This question gets posed frequently and there is some confusion about who has responsibility for data protection in O365 environments.  Microsoft’s documentation is a little…. vague in some areas which doesn’t help matters.

Lets break this down a little.

Some background – who’s doing what?

Microsoft take care of the infrastructure and ensure the availability of the application.  They ensure that this environment is resilient, with redundant hardware, ensuring data replicated across multiple sites and a whole host of security measures.

They do backup data, but this is to ensure platform availability and in the event of a major disaster have a recovery point, this backup is not necessarily for the benefit of the user community.  The administration of the application, the application of security recommendations and the protection of data is the clients responsibility.

Is Microsoft protecting my o365 data then?

In part yes, in part no.  Microsoft are providing a highly available platform and as such they have a highly redundant setup that ensures that users experience the minimal amount of downtime.  If Microsoft has a serious failure, rest assured that they have your data failed across to another site and/or a copy of your data to recover from.

That’s great, historically, there would be concern over hardware failure, site redundancy and so on, but these issues are largely eradicated with Office365, Microsoft host applications and data across multiple sites providing some comfort against issues affecting the Data Centre, Hardware or OS.  One headache removed and a big tick in the box.

However, the level of data protection Microsoft are providing is to ensure the application remains available.  True data protection is the responsibility of the customer.  If data is accidentally (or intentionally) deleted, if there is a malicious attack or if data is corrupted via a virus or other means, Microsoft wont take responsibility for the recoverability of that data, that is your responsibility.

What about retention policies?

Retention Policies go part way to offering a solution, but only protect you from data loss in limited scenarios.  Some examples of the policies / controls that can be implemented natively include:

  • Sharepoint Online and OneDrive leverage primary and secondary recycle bins with 93 day retention periods
  • OneDrive does have a restore feature which enables you to roll back all of your files to a previous point in time (within 30 days)
  • Exchange Online has a recoverable items folder if emails are deleted from the recycle bin which has a 14 day default retention period – this can be extended to 30 days.

Unfortunately, these policies don’t offer full proof protection and have some practical limitations.  Examples include:-

  • In the case of OneDrive, its all or nothing, users have to roll back all changes instead of being limited to files and folders
  • Offers very little, if any protection in the event of user error, hacking, malicious intent or sync issues
  • If data gets deleted from OneDrive it becomes irretrievable
  • Primary and Secondary recycle bins can be emptied at any time, at which point data becomes irretrievable
  • Limited retention periods

So do I need to backup O365 or not?

Our recommendation would be yes, absolutely.

  1. Retention policies alone don’t offer sufficient data protection or restore capability for the myriad of scenarios whereby data needs to be recovered.
  2. You are not in control over the time to restore/recovery.  You are totally in Microsofts hands here and to re-iterate, there is no SLA on recovery.

In a real world customer example, it took 72 hours for data to be recovered after a major incident (not of the customers making).  When SharePoint, OneDrive and Exchange data is pivotal to business operations, thats just too long.

What are my options, is there a native Microsoft backup product?

To our knowledge no and Azure Backup doesn’t currently support O365 backup, although we’d anticipate that it will in time.

There are lots of providers on the market providing a cloud to cloud solution.  The first place to go would be to ask you existing backup vendor if they have a solution that integrates with your existing backup mechanism.  Some have modules (others have bought a completely different business and rebadged it).  The ideal would be to have a single console to work from, but not always possible.

We use a SaaS tool (Backupify), which is a Datto product.  Its licensed per user, so there is no additional storage charges which makes life easier.  It provides a cloud to cloud backup solution for O365 which just works; ensuring several roll back periods are available for:-

  • Exchange / Email
  • Sharepoint Online
  • OneDrive
  • Contacts / Calendar

Hopefully this helps if you are asking this very question, but if there is something we’ve not covered, feel free to get in touch.

You can read Microsoft’s documentation on retention policies here 

Mike Starnes

Mike has worked in the IT Industry for over 20 years. If he's not talking technology, he'll be reading, playing football or trying to embarrass his daughters.