Microsoft 365 Backup is critical to your data security

07 November 2022

It's high time we initiate a conversation regarding Microsoft 365 and the vital aspect of safeguarding data. However, before we delve into that discussion, let's take a moment to reflect on the past, considering the context from which we've evolved to our current state.

Furthermore, it's essential to address the aspects we might have overlooked or misconstrued throughout this journey.

Preceding the Migration to Microsoft 365

Not too far back, the term "the cloud" was primarily associated with cutting-edge startups emerging from Silicon Valley.

The paradigm has since shifted dramatically, with traditional IT applications such as email and communication tools undergoing a significant migration to the cloud—this transition finds its embodiment in M365. For a straightforward monthly fee, the burden of managing extensive infrastructure within your environment is lifted.

To illustrate this transformation, let's focus on a singular product as an example. Nevertheless, the underlying principle applies to every facet within M365, or indeed, to practically any SaaS-based "cloud" product available.

Remember when email was a distinct entity? Actually, it still holds its relevance. In the past, these mail servers—referred to as Microsoft Exchange servers—were operated on-premises.

Any proficient IT department would have incorporated two fundamental pillars to ensure optimal performance for their organization:

  1. Availability of Services
  2. Strategy for Data Protection


Service Availability

To begin, these services were typically constructed using virtual machines deployed on highly resilient storage infrastructure, often comprised of extensive arrays of hard drives designed to withstand failures. The computing resources were distributed across multiple servers, forming a robust cluster capable of withstanding disruptions.

Additionally, the Exchange environment was engineered to withstand node failures, allowing for the graceful handling of server outages, whether planned (e.g., for patching) or unplanned (due to hardware issues or server crashes). This resilience was achieved through the implementation of a Database Availability Group (DAG), essentially constituting a cluster composed of two or more Exchange servers.

Data Protection Strategy

Regarding data protection, the servers and storage systems mentioned earlier were routinely safeguarded using a backup solution typically overseen by the IT department, adhering to the well-established 3-2-1 methodology.



      • 3 = Maintain at least 3 copies of your data
      • 2 = Keep copies on two different media (such as disk, tape)
      • 1 = One offsite copy, perhaps even in another cloud provider (BaaS)

This approach provides you with the highest likelihood of recovery in the event of a catastrophe, be it a fire, flood, earthquake, or even the often underestimated "user error," which, surprisingly, occurs more frequently than the aforementioned natural disasters.

The final component of this recovery strategy involves ensuring that, should the need arise to restore this data, we can do so, ideally at a granular level. Think of individual email items or entire mailboxes, as seen in our Exchange example. While it's not an ideal scenario to restore the entire Exchange environment, most reputable backup solutions should be equipped to handle this by maintaining image-level backups of each server, offering it as a viable option.

Post-Migration to Microsoft 365

Your organization is content; the IT department has successfully migrated everyone's data to the M365 cloud, making the project a resounding success. So, what does this mean for different user personas?


Users can now collaborate even more seamlessly than before. They're increasingly entrusting their data to the cloud, thanks to tools like OneDrive readily available at their disposal. Teams chat has emerged as the primary communication tool, and all seems well.

A noteworthy detail here is Microsoft's remarkable uptake during the pandemic when stay-at-home orders were issued practically overnight. As noted in the Azure blog:

"Since its launch, Teams has experienced strong growth: from launch in 2017 to 13 million daily users in July 2019, to 20 million in November 2019. In April (2020), we shared that Teams has more than 75 million daily active users, 200 million daily meeting participants, and 4.1 billion daily meeting minutes."

IT Department

A significant portion of on-premise infrastructure has been retired, resulting in reduced storage requirements and fewer servers to maintain. In general, the IT department's workload has become considerably simpler.

This is possible because Microsoft now assumes responsibility for server management, storage, and the high-availability design of the solution, ensuring maximum resiliency.

However, and here comes the inevitable "but," do you know what aspect Microsoft does not oversee, which the IT department used to manage?

It's the data protection strategy. This is what is often overlooked or, at the very least, misunderstood along the way.

Common Misconceptions About Microsoft 365 Data Protection

Let's examine a couple of significant misconceptions regarding your data when it resides within Microsoft's cloud services.

Misconception 1: Microsoft Has a Backup of My Data Incorrect. In fact, their own services agreement explicitly states:

"We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services." (Microsoft Services Agreement, link)

The crucial point here is "that YOU regularly backup YOUR content and data." It's your data, so it's your responsibility to protect it!

Surprisingly, this is not an uncommon assumption. According to ESG Master Survey results, a staggering 35% of respondents believed that their SaaS vendor, namely Microsoft, is responsible for data protection.

Understanding the Shared Responsibility Model This is where comprehension of the shared responsibility model is invaluable. The infographic below visualizes the respective responsibilities within the realm of Microsoft 365.

You may observe some other components in this context, such as security and regulatory aspects, and there's a strong parallel to be drawn with data protection.

For instance, we understand that Microsoft takes care of physical security, access to data centers, the physical servers and storage they operate on, as well as access to the exchange servers themselves. However, it remains our responsibility to oversee user security measures like enforcing robust password policies, implementing multi-factor authentication, and conducting log audits, among others.

