MJFChat: How to Handle Office 365 Backups
We’re doing a twice-monthly interview show on Petri.com that is dedicated to covering topics of interest to our tech-professional audience. We have branded this show “MJFChat.”
In my role as Petri’s Community Magnate, I will be interviewing a variety of IT-savvy technology folks. Some of these will be Petri contributors; some will be tech-company employees; some will be IT pros. We will be tackling various subject areas in the form of 30-minute audio interviews. I will be asking the questions, the bulk of which we’re hoping will come from you, our Petri.com community of readers.
We will ask for questions a week ahead of each chat. Readers can submit questions via Twitter, Instagram, Facebook and/or LinkedIn using the #AskMJF hashtag. Once the interviews are completed, we will post the audio and associated transcript in the forums for readers to digest at their leisure. (By the way, did you know MJFChats are now available in podcast form? Go here for MJF Chat on Spotify; here for Apple Podcasts on iTunes; and here for Google Play.)
Our next MJFChat, scheduled for August 31, is focused on Office 365 backups. My special guest is Steve Goodman, a Petri.com contributor, Microsoft Most Valuable Professional and Principal Technology Strategist with Content and Code.
Steve is ready to discuss anything and everything you’re curious about, in terms of Office 365 backups: When, how and if you should worry about them; how best to plan for them; ways to stay current about what’s happening in this area and more.
If you know someone you’d like to see interviewed on the MJFChat show, including yourself, send me a note at [email protected] (Let me know why you think this person would be an awesome guest and what topics you’d like to see covered.) We’ll take things from there….
Mary Jo Foley (00:00):
Hi, you’re listening to the Petri.com MJF Chat show. I am Mary Jo Foley, AKA your Petri.com community magnate. And I am here to interview tech industry experts about various topics that you, our readers and listeners want to know about. Today’s MJF Chat is going to be all about Office 365 backups. And my special guest today is Steve Goodman, who is a Microsoft MVP and Principal Technology Strategist with Content and Code. Welcome Steve, and thank you so much for doing this chat with me.
Steve Goodman (00:37):
Hi, thank you for asking me on.
Mary Jo Foley (00:40):
I’m excited and I’m sorry, I’m doing this on a bank holiday for you, but thanks for doing it anyway.
Steve Goodman (00:46):
Oh, no, it’s absolutely fine. We’re not going very far around here, so it’s not a problem at all, to be honest, I forgot it was a bank holiday until last Thursday. So it’s always nice to find out you’ve got an extra day off.
Mary Jo Foley (00:58):
That’s true. That’s true. So on the topic of Office 365 backups, I want to start with a very basic, but what I think might be a key question, which is, does Office 365 automatically backup user’s data or not?
Steve Goodman (01:16):
The simple answer to that is in general, no. But there are services in it. Cause as you know, Office 365 has got a whole host of different services. The ones being Exchange, SharePoint, Teams and some of these services like SharePoint, Microsoft do backup, but no, there’s not a portal you go into in Office 365, where you can see the state of your backups across the service.
Mary Jo Foley (01:47):
Do you think they’ll ever add something like that or do you think it’s just the nature of the beast that that’s not the way this works?
Steve Goodman (01:54):
I think it’s been designed so it doesn’t need backups. So I don’t see Microsoft in the short term, introducing a dedicated backup service where they might take a full copy of the data and back that up to tapes or discs in another region or data center.
