Office|Office 365

Does Your Office 365 Tenant Need Backups?

To Backup or Not to Backup

The question whether a company using a cloud system like Office 365 should deploy third-party backups is asked frequently in the Microsoft Technical Community (here’s another post). Some people are passionate advocates for backups while others assert that backups aren’t necessary because Microsoft can be trusted to take care of the data. Indeed, the only backups Microsoft takes of customer data within Office 365 are for SharePoint Online. No backups are taken for Exchange Online, Teams, Planner, or Azure Active Directory.

I’ve written about this topic before. Generally speaking, I’m not a huge fan of taking backups of Office 365 data unless forced into the situation by something like legal or audit requirements.This time round I want to raise the question of whether technical change within Office 365 is making the notion of backups more irrelevant over time, especially if you use the full spectrum of functionality available in the suite.

Not a Simple Question

Deciding whether external backups are needed isn’t a simple question and there isn’t a simple answer. Some companies operate under strict regulatory environments that are interpreted to need to need some form of external backup. Some have hybrid organizations and others are cloud-only. Some use all the Office 365 applications, while others use a limited selection. All these factors influence the choice a company might make.

Among the reasons I see people cite to deploy backups for Office 365 are:

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

  • Administrators purging data when they shouldn’t.
  • Hackers gaining access to an administrative account in a tenant.
  • Ransomware attacks which encrypt documents stored in SharePoint and OneDrive for Business.
  • It’s not a good idea to put all your data under the control of one supplier (Microsoft).
  • Need to keep email and documents for long periods.

There’s no doubt that accidents happen that result in lost data and that we live in a world where attacks against corporate systems are an ongoing fact of life. However, the technology inside Office 365 is improving all the time to help resist problems like those listed above. In some cases, the solution to the problem is available in a feature available in Office 365 today; in others, the solution lies in improved administrator knowledge and awareness.


The “all your eggs in one Microsoft basket” question is interesting because it anticipates some catastrophic event when Office 365 might become unavailable for a sustained period. In effect, all the Office 365 datacenters in a region will be offline for more than a few hours. Although it’s impossible to say that such an event can never happen, it has not to date. Outages do happen that affect Office 365, but those outages are usually localized and only affect a subset of users and applications in a single datacenter region.

For example, is it likely that the Office 365 EMEA region will suffer an outage involving the Dublin, Amsterdam, Helsinki, and Vienna datacenters that Microsoft will not be able to recover within a day? Figuring out the statistical possibility of such an event is difficult and understanding how having external backups would help is harder. Where, for instance, could you restore the backups?

Technology Changes Quickly in the Cloud

Because technology changes so quickly, tenants should assess their backup needs on an ongoing basis. A conclusion reached even two years ago might not stand up to the test of today because the application mix within Office 365 is different and the available functionality has expanded.

For example, two years ago, no one used Teams. Now, 329,000 organizations use Teams, all of whom must depend on Microsoft for Teams data storage because no backup API is available for Teams messages or other metadata.

It’s not just technology that should be considered. Regulations such as GDPR mean that companies need to pay more attention where their data is stored and how it is managed.

Analyzing the Problem

To assess the need for external backups, a company should work through an exercise to review their current situation and discover whether backups can help. Stripping out all the FUD that is sometimes thrown into the mix, we can focus on three straightforward questions.

  • What use is made of Office 365 applications? This helps to frame what kind of backups the company needs. Understanding basic figures like the number of mailboxes and document libraries and the size of data created or updated daily will guide discussions with backup vendors and tell you if any network changes are needed to cope with backups. Most backup products happily cover the basics of email and documents but struggle to cope with applications like Teams, Office 365 Groups, and Planner. Some products say that they can cope with Office 365 Groups, but they might only cover basics like copying group mailboxes and document libraries. These products can’t process the metadata that links the information in an application together. Another thing to remember is that Exchange Online mailboxes hold much more data than just user messages. If a backup only copies messages, a restore will be incomplete.
  • What Office 365 features are licensed but unused? Microsoft adds features to Office 365 on an ongoing basis and some of those features address problems that cause people to think they need backups. For example, the “rogue admin” scenario does happen (albeit I have never experienced it), but the influence of any rogue activity can be moderated by making sure that retention policies cover mailboxes, teams, and document libraries (retention policies also solve the problem of needing to keep files and email for certain periods). You can deploy Privileged Access Management (PAM) to force administrators to seek approval for privileged operations, just like Microsoft datacenter operators need to ask permission if you use the Customer Lockbox feature. Judicious use of the Office 365 audit log also serves to discover if administrators are doing anything they shouldn’t. Products like Cloud App Security (included in Office 365 E5) or ISV solutions like Quadrotech Nova make it easier to highlight anomalies captured in audit events. Applying protection (encryption) to documents and messages stops those who don’t have access ever seeing the content. And Azure Active Directory Access Role Reviews can be used to ensure that people don’t keep administrative roles when they don’t need to.
  • To reduce the chance of hackers penetrating your tenant, all administrative accounts should be enabled for multi-factor authentication (and all other important user accounts too). New features like protocol authentication policies for Exchange Online can stop hackers breaking in using techniques like password spraying. To help users recover from deletion errors, they can be shown how to use features like the point-in-time restore for SharePoint Online (soon) and OneDrive for Business and the Recover Deleted Items feature in Exchange. The point is that backups are false security if you don’t maximize the protection features available within Office 365.
  • What potential data loss scenarios cannot be covered using Office 365 technology? After understanding what Office 365 data are created and used by the organization and how you protect that data with Office 365 functionality, you can then ask the question whether any gaps exist, what those gaps are, what needs to happen for a gap to result in data loss, and whether a third-party backup solution can close the gap. Scenarios such as regulatory compliance, external attacks, and internal incompetence should be included in the debate.

