Do you really need to back up Microsoft 365?

W. Curtis Preston, Chief Technology Evangelist

Why should you back up Microsoft 365?

As a person who has dedicated their career to backup and recovery, one of the things I find hardest to comprehend is when someone says “X is so good, it doesn’t need to be backed up.” The biggest example lately is proponents of Microsoft 365 (formerly Office 365) who suggest that it “performs backups” for you, which simply isn’t true.

Microsoft 365 offers basic protection to deal with some risks that could damage your data, but there are things it doesn’t protect you from, and there are side effects to some of its optional protection features. Even if you feel you are well protected, the restore might be time intensive and quite a bit more work if you don’t have a third-party backup tool. So, maybe backup is a good thing after all.

The 3-2-1 rule of backups

The first reason why Microsoft 365 should be protected by a third party is the age-old concept of the 3-2-1 rule of backups. Three copies of your data on two different pieces of media, one of which should be offsite. Using Microsoft 365 to protect itself violates every one of these basic data protection steps. It’s like backing up your laptop files to another slice on your local hard drive. An app should be protected by something that isn’t the app.

Even Microsoft agrees. Here is what they say in their service agreement for Microsoft 365¹:

“We recommend that you regularly backup your content and data that you store on the services or store using third-party apps and services.”

Why might Microsoft say this, you ask? Because there are more ways to destroy your data, Horatio, than are dreamt of in your philosophy (my apologies to the Bard).

Say, for example, you accidentally delete an email, OneDrive file, or SharePoint item. Microsoft 365 has places where it stores deleted items that allow you to retrieve them for a set period of time. You just need to locate the deleted item in the recycle bin before it expires (and hope it wasn’t manually emptied by an admin – rogue or otherwise). But what if malware deletes files you don’t use frequently so you won’t notice the deletion? You will only be able to recover them if you notice the deletion within the specified retention period. And if you don’t notice in time – because the malware is hoping you won’t – you lose the data forever. In addition, if malware deletes hundreds or thousands of files, you will be spending quite a lot of time in the recycle bin locating each file and putting it back, a process some refer to as “dumpster diving,” which no one should use as their backup method.

A third-party backup tool would allow you to easily find and restore as many files as you need, or even restore an entire user or folder to a point in time. One step, instead of thousands of them.

SharePoint and OneDrive do offer versioning to protect against accidental mistakes, and Microsoft 365 now enables 500 versions by default. You can check whether or not versioning is currently enabled in your account, and reduce or increase this number as required. 

While 500 versions may sound like a lot, you should know that Microsoft 365 is continually saving versions while you are working on a document. I’ve seen plenty of complaints about this online.

Versioning protects you from typical user errors, but malware may be able to change or encrypt your file more times than the number of versions you store, which would mean you do not have a valid version to restore. Malware can even encrypt your files a random number of times so you have to dig all over time and space to find the right version — what a mess.

Microsoft retention policies vs. third-party Microsoft 365 cloud backup solutions

An attacker intent on doing your company harm might also attempt to gain administrative access to your Microsoft 365 account via phishing, social engineering, or even taking advantage of a vulnerability in the software itself. A rogue admin (or well-meaning admin attempting to save space) can easily disable versioning or reduce it to a very low number. Even features like legal hold will not stand up to a rogue or fake administrator. This is why we back up data that matters to us, and Microsoft 365 is no exception.
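The versioning check and the rogue-admin scenario described above can be turned into a recurring audit. The following is an added example, not code from the original article or from Microsoft: a PowerShell filter that flags document libraries where versioning is off or capped below a baseline. The function name, the baseline parameter and the sample objects are constructed here, and the commented live call assumes the PnP.PowerShell module.

```powershell
# Added example: flag document libraries whose version history is disabled
# or capped below a baseline. Not code from the article or from Microsoft.
function Test-VersioningBaseline {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $List,
        [int] $MinimumVersions = 500   # the default the article cites
    )
    process {
        # BaseTemplate 101 is a document library; skip hidden system libraries.
        if ($List.BaseTemplate -ne 101 -or $List.Hidden) { return }

        $finding = if (-not $List.EnableVersioning) {
            'Versioning disabled'
        } elseif ($List.MajorVersionLimit -lt $MinimumVersions) {
            "Limit $($List.MajorVersionLimit) is below baseline $MinimumVersions"
        } else {
            $null
        }

        if ($finding) {
            [pscustomobject]@{
                Library           = $List.Title
                EnableVersioning  = $List.EnableVersioning
                MajorVersionLimit = $List.MajorVersionLimit
                Finding           = $finding
            }
        }
    }
}

# Constructed sample input using the property names of SharePoint list objects.
$sample = @(
    [pscustomobject]@{ Title = 'Documents'; BaseTemplate = 101; Hidden = $false; EnableVersioning = $true;  MajorVersionLimit = 500 }
    [pscustomobject]@{ Title = 'Finance';   BaseTemplate = 101; Hidden = $false; EnableVersioning = $true;  MajorVersionLimit = 5 }
    [pscustomobject]@{ Title = 'Archive';   BaseTemplate = 101; Hidden = $false; EnableVersioning = $false; MajorVersionLimit = 0 }
    [pscustomobject]@{ Title = 'Tracker';   BaseTemplate = 100; Hidden = $false; EnableVersioning = $false; MajorVersionLimit = 0 }
)
$sample | Test-VersioningBaseline | Format-Table -AutoSize

# Live use (assumption: PnP.PowerShell is installed; sign-in parameters vary
# by module version; the site URL is a placeholder):
# Connect-PnPOnline -Url 'https://<tenant>.sharepoint.com/sites/<site>' -Interactive
# Get-PnPList -Includes EnableVersioning, MajorVersionLimit | Test-VersioningBaseline
```

With the sample data, only the Finance and Archive libraries are reported. Running the check on a schedule and comparing results over time surfaces a lowered or disabled version limit before the remaining history ages out.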

Microsoft 365 does offer a new feature called retention policies that provides additional protection against some of the risks mentioned above if you use an optional feature called retention lock; however, there are some things you should know about these features. The first thing I’ll say is that they’re not that simple. The “overview” of how they work is 25 pages and over 5,000 words long. There are a variety of options in this tool, any one of which could be configured incorrectly and result in a reduction in protection.

Perhaps the most important thing to understand about retention policies is that the additional versions of files they store are kept in your Microsoft 365 account, some of which are counted against your storage allocation. In addition, retention policies are only effective against hackers and rogue admins if you enable retention lock. Once you have activated retention lock, no one can undo the retention policy you put in place, which is what stops bad actors from removing it. The downside is that you can never undo this change. If you use all your storage allocation, you will be required to buy however much additional storage you need, at whatever price Microsoft wants to charge you for it.

Another problem with retention lock is what happens if you get a right-to-be-forgotten request under GDPR or California’s CCPA. By design, there is no way to satisfy these requests. This is potentially a very serious side effect of using Microsoft 365 to protect itself.

With SharePoint and OneDrive data, the extra versions you will keep go directly against your main storage allocation — this is why there was an uproar in the online community when Microsoft enabled 500 versions by default. It was seen as forcing customers to increase their storage allocation, which they now have to pay for. Imagine how much storage you will need to store every version of every file for multiple years.

The impact of using retention policies is different with Exchange Online. When you have a retention policy, deleted emails are moved into a 100 GB archive folder. If that folder fills up, you are given another 100 GB archive folder, and so on. At this time, you are not charged for this additional storage, but that could change in the future. The more archive folders you have, the harder it is to find old emails. You cannot search across your entire account; you must search within each archive folder. A third-party backup and long-term-retention system would allow you to easily search across your entire account.

There are also limitations to what retention policies can restore. For example, with SharePoint, they can’t restore deleted list columns. The only option to restore those would be a complete site restore – more on that later. With Exchange Online, they can’t do a point-in-time restore of a mailbox. I read the other day of an admin who had accidentally corrupted a user’s mailbox by uploading another user’s PST file to it. If all you have is retention policies, there is no way to undo this change, short of manually deleting the hundreds of emails and calendar entries for the other users. But if you used a third-party tool, you could easily restore that user to just before the corrupting event.

Retention policies also do not address legal hold requirements. Yes, Microsoft 365 does have a legal hold capability, but it requires many steps to activate and can be easily deactivated by a rogue administrator. More importantly, all it does is lock the data of a user. It does nothing to cull the data and prepare it for the eDiscovery process. A third-party backup tool can do this much more simply than Microsoft 365.

The “anti-backup” crowd

In Office 365 for IT pros, by Tony Redmond, Paul Robichaux, et al., there is a chapter, “Backup for Office 365,” which starts with the sentence: “Backup for Office 365 data isn’t strictly necessary.” Although the author seems to be arguing against backups, I believe a few quotes from the chapter will actually prove my point:

“Many companies believe that backups are a good thing because they would like to have a method of restoring data should the need arise… to go back to a specific time in case a tenant is infected with ransomware… to meet regulatory requirements… have multiple copies of important corporate data outside the control of a single provider. The ability to recover from administrator error… If [users] make a mistake and if they don’t [recover deleted items] before the retention period, they won’t be able to retrieve the data.” 

He says that Microsoft 365 includes mechanisms to address some, but not all, of these requirements. That seems like a whole lot of reasons to back this data up!

He also mentions that Microsoft 365 backs up your SharePoint site every 12 hours, but that “a full restore of a site collection (which overwrites your entire site) is the only option.” You will have to download from the current site any data you need to keep. You will be responsible for determining which recovery point to use, and “determining that time can be quite a challenge.” That sounds like a huge operation and a big risk of lost data from recent work. This system has two levels of granularity — site collection and subsite. If you only need to restore a folder within a single user, there is no way to do this. I spoke directly to Microsoft about this process, and they said it could take anywhere from a few hours to a few weeks, although weeks were considered the exception. Microsoft also verified that there is no SLA for recovery; it is a best-effort process.

As to versioning, Tony Redmond verifies that administrators can “disable versioning or limit the number of versions of an item to keep.” It does not protect you against a rogue or unauthorized admin, unless you use a retention policy with a retention lock. He also says “if a virus or ransomware attack hits a tenant and infects all the files in a library, it might be possible to redress much [but not all] of the damage by restoring the previous version.” He references a PowerShell script that can help you with that, but there are multiple comments on that site from people who experienced the kinds of scenarios mentioned above.

The author’s final sentence in the “Backup for Sharepoint” section is, “recovering from a virus infestation or malicious deletion is likely to be easier with a third-party backup.” So, even if Microsoft 365 is able to restore your deleted or corrupted data, it is likely going to be much easier with a third-party backup tool.

Protect your business with Microsoft 365 cloud backup solutions

In summary, there are a lot of good reasons to back up Microsoft 365. Using a third-party service like Druva to protect and back up Microsoft 365 will be easier, safer from hackers and rogue admins, and bring extensive cost savings over competing solutions, once you consider the extra storage requirements of using retention periods and locks. Most importantly, recoveries can be at any level of granularity (e.g. email, file, folder, user, site, or subsite) and come with a durability guarantee not offered by Microsoft. Microsoft says you should use a third-party service to back up Microsoft 365 and we agree.

Learn more about how Druva can help close the gaps in Microsoft 365 data protection.


¹ Microsoft, “Microsoft Services Agreement,” August 1, 2020.