Mary Jo Foley (02:17):
Okay. So this kind of is an excellent segue into this next question. When we were first talking on email, back and forth about this chat, you told me that Office 365 backups can be a very divisive topic among IT Pros and that the division line often corresponds to the size and type of organization. So can you talk a little bit more about that? Like what are you seeing out there in the real world? In terms of people who think things need to be backed up, versus people who do not
Steve Goodman (02:50):
You’re right. So people do have some strong opinions on it. And I do see a lot of medium sort of sized companies. You know, 500, 1000 people and below who might only have one IT person. He or she might be looking after the whole infrastructure. They might be looking after their VMware infrastructure or Hyper V. They might be looking after the payroll apps and Office 365, because it is, is just yet another thing that they look after. So, they don’t have time to understand everything about it and often are looking for something simple. That means that they don’t need to become an expert in all of the different ways of protecting your data in Office 365. But larger organizations not only have lots and lots of more data, they often buy the more expensive licensing plans that have more capabilities for making sure data stays where it’s been put.
Steve Goodman (03:52):
And they also employ subject matter experts in not only Microsoft 365, but in very specific fields where you might have somebody or maybe even a team of people employed at some large organizations just to look after SharePoint Online or Teams, perhaps two or three people looking after Exchange and so on. So they end up getting a lot more deeper knowledge, both from an operational point of view and from how to configure the service, so that they’ve got more time to understand this overwhelming set of services that they bought from Microsoft and better understand how to protect the data in it. So you do get a bit of a difference in opinions when you speak to these different organizations, you know, often it boils down to what they want to do and how they want to be able to quickly achieve what the business has asked, without so much faffing around,
Mary Jo Foley (04:52):
Faffing around. I love that term. We need to use that in a headline somewhere. It’s such a good term.
Steve Goodman (04:59):
It’s not the most technical term.
Mary Jo Foley (05:01):
It’s not, but it fits many situations in tech, I feel like. So this I have a listener slash reader question, which is kind of related to what we were just talking about there, David Wanderer on Twitter said, do you even need backups if you implement retention policy? So that throws an extra little wrinkle into the, do I need it or don’t I need it conversation.
Steve Goodman (05:27):
Well, there’s a lot of organizations that will decide, no, they don’t because retention policies can either delete data earlier than needed. Well, as soon as needed or they can keep it for a very, very long time. So we heard about, I think one of the big four accounting firms and professional services firms, they accidentally lost lots and lots of Teams chats because of a retention policy. So things can go wrong with a retention policy, but for most organizations often they’re going to keep data for a long amount of time. So one of my customers, you know, an engineering firm, they said, we need to keep some data for a hundred years because we build bridges and we need to make sure that all the documentation about that bridge is kept for that amount of time. Now they might not stay with Office 365, for a100 years.
Steve Goodman (06:20):
But whatever happens with that data, as long as it’s in Office 365, they need to make sure that it’s kept, so we can use retention policies to do that. And we can use an add on feature on top called Preservation Hold to effectively, make sure that nobody can change those policies. So if I added you to a policy and, that’d been configured to keep it for 10 years, then I wouldn’t be able to delete or change or take you out of that policy once it had been applied, which policies like that require a lot of thought before you brought them into place, but they effectively make sure that the data’s immutable, it cannot ever be changed, deleted or destroyed, but it’s stored within Office 365. So there’s not a second copy of it being kept. It just can never be changed until a point that that policy expires.
Mary Jo Foley (07:18):
Okay. So I just saw recently that Tony Redmond, who like you is a Petri.com author wrote a bit about Office 365 backups, and he brought up the point that things are more complicated for Office 365 apps that only exist in the cloud. So things like Planner and Teams, and To-Do and Stream, because Microsoft hasn’t created backup APIs for Office 365. So do you also consider this to be a big issue? And do you think that Microsoft ever will create those kind of backup APIs for third parties? Or is there some kind of way around it for companies who are worried about backing up things like Teams?
Steve Goodman (08:02):
I don’t think Microsoft will create specific backup APIs especially for backing up the data. The same API is usually used when there’s mergers and acquisitions and perhaps a company gets bought and they need to copy out all of their data from one Office 365 subscription or tenant into another. And that’s where we see those same gaps in what these APIs can do. But as Tony quite rightly points out, a lot of the backup services that are sold only focus on the stuff that was traditionally developed on premises. So you might see some backup solutions, say that our solution backs up Office 365, and you read it and what they’re going to do. And they’re just backing up email, or they’re just backing up email and files in SharePoint on OneDrive. And that’s not enough because a lot of organizational data might be stored for some organizations in Yammer, or it might be Teams chats.