If You Need Backups

If at the end of the day, you conclude that external backups are needed for your Office 365 data (or some subset of that data), go ahead and look for a reliable backup vendor who can meet your requirements (including data sovereignty, compliance with GDPR, coverage of all your Office 365 data, and ability to recover in some useful way). There are plenty of cloud-based backup vendors for Office 365 for you to talk to that offer a variety of services at different price points.

Avoid any backup product that offers to move data from the cloud to PST files. Apart from giving information to a legal investigator to review, there’s absolutely no good reason to use PSTs as a backup media.

Keep the conversation focused on your needs instead of letting the vendor direct you to what they can deliver. Stay away from what-if situations that are unlikely to occur and focus on how backups help solve business problems. It’ll be a more productive conversation that way.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (4)

4 responses to “Does Your Office 365 Tenant Need Backups?”

  1. <p>I find very interesting your list of reasons <span style="color: rgb(34, 34, 34);">people cite to deploy backups for Office 365 and wanted to comment on them.</span></p><p><br></p><ul><li>Administrators purging data when they shouldn’t.</li></ul><p>There is no protection from rogue admins, and backup won't save you either. Nothing prevents admins from deleting backups as well. At certain level of permissions, you either trust your admins or you fire them, there is no other way and never had been.</p><ul><li>Hackers gaining access to an administrative account in a tenant.</li></ul><p>This is a great point, but it eventually leads to the first problem as well. If a hacker got privileged admin access to your tenant, backup of your data is the least of your problems. That's why it is so important to use highest levels of authentication and to control tightly your administrative accounts and groups.</p><ul><li>Ransomware attacks which encrypt documents stored in SharePoint and OneDrive for Business.</li></ul><p>This is funny because out of all solutions SharePoint is the one best protected against ransomware. This is because SharePoint keeps versions of all documents. When ransomware encrypts the document, it is treated by SharePoint as document modification, and it keeps the previous (unencrypted) version as well. All you need to recover is just to restore the previous version, which takes literally just a couple of mouse clicks. I am actually speaking out of practical experience here. ;) </p><ul><li>It’s not a good idea to put all your data under the control of one supplier (Microsoft).</li></ul><p>This is what many people say, yes, but this is a religious argument, not a technical one. Counter argument is that it is much easier to deal with just one vendor for support and troubleshooting instead of being footballed between multiple vendors. Also, obviously integration between multiple solutions is much easier with a single vendor. Finally, using one supplier doesn't mean using one "basket", because Microsoft spreads several copies of customer data across multiple datacenters and regions and guarantees certain level of availability.</p><ul><li>Need to keep email and documents for long periods.</li></ul><p>This is exactly what litigation hold and data retention/preservation is provided for. There can be a long discussion whether/how it is convenient and meets all requirements, but the point is that there is a native solution available for this without any need for backup.</p><p><br></p><p>I post this not in order to argue or ignite a discussion, but simply to provide some additional points. Hope it makes sense. </p>

    • <blockquote><em><a href="#15810">In reply to msexpert:</a></em></blockquote><p>I agree. The reasons cited by people who think they need backups are often incorrect when examined in the cold light of what's available in Office 365 or how the applications work.</p>

  2. <p>For Office 365 backup, one can also try This Office 365 Backup software. It can easily backup office 365 mailboxes and import them in PST formThis</p><p><br></p><p>Softaken office 365 backup tool</p>

  3. <p>No data is safe and Microsoft isn't above that. Doesn't matter how many data centers they have. The weakness are humans and not the infrastructure. </p><p><br></p><p>Users can delete data even if is it only their own.</p><p><br></p><p>Gain access to admin account can be done in multiple ways. Only protection is MFA.</p><p><br></p><p>You think hackers cannot get into Microsoft data centers?</p><p><br></p><p>Consider Veeam as O365 backup product.</p>

Leave a Reply

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.
13 Email Threat Types to Know About Right Now

As email threats evolve and multiply, keeping track of them all—and staying protected against the many different types—becomes a complex challenge. Today, that requires more than just the traditional email gateway solution that used to be good enough.

In this eBook you will learn:

  • What are the most common and challenging email attacks for organizations?
  • How to defend against sophisticated email threats, such as spoofing, social engineering, and fraud
  • How to protect employees at the inbox level with the right technologies and security-awareness training
  • How to use a multilayered protection strategy to reduce susceptibility to email attacks and better defend your business and employees

Sponsored by: