
FYI: Microsoft's "Shared Responsibility Model" for Office 365 Means YOU Are Responsible for Backups, NOT Microsoft!

Written by Megan Schutz | April 10, 2021

Are you under the impression that Microsoft is responsible for backing up the data in solutions like Office 365, Exchange Online, OneDrive and SharePoint Online? Think again.

It's a common question, really an assumption, that many of our clients bring to us, and we're always quick to correct it. Under Microsoft's "Shared Responsibility Model" for Office 365, you are responsible for your data and for backing it up, not Microsoft.

If you doubt us, here's a quote from official Microsoft material: "Point in time restoration of mailbox items is out of scope for the Exchange Online service" (reference).

As with any software that houses your business data, make sure you understand which responsibilities lie with you as a business and which fall on the software vendor, in this case Microsoft. At the end of the day, you don't own the software, but the data is yours, and protecting it is your responsibility first and foremost.

Let’s dig in a bit more. The Shared Responsibility Model from Microsoft is based on information from the Microsoft Office 365 Trust Center, which you can access here.

What is Microsoft’s responsibility?

Microsoft is primarily focused on its global infrastructure and its commitment to millions of customers to keep the service running smoothly and reliably. Its goal is to deliver the cloud service and enable the productivity of Microsoft users around the globe. Microsoft does keep replicas of your data in case of internal failures in its data centers. However, a replica is an exact, continuously synchronized copy, not a backup: if a user deletes a mailbox item, an administrator misconfigures a retention policy, or ransomware encrypts the files in a synced OneDrive folder, the replica faithfully mirrors that change within moments. It is also not accessible to anyone but Microsoft. The built-in recycle bins and deleted-item retention give you a recovery window measured in days or weeks, not a restorable point in time. If you need data restored beyond that, see above regarding Microsoft's stance (hint: not in Microsoft's scope).

To summarize, Microsoft provides the infrastructure and a place to store the "working copy" of your data. Backups are not included.

What is your responsibility?

You are responsible for controlling access to your data (the accounts, credentials and permissions that can reach it) and for the data itself. You must bring a third-party backup solution to the table. If you're in an industry with compliance requirements regarding archiving, eDiscovery, or encrypting ePHI in transit, you must also implement a solution that meets those requirements.

If you use Office 365 without a third-party backup solution, you are exposed to serious internal and external risks (accidental or malicious deletion by your own users, compromised accounts, ransomware) and to potential regulatory exposure when you cannot produce or restore records. Per Microsoft: "That's why you need to use a reliable backup and recovery solution to save your skin when things go wrong." (reference: Microsoft Office 365 Trust Center).

If you have more questions about what you are responsible for when it comes to Office 365 data, we are here to answer them. PK Tech has successfully implemented and supported third-party solutions for backup, archiving, and encryption for Office 365 and other critical data for over ten years. Contact us here.