Teams is the Most Difficult Office 365 Application to Backup

Contemplating Teams Backup

I’m bemused by the solutions people proposed when asked about Teams backup. It’s reasonable to consider backing up any IT service and given the recent growth in Teams usage I have seen several requests from people looking to understand what they can do to secure Teams data. The reasons why you might want to backup a cloud service include:

  • Securing critical data against loss caused by an external attack (including ransomware and other malware).
  • Stopping rogue administrators removing or altering information.
  • Moving copies of data to external repositories to ensure people can work if the cloud service is unavailable for an extended period.

These are classic reasons long cited in the on-premises world. However, in the cloud, things are different because you typically don’t have the same level of access to data that you enjoy on-premises.

No Backups in Office 365

Apart from SharePoint Online, Microsoft doesn’t backup Office 365 services. Microsoft relies on its technology to protect data, so if you want a backup, you must use a third-party service. There are many services available and generally there are no problems backing up or restoring mailbox and document data. Backup products for Exchange Online and SharePoint Online have roots in on-premises technology and the methods to move data in and out of mailboxes and sites are well understood. APIs, albeit never designed for cloud backups, are available, and everything works. Well, everything works until sensitivity labels and encrypted content are introduced into the mix, but that’s another discussion.

Teams is a Cloud App

Teams is a different matter. Unlike Exchange and SharePoint, Teams is a product of the cloud. It does not exist on-premises and no one ever developed backup interfaces for Teams. But more importantly, Teams is built on top of multiple Office 365 and Azure services. The data in these services is interconnected and dependent. Restoring a mailbox is simple compared to the reconstruction of a team, complete with all its channels, tabs, conversations, meetings, and so on.

Claims of Backup Vendors

Some backup vendors claim their products cover Teams. Most base their claim on copying the Teams compliance records stored in group and personal mailboxes in Exchange Online. Although it is possible to copy Teams compliance records like any other Exchange mailbox data, this is not a backup. It doesn’t even come close for two reasons:

  1. Teams compliance records are designed to capture communications for eDiscovery and compliance use. They are not the actual data and the compliance records are not true copies of the original because they lack certain elements of Teams messages, such as reactions.
  2. No API exists to restore Teams compliance messages into a Teams channel conversation or personal chat. You could read the compliance records and use Graph API calls to write new messages into channel conversations and chats, but this is not a true restore because the newly-written items would be dated differently to the original and lack all the data not copied to compliance records.

Any backup vendor who insists that they deliver Teams coverage through Exchange Online exhibits a woeful ignorance of Teams technology. If a vendor doesn’t understand the strengths and weaknesses of their product, you shouldn’t use them.

The second (less common) approach is to use the beta Teams migration API to backup Teams data. I covered how BitTitan uses the API for cross-tenant migration in a article last August (AvePoint and Quadrotech use the same API for their tenant to tenant migration products). Not much has happened since to develop the API since and the same problems exist. One glaring issue is the inability to handle Teams personal chats.

Failure to Deal with Full Scope of Teams

Both the migration API and Exchange-based backups fail to take the wide spectrum of Teams interconnected data into account. Backing up one piece of information secures that data, but that data might be useless if other connected data is not copied and available.

Table 1 lists some of the connected data used by Teams. It’s not a definitive list and other data might be needed (like OneNote) to create a comprehensive backup of Teams in an Office 365 tenant. The purpose of the list is to illustrate the wide array of user and system data consumed by Teams. If you want to backup Teams, you need to understand what data is used with Teams in your tenant. Once you know that, you can figure out how to solve the backup problem.

