I’ve noticed several backup vendors become very excited by the Microsoft Shared Responsibility model for cloud services (Figure 1), mostly because the belief exists that the model supports the need for backups. I’m not sure that this is the case. Like any generic model, interpretations vary with circumstances and it’s impossible to say that the model always applies in all circumstances.
Figure 1: Microsoft Shared Responsibility Model
Microsoft Service Agreements and Backups
Another Microsoft document often advanced in support for backups is the Services Agreement for Online Services. While undoubtedly true that the agreement mentions backups three times, two are in the context of closing an account and the need to copy data before closure. The other mention says, “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.” At first glance, that sounds conclusive. And then you realize that the recommendation is for Microsoft consumer online services like Outlook.com and OneDrive.com. We therefore conclude that Microsoft recommends consumers to backup their data, which is reasonable advice.
Microsoft 365 applications include features like Exchange Online native data protection to ensure that data loss does not occur. Some other features, like retention policies and labels, depend on having appropriate licenses (Office 365 E3 and above), and can be used to ensure that important data cannot be removed.
Although APIs exist to backup some Microsoft 365 apps, the APIs were never created to underpin cloud backup and recovery. For instance, Microsoft created Exchange Web Services (EWS) for programmatic access to mailbox data. EWS was never intended to stream large quantities of mailbox data across the internet.
Even worse, backup APIs do not exist for the newer cloud-only services like Teams, Planner, Yammer, and Stream. Microsoft can’t recommend backups when no possibility exists to take backups. Some vendors attempt to workaround the lack of APIs by copying compliance records from Exchange Online. This is acceptable if you recognize that the records are incomplete and cannot be restored.
Backup products often focus on workloads, like Exchange Online or SharePoint Online. This is old-school thinking firmly rooted in the world of on-premises deployments where workload-specific processing is the norm. In the cloud, apps intermingle in a way which doesn’t happen on-premises. This creates a difficulty in restoring data. To achieve a complete point-in-time restore for Teams, for instance, the restore process might have to deal with Teams channel conversations, chats, configuration data, SharePoint Online and OneDrive for Business documents, whiteboards, calendars, attendance reports for meetings, meeting notes, approvals, and a bunch of data belonging to first and third-party apps. Teams is the most complex of any Microsoft 365 app to backup in terms of the web of connections it uses, but it does illustrate the problem faced for restore operations.
Given the amount of data generated by Microsoft 365 organizations, I wonder if it is possible to restore more than a few accounts should a problem occur. The value from a backup is often best seen in granular recovery operations when you need to restore just a few documents or a couple of mailboxes. Once numbers scale up, the sheer amount of data which needs to be restored creates a real challenge.
Of course, backup vendors do not acquaint potential customers with these inconvenient facts. Instead, too much focus is given to the potential dire consequences of something like a cyberattack (which has happened to Microsoft 365 tenants) without exploring the methods to resist attacks, like enabling multi-factor authentication for all users.
Not Against Backups
I am not against organizations subscribing to third-party backup solutions to protect their Microsoft 365 data. Backups have their place and can be very valuable if you understand the situation and can leverage backup technology to solve a problem for your company. Any considered decision which takes all the facts into account before settling on a course of action is goodness.
What I am against is the lack of honesty which often happens in conversations around the need for backup of Microsoft 365 data. Too much FUD, like the rogue administrator who removes a bunch of data, is used to create the case for backups. It would be better if backup ISVs argued their case based on fact rather than fear. I live in hope.
Last Updated: 2 April 2021
The topic of backups is covered in more detail in the Office 365 for IT Pros eBook. We like to think we take a pragmatic and sensible approach to the topic.
One Reply to “The Vexed Question of Microsoft 365 Backups”
Thank you for the interesting information that will help us make the right decision. Recently our company has been thinking about office 365 backup and recovery https://spinbackup.com/products/office-365-backup/ and have not yet made a final decision. But I think it is effective for business in the future can help a lot.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
Thank you for the interesting information that will help us make the right decision. Recently our company has been thinking about office 365 backup and recovery https://spinbackup.com/products/office-365-backup/ and have not yet made a final decision. But I think it is effective for business in the future can help a lot.