Published:
Jul 25, 2025
|
Modified:
Jul 28, 2025
|
7
min read

Why Microsoft 365 Backups Aren’t Enough: Protect Your Tenant Configurations and Data

Ivan Fioravanti
Ivan Fioravanti, Co-founder and CTO for CoreView, uses his system engineer and .NET development skills to lead CoreView’s technology team. He’s passionate about AI, automation and all things Microsoft 365.

$6.7 million. That’s how much a single enterprise organization of 5,000 employees spends on Microsoft 365 over three years. With that kind of investment, relying on incomplete backups can have massive consequences.

This article covers:

Executive summary:

Enterprises often believe Microsoft’s native tools provide complete data and configuration backup for Microsoft 365—but real-world experience and our new research show otherwise. Microsoft 365’s backup and restore options have critical gaps: configuration settings, roles, and policies are frequently uncovered, and long, uncertain support timelines exacerbate the risk. Without proactive, third-party configuration backups, business continuity, compliance, and security are all at stake.

For IT admins, CIOs, CISOs, compliance leaders, and anyone responsible for Microsoft 365 security and continuity—this article provides the facts and strategies you need to close critical backup gaps and ensure you can recover from any scenario.

Microsoft 365 backups: what’s really protected?

Every organization trusts that their Microsoft 365 setup—from user files and emails to security settings, Teams channels, and policy configurations—is backed up and readily restorable. But does Microsoft truly offer full, hassle-free protection for both your data and your configurations? 

Imagine these common situations: 

  • Tenant settings altered or deleted — and unbacked by Microsoft. If an attacker (or even a misconfigured automation) changes key tenant settings, what if you can’t restore them? In many cases, Microsoft doesn’t back up these critical configurations. 
  • Catastrophic data loss — and limited restoration options. What if your tenant is deleted or corrupted? You’re forced to rely on Microsoft’s internal mechanisms, which may be affected by similar bugs, delays, or undefined policies. Recovery timelines are uncertain: one day, one week, even a month or longer. 

Real-world Microsoft 365 recovery failure: a Teams channel example

Recently, CoreView’s product team had a hands-on lesson in the realities of Microsoft 365 backup—especially for critical configuration and collaboration objects like Microsoft Teams channels. 

A colleague accidentally deleted an important Microsoft Teams channel. Normally, this wouldn’t – or at least shouldn’t – be a big deal. Microsoft says these items are backed up and restorable directly from the Teams interface. 

Except, this time, restoration didn’t work. We tried multiple restoration methods—through the native Teams client, the Teams Admin Center, and even PowerShell and Graph API commands. Nothing worked: each approach encountered backend errors or returned non-actionable messages, even for global admins. No workaround or manual fix was possible.  

So, we immediately escalated a critical support ticket with Microsoft Unified Support. 

Despite having the highest available administrative permissions and logging a critical ticket, our access to backup or recovery tools was ultimately gated by Microsoft’s internal processes and support resources. 

And then — nothing. As of now, there’s no viable path to restoring that channel. The official backup is inaccessible. In the meantime, the team had to scramble to create a new, temporary Teams channel just to keep business moving, but all conversation history, files, and project context in the original channel remain unavailable.

 This incident exposes an uncomfortable truth: If Microsoft is the only controller — the only party with real access to backups and recovery tools — you’re vulnerable not just to user errors, but to software bugs, policy gaps, and even support bottlenecks. 

Data backup vs. configuration backup in Microsoft 365 

Microsoft has known limitations that are nevertheless not always well understood by organizations that rely on Microsoft 365 for end-to-end coverage. This is particularly true with tenant configuration backups. Let’s start with the differences between data backup and configuration backup:

  • Data consists of all the documents, emails, chat histories, video recordings, calendar events, and other user-specific data tied to your tenant account. Backing it up is essential to protecting your organization against data loss from external security threats like ransomware attacks and internal errors like accidental deletion.
  • Configuration consists of the user accounts, user roles, system settings, security policies, and other metadata that make up your organization’s tenant. These are the things that keep your account running under the hood, making them equally important to back up.
Half of organizations assume Microsoft backs up their tenant configurations. They don’t.

Surprising gaps: what most organizations overlook in M365 backups

Here’s what organizations often miss when it comes to Microsoft 365 backup: 

  • Many critical configurations are NOT backed up natively, including those for Exchange Online, Microsoft Teams settings, and SharePoint Online configurations. 
  • Complexity of security and permissions. Backups often require elevated permissions, and misconfigured roles can prevent access to crucial config data. Modern authentication methods (OAuth, MFA) can break automated or third-party backup tools if not properly integrated. 
  • Third-party tool gaps. Many solutions also focus only on data backups and not configurations. Any comprehensive solution for backup and restore should include backing up conditional access policies, security and compliance-center settings, data loss prevention policies, and Teams policies, and so on. 
  • Restoration isn’t straightforward. Even if configuration data is backed up, restoration is not always straightforward. Manual re-creation via PowerShell may be required. Some settings, such as Teams app permissions, cannot be restored automatically. Complex interdependencies between, for example, Teams and SharePoint, can cause failures or new misconfigurations. 
  • Gaps in change management tracking. Lack of version control or change history for configurations makes it hard to track what has changed and when.  

