Do I need a backup in Microsoft 365?

This question is essential in cloud project. In this post I analyze the pro and con and give you some advisory on how to decide.

If I had received 1 dollar for each time I hear this question and I would already be in retirement 😉 There is no real YES or NO answer – the answer is a typical answer of a (good) consultant: it depends! I am pretty sure most of you hate this answer like hell but don’t blame us, we are just trying to find the solution that fits best to your needs. With this article I give you an overview of what Microsoft offers and what not.

I want to give you an overview about the points or “reasons” I regularly discuss in my projects. This article is quite long so feel free to browse directly to the information you are interested in:

I need a backup because I’ve always had one!

I need to retain my data because of a legal requirement

I need a backup because I need to be able to recover a folder structure

I need a backup for the case of accidential user deletion

I need to have a backup for the case of a crypto trojan attack

I need an exit strategy out of Microsoft 365

Summary

Additional links

I need a backup because I’ve always had one!

Wrong. Absolutely wrong.

If that is your opinion and you are not open for a discussion, you should immediately stop working with cloudservices. Or in case of reading this article, stop reading now and continue somewhere else, e.g. here -> Welcome to Microsoft’s Homepage (archive.org) (and think about the good old times). With that fixed and unchangeable opinion you are proving that you have not understood and are not willing to understand how modern cloud services are working.

In Opposite: if the headline matches your opinion but you are open for a discussion – Great! You are absolutely right here!

Now you may think:

Andreas that is a very cruel and offensive opinion!

Yes it is. But it was proven to me again and again that this opinion is the biggest innovation blocker. But now I come back to the topic. Why is the attitude I need a backup because I’ve always done it wrong?

To understand that you need to take a close look at the root of backup. Why did companies initially perform backups:

To be able to restore a server after a full crash (bare metal restore)
Desaster recovery
To restore a database (e.g. SQL or mail database in Exchange)
To store settings in a product (some kind of self-designed DSC)

The reasons are all valid in on-premises infrastructures, but what about M365?

Server restore -> this is the job of your hoster (Microsoft), not yours
Desaster recovery -> this is the job of your hoster (Microsoft), not yours
Restore a database -> this is the job of your hoster (Microsoft), not yours
store settings in a product -> this is a valid reason, but for that you don’t necessarily need a backup. You can achieve that much cheaper.

Okay, so for the traditional reasons there is no more a need for a backup. The summary with easy words:

With Microsoft 365 you are no more the administrator of a dedicated server, but the service. That means, you do not have to care about the server health itself, the hoster does that for you. In this case it is Microsoft.

I need to retain my data because of a legal requirement

I know many customers that used a backup software for that use case. In general there is nothing to say against it – law only tells you “Keep all data for X years”, the HOW is up to you.

In Microsoft 365 you have Retention Policies (not only for Exchange but the whole tenant). With these, you can retain data from Exchange, OneDrive, SharePoint and Teams. You can configure this to preserve data based on keywords, on group memberships, on service, by user or with a combination of that.

The tools here are designed to fulfill law, so they keep all data – for the user not visible or changeable – as you configure it. When you need to access the data, you have a tool called eDiscovery. The GUI for that is really ugly and the handling far away from comfortable (I hope that will change in future), but it is there. In many plans without extra cost! That means: “for free” (not really free, but no additional license needed). You can read on Microsoft 365 licensing guidance for security & compliance about the details.

I need a backup because I need to be able to recover a folder structure

eDiscovery and retention is a nice feature but it is not designed to retain structure. For that the tools would need the intelligence to detect a folder structure change. That is not the use case for a compliance tool that was built for legal requirements.

For folder structure you need to rely on standard tools that Microsoft delivers. For Outlook, SharePoint and OneDrive that is the recycle bin. Teams can be restored by an administrator. A closer look at each of these:

Exchange does not force an Outlook client to empty a recycle bin on close. An administrator can create a policy for that.
Exchange keeps all items that were removed from the recycle bin for 14 days. An administrator can increase that to 30 days.
Exchange keeps Junk emails for 30 days in a mailbox. The user can delete them earlier or move them out of the folder and mark as not junk.
Exchange does not keep folder structure that was deleted from the recycle bin.