Steve Goodman (09:07):
And although some of this data, it gets backed off into services like Exchange for retention purposes. If somebody’s deleted something permanently, then they might want to restore that back to where it was. And it’s not the backup vendor’s fault. But as Tony said, there’s not a way of restoring that data back to the same place in all its glory. So it’s quite difficult because if you’re a backup vendor, you might want to backup this for a customer. If you’re a customer, you might want to buy a solution that will take an exact copy and be able to restore it back. But you’ve got the APIs that don’t support backing up all of the data. And then you’ve got the speed of backup and restore, which might make it near impossible to restore that data in adequate time.
Mary Jo Foley (09:58):
Hmm. Right. Okay. Tony brought up another issue in his post on Petri around encryption, and he said as more and more Office, 365 data gets encrypted because right now, not a whole lot is being encrypted. This could become an issue in terms of backup because backup products need unencumbered access to data. So how do you think backup’s gonna work with encrypted data? As we see more of that out in the wild
Steve Goodman (10:28):
I think it just becomes more and more difficult and it undermines the case for backups as well, because Office 365, well Microsoft 365. So the Windows piece, the security piece, what was EMS or is EMS and the Office 365 piece, this whole Microsoft 365 suite, that people buy. The best way of protecting your data is to use a lot of that functionality, not only to make sure that data can’t be deleted, but it can’t be accessed by the wrong people, making sure that the desktops, laptops all protected effectively, as well. All of these things together are usually implemented by an organization when they get a bit further down their journey into the cloud. And it does mean that yeah, significant issues. So let’s say the most important thing to your organization was email and it wasn’t necessarily that you needed to keep a backup of it and restore it all back to an on premises server if Office 365 suddenly disappeared, but it might be that you’ve got a concern from the business that what if Office 365 is down for an afternoon, email can’t be accessed and you might buy an email continuity service from one of those big vendors that sell cloud based email continuity services, malware protection, journaling, and so on.
Steve Goodman (11:52):
And that’s where encrypted emails and encrypted files become problematic because if you are protecting your files and email, as it goes in and out of the organization, then even those services that legitimately give you some additional protection for that hour or two, that one day you might need it for. Then if 20% of your emails back and forth between your customers have been encrypted, then you won’t be able to access them. And so they either need to work with Microsoft and many of these vendors, they are Microsoft partners as ISVs, need to work with Microsoft to provide a solution for that, because there’s legitimate reasons why people do buy services like that. But it’s one of many reasons why actually you’re better making sure that your data is protected so you don’t get hit by a ransomware attack and so on and need to restore files in the first place. So prevention being better than a cure.
Mary Jo Foley (12:57):
Got it. Okay. we have another listener question, reader slash listener question from Twitter. Russell Clark asked, he asked about a specific scenario for his company. So he said, we are just about to implement Office 365 in my organization, but we’re being told by Microsoft, the third party backup solutions are not supported or necessary. So how do I counter this argument and what are the risks/issues if we don’t back up? So he’s in the camp, obviously that I need a backup solution and I don’t believe I should not have to back up.
Steve Goodman (13:35):
Well, the backup vendor supports the backup solution, right? Microsoft don’t need to support the solution you’ve bought from somebody else. So when you buy a backup solution, then you’ll buy that with support, especially if it’s a cloud service as well. So that supportability part, you will be relying on the vendor to make sure that if Microsoft changed the way an API works, that their solution is going to be able to restore data, but Microsoft aren’t gonna provide an SLA for how quickly somebody else’s solution is going to be able to restore that. It is true though, that Microsoft had designed the service so that it doesn’t require a third party backup solution. If you look at very large organizations, who’ve got a lot of data, then realistically, they wouldn’t ever be able to do a full restore.
