It’s a classic scenario: someone leaves the company and the IT department deletes them from the system. Why pay for an Office 365 subscription you don’t use? But when the team goes to pick up one of their projects from where they left off, they discover they are missing some vital information. Unfortunately, they don’t have their O365 data backed up, and it is gone forever.

We have talked about Disaster Recovery and Backup already, but today we are looking specifically at Office 365. It is a common misconception that if you are running Microsoft Office 365, you don’t need to think about backing up your data. Surely Microsoft takes care of it for you, right? Wrong.

Microsoft Office 365 operates under a “Shared Responsibility Model.”

To quote the Microsoft website, “Office 365 subscriber data – such as mailboxes and files stored within OneDrive and SharePoint Document Libraries – is not backed up by Microsoft as part of their subscription. Microsoft does not provide Office 365 data protection services.”

Can’t I use the Office 365 Data Replication to access my data?

Part of the confusion around Office 365 backups relates to terminology. A robust data backup and recovery plan generally includes both data backups AND replication. As a quick guide to the difference:


Backup: A copy of the data is made at a pre-determined point, giving a snapshot of that point in time. This is handy for long-term data storage and for data that doesn’t change as frequently.

Replication: Copying and moving data to another company site to ensure you don’t lose data for mission-critical applications.

However, both of these options rely on data retention and data accessibility. While Microsoft offers very limited, short-term data loss recovery – for example, you can fish a deleted item out of your recycle bin – they do not provide any point-in-time recovery.

You can check out the Resiliency and continuity section of their site for the complete list of these features, but in short, they are replicating data as required to keep the software up and running. If you do run into an issue, such as accidental user deletion, a ransomware attack or data corruption with saved files, this is out of their scope of work (read: not their problem).

What could possibly go wrong?

The most common issues leading to data loss are deletion, a cyberattack or a natural disaster. Here are a few examples:

  • You lose user data when someone leaves the company (as per the example above)
  • Someone accidentally deletes something from SharePoint or OneDrive
  • You assume you can use your emails as an archive of crucial information, not realising that Outlook only retains data for two years
  • There is a ransomware attack and your data is encrypted
  • A car rams through the front wall of your office and crushes your server, critically damaging it #truestory #coltonofficecrushed (never fear; our servers, Colton staff and data all survived unscathed)
  • There’s a data breach and you are found to be non-compliant with data protection laws – you suffer a financial loss, damage to your reputation, loss of sensitive and important data and face legal action and a serious fine

What do you need to do to keep your Office 365 user data safe and available?

In practical terms, this means that it is your responsibility to secure and back up your data. This responsibility includes:

  • Regular backups of data, software and configuration settings stored offline or online in a non-rewritable and non-erasable manner in line with The Essential 8
  • Backup restoration testing
  • A cybersecurity strategy
  • Penetration testing
  • Exposure resolution services
  • Employee cyber-security awareness training
  • Data Compliance, including data breach reporting, policy compliance, information management, remediation of issues, and financial audits

If you are one of our Managed Services customers, rest assured we are taking care of business, and making sure you are covered. We keep our clients’ Office 365 backups for 12 months to ensure that you can access the data when you need it (as well as sorting out all your cyber security and compliance requirements).

If you aren’t on an MSP arrangement and aren’t sure whether you are covered, get in touch on 02 6361 1116 and we can work through it with you.