In today's fast-paced working environment, businesses need to be able to access their data easily from any device to ensure seamless operations and uninterrupted productivity. With companies increasingly transitioning to cloud-based operations, reliable and secure data access has become more critical than ever. Microsoft 365 (M365) is a powerful suite of cloud-based productivity and collaboration applications that has gained an impressive following of 345 million paid users worldwide.
Microsoft provides very limited backup for M365 data with a very limited retention period for some resources like email. This does not include the kind of granular recovery and longer recovery point objectives that are standard in most businesses. In the event of a ransomware attack, for instance, Microsoft can bulk-restore your mailbox going back two weeks, but you will lose all work in the interim and cannot restore individual resources lost due to accidental deletion.
It is therefore essential that businesses consider implementing a third-party M365 backup tool to provide additional data protection layers and to back up data to secure off-site locations. In fact, Microsoft itself makes this exact recommendation. To quote from its standard M365 service level agreement: “We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”
The use of a third-party backup solution for M365 does more than just follow Microsoft’s recommendation to “protect your own data because we barely do.” Such solutions offer several additional advantages, including enhanced data security, easier data recovery, more control over data backups and regulatory compliance.
This article explains M365’s limitations, the importance of third-party backup services to M365, and best practices for choosing a third-party backup service provider.
Microsoft 365 — The basics
Microsoft 365 is a cloud-based subscription service comprising a suite of productivity tools, including Word, Excel, PowerPoint, OneNote, Outlook, Teams, and many more. The suite also contains collaboration tools including Exchange Online, a messaging app; OneDrive for Business, a cloud-based file storage app; SharePoint Online; and access to online versions of the Office applications.
M365 tools enable cloud storage, email and calendar management, and communication. You can easily collaborate on documents, spreadsheets, and presentations, with multiple users able to work on a single document simultaneously. However, since all M365 tools share data, the backup, security, and recoverability of that data are crucial.
Your data, your responsibility
M365’s data backup capabilities are limited. Microsoft 365 supports a shared responsibility model based on the principle that each party in a relationship is partially responsible for the success of that relationship. By implication, both Microsoft and its customers have roles to play in ensuring the availability and security of data.
While Microsoft is well known for its high availability of the physical infrastructure on which M365 runs, data protection is not included in the standard license of M365, and it requires additional and complex configuration to set up. The Microsoft documentation also states that data integrity and retention are the users' responsibility. In essence, Microsoft is responsible for the underlying cloud infrastructure, while the security of Microsoft 365 data is the users’ responsibility.
How secure is Microsoft 365 data?
M365's built-in backup feature has the following limitations users should be aware of.
Inadequate protection against human error
Accidental file deletion is the most common cause of data loss after ransomware. If you discover that a file has been accidentally deleted and your discovery is beyond the recovery windows specified below, the data is gone forever.
By default, SharePoint Online retains deleted items, including files, for a period of 93 days. During this time, deleted files can be restored using the Recycle Bin or the SharePoint Online admin center. After the 93-day retention period, deleted files are moved to the SharePoint Online second-stage Recycle Bin, where they are retained for an additional seven days. If the file is not restored during this time, it is permanently deleted and cannot be recovered. However, some regulations require businesses to keep specific data for not days but years.
M365 regulation limitations
Microsoft 365 integrates and shares data with many third-party services, which can be a concern when it comes to regulations in force. For example, GDPR protects an individual’s data, and transfers of such data outside the E.U. / EEA (European Economic Area) must comply with this regulation. The U.K. has its own implementation of GDPR as well. Although Microsoft provides data transfer mechanisms such as standard contractual clauses (SCCs) to facilitate and regulate transfers, they have been reportedly nontransparent.
GDPR and UK GDPR both also dictate that individuals have the right to access, rectify, and erase their personal data. Microsoft provides tools such as the Microsoft 365 Compliance Center to help organizations respond to data requests, but these tools have proven to be complex to use.
