Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Does Your Office 365 Tenant Need Backups?

To Backup or Not to Backup

The question whether a company using a cloud system like Office 365 should deploy third-party backups is asked frequently in the Microsoft Technical Community (here’s another post). Some people are passionate advocates for backups while others assert that backups aren’t necessary because Microsoft can be trusted to take care of the data. Indeed, the only backups Microsoft takes of customer data within Office 365 are for SharePoint Online. No backups are taken for Exchange Online, Teams, Planner, or Azure Active Directory.

I’ve written about this topic before. Generally speaking, I’m not a huge fan of taking backups of Office 365 data unless forced into the situation by something like legal or audit requirements.This time round I want to raise the question of whether technical change within Office 365 is making the notion of backups more irrelevant over time, especially if you use the full spectrum of functionality available in the suite.

Not a Simple Question

Deciding whether external backups are needed isn’t a simple question and there isn’t a simple answer. Some companies operate under strict regulatory environments that are interpreted to need to need some form of external backup. Some have hybrid organizations and others are cloud-only. Some use all the Office 365 applications, while others use a limited selection. All these factors influence the choice a company might make.

Among the reasons I see people cite to deploy backups for Office 365 are:

Administrators purging data when they shouldn’t.
Hackers gaining access to an administrative account in a tenant.
Ransomware attacks which encrypt documents stored in SharePoint and OneDrive for Business.
It’s not a good idea to put all your data under the control of one supplier (Microsoft).
Need to keep email and documents for long periods.

There’s no doubt that accidents happen that result in lost data and that we live in a world where attacks against corporate systems are an ongoing fact of life. However, the technology inside Office 365 is improving all the time to help resist problems like those listed above. In some cases, the solution to the problem is available in a feature available in Office 365 today; in others, the solution lies in improved administrator knowledge and awareness.

Recovery

The “all your eggs in one Microsoft basket” question is interesting because it anticipates some catastrophic event when Office 365 might become unavailable for a sustained period. In effect, all the Office 365 datacenters in a region will be offline for more than a few hours. Although it’s impossible to say that such an event can never happen, it has not to date. Outages do happen that affect Office 365, but those outages are usually localized and only affect a subset of users and applications in a single datacenter region.

For example, is it likely that the Office 365 EMEA region will suffer an outage involving the Dublin, Amsterdam, Helsinki, and Vienna datacenters that Microsoft will not be able to recover within a day? Figuring out the statistical possibility of such an event is difficult and understanding how having external backups would help is harder. Where, for instance, could you restore the backups?

Technology Changes Quickly in the Cloud

Because technology changes so quickly, tenants should assess their backup needs on an ongoing basis. A conclusion reached even two years ago might not stand up to the test of today because the application mix within Office 365 is different and the available functionality has expanded.

For example, two years ago, no one used Teams. Now, 329,000 organizations use Teams, all of whom must depend on Microsoft for Teams data storage because no backup API is available for Teams messages or other metadata.

It’s not just technology that should be considered. Regulations such as GDPR mean that companies need to pay more attention where their data is stored and how it is managed.

Analyzing the Problem

To assess the need for external backups, a company should work through an exercise to review their current situation and discover whether backups can help. Stripping out all the FUD that is sometimes thrown into the mix, we can focus on three straightforward questions.

What use is made of Office 365 applications? This helps to frame what kind of backups the company needs. Understanding basic figures like the number of mailboxes and document libraries and the size of data created or updated daily will guide discussions with backup vendors and tell you if any network changes are needed to cope with backups. Most backup products happily cover the basics of email and documents but struggle to cope with applications like Teams, Office 365 Groups, and Planner. Some products say that they can cope with Office 365 Groups, but they might only cover basics like copying group mailboxes and document libraries. These products can’t process the metadata that links the information in an application together. Another thing to remember is that Exchange Online mailboxes hold much more data than just user messages. If a backup only copies messages, a restore will be incomplete.
What Office 365 features are licensed but unused? Microsoft adds features to Office 365 on an ongoing basis and some of those features address problems that cause people to think they need backups. For example, the “rogue admin” scenario does happen (albeit I have never experienced it), but the influence of any rogue activity can be moderated by making sure that retention policies cover mailboxes, teams, and document libraries (retention policies also solve the problem of needing to keep files and email for certain periods). You can deploy Privileged Access Management (PAM) to force administrators to seek approval for privileged operations, just like Microsoft datacenter operators need to ask permission if you use the Customer Lockbox feature. Judicious use of the Office 365 audit log also serves to discover if administrators are doing anything they shouldn’t. Products like Cloud App Security (included in Office 365 E5) or ISV solutions like Quadrotech Nova make it easier to highlight anomalies captured in audit events. Applying protection (encryption) to documents and messages stops those who don’t have access ever seeing the content. And Azure Active Directory Access Role Reviews can be used to ensure that people don’t keep administrative roles when they don’t need to.
To reduce the chance of hackers penetrating your tenant, all administrative accounts should be enabled for multi-factor authentication (and all other important user accounts too). New features like protocol authentication policies for Exchange Online can stop hackers breaking in using techniques like password spraying. To help users recover from deletion errors, they can be shown how to use features like the point-in-time restore for SharePoint Online (soon) and OneDrive for Business and the Recover Deleted Items feature in Exchange. The point is that backups are false security if you don’t maximize the protection features available within Office 365.
What potential data loss scenarios cannot be covered using Office 365 technology? After understanding what Office 365 data are created and used by the organization and how you protect that data with Office 365 functionality, you can then ask the question whether any gaps exist, what those gaps are, what needs to happen for a gap to result in data loss, and whether a third-party backup solution can close the gap. Scenarios such as regulatory compliance, external attacks, and internal incompetence should be included in the debate.

If You Need Backups

If at the end of the day, you conclude that external backups are needed for your Office 365 data (or some subset of that data), go ahead and look for a reliable backup vendor who can meet your requirements (including data sovereignty, compliance with GDPR, coverage of all your Office 365 data, and ability to recover in some useful way). There are plenty of cloud-based backup vendors for Office 365 for you to talk to that offer a variety of services at different price points.

Avoid any backup product that offers to move data from the cloud to PST files. Apart from giving information to a legal investigator to review, there’s absolutely no good reason to use PSTs as a backup media.

Keep the conversation focused on your needs instead of letting the vendor direct you to what they can deliver. Stay away from what-if situations that are unlikely to occur and focus on how backups help solve business problems. It’ll be a more productive conversation that way.

by Tony Redmond
Nov 1, 2018

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for Petri.com and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with c...

Nested Microsoft 365 Groups: What You Need to Know

Jul 12, 2023
Microsoft and AI: What Is the Copilot Semantic Index and How Does It Work?

Feb 6, 2024
Mar 21, 2024
How to Grant Full Mailbox Access to Users in Office 365 and Exchange Server

Aug 4, 2023
Aug 08, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.