Read time: 8 minutes

Summary: The article emphasizes the importance of backing up Microsoft 365 data due to shared responsibilities in cloud data management. It discusses scenarios such as data deletion, ransomware attacks, and limitations of eDiscovery, highlighting the need for reliable third-party backup solutions like Kernel Export Office 365 to PST.

While remote work existed before the COVID-19 pandemic, the recent global health crisis has accelerated the adoption of hybrid work models. Organizations now embrace and sustain this flexible work environment with the help of software solutions like Microsoft 365. Microsoft 365 continually enhances its programs, fostering collaboration, communication, task management, and productivity across various sectors, including businesses, institutions, professionals, students, and individuals.

Before fully embracing cloud-based services, it’s essential for users to understand the security of their cloud-stored data and the shared responsibilities between cloud service providers and users for data maintenance and security. Despite rigorous testing by cloud providers, unforeseen issues can disrupt program efficiency. One particular concern is the storage and ongoing availability of user data in Microsoft 365. Hence, this discussion focuses on the critical importance of backing up Microsoft 365.

Understanding the shared responsibility model

It’s crucial to grasp that, in the realm of public cloud services, adhering to the ‘shared responsibility model’ is paramount. Users must understand the division of security tasks between the cloud service provider and themselves. Additionally, following Office 365 backup best practices is essential. The distribution of workload responsibilities varies depending on the type of service, whether it’s Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or an on-premises deployment (which is not a cloud service). Below, we outline this workload responsibility distribution in a tabular format.

Responsibility On-Premises IaaS PaaS SaaS
Classification and Accountability of Data User User User User
Client and End-Point Protections User User User Shared
Identity and Access Management User User Shared Shared
Application-Level Controls User User Shared Microsoft
Network Controls User Shared Microsoft Microsoft
Host Infrastructure User Shared Microsoft Microsoft
Physical Security User Microsoft Microsoft Microsoft
Understanding responsibilities

In a conventional on-premises deployment, all responsibilities lie with you, the user. However, in cloud services, these responsibilities shift, with some moving partially and others entirely to the cloud service provider, depending on the transition from on-premises services to IaaS >> PaaS >> >> SaaS, as illustrated in the table above.

  • Classification and accountability of data and compliance obligation

    Users must take responsibility for identifying, labeling, and securely classifying their data to meet compliance requirements. It’s crucial to distinguish between sensitive and public data and appropriately store it in the cloud.

    While SaaS solutions like Office365 and Dynamics 365 offer data protection features like Office Lockbox and Data Loss Prevention, users should actively manage, classify, and configure these solutions to align with their unique security and compliance needs.

    In the case of PaaS solutions, customers should configure and establish processes to safeguard their data, leveraging features such as Azure Rights Management Services, which integrates with SaaS solutions to enhance data protection.

    For IaaS solutions, customers are responsible for configuring and securing data storage and transfers. Data classification falls under the user’s purview, and compliance requirements necessitate auditing all virtual devices deployed within their solutions.

  • Client and end-point protection
    With the diverse and abundant array of devices in use today, it’s imperative to establish clear boundaries and responsibilities for those connecting to cloud services. Cloud solution providers may offer tools to manage endpoint devices, such as Microsoft Intune, which delivers secure device management, PC oversight, and mobile application management capabilities. However, users remain accountable for their devices’ proper utilization and security.
  • Identity and access management

    It empowers users to access and utilize organizational resources. In PaaS and SaaS solutions, this responsibility is shared and requires meticulous implementation, including configuring an identity provider, setting up administrative services, establishing user identities, implementing role-based service access control, and managing administrative controls for both users and control points. Azure Active Directory (Azure AD) serves as an example, offering multifactor authentication and identity protection.

    In contrast, IaaS solutions place the onus on customers to configure and oversee identity and access controls for managed hosts and virtual devices. While it supports identity and access management for virtual devices, solutions like Azure AD necessitate configuration at the virtual device level. When operating IaaS services, special attention should be given to additional security and compliance responsibilities.

