Microsoft 365 Business Backup

So you have already or are planning to migrate to the Microsoft 365 Business Suite. This is either a hybrid or pure cloud instance. So, you now need to address how to run Microsoft 365 Business Backup ? Additionally, this begs the question as why do I need to do this, because it’s in the cloud right?

Read on to learn the the real confusion about what the challenges are around Microsoft 365. Furthermore, how to ensure you have the bases covered with respects to Microsoft 365 and backups.

Aren’t Backups are part of the service?

First, lets get this out in the open. This is a hot topic, and it’s a common misconception that the platform is protected fully. Secondly, there are vendors introducing FUD into the the Microsoft 365 Business Backup conversation.

“The misconception that Microsoft fully backs up your data on your behalf is quite common, and without a shift in mindset, could have damaging repercussions when this responsibility is left unattended.”

I’m not sure where this misconception exists. Microsoft is quite clear that, apart from SharePoint Online, they do not backup Office 365 data. Instead, Microsoft depends on functionality built into the software (like Exchange Online’s Native Data Protection) coupled with hardware resilience to protect customer data. It has been this way since Microsoft launched Office 365 in June 2011.

Microsoft 365 Business Misconceptions

Nevertheless, projecting the view that it’s important to backup data is goodness for backup vendors, especially when they can infuse customers with the feeling that they have a responsibility to backup their Microsoft 365 data (because Microsoft won’t). Let’s review the reasons advanced to justify Microsoft 365 Business Backup. Lets delve into the some of these topics :

Recycle Bin
- Accidental Deletion
Retention Policy
Internal Security Threats
External Security Threats
Legal and Compliance Requirements
Managing Hybrid Email Deployments
Confusing Office 365 with a Limited Application Set

Microsoft 365 Recycle Bin -Microsoft 365 Business Backup

So, lets start by debunking some of these misconceptions and how to close the possible gaps. First, SharePoint Online and the 93-day standard processing cycle for deleted items through its recycle bin. There are metrics that indicate “the average length of time from data compromise to discovery is over 140 days” and, somewhat breathlessly, says that this is “a shockingly large gap.” (assuming the gap is the 57 days difference).This is good example of classic FUD. Some vendors paint a picture to tell customers that they might lose important data and the only solution is to deploy software that the vendor just happens to have available.

Native Microsoft 365 Solution

Firstly, the simple fact that your tenant should have retention policies enforced. This ensures that important information is under protection. This requires implementation of SharePoint Preservation Hold Library. Additionally, it’s where documents are under the scope of retention policies. They are kept safe and available for eDiscovery and recovery (if necessary). The downside of using retention policies for documents is that data held in the Preservation Hold Library. Consumers of M365 services are an additional charge against the tenant’s SharePoint storage quota. Additionally, this isn’t a problem data protection issue, but it might force the tenant to buy more storage from Microsoft.

Accidental Deletion

For instance, backups are necessary in case of accidental deletion . I’d be more inclined to believe that this is a problem. If you didn’t see text like warning “If you delete a user, whether you meant to or not”. That deletion is replicates across the network, along with the deletion of their personal SharePoint site and their OneDrive data. Lastly keep in mind the focus here is on SharePoint Online.

OneDrive for Business is a user’s personal site, and the workflow used to remove accounts allows an administrator to assign access to the deleted user’s OneDrive for Business account as part of the process. If you want to keep someone’s mailbox, put it on hold before deleting the account and Exchange Online will make the mailbox inactive and keep it until the hold expires. In any case, for all account deletions, even if no hold exists. You can still recover the account for up to 30 days following the deletion.

Exchange Online automatically increases the storage quota for Recoverable Items to 100 GB. So, when mailboxes are on hold to ensure that email held by retention policies can be available online for recovery.

Retention policy gaps and confusion – Microsoft 365 Business Backup

Retention planning and execution can be confusing. So, unless it’s planned, especially when several Office 365 workloads are applicable, but let’s investigate further. Another, misconception is Office 365 has limited backup and retention policies that can only fend off situational data loss.

Leaving aside the odd phrasing of “fending off situational data loss,” the fact is that SharePoint Online is the only Office 365 workload that takes backups, so they’re right about limited backup. But that’s by a deliberate design decision to rely on the ability of software to construct robust data protection schemes, like Exchange Native Data Protection.

Native Data Protection for Exchange Online is rooted in practicality. In general, the amount of data generated by Office 365 applications would create significant challenges and cost if Microsoft were to attempt to take backups. In the case of Exchange Online , consider how long it would take and how much storage is needed to back up the mailboxes of 258 million Office 365 users. Furthermore , when the average size of a cloud mailbox is much larger than its on-premises counterpart due to larger mailbox quotas, the recoverable items quota, and expandable archives. Lacking backups is only a weakness in the eyes of backup vendors; it can be a valid and defendable choice for tenants who elect to exploit the features incorporated in the software

Catastrophic failure of Exchange , SharePoint Online or OneDrive

If Office 365 suffers a catastrophic failure, what is the restore target? Will the customer have on-premises servers to restore data to? Or can they move data to another platform? The multiple datacenters within Office 365 regions means that it would take a truly catastrophic incident to remove service from tenants for more than a working day – and the history of Office 365 operations proves this to be the case.

