$6.7 million. That’s how much a single enterprise organization of 5,000 employees spends on Microsoft 365 over three years. With that kind of investment, relying on incomplete backups can have massive consequences.
This article covers:
Enterprises often believe Microsoft’s native tools provide complete data and configuration backup for Microsoft 365—but real-world experience and our new research show otherwise. Microsoft 365’s backup and restore options have critical gaps: configuration settings, roles, and policies are frequently uncovered, and long, uncertain support timelines exacerbate the risk. Without proactive, third-party configuration backups, business continuity, compliance, and security are all at stake.
For IT admins, CIOs, CISOs, compliance leaders, and anyone responsible for Microsoft 365 security and continuity—this article provides the facts and strategies you need to close critical backup gaps and ensure you can recover from any scenario.
Every organization trusts that their Microsoft 365 setup—from user files and emails to security settings, Teams channels, and policy configurations—is backed up and readily restorable. But does Microsoft truly offer full, hassle-free protection for both your data and your configurations?
Imagine these common situations:
Recently, CoreView’s product team had a hands-on lesson in the realities of Microsoft 365 backup—especially for critical configuration and collaboration objects like Microsoft Teams channels.
A colleague accidentally deleted an important Microsoft Teams channel. Normally, this wouldn’t – or at least shouldn’t – be a big deal. Microsoft says these items are backed up and restorable directly from the Teams interface.
Except, this time, restoration didn’t work. We tried multiple restoration methods—through the native Teams client, the Teams Admin Center, and even PowerShell and Graph API commands. Nothing worked: each approach encountered backend errors or returned non-actionable messages, even for global admins. No workaround or manual fix was possible.
So, we immediately escalated a critical support ticket with Microsoft Unified Support.
Despite having the highest available administrative permissions and logging a critical ticket, our access to backup or recovery tools was ultimately gated by Microsoft’s internal processes and support resources.
And then — nothing. As of now, there’s no viable path to restoring that channel. The official backup is inaccessible. In the meantime, the team had to scramble to create a new, temporary Teams channel just to keep business moving, but all conversation history, files, and project context in the original channel remain unavailable.
This incident exposes an uncomfortable truth: If Microsoft is the only controller — the only party with real access to backups and recovery tools — you’re vulnerable not just to user errors, but to software bugs, policy gaps, and even support bottlenecks.
Microsoft has known limitations that are nevertheless not always well understood by organizations that rely on Microsoft 365 for end-to-end coverage. This is particularly true with tenant configuration backups. Let’s start with the differences between data backup and configuration backup:
Half of organizations assume Microsoft backs up their tenant configurations. It doesn’t.
Here’s what organizations often miss when it comes to Microsoft 365 backup:
Retention policies are not the same as configuration backups. While retention keeps some deleted data for a time, it doesn’t allow for a full backup. Default retention policies only protect data for 30–90 days, some items auto-delete after 14 days, and backups run every 12 hours with no self-service file-level restore. (Read Microsoft’s retention documentation.)
Ultimately, retention is designed to ensure deleted data can be recovered for a short time, but does not restore lost configurations, permissions, or policy settings after accidental or malicious changes.
While M365 provides incredible productivity and security, backup and restore are a shared responsibility between Microsoft and you (and whatever solution you choose to help you back up your tenant data).
Here are a few reasons why you should back up your configurations:
An inability to easily restore configurations leads to potential gaps in reliability, performance, and security. But there are even further-reaching consequences for your business in the event of configuration data loss, including:
For a step-by-step look at how attackers target M365 tenants (and how configuration gaps get exploited) see our Anatomy of a Microsoft 365 Attack guide.
Still, configuration backup is often misunderstood or overlooked.
And this is a widespread issue. The 2025 CoreView State of Microsoft 365 Security report underscores just how common and risky these misunderstandings are:
And that’s not all: the report found that as many as 65% of organizations manage M365 configurations without following best practices. This leaves them exposed to avoidable risk and operational disruptions. Download the full 2025 CoreView State of Microsoft 365 Security report to benchmark your backup practices against industry standards.
Our research also found something encouraging: organizations with formal disaster recovery plans are 58% less likely to experience significant operational disruptions from misconfigurations. And with formal change control processes in place, they experienced 72% fewer security incidents tied to misconfigurations.
Simply having a plan makes a measurable difference. Here are some tips to get you started.
With more than 10,000 unique policy elements across M365’s configuration types, the day-to-day operation of an M365 tenant relies on potentially hundreds of thousands of unique configurations. Given this complexity, organizations need to understand their current backup status, including policies, permission settings, and user roles.
Disaster recovery can be compared to different stages of broken glass. Chipped glass can be likened to minor misconfigurations that can take hours to debug. Cracked glass can be compared to outages that slow productivity but can be recovered. And shattered glass represents a total loss of all configurations, resulting in downtime and real business consequences.
Look at your current plans through the glass lens to recognize gaps and the level of effort you need to make to achieve adequate backups for real recovery in the event of a disaster.
With a clear mapping of your current situation and gaps identified, you can start to evaluate what tools or solutions you need to back up and restore critical tenant configurations. The next section covers the criteria to use when selecting a config backup solution.
To benchmark your resilience strategy and improve your backup/disaster recovery plans, use our Cyber Resilience Maturity Model for M365 as a practical framework.
After seeing how native Microsoft 365 options—and even many third-party tools—leave critical configuration data unprotected, it’s clear not all backup solutions are created equal. Organizations face complex backup requirements and real business risks if configurations, roles, and policies can’t be quickly restored. For true cyber resiliency and compliance, your backup strategy should include the right tools designed specifically for both data and configuration protection.
When evaluating a Microsoft 365 configuration backup tool, include these capabilities in your search criteria:
Don’t wait for a disaster to highlight the limits of your backup—proactively choosing the right tool is the fastest route to operational resilience.
When it comes to backing up your Office 365 configuration files — such as user data, system settings, and security policies — the options available are few and far between. The only “native” solution for backing up configuration files is to use Microsoft 365 DSC, an open-source module for PowerShell.
Microsoft 365 DSC can be used to create a snapshot of your current tenant configuration across services like Exchange Online, SharePoint, Teams, and more. This snapshot is then exported to a file that can be used to restore your tenant configuration to that state at any point in the future.
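As an added illustration (not CoreView's or Microsoft's own script), the snapshot workflow described above can be run on a schedule with the Microsoft365DSC PowerShell module, keeping timestamped exports and a drift report against the previous one. The tenant name, application ID, certificate thumbprint, folder path, and the choice of three components are placeholders and assumptions.

```powershell
#Requires -Modules Microsoft365DSC
# Added example. All identifiers below are constructed placeholders.
$TenantId   = 'contoso.onmicrosoft.com'               # placeholder tenant
$AppId      = '00000000-0000-0000-0000-000000000000'  # placeholder app registration
$Thumbprint = '<CERTIFICATE-THUMBPRINT>'              # placeholder certificate
$Root       = 'C:\M365Snapshots'                      # assumed snapshot folder

# Assumption: a small, security-relevant subset of resources; widen as needed.
$Components = @('AADConditionalAccessPolicy', 'EXOTransportRule', 'TeamsChannel')

# Locate the most recent earlier snapshot before creating the new folder.
$previous = Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue |
    Sort-Object Name | Select-Object -Last 1

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $Root $stamp
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Certificate-based app authentication avoids storing a user password
# and works unattended with MFA enforced on admin accounts.
Export-M365DSCConfiguration -Components $Components `
    -ApplicationId $AppId -TenantId $TenantId `
    -CertificateThumbprint $Thumbprint `
    -Path $outDir -FileName 'TenantSnapshot.ps1'

$snapshot = Join-Path $outDir 'TenantSnapshot.ps1'
if (-not (Test-Path $snapshot)) {
    throw "Export produced no snapshot at $snapshot"
}

# Record a hash so later tampering with the stored snapshot is detectable.
Get-FileHash -Path $snapshot -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $outDir 'TenantSnapshot.sha256.csv') -NoTypeInformation

# Compare with the previous snapshot to surface configuration drift.
if ($previous) {
    $prior = Join-Path $previous.FullName 'TenantSnapshot.ps1'
    if (Test-Path $prior) {
        New-M365DSCDeltaReport -Source $prior -Destination $snapshot `
            -OutputPath (Join-Path $outDir 'DriftSincePrevious.html')
    }
}
```

The snapshot folder describes your security policies in full, so restrict its ACL to the backup account and administrators, and run the task under an identity that can read the certificate's private key.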
However, Microsoft 365 DSC is very code-heavy and often not intuitive enough for large-scale enterprise organizations. At CoreView, we have developed the first premium end-to-end configuration management and backup solution for Microsoft 365, which uses a no-code web interface to easily back up, monitor, and restore tenant configurations.
Veeam is a backup tool and recovery solution that specializes in securing files across Office 365 services like Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams. It also works with other systems and platforms like Salesforce and Kubernetes.
Veeam differentiates itself by offering a high degree of control over how and where your data is stored. You can back up your data to any on-premises or cloud-based storage location, including Amazon S3, Azure Blob, IBM Cloud, or S3-compatible on-premises storage options.
While it doesn’t offer configuration backup, Veeam is a robust solution for many businesses looking to secure their data using a cloud-to-cloud storage platform.
Organizations like Veeam back up your Microsoft 365 data. But what happens if your tenant goes down? You’ll have a copy of your data, but nowhere to actually put that data.
With its headquarters in Switzerland, Acronis is an industry leader in data backup and disaster recovery solutions for enterprises. Through its Cyber Protect Cloud product line, Acronis offers endpoint protection, email security, and data loss prevention for Microsoft 365.
Acronis Cloud Backup is one of the fastest disaster recovery solutions available thanks to its runVM technology, enabling businesses to get back up and running near instantaneously.
Apart from Microsoft 365 and OneDrive, Acronis also works with other cloud solutions like Google Workspace and VMware, making it a good choice for enterprises using multiple cloud workspace platforms.
Don’t let a simple bug or delayed support ticket become an existential threat. At CoreView, we’ve seen too many organizations suffer costly disruption from missing configuration backups. That’s why we built CoreView Configuration Manager—the no-code solution that gives you full visibility, versioning, and rapid restoration of all your Microsoft 365 settings.
You don’t have to risk compliance fines, weeks of downtime, or lost trust. Take control of your Microsoft 365 configurations. Get a demo, and we’ll show you how easy true configuration protection can be.
Does Microsoft 365 back up tenant configurations and settings?
No, native backup typically only covers user data, not all configuration or policy settings. Manual exports or third-party tools are needed.
What’s the difference between retention and backup in Microsoft 365?
Retention temporarily keeps deleted data; it’s not a full backup/restore solution for configurations or tenants.
What best practices help ensure full M365 tenant recovery?
Regularly back up configurations, review recovery processes, and use automation to monitor changes and protect all policy/settings.