Steve Goodman (14:29):
You know, even if we think of a organization with a thousand people and over time, they’ve got 50 gig or something like that inside everybody’s OneDrive. And over the course of a few days, IT are alerted to a ransomware attack. They’ve not done anything to protect against that in the first place. And they needed to restore that data. Then it could take weeks. It could take nearly two months going by the most optimistic restore speeds or migration speeds into the service, which is what effectively you’d have to do to restore all of that data back to where it was. So you’re going to be better off saying, well, actually I trust Microsoft, you know, Microsoft sell OneDrive as a PC backup solution. If you look at their website, they provide automatic ransomware protection to alert you to a ransomware attack.
Steve Goodman (15:24):
They provide features that aren’t perfect as Tony and others have pointed out before, to effectively roll back in time changes that have been made to use as OneDrives, they’re not perfect. But then again, neither are solutions from backup vendors. So I think it’s quite hard to counter that argument because Microsoft have designed that service. So it doesn’t require you to buy a separate backup and restore service. Really, it’s not whether Microsoft say it’s necessary or not. It’s whether there’s a specific need, that’s going to be met by a backup solution for your business, whether that is making it easy for generalist, IT admins to be able to quickly find and restore a file or an email, whether that is in an on premises file server or SharePoint, OneDrive or in somebody’s inbox. If, you know, if it’s something like that, then maybe there’s a case. Some of the customers that might have contractual requirements that will take a lot of work to change, that say you must back up perhaps a client’s data to a separate location outside of that cloud service. Those are the sort of legitimate reasons. And they come from the business, they don’t come from Microsoft saying you must do something.
Mary Jo Foley (16:48):
Okay. I’m curious if there are any kind of like top one or two gotchas or mistakes that you see people making routinely when they start trying to implement Office 365 backup strategy, you know, things like, I’ve heard some people say, people routinely forget to protect all types of data. Like they forget to backup Calendars or Tasks or Contacts, or even sometimes all the Office 365 apps when they’re creating a backup plan. Are those things you see? Or are there other things that you routinely see clients or customers or people in the field doing that you would consider a mistake when they’re talking about backup?
Steve Goodman (17:32):
So the majority of the company I work for, our customers don’t need a backup solution. Most of those are reasonably large enterprise customers. In another part of the business then we have a lot of midsize clients and they do take backup solutions. And the biggest thing with all backup solutions, whether that’s on premises, whether that’s in the cloud, is not regularly testing the restore process. If you’re buying it based on what it can back up, but you’re not concerned with how quickly it can restore, what data it can restore, how it looks when it’s been restored. Then I think you, why are you buying the solution in the first place? If you’re not confident it can restore properly. If it’s not meeting all the requirements, you’ve really bought it just to tick a box. Then I question, why have you bought it in the first place. I think because of the way that people adopt services in Office 365, then the backup solution you buy is never going to protect all of your data.
Steve Goodman (18:42):
So you’ve got a choice and you need to make it with the business as to, are you okay that as you begin to use Teams, Planner, store videos in Stream. Start using all of these other services that are cloud first, cloud only services, that can’t easily be backed up or restored. Are you comfortable that the business is going to use those services using the native functionality to retain data in Microsoft 365. And if you’re happy with that great, but if you buy a solution, you start backing up, you leave it to do its job, and then the business goes and adopts other services, then are they going to come in to a position where they asked for something to be restored and the solution you bought can’t do that. And there’s really only a small number of solutions on the market that go as far as you possibly could in terms of backup and restore of these services. So, you know, pick the solution that’s gonna meet not only your old on premises needs, but your planned adoption of other services once you’ve moved to the cloud.
