TheSupe87 - Fotolia


Microsoft 365 retention policy vs. backup: Why you need both

The Microsoft 365 retention policy offers some protection against data loss and the associated risks, but is it a replacement for a true data backup? Signs point to no.

Data retention is an important component of the data protection strategy for Microsoft 365. That strategy must also include a backup plan. Rather than viewing data protection as a choice of a Microsoft 365 retention policy vs. backup, IT professionals should determine the retention policy gaps that a backup strategy can fill.

Many enterprises have transitioned or begun to transition to Microsoft 365. It is generating business-critical data that organizations must retain and protect. Microsoft 365 also enables customers to apply and control retention settings, which is beneficial with pervasive and strict compliance requirements and cybersecurity concerns.

Policies help meet compliance requirements

Data retention is necessary for proactive regulatory compliance, to reduce the risk of litigation or a security breach, and to ensure users work with current and relevant content. It is important to ensure employees and storage systems cannot delete data until the end of a retention period or legal hold designation. To manage storage capacity requirements, organizations must delete unnecessary data at the end of its retention period.

However, a data retention policy is not a substitute for backup. When it comes to data protection, it is less a question of whether to institute a retention policy or a backup, than, "How can I use both tools with Microsoft 365 to my advantage?"

How a Microsoft 365 retention policy works

IT professionals should closely review the detailed documentation available on Microsoft 365 data retention capabilities and exemptions. Once aware of the capabilities and limitations of the retention policy, they can craft a thorough data protection plan in accordance with their organization's governance requirements.

Microsoft 365 facilitates control over data retention through retention labels and retention policies. These policies apply data retention settings across entire sites or mailboxes or to specific users. Retention labels, on the other hand, apply data retention settings to specific items, such as documents, emails or folders. Customers may use either retention policies or retention labels or use both in conjunction with one another.

Backups and backup software enable customers to write copies to a separate storage infrastructure. It is a best practice is to have data copies available on a third-party storage infrastructure along with Microsoft 365, in case there are any issues with Microsoft Azure.

Fill in policy gaps with backups

On-premises or third-party-provided backup software provides control over redundancy and replication for data copies, which helps ensure their availability and integrity. Along a similar vein, backup software provides more flexibility in terms of the recovery location of backup copies than a standard retention policy.

There are some gaps in retention settings that the right piece of backup software could fill.

There are some gaps in retention settings that the right piece of backup software could fill. For example, Microsoft 365 has some limitations in applying retention policies globally and on when data retention policies are applied. It only enables customers to apply one retention label at a time to emails and documents, and retention labels do not persist if the data is moved out of Microsoft 365.

There are some ways backup admins can alter or shorten retention periods. Microsoft uses a policy of "explicit over implicit," meaning a retention setting that an admin applies explicitly in a label takes precedence over one they apply implicitly with a policy. If there are two retention labels, the shortest one takes precedence. In theory, this setup could open the door to adjustable retention periods.

Backup software can ensure protection for Microsoft 365 data and simplify how backup admins control and oversee data retention. Organizations that integrate Microsoft 365 data protection as a component of overall data protection and implementation strategies can minimize complexity for administrators and meet data retention requirements. This integration includes the creation, implementation and management of Microsoft 365 data retention settings.

Dig Deeper on Data backup and recovery software

Disaster Recovery