Is it necessary to back up your data in Office 365 externally?

Office 365 backup is a hot topic and there are a lot of opinions out there. My opinion and short answer is No, most organisations probably don’t need an extra backup solution for Office 365 data, or there are more important security investments to prioritise before cloud backup. However, there might be exceptions for compliance reasons and such, so here is my long answer. 🙂

It may be helpful to know that it is relatively rare for organisations to make external backups of Office 365 data today. "That is how it has always been done" is not a good enough reason to do backups. I would argue that in most cases the features included in the service work just fine. Backup is something you already pay for!

First, Microsoft always keeps multiple copies of your data in different fault domains (geographically separated datacenters).

Second, Office 365 features such as Versioning in OneDrive and SharePoint, Archiving, Retention policies, In-Place hold and Litigation hold, holds in SharePoint, self-service “restore deleted files”, eDiscovery, and Content search help customers protect and restore lost data. These, if configured correctly, protect your data from human errors and ransomware in the cloud.

All the above are Office 365 E3 functionality.

You can even lock your data to keep it forever by turning on Preservation Lock which locks a retention policy so no one, including administrators, can turn off the policy, delete the policy, or make it less restrictive (use with caution).
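A read-only check of whether retention is actually configured as described above, as an added example that is not from the original post. It assumes the ExchangeOnlineManagement module and a role that can read retention policies in Security & Compliance PowerShell.

```powershell
# Added example: read-only audit of retention policies and Preservation Lock state.
# Assumes the ExchangeOnlineManagement module is installed.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# -DistributionDetail is needed for the location properties to be populated.
$report = foreach ($policy in Get-RetentionCompliancePolicy -DistributionDetail) {
    $rules = @(Get-RetentionComplianceRule -Policy $policy.Name)
    [pscustomobject]@{
        Policy     = $policy.Name
        Enabled    = $policy.Enabled
        # RestrictiveRetention = $true means Preservation Lock is on.
        Locked     = [bool]$policy.RestrictiveRetention
        Exchange   = [bool]$policy.ExchangeLocation
        SharePoint = [bool]$policy.SharePointLocation
        OneDrive   = [bool]$policy.OneDriveLocation
        # Keep, Delete or KeepAndDelete, and the duration in days (or Unlimited).
        Action     = ($rules.RetentionComplianceAction | Sort-Object -Unique) -join ','
        Duration   = ($rules.RetentionDuration | Sort-Object -Unique) -join ','
        Status     = $policy.DistributionStatus
    }
}
$report | Format-Table -AutoSize

# Flag workloads that no enabled policy covers at all.
foreach ($workload in 'Exchange', 'SharePoint', 'OneDrive') {
    if (-not ($report | Where-Object { $_.Enabled -and $_.$workload })) {
        Write-Warning "No enabled retention policy covers $workload"
    }
}

# Flag enabled policies that an administrator could still weaken or delete.
$report | Where-Object { $_.Enabled -and -not $_.Locked } |
    ForEach-Object { Write-Warning "Policy '$($_.Policy)' is not under Preservation Lock" }

# Locking is irreversible, so it is left here as a comment only:
# Set-RetentionCompliancePolicy -Identity '<policy name>' -RestrictiveRetention $true
```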

Most customers want to do backups because they lack knowledge of how Office 365 works and manages their data, and they are simply used to doing backups themselves. “It feels right.” One of the key reasons for buying Software as a Service is to avoid this kind of extra cost and extra work.

If you still want to do external backups of your data in Office 365, you need to buy this from a third-party backup provider. Remember to do your GDPR homework when choosing a backup provider. Also, remember that the external provider probably does not have the same level of security in their service as Microsoft (Conditional Access, MFA, Identity Protection, Password-less, etc.). This is the biggest reason why I don’t like external Office 365 backup solutions. I don’t like the idea that a third-party service has full read access to my data when I have little knowledge of, and control over, authentication and access to it. You need to be sure that the backup service is secure.

Do not let your new backup solution become your weakest link!

Not everything will be backed up. Office 365 includes many sub-services such as Exchange, SharePoint, Lists, Forms, Teams, Planner, Yammer, Stream, Sway, Microsoft 365 Groups, etc. There is no backup tool on the market that can back up all the services in Office 365. They are usually limited to Exchange, SharePoint, and OneDrive only.

Please evaluate the risks that come with bringing in a third-party service and have a look at the built-in features before deciding on buying an extra service! It’s all about managing risks. You will be able to manage more risks by investing in E5 licenses and implementing features like risk-based conditional access, Microsoft Cloud App Security, and advanced data governance than by buying backup licenses. If you already have E5 and still have money to spare, then backup might be an option, but remember that it will probably lower your overall security posture in the cloud. I hope this helps!



4 thoughts on “Is it necessary to back up your data in Office 365 externally?”

  1. Well, I don’t really agree on this one. I think a back-up is a last resort to make sure the integrity of the data is guaranteed.

    What if a new, yet-to-be-developed ransomware threat is locking data in a way still unknown to us? It can cause a lot of damage.

    I always inform my customer, and let them know what the risks are and that they can choose what to do.

  2. Thanks for the input! Yes, there are reasons for an M365 backup, but I’m afraid that the backup service will be the weakest link since it’s probably run by a company with just a fraction of Microsoft’s security budget. It might be dangerous to trust such a service with your data.

    To this day, I’ve never heard of a customer who implemented the following protection in Microsoft 365 and got successfully ransomed:

    – OneDrive Known Folder Move
    – Defender for Endpoint Controlled Folder Access (great ransomware protection with OneDrive integration)
    – Attack Surface Reduction Rules
    – Defender for Endpoint XDR
    – O365 Retention Policies
    – Defender for O365 Safe Attachments and Safe Links

    But I did hear of many customers who invested in backup and got infected because they did not have the right protection in place. I would first implement the above protection, then start looking for backup solutions.
