In the first part of this series, we considered the position most people need to deliberate when they choose Microsoft 365 – what will happen if they lose data and need to restore it, and what are the likely scenarios which need protection.
To help better understand, from an independent viewpoint, what this looks like with Microsoft 365 alone, we covered and linked to the relevant Microsoft guidance to manage these scenarios. In the second part of this series, we’ll look at how you might reduce the likelihood of a problematic restore being necessary, and consider what other Microsoft 365 customers do, and why.
Prevention is better than cure
While it’s true that if you do nothing to protect your data in Microsoft 365 – then it’s likely that a computer could become infected with malware, and this could encrypt your data in OneDrive or SharePoint for Business. Or, a user could accept a carefully crafted phishing link to a site that requested access to data in their mailbox, which then attempted to destroy the data.
The challenge with or without a backup product is going to be the same. Restoring the data, whether it’s via a robust interface provided by a backup vendor, or by choosing the right method to restore data in Exchange or SharePoint Online is a task you will wish to avoid.
The amount of data you’ll store in Microsoft 365 will grow over time.
For example, on a Microsoft 365 Business or E1 subscription, users will have 1TB of available storage – with E3, up to unlimited and easily configured by an admin to reach 5TB.
You might not expect to actually use that amount of storage though, obviously. However, if we consider that you might over the next few years see OneDrive consuming, say, 50GB per user this adds up to 50 terabytes for a medium-size business with 1000 employees.
Backup tools use the same APIs as migration vendors. So if you want to get an appreciation for how long this might take, you’ll find a reasonably optimistic one here – and that’s assuming that the backup vendor is using modern APIs for migration. If we go with the Medium example for Office files, it could take 50 days to perform a full restore.
In a scenario you might be looking to protect against – such as most PCs being infected with ransomware and corrupting a large number of files in user OneDrive locations – 50 days isn’t really going to be helpful. If you dismiss the likelihood of that happening and assume that it might only be a smaller number of users, then the capabilities to either detect it client-side or recover as an admin will be just as useful.
Instead, preventing the likelihood of this occurring is a better strategy. Removing risks of users consenting to dangerous sites accessing their data, by eliminating the ability for a user to grant consent, enabling security defaults or conditional access policies, using advanced functionality like Microsoft Cloud App Security, Office 365 ATP, Defender ATP or equivalent functionality. Microsoft has a wealth of information available, if you want to hear it from Microsoft directly.
What do other Microsoft 365 customers typically do?
Large enterprises have so much data it takes years to move all their email and file data into Microsoft 365. Recently there’s a popular suggestion that a lot of digital transformation that typically takes years has taken place in weeks. In some cases, some organizations spent a lot of time thinking about what they’ll do before doing it – but in most cases, the multi-year program takes that long because there’s a maximum speed data can be migrated. For a full, complete digital transformation, they usually re-organize and relocate a large amount of existing data.
This typically means that buying a third-party backup service to backup supported services in Microsoft 365 in their entirety simply isn’t possible. Most organizations in this situation will be fortunate enough to employ outside consultancy, Subject Matter Experts and even whole teams who can take time to understand the protection features in the service, agree upon configuration settings that will be appropriate, and implement a suitable operating model for ensuring the aspects of the Microsoft 365 a customer is responsible for are managed correctly.
A sizable minority of enterprises supplement protection functionality in Microsoft 365 with third-party tools to provide backup capabilities, though. It might be understood that it’s not likely to be practical to back-up all data, or even all data that could be backed up and restored.
However, there may be certain SharePoint Sites (for example) that contain business-critical data that will provide additional assurance to have a secondary backup. In some other cases, there may be contractual stipulations that require a customer’s data to be backed up to a secondary service.
There are other organizations – not just enterprises – who consider email to be the most business-critical method of communication and decide to use email continuity services that work with Microsoft 365. These services are typically marketed as Office 365 backup, but obviously only work with email. These typically also work as an email protection gateway product, providing similar functionality to Office 365 ATP (but without SharePoint, OneDrive, Teams, and Office client protection) and also provide email journaling functionality.
The key selling point of a service such as this is that should Exchange Online become unavailable for a short period of time, an organization can continue to send and receive email using the email continuity service.
