In Blog

If you spend time perusing online IT communities, you’ll eventually find someone asking a variation of this question: Can my company use Microsoft Office 365’s retention policies as a suitable backup and recovery solution for our O365 data?

Unlike a lot of those chat threads, we’ll cut straight to the bottom line: The answer is no. There are many reasons for this, but here are a few of the more compelling.

Microsoft itself doesn’t view retention as data backup

This is the most fundamental reason your company shouldn’t rely on Microsoft’s retention policies as the only means of backing your O365 data and making sure it’s accessible in the event of a disaster. The company itself views retention policy and data backup as two different sets of services.

For example, Microsoft’s Overview of Office 365 Retention Policies document is nearly 7,000 words. It describes the company’s principles of retention. It discusses the differences in retention policy among the various Office 365 apps. But one term that does not appear anywhere in the overview’s dozens of pages is… “backup.”

Administering the retention policies is complicated and time-consuming

In that 25-page retention policy overview, Microsoft explains the many rules, options, and overrides for setting retention policies on specific types of data and for specific situations. Here are just a few of the many scenarios covered in the overview, each of which describes a detailed process for setting unique retention rules:

  • Content paths for delete-only retention policy
  • Content paths for retain-only retention policy
  • When the retention policy is both to retain and delete
  • Retaining content that has specific keywords
  • Applying retention or deletion rules to a specific team, a location, or the entire organization
  • Understanding the differences in retention and deletion rules for:
    • Exchange email
    • SharePoint site collections
    • OneDrive accounts
    • Office 365 groups
    • Exchange public folders

As you can see above, each solution in Office 365 — SharePoint, Exchange, OneDrive — has its own retention and deletion rules, all of which require you to manually set the instructions. This means you will need to think through and maintain not one but many individual retention policies for the various types of data your company generates and maintains in O365.

The retention policy says nothing about recovery time

With a true O365 backup solution, if any of your company’s data becomes lost, corrupted, accidentally deleted, or hijacked by cybercriminals, you will be able to restore that data — often within minutes — to a secondary system and access it from any connected device.

Microsoft’s retention policies, by contrast, have nothing to say about how quickly you will be able to access lost data, how exactly the restoration process will work, and whether it will be easy or difficult.

If someone in your company accidentally deletes an important file, folder, or mailbox, that mistake could have profound consequences for your company’s business operations, intellectual property, and even your reputation. In a real-world scenario like that, you won’t want to have to contact Microsoft to ask how their retention policies can help you recover your lost corporate data — and whether they can get it back for you in the timeframe you need.

Back up your O365 data with a trusted third-party expert

As one final piece of evidence that Microsoft doesn’t consider itself responsible for backing up your corporate data in Office 365 — or in any other Microsoft tools — consider this quote from an article written by acknowledged Microsoft expert Brien Posey, MCSE, who headed the IT department at Fort Knox:

“Microsoft says they also perform traditional backups of Office 365 servers. However, those backups are used for internal purposes only if they experienced a catastrophic event that wiped out large volumes of customer data. Although Microsoft may occasionally restore data for a customer, the company seems to discourage the practice. The Office 365 service-level agreement addresses availability, not recoverability.

If you’re using Office 365, setting retention policy rules for your corporate data is a smart move. But it’s only one small component of a comprehensive data-protection strategy. A much larger and more important step is to implement a true backup and recovery solution — from a trusted Office 365 backup provider.

Read our Office 365 Data Protection white paper >>