For more detailed information about the Microsoft Shared Responsibility model, you can refer to the Veeam blog.

Retention policies are backups.

These are two distinct concepts:

  • Backup refers to a duplicate copy of your data that you can use for recovery purposes if the need arises.
  • Retention, on the other hand, refers to the duration for which something must be preserved before it can be deleted. Even in the realm of backups, this terminology is applicable, specifying how long a restore point should be retained before the backup solution removes it.

This distinction is crucial because relying solely on retention policies to keep your data online in the cloud for legal or compliance reasons doesn't equate to a comprehensive backup solution.

While you can set retention policies for extended durations, this may lead to other implications, such as increased data storage costs. Eventually, you might end up paying more to retain your data than employing a regular retention period plus a third-party backup solution. Moreover, adhering solely to retention policies means you never fulfill the "1" in the 3-2-1 rule, which involves having an offsite or "off cloud" copy of your data.

So, why do we need backups? What risks are we safeguarding against?

Traditionally, when we contemplate the need for backups, we think of conventional scenarios like fires or natural disasters. These are unlikely to occur in the vast "clouds" spread across multiple facilities, right?

To some extent, this holds true. Microsoft 365 is a highly resilient platform distributed across facilities worldwide. However, it's not immune to data loss. Referring back to Microsoft's own Services Agreement under the warranties section, it explicitly states:


Additionally, there are other security threats and complexities for which your organization is responsible, as per the shared responsibility model.

While numerous edge cases and reasons exist, these are the most common motives for implementing a third-party backup solution for your data:

Retention/Policy Gaps

Configuring these can be intricate, often requiring multiple policies to meet your needs, which carries the risk of creating gaps in data retention that you may not be aware of.

User Error/Accidental Deletion

Accidentally deleting files due to human error is an exceedingly common data loss scenario. It's also the most prevalent.

Security Threats

The prevalence of security threats, such as ransomware and phishing attacks, has risen significantly. Attackers with compromised credentials can manipulate and remove compliance and retention policies before deleting data from your M365 tenancy.

Now, let's explore your options and how straightforward it is to implement third-party backup solutions.

The good news is that enabling third-party backup solutions is a relatively straightforward process. Microsoft has provided external APIs that allow third parties to securely access and retrieve data, with proper consent, of course.

Numerous software applications and even other SaaS/cloud providers offer such services. The choice depends on your strategy, whether you prefer to manage your infrastructure or outsource it.

In both scenarios, I personally recommend Veeam Backup for Microsoft 365. It supports:

  • Exchange
  • OneDrive
  • Teams
  • SharePoint

This product offers flexibility in configuring data protection, allowing you to include or exclude specific data, determine retention periods, and set backup job frequencies according to your preferences.

When it comes to data restoration, Veeam provides market-leading tools for searching data within your backups and facilitating eDiscovery. One particularly valuable feature is the ability to compare your backup data with the data in M365, making it easy to identify missing items. This is useful when users cannot recall precisely what they deleted but know they removed a batch of files or when an employee has "exited" the organization and conducted some data cleanup along the way.

In terms of licensing, Veeam's approach stands out. Unlike some products that require you to pay for all users in the backup set, including those who have left the company, Veeam charges only for active users. Consequently, all historical data in the tenancy can be retained at no additional cost, except for storage expenses.

For a comprehensive overview of this product, you can visit the Veeam Backup for Microsoft 365 product page.

Now, it's time to make a decision: do you want to manage the backup environment yourself or outsource it? Each approach has its merits, depending on your internal resources.


In most cases, all you need is a single server. For larger organizations, deploying additional worker nodes may be necessary to handle the high volume of data generated and distribute backup jobs accordingly.

The server can be a physical or virtual machine on-premises. However, if you've transitioned away from on-premises infrastructure, you can spin up a virtual machine on any cloud provider supporting Microsoft Windows and run the Veeam product from there.

Regarding where to store backup data, I recommend object storage. Any S3-compatible provider is supported, such as AWS, Azure, Wasabi, or a local provider to meet regulatory requirements. Object storage offers high resilience and scalability, eliminating concerns about data expansion.

However, the product also supports saving data to conventional block storage (local hard drives), but be mindful that monitoring the local drive and expanding it as your backup grows will be necessary.


This is the simplest option. Veeam has a growing number of Service Provider Partners with expertise in configuring and maintaining these environments, sparing you the responsibility.

Reputable providers incorporate automation to facilitate onboarding with your M365 credentials. Once configured, your service provider will grant you access to a dashboard displaying backup history and providing you with the tools to control what gets backed up and how long it's retained. They'll also offer tools or a portal for data restoration when needed.

Billing models for this service are typically straightforward, akin to how you consume M365: (#of users * license) + total data storage. However, it's advisable to confirm these details with your chosen provider.

As a disclaimer, I work for one such provider, Softsource vBridge, where we have integrated all the automation mentioned above to simplify monthly consumption. We offer flexible terms with no commitments, and you can request more information here if interested.


November 2022

Back to Articles

Other Recent Articles

Read More
Read More
Read More
Read More
Read More