Published: Nov 14, 2025 | 6 min read

How to Back Up Microsoft 365 Settings & Configurations Using Native and Third-Party Tools

Vasil Michev
Vasil is a nine-time Microsoft MVP and expert with over a decade of experience in Microsoft cloud, lifecycle management, migration, adoption, and automation.

Most Microsoft 365 admins know how important it is to back up user data, but far fewer realize that Microsoft does not back up critical tenant-level configurations and administrative settings. These settings define how email flows, who can access what, how devices are secured, how Teams communicates, and how your entire tenant is governed. Losing them can bring business operations to a halt.

This guide explains exactly which Microsoft 365 settings and configurations you must protect, the limitations of native Microsoft tools, and the best third-party M365 configuration backup solutions, including how CoreView Configuration Manager can back up and restore the tenant-level configuration data Microsoft does not cover at all.


Executive Summary

Backing up Microsoft 365 configurations is essential to protect against accidental administrative changes, misconfigurations, cyberattacks, failed updates, or permission changes that break workflows. While Microsoft protects some data, it does not provide full coverage for tenant-level policies, custom configurations, or governance settings.

Native options like PowerShell and Microsoft 365 DSC help but have gaps. That’s why organizations increasingly rely on third-party tools for Microsoft 365 configuration backup, recovery, and version control.

CoreView Configuration Manager stands out as one of the only tools that backs up and restores tenant-level settings across Microsoft Entra, Exchange, SharePoint, Teams, Intune, Purview, Defender, and more, including configurations Microsoft does not back up at all.

Which parts of Microsoft 365 should be backed up

Supporting the applications and resources powering your Microsoft Office 365 cloud infrastructure is a system of configurations and policies that keep things in your environment running as intended. While you may not interact with them day-to-day, these settings and policies are responsible for smooth operations and for ensuring business continuity for your cloud environment. The critical nature of this configuration management is invisible to most.

Enterprise teams dedicate time and resources each year to backing up their data (up to 96% of businesses proudly state that they have their data safely backed up), but the configuration management responsible for your entire business framework takes a back seat, if it is considered at all. This gap is also invisible.

Unfortunately, unbeknownst to most, Microsoft does not offer a full-service backup platform for your configurations, opening up your Microsoft 365 environment to critical outages and significant disruptions to business. Microsoft users have either ignored the problem (if they were even aware that it existed), developed their own unofficial workarounds, or adopted third-party tools to provide the backup needed.

Let's take a look at the app-specific breakdown of the configurations that make up Microsoft Office 365 that organizations must protect and how to back them up.

Microsoft Entra ID

Identity configurations are often the root cause of major outages. Incorrect Conditional Access changes can lock admins out or block authentication across an entire organization.

Here are some of the critical identity and security configuration items that must be protected:

| Entra ID Feature | Description | Why It Needs Protection |
|---|---|---|
| Conditional Access policies | These are 'if-then' access control statements that use signals (user, device, location, risk) to enforce controls like Multi-Factor Authentication (MFA) or block access. | They are the primary gatekeepers to resources. If compromised, an attacker could grant themselves unrestricted access or disable critical security controls. |
| Authentication methods policies | These define which authentication methods (e.g., FIDO2 keys, Microsoft Authenticator, SMS, Temporary Access Pass) are available and who is allowed to use them for sign-in and MFA. | They control the strength of identity verification. Misconfiguration could allow the use of weak authentication methods, increasing the risk of account compromise. |
| Identity Protection policies | Automated policies that use risk detection signals (user risk, sign-in risk) to investigate and respond to potential threats, often by requiring a secure password change or MFA. | They are crucial for automated risk mitigation. Tampering with them could prevent the system from flagging high-risk users or sign-ins, allowing an attacker to operate undetected. |
| User and group settings | These settings control user and group creation permissions, group expiration, and external user (guest) collaboration rules. | They govern who can create and manage identities in the directory. Improper configuration can lead to unauthorized user/group creation or uncontrolled guest invitations. |
| Enterprise applications | These are entries for third-party (SaaS) and other applications that rely on Entra ID for Single Sign-On (SSO) and access control. | They represent access to organizational data in external services. If compromised, an attacker gains access to the application and its sensitive data. |
| App registration configurations | These are settings for custom applications that use the Microsoft identity platform, including defining permissions, API scopes, and client secrets/certificates. | They contain secrets and elevated permissions that allow applications to act on behalf of a user or the organization. Compromise can lead to data exfiltration or privilege escalation. |
| Role assignments and custom roles | These define which security principals (users, groups, service principals) hold privileged roles and the specific scope of those permissions. | They are the root of all privilege in the tenant. An attacker targets this area to gain administrative control over the entire environment. |
| Company branding configurations | These customize the appearance of the sign-in and sign-up pages (logos, background, custom text). | While low-security, tampering with the sign-in page appearance could be used to set up phishing attempts, leading to credential theft. |
| Tenant defaults, security defaults | Security Defaults are pre-configured, baseline security settings from Microsoft that provide a basic level of protection (e.g., block legacy authentication, enforce MFA for admins). | They are the base security foundation. Disabling them without replacing the protection with Conditional Access policies leaves the tenant vulnerable to common identity attacks. |
| Cross-tenant access settings | These control the level of inbound access users from external Entra ID organizations have to your resources, and the level of outbound access your users have to external organizations. | They define the security perimeter with partners. Misconfiguration could allow untrusted external users to bypass your MFA requirements or gain inappropriate access. |

Microsoft Exchange Online

The primary items that need protection within Microsoft Exchange Online are the various forms of mailbox data and the underlying system configuration that controls access and security. While Microsoft handles the security of the cloud infrastructure, organizations are responsible for protecting the configurations and data itself against various threats like user-initiated deletion, malware, and compliance risks.

Even the smallest changes to mail flow rules or domain settings can disrupt email delivery tenant-wide.

Here are some of the key settings that require configuration backup:

| Item to Protect | Description | Why It Needs Protection |
|---|---|---|
| User Mailboxes | Primary email, calendar, contacts, tasks, and notes for individual users. | Business continuity, preventing loss of intellectual property and sensitive communications. |
| Shared Mailboxes | Mailboxes used by multiple people for a common function (e.g., 'support'). | Operational continuity for key business functions. |
| In-Place Archives | Secondary mailboxes used for long-term email storage. | Regulatory compliance and access to historical business records. |
| Mail Items & Attachments | Individual emails and their attached files. | Protecting against malware infection and data exfiltration or corruption. |
| Mail Flow Rules | Automated rules that inspect and act on emails (e.g., block sensitive data). | Preventing security and compliance policy bypasses. |
| Security Policies | Settings for Anti-Malware, Anti-Spam, and Anti-Phishing protection. | Ensuring a strong frontline defense against current email-based threats. |
| Retention/Legal Holds | Settings dictating how long data is preserved for compliance. | Meeting legal and regulatory data preservation requirements. |

SharePoint Online

SharePoint controls how content is shared and governed. Misconfigurations can expose sensitive data or block collaboration.

Here are the basic SharePoint configurations that need to be backed up and protected:

| Item to Protect | Description | Why It Needs Protection |
|---|---|---|
| Sharing and Access Policies | Rules that govern who can share content (internally/externally) and how content permissions are inherited or granted. | To ensure that sensitive data is only accessed by authorized users and to prevent excessive sharing. Data leakage and unauthorized access can result, as well as non-compliance with data privacy regulations. |
| Site-Level Settings | Configuration for individual SharePoint sites, including security settings (e.g., site permissions, member groups), external sharing toggle, and feature activation. | To control the scope of access and the capabilities available on a per-site basis, ensuring site-specific content is properly segregated. Users gaining elevated privileges creates risk, and also opens the door to configuration drift across the tenant. |
| Sharing Domain Allow/Block Lists | A list of specific external domains that are either permitted (Allow) or prohibited (Block) from receiving shared content from your organization. | To restrict external sharing to trusted business partners and block sharing with known risky or unauthorized domains. |
| Admin Center Settings | Global configurations managed within the SharePoint Admin Center (e.g., default sharing settings, retention policies, global site creation rules, sync policies). | These settings apply tenant-wide and set the baseline for all sites. They are crucial for governance and compliance. A misconfiguration can expose the entire tenant to excessive external sharing, allow users to bypass compliance rules, or grant broad admin rights, which can lead to tenant-wide data loss or data breach. |

OneDrive for Business

OneDrive inherits many SharePoint policies, and accidental changes can cause sync failures or data exposure.

The following OneDrive settings must be backed up:

| Item to Protect | Description | Why It Needs Protection |
|---|---|---|
| Sharing Policies | Controls for how users can share files and folders, both internally and externally (e.g., ability to create anonymous links, link expiration dates, external user authentication requirements). | Prevents over-sharing and controls the scope of external access, which is a major data leak vector. |
| Sync Restrictions | Policies that govern which devices or organizations can synchronize OneDrive files (e.g., preventing syncing to personal OneDrive accounts or non-compliant, unmanaged devices). | Maintains the security boundary between corporate data and personal/unmanaged environments, stopping unauthorized data egress. |
| Storage Settings | Administrative settings related to file retention, deletion, and overall storage limits (e.g., retention period for deleted users' data, storage quotas). | Ensures data is available for business continuity and legal/regulatory eDiscovery purposes, and manages resource usage. There is a risk of permanent loss of critical data if retention policies go unset. |
| Access Control Settings | Rules determining who can access files and under what conditions (e.g., conditional access policies based on user location, device compliance, or Multi-Factor Authentication (MFA) requirements). | Enforces the principle of Least Privilege and secures access based on identity and device security posture. |
| Compliance and Retention Controls | Settings related to Data Loss Prevention (DLP), retention labels, audit logging, and legal hold policies. | Helps the organization meet legal, industry, and internal governance requirements (e.g., GDPR, HIPAA) for data handling and preservation. |

Microsoft Teams

Teams outages today often stem from policy misconfiguration, especially guest access and calling policies.

Teams is complex, with many interdependent settings. Those that need to be backed up include:

| Item to Protect | Description | Why It Needs Protection |
|---|---|---|
| Teams Policies (Messaging, Meeting, Calling) | Control user features like chat deletion, recording, screen sharing, anonymous joins, and who can bypass the meeting lobby. | Unrestricted messaging/meeting features can allow users to share sensitive data externally, record meetings without consent (compliance issue), or host unsecured meetings that unauthorized parties can join, leading to potential data leakage and compliance risk. |
| App Setup Policies | Determine which apps (first-party, third-party, and custom) are available, allowed, or pinned for users, and in what order. | Allowing unrestricted use of third-party apps can introduce malware, permit apps to access and exfiltrate sensitive data, or simply lead to decreased productivity and "app sprawl." |
| Meeting Configurations | Global settings controlling meeting security defaults, such as anonymous join capabilities, dial-in settings, and default lobby behavior. | If anonymous users can bypass the lobby, confidential meetings can be "crashed" or monitored by external, uninvited parties, compromising sensitive discussions. |
| External and Guest Access Settings | Define whether external users (federated tenants) and Guests (users with accounts in another organization) can communicate, be added to teams, or join meetings. | Overly permissive settings can lead to guests being added to teams with sensitive information, or users communicating with unauthorized external organizations, leading to significant data loss and governance failure. |
| Teams Templates | Pre-defined team structures (channels, apps, policies) used to standardize new teams. | If users can create unmanaged teams without templates, you lose control over naming conventions, required security settings (e.g., sensitivity labels), and app usage, making auditing and compliance difficult. |

Microsoft Intune (Endpoint Manager)

Intune controls your entire device fleet. Losing its policies can break device enrollment and compliance and wipe out your entire device security posture.

Intune is one of the most configuration-heavy M365 services, meaning you should back up the following:

| Item to Protect | Description | Why It Needs Protection |
|---|---|---|
| Device Compliance Policies | Rules that devices must meet (e.g., minimum OS version, encryption enabled, device not jailbroken) before they are allowed to access corporate resources. | Ensures only trusted and secure devices can access organizational data, forming the basis for Conditional Access. |
| Device Configuration Profiles | Policies that configure device settings and features (e.g., enabling device passwords, managing Wi-Fi/VPN profiles, setting up security features like firewalls). | Enforces a standardized, secure operational environment across all managed devices, reducing misconfiguration risks. |
| App Protection Policies (also known as Mobile Application Management/MAM) | Rules that protect organizational data within specific apps (e.g., blocking copy/paste to personal apps, requiring an app-level PIN, enforcing data encryption). | Prevents corporate data leakage from managed apps, especially in Bring Your Own Device (BYOD) scenarios where the device itself is not fully managed. |
| Security Baselines | Pre-configured sets of security settings recommended by Microsoft for specific operating systems (e.g., Windows 10/11) to help meet security standards. | Provides an immediate, expert-vetted minimum security posture to quickly configure devices based on industry best practices. |
| Endpoint Security Policies | Focused security controls for device protection, including settings for Antivirus (Microsoft Defender), Disk Encryption (BitLocker), and Firewall. | Proactively defends endpoints against malware, unauthorized network access, and data theft, going beyond compliance checks. |
| Custom Configuration Scripts | PowerShell scripts or shell scripts used to deploy granular, highly specific configurations or actions not available through standard Intune policies. | Allows for deep customization and remediation of unique organizational or legacy requirements across devices. |
| Enrollment Restrictions | Rules that define which devices (based on OS, manufacturer, or number of devices per user) are allowed to enroll in Intune management. | Controls the security standard of devices entering the environment and limits the number of devices per user to manage risk and licensing. |
| Windows Update for Business Policies | Policies that manage how and when Windows devices receive feature updates and quality updates from Windows Update. | Ensures devices are regularly patched against known security vulnerabilities, a primary vector for cyberattacks. |

Microsoft Purview

Purview policies control your regulatory compliance framework.

Governance configurations that must be backed up include:

| Item to Protect | Description | Why It Needs Protection |
|---|---|---|
| Data Loss Prevention (DLP) Policies | Rules that identify, monitor, and automatically protect sensitive information (e.g., credit card numbers, PII) from being accidentally or maliciously shared, transferred, or used improperly. | Failure risks sensitive data leakage or exfiltration via email, cloud services, or endpoint devices, leading to regulatory non-compliance, financial loss, and reputational damage. |
| Information Protection & Sensitivity Labels | Classifies and applies persistent protection (like encryption and access restrictions) to sensitive data, even when it leaves your organization's control. | Absence or misuse results in uncontrolled access to sensitive files, allowing unauthorized users to view, edit, or share confidential information, nullifying data security efforts. |
| Label Policies | Governs how sensitivity labels are published and made available to users in applications like Outlook, Word, and SharePoint, including mandatory labeling and default labels. | Misconfiguration can lead to unlabeled sensitive data, meaning protection actions (like encryption) are never applied, or to user confusion that results in the incorrect application of labels. |
| Retention Policies & Retention Label Policies | Rules for retaining data for a specific period (to meet legal/regulatory needs) or deleting it (to reduce risk) across Microsoft 365 locations like Exchange, SharePoint, and Teams. | Failure leads to compliance violations (not retaining data for required legal holds) or increased risk exposure (retaining ROT (Redundant, Obsolete, Trivial) data that can be breached). |
| Insider Risk Management Settings | Policies that use machine learning to detect and mitigate potential malicious or inadvertent risky activities by employees (e.g., excessive downloading, emailing sensitive data before resignation). | Lack of settings allows for undetected and unmitigated insider threats (malicious data theft or inadvertent data leaks), which are a leading cause of major data breaches. |

Microsoft Defender for Office 365

Incorrect Defender changes could weaken security tools or disable protections entirely.

Critical security posture settings to back up include:

| Item to Protect | Description | Why It Needs Protection |
|---|---|---|
| Anti-phishing policies | Protect users, domains, and brands from impersonation (spoofing) and phishing attempts. This includes protecting high-profile users (VIPs, executives) who are frequently targeted. | Business Email Compromise (BEC), financial loss from fraudulent wire transfers, credential theft leading to account takeover (ATO), data breaches, and significant reputational damage. Attackers impersonate trusted senders to trick users into giving up sensitive information. |
| Anti-malware & Safe Attachments | Protect email attachments and files in SharePoint, OneDrive, and Teams from malware (including viruses, spyware, and ransomware). Safe Attachments specifically detonates (scans in a virtual environment) unknown attachments before delivery. | Ransomware attacks leading to data encryption and business downtime, data loss, device compromise via viruses or other malware, and the potential spread of malicious software throughout the organization's network. |
| Safe Links policies | Protect URLs/links in emails, Teams chats, and Office documents. Links are rewritten and scanned in real time at the time of the click to ensure the destination is safe. | Malware infection via malicious websites, credential harvesting from users who click deceptive links, and phishing attacks leading to account compromise. Real-time scanning prevents users from reaching a malicious site even if the initial email filter missed it. |
| Threat policies & alert settings | Protect the entire environment by establishing rules for threat detection (policies) and ensuring security teams are notified immediately (alerts) when a threat or suspicious activity occurs. | Delayed incident response allows threats to spread and cause more damage (e.g., a malware outbreak or a successful data exfiltration), lack of visibility into the attack chain, and failure to meet compliance and regulatory requirements for timely reporting. |
| Attack simulation settings | Test the organization's human element to gauge and improve user susceptibility to social engineering attacks like phishing, credential harvesting, and malware delivery. This is a proactive measure. | If not utilized, employees remain a major vulnerability. The organization won't know which users are most susceptible to real-world attacks, leading to a higher risk of a successful breach when a real phishing campaign is launched. It helps manage the "human firewall." |

Power Automate & Power Apps

Automation and app governance help protect data flow. Losing DLP configurations can allow unapproved data movement.

Configuration areas for backup include:

| Item to Protect | Description | Why It Needs Protection |
|---|---|---|
| Environment-Level Settings | The configuration and security controls applied to an environment, which is a container for apps, flows, and data. This includes defining user roles (Admin, Maker), setting up Dataverse security, and separating development, testing, and production workloads. | Unauthorized access, privilege escalation, and unintended data exposure (e.g., development data in a production environment) can lead to security breaches, accidental data corruption, and loss of governance oversight. |
| Data Loss Prevention (DLP) Policies | Rules that act as guardrails by classifying connectors (services like SharePoint, Twitter, SQL Server) into logical groups (Business, Non-business, Blocked). They prevent data flows between connectors in different groups (e.g., an app/flow cannot move data from a Business SharePoint to a Non-business personal email connector). | Sensitive business data (customer records, financial reports) could be inadvertently or maliciously transferred to unapproved external services (like social media or personal cloud storage), leading to massive data breaches and compliance penalties (e.g., GDPR, HIPAA fines). |
| Connector Governance | The centralized management and control over all pre-built and custom connectors available for use in an environment. This includes classifying them via DLP, controlling which actions within a connector are permitted, and managing connection endpoints. | Uncontrolled access to external services or over-privileged connector usage could be used in a way that exceeds a user's intent, such as allowing a flow to delete data when it only needed to read it, or connecting to an unapproved/malicious third-party service. |
| Custom Connector Configurations | The setup and security for custom connectors, which are essentially wrappers around third-party services that don't have a pre-built connector. This involves securing the connection details (API keys, authentication type), defining what services they connect to, and assigning them to a DLP data group. | Exposing authentication credentials or connecting to unsecure/unapproved internal or external APIs can lead to an attacker gaining direct access to the connected back-end system. If a custom connector is not correctly grouped by a DLP policy, it could become a backdoor for data leakage. |

Ways to back up configurations in an M365 environment

Microsoft does not offer a built-in full-service backup solution for securing tenant configurations. However, a number of third-party tools and unofficial workarounds do exist. Here's an overview of each M365 configuration backup option:

Using PowerShell Scripts to Back Up Settings

What PowerShell Can Back Up

PowerShell is a powerful scripting language that allows administrators to automate and manage various tasks within Microsoft 365. With custom scripts, admins can back up settings and configurations in various services, such as Exchange Online, SharePoint Online, and Teams.

PowerShell can export some configuration items, including:

  • Conditional Access policies (via the Microsoft Graph PowerShell module)
  • Exchange Online transport rules & connectors
  • SharePoint Online org settings
  • Teams policies (limited)
  • Intune configuration profiles (partial)

On the plus side, PowerShell is free and flexible, making it a cost-effective option; it offers a high degree of customization and broad coverage across M365 services. Potential downsides, however, include the need for scripting knowledge and expertise, no centralized management, no versioning, rollback, or built-in restore capability, the need for ongoing maintenance, and the likelihood of scripts breaking as the underlying modules and APIs change. Both creating and maintaining PowerShell scripts require a time investment, and at the end of the day, PowerShell is not a comprehensive solution to configuration backup.
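The export pattern described above, as an added example that is not code from the article or from CoreView: it snapshots two of the items listed as PowerShell-exportable (Conditional Access policies, Exchange Online transport rules and connectors) into a timestamped folder and then diffs the Conditional Access policies against the previous snapshot to surface drift. It assumes the Microsoft Graph PowerShell SDK and ExchangeOnlineManagement modules are installed, that the signed-in account can read both workloads, and a backup folder under the user's home directory; the function names and folder layout are this example's own.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns, ExchangeOnlineManagement
# Added example, not code from the article or from CoreView. Snapshots two of the
# items the article lists as PowerShell-exportable (Conditional Access policies,
# Exchange Online transport rules and connectors) into a timestamped folder,
# then diffs the Conditional Access policies against the previous snapshot.
# Assumed: the Microsoft Graph PowerShell SDK and ExchangeOnlineManagement
# modules are installed, and the signed-in account can read both workloads
# (a read-only role such as Global Reader is enough for the export).
param(
    [string]$BackupRoot = (Join-Path $HOME 'M365ConfigBackup')  # assumed location
)

function Export-TenantConfigSnapshot {
    param([Parameter(Mandatory)][string]$Root)

    $dir = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Conditional Access policies via the Graph SDK. -Depth matters: the default
    # of 2 would silently truncate the nested conditions/grantControls objects.
    Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
    Get-MgIdentityConditionalAccessPolicy -All |
        ConvertTo-Json -Depth 20 |
        Set-Content -Path (Join-Path $dir 'ConditionalAccessPolicies.json') -Encoding utf8

    # Exchange Online: a readable JSON copy of the mail flow rules and connectors,
    # plus the binary rule collection, which is one of the few exports that has a
    # matching restore cmdlet (Import-TransportRuleCollection).
    Connect-ExchangeOnline -ShowBanner:$false
    Get-TransportRule |
        Select-Object Name, Priority, State, Mode, Description |
        ConvertTo-Json -Depth 5 |
        Set-Content -Path (Join-Path $dir 'TransportRules.json') -Encoding utf8
    $collection = Export-TransportRuleCollection
    [System.IO.File]::WriteAllBytes((Join-Path $dir 'TransportRules.xml'), $collection.FileData)
    @{ Inbound = @(Get-InboundConnector); Outbound = @(Get-OutboundConnector) } |
        ConvertTo-Json -Depth 5 |
        Set-Content -Path (Join-Path $dir 'Connectors.json') -Encoding utf8

    Disconnect-MgGraph | Out-Null
    Disconnect-ExchangeOnline -Confirm:$false
    return $dir
}

function Compare-ConditionalAccessSnapshots {
    # Reports policies that were added, removed, or changed between two exports.
    # ModifiedDateTime is set by the service on every edit, so it catches changes
    # to conditions as well as to the enabled/disabled state.
    param(
        [Parameter(Mandatory)][string]$Previous,
        [Parameter(Mandatory)][string]$Current
    )
    $old = @{}; $new = @{}
    foreach ($p in (Get-Content -Path $Previous -Raw | ConvertFrom-Json)) { $old[$p.Id] = $p }
    foreach ($p in (Get-Content -Path $Current  -Raw | ConvertFrom-Json)) { $new[$p.Id] = $p }

    foreach ($id in $new.Keys) {
        if (-not $old.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Added'; Policy = $new[$id].DisplayName; State = $new[$id].State }
        }
        elseif ($old[$id].State -ne $new[$id].State -or
                $old[$id].ModifiedDateTime -ne $new[$id].ModifiedDateTime) {
            [pscustomobject]@{ Change = 'Changed'; Policy = $new[$id].DisplayName
                               State = "$($old[$id].State) -> $($new[$id].State)" }
        }
    }
    foreach ($id in $old.Keys) {
        if (-not $new.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Removed'; Policy = $old[$id].DisplayName; State = $old[$id].State }
        }
    }
}

# Take a snapshot, then compare it with the newest earlier one (if any).
$snapshot = Export-TenantConfigSnapshot -Root $BackupRoot
$previous = Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object FullName -ne $snapshot |
    Sort-Object Name |
    Select-Object -Last 1
if ($previous) {
    Compare-ConditionalAccessSnapshots `
        -Previous (Join-Path $previous.FullName 'ConditionalAccessPolicies.json') `
        -Current  (Join-Path $snapshot 'ConditionalAccessPolicies.json') |
        Format-Table -AutoSize
}
else {
    Write-Host "First snapshot written to $snapshot; nothing to compare yet."
}
```

Everything the script produces is a one-way export: apart from the transport rule collection, nothing here can be pushed back into the tenant, which is the restore gap the section above describes.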

Using Microsoft 365 DSC to Back Up Settings

What Microsoft 365 DSC Can Back Up

Microsoft 365 DSC is an open-source solution for managing and deploying configurations in Microsoft 365. DSC allows administrators to define the desired state of their Microsoft 365 environment and automate the deployment of configurations across multiple tenants.

DSC collects configurations across Exchange, SharePoint, Teams, Power Platform, and Entra ID (limited coverage). Some of the pros of using M365 DSC include ease of use with pre-built resources, drift detection, maintenance by Microsoft and the open source community, better coverage than ad-hoc PowerShell scripts, and integration with Azure Automation for centralized management. Cons include limited support resources, deployment complexity, no automated restoration, no snapshots or version control, slowness to update for new features, and the need for familiarity with DSC and PowerShell.
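The export-and-drift-detection workflow described above, as an added example that is not code from the article or from the Microsoft365DSC project: it exports a few resources with Microsoft365DSC, exports them again later, and compares the two exports. It assumes Microsoft365DSC is installed, that $cred holds an account able to read the tenant, an output folder under the user's home directory, and that the cmdlet parameters shown match the installed version.

```powershell
# Added example, not code from the article or from the Microsoft365DSC project.
# Exports a handful of resources with Microsoft365DSC, exports them again later,
# and compares the two exports to surface drift. Assumed: Microsoft365DSC is
# installed, $cred is an account that can read the tenant, and the parameter
# names below match the installed version (check Get-Help Export-M365DSCConfiguration).
Import-Module Microsoft365DSC
$cred = Get-Credential                              # assumed reader/admin account
$root = Join-Path $HOME 'M365DSC'                   # assumed output location

# Resource names follow the M365DSC scheme: workload prefix + resource type.
$components = @('AADConditionalAccessPolicy', 'EXOTransportRule', 'TeamsMeetingPolicy')

# Baseline export: a DSC configuration script describing the current state.
Export-M365DSCConfiguration -Components $components -Credential $cred `
    -Path (Join-Path $root 'baseline') -FileName 'M365TenantConfig.ps1'

# ... some time later, a second export of the same components ...
Export-M365DSCConfiguration -Components $components -Credential $cred `
    -Path (Join-Path $root 'current') -FileName 'M365TenantConfig.ps1'

# Drift report: resources present in only one export, or whose property values
# differ. This is detection only; pushing the baseline back to the tenant is a
# separate DSC deployment step, which is why the article lists the lack of an
# automated restore as a gap.
Compare-M365DSCConfigurations `
    -Source      (Join-Path $root 'baseline\M365TenantConfig.ps1') `
    -Destination (Join-Path $root 'current\M365TenantConfig.ps1') |
    Format-Table -AutoSize
```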

Using Third-Party Tools for Microsoft 365 Configuration Backup

Several third-party tools have emerged to help organizations piece together a workable Microsoft 365 tenant-configuration backup strategy, largely because Microsoft provides only limited native options. Admins often rely on a mix of scripts, PowerShell export utilities, and niche SaaS tools that back up specific configuration areas, such as Exchange policies, Teams settings, or Intune device profiles.

While these tools can capture snapshots of certain workloads, they typically operate in isolation. This forces IT teams to stitch together multiple exports, maintain custom automation, and manually track configuration drift across different services. In effect, these solutions fill critical gaps in Microsoft’s native capabilities, but they do so in a fragmented, labor-intensive way.

Because each third-party solution covers only a portion of the tenant, organizations looking for full visibility and recoverability often struggle with complexity and inconsistent coverage. This is where CoreView stands out. CoreView provides the most comprehensive Microsoft 365 tenant-configuration management and backup capabilities in a single platform, offering unified visibility, automated configuration capture, and a clear way to restore from backup after a disaster.

Rather than assembling a patchwork of tools, organizations can rely on CoreView as an end-to-end solution for safeguarding and managing their Microsoft 365 configuration posture, including missing pieces from the other backup options, such as:

  • Automated configuration backup
  • Version control
  • Snapshots
  • Rollback
  • Change monitoring
  • Alerts
  • Cross-tenant replication

How to choose the right tool for backing up your M365 settings

Microsoft 365 is increasingly complex, and small configuration changes can lead to major outages. All of the backup exercises outlined should guard against accidental policy changes, misconfigurations, malicious admin changes, failed rollouts, complex identity changes, and data exposure due to policy or config misalignment.

In addition, tenant configurations are now part of your core digital infrastructure and operational practice, and they must be protected like any other critical asset. By backing up your tenant configuration, you are able to:

  • Deliver a consistent experience, even in the event of a disruption
  • Meet compliance and auditing requirements and have a reliable audit trail
  • Manage change with full visibility
  • Get up and running again quickly with a full disaster recovery backup
  • Migrate easily because you can recreate your environment accurately and efficiently

When evaluating Microsoft 365 tenant configuration backup solutions, there are a number of key considerations, and in each of these areas, CoreView is able to provide backup:

  1. Coverage breadth (Does it support all Microsoft services?)
  2. Tenant-level coverage (Does it back up settings Microsoft cannot?)
  3. Automation (Backups should run continuously)
  4. Version control (Snapshot, compare, audit)
  5. Rollback capability
  6. Change monitoring
  7. Ease of use
  8. Security & compliance controls

Automate your M365 configuration backup and recovery with CoreView

CoreView Configuration Manager is one of the most complete M365 configuration and settings backup solutions available. Unlike native Microsoft tools, CoreView protects tenant-level configurations, admin center settings, and multi-service governance policies across the entire Microsoft 365 ecosystem.

CoreView enables complete coverage across Microsoft 365 services, backs up tenant-level settings that Microsoft cannot restore, automates configuration capture, delivers drift detection, snapshots and version control, enables full rollback capability, lets you perform cross-tenant replication, and can automate monitoring and reporting. Built for enterprise-scale Microsoft 365 deployments, CoreView gives you what you need to back up your tenant configurations and secure your configuration and security posture.

Configuration backup can’t wait. Download the white paper today.