Mary Jo Foley (19:53):
Okay. That’s good advice. Last question I have for you is for people who want to look into Office 365 backup, or kind of keep current with what the latest is on this topic, are there any resources or websites that come to mind and feel free to recommend your own if that’s one of them. But yeah, just kind of a couple of resources for people who are interested in this topic.
Steve Goodman (20:19):
Well, I’m going to start by pointing out some of the places that are not so good because, and I’m not going to name any names because, you know, genuinely a lot of the backup vendors on the market you know, come from the old on premises space, they’re well known and trusted by the people that have bought them. So some of the ones that are the worst in terms of the [inaudible], but the disinformation about why people should backup Office 365, are fantastic at backing up on premises environments. They’re really, you know, were good solutions in that old world, but backup vendors obviously have a vested interest in what they’re trying to say. So when there’s eBooks and stuff like that from a backup vendor then just be cautious that they are presenting their view of the facts and they do want you to buy their solution.
Mary Jo Foley (21:20):
Steve Goodman (21:20):
So, and Microsoft sit on the fence a bit here because, you know, obviously they’ve got customers, they’ve got the backup vendors as partners as well. They don’t want to outright tell people that they shouldn’t do this kind of stuff. So independent sites are good. But really, you need independent views where they’re not being paid by a backup vendor to write them, but they need to source the reasons why, back on Microsoft documentation. Because I might say, yeah, you don’t need backups on my block, but, you know, but when it comes to presenting that to your business, saying, Steve, on the internet wrote it, isn’t going to be good enough. So you do want to have a look at independent articles that reference what Microsoft have said on that topic, because it’s very hard to collate all of that information into one place.
Steve Goodman (22:15):
The reason why a lot of people buy Office 365 backup solutions is because it is hard to find comprehensive information that tells you how to backup and restore, or effectively hold and pull back deleted data within each individual service, because they’re all written by all those different product groups. So Tony Redmond, his Office 365 for IT Pros book is a great reference source. I’ve reviewed that on one of the websites I wrote for, Practical 365. it’s regularly updated and most people who’ve got that think, it’s a definitive independent source for information across Office 365. And that’s got a lot of useful information about backups. Where I write for, both Petri and Practical 365. I write on this topic as well. And again, when I do, I try and reference it back to the right information from Microsoft, and of course, nobody’s paying me to say one way or the other, whether backups are good or not. So honestly, you know, MVPs in general are trying to give the most independent view for what customers could or couldn’t do and try and balance and present, you know, both sides of the argument, but reference it with useful information.
Mary Jo Foley (23:30):
Hmm. That’s good. Yep. And I know a lot about Tony’s book. I actually get a comped subscription to it and it is, it’s like the Bible, I call it that all the time. I’m like the Bible of Office 365, that book.
Steve Goodman (23:44):
Yeah. And I’ve known a lot of people at Microsoft who think it’s a fantastic book, because even if you work at Microsoft, you can’t know everything about the services. So books like that, are good. I was always a big fan of Tony’s older sort of inside out books for Exchange and so on. And it follows that sort of tradition where you get that outside in view of the service, that mixes that real world knowledge with somebody that’s spent the time and effort to speak to people in the product group to get a really accurate view of how these services are designed. And it’s full of lots of useful nuggets that explain to you how the services are built. And that’s useful information when you’re trying to understand how your data is being kept safe in services like Office 365.
Mary Jo Foley (24:32):
Nice. Okay, well, thank you again for doing this chat with me, Steve. It was really interesting and insightful. So thanks for sharing all your knowledge on this topic.
Steve Goodman (24:42):
Thank you. It’s been a pleasure.
Mary Jo Foley (24:44):
And for everyone else who is listening to, or reading this chat, I will be posting more information soon on Petri about who my next guest is going to be. Once you see that you can submit questions directly on Twitter for the guest. In the meantime, if you know of anyone else or even yourself who might make a good guest for one of these MJF Chats, please do not hesitate to drop me a note. Thank you very much.