitely.

If your business cannot manage data properly, policy gaps may emerge. Policy gaps arise due to operational disruptions such as failure to back up former employees’ data, inadequate Microsoft 365 backup rules, and data loss during migrations. Are you legally required to comply with specific data retention and potential litigation policies? Are you required to produce specific documents or files on demand from a years-long archive? If so, you may want to consider a third-party backup solution for Microsoft 365 that also supports long-term retention and recall.

Cloud syncing is not the same as backing up your data

Many Microsoft 365 users don’t think they need to back up their files because they use OneDrive. But OneDrive is not the same as backing up; it’s a file-syncing tool designed to optimize file sharing and collaboration. Whatever happens to a local document happens to the document that is synced in the cloud. If a file is deleted or infected by malware on your local drive, that change will propagate automatically in your synced OneDrive account. File versions are not immutable or isolated recovery points within Microsoft 365. If a file is deleted, all older versions of that file are also deleted. If they are permanently deleted, no viable recovery points are available.

Microsoft’s Shared Responsibility Model makes you responsible for your data

Using native Microsoft data protection tools can be the first step toward maintaining the security of your business. For instance, enabling multifactor authentication (MFA) can help prevent unauthorized users from penetrating your systems. However, these tools are no substitute for a comprehensive backup and recovery solution. Moreover, Microsoft makes it clear in their Shared Responsibility Model that they are not responsible for your data, only for the infrastructure they maintain to deliver their services. Here’s what the Enterprise Strategy Group has to say about the subject:

“Given Microsoft’s responsibility and supporting technology is limited to infrastructure levels, organizations are exposing themselves to risks such as data loss and security breaches, retention and regulatory compliance exposures, and lack of data control in hybrid deployments if they are without third-party backup plans. In addition, many customers have their data stored in a combination of on-premises and cloud environments, while others have different teams on different versions of Microsoft 365 suites, which can make data protection more challenging in hybrid deployments without a unified backup solution.”1

Backup and protection of all SaaS applications has become a growing concern of IT decision makers in recent years. However, according to a recent 451 Research report, Voice of the Enterprise: Storage, Data Management and Disaster Recovery 2022, when asked which SaaS platform they would consider purchasing a backup service to protect, more than twice as many respondents selected Microsoft 365 as the second highest-ranking platform.

Perhaps the greatest reason of all for considering a third-party backup solution is that Microsoft recommends that you do:

We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.

Originally published on the Wasabi blog, by Drew Schlussel. 
