What Are the Risks to Microsoft 365, According to Gartner?

In life, we must make informed choices and decisions about the services and products we consume and rely on recommendations and thorough research. In these cases, we often look to those we consider to be experts in their respective areas. Gartner is one of the top technology research firms that’s dedicated to delivering actionable objective observations to the industry.

This is the first installment of our three-part blog series where we’ll dive into the risks associated with Microsoft 365, suggested by the experts at Gartner. Gartner posted a document giving their answer to the question: “Should I Back Up Microsoft 365?”. Their response provided many great insights on risk, native Microsoft capabilities, the Shared Responsibility Model and the use of third-party backup solutions. The full paper can be found here and also aligns with Veeam’s experience in the field.

Who Is Gartner?

Gartner is a renowned analyst firm in the technology sector that focuses primarily on conducting research, consulting consumers and specialists and hosting conferences. While Gartner is renowned for its trusted research papers, benchmarking and tools.

The Magic Quadrant is a distinctive publication by Gartner that objectively presents competitors side by side for each industry. In fact, Veeam was recently named as a Leader for the seventh consecutive time and rated highest in Ability to Execute for the fourth year in a row. Beyond the Magic Quadrant, they also give strategic advice to IT leaders on a variety of products, including what to do with Microsoft 365.

What Is Gartner’s Recommendation for Microsoft 365 Data?

Gartner identified five major risk factors that organizations need to consider when they use Microsoft 365. Despite shifting to a SaaS environment, the responsibilities and vulnerabilities associated with Microsoft 365 data still exist. Here are the risks highlighted by Gartner:

  1. Human error: No matter how advanced Microsoft 365  becomes, human error can still lead to unintended data loss. The sprawling nature of Microsoft 365 with its different administrator centers and recycling bins can leave gaps for potential data loss. Compromised accounts and accidental deletion or data misplacement are among the factors that contribute to this risk.
  2. Malware/virus/ransomware: Some early Microsoft 365 users believed that SaaS solved the problem of data encryption attacks and compromised files, since data was stored in the cloud and subjected to scanning. However, bad actors have adapted, and ransomware attacks now target data stored in SaaS environments as well.. Resilient ransomware can pivot to SaaS storage and alter file versions, leading to data destruction.
  3. Hacking (internal/external): Threat actors with malicious intent are often the most destructive and impactful. They can compromise or delete data, resulting in diminished productivity and potential reputational damage.
  4. Programmatic errors or flaws: Microsoft provides a suite of APIs and PowerShell commands to help manage and scale your environment. However, leveraging these endpoints without the proper control or caution can lead to unintended effects, misconfigurations or data loss within an organization.
  5. Disgruntled user: Employees with inside knowledge can pose a significant threat. They may have the capability to cause substantial damage quickly or create irreversible damage that goes undetected for long periods.

While Microsoft does provide some native protection features within Microsoft 365, it’s essential to understand that these features may not fully address all the potential risks. This leaves organizations vulnerable to data loss.

More Research on Managing Microsoft 365

Veeam continually seeks out additional research to better understand where our products should go next. To do this, we partner with top analyst firms like Gartner and independent research bureaus to get answers to questions like those posed in the Cloud Protection Trends Report 2023. In that study, respondents were asked: ”What are your organization’s primary reasons for backing up data within Microsoft 365?”. This same question has been asked in years past, and there’s been a significant shift from “accidental deletion of data” to “preparation against cybersecurity attacks” and “compliance or regulation requirements” being the top concern among both Microsoft 365 and backup administrators.

This report gives insights across the board into IaaS, PaaS, SaaS, BaaS, DRaaS and other cloud related technologies. In the SaaS section, you can find deeper dives into who performs  the backups, who are the stakeholders are and  what Veeam’s perspective on the topic is.   If you haven’t already, download the Cloud Protection Trends Report, the Gartner guidance on Microsoft 365 and the newly released Gartner Magic Quadrant for 2023. 


There are still some IT leaders who may think that backup isn’t necessary for cloud-based workloads, but in most cases, this will leave your organization vulnerable to data loss and the business impacts that come with it. Microsoft does provide an organization with many security and compliance tools, but those tools do not mitigate against the risk associated with privilege boundaries, data separation and granular recovery. These enhanced features bring great value but aren’t a replacement for backup.

The next part of this blog series will explore what Microsoft does to protect Microsoft 365 data and what they expect their subscribers to do. We’ll delve into the specifics of Microsoft’s native protection within the premium tiers of Microsoft 365 and the concept of the Microsoft Shared Responsibility Model. Stay tuned!


Veeam Data Cloud for Microsoft 365
#1 Microsoft 365 backup solution, now delivered as a service
Similar Blog Posts
Business | July 16, 2024
Business | July 11, 2024
Business | July 10, 2024
Stay up to date on the latest tips and news
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam’s Privacy Policy
You're all set!
Watch your inbox for our weekly blog updates.