Office 365 Backup: do we really need it? Office 365 is (mostly) a cloud-based service, but it doesn't mean that your data is automatically safe

Answer a MS Office 365 Survey and win a 100$ Amazon gift card

By reading this line, you might be tempted to ask for the following question: "Why should I back up these data? Isn't Microsoft already doing this for me?"

As a matter of fact: no, it doesn't. Office 365, just like MS Azure, enforces a shared responsibility model between the cloud provider (Microsoft) and the end-user (you or your organization). For that very reason, if you want to really minimize the risk of losing your data, you should consider a third-party backup solution to protect your valuable data from Exchange Online, MS Teams, SharePoint Online, OneDrive for Business, and all the products related to Microsoft 365 ecosystem.

If you don't know what a shared responsibility model is, don't worry: the first part of this post will shed some light about that. In the second part of this post we'll briefly review some cost-effective Office 365 backup solutions to securely protect our Mailboxes, Teams and OneDrive & SharePoint files.

Shared Responsibility Model

When dealing with cloud-based services and solutions, it's important to clarify which security tasks are handled by the cloud provider and which tasks needs to be handled by the customer. These responsibilities usually vary depending on the service model: Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), not to mention the cloud-based solution that strongly relies upon on-premise resources for, workloads, data storage, and such.

Here's a Microsoft diagram that explains how these responsibilites are split between the provider and customer:

Office 365 Backup: do we really need it?
Azure's Shared Responsibility Model

As we can easily see by looking at the above diagram, regardless of the service model, the customer always own his/her data and identities: however, it means he/she's also responsible for protecting the security of such data & identities, regardless if they are stored on on-premises resources or in the cloud. Here's a brief list of the responsibilities always retained by the customer:

  • Data
  • Endpoints
  • Account
  • Access management

Now, if those elements are stored in the MS Azure cloud, Microsoft has the responsibilities of physical hosting, networking and datacenter management. This is a great thing, because it means that, other than being shielded from external attackers, our data are protected from any loss due to system or data center failure.

Office 365 replicas are owned by Microsoft

More specifically, Office 365 includes a built-in data replication, which provides data center-to-data center georedundancy. And the great part of that architecture is that the replication fail overs are completely transparent, meaning that the user is completely oblivious to any changes.

However, the fact they're available "transparently" also mean that the end-user can't directly manage (or access) them. To put it in other words, those replicas are not owned by the end-user: they are owned by Microsoft. And that's only a part of the problem.

Replicas are not Backups

As we've already said early on, replicas are a great way to preserve our data from loss due to system or hardware failures, as well as natural disasters: not surprisingly, they are a fundamental part of any good disaster recovery and business continuity policy.  However, there are a number of scenarios where replicas are simply not enough to protect our data: for example, if we accidentally delete a file, the replica will update accordingly, meaning that such file will be lost. The same goes for data corruption: if one of our data gets corrupted (accidentally by us or intentionally by a malicious third-party, such as a virus or ransomware), such issue will be also replicated along with the valid data, thus resulting in a corrupted replica.

This leads us to an inevitable conclusion: replicas are good, but we also need backups.

What about the Recycle bin?

After reading all this, some of us might be still tempted to ask something like: "what about the Office 365 cloud-based trash?" As a matter of fact, the Office 365 recycle bin option can be configured to grant some limited, short-term data loss recovery: however, that's not the reason it's there. You might want to purge or prune the recycle bin, maybe even automatically... and you can't be 100% sure it won't happen for some reason. As a matter of fact, relying to a feature specifically designed for handle a different task (giving the end-user a chance to change idea after performing a manual deletion) is not the smartest thing we can do, especially if we want to retain complete access and control of these business-critical data which require short-term retention, long-term retention and the ability to fill any gaps in retention policies - not to mention the capabilities to perform granular restore, bulk restore, and point-in-time restore tasks.

Which brings us to the root of the problem: without a specific Office 365 backup solution, we will inevitably have limited access and control to our data, meaning that we might always fall victim to gaps in our retention policy and data loss. These risks have also been identified and classified by a detailed research commissioned by International Data Corporation (IDC), the global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets.

Luckily enough, this security flaw can be easily fixed with a backup of our data, stored in a location of our choice, so that we can easily access and restore whatever and whenever we want.

Introducing Office 365 Backup

For all the above reasons you should definitely adopt one of the many Office 365 Backup solutions currently available on the market:  these products are tipically offered using a Software as a Service service model and allows to back up and recover all our company's Microsoft Office 365 mailboxes, Teams, and files stored within OneDrive and SharePoint, backing them up to a separate, secure infrastructure.

Main Features

When looking for an Office 365 backup solution, here are the distinctive features you should aim for:

  • Automatic backup. The backup process should be easy to configure and fully automated (transparent), just like the bare-metal replica performed by MS: however, the end-user should have full rights over the backups, being able to download them, set up restore points, and all the common backup settings.
  • Encryption at-rest. Backup data feature should use a strong level of encryption at-rest, using the strongest encryption algorythms.
  • Encryption in-transit. All the communications should be protected with a strong encryption in-transit using HTTPS.
  • Restore strategies. The solution should be able to restore its backups as a whole (bare-metal) or using granular restore options: for example, we should be able to choose to restore an entire mailbox (or MS Team Chats) or a selected group of mail items and Team conversations.
  • Restore methods. The solution should be able to let the end-user choose between different restore supports: OneDrive Account, SharePoint Document Library, a downloadable ZIP archive, and the likes.
  • Centralized dashboard. The whole backup status should be monitored and controller using a single control page.
  • Secure access (2FA/MFA). For additional security, all backup data access (including the centralized dashboard) should be protected by a two-factor authentication (2FA) or multi-factor authentication (MFA) system.
  • Access control. The solution should support a privacy-aware ACL mechanisms, so that administrators can give restore permissions to various user accounts while respecting the least privilege principle.
  • Audit logs. The solution should generate audit trails to securely record the user activities, including: enabling or disabling mailboxes, OneDrive and SharePoint backups, backup data browse, backup restore tasks, and so on: those audits should also be tamper-proof.
  • No hidden costs. The service fee (subscription) should include backups, a suitable amount of storage (or unlimited storage), 24/7 support and the management tools, without additional costs.

Considering all those requirements, our suggested choice for 2021-2022 falls to Altaro Office 365 Backup, a comprehensive solution that meets all these expectations with a reasonable price. However, there are a lot of other alternatives to consider that offer similar features: just be sure to select something that isn't missing anything important.


That's it, at least for now: we hope that this informative post will help other system administrators and company owners to adopt a secure Office 365 backup solution to minimize the risks of data loss.


About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 it's also a lead designer for many App and games for Android, iOS and Windows Phone mobile devices for a number of italian companies. Microsoft MVP for Development Technologies since 2018.

View all posts by Ryan

One Comment on “Office 365 Backup: do we really need it? Office 365 is (mostly) a cloud-based service, but it doesn't mean that your data is automatically safe

  1. Ive realised a whole lot from reading through this post and I hope that I can catch up on other these kinds of posts soon.
    Very well written. Thanks for sharing.

Leave a Reply

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.

This site uses Akismet to reduce spam. Learn how your comment data is processed.