Office 365 Data Protection: Part 1 – Is Doing Nothing Really Good Enough?

Spanning Backup for Office 365 is backup as a service for Office 365 Mail, Calendars, and OneDrive for Business. We do the backups, and restores, that you would have done on-premises for these applications.

People still ask us…”Wait, doesn’t Microsoft do this for me?” After all, you pay Microsoft a monthly per-user fee to host these critical collaboration applications, surely they are protecting this data just as you did when you hosted it on-premises, right? The thing is, data protection in Office 365 is a shared responsibility, with Microsoft taking on the tasks that would have typically been done on-premises for disaster recovery. But you’re still ultimately responsible for your data, and it’s up to you to decide how to protect and recover any data that is lost by human error or even malicious attacks.

In this series of blog posts, we’ll review what Microsoft has done to build in protection against data loss, and you can decide for yourself if these safeguards are really good enough.

Part 1: Disaster Recovery and Retention times

How Microsoft protects your data

Microsoft has done an amazing job “SaaS-ifying” their applications. And just as with other SaaS providers, they do a great job with the data protection activities that we typically relate to disaster recovery situations. For example, they say this in a TechNet article about backing up email in Exchange Online:

… Exchange Online uses the Exchange 2013 feature known as Database Availability Groups to replicate Exchange Online mailboxes to multiple databases in separate Microsoft datacenters. As a result, you can readily access up-to-date mailbox data in the event of a failure that affects one of the database copies. In addition to having multiple copies of each mailbox database, the different data centers back up data for one another. If one fails, the affected data are transferred to another data center with limited service interruption and users experience seamless connectivity.”

Microsoft has architected a resilient environment to maintain their uptime SLA (99.9%), which also will protect your data. However, none of the snapshots created are available to administrators or end users for quickly and easily restoring lost data. If users accidentally delete data from their mailboxes (according to our Global SaaS Data Protection survey earlier this year, user error is the leading cause of SaaS data loss), Microsoft provides manual recovery from the Deleted Items folder and Single Item Recovery from the Recovery Items folder. But are these methods enough for your organization’s retention requirements?


Microsoft Office 365’s Default Retention periods

The retention times for those folders can be customized to fit your organization’s requirements using retention tags and policies, but you can see that there are still limitations and data can ultimately be lost from any of these folders due to various circumstances. Here’s how the folders work:



Deleted Items Folder

Unlimited N/A Although Microsoft tries to mitigate end-user data loss by making the retention period for this folder unlimited, users can skip this folder with keystroke combos, or Outlook rules. More importantly, users can delete data from this folder at any time. Deleted items from this folder move to the Recoverable Items folder.

Recoverable Items Folder

14 days Admins can extend to 30 days Users can recover from this folder, one item at a time (single item recovery) using the web interface. Admins can also recover items for users, using the Single Item Recovery feature via remote PowerShell.

Purge Folder

14 days None This is the last stop for items that have been deleted – admins (only) can use the Single Item Recovery feature via remote PowerShell to recover items for their end users. Once the 14-day retention period expires, the data is permanently deleted from the tenant.

Next week in Part 2 we will discuss Litigation Hold.