Microsoft stores M356 data in data centers around the world. But certain consumer data privacy regulations require organizations to store data in designated locations. For example, according to GDPR, the data of E.U. residents must be stored within the E.U. Hence, M365 data of E.U. organizations stored in the U.S. violates GDPR. However, according to the United States Cloud Act, U.S. intelligence agencies must have access to any data stored by companies based in the U.S., and Microsoft will thus statutorily save its user data in cloud data centers across the United States.
This scenario results in a clash of regulations. Add to this the lack of transparency on how data is stored and collected by Microsoft, and M365 can potentially take a toll on organizations in terms of both sanctions and reputational damage. In 2022, Germany outright banned the use of Microsoft in schools due to third-party data access concerns.
The benefits of using third-party backup services for M365
As noted above, Microsoft actually encourages customers to use a third-party backup solution for their data. This alone is a sufficient reason to do so.
OneDrive’s synchronization functionality also differs from backup. With OneDrive storage, any operation on local data is replicated in the synchronized copy. So, if local data is corrupted, that data corruption is replicated in the synchronized copy. This can be disastrous for large and complex organizations. But there are other benefits of using third-party backup services as well.
Third-party backup services save your data in an off-site location, offering granular data restoration that is faster and simpler than M365’s piecemeal data recovery strategy. Third-party backup solutions are easy to use and manage, with intuitive interfaces that enable quick access to your data.
Faster recovery times
In the event of data loss, third-party backup services offer faster recovery times than Microsoft's built-in backup tools; this can be critical for minimizing downtime and ensuring business continuity. They are also scalable, meaning that as your business grows, external solutions can handle higher quantities of data.
Turning to a provider outside of Microsoft gives you more flexible data backup and recovery windows. They also offer additional data security features like encryption and multifactor authentication, making them a best-fit for organizations operating in heavily regulated industries such as healthcare and finance.
Best practices for choosing a third-party backup service
There are some guidelines you should follow when choosing a third-party backup service for your M365 data. The factors below are the most key.
Identify your backup needs. Ensure that the provider offers data recovery capabilities that align with your needs and delivers easy and quick results. Check for automated backups, encryption capability, point-in-time recovery, granular restores, and the ability to back up multiple types of data including email, files, and SharePoint. The service should also adhere to the 3-2-1 backup standard regarding diversity of backup media and locations.
Reputation and reliability of the provider
Search for reviews and feedback from other customers; make sure the provider has been in business for a while and has experience with Microsoft 365. Check to see if it uses next-generation technology like machine-learning-enabled data encryption, which restricts access to data backups both in transit and in the cloud, or AI-based anti-ransomware technology to detect and terminate ransomware attacks.
Customer support and service-level agreements (SLA)
The backup service provider should offer 24/7 support, quick response times, and multiple channels for reaching the help desk, such as phone, email, and chat. Their service should be governed by an SLA defining, among other things, response times and the quality of service you can expect.
Compliance and regulatory requirements
Make sure the backup provider meets compliance requirements. If you handle sensitive data, the provider must adhere to compliance standards relevant to your industry, such as HIPAA in healthcare. You also may need support for compliance with government-imposed consumer data privacy standards such as GDPR in the European Union and the CCPA in California, USA. Furthermore, your provider should be able to provide proof of compliance and demonstrate that its approach aligns with end-to-end cybersecurity frameworks like the NIST CSF, CIS Controls, or ISO 27001.
Finally, consider the pricing of the backup service. Choose a solution that offers transparent pricing with no hidden fees and that fits your budget.
Third-party backup services are critical to maintaining the integrity and accessibility of Microsoft 365 data, as they provide an additional layer of protection and fill the functional gaps in Microsoft’s protections for M365.
Acronis is a reputable third-party backup service that follows all the best practices highlighted above. You can back up your entire Microsoft 365 environment, including emails, contacts, calendars, OneDrive files, SharePoint sites, and Teams data, to a secure and reliable off-site location.
Acronis is a Swiss company, founded in Singapore. Celebrating two decades of innovation, Acronis has more than 2,000 employees in 45 locations. Acronis Cyber Protect solution is available in 26 languages in over 150 countries and is used by 18,000 service providers to protect over 750,000 businesses.