Disaster recovery plans are vital, not just important. Data becomes lost, deleted, purged, corrupted, all the time. Without that measure in place, data is truly lost.

There does seem to be confusion on what constitutes a Disaster Recovery plan, however.

While many systems have some form of data retention, they lack the necessary measures to be considered “disaster recovery”. This leaves security, compliance, and continuity all in question. Office365 is one of those systems.

What Office365 does

Office365 is a subscription-based service for Microsoft’s popular applications like Word, Excel, PowerPoint, and Outlook.

While Office365 uses language like “file-sharing and online storage” and “Microsoft-backed 24/7 Security”, at the end of the day, it is a singular system designed for Microsoft’s product line.

To present an example, as long as e-mails from Outlook are in an uncorrupted state, not deleted or purged beyond the unrecoverable period, and not beyond 3 years, you have your content. That is a standard retention policy for an active email system. But that sounds like a lot of conditions, am I right?

Likewise, collaborative platforms like OneDrive and SharePoint allow multiple users to access necessary documents. However, even those systems require a back up for catastrophic events.

Microsoft only provides any form of recovery under the following events:

  • Loss of service due to their hardware or infrastructure failure
  • Loss of service due to natural disaster or data center outage
  • Short-term (30-day) user-error with recycle bin/version history
  • Short-term (14-day) administrative error with soft-delete for Groups, Mailboxes or services-lead rollback

What Office365 doesn’t do

Under that same example mentioned above, if your email were to become encrypted via ransomware, that is not a situation in which Microsoft will support or recover.

Even in more common events, like an employee leaving, data that is lost in that user’s account is unrecoverable.

Microsoft does not support any of the following events:

  • Loss of data due to departing employees and deactivated accounts (outside retention period / delete and recovery periods)
  • Loss of data due to malicious insiders/hacktivists deleting content
  • Loss of data due to malware/ransomware
  • Recovery from prolonged outages
  • Long-term accidental deletion coverage with selective rollback

Where a Disaster Recovery Plan kicks in

A true data backup functions in one of three ways; an image backup, file and folder backup, or infrastructure redundancy.

Backups succeed by offering a replicate of your data, separated in a geographically different, unconnected storage so if you needed to recover any email or even rebuild the entire email system, you could from the last back-up.

You can’t have a disaster recovery and continuity of business policy without a back-up solution.

And Office365 is not a back-up solution or disaster recovery plan.


Download our infographic and learn how to identify a phishing scam when you see one.

Other Articles You Might Be Interested In:

Data Backups and Disaster Recovery

Data Backups and Disaster Recovery

Data backup is a critical part of an organization’s overall disaster recovery plan. The concept of data backup is simple: you make copies of your data and store them in a different location in case data is lost or destroyed.

read more

Founded in 1999, ITonDemand helps businesses and associations across the US achieve growth by guiding and supporting IT infrastructure and providing cybersecurity management. ITonDemand’s Core Solution and Security+ have been recognized among both Managed Services and Cybersecurity Providers as a member of the MSP Pioneer 250 and the Top 200 MSSPs.

1423 Powhatan St, Alexandria, VA 22314

233 SW 3rd St, Ocala, FL 34471