Teams dataLocationBackup Situation
Personal and group chat messagesAzure CosmosDB.No backup API available.
Channel conversationsAzure CosmosDB.No backup API available.
GIFs used in Teams messages.Teams CDN.No backup API available.
Documents shared in personal and group chatsOneDrive for Business.Backed up with OneDrive for Business.
Documents shared in Teams channels (Files).Document libraries and folders in SharePoint Online sitesBacked up with SharePoint Online.
Private channelsSeparate set of SharePoint Online sites.Backed up with SharePoint Online (if the backup product copies these sites)
Email sent to Teams channels via connector.Azure CosmosDB and SharePoint Online,Backed up with SharePoint Online (messages posted to channels are not backed up).
Messages posted to channels via Office connectors.Azure CosmosDB.No backup API available.
Teams calendar.User and group mailboxes (Exchange Online)Backed up with Exchange Online data.
Teams meeting recordingsStream/OneDriveNo Stream backup API available. Recordings of meetings stored in OneDrive for Business and SharePoint can be backed up.
Teams WikiSharePoint Online.Should be backed up with other SharePoint information.
Teams compliance recordsExchange Online mailboxesBacked up with Exchange Online data.
PlannerAzureNo Planner backup API available.
Teams audit data.Office 365 audit log.Can be extracted with the Search-UnifiedAuditLog cmdlet (PowerShell).
Third-party apps.Teams app store and third-party repositories.Responsibility of third-party apps.
Teams membership and group object.Azure Active Directory.Can be backed up by reading information from Azure AD (membership of Teams private channels is not in Azure AD).
Teams policies and settings.Azure.Some data can be backed up by reading policies and settings with PowerShell.
Teams usage data.Microsoft Graph.Can be read from the Graph.
Whiteboard used in meetingsMicrosoft Whiteboard service.No backup API available.
Table 1: Teams Data is Spread across Microsoft 365 Services

In some cases, a workaround might compensate for the lack of a backup API. For instance, you could download every video from Stream and copy the video to a backup site. You could use the Graph API to copy Plans, and so on.

The problem with workarounds is that they often lack automation and the ability to scale. How many videos does a tenant store in Stream? How many are generated daily? How many plans are created and how many tasks are added, changed, or removed daily? And whiteboards?

Restore an Even Bigger Issue

Backup vendors want to sell products. Their access to your data is limited by the available APIs, so no great mystery exists as to why a comprehensive backup for Teams is so difficult to achieve. And once you have some backup data, consider that restoring Teams is even more problematic.

For more information about Office 365 backups, read Chapter 4 of the Office 365 for IT Pros eBook. Our approach can be summarized as “understand what you need to backup and why before you commit to an external backup service.”

12 Replies to “Teams is the Most Difficult Office 365 Application to Backup”

  1. Well, this is sobering! Thanks for the detailed information on the locations of Teams data. I agree with the implication that no vendor is likely to achieve comprehensive backup and restore capability for the whole universe of Teams data. And my impression from reading this is that, however unlikely data loss due to system failures is, Microsoft also currently lacks the ability to restore Teams in a licensee’s tenant.

    Shouldn’t this be a bigger concern, both among users and by Microsoft, than it seems to be?

    1. I can’t comment on the tools available to Microsoft as they might have internal utilities that can be used to effect a restore. What I can say is that no public API is available to customers to backup or restore Teams data.

  2. Hi Tony,

    thanks for the detailed information about this problem.
    Has the situation changed? Is there any product that is capable of doing a full backup atm?

    1. Of Teams? No. The problem is down to APIs. Unless and until Microsoft delivers an API to allow backup vendors access to chats and channel messages stored in the Teams data store in Azure, a full backup of Teams is not possible.

  3. It goes without saying you should interrogate the sales process to ensure that your technical requirements are covered. If you need to protect a particular element of Teams then surely you ask if that particular element can be protected using the available APIs. If it’s not, and the APIs aren’t available, then all products are in the same boat. In most cases Teams is protected via the component parts, e.g. Exchange Online, OneDrive and SharePoint Online.

    1. Sorry Edgar, but you’re dead wrong. Teams is not protected by Exchange Online, by which I assume you mean Teams messages. There is no API to backup Teams personal chats or channel conversations. You can copy the compliance items created in Exchange Online, but that’s not a backup, no matter how much backup vendors attempt to make the case that it is.

  4. I agree with Tony, I think first what you need to do is try to utilise Microsoft 365 native capabilities, such as retention, policies, etc before consider backup and chcek the ROI what you get out from backup.
    Also, Teams recordings will moves to SharePoint Online and OneDrive as follows.
    Rolling out starting March 1, 2021 Enterprise & GCC customers
    No new meeting recordings can be saved to Microsoft Stream (Classic); all customers will automatically have meeting recordings saved to OneDrive for Business and SharePoint even if they’ve changed their Teams meeting policies to Stream.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.