Retention vs. real backups: why the difference matters

Retention policies are not the same as configuration backups. While retention keeps some deleted data for a time, it doesn’t allow for a full backup. Default retention policies only protect data for 30–90 days, some items autodelete after 14 days, and backups run every 12 hours with no selfservice filelevel restore. (Read Microsoft’s retention documentation.)

Ultimately, retention is designed to ensure deleted data can be recovered for a short time, but does not restore lost configurations, permissions, or policy settings after accidental or malicious changes.

Retention ≠ Backup: Retention policies only delay deletion—they don’t provide full tenant restore capabilities.

Why backing up Microsoft 365 configurations (not just your data!) is essential 

While M365 provides incredible productivity and security, backup and restore are a shared responsibility between Microsoft and you (and whatever solution you choose to help you back up your tenant data).  

Here are a few reasons why you should back up your configurations:

  • Malware Protection: You should always back up your Microsoft 365 setup to ensure that any malicious attacks, such as malware and ransomware, don’t corrupt or destroy system data.  
  • Data Recovery: Backing up Microsoft 365 data and configurations will ensure that IT engineers can easily recover any lost data due to system malfunctions or other unforeseen issues.  
  • System Updates: Backups will enable you to easily restore the system to an earlier state if a system update fails or causes unexpected issues. This will help avoid having to manually troubleshoot each issue.  
  • Easier Migration: IT engineers may need to migrate their system's data to a different environment or platform. Backing up your data and configurations will make the process much easier and faster.  
  • Regulatory Compliance: Backups are crucial for data-heavy enterprises that need to comply with regulations such as GDPR and HIPAA. This ensures that their data is secure and that there’s an audit trail to ensure proper accountability.

What’s at stake without complete Microsoft 365 backups?

An inability to easily restore configurations leads to potential gaps in reliability, performance, and security.  But there are even further-reaching consequences for your business in the event of configuration data loss, including:  

  • Downtime: Halting business operations for hours — or worse, days — waiting for data or configuration restoration 
  • Compliance risks: Inability to demonstrate recoverability of sensitive data or business records 
  • Regulatory fines: For regulated industries, inadequate protection of data can expose your business to penalties 
For a step-by-step look at how attackers target M365 tenants (and how configuration gaps get exploited) see our Anatomy of a Microsoft 365 Attack guide.

Data and configuration backup by the numbers

Still, configuration backup is often misunderstood or overlooked.  

And this is a widespread issue. The 2025 CoreView State of Microsoft 365 Security report underscores just how common and risky these misunderstandings are:

  • 96% of organizations say their data is backed up,
  • but nearly half incorrectly assume Microsoft also backs up tenant configurations,
  • and only 18% actually take additional steps, such as manually backing up configurations or keeping detailed documentation to allow restoration.

And that’s not all: the report found that as many as 65% of organizations manage M365 configurations without following best practices. This leaves them exposed to avoidable risk and operational disruptions. Download the full 2025 CoreView State of Microsoft 365 Security report to benchmark your backup practices against industry standards.

Quick Guide: how to back up your Microsoft 365 configurations  

Our research also found something encouraging: organizations with formal disaster recovery plans are 58% less likely to experience significant operational disruptions from misconfigurations. And with formal change control processes in place, they experienced 72% fewer security incidents tied to misconfigurations. 

Simply having a plan makes a measurable difference. Here are some tips to get you started.

Assess your current backup and recovery plan for Microsoft 365 

With more than 10,000 unique policy elements across M365’s configuration types, the day-to-day operation of an M365 tenant relies on potentially hundreds of thousands of unique configurations. Given this complexity, organizations need to understand their current backup status, including policies, permission settings, and user roles.   

Identify gaps in current backup and disaster recovery plans 

Disaster recovery can be compared to different stages of broken glass. Chipped glass can be likened to minor misconfigurations that can take hours to debug. Cracked glass can be compared to outages that slow productivity but can be recovered. And shattered glass represents a total loss of all configurations, resulting in downtime and real business consequences.  

Look at your current plans through the glass lens to recognize gaps and the level of effort you need to make to achieve adequate backups for real recovery in the event of a disaster.  

Develop your recovery plan and select your config backup and recovery solution 

With a clear mapping of your current situation and gaps identified, you can start to evaluate what tools or solutions you need to back up and restore critical tenant configurations. The next section covers the criteria to use when selecting a config backup solution.

