This article provides a high-level analysis of the Exchange Online and SharePoint Online data protection mechanisms. After migrating to Exchange Online and SharePoint Online, you need to consider the available Exchange Online and SharePoint Online data protection mechanisms. All Office365 components are adequately protected from accidental deletion via the usage of various Office365 features. The article discusses the Microsoft 365 services data protection mechanisms.
The following features are offered out of the box for Office 365 data protection.
| Feature | |
| Sharepoint and OneDrive for Business Recycle Bins | In SharePoint Online, items are retained for 93 days from the time you delete them from their original location. They stay in the site Recycle Bin (first stage Recycle Bin) the entire time, unless someone deletes them from there or empties that Recycle Bin. In that case, the items go to the site collection Recycle Bin (second stage Recycle Bin), where they stay for the remainder of the 93 days unless the site collection Recycle Bin exceeds its quota and starts purging the oldest items or unless the items are manually deleted by the site collection administrator from the site collection Recycle Bin. SharePoint Online retains backups of all content for 14 additional days beyond actual deletion. If content cannot be restored via the Recycle Bin or Files Restore, an administrator can contact Microsoft Support to request a restore any time inside the 14-day window. |
| Sharepoint and OneDrive for Business file versioning | Sharepoint Online versioning allows the users to create multiple versions of the same file or document and be able to revert to previous versions after accidental changes have been made to a file. Sharepoint Online supports 50,000 major versions and 511 minor versions. |
| Exchange Online journaling and data archiving (backup) | Firstly, it's important to understand the difference between journaling and a data archiving strategy: Journaling is the ability to record all communications, including email communications, in an organization for use in the organization's email retention or archival strategy. To meet an increasing number of regulatory and compliance requirements, many organizations must maintain records of communications that occur when employees perform daily business tasks. You can implement targeted journaling rules by specifying the SMTP address of the recipient you want to journal. The recipient can be a mailbox, distribution group, mail user, or contact. You can't designate an Exchange Online mailbox as a journaling mailbox. You can deliver journal reports to an on-premises archiving system or a third-party archiving service. Data archiving (backup) refers to backing up the data, removing it from its native environment, and storing it elsewhere, therefore reducing the strain of data storage. There are third party services offering mailbox backup solutions for Office365 services. A detailed description of Exchange Online data archival options can be found in this article. |
| Exchange Online Mailbox Protection https://docs.microsoft.com/en-us/exchange/back-up-email | How does Exchange Online protect mailbox data? Lots of things can disrupt service availability, such as hardware failure, natural disasters, or human error. To ensure that your data is always available and that services continue, even when unexpected events occur, Exchange Online uses the same technologies found in Exchange Server. For example, Exchange Online uses the Exchange Server feature known as database availability groups (DAGs) to replicate Exchange Online mailboxes to multiple databases in separate Microsoft datacenters. As a result, you can readily access up-to-date mailbox data in the event of a failure that affects one of the database copies. In addition to having multiple copies of each mailbox database, the different datacenters back up data for one another. If one fails, the affected data are transferred to another datacenter with limited service interruption and users experience seamless connectivity. You can get the latest information related to a service interrupting event by logging into the Service Health Dashboard. For more information, see View the status of your services. |
| Exchange Online Archiving https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-an-archive-and-deletion-policy-for-mailboxes | In Exchange Online, the best way to provide a backup for users is with Exchange Online Archiving. Using Outlook to backup data to .PST files isn't recommended due to the loss of discoverability and control of content. You can simply enable the Online Archive for each licensed user. In Office 365, admins can create an archiving and deletion policy that automatically moves items to a user's archive mailbox and automatically deletes items from the mailbox. The admin does this by creating a retention policy that's assigned to mailboxes and moves items to a user's archive mailbox after a certain period of time and that also deletes items from the mailbox after they reach a certain age limit. https://products.office.com/en-US/exchange/microsoft-exchange-online-archiving-email. A detailed description of Exchange Online data archival options can be found in this article. |
Exchange Online Deleted items folder and Recoverable items folder https://docs.microsoft.com/en-us/exchange/back-up-email | Deleted items are stored in the Deleted Items folder of the mailbox. Items deleted from the Deleted Items folder or deleted by pressing Shift+Delete are most likely recoverable if they're dealt with in a timely manner. |
