Published: Oct 3, 2025 | 6 min read

Microsoft 365 Doesn’t Back Up Tenant Configurations: A Critical Blind Spot

Rob Edmondson
From email security to privileged access management to DevOps, Rob’s experience has led to his deep passion for solving the biggest challenges for IT and security teams across higher education, Fortune 1,000 companies, and more.

Microsoft 365 powers communication, collaboration, and security for millions of businesses, but there’s a critical blind spot most organizations miss. While data backups are common, Microsoft 365 tenant configurations are not natively protected. Losing these settings can lead to downtime, compliance failures, and costly breaches.

Executive summary

Microsoft 365 is the backbone of modern business operations, but most organizations are blind to a hidden security gap: M365 tenant configurations are not backed up by Microsoft. While 96% of companies protect their data, few safeguard the settings, policies, and controls that secure it. Losing these configurations can trigger downtime, compliance failures, and devastating breaches. This post explores why configuration backup is the biggest Microsoft 365 risk you don’t know about, and how to close the gap before it’s too late.

Microsoft 365 has become the operational backbone for modern organizations. It powers communication, collaboration, and identity. But at the core of this vital artery is a dangerous misconception that threatens the foundation of your security and cyber resilience posture: the common but incorrect assumption that Microsoft's built-in redundancy provides a backup of tenant configurations. 

This is a blind spot lurking in nearly every Microsoft 365 tenant today: there are no native backups of tenant configurations.

Upwards of 96% of companies have invested in robust backup solutions for data, including emails, files, and documents, according to the recent 2025 CoreView State of Microsoft 365 Security report, but they have completely overlooked the settings, policies, and configurations that secure and govern that data. This leaves enterprises exposed to a significant cyber resilience gap. 

In the event of a disaster, a malicious attack, or even run-of-the-mill configuration drift, you can be left with tenant configurations that are lost or untrustworthy. That can mean operational paralysis, regulatory consequences, or even business collapse.

This post dives into why the lack of tenant configuration backup is the single biggest Microsoft 365 security risk you don’t know about and how to close this critical gap before it’s too late.

The Truth About Microsoft 365 Backups: Configurations Aren’t Protected

The Microsoft Shared Responsibility Model can give M365 users a false sense of security. Users believe that because Microsoft is responsible for the uptime and availability of the M365 service, this responsibility extends to backing up everything within the service. In fact, the shared responsibility model dictates that users are responsible for the protection, recoverability, and therefore backup, of data within the tenant.

Microsoft has native safeguards in place against things like accidental deletion or hardware failures but nothing to guard against cyber threats like ransomware or insider threats, which makes both data and the tenants they live in vulnerable by default. 

This separation of concerns amounts to insuring every item in your home but neglecting to insure the house itself. If the house is destroyed, you can replace everything you own but won’t have anywhere to put it. That is how data and tenant configurations work. Most businesses diligently back up their data but neglect their thousands of configurations, which include, for example, the following:

  • Entra ID (formerly Azure AD): User accounts, groups, roles, application permissions.
  • Intune: Device management and compliance policies.
  • Defender: Security monitoring and response rules.
  • Purview: Data governance and retention settings.
  • Exchange, SharePoint, Teams: Mail flow rules, external sharing, guest access controls, and more.

Why Data Backup Alone Isn’t Enough

The misconception that Microsoft natively protects tenant configurations is widespread. At least half of organizations mistakenly believe that Microsoft will restore tenant settings after an incident, according to the CoreView 2025 State of Microsoft 365 Security Report. 

This comes down to a failure to understand that data and configurations are two different things, and that configurations are required to give your data meaning and context.

A valid cyber resilience plan must protect this context: the structure and settings of the Microsoft 365 tenant, not just the files themselves. Losing this context can make the recovered data unusable, or usable only after weeks of effort spent reconstructing configurations your organization painstakingly built over many years.

CoreView’s Chief Revenue Officer, Mark Cravotta, used a simple analogy to explain this challenge: “Think of your personal home computer and all the information you have stored. If you lost that information or the setup of the computer, it would be very difficult to replicate a backup manually. There is always going to be missing information or configurations that you’ve spent years building.”

No Easy Way to Restore Critical Tenant Configurations

While Microsoft has some tools that can help close the gap, most critical configuration components are not easily or fully restorable using native tools, which essentially makes them blind spots and potential targets. 

Without these configurations in place, you face significant operational disruption and expensive downtime on one hand, and on the other, you are wide open to data breaches. Your configurations are one of the key safeguards standing between threat actors and access to your systems and data. Without your configurations, your Zero Trust architecture collapses, and your ability to demonstrate compliance also disappears.

While it remains common, underestimating the essential nature of configurations puts the blueprint of your digital enterprise at risk, compromising:

  • Security posture: Conditional Access, MFA, and privilege assignments.
  • Compliance: DLP and retention rules that protect sensitive data and meet regulatory obligations.
  • Identity control: Who can access what, from where, and with what privileges.
  • Collaboration flow: External sharing, guest access, and app integrations.

The Business Fallout of Losing Tenant Configurations

When tenant configurations are lost, the business consequences can be devastating:

  • Business Downtime: Entire organizations locked out of email, Teams, and apps. Manual tenant rebuilds can take weeks.
  • Security Exposure: Without MFA, DLP, or auditing rules, attackers can exploit the environment instantly.
  • Regulatory Fines: Auditors demand proof of policies and controls. Without backups, compliance certifications fail, triggering penalties.
  • Loss of Zero Trust: Identity and access controls vanish, opening the door to privilege escalation and lateral movement.

For regulated industries like finance, healthcare, and government, these consequences can escalate into existential crises. One financial firm reportedly failed an audit because they had “no meaningful way to restore configurations after a disaster.”

CoreView’s CRO added, “It's very important that a company can demonstrate that it has a plan for business continuity. That it has tested the business continuity plan at least annually and is in compliance. This includes backing up critical data, as well as Microsoft tenant configurations, which are essential components of the critical infrastructure requirements. Many companies are unaware that their Microsoft tenant isn’t automatically backed up by Microsoft or their data backup provider. It is a matter of time before compliance auditors require proof of a tenant backup from all organizations to satisfy key business continuity requirements.”

What a Strong Configuration Backup Solution Must Include

Closing the tenant configuration backup gap requires a dedicated, third-party solution that treats configuration backup as a core pillar of cyber resilience. It should provide:

  1. Complete Tenant-Wide Backup
    Cover all rules, policies, and settings across Entra, Exchange, Teams, SharePoint, Intune, and more.
  2. Automated Snapshots
    Continuous, automated backups with granular and full restore capabilities.
  3. Change Detection & Alerting
    Real-time monitoring for configuration drift or tampering, with alerts to administrators.
  4. Full Restore Capability
    Automated restoration to a known-good state, from a single policy to an entire tenant.
  5. Compliance & Audit Readiness
    Immutable, restorable proof of configurations to satisfy auditors and regulators.
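
The snapshot, change-detection and audit-proof requirements (items 2, 3 and 5) can be illustrated with a small drift check. This is an added example, not CoreView's or Microsoft's code: the two snapshots are constructed samples whose field names follow the Microsoft Graph conditionalAccessPolicy resource, and `digest`, `flatten` and `detect_drift` are hypothetical helper names.

```python
import hashlib
import json

# Constructed sample snapshots shaped like Microsoft Graph conditionalAccessPolicy
# objects (id, displayName, state, grantControls); not real tenant data.
BASELINE = [
    {"id": "ca-001", "displayName": "Require MFA for admins", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "ca-002", "displayName": "Block legacy authentication", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
CURRENT = [
    {"id": "ca-001", "displayName": "Require MFA for admins", "state": "disabled",
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "ca-004", "displayName": "Temp exclusion", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": []}},
]

def digest(snapshot):
    """SHA-256 over canonical JSON; store it beside the snapshot as tamper evidence."""
    canonical = json.dumps(sorted(snapshot, key=lambda p: p["id"]),
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def flatten(obj, prefix=""):
    """Turn nested dicts into {'a.b': value} so changes are reported per setting."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out

def detect_drift(baseline, current):
    """Return (kind, policy id, setting, old, new) for each difference from baseline."""
    old = {p["id"]: flatten(p) for p in baseline}
    new = {p["id"]: flatten(p) for p in current}
    findings = [("removed", pid, None, None, None) for pid in sorted(old.keys() - new.keys())]
    findings += [("added", pid, None, None, None) for pid in sorted(new.keys() - old.keys())]
    for pid in sorted(old.keys() & new.keys()):
        for path in sorted(old[pid].keys() | new[pid].keys()):
            if old[pid].get(path) != new[pid].get(path):
                findings.append(("changed", pid, path, old[pid].get(path), new[pid].get(path)))
    return findings

if __name__ == "__main__":
    print(*detect_drift(BASELINE, CURRENT), sep="\n")
```

Each finding is a candidate alert; here the disabled MFA policy, the deleted legacy-authentication block and the new policy with no grant controls would all warrant review against the change log.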

Prioritizing tenant configuration backup also demands a kind of culture change, shifting how enterprises think about configurations, blind trust in Microsoft 365 backups, and cyber resilience strategy. 

Tenant configuration backup isn’t just a technical checkbox — it’s a strategic imperative. To embed it into your cyber resilience framework:

  • Acknowledge responsibility: Accept that Microsoft won’t cover this gap and foster a new way of thinking in your organization, taking responsibility for configuration backups and acknowledging just how important configurations are.
  • Adopt third-party tools: Third-party tools like CoreView are designed from the ground up to address precisely the challenges Microsoft does not, including tenant configuration backup and management. Trying to go it alone is a fool’s errand, as manual documentation is insufficient, error-prone and not scalable.
  • Integrate into disaster recovery and incident recovery plans: Regularly test restoration procedures like “fire drills.”
  • Monitor for drift: Don’t just back up your config data; actively detect and alert on unauthorized changes due to configuration drift.

Organizations with formal disaster recovery plans are 61% less likely to experience major operational disruptions from misconfigurations. The evidence is clear: resilience comes from planning and practice, not assumptions.

Configuration as Blueprint: Protecting the House Your Data Lives In

Global enterprises spend millions protecting and backing up their data but often fail to recognize the existential threat posed by losing the house that data lives in: the Microsoft 365 tenant.

The misconception that Microsoft has you covered is the biggest invisible threat to your cyber resilience. Without tenant configuration backup, your organization is one misstep, one malicious actor, or one invisible drift away from catastrophic failure.

Your business lives inside Microsoft 365 tenants. Make sure you can protect, monitor, and restore them.
