Looking for Office 365 backup methods that’ll work? Check out our free webinar “Practical Guide: Office 365 Backup Strategies That Scale” today!
Not Everyone Needs Office 365 Backup, But You (and many others) May!
Let me start this blog post by saying we are big Tony Redmond fans.
We have featured his comprehensive Office 365 admin guide on our blog, we have had him as a guest speaker at our annual ShiftHappens Conference (talking about backup/retention no less!) and will occasionally engage in public Teams chats with him on key topics like who in IT “owns” Office 365.
In an industry as crowded and as noisy as Office 365 backup, having a “police officer” to occasionally write tickets to repeat vendor offenders making dubious marketing claims is an invaluable service to the consumer.
So when I read his recent blog post, “Questioning Six Reasons Why Backing up Office 365 is Critical,” in which he critically examines one of our competitor’s (I won’t say who, but the lime green branding might give you a pretty good hint) eBooks, I was grateful for many of the points he made.
We’ve had these honest conversations in the past with Tony and have pulled back some of our marketing claims when we were guilty of over-reach as well, so let’s start with a big thank you!
And yet, I couldn’t also help but notice in his zeal to point out the technical and logical shortcomings of this eBook, Tony arguably overstates his case for the level of data protection Microsoft provides.
This post shouldn’t be mistaken as a defense of the indefensible claims made in our competitor’s eBook, nor a criticism of Tony for righteously tackling those claims head-on. Rather, it should be seen as a continuing, respectful dialogue around the question many organizations ask: “Do I need to back up Office 365?”
While you could infer from his blog post Tony’s answer would be no, I believe we could reach agreement on the answer: it depends.
Realistically Assessing Risk
Tony is right about the level of FUD (fear, uncertainty, doubt) claims made by Office 365 backup vendors. However, it’s important to distinguish what is and what isn’t FUD.
It’s impossible to talk about an insurance policy without talking about fire. What distinguishes more from less ethical Office 365 backup claims is the realistic portrayal of risk. As we have written in our “Mitigating Collaboration Risk” eBook, there are two components of risk: likelihood and severity.
Even if an event may not be likely, if it’s severe enough to significantly impact business operations, many organizations will still (rightfully) want coverage. By all means–if these scenarios seem too far fetched, or something you have the ability to simply wave off as “user-error,” that will help make your decision on where to spend your money much easier!
But with the power Office 365 gives to Group/Team Owners (this means YOU if you’ve ever requested your own Team!) there are ways data loss can happen—even if they are rarer than we promote in our marketing material.
If you happen to own a Team, try this:
- On the top right corner of one of your Team Channels, hit the ‘…’ and select “Open in SharePoint:”
- Now use the “gear” in the top right corner of your site to access the site settings and choose “Restore This Library:”
- You’ll be presented with a choice to roll this Team (and ALL content for ALL channels that are not private) back to a previous point in time:
You can see this option because you’re not just a Team Owner, but also a SharePoint site admin of the site underneath! This applies to your OneDrive as well.
You can absolutely undo this by choosing to “restore” to just before this destructive rollback, as described in this article with Microsoft. But to do so and capture the bad actor you’d have to recognize the event as potentially risky (requiring a SIEM or other log-monitoring profile), identify the risk behind the event, and grant yourself admin access to the Team to fix this.
While it’s a rare event, it does happen as Microsoft MVP and AvePoint partner Stephanie Donahue describes from real-world experience in our “Debunking Myths” backup webinar.
Another good example comes from our telemetry as one of the more popular restore requests: take a library or site with unique permissions and choose to “Inherit Permissions” from the parent site. A simple action for a user or admin to take, but there is no “undo” option (other than manual work) to recover to a workable state.
We deal with many smart Office 365 admins that evaluate those types of scenarios and make the informed decision to evaluate Cloud Backup.
Now that we’ve cleared up those events, Tony also makes a very valid point that native Office 365 data protection features are often criminally “undersold” or left unmentioned by backup vendors. So let’s talk about them.
When to Use Native Solutions
As a backup vendor – we often promote the fact that if you have native options available, you should use them!
A good example of this: our end-user recovery app for lost content actually starts every user by looking in their mailbox/recycle bin FIRST! Our Teams chatbot AVA first scans the recycle bin before the backup data in Cloud Backup when a user makes a restore request.
