everythingpossible - Fotolia

Tip

Do you need to make Exchange Online backups?

Microsoft has several protective measures in place to let customers restore deleted mail in Office 365, but backup vendors will say it's not enough to cover every scenario.

Moving from on-premises Exchange into Exchange Online is a big change for multiple reasons. These are different systems that require different administration strategies.

For administrators, one of the best reasons for moving to a cloud service such as Office 365 is that a lot of the tedious and difficult tasks are done for you. Building new servers, checking hard drives for enough space, replacing failed hardware, patching systems and making backups are areas that Microsoft and other cloud service providers will handle for your organization. But one area that requires some attention is Exchange Online backups.

We make backups for on-premises systems, so the same thing goes for a cloud service, right? It's a complicated question, and the answer depends on who you ask.

Microsoft says Exchange Online backups aren't necessary because it deploys hosted email in Office 365 in a way removes the need for traditional backups, specifically through its use of Exchange Native Data Protection (NDP). NDP is a collection of features that includes:

  • A minimum of four copies of every mailbox in at least two data centers.
  • The single item retention feature that gives users up to 30 days to restore deleted mailbox items.
  • The default retention setting in Exchange Online that does not purge mailbox items.
  • Microsoft can restore a copy of the Exchange Online database during a period of up to 14 days using point-in-time snapshot with lagged databases.

Third-party vendors that sell backup products will tell you the Office 365 backup arrangement isn't good enough because it fails to fill the gaps in several areas:

  • Rouge administrators. If someone in your IT department deletes user data, then there is little Microsoft can do to recover that material.
  • Malware/ransomware. If a user introduces a ransomware infection that encrypts your data in place, there is nothing Microsoft can do to restore that data.
  • Data loss from Microsoft's end. If some calamity occurs within Microsoft's data centers that completely deletes your data, then Microsoft will have no way to perform a recovery.
  • User error. If users delete their own data accidentally, then recovery through features such as single item recovery and legal hold might be possible if the administrator put those features in place.

For the most part, these reasons by these third-party vendors are overstated. If you sell an Exchange Online backup product, then you have to market your offering to prospective clients. But there is a grain of truth that there is a chance something could happen to your data in Exchange Online.

Anything is possible. Without traditional backups, you could lose valuable data. It's your responsibility as the Exchange Online administrator to understand the built-in recovery options offered by Microsoft and determine if those features are enough to meet your organization's needs.

Do you know what I never hear these third-party providers talking about with their Exchange Online backup products? Restores.

Consider this scenario: You're the CIO of a company with 5,000 users who moved to Exchange Online. Say the average user uses 50% of the space in his or her mailbox. You buy a third-party Exchange Online backup product that stores all your data every night.

You come into work on Monday morning and discover your Exchange Online data is gone. You check the online dashboard for your third-party backup product and see that it completed a full backup shortly before the outage started.

Where are you going to restore all that data? In this scenario, you need to restore 250,000 GB of mailbox data. Depending on the cause of the outage, you may not be able to restore that data into Exchange Online. It seems unlikely that you would have the on-premises infrastructure capable of handling a restore of that size. Wherever you decide to restore that data, it's certainly going to take a long time to get done.

Common questions about Exchange Online backups

Every customer has a unique situation with special legal or compliance requirements. To help guide your decision-making process, here are a few questions I've gotten related to Exchange Online backups and my response.

Say you're a Fortune 500 company and want the same backup protections you had in place with on-premises Exchange, how would you go about setting that up?

Exchange Online isn't the same product as on-premises Exchange, so you must think about it and treat it in a new way. Because Exchange Online operates in a way where much is outside your direct control as opposed to Exchange Server in the data center, you cannot do things the same way you would with an on-premises product. I recommend using as much of the Exchange NDP features as you can, then look for ways to fill in the gaps that are important to your organization.

Which Exchange Online backup vendors would you recommend and why?

No two vendor products are the same. Mimecast, Veeam, Carbonite and Quest offerings have slightly different features at different prices. Where are the areas that you need specific protection? Once you have that list, you'll have to match it up with the product that fits your criteria.

For example, Mimecast has an online feature to access email via their portal even when Exchange Online is down. Veeam backup works across multiple Office 365 workloads and stores data either in its cloud or your on-premises infrastructure. Carbonite's Office 365 backup product is easy to set up and use but might lack some features available by other vendors. Quest's offerings are feature-rich but are more difficult to setup and maintain than other options.

Say someone had deleted an email, but it expired after the default purge setting (14 days). Is there any way to set up something for these minor types of restore procedures? Or should the Office 365 admin adjust certain settings beforehand?

It comes down to what your organization requires. Some companies I have worked with only want data to be retained in the cloud for a short time -- around three years -- and then deleted. If this is the case for your organization, then having backups could expose your company to unwanted legal issues. Take the time to fully understand your organization's needs, and then find ways to meet them under various disaster scenarios.

Dig Deeper on IT operations and infrastructure management