The Case for Backing up O365

"Should I back up O365?"

There is no simple yes or no answer to this question, as Microsoft 365 provides several data recovery capabilities, but it comes with limitations and should not be compared to enterprise-class data protection offerings. In addition, Microsoft has limited responsibility for your data.

First, you will want to evaluate Microsoft’s native capabilities and limitations and compare them to your organizational requirements before investing in third-party backup solutions.

If you find that you need to complement Microsoft 365 capabilities, then you should invest in Microsoft 365 third-party backup solutions. These "complements" offer improvements in management and recovery, and granular data protection and recovery options. Note that these are independent of recycle bins and are stored outside of Microsoft and operated outside of the control of the Microsoft 365 administrator.

Limit investments in third-party backup solutions to offer disaster recovery, resilience or continuity for specific use cases, as third-party backup mostly serves operational recovery use cases. Disaster recovery is primarily Microsoft’s responsibility, although third-party security and archiving technologies are potential alternatives to support Microsoft Exchange Online continuity.

?Microsoft Capabilities

It's important for enterprises to understand that while Microsoft 365 does offer a highly resilient service, it may not provide comprehensive backup and recovery options. The multi-staged recycle bin architecture that is in place is primarily designed for self-service recovery by end-users, but it still requires actions from Microsoft 365 administrators. This architecture has limitations, as it is time-limited and can be bypassed or compromised. Unlike traditional data protection solutions, Microsoft 365 does not create an independent, accessible external copy of the data. This means that data protection is heavily reliant on the recycle bin capabilities and vulnerabilities, as well as the IT expertise of end-users. Additionally, each service or module within Microsoft 365 may have different recycle bin properties, dependencies, and vulnerabilities, which requires separate configuration. Enterprises must carefully evaluate their backup and recovery needs and consider additional solutions to ensure their data is properly protected.

?For organizations subject to strict compliance and regulatory environments, it is crucial to understand the limitations of the native backup and recovery features in Microsoft 365. While some organizations may find these features sufficient, many will need to supplement them with third-party solutions to ensure comprehensive backup and recovery. Microsoft has developed APIs for third-party vendors to deliver and create enhanced backup services, and organizations should consider leveraging these solutions to meet their specific needs. By doing so, they can achieve a more comprehensive backup service that meets the strict requirements of their industry and regulatory environment. It's important for Infrastructure & Operations (I&O) leaders to carefully evaluate their backup and recovery needs and work with their vendors to ensure they have a solution that provides the necessary level of protection for their organization's data.

?Microsoft’s SLAs

Microsoft's primary focus is on delivering high service availability for Microsoft 365, which includes Exchange, SharePoint, and OneDrive. This means that their priority is to ensure that the services are available and running smoothly, rather than focusing on meeting specific data recovery point objectives (RPOs) and recovery time objectives (RTOs) for individual clients.

The Microsoft 365 SLA is measured based on service uptime, and users are compensated with service credits if Microsoft does not meet the SLA. However, it's important to note that this compensation may not cover any losses or damages that may have been incurred because of the service outage.

Furthermore, clients are responsible for managing all aspects of their data security and recovery. While Microsoft provides built-in features for data protection and recovery, such as versioning, retention policies, and recycle bin, it's up to each client to ensure that they have a comprehensive backup and recovery strategy in place to protect their data in case of a disaster or data loss event.

Conclusion

I&O leaders should carefully evaluate their backup and recovery needs for Microsoft 365 to ensure that they are adequately protected against data loss that cannot be restored. This includes considering regulatory compliance, data sovereignty, backup windows, RPOs, RTOs, and long-term retention requirements.

It's also important to consider complex recovery scenarios, such as team recovery within Microsoft Teams, where recovery of data across multiple affiliated workloads can be a challenging task. Third-party backup solutions can offer simplified recovery for these scenarios, avoiding the need for complex PowerShell scripts to protect or recover this data.

By thoroughly exploring and documenting all Microsoft 365 requirements for their organization, I&O leaders can better prioritize their backup and recovery needs and determine whether additional data protection is required. This can help to avoid the risk of data loss that cannot be restored, ensuring that critical data is always available and recoverable in case of a disaster or data loss event.