Does Microsoft backup my data in Office 365? Do I need more or additional backup?
Alex Fields
A new reader question came in, and frankly it’s one that I hear a lot. I’m sure I have smatterings referring to this issue in other articles, but this one should stand to clear up the questions once and for all–this will be something I can point people to moving forward.
Alex, Love your site and your blog articles. They are awesome! I wonder if you would consider doing a blog post on backup strategies and options for Office 365 (in non-hybrid setup). Thinking of how we keep safe all our cloud data in SharePoint, OneDrive, Emails, etc. Do you consider the need for a third party product to accomplish this and if so do you have any thoughts on products you’d recommend? Or alternatively, are there any Office 365 licences or settings we should have which keep us protected in the case that the worst case happens? […] Anything else we should consider to increase our disaster recovery abilities? Thanks Mike
I left out a long list of Mike’s considerations and thoughts here for brevity, but thanks for sharing them, Mike.
The shortest and best answer to this question is basically that you should plan for as much backup as you are comfortable with. Knowing what I know about the service, I do not use any third party backup solutions for my data in Office 365. But, that doesn’t mean my preference will be everyone’s.
Although I do not advocate for any particular solution, I can help shed light on what is possible out of the box, with various subscriptions. From there you can decide if that is enough protection for your needs.
How Office 365 data is protected against loss
On Microsoft’s Trust Center, you can read a bit about how data is protected in Office 365, from a security & compliance perspective. It’s fairly impressive, if you take the time to read up on it.
As regards availability of data: your data is always stored in more than one datacenter region within your designated geography (e.g. United States). Data is not only replicated to multiple storage locations within the primary datacenter region, but it must also be available in at least one other datacenter region at any given time (e.g. Chicago, IL and San Antonio, TX).
Therefore your data is highly available, and would be accessible in almost every type of disaster scenario, unless there is some event so catastrophic that multiple datacenters, geographically disparate, were to completely fail at the same time, and also to become unrecoverable in both locations (and then we have much bigger problems, no?).
So that speaks to some of the concerns around Business Continuity. Now let’s talk about backup. Contrary to popular belief, Microsoft does in fact back up Office 365 data. You can dig in and find more details about the resiliency, recovery and other protections of data on Microsoft docs:
- Data resiliency in Office 365
- Exchange Online data resiliency
- SharePoint Online data resiliency
- Protection against DDOS attacks
Regarding data that is deleted, whether accidentally or otherwise: lost data is recoverable for a certain period of time in every subscription, which varies based on the service. For SharePoint Online, deleted items stay in the recycle bin for 93 days before they are purged, and remain recoverable during that time.
Exchange Online retains deleted mailboxes for 30 days by default, and individual deleted items within a mailbox are recoverable for up to 14 days, but administrators can also increase this to 30 days (the same amount of time as a whole mailbox). Here is how you would increase this limit to its maximum allowed value via PowerShell for Exchange Online:
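# Get-Mailbox returns at most 1000 mailboxes by default; -ResultSize Unlimited covers them all
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RetainDeletedItemsFor 30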
With regard to either Exchange mailboxes or SharePoint libraries, it is also possible to ask Microsoft support to restore these locations to previous points in time according to the same limits. And with OneDrive, any user can perform a similar self-service restore, that is, without contacting support.
Just be aware that when either you or Microsoft performs a full restore of some library or mailbox to a previous point in time, that action will overwrite everything that is presently there today, and literally put it back to the date requested. This is good protection for say, a ransomware scenario, but not great for individual file restores.
And while Microsoft support cannot themselves restore individual items for you from the back-end, you can of course browse the recoverable items yourself and restore them (or roll back to previous versions of files within SharePoint, for instance).
Going beyond the default recovery options…
Additionally, with Office 365 Enterprise subscriptions, or any Microsoft 365 subscription (including Business), you will also have the ability to define Retention policies, which can preserve data (even deleted data) for whatever time period you specify in the policy.
At the end of the retention period, deleted items will follow the same rules as any other Office 365 data. Here is the default for SharePoint:
And for Exchange:
Remember that 14 days can be extended to 30. Also, with Exchange Online Archiving included in many Office 365 and Microsoft 365 plans, there is the option to enable Litigation hold on your mailboxes, which means data can be preserved indefinitely. To place all mailboxes on litigation hold using PowerShell, you can run this command:
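# -ResultSize Unlimited so mailboxes beyond the default 1000-result limit are also placed on hold
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -LitigationHoldEnabled $true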
Whether under retention or hold, even when the entire underlying user account is deleted, the mailbox simply becomes an “inactive” mailbox that can be restored at any future point, on demand.
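Before changing every mailbox at once, it helps to see which ones actually fall short of the deleted-item retention and litigation hold settings described above. The following is an added example, not part of the original post: the function name Get-MailboxRecoveryPosture and the sample addresses are hypothetical, and the sample objects are constructed stand-ins for Get-Mailbox output so the report logic can be tried without a tenant.

```powershell
# Added example: report deleted-item retention and litigation hold state per mailbox.
# Accepts any objects exposing the Get-Mailbox properties read below.
function Get-MailboxRecoveryPosture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Mailbox,
        [int]$TargetDays = 30   # the maximum RetainDeletedItemsFor value named in the article
    )
    process {
        # Exchange Online reports the value in d.hh:mm:ss form ("14.00:00:00");
        # parsing the string form handles live and deserialized objects alike.
        $retain = [timespan]::Parse([string]$Mailbox.RetainDeletedItemsFor)
        $onHold = [bool]$Mailbox.LitigationHoldEnabled

        # Without a hold, a purged item is only recoverable inside the retention window.
        $window = "$([int]$retain.TotalDays) days"
        if ($onHold) { $window = 'preserved by litigation hold' }

        [pscustomobject]@{
            UserPrincipalName = $Mailbox.UserPrincipalName
            DeletedItemDays   = [int]$retain.TotalDays
            LitigationHold    = $onHold
            BelowTarget       = $retain.TotalDays -lt $TargetDays
            RecoveryWindow    = $window
        }
    }
}

# Constructed sample objects standing in for Get-Mailbox output (not real tenant data).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; RetainDeletedItemsFor = '14.00:00:00'; LitigationHoldEnabled = $false }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   RetainDeletedItemsFor = '30.00:00:00'; LitigationHoldEnabled = $true }
)
$sample | Get-MailboxRecoveryPosture | Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline), preview changes for short mailboxes only:
# Get-Mailbox -ResultSize Unlimited | Get-MailboxRecoveryPosture |
#     Where-Object BelowTarget |
#     ForEach-Object { Set-Mailbox -Identity $_.UserPrincipalName -RetainDeletedItemsFor 30 -WhatIf }
```

Remove -WhatIf from the commented pipeline once the preview lists only the mailboxes you expect to change.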
Immutability / WORM
Another important concept here is data immutability. Office 365 complies with SEC rule 17a-4 or WORM (Write Once, Read Many). When a SharePoint document is copied into the preservation library, for instance, that document is no longer “alterable”–it is immutable. Likewise, mailboxes on hold or retention are immutable. Once data is written into the preservation locations, that data cannot be changed. Write Once.
So if a document in SharePoint changes, those changes are written into the preservation library, but the original version remains there too, still unchanged. This is what makes it possible to roll back to previous points in time, and know that the data has not been modified from that state. Therefore, you can restore information from the preservation library at any point during the retention period. Read Many.
Actual, granular recovery of data
So you turn on retention policies, and/or you just blanket enable litigation hold across all mailboxes. Okay, great. Meanwhile, all of the data, deleted or otherwise, remains available to eDiscovery and Content searches that are performed by admins.
Restoring data is therefore possible, as you can also export from a Content search or eDiscovery case. But having to “search” for the item(s) you want to restore is a bit different than a traditional backup solution, where you can mount an image of a file structure or mailbox, and copy out the items you were looking for. Some people aren’t comfortable with not being able to see the underlying structure, so to speak, where the recovered data is coming from.
Therefore, third party solutions can offer options that may be more attractive and flexible than what Office 365 provides using its native tool set. I personally feel perfectly comfortable using the Content search, but to each their own.
You should have as much backup as you are comfortable with
Now, knowing what I know about the service, I do not sweat the need for a third-party backup. That having been said, some people just will not be comfortable having all of their eggs in the Microsoft basket–relying on only one set of data protections (no matter how robust they may seem).
Additionally, some people may find that third-party products provide a better experience and accessibility for individual file or message restores. Just be sure you know why you’re getting the other backup. It should be adding some value. Get a demo in advance if you can. Most of the major ones out there will support both Exchange mailboxes and SharePoint/OneDrive data.
For smaller concerns, like temporary outages of cloud services, there are several third party continuity services out there that would allow you to continue checking on and responding to emails, for instance, through a third-party portal. Again, I don’t have any in particular to recommend.
And that’s about it. If you want or need any of the following, then you’re looking at a third-party:
- peace of mind for having a backup outside of Microsoft
- more convenience to restore individual files from different points in time without relying on a content search
- continuity during a major cloud provider outage
Otherwise, Microsoft does provide several protections against corruption, deletion, ransomware and disaster scenarios, right out of the box, which can be enhanced further using features such as retention policies and litigation hold. If that’s enough peace of mind for you (as it is for me), then that’s okay too.