This question gets posed frequently and there is some confusion about who has responsibility for data protection in O365 environments. Microsoft’s documentation is a little…. vague in some areas which doesn’t help matters.
Lets break this down a little.
Microsoft take care of the infrastructure and ensure the availability of the application. They ensure that this environment is resilient, with redundant hardware, ensuring data replicated across multiple sites and a whole host of security measures.
They do backup data, but this is to ensure platform availability and in the event of a major disaster have a recovery point, this backup is not necessarily for the benefit of the user community. The administration of the application, the application of security recommendations and the protection of data is the clients responsibility.
In part yes, in part no. Microsoft are providing a highly available platform and as such they have a highly redundant setup that ensures that users experience the minimal amount of downtime. If Microsoft has a serious failure, rest assured that they have your data failed across to another site and/or a copy of your data to recover from.
That’s great, historically, there would be concern over hardware failure, site redundancy and so on, but these issues are largely eradicated with Office365, Microsoft host applications and data across multiple sites providing some comfort against issues affecting the Data Centre, Hardware or OS. One headache removed and a big tick in the box.
However, the level of data protection Microsoft are providing is to ensure the application remains available. True data protection is the responsibility of the customer. If data is accidentally (or intentionally) deleted, if there is a malicious attack or if data is corrupted via a virus or other means, Microsoft wont take responsibility for the recoverability of that data, that is your responsibility.
Retention Policies go part way to offering a solution, but only protect you from data loss in limited scenarios. Some examples of the policies / controls that can be implemented natively include:
Unfortunately, these policies don’t offer full proof protection and have some practical limitations. Examples include:-
Our recommendation would be yes, absolutely.
In a real world customer example, it took 72 hours for data to be recovered after a major incident (not of the customers making). When SharePoint, OneDrive and Exchange data is pivotal to business operations, thats just too long.
To our knowledge no and Azure Backup doesn’t currently support O365 backup, although we’d anticipate that it will in time.
There are lots of providers on the market providing a cloud to cloud solution. The first place to go would be to ask you existing backup vendor if they have a solution that integrates with your existing backup mechanism. Some have modules (others have bought a completely different business and rebadged it). The ideal would be to have a single console to work from, but not always possible.
We use a SaaS tool (Backupify), which is a Datto product. Its licensed per user, so there is no additional storage charges which makes life easier. It provides a cloud to cloud backup solution for O365 which just works; ensuring several roll back periods are available for:-
Hopefully this helps if you are asking this very question, but if there is something we’ve not covered, feel free to get in touch.
You can read Microsoft’s documentation on retention policies here