Backup O365? Retention should be just fine, right?

Introduction:

If you recently migrated from on-premises you might be wondering: ok, but how do I backup the cloud? Fair question, especially if you were used to taking backups of your business critical applications and services on-premises.

Well.. Once migrated to M365, you'll find out that Microsoft takes good care of your data, and there are very few occasions where data can be irrevocably lost. The concept of backup-ing your user data (mailboxes, sites etc.) still exists, and can be done via 3rd party paid services. Most backup centric solution providers also extend their offer to M365.

I'll have to state that backup and retention are not the same thing!!! You may hear them being mixed with ease especially by upper management maybe 😂, but..

Backups generally offer:

• Point in time restore (restores the data in the service as it was at a precise point)
• Can be total or incremental (backup of everything vs increments since the last full backup)
• Can do a restore of a singular point of data (a specific mailbox, a particular site etc.)

Retention generally offers:

• Protection against accidental deletion
• Prevention against bad actors (rogue employee that wants to destroy all your data, or an attacker that gains access to your data)
• Can be used in some scenarios for conservation (GDPR, Lawsuit, country-specific fiscal or legal regulations etc.)

Retention in M365

So let's see what can we use in M365 to achieve retention of data? We can use the compliance.microsoft.com portal, which contains Microsoft Pureview.

Inside Pureview we have Data lifecycle management which is a section dedicated to retention. You'll observe there are 2 flavors:

The Exchange (legacy) one is still very useful for archiving, but we'll discuss that another time. We'll focus now on the Microsoft 365 one.

Create a retention policy in M365

1. Click on New Retention Policy
   
2. Set a name on the policy
3. Then I would choose static as I want to choose the location statically
   
   
4. I would personally only go with Exchange and SharePoint. I don't think I'm getting much out of the rest of the options. Also, beware that all this data kept around is counting against your quotas (Exchange Mailbox quota, SharePoint storage quota etc.).
5. Also keep this in mind when you choose the number of years. For my test lab, 2 years is enough, but you'll probably have to check with your legal team when deciding the duration. Also you have the option here to delete data after the retention, I would not advise doing that except for specific justified needs. So be careful to choose do nothing there
   
6. Save and you're done

It generally takes ~48 hours to propagate fully. After which you should be covered. For recovery scenarios, each service/product has its own quirks and features, I would suggest reading this and this for more info on how it acts in Exchange and SPO and what to expect from it.

You might be wondering how to recover data that was deleted beyond any GUI-recoverable folder or SharePoint Recycle Bin? And the answer lies with the Compliance Search which is a tool you can use to launch tenant-wide searches. I'll admit it is not the easiest to use, and it not exactly aimed at doing mass restores, but it can help in retrieving the needed data.

Conclusion

If you want to be protected against accidental or malicious deletion, or want to comply with your local regulations for keeping a record of things, then you may want to look into turning on M365 Retention in your tenant.