The Vexed Question of Microsoft 365 Backups

To Backup Or Not To Backup

I’ve noticed several backup vendors become very excited by the Microsoft Shared Responsibility model for cloud services (Figure 1), mostly because the belief exists that the model supports the need for backups. I’m not sure that this is the case. Like any generic model, interpretations vary with circumstances and it’s impossible to say that the model always applies in all circumstances.

Microsoft Service Agreements and Backups

Another Microsoft document often advanced in support for backups is the Services Agreement for Online Services. While undoubtedly true that the agreement mentions backups three times, two are in the context of closing an account and the need to copy data before closure. The other mention says, “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.” At first glance, that sounds conclusive. And then you realize that the recommendation is for Microsoft consumer online services like Outlook.com and OneDrive.com. We therefore conclude that Microsoft recommends consumers to backup their data, which is reasonable advice.

Challenges in Microsoft 365 for Backup Products

The equivalent service agreement document governing Microsoft 365 doesn’t mention backup at all. I think several reasons exist why this is so.

• Microsoft 365 applications include features like Exchange Online native data protection to ensure that data loss does not occur. Some other features, like retention policies and labels, depend on having appropriate licenses (Office 365 E3 and above), and can be used to ensure that important data cannot be removed.
• Although APIs exist to backup some Microsoft 365 apps, the APIs were never created to underpin cloud backup and recovery. For instance, Microsoft created Exchange Web Services (EWS) for programmatic access to mailbox data. EWS was never intended to stream large quantities of mailbox data across the internet.
• Even worse, backup APIs do not exist for the newer cloud-only services like Teams, Planner, Yammer, and Stream. Microsoft can’t recommend backups when no possibility exists to take backups. Some vendors attempt to workaround the lack of APIs by copying compliance records from Exchange Online. This is acceptable if you recognize that the records are incomplete and cannot be restored.
• Backup products often focus on workloads, like Exchange Online or SharePoint Online. This is old-school thinking firmly rooted in the world of on-premises deployments where workload-specific processing is the norm. In the cloud, apps intermingle in a way which doesn’t happen on-premises. This creates a difficulty in restoring data. To achieve a complete point-in-time restore for Teams, for instance, the restore process might have to deal with Teams channel conversations, chats, configuration data, SharePoint Online and OneDrive for Business documents, whiteboards, calendars, attendance reports for meetings, meeting notes, approvals, and a bunch of data belonging to first and third-party apps. Teams is the most complex of any Microsoft 365 app to backup in terms of the web of connections it uses, but it does illustrate the problem faced for restore operations.
• Given the amount of data generated by Microsoft 365 organizations, I wonder if it is possible to restore more than a few accounts should a problem occur. The value from a backup is often best seen in granular recovery operations when you need to restore just a few documents or a couple of mailboxes. Once numbers scale up, the sheer amount of data which needs to be restored creates a real challenge.

Of course, backup vendors do not acquaint potential customers with these inconvenient facts. Instead, too much focus is given to the potential dire consequences of something like a cyberattack (which has happened to Microsoft 365 tenants) without exploring the methods to resist attacks, like enabling multi-factor authentication for all users.

Not Against Backups

I am not against organizations subscribing to third-party backup solutions to protect their Microsoft 365 data. Backups have their place and can be very valuable if you understand the situation and can leverage backup technology to solve a problem for your company. Any considered decision which takes all the facts into account before settling on a course of action is goodness.

What I am against is the lack of honesty which often happens in conversations around the need for backup of Microsoft 365 data. Too much FUD, like the rogue administrator who removes a bunch of data, is used to create the case for backups. It would be better if backup ISVs argued their case based on fact rather than fear. I live in hope.

Last Updated: 2 April 2021

---

The topic of backups is covered in more detail in the Office 365 for IT Pros eBook. We like to think we take a pragmatic and sensible approach to the topic.