Does Microsoft Protect Microsoft 365 Data?

Welcome back to the second part of our three-part blog series, where we continue to revisit what leading IT analyst firm, Gartner, suggests for protecting Microsoft 365. In the first post, we looked at what Gartner identified as risks associated with Microsoft 365. This included:

  1. Human error: Compromised accounts and accidental deletion or data misplacement are among the factors contributing to this risk.
  2. Malware/virus/ransomware: Resilient ransomware can pivot to SaaS storage and alter file versions, leading to data destruction.
  3. Hacking (internal/external): Threat actors with malicious intent.
  4. Programmatic errors or flaws: Unintended effects, misconfigurations or data loss within an organization.
  5. Disgruntled users: Significant insider threats that have the potential for substantial damage that can go undetected for long periods.

Now, let’s delve into what Microsoft does to protect Microsoft 365 data versus what they expect subscribers to do.

Native Protection Within the Tiers of Microsoft 365

Microsoft offers native tools to help companies curate Microsoft 365 data, with capabilities that vary by license tier. For example, Microsoft provides first- and second-stage recycling bins that act as an easy first option for restoring data that was recently deleted from a user’s mailbox or OneDrive.

However, it’s essential that you understand the limitations of these bins. Exchange retains data for up to 30 days and SharePoint retains data for 93 days, which makes it a challenge to recover data after this period. Additionally, the recovery process from these recycling bins can be complex and time-consuming. Plus, compromised privileged accounts can administratively delete or alter versioning and recycling bins, rendering the recovery process ineffective. In other words, if a bad actor can get to your production data, they can get to the recycle bins too.


While every Microsoft 365 license includes supplementary features like eDiscovery, Insider Threat protection, and Data Loss Prevention, these features alone may not be enough to fully protect yourself against all potential risks. Veeam talks about some of these points in more detail in our “Why back up OneDrive for Business?” blog post.

Microsoft Shared Responsibility Model

A common misconception when using cloud-based services is that the cloud provider assumes responsibility for data protection. This misconception was especially prevalent among early adopters and those with less experience with SaaS platforms like Microsoft 365.


However, this isn’t the full picture. In all cloud-based relationships, there is a shared responsibility between the customer and the cloud provider, which Microsoft calls the Shared Responsibility Model.

According to the Microsoft Shared Responsibility Model, the customer is responsible for maintaining their own data, devices, and accounts. As a SaaS solution, Microsoft manages their physical infrastructure and provides access servers and admin centers that allow users to configure and manage their services. However, the customer is still responsible for securing user access, managing devices connected to applications and protecting the data placed on the cloud servers. This is where the risks mentioned in the previous blog post come into play. If there are any misconfigurations or security gaps that enable bad actors to access the organization’s data, Microsoft is not responsible for the data loss.

Shared responsibility in the cloud

Advantages of Microsoft 365 Third-Party Backup

With such a wide range of potential risks that aren’t addressed by native tools, Gartner suggests that third-party backup solutions can help organizations overcome some of these challenges and protect their Microsoft 365 data. Based on Gartner’s recommendations, creating backups provides organizations with additional layers of protection that separate production data from backup copies. This reduces the potential impact of data loss incidents. Third-party backup solutions can also provide granular centralized recovery options and offer additional data and credential/privilege separation.


According to Gartner, organizations should look closer at business obstacles like regulatory compliance and long-term retention requirements when considering data protection. Gartner and Veeam recommend building around a solution that will simplify data protection and recovery across your Microsoft 365 applications.

In the final part of our series, we’ll assess how Veeam Backup for Microsoft 365 aligns with Gartner’s considerations for Microsoft 365 and the Shared Responsibility Model. Join us as we explore the benefits of using Veeam backup and its role in ensuring data protection for Microsoft 365 environments. Stay tuned!

