Blog Articles
Read MSP360’s latest news and expert articles about MSP business and technology
Microsoft 365 Shared Responsibility Model header

Understanding Microsoft 365 Shared Responsibility Model

Understanding Microsoft 365 Shared Responsibility Model

Businesses frequently turn to SaaS platforms like Microsoft 365 because they are convenient. They eliminate the need to deploy and manage software on your own servers. That doesn’t mean that SaaS solutions free you from having to manage security. Although SaaS providers manage some facets of security, they delegate many security-related matters -- especially related to data protection and security -- to their customers through a shared responsibility model.

Here’s a look at how Microsoft 365’s shared responsibility model works and what you should know if you deploy Microsoft 365 in your business or incorporate it into a managed service offering.

What Microsoft Is Responsible For

As part of the Microsoft 365 SaaS platform, Microsoft manages and guarantees the following:

  • Uptime: Microsoft guarantees maximum uptime for the infrastructure and software that hosts Microsoft 365.
  • Data replication: To ensure high availability and reliability for data stored in Microsoft 365, Microsoft replicates it across multiple locations. Note, however, that data replication by Microsoft doesn’t protect against accidental data deletion by users: If you delete a file, all copies of it on Microsoft’s infrastructure will be deleted.
  • Access control: Available access controls for Microsoft 365 include multi-factor authentication in addition to basic password-based authentication.
  • Setup and management: Microsoft configures and manages the infrastructure that hosts Microsoft 365. Management includes protecting against electrical failures, natural disasters and other problems that could disrupt service availability.
  • Physical access: Microsoft provides protection against unauthorized access to the physical infrastructure that hosts Microsoft 365, which ensures that attackers cannot gain access to data stored in the system by physically accessing the servers hosting it.

In these ways, Microsoft manages some aspects of the security of Microsoft 365, as well as related issues, such as data and service availability.

What the User Is Responsible For

The primary responsibility of Microsoft 365 users lies in securing any data that they store and manage on the Microsoft 365 platform. Although Microsoft manages the infrastructure and services that host that data, users need to guard against risks such as the following:

  • Accidental data deletion: Microsoft provides tools like the Microsoft 365 recycling bin to mitigate the risk of accidental data loss, but they only store deleted data temporarily.
  • Internal and external attacks: A malicious employee could deliberately delete data, for instance, or a third party that gains access to your Microsoft 365 resources could encrypt it and hold it for ransom as part of a ransomware attack.
  • Regulatory compliance: Users must ensure that any sensitive data that they store in Microsoft 365 is managed in ways that comply with regulatory policies that govern that data. Microsoft’s Litigation Hold feature can be helpful in managing data subject to litigation holds, but that is only one regulatory issue at stake.
  • Data retention: Responsibility lies with users to ensure that they retain data in Microsoft 365 for the periods specified by any applicable laws or internal company policies. They may also need to delete certain data after a specified period. Microsoft automatically deletes data inactive accounts after ninety days, which may not be long enough to ensure compliance with data retention policies.

In short, while Microsoft keeps your infrastructure safe, it leaves it up to you to keep your data safe and compliant.

Microsoft 365 Shared Responsibility Model

Microsoft’s Security Responsibilities
Infrastructure stability
Microsoft 365 User Responsibilities
Data safety and compliance
M365 Infrastructure uptime
Maximum uptime for the infrastructure and software hosting Microsoft 365
M365 Data Availability
The data availability and access to it is the M365 user’s responsibility
Data replication
Data is replicated across multiple locations which doesn’t save from manual file deletion
Data retention
Data should be retained for the periods specified by the business need, applicable laws or internal company policies
Access control
Available access controls include basic password-based authentication and multi-factor authentication
Internal attacks
A malicious employee could deliberately delete data
Physical access
Protection against unauthorized access to the physical infrastructure
Virtual/Digital access
Protection against a third party that gains access to your Microsoft 365 resources could encrypt it and hold it for ransom as part of a ransomware attack
Setup and management
Microsoft configures and manages the infrastructure that hosts Microsoft 365
Regulatory compliance
The M365 user should store sensitive data in ways that comply with regulatory policies governing that data

How to Protect Microsoft 365 Data

As noted above, Microsoft 365 includes limited features for helping to manage data compliance needs and mitigating the risk of accidental data loss. However, these features fall far short of a complete data protection solution.

  New call-to-action

That’s why it’s critical to implement an external data protection solution and back up all of your Microsoft 365 data on a regular basis. Ensuring that any files you accidentally delete from the platform, or which malicious users delete (or hold for ransom) deliberately, can be recovered.

In addition, regular backups make it easy to meet data retention and regulatory compliance. Advanced backup solutions for Microsoft 365 allow you to create data lifecycles so that you can delete data automatically when you no longer need to retain it.

Without a comprehensive backup solution for Microsoft 365, you have very limited control over your and/or your customers’ data. You also face a higher risk of data retention policy gaps and regulatory non-compliance.

MSP360 Managed Backup for Microsoft 365

MSP360 Managed Backup provides full support for backing up Microsoft 365 data, while also giving you complete control over data backups.

With MSP360, you can easily back up your Microsoft 365 accounts, including Outlook mailboxes, calendars and contacts, as well as Microsoft Exchange server, OneDrive, SharePoint and Teams data. You can set custom data retention policies to meet your company’s needs, and you can store backup data on-premises or in any major public cloud.

In the event that you need to recover Microsoft 365 data, MSP360 Managed Backup lets you select and recover individual files, folders or emails. Or, you can choose to back up all of your data. You get maximum flexibility, depending on your or your customers’ business requirements.

To see for yourself, request a MSP360 Managed Backup demo or sign up for a free trial.

#1 Business Backup. Simple. Reliable.

Leverage AWS, Wasabi, Backblaze B2, and local storage. Eliminate expensive hardware investments. Improve recovery time objectives.

New call-to-action
Managed Backup icon