Microsoft 365 powers communication, collaboration, and security for millions of businesses, but there’s a critical blind spot most organizations miss. While data backups are common, Microsoft 365 tenant configurations are not natively protected. Losing these settings can lead to downtime, compliance failures, and costly breaches.
Microsoft 365 is the backbone of modern business operations, but most organizations are blind to a hidden security gap: M365 tenant configurations are not backed up by Microsoft. While 96% of companies protect their data, few safeguard the settings, policies, and controls that secure it. Losing these configurations can trigger downtime, compliance failures, and devastating breaches. This post explores why configuration backup is the biggest Microsoft 365 risk you don’t know about, and how to close the gap before it’s too late.
Microsoft 365 has become the operational backbone for modern organizations. It powers communication, collaboration, and identity. But at the core of this vital artery is a dangerous misconception that threatens the foundation of your security and cyber resilience posture: the common but incorrect assumption that Microsoft's built-in redundancy provides a backup of tenant configurations.
This is a blind spot lurking in nearly every Microsoft 365 tenant today: there are no native backups of tenant configurations.
Upwards of 96% of companies have invested in robust backup solutions for data, including emails, files, and documents, according to the recent 2025 CoreView State of Microsoft 365 Security report, but they have completely overlooked the settings, policies, and configurations that secure and govern that data. This leaves enterprises exposed to a significant cyber resilience gap.
And in the event of a disaster, a malicious attack, or even run-of-the-mill configuration drift, you face a situation where tenant configurations are lost or untrustworthy. And this can mean operational paralysis, regulatory consequences, or even business collapse.
This post dives into why the lack of tenant configuration backup is the single biggest Microsoft 365 security risk you don’t know about and how to close this critical gap before it’s too late.
The Microsoft Shared Responsibility Model can give M365 users a false sense of security. Users believe that because Microsoft is responsible for the uptime and availability of the M365 service, this extends to backing up everything within this service. In fact, the shared responsibility model dictates that users are responsible for the protection, recoverability – and therefore backup – of data within the tenant.
Microsoft has native safeguards in place against things like accidental deletion or hardware failures but nothing to guard against cyber threats like ransomware or insider threats, which makes both data and the tenants they live in vulnerable by default.
This separation of concerns amounts to insuring every item in your home but neglecting to insure the house itself. If the house is destroyed, you can replace everything you own, but won’t have anywhere to put it. And that’s how data and tenant configurations work. Most businesses diligently back up their data but neglect their thousands of configurations, which include, for example, the following:
Exchange, SharePoint, Teams: Mail flow rules, external sharing, guest access controls, and more.
The misconception that Microsoft natively protects tenant configurations is widespread. At least half of organizations mistakenly believe that Microsoft will restore tenant settings after an incident, according to the CoreView 2025 State of Microsoft 365 Security Report.
This comes down to the failure to understand that data and configurations are two different things, and that configurations are required to give your data meaning and context.
A valid cyber resilience plan must protect this context – the structure and settings of the Microsoft 365 tenant, not just the files themselves. Losing this context can make the recovered data unusable, or at least unusable without a considerable effort to reconstruct over many weeks the configurations your organization painstakingly built over the course of many years.
CoreView’s Chief Revenue Officer, Mark Cravotta, used a simple analogy to explain this challenge: “Think of your personal home computer and all the information you have stored. If you lost that information or the setup of the computer, it would be very difficult to replicate a backup manually. There is always going to be missing information or configurations that you’ve spent years building.”
While Microsoft has some tools that can help close the gap, most critical configuration components are not easily or fully restorable using native tools, which essentially makes them blind spots and potential targets.
Without these configurations in place, you stand to face significant operational disruption and expensive downtime on one hand, and on the other, you are wide open for data breaches. Your configurations are one of the key safeguards standing between threat actors and access to your systems and data. Without your configurations, your Zero Trust architecture collapses, and your ability to demonstrate compliance also disappears.
While it remains common, underestimating the essential nature of configurations puts the blueprint of your digital enterprise at risk, compromising:
When tenant configurations are lost, the business consequences can be devastating:
For regulated industries like finance, healthcare, and government, these consequences can escalate into existential crises. One financial firm reportedly failed an audit because they had “no meaningful way to restore configurations after a disaster.”
CoreView’s CRO added, “It's very important that a company can demonstrate that it has a plan for business continuity. That it has tested the business continuity plan at least annually and is in compliance. This includes backing up critical data, as well as Microsoft tenant configurations, which are essential components of the critical infrastructure requirements. Many companies are unaware that their Microsoft tenant isn’t automatically backed up by Microsoft or their data backup provider. It is a matter of time before compliance auditors require proof of a tenant backup from all organizations to satisfy key business continuity requirements.”
Closing the tenant configuration backup gap requires a dedicated, third-party solution that treats configuration backup as a core pillar of cyber resilience. It should provide:
Prioritizing tenant configuration backup also demands a kind of culture change, shifting how enterprises think about configurations, blind trust in Microsoft 365 backups, and cyber resilience strategy.
Tenant configuration backup isn’t just a technical checkbox — it’s a strategic imperative. To embed it into your cyber resilience framework:
Organizations with formal disaster recovery plans are 61% less likely to experience major operational disruptions from misconfigurations. The evidence is clear: resilience comes from planning and practice, not assumptions.
Global enterprises spend millions protecting and backing up their data but often fail to recognize the existential threat posed by losing the house that data lives in: the Microsoft 365 tenant.
The misconception that Microsoft has you covered is the biggest invisible threat to your cyber resilience. Without tenant configuration backup, your organization is one misstep, one malicious actor, or one invisible drift away from catastrophic failure.
Your business lives inside Microsoft 365 tenants. Make sure you can protect, monitor, and restore them.