However, longer-term, an email continuity service might become less useful. Message protected by technologies like AIP might not be accessible in the event of a supposed Microsoft 365 service failure. And most organizations that plan to use email less, and use technologies like Teams and Yammer more, and wisely collaborate on documents in SharePoint or OneDrive, will either need to accept that the service will provide less value to them over time, or hold back from adopting those services.
Like any rule, though, there is an exception. Smaller to medium size customers often have a more durable case for finding value in a Microsoft 365 backup service.
An IT professional in a medium-size organization, responsible for the system administration of a variety of platforms and services has a broad set of knowledge that many enterprise IT professionals with technology specializations don’t possess.
Crucially, in many medium-sized organizations, Microsoft 365 isn’t the focus of their day-to-day job, in much the same way the Exchange Server wasn’t something they spent each day carefully managing. Microsoft 365 is an evergreen service, which does mean there is a continuous learning process about upcoming changes and new functionality, and even Microsoft 365 specialists struggle to keep up with the various changes weekly.
Understandably, therefore, more small and medium-size customers opt for Microsoft 365 backup solutions. Hearing from those customers it may be that they don’t have the level of licensing available to provide the complete protection discussed earlier, or in many cases, the relative cost of an Office 365 backup solution for the number of users or amount of data they have provides a good value offering.
Summary
If you’re dead-set on opting for a Microsoft 365 backup solution, then it is crucial to look for a solution that covers all the scenarios you are looking to protect against – and the services you need to protect.
Overwhelmingly the better option for most organizations appears to be cloud-based Microsoft 365 backup solutions. These solutions tend to either be from companies who have developed their solutions from the ground-up to support Microsoft 365. Therefore many will keep pace with available opportunities to backup and restore.
More traditional backup solutions, while familiar, tend to lag behind the cloud-first vendors. These solutions often offer a Hybrid backup solution – such as backup of on-premises Exchange Servers – and generally only extend to the most basic scenarios. Rudimentary Teams backup, for example, appears non-existent in on-premises backup tools for Microsoft 365 I’ve looked at.
Hi Steve. Two excellent articles. Prevention is better than cure is something worth considering when it comes to backups especially when you look at the time it could take to do a restore given some of the examples you gave here. When we talk about backups in MS365 it is usually in the context of Teams, SP online, Exchange online, ODfB etc. But where I struggle to find some definitive information is around backups for areas in MS 365 like Azure AD (all cloud only objects stored in Azure AD), conditional access policies (incl MFA policies), App registrations, Enterprise apps, Intune config profiles, polices, scripts, compliance policies, Autopilot deployment profiles and AP registered devices. And most importantly for all of the above listed the assignments (i.e, the security groups assigned to all these services. If in the event of a major outage and you had to restore all or some of the above, it would be a nightmare to have to try and restore all the assignments. Does MS provide any help with this or should we be looking to have some sort of backup process in place for these services? For example you can export all your Intune settings and assignments via PowerShell and store them locally or in Azure. It seems to me that organization’s plan for disaster recovery all the time for on-prem resources but dont seem to give as much thought to DR planning for cloud resources.
Hi, Steve.
This is very really unique helpful information. I learn so much from you as well! Thank you so much for sharing your helpful information. Keep it up.
It will be interesting to read your opinion about Nakivo backup for Microsoft 365
https://www.nakivo.com/microsoft-office-365-backup/
Thanks Steve, just caught this part 2 of your article, which was quite helpful especially for myself in consideration of small organizations.
I was very glad to see your stated recognition that IT Pros for small- or mid-size organizations may often have a broad set of knowledge and skills beyond a specialized focus. I think that this is often not a recognized value.
Hi Steve, have you had a look at Veeam Backup for Office365?
VBO can be deployed on-premise or in a cloud/IaaS as long as it has a Windows Server to run on. VBO does, for now, support the basic backup of Teams data (which is stored in different sub parts of O365 like Sharepoint, Mailbox). Starting the next version of VBO it will also support Teams backup (and restores) from a MS Teams perspective.
With kind regards,
Wouter (Veeam Software)
Hi Wouter,
When I ask backup product vendors if they can granular or wholly recover both Planner and Forms objects stored within a 365 Team, the response is not what I am used to. The lack of 100% all objects recovery makes me think long and hard about where to go with this. I’ve yet to find something that works 100%. Try before you buy recommended.
Regards,
Mark.