| Exchange Server Hybrid configuration | Only the described hybrid features at https://docs.microsoft.com/en-us/exchange/exchange-hybrid are supported out of the box. This means there is no way to have the same mailbox in two locations/Organizations (and mix and match DAG between on-premise and cloud organizations). In a hybrid setup, some users have an on-premises email server and some users use Exchange Online, but all users share the same e-mail address space. Each mailbox however can be homed on either on-premise organization or cloud organization. Another comment, as per https://practical365.com/exchange-server/hybrid-exchange-office-365/ Q: Is it possible to use hybrid deployment for high availability solution? when exchange on premise down, we can still send/receive email with office 365. A: No. The mailbox can only exist on-premises or in the cloud, not in both at once. If you have availability concerns about your on-premises servers then I would suggest to you that Office 365 is the better place to put your mailboxes. Or maybe add extra DAGs/DAG members to increase H/A on-premise. However manual mailbox moves are feasible from on-prem to cloud and from cloud to on-prem, since the two organizations are considered a single email space. |
Exchange Online In-place hold and litigation hold | In-Place Hold and Litigation Hold operates as per the following description. https://docs.microsoft.com/en-us/exchange/security-and-compliance/in-place-and-litigation-holds |
| Exchange server retention policies https://docs.microsoft.com/en-us/office365/securitycompliance/retention-policies | For a user's mail, calendar, and other items, a retention policy is applied at the level of a mailbox. For a public folder, a retention policy is applied at the folder level, not the mailbox level. Both a mailbox and a public folder use the Recoverable Items folder to retain items. Only people who have been assigned eDiscovery permissions can view items in another user's Recoverable Items folder. By default, when a person deletes a message in a folder other than the Deleted Items folder, the message is moved to the Deleted Items folder. When a person deletes an item in the Deleted Items folder, the message is moved to the Recoverable Items folder. In addition, a person can soft delete an item (SHIFT+DELETE) in any folder, which bypasses the Deleted Items folder and moves the item directly to the Recoverable Items folder. A process periodically evaluates items in the Recoverable Items folder. If an item doesn't match the rules of at least one retention policy, the item is permanently deleted (also called hard deleted) from the Recoverable Items folder. When a person attempts to change certain properties of a mailbox item — such as the subject, body, attachments, senders and recipients, or date sent or received for a message — a copy of the original item is saved to the Recoverable Items folder before the change is committed. This happens for each subsequent change. At the end of the retention period, copies in the Recoverable Items folder are permanently deleted. If a user leaves your organization, and their mailbox is included in a retention policy, the mailbox becomes an inactive mailbox when the user's Office 365 account is deleted. The contents of an inactive mailbox are still subject to any retention policy that was placed on the mailbox before it was made inactive, and the contents are available to an eDiscovery search. For more information, see Inactive mailboxes in Exchange Online. After a retention policy is assigned to a mailbox or public folder, content can follow one of two paths: If the item is modified or permanently deleted by the user (either SHIFT+DELETE or deleted from Deleted Items) during the retention period, the item is moved (or copied, in the case of edit) to the Recoverable Items folder. There, a process runs periodically and identifies items whose retention period has expired, and these items are permanently deleted within 14 days of the end of the retention period. Note that 14 days is the default setting, but it can be configured up to 30 days.If the item is not modified or deleted during the retention period, the same process runs periodically on all folders in the mailbox and identifies items whose retention period has expired, and these items are permanently deleted within 14 days of the end of the retention period. Note that 14 days is the default setting but it can be configured up to 30 days. |
| Microsoft teams data retention policies |
All the above features are normally fully enabled in the Microsoft 365 environment. Therefore, in most cases, there is no apparent need for an additional backup mechanism for Microsoft 365 data. For the purposes of backup for data disaster recovery or point-in-time recovery, for examples in cases of ransomware, a full cloud-to-cloud backup solution will need to be configured.
A Microsoft 365 backup solution which is offered with zero cost, since it is open source software is Corso Backup. Corso is the first open-source tool that aims to assist IT admins with the critical task of protecting their Microsoft 365 data. It provides a reliable, secure, and efficient data protection engine. Admins decide where to store the backup data and have the flexibility to perform backups of their desired service through an intuitive interface. As Corso evolves, it can become a great building block for more complex data protection workflows. Corso supports Exchange Online, OneDrive for Business, SharePoint Online and Teams. Coverage for more services, possibly beyond M365, will expand based on the interest and needs of the community. Exchange Online and SharePoint Online data protection mechanisms can be extended by backup tools such as Corso.
