Why O365 Exchange Online needs a backup

By Saurabh Singh • May 2, 2019

In the second blog of this series, we will look at Microsoft Office 365 as a SaaS application from a backup and recovery perspective. We will look at the out-of-the-box backup and recovery features provided by Microsoft and find out how they fare against organizational backup and recovery SLAs.

Microsoft Office 365 (O365) is a subscription service that bundles the traditional Office productivity applications and delivers them in a SaaS model. Organizations not only have the latest and greatest from Microsoft, they also get the flexibility of a pay-as-you-go model without any of the pains of managing an IT infrastructure.

While the Office 365 infrastructure is owned and managed by Microsoft, the data is owned by the organizations. With more than half of all businesses relying on Office 365 today, its rapid adoption has sparked fresh conversations about the division of responsibilities between Microsoft and organizations for data protection. As we discussed in the previous blog, backup and recovery in the SaaS world is a shared responsibility.

While the above is in the context of O365, it is valid for all SaaS offerings. In general, SaaS providers are responsible for maintaining their platform and guarding it against infrastructure failures, application failures and other failures resulting from disaster scenarios. The responsibility for data protection in the event of logical failures like user deletions, security breaches, administrative issues and service failures lies with the organization.

Taking this further, the organization also bears the responsibility of defining the SLAs for RPO and RTO and aligning them with its requirements. This further implies complementing the capabilities of the SaaS vendor to ensure that data protection for SaaS is as comprehensive as that of legacy enterprise systems.

Let’s look at the out-of-the-box data protection features provided by Microsoft O365 for Exchange Online.

Exchange Online is by far the most adopted O365 application service. Let’s study the Exchange Online service, examine the out-of-the-box data protection provided by Microsoft and see how it fares against traditional data protection SLAs.

  • Recoverable Items Folder
    • Deletions – deleted items are retained for 14 days by default; this can be increased up to 30 days
    • The Recoverable Items folder is part of the mailbox itself. If the mailbox gets corrupted, so does the Recoverable Items folder.
    • As data grows, it may introduce issues with user experience while searching for emails.
  • In-place or Litigation Hold
    • Meant for legal hold, not meant for point-in-time recovery
    • Data resides in the Recoverable Items folder, such as Purges (litigation hold) and Discovery Holds (in-place hold)
    • Recovery needs expertise
  • Archive Mailboxes
    • An archive mailbox is just another mailbox and has the same vulnerabilities as the primary mailbox. It comes only at a premium price. Also, if administrators use MRM (Messaging Records Management) deletion policies in Exchange Online to permanently delete expired mailbox items, expired items located in the auto-expanded archive will also be deleted.
  • Long-term retention for deleted user mailboxes
    • Maintaining O365 licenses for all the deleted users can be expensive.

The points above outline the reasons why Microsoft clearly states, “Point in time restoration of mailbox items is out of scope for the Exchange Online service.”
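
The settings listed above can be checked per mailbox from Exchange Online PowerShell. The audit script below is an added example, not from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and the signed-in account can read mailbox settings, and the CSV file name is a placeholder.

```powershell
# Added example: audit the native retention settings discussed in the post.
# Assumes the ExchangeOnlineManagement module and read access to mailboxes.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

$maxDays = 30   # maximum deleted-item retention cited in the post (default is 14)

$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        $mbx = $_
        # RetainDeletedItemsFor may arrive as a TimeSpan or as a string
        # such as "14.00:00:00"; normalise it to whole days.
        $days = ([timespan]"$($mbx.RetainDeletedItemsFor)").Days

        # Item counts for the Recoverable Items subfolders named in the post.
        # One call per mailbox, so this is slow on large tenants.
        $items = @{}
        Get-MailboxFolderStatistics -Identity $mbx.UserPrincipalName -FolderScope RecoverableItems |
            ForEach-Object { $items[$_.Name] = $_.ItemsInFolder }

        [pscustomobject]@{
            Mailbox            = $mbx.UserPrincipalName
            DeletedItemDays    = $days
            BelowMaxRetention  = $days -lt $maxDays
            LitigationHold     = $mbx.LitigationHoldEnabled
            InPlaceHoldCount   = @($mbx.InPlaceHolds | Where-Object { $_ }).Count
            ArchiveStatus      = $mbx.ArchiveStatus
            AutoExpandArchive  = $mbx.AutoExpandingArchiveEnabled
            DeletionsItems     = $items['Deletions']
            PurgesItems        = $items['Purges']
            DiscoveryHoldItems = $items['DiscoveryHolds']
        }
    }

# Mailboxes relying on less than the maximum retention and not under litigation hold
$report | Where-Object { $_.BelowMaxRetention -and -not $_.LitigationHold } |
    Sort-Object Mailbox | Format-Table -AutoSize

$report | Export-Csv -Path .\exo-retention-audit.csv -NoTypeInformation   # placeholder file name
Disconnect-ExchangeOnline -Confirm:$false
```

The report only shows how each mailbox is configured; none of these settings provides the point-in-time restore that the post describes as out of scope for the service.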

As is evident from the above discussion, the out-of-the-box data protection solution for O365 seems inadequate and warrants a third-party solution that could bridge the gaps and provide a robust, consistent and seamless backup/restore solution across these services.

In the next blog of this series, we will look at OneDrive and SharePoint Online as SaaS applications from a data protection standpoint. We will analyze the out-of-the-box data protection features provided by Microsoft for both and see whether they are sufficient on their own or whether we need a solution to complement them. Stay tuned.