Does Your Office 365 Tenant Need Backups?

To Backup or Not to Backup

The question whether a company using a cloud system like Office 365 should deploy third-party backups is asked frequently in the Microsoft Technical Community (here’s another post). Some people are passionate advocates for backups while others assert that backups aren’t necessary because Microsoft can be trusted to take care of the data. Indeed, the only backups Microsoft takes of customer data within Office 365 are for SharePoint Online. No backups are taken for Exchange Online, Teams, Planner, or Azure Active Directory.

I’ve written about this topic before. Generally speaking, I’m not a huge fan of taking backups of Office 365 data unless forced into the situation by something like legal or audit requirements.This time round I want to raise the question of whether technical change within Office 365 is making the notion of backups more irrelevant over time, especially if you use the full spectrum of functionality available in the suite.

Not a Simple Question

Deciding whether external backups are needed isn’t a simple question and there isn’t a simple answer. Some companies operate under strict regulatory environments that are interpreted to need to need some form of external backup. Some have hybrid organizations and others are cloud-only. Some use all the Office 365 applications, while others use a limited selection. All these factors influence the choice a company might make.

Among the reasons I see people cite to deploy backups for Office 365 are:

  • Administrators purging data when they shouldn’t.
  • Hackers gaining access to an administrative account in a tenant.
  • Ransomware attacks which encrypt documents stored in SharePoint and OneDrive for Business.
  • It’s not a good idea to put all your data under the control of one supplier (Microsoft).
  • Need to keep email and documents for long periods.

There’s no doubt that accidents happen that result in lost data and that we live in a world where attacks against corporate systems are an ongoing fact of life. However, the technology inside Office 365 is improving all the time to help resist problems like those listed above. In some cases, the solution to the problem is available in a feature available in Office 365 today; in others, the solution lies in improved administrator knowledge and awareness.


The “all your eggs in one Microsoft basket” question is interesting because it anticipates some catastrophic event when Office 365 might become unavailable for a sustained period. In effect, all the Office 365 datacenters in a region will be offline for more than a few hours. Although it’s impossible to say that such an event can never happen, it has not to date. Outages do happen that affect Office 365, but those outages are usually localized and only affect a subset of users and applications in a single datacenter region.

For example, is it likely that the Office 365 EMEA region will suffer an outage involving the Dublin, Amsterdam, Helsinki, and Vienna datacenters that Microsoft will not be able to recover within a day? Figuring out the statistical possibility of such an event is difficult and understanding how having external backups would help is harder. Where, for instance, could you restore the backups?

Technology Changes Quickly in the Cloud

Because technology changes so quickly, tenants should assess their backup needs on an ongoing basis. A conclusion reached even two years ago might not stand up to the test of today because the application mix within Office 365 is different and the available functionality has expanded.

For example, two years ago, no one used Teams. Now, 329,000 organizations use Teams, all of whom must depend on Microsoft for Teams data storage because no backup API is available for Teams messages or other metadata.

It’s not just technology that should be considered. Regulations such as GDPR mean that companies need to pay more attention where their data is stored and how it is managed.

Analyzing the Problem

To assess the need for external backups, a company should work through an exercise to review their current situation and discover whether backups can help. Stripping out all the FUD that is sometimes thrown into the mix, we can focus on three straightforward questions.

  • What use is made of Office 365 applications? This helps to frame what kind of backups the company needs. Understanding basic figures like the number of mailboxes and document libraries and the size of data created or updated daily will guide discussions with backup vendors and tell you if any network changes are needed to cope with backups. Most backup products happily cover the basics of email and documents but struggle to cope with applications like Teams, Office 365 Groups, and Planner. Some products say that they can cope with Office 365 Groups, but they might only cover basics like copying group mailboxes and document libraries. These products can’t process the metadata that links the information in an application together. Another thing to remember is that Exchange Online mailboxes hold much more data than just user messages. If a backup only copies messages, a restore will be incomplete.
  • What Office 365 features are licensed but unused? Microsoft adds features to Office 365 on an ongoing basis and some of those features address problems that cause people to think they need backups. For example, the “rogue admin” scenario does happen (albeit I have never experienced it), but the influence of any rogue activity can be moderated by making sure that retention policies cover mailboxes, teams, and document libraries (retention policies also solve the problem of needing to keep files and email for certain periods). You can deploy Privileged Access Management (PAM) to force administrators to seek approval for privileged operations, just like Microsoft datacenter operators need to ask permission if you use the Customer Lockbox feature. Judicious use of the Office 365 audit log also serves to discover if administrators are doing anything they shouldn’t. Products like Cloud App Security (included in Office 365 E5) or ISV solutions like Quadrotech Nova make it easier to highlight anomalies captured in audit events. Applying protection (encryption) to documents and messages stops those who don’t have access ever seeing the content. And Azure Active Directory Access Role Reviews can be used to ensure that people don’t keep administrative roles when they don’t need to.
  • To reduce the chance of hackers penetrating your tenant, all administrative accounts should be enabled for multi-factor authentication (and all other important user accounts too). New features like protocol authentication policies for Exchange Online can stop hackers breaking in using techniques like password spraying. To help users recover from deletion errors, they can be shown how to use features like the point-in-time restore for SharePoint Online (soon) and OneDrive for Business and the Recover Deleted Items feature in Exchange. The point is that backups are false security if you don’t maximize the protection features available within Office 365.
  • What potential data loss scenarios cannot be covered using Office 365 technology? After understanding what Office 365 data are created and used by the organization and how you protect that data with Office 365 functionality, you can then ask the question whether any gaps exist, what those gaps are, what needs to happen for a gap to result in data loss, and whether a third-party backup solution can close the gap. Scenarios such as regulatory compliance, external attacks, and internal incompetence should be included in the debate.

If You Need Backups

If at the end of the day, you conclude that external backups are needed for your Office 365 data (or some subset of that data), go ahead and look for a reliable backup vendor who can meet your requirements (including data sovereignty, compliance with GDPR, coverage of all your Office 365 data, and ability to recover in some useful way). There are plenty of cloud-based backup vendors for Office 365 for you to talk to that offer a variety of services at different price points.

Avoid any backup product that offers to move data from the cloud to PST files. Apart from giving information to a legal investigator to review, there’s absolutely no good reason to use PSTs as a backup media.

Keep the conversation focused on your needs instead of letting the vendor direct you to what they can deliver. Stay away from what-if situations that are unlikely to occur and focus on how backups help solve business problems. It’ll be a more productive conversation that way.