Microsoft 365 Backup: What it means for SaaS data protection

Infrastructure and operations | Feb. 19, 2024 | 5 minutes | By Paul Robichaux

At the Microsoft Ignite conference back in November 2023, Microsoft announced their release plans for their Microsoft 365 Backup service. Now that they’re in a paid public preview, with general availability being slated for basically now (first quarter, calendar year 2024), I thought “what better time than now?” to share my takeaways and what I believe this milestone means for SaaS data protection now and going forward. Here are three main points I’ll cover:

  • Welcome Microsoft to the backup space; 
  • What Microsoft’s backup service means for the SaaS data protection world; 
  • The Keepit promise.

Welcome, Microsoft, to the backup space

First off, let’s give a warm welcome to Microsoft on their entrance to the backup space. As a long-time Microsoft community member, twenty-year Microsoft MVP, and Senior Director of Product Management at an industry-leading data protection vendor, I’d say Microsoft’s entry into the market validates what all the SaaS data protection vendors have long been saying about the strong need for Microsoft 365 data protection.

Ultimately, our mission is to protect critical SaaS data to help companies keep their business-critical data backed up, thereby ensuring continuity and compliance in the face of rising ransomware threats. As long-time Microsoft partners — part of the ISV Partner Program — we at Keepit see this as an opportunity to have an even greater impact on the market. How’s that?

Well, we know that an overwhelming percentage of Microsoft’s enterprise customers have no backup. So, naturally, we want to bring that number down to boost cyber resilience of, say, critical infrastructure and critical services, and of course the market in general. So, how does Microsoft releasing their own backup help drive us forward?

Well, for one, it validates what we’ve been doing for more than 20 years. We’re built in the cloud, for the cloud, to protect cloud SaaS data. I guess a bit more practically speaking, another change is that we can now probably drop the top objection we faced from customers over that time: That cloud SaaS data doesn’t need backup.

What does Microsoft 365 Backup change? 

Now, let’s get into point two: What does Microsoft 365 Backup mean for SaaS data backup? Well, all the vendors in this space have long had to challenge the popular notion that data being in the cloud was, by default, automatically and perfectly protected. And many of us have talked at length about Microsoft’s shared responsibility model where Microsoft themselves clearly state that you, the customer, are responsible for backup of information and data, including your devices and accounts and identities.

Microsoft has built an amazing record of service quality and resilience, but their primary focus has been on protecting your data against Microsoft losing it. The Microsoft 365 Backup offering is the start of Microsoft’s journey into protecting your data against other threats, including malicious attacks, mistakes, misbehaving automations, and other misfortunes.

The optimist in me hopes that now, with Microsoft themselves developing their own backup service, we can finally put the shared responsibility model into its proper perspective. Of course you need to back up your Entra ID, M365, and other SaaS application data because clearly you are responsible for your data. Why else would Microsoft release a backup service if you weren’t responsible for it all along?

Now, aside from that original objection that perhaps can be laid to rest, at this point, not that much has actually changed with Microsoft’s announcement. That said, there sure is a newly awakened interest in data protection because of this release. This is how I see the typical train of thought playing out in response to the news:

  • We clearly need to back up our Microsoft SaaS app data. Why else would Microsoft be offering a backup service themselves?
  • Protecting our data is important because it helps us meet our business continuity and compliance requirements, but
  • To meet those requirements, we need our data available 24/7.

Let’s dive down a bit more into that last point there. How does a business guarantee access to their data no matter what happens, be it mistakes, mishap, or malice (like ransomware)? The answer is true backup.

The Keepit promise: True backup for cyber resilience 

To get to the Keepit promise, we first need to consider what the meaning of backup is. You might come across the term true backup (we use it ourselves from time to time) because ‘backup’ alone has been misused to cover things that it shouldn’t.

The canonical meaning of backup refers to storing instances of your data on an infrastructure separate from your primary data. If something should happen to your production data, your backups won’t be affected since they are separated by a physical or logical air gap.

In cloud computing, a lot of what’s being called backup is actually storing data on the same cloud as the primary data. What this means is that whatever risks you’re exposed to in your production environment would also impact your ‘backup’ data since there’s no separation. For example, an attacker who can penetrate your Entra ID tenant and can pivot into your Azure tenant holds all your Azure-based storage — including, and especially, backups — at risk.

The Keepit promise is to always offer the ultimate in data protection for multi-workload SaaS application data. By building our solution from the ground up for SaaS data protection only, we were able to create an optimized data protection solution in line with best practices like the 3-2-1 backup rule. Air gapping, immutability, and a fully redundant independent cloud are all things we’re already offering now in our service. So, it’s more the Keepit reality rather than the promise of adding in things later.

Protecting SaaS data is the Keepit mission and has always been — it’s not a feature we’re tacking on. As specialists in data protection, we provide confidence to thousands of customers that their data is here today and will be here tomorrow via our vendor-independent cloud. We look forward to working with Microsoft now and into the future to continue to lead the way in protecting SaaS data.

As we embark on this new chapter in SaaS data backup, I’d like to leave you with a question: What steps are you taking today to protect your control plane (Entra ID and Power Platform)? If you want to learn a bit more about control plane data protection, read my previous article on why you should back up Entra ID (Azure AD) in the cloud.


Paul Robichaux is Senior Director of Product Management at Keepit and a Microsoft MVP (Most Valuable Professional) – a title he has been awarded every year since 2003. Paul has worked in IT since 1978 and held a number of CTO and senior product development positions in the software industry.

Paul is a prolific contributor to the Microsoft community: He is the author of an impressive number of books and articles about Microsoft technologies, including the best-selling Office 365 for IT Pros, is a contributing editor for Practical 365, and produces a continuous stream of videos, podcasts, and webinars. He is based in Alabama in the United States.
