Why You Should Back Up Microsoft 365

Before I was a consultant, I spent 20+ years managing all manner of technology groups and functions. Backup was always core to any system decision or implementation just like networking, security, or storage. Most of the time I made sure there was a backup plan before there was an implementation plan. While the technology and media may have changed (and yes, I’m looking at you, DDS-4…), backup was a common requirement that transitioned to virtual machines hosted on-premises in a colocation facility, and servers hosted on Infrastructure-As-A-Service (IaaS) virtualization services like Azure and AWS.

For whatever reason, though, this mindset didn’t seem to follow the data that moved to Software-As-A-Service (SaaS) platforms like Microsoft 365, Salesforce, or Google Workspace. Many organizations moved their data to these platforms and never gave backup a second thought (including yours truly, up until a few years ago). When you consider that the “crown jewels” of most organizations include their files and email, this is simply astonishing.

The reality is that many SaaS providers have fairly limited backup features embedded in their products, and those features are typically focused on short-term retrieval of a small amount of data. You may argue that the extent of their infrastructure and internal redundancies make failures that cause data loss extremely rare, and that is true most of the time. However, to have full control of backups and be able to retain and restore backups in the various ways that organizational or compliance requirements dictate, you really do need a backup solution for your Microsoft 365 data. Microsoft 365 and other SaaS platforms typically offer APIs for data backup systems to connect to and use. Also, have a look at the terms of service you agreed to – they usually recommend that you use a third-party backup method. Listed below are some of the many reasons you need a backup solution.

Long-term Backup Retention

  • Recycle Bin Function: There is a recycle bin function in Microsoft 365 that retains deleted data for about 90 days. If someone deletes critical files and no one realizes it until after that 90-day period expires, that data is gone.
  • Point-in-time backups are often required at the end of a business period (End of Month or End of Year). A third-party product is required to capture and maintain a backup like that for Microsoft 365 data.
  • Compliance programs or government regulations often dictate that multiple copies of specific kinds of data like public records, blueprints, property records, and the like are maintained for long periods (20+ years). Microsoft Purview can manage records like this, but a third-party platform allows you to maintain distinct copies in one or more separate locations.
  • M365 Functions: The document versioning, retention and legal hold functions in Microsoft 365 are powerful and useful features, but they aren’t intended to replace the need to back up data.

Robust Incident Recovery Capabilities

  • Cyber insurance policies often require data to be backed up in an immutable format in case of a malware attack. Microsoft 365 does not offer this kind of protection.
  • More often than cyberattacks, people make mistakes or sometimes intentionally delete data. Recovering large amounts of data like entire mailboxes or file stores is much easier using a tool designed for that. Doing this with the native GUI and PowerShell tools is very time-consuming.
  • Microsoft 365 is an ecosystem, and even the data stored in peripheral apps like Planner or Forms can be recovered more easily.
  • Mass version rollback is often a click of a button in the case of a ransomware attack. Doing the same thing with the native tools is difficult.
  • A third-party product will give you restore options outside of the Microsoft 365 platform in the event there is ever an extended outage.

There are a large number of products on the market that can back up Microsoft 365 data. It is important to consider how the design, features, and cost of the platform you select will fit into your overall backup and recovery strategy.

Consider Your Requirements

  • Depending on the amount of data in the tenant, it may take weeks for the initial data backup to complete. After that, the backup platform should perform incremental backups from that point forward. Confirm that process with your vendor and understand what best practices you should follow to avoid being throttled by API limitations.
  • Ensure that the location of the backup data aligns with your recovery plans. Vendors offer the ability to back up to another public cloud, a dedicated data center, or even locally to your data center.
  • Be thoughtful about licensing. Backup vendors license their products in a variety of ways. Make sure the licensing approach aligns with your needs. Whether you have many users with low volume or fewer users with high volume can make a big difference in cost. Also, be sure to ask and understand how disabled, archived, or shared accounts are licensed.
  • Access control is critical. Ensure that similar identity, authentication, and content permissions can be maintained. You don’t want to sidestep your production environment access controls in the backup environment. Backup users should only have access to what they require. You will also want to set up a “break-glass” account in case SSO is impacted by an outage that you need to recover from.
  • Maintain content encryption. The backup solution should encrypt the data it holds and you should be able to manage the encryption keys accordingly.
  • Ensure the backup solution provides robust reporting and exception alerts. Like other applications, it will require some care and feeding from time to time.
  • Find out if your existing backup vendor offers Microsoft 365 backup. Using a consolidated tool can make recovery planning and training easier.

In general, third-party backup systems make it easier to find and restore data than the native Microsoft 365 methods. Consider how that can be leveraged on a day-to-day basis. For example, it may allow you to have the service desk fulfill restore requests rather than senior engineers when someone accidentally loses a file. 

Personally, I have seen third-party cloud SaaS backup platforms save the day more than once. A couple of examples:

  • An executive deleted the contents of their inbox and then somehow deleted the messages out of the trash when trying to recover them. Of course, this was just before a critical inventory order was due (which was in the inbox). The service desk was able to restore all of it in a few minutes, no senior engineer required. Just a few clicks.
  • A departing employee deleted a few hundred critical files on their way out the door just before COVID lockdown, and COVID caused the files not to be missed for about 4 months. When the files were discovered to be missing, they were no longer in the SharePoint recycle bin. (They were in the backup platform.) Thousands of dollars and hours saved.

Neither of the situations above was an overall business-threatening incident, but they would have been costly. The point is that most of the time you will be using a SaaS backup to resolve common issues and help everyone save some angst, time, and money.

I always recommend to clients now that they include Microsoft 365 backup in their disaster recovery plans. It fills a gap and also provides another tool set for the technology team to be able to leverage for daily tasks at a fairly reasonable cost. (And it is most certainly better than DDS-4.) 

Tom Papahronis

Strategic Advisor - eGroup | Enabling Technologies

Last updated on July 31st, 2023 at 12:41 pm