To benchmark your resilience strategy and improve your backup/disaster recovery plans, use our Cyber Resilience Maturity Model for M365 as a practical framework.

Choosing the right tools for Microsoft 365 backup

After seeing how native Microsoft 365 options—and even many third-party tools—leave critical configuration data unprotected, it’s clear not all backup solutions are created equal. Organizations face complex backup requirements and real business risks if configurations, roles, and policies can’t be quickly restored. For true cyber resiliency and compliance, your backup strategy should include the right tools designed specifically for both data and configuration protection.

What to look for in a M365 backup tool

When evaluating a Microsoft 365 configuration backup tool, include these capabilities in your search criteria: 

  • Full configuration backup: Ensure that your solution securely archives all rules, policies, and permissions within the tenant. 
  • Fast and full restoration capabilities: An ideal solution will offer automated recovery to return your organization to full operation without any delay, easily deploying configurations across dev, test, and prod tenants. 
  • Error prevention: Avoid compliance risks by deploying a backup solution that will restore original configurations accurately. 
  • Ability to template your ideal configurations: Ensure that you are able to create configuration templates based on best practices and your policies, then save all your current and historic variations as code. 
  • Detect configuration drift: Once you have an ideal baseline, you will want to be able to monitor any drift away from the ideal state and receive alerts and easily be able to roll back changes as needed.
Don’t wait for a disaster to highlight the limits of your backup—proactively choosing the right tool is the fastest route to operational resilience.  

Microsoft 365 DSC: Microsoft’s native configuration backup tool

When it comes to backing up your Office 365 configuration files — such as user data, system settings, and security policies — the options available are few and far between. The only “native” solution for backing up configuration files is to use Microsoft 365 DSC, an open-source module for PowerShell.

Microsoft 365 DSC can be used to create a snapshot of your current tenant configuration across services like Exchange Online, SharePoint, Teams, and more. This snapshot is then exported to a file that can be used to restore your tenant configuration to that state at any point in future.

However, Microsoft 365 DSC is very code-heavy and often not intuitive enough for large-scale enterprise organizations. At CoreView, we have developed the first premium end-to-end configuration management and backup solution for Microsoft 365, which uses a no-code web interface to easily backup, monitor, and restore tenant configurations. 

Veeam Backup: secure data backup for Microsoft 365, Salesforce, and Kubernetes

Veeam is a backup tool and recovery solution that specializes in securing files across Office 365 services like Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams. It also works with other systems and platforms like Salesforce, and Kubernetes.

Veeam differentiates itself by offering a high degree of control over how and where your data is stored. You can backup your data to any on-premises or cloud-based storage location, including Amazon S3, Azure Blob, IBM Cloud, or S3-compatible on-premise storage options.

While it doesn’t offer configuration backup, Veeam is a robust solution for many businesses looking to secure their data using a cloud-to-cloud storage platform.

Organizations like Veeam back up your Microsoft 365 data. But what happens if your tenant goes down? You’ll have a copy of your data, but nowhere to actually put that data.

Acronis Cyber: easy data backup for Microsoft 365 enterprise users

With its headquarters in Switzerland, Acronis is an industry leader in data backup and disaster recovery solutions for enterprises. Through its Cyber Protect Cloud product line, Acronis offers endpoint protection, email security, and data loss prevention for Microsoft 365.

Acronis Cloud Backup is one of the fastest disaster recovery solutions available thanks to its runVM technology, enabling businesses to get back up and running within near instantaneously.

Apart from Microsoft 365 and OneDrive, Acronis also works with other cloud solutions like Google Workspace and VMWare, making it a good choice for enterprises using multiple cloud workspace platforms.

CoreView: no-code, end-to-end backup

Don’t let a simple bug or delayed support ticket become an existential threat. At CoreView, we’ve seen too many organizations suffer costly disruption from missing configuration backups. That’s why we built CoreView Configuration Manager—the no-code solution that gives you full visibility, versioning, and rapid restoration of all your Microsoft 365 settings.

You don’t have to risk compliance fines, weeks of downtime, or lost trust. Take control of your Microsoft 365 configurations. Get a demo, and we’ll show you how easy true configuration protection can be.  

Frequently asked questions: Microsoft 365 backups

Does Microsoft 365 back up tenant configurations and settings?
No, native backup typically only covers user data, not all configuration or policy settings. Manual exports or third-party tools are needed.

What’s the difference between retention and backup in Microsoft 365?
Retention temporarily keeps deleted data; it’s not a full backup/restore solution for configurations or tenants.

What best practices help ensure full M365 tenant recovery?
Regularly back up configurations, review recovery processes, and use automation to monitor changes and protect all policy/settings.

Get a personalized demo today

Created by M365 experts, for M365 experts.