I appreciate that the availability of backups could allow granular restores or point in time restores of objects like an Exchange Online mailbox, a SharePoint Online site, or a OneDrive for Business account, and can be valuable in scenarios like a ransomware attack. Outside the base workloads, all bets are off because no backup and restore APIs exist for applications like Teams and Planner, a fact that no ISV cares to mention.

The outstanding Question , what about Teams ?

Backing up the Teams compliance records created in Exchange Online is not a Teams backup, no matter how loudly a vendor proclaims this to be true. Including these records along with other mailbox data is an imperfect and fundamentally flawed answer. The records are incomplete and can’t be restored into Teams chats or channels.

Some backup vendors, like Code Two, say that they backup Teams data. Further they then clarify that they’re only referring to the SharePoint Online, OneDrive for Business, and Exchange Online (calendar) data. Although, this is better than leading customers to believe that Teams chat and channel conversations are in a back up set. I prefer the clarity of other vendors like Spanning, who concentrate on the well-known and fully understood challenge of backing up Exchange Online, SharePoint Online, and OneDrive for Business.

Internal Security Threats – Microsoft 365 Business Backup

It’s true that someone with administrative permissions could attempt to remove or compromise data before they leave an organization. The “rogue admin” scenario is much beloved of backup companies. Furthermore the threat is less in the cloud than it is on-premises. The application of Retention policies (including those that can’t be amended by administrators). These, can offset the potential effect of someone who maliciously deletes all around them before they are escorted off the premises. Additionally, features like Privileged Access Management can moderate the ability of administrators to wreak havoc on mailboxes. So, confidential information can be protected against casual browsing by administrators by encrypting them with sensitivity labels.

None of these features are available on-premises, which is why they might be an oversight. Another thing is that isn’t available on-premises is a comprehensive audit log to capture details of what someone does. It exists in the cloud as the Office 365 audit log.

External Security Threats – Microsoft 365 Business Backup

The prospect of users downloading infected files or succumbing to a phishing attack is very real. User training helps, as do good mail hygiene defenses like Advanced Threat Protection or an equivalent email cleansing service, but threat of infection exists and can have horrible consequences. It’s worth noting here that SharePoint Online and OneDrive for Business both can restore files up to 30 days back and can cure an infection in this manner. There are some issues have been some issues with these restores. Microsoft has improved how the feature works since. No other Office 365 app has a point in time restore capability.

Lastly, regular backups will help ensure a separate copy of your data is uninfected and that you can recover quickly. So, if you can restore a backup to an alternative location where the uninfected data reside. I’m happy that this works well for Exchange Online and SharePoint Online. This is still questionable with Teams, Planner, Yammer, and so on.

Legal and Compliance Requirements – Microsoft 365 Business Backup

The need to be able to retrieve information to satisfy legal or compliance requirements. So, “Microsoft has built in a couple safety nets, (Litigation Hold). Although , these are not a robust backup solution capable of keeping your company out of legal trouble” and trot out. The prospect (again) of losing SharePoint data when a user account is deleted.

Litigation hold is an Exchange construct where complete mailboxes put on hold. The feature works on both on-premises and cloud platforms. Office 365 retention policies and in-place holds are much more powerful and comprehensive than simple litigation holds and cover Exchange Online, SharePoint Online, OneDrive for Business, Teams, Microsoft 365 Groups, and Skype for Business Online. So retention policies , apply here to meet the Legal and Compliance Requirements.

Managing Hybrid Email Deployments

Exchange Online is the biggest workload in Office 365 but it’s not Office 365. This problem of assuming that what works for an individual workload applies across a huge suite exhibits a lack of awareness of the integrated nature of the service. On-premises deployments focus on individual applications like Exchange or SharePoint, but Office 365 is more integrated, broader, more complex, and its data is less accessible to ISVs. I understand how people can take their on-premises experience and transpose it to Office 365, but it’s not right.

Confusing Office 365 with a Limited Application Set

It seems that backup vendors often refer to Office 365 when they really mean Exchange Online and SharePoint Online (including OneDrive for Business), which are the workloads they can process. Things get more problematic for apps like Teams, Yammer, and Planner. Microsoft hasn’t delivered suitable APIs to allow vendors to build backup and restore tools for these apps. ISVs cannot be responsible for being unable to stream data from these apps to suitable backup locations.

It’s important that vendors tell potential customers exactly what their software can do. Regretfully, a lack of precision and accuracy is often the narrative spun by backup vendors.

Poor, Badly Argued, Incomplete

Streaming information to a backup location is a well-known science for Exchange Online and SharePoint Online. Restoring data is where backup vendors differentiate their offerings and earn their money. If you decide to use a backup service, ask questions about just what data is covered and how realistic it is to restore data after a catastrophic outage. If the vendor can’t come up with compelling and evidence-based answers, try someone else.

Upgrading to more advanced (and expensive) Office 365 licenses might be a better investment than committing to a third-party backup service, especially when you consider the problems of a) backing up several Office 365 apps and b) the difficulty of restoring data (apart from email and documents) to some other platform should a disaster happen, unlikely as that might be.