When you look to roll back a Team or Group, our software first checks to see if there’s a “soft delete” option available! Even before Microsoft enforced its mandatory “minimum version” settings for libraries, we had policy-driven products that enabled that for all customers.
Granular Restore And Retention Policies
When it comes to retention policies, Tony is a strong advocate that they can be used broadly as a means of granular, item-level backup. He’s right in that this feature may be a fit for certain organizations as a backup strategy. However, he does not mention some of the very real and very severe shortcomings.
One of the biggest limitations is that it still depends on manual work done by humans, and to err is to be human. There is a classic example of human error mixed with retention policy complexity ripped from today’s headlines, “IT blunder permanently erases 145,000 users’ personal chats in KPMG’s Microsoft Teams deployment – memo.”
The article states:
“In the execution of this change, a human error was made and the policy was applied to the entire KPMG Teams deployment instead of the specific account,” said the internal memo. “This error resulted in the deletion of chat history from end users throughout KPMG….”
…That may be something of an understatement since the chat discussions at issue are said to have vanished forever. “Microsoft has confirmed the Teams chat data is not recoverable,” the message explains.
You can see below how you might find challenges as an admin in just simply updating retention policies without care:
Imagine making those updates with a list of more than 140,000 users when a mistake happens and losing user chat data. What is your option?
Yes, there are limitations in APIs for advanced workloads such as Teams Chats as Tony talks about. However, for the purposes of legal discovery and being simply able to recover the chat records to a mailbox archive for future eDiscovery, a third-party backup solution would prevent those potentially damaging losses.
In the same vein, we talk to Office 365 admins every day that have issues restoring data because they didn’t set the retention policy ahead of time and want a third-party solution where they don’t have to worry about it–backup takes place automatically.
You could set a policy to retain everything. However, as Tony acknowledges, that creates a need to purchase more storage from Microsoft. In my opinion, Tony underestimates the associated scale and cost.
At the 2019 ShiftHappens conference, a representative of one Fortune 500 company that I presented with indicated they had adopted a “retain everything” approach at substantial costs to their business and were now considering a more careful application of retention policies in the future.
I’m not saying it’s a guarantee that we will come out cheaper; for that reason go ahead and run our ROI calculator if you find yourself in their shoes!
Layered Coverage vs. Blanket Policies
Selling blanket coverage is just as dangerous as selling an E5 as a solution to all your problems in that it lacks nuance.
Vendors need to be more nuanced in their materials to include the many good policies and securities Microsoft offers natively, but still insist that this coverage for many needs to be layered. It should also be appropriate to the risk level of the particular organization.
For example, even when customers ask AvePoint as a backup vendor for things like Geo-Redundancy of our backups (multiple copies stored around the world) there’s a cost to that option! Letting customers make an informed cost-based and risk-based decision is an important step.
Or on the other hand, are you able to live without insurance? Absolutely! There are many enterprises that say, “At the end of the day, the cost to protect from user error outweighs the risks. We’re happy to let users make mistakes and if we can’t recover, we can’t recover.”
And the 60% of Office 365 admins surveyed in the competitor’s eBook that said they had not purchased an Office 365 backup solution could have made a good risk-based decision (hopefully it was a decision and not a default position).
But I argue that the 40% of Office 365 admins that decided to purchase a third-party backup solution also made a good risk-based decision.
Do You Need To Backup Office 365? It Depends
Tony Redmond is a great resource who has given this topic more serious consideration than most. We can agree on the following points:
- Not everyone needs backups, it’s a risk-based decision.
- Not everyone needs cover-to-cover backups; most of the things that really hurt are focused on the SharePoint workload vs. Exchange!
- Not all vendors are perfect, and we are cobbling together stories to help protect against data loss events as well as we possibly can. Is it common to have to restore Teams Chats to an on-prem folder to respond to a legal request? NOPE! But if the alternative is “nothing” if we lost access to Microsoft, then we need to provide something to serve our customers.
If you fall in that 40 percent that look at your desired RTO, RPO, coverage areas, and other key backup considerations and think you might need some additional protection, give us a call and we will have a real and frank conversation with you about the pros and cons.