  • Application-level control
    PaaS-managed applications and services, such as web services, docDb, IoT, analytics, and media services, offer inherently secure solutions, significantly reducing user responsibilities.
    In contrast, within IaaS, users bear the responsibility of safeguarding the operating system and application layers of the virtual devices they deploy, ensuring protection against potential threats and avoiding compromises.
  • Network control

    Network control involves configuring, managing, and securing network components, including virtual networking, load balancing, DNS, and gateways, to facilitate communication and interoperability.

    In SaaS solutions, network control management and security are seamlessly integrated into the software, as the network infrastructure is inherently part of the service.

    Similarly, in PaaS solutions, much like in SaaS, the service provider handles the network configuration.
    In IaaS solutions, network control is a shared responsibility between the user and the service provider, requiring collaboration to deploy, manage, secure, and configure the necessary networking solutions.

  • Host Infrastructure

    The responsibility for host infrastructure encompasses configuration management, securing compute resources, storage, and platform services. The cloud solution provider operates and secures host services, including the operating systems of the service.

    In IaaS, responsibility is shared between users and the provider to ensure optimal configuration and security of the service. This shared responsibility includes configuring permissions, implementing network access controls to facilitate proper network communication, and correctly attaching and mounting storage devices.

  • Physical Security
    Parts of physical security comprise building facilities, servers, and networking devices. Cloud solution providers have security processes and policies for the protection of infrastructure from any unauthorized physical access maintenance. In case of occurrence of any disaster, then there is a new physical location as well for continued service(s). Other fields for security are capabilities like cooling, air quality management, device management, and power regulation.
Reasons to backup office 365

Before we discuss various scenarios and reasons when and why you need a backup of your Microsoft 365 data, it is good to know why you should upgrade your Microsoft 365 subscription.

  • Deletion of data
    Data can be lost due to various reasons, including deliberate or accidental deletions, as well as the removal of duplicate files. Without a backup solution in place, such data losses can occur. However, with an Office 365 backup solution, you can effortlessly recover and restore your data when needed.
  • Ransomware attacks and phishing
    Ransomware attackers gain unauthorized access to an organization’s data by sending cloned emails with virus-laden attachments to encrypt the data. They then demand a ransom for decryption, and if the organization doesn’t comply, they may erase the data. Additionally, phishing attacks can compromise your credentials. However, when you back up Microsoft 365 data, it automatically scans your backup archive for ransomware. Microsoft advanced threat protection is a new feature that also guards against phishing, although users may not always be aware when falling into attackers’ traps.
  • Entry of malware and virus through OneDrive

    Syncing your OneDrive data to a desktop and vice versa is convenient for accessing and storing Microsoft 365 files. However, this method is vulnerable to virus and malware attacks. If your desktop gets infected, and you’ve configured the OneDrive application, it can also become compromised, potentially leading to data corruption.

  • Limitations of eDiscovery
    eDiscovery tool of Microsoft 365 is generally used for legal purposes like identifying and retrieving archived data of an organization to use it as evidence in litigation or inquiry. However, it is not a complete backup mechanism.
  • Teams data structure
    Microsoft Teams stores data chronologically, but for security and compliance, Microsoft automatically removes it after a specific period. However, data adhering to the Retention Policy is relocated to hidden folders within respective mailboxes. In Microsoft 365 Business subscriptions, if you’ve enabled data storage in Exchange mailbox, SharePoint, and Exchange Public Folder, it will be stored there. Sometimes, you may find it impossible to restore deleted Teams files. In such cases, having a backup would have allowed you to retrieve the data whenever needed.
  • Outage and shutdown
    Users often experience outages and shutdowns of Microsoft Cloud services, rendering them unable to access their data. In these instances, having a Microsoft data backup becomes incredibly valuable.
  • Illicit consent acquired by third-party applications
    Occasionally, third-party applications illicitly acquire consent on your Microsoft 365 account, whether through phishing attacks or by injecting malicious code to steal your data. In such scenarios, having a data backup proves invaluable for data retrieval.


In this blog, we’ve emphasized the shared responsibilities between Microsoft 365 users and the platform itself. It’s crucial to understand that Microsoft 365 alone doesn’t bear complete responsibility for user data. We’ve highlighted the importance of data backup, ensuring that in any data loss scenario, you can recover it from your backups. For this purpose, a dependable third-party solution like Kernel Export Office 365 to PST is both user-friendly and highly efficient.