For SharePoint and OneDrive:

SharePoint Online keeps deleted items in the site collection recycle bin for 93 days. On day 94 all will permanently be deleted.
SharePoint Online keeps deleted sites and site collections for 93 days. On day 94 all will be permanently be deleted.
OneDrive uses SharePoint technology -> 93 days.
A deleted OneDrive can be accessed for 30 days after a user was deleted from M365. On day 31 it will be permanently deleted. If you restore the original user within 30 days, the OneDrive will be reconnected. The retention time can be extended to 10 years by using PowerShell:
SetSPOTenant -OrphanedPersonalSitesRetentionPeriod 3560

For Microsoft Teams:

A deleted team is retained for 30 days. An administrator can restore it.
Deleted content in teams is retained as long as the service that stores it (e.g. SharePoint Online for files).
A Team can be archived (=marked as inactive) to keep the Team and the data easily accessible.

I need a backup for the case of accidential user deletion

Deleting a user accidentially is a bad thing, which luckily happens so seldom.. But if it happens you have a very unhappy user and want to calm him down be restoring all as it was before. Luckily Microsoft has built-in a 30 day-retention for everything when a user is deleted.

That means, if you exclude a user from AADConnect Sync, the user is moved to the Azure AD Recycle bin (ah another recycle bin!) and all services are disconnected. Restoring this user within 30 days will recover and reconnect all services (including all data). With other words: Within 30 days, nothing will be deleted!

I need to have a backup for the case of a crypto trojan attack

I can understand the fear, but using that as a backup use case is not the right discussion. Furthermore you should shut the front door such a trojan uses. As many virus scanners are not able to detect crypto trojans directly after release, they may (and try to) slip through your defense.

To address that you have a tool in Microsoft 365 called Microsoft Defender for Endpoint – old name Office 365 Advanced Threat Protection. This uses several technologies like AI, heuristics and sandboxing to test attachments for malware like crypto attacks, spear phishing and other modern ways of attacks. Microsoft was one of the first vendors to offer such a solution, meanwhile all big players have released something similar. Defender for Endpoint is – in any case – cheaper than a backup software (only not if you get a backup for free) and closes your front door >99,999%. I personally never say 100% because I am a guy that says “there is no 100% security”.

I need an exit strategy out of Microsoft 365

Some companies need a Plan B inside their desk – in a sealed envelope. That’s okay. While defining the exit strategy as Plan B you need to think how you can get your data our of Microsoft 365. A backup may be a really easy approach for that. But ask youself one very very very important question:

If I have all data backed up somewhere, how and where can I restore that stuff if I have no more Microsoft 365?

If you execute your exit strategy you cannot restore your backup to Microsoft 365. By the way in my opinion it makes no sense to restore something to a target where you want to move away from. You may have the idea to restore it to your old on-prem infrastructure. The only thing that can be said to that idea is “Good luck!”. The online services have many features that are never released for on-premises. Best example: Microsoft Teams. It is impossible (!!) to restore data to a service that does not offer the full services because where should the software restore to when there is not target? The only option: Pick out fragments from the backup. If you have millions (or more) items you are busy for the next months.

An exit strategy may be a good idea, but not with a backup solution. You need to use onboard tools (e.g. Exchange Hybrid) or dedicated migration tools that match your use case and support source and target.

Summary

I’ve spoilered you the questions and thoughts I have to face in most discussions. As you see, it is not an easy decision. And it will never be. I personally think in >90% of all cases a backup is not needed. If you have regulatory or legal requirements that force you to store all data at a second (different) location, or if you need 105% insurance against funny things like crypto trojans, then you can think about it. If all that is not the case, take a deep look at all tools that Microsoft 365 has in it’s case for you (at no additional cost!!) and use these.

Of course, if you want to discuss this topic detailed, feel free to contact me.