Many small businesses do not understand the need for backup and recovery services for their Microsoft 365 deployments. They believe Microsoft is backing up their systems, but this is not accurate. Microsoft does not provide the tools needed to fully protect your Microsoft 365 environment from malicious, accidental or intentional data loss. This lack of understanding comes from two issues:

  • Customers are not familiar with the distinction between email archiving and data protection
  • Customers believe that Microsoft’s highly resilient software-as-a-service (SaaS) offering protects all data and applications

Email archiving

Email archiving provides e-discovery, regulatory compliance, and legal protection of your email data.  Put simply, it captures every email that has been sent and received by your organization and ensures that these messages can be found and retrieved.  A good archiving solution also has the following qualities:

  • The archived emails and attachments cannot be changed or manipulated.
  • Items can be retrieved by using clever searches grouped together or complex searches called tags.
  • Search results can be placed into legal hold so that they are not purged and can be easily retrieved as needed. This feature is most often used for compliance audits, litigation, or related reasons.
  • End users are able to search and retrieve their own messages as needed, according to the policies configured by the system administrator.

We recommend that businesses have a good email archiving solution in place to protect the company from potential compliance and legal incidents. Not having an archiving solution in place leaves a company wide open and exposed to any legal ramification that relies on email evidence.

Email archiving is not a backup

Even if you have email archiving services in place, you should still maintain a backup and recovery solution for Microsoft 365. Archiving can hold and retrieve specific messages, but it cannot restore a complete mailbox and all of its contents to a single point in time.  Imagine the following scenarios:

  • Somebody hacks your Microsoft 365 account, deletes everything in your mailbox, and empties the recycle bin. This type of deletion is common during account takeover attacks, so that there is less evidence of the attack left behind.
  • You accidentally delete a subfolder containing important work email and various documents (attachments). You may not notice this straight away, because mailboxes often have many subfolders, and this kind of mistake is easy to make on your phone.
  • A former employee’s account was deleted, and you realize you need to restore the mailbox. Using an email archiver for this task would be tedious and require multiple steps outside of the archiver.
  • A cyberattack, a human error, or a catastrophic event has caused data loss in OneDrive for Business, SharePoint Online, Microsoft Teams, or Microsoft Entra ID. Email archiving does not store this content.

With an archiving solution, you could search and retrieve specific email items from the archive, but even if you knew what to retrieve from the archiver, do you have the time to reconstruct your inbox structure and contents?

Can you remember what your mailbox looked like last night or last week? How long would this take if you have lost your calendar items, contacts, tasks, journal items, etc.? And as noted above, email archiving doesn’t protect everything in Microsoft 365.

Disaster recovery — who does what?

Microsoft has a highly resilient infrastructure that rarely suffers an outage, which is good, because Microsoft is responsible for making sure your Microsoft 365 environment is always available. This makes it easy to assume that you should not have to provide a third-party disaster recovery service for Microsoft 365.  Disaster recovery appears to be Microsoft’s responsibility.

Unfortunately, that is not the case.  Microsoft is only responsible for the Microsoft 365 infrastructure that supports your data.  It is not responsible for the data in your Microsoft 365 environment. Microsoft calls this out in their Managed Services Agreement — Section 6B — “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps.”

Recycle bin is not a backup

Microsoft provides a recycle bin for Exchange Online, SharePoint Online, and OneDrive for Business, so even without an archiver there is some native protection for these items. However, the recycle bin is not a backup. Similar to a PC recycle bin or a Mac trash can, the Microsoft 365 recycle bin is just a folder that contains items that you have deleted. You cannot do a point-in-time recovery from your deleted items folder because this folder only holds items that were deleted and would not contain the good emails or files that you need to restore. Additionally, the maximum extended retention of the Recycle Bin is 93 days, and your items may be purged and unrecoverable after that time.

Cloud-to-Cloud Backup

That’s where our cloud-to-cloud backup solution comes in. It can restore your whole mailbox or individual emails, contacts, and other items back to any daily revision (recovery point) very easily. We work with several vendors to ensure your data is backed up fast, reliably and without your intervention. It’s a complete backup solution for Microsoft 365 that operates entirely in the cloud.
