Air-Gapping Your Data: Why Pay for Microsoft 365 Backups

There is a lot of misconception about the capabilities of Microsoft 365 with regard to data protection.  Many organizations avoid backing up Microsoft 365 data because they assume that Microsoft takes care of that for them.  The reality is that, while Microsoft provides tremendous data protection capabilities, they require configuration and have some important limitations that need a third-party solution to address.

Microsoft 365 data protection capabilities can be divided into three general areas:

1) High availability and redundancy:

Microsoft 365 services are highly redundant.  Exchange Online, for example, uses technology that has been proven out for many years in on-premise scenarios including database availability groups and transport shadow redundancy to ensure that all data is stored in both primary and secondary data centers.  Similarly, Microsoft 365 file storage across SharePoint, Teams, and OneDrive are built on Azure georedundant storage.  All data is stored in at least three locations in a primary data center and replicated in three locations in a secondary data center.  While this protection ensures high availability, it does not protect against accidental deletion or allow for recovery from data corruption.

2) User-exposed data protection:

Microsoft 365 services have features to protect data in a way that supports end-users.  Exchange items move to a deleted items folder when deleted.  When an item is then also deleted from the deleted items folder, it moves to a recoverable items section of the mailbox that can be accessed by end-users.  By default, this is 14 days but is configurable up to 30 days.  Similarly, all file storage is built on SharePoint which retains version history as files are changed and allow for recovery in the event of data corruption.  When files are deleted, they move to a site (first-stage) recycle bin where they are user-accessible for 93 days.  From there, they move to a second-stage recycle bin where SharePoint administrators can restore data for another 93 days. 

3) Back-end data protection:

The final level of data protection is targeted more at regulatory compliance and legal protection, but it does add significant long-term protection from data loss and the downtime it would cause.  For those with any E3 or E5 licensing, content preservation policies can be configured that can support both minimum and maximum data retention.  Content retained under these policies is guaranteed – meaning that data is guaranteed to be preserved and safe.  While these can be done for specific types of data or specific locations, it is possible to set up a blanket level of minimum retention across all services.  While these protections still allow users to delete data in Outlook, OneDrive, etc., content is retained and can be recovered by a discovery search.

Limitations of Microsoft 365

We see significant data protection in Microsoft 365 that covers most scenarios.  However, here are the two key limitations:

First, long-term data protection is built on discovery search, not backup.  While you can do a search (if you know what you’re looking for), you can’t browse to a user mailbox, select a folder and click restore.  Instead, you must know what you’re looking for and then the system spits out a file(s) for SharePoint data or a PST file for Exchange content.  Discovery search is very clunky when being used to restore significant amounts of content.

Second, the data protection solutions from Microsoft 365 are built on Microsoft 365.  Since Microsoft 365 is awesome, that’s usually a great thing, but let’s consider a ransomware scenario.  In 2022, we don’t see ransomware attacks that are launched by clicking an infected file.  More likely, we see a user account that gets compromised and allows a threat actor to explore an organization’s environment.  They then lurk and look for opportunities to move laterally and, ideally for them, compromise an admin account.  Once the admin account is compromised, before launching the attack, they will likely attempt to delete backups and even alter retention policies. 

This introduces the importance of “air-gapped” backups. What are they? Air-gapped backups are a separate set of credentials used to manage backups whether on-premise or in the Cloud. One solution we recommend at Interlink is Metallic, which you can learn more about by downloading this free eBook: Protecting Your Microsoft Office 365 Data


In fact, we are seeing cybersecurity insurance companies beginning to require air-gapped backups in order to receive coverage.  The most devastating ransomware incidents we’ve seen were at organizations that implemented disk-to-disk backups across their own WAN but didn’t have a copy of their data offline while hackers could easily destroy the disk-based backup.  This was a very common setup in the 2010s as bandwidth and storage costs declined significantly.  This is where Metallic.IO comes in.  It’s managed entirely separate from Microsoft 365 and, therefore, meets both the air-gapped requirements while also allowing for the ease of the restoration of a traditional backup solution where you can click on a user mailbox or drill into specific folders and choose items to restore. 

Summing It All Up

Finding an air-gapped backup solution is essential to ensure you avoid data loss and organizational downtime. Learn more about Microsoft 365 and third-party backup solutions, and see if they may be the right solution for your team, by downloading a free eBook on Metallic Office 365 Backup.

Want to talk to an expert about guarding against ransomware attacks and other cyber threats? Reach out to us here at Interlink to discuss your strategies around data retention, data governance, and anti-ransomware strategies.