Why backup for Microsoft 365 — All you need to know

Infrastructure and operations | June 1, 2022 | 8 minutes | By Paul Robichaux

If you have children, you’re probably familiar with the feeling you experience when you suddenly realize how much they’ve grown over a period of time. Day by day, those changes may seem small, but when looking across years or decades, they add up. So it is with Office 365, which has grown to have more than 345 million paid seats and generates a large part of the nearly US$100 billion that Microsoft will book for cloud revenue this year. I’m old enough to remember Microsoft’s proud announcement that Exchange Server itself had crossed the US$1 billion/year revenue mark back in 2004.

“But what does that have to do with why I should back up my Microsoft 365 data?” you ask. Good question. In fact, it’s a great question, and one that leads to lots of other questions (thus the structure of this post as a sort of informal Q & A).

This steady, sustained, and impressive revenue growth came about because organizations value the collaboration and communication features in Office 365 highly enough not just to subscribe, but to stay on the platform. Every minute that your users are using Office 365 applications and services, they’re creating and editing the data that your business needs to operate.

“What’s the worst that could happen?”

Lots of people tend to think that bad things only happen to other people. It’s natural to assume that the extensive data protection measures in Microsoft’s platform will keep your data safe—but that’s not entirely true. In future articles, I’ll dig into specific parts of the Microsoft data protection world and talk about their strengths and weaknesses. For now, it’s more accurate to say that Microsoft’s native data protection measures may protect you against some types of catastrophic data loss, but there are still lots of things to watch out for.

First, not all data items are created equal; that email in your sent items folder accepting the meeting request for Bob’s retirement party isn’t worth as much as the Excel file that has your end-of-quarter sales data. To make this problem worse, let’s not forget that not all workloads are equally well protected. Some services have recycle bins, and some do not. Some provide support for document versioning, and some don’t.

Second, consider which threats you really need to protect against. Aliens probably aren’t going to attack Microsoft’s entire network and burn down all their data centers—the biggest risk you actually face isn’t Microsoft permanently losing your data (although it does sometimes happen).

Instead, there are some bigger risks you face, including, but not limited to, these:

  • Service outages: A Microsoft outage will keep you from getting access to your data. The multiple outages in Azure multi-factor authentication that blocked users from logging on to the service in 2019, 2020, and 2021 are great examples. 
  • Oops: A mistake by your own users or administrators, or by Microsoft’s service team, will delete some important data (see “KPMG IT blunder erases 145,000 users' data”).
  • Malicious deletion: A security breach or problem will cause you to lose access to your data, either because ransomware has removed or encrypted it or because something else in the chain gets broken.

We sum these potential causes up with a simple phrase: mishaps, mistakes, and malice.

As you can see, the native data protection features included with the service may not help in all these scenarios, especially because you may have important data in workloads that don’t have much protection. Having an independent cloud-based backup with no dependencies on Microsoft’s services can preserve your ability to access your data even during an Azure AD or other outage.

Is Microsoft responsible for my data?

In a word: No, as you can see from this Microsoft article. Microsoft essentially says that they’re responsible for security (which in this case I’ll say means the confidentiality, integrity, and availability) of the infrastructure used to run Office 365, but that in the end you are the owner of, and responsible for, the data itself.

If you carefully read the Office 365 or Azure service descriptions, you won’t find any promises by Microsoft that say things like “we promise to protect your data” or “we’ll never lose your data.” Instead, when you examine their security best practices for various parts of their estate, you’ll see recommendations to back up your data, test your backups, maintain good personnel security, and so on—all things that Microsoft may also be doing, but on which you probably shouldn’t bet your company.

“Do I really need a third-party backup tool?”

It’s an old cliché that aviation regulations are “written in blood.” When it comes to backups, it might be less dramatic and more fair to say that backup best practices are written in tears, lost dollar bills, or maybe in shredded resumes.  

The risk of you unrecoverably losing all of your M365 data may seem small, but the impact of such a loss would be very high for most of us. This is especially true when you consider that a worrying number (86%) of ransomware operators haven’t been restoring data even after the ransom’s been paid!  

The risk of unrecoverably losing some of your data, though, grows in line with multiple factors: how much data you have, how much of it is high-value, how many people have write access to it, and how emerging security threats hold that data at risk. Having an immutable copy of your important data stored securely in an independent cloud is terrific insurance against both large- and small-scale risks.

If you don't have third-party backup and Microsoft cannot restore your data, you're just out of luck. We went with Keepit to ensure both consistent backup and long-term retention of our data.

Ken Schirrmacher

Sr. Director of IT/Interim CIO at Park 'N Fly

“What do I do now?”

If you haven’t ever lost data because of malice, mistakes, or mishaps, maybe you’re not convinced of the value of robust, cloud-independent backup for your data. Sadly, though, most of us have indeed lost data for some (or maybe all!) of these reasons.  

Either way, the first step in deciding how to best protect your SaaS data is to take an honest and comprehensive look at the potential losses you’d face from not having timely access to your critical data. The built-in reports in the Microsoft 365 admin center will help tell you who your most active users are and who has how much data in OneDrive, SharePoint, and Exchange Online. Couple that with your own knowledge of your business and you’ll get a good start on deciding where the potential catastrophes might lie. 

Next, think clearly about the risks you face, both from the standpoint of your IT organization’s capability and maturity and from the overall standpoint of your business. Many organizations have increased their spending on security—which is often beneficial!—but haven’t done anything to improve their ability to protect against mishaps or mistakes, much less to carefully plan and test a recovery strategy.

If, after doing these things, you realize that some or all of your Microsoft 365 data is valuable enough for your company to protect in order to continue day-to-day operations, then you can read more about how Keepit Backup and Recovery for Microsoft 365 can help protect your data on our product page.


Paul Robichaux is Senior Director of Product Management at Keepit and a Microsoft MVP (Most Valuable Professional) – a title he has been awarded every year since 2003. Paul has worked in IT since 1978 and held a number of CTO and senior product development positions in the software industry.

Paul is a prolific contributor to the Microsoft community: He is the author of an impressive number of books and articles about Microsoft technologies, including the best-selling Office 365 for IT Pros, is a contributing editor for Practical 365, and produces a continuous stream of videos, podcasts, and webinars. He is based in Alabama in the United States.
