{"id":50000,"date":"2021-03-18T18:20:56","date_gmt":"2021-03-18T14:20:56","guid":{"rendered":"https:\/\/www.msp360.com\/resources\/?p=50000"},"modified":"2025-09-02T18:34:28","modified_gmt":"2025-09-02T14:34:28","slug":"understanding-microsoft-365-shared-responsibility-model","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/understanding-microsoft-365-shared-responsibility-model\/","title":{"rendered":"Understanding Microsoft 365 Shared Responsibility Model"},"content":{"rendered":"<p>Businesses frequently turn to SaaS platforms like Microsoft 365 because they are convenient. They eliminate the need to deploy and manage software on your own servers. That doesn\u2019t mean that <a href=\"https:\/\/www.msp360.com\/saas-backup\/\">SaaS solutions<\/a> free you from having to manage security. Although SaaS providers manage some facets of security, they delegate many security-related matters -- especially related to data protection and security - to their customers through a shared responsibility model.<!--more--><\/p>\n<p>Here\u2019s a look at how <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2018\/06\/19\/driving-data-security-is-a-shared-responsibility-heres-how-you-can-protect-yourself\/\" target=\"_blank\" rel=\"noopener\">Microsoft 365\u2019s shared responsibility model<\/a> works and what you should know if you deploy Microsoft 365 in your business or incorporate it into a managed service offering.<\/p>\n<h2>What Microsoft Is Responsible For<\/h2>\n<p>As part of the Microsoft 365 SaaS platform, Microsoft manages and guarantees the following:<\/p>\n<ul>\n<li><strong>Uptime<\/strong>: Microsoft guarantees maximum uptime for the infrastructure and software that hosts Microsoft 365.<\/li>\n<li><strong>Data replication<\/strong>: To ensure high availability and reliability for data stored in Microsoft 365, Microsoft replicates it across multiple locations. Microsoft data replication doesn\u2019t protect against user deletion; deleting a file removes all copies across its infrastructure.<\/li>\n<li><strong>Access control<\/strong>: Available access controls for Microsoft 365 include multi-factor authentication in addition to basic password-based authentication.<\/li>\n<li><strong>Setup and management<\/strong>: Microsoft configures and manages the infrastructure that hosts Microsoft 365. Management includes protecting against electrical failures, natural disasters and other problems that could disrupt service availability.<\/li>\n<li><strong>Physical access<\/strong>: Microsoft provides protection against unauthorized access to the physical infrastructure that hosts Microsoft 365, which ensures that attackers cannot gain access to data stored in the system by physically accessing the servers hosting it.<\/li>\n<\/ul>\n<p>In these ways, Microsoft manages parts of Microsoft 365 security and related issues like data and service availability.<\/p>\n<h2>What the User Is Responsible For<\/h2>\n<p>The primary responsibility of Microsoft 365 users lies in securing any data that they store and manage on the Microsoft 365 platform. Although Microsoft manages the infrastructure and services that host that data, users need to guard against risks such as the following:<\/p>\n<ul>\n<li><strong>Accidental data deletion<\/strong>: Microsoft provides tools like the Microsoft 365 recycling bin to mitigate the risk of accidental data loss, but they only store deleted data temporarily.<\/li>\n<li><strong>Internal and external attacks<\/strong>: A malicious employee could deliberately delete data, for instance, or a third party that gains access to your Microsoft 365 resources could encrypt it and hold it for ransom as part of a ransomware attack.<\/li>\n<li><strong>Regulatory compliance<\/strong>: Users must ensure that any sensitive data that they store in Microsoft 365 is managed in ways that comply with regulatory policies that govern that data. Microsoft\u2019s Litigation Hold feature can be helpful in managing data subject to litigation holds, but that is only one regulatory issue at stake.<\/li>\n<li><strong>Data retention<\/strong>: Responsibility lies with users to ensure that they retain data in Microsoft 365 for the periods specified by any applicable laws or internal company policies. They may also need to delete certain data after a specified period. \"Microsoft automatically deletes data from inactive accounts after 90 days, which may conflict with retention policy requirements.<\/li>\n<\/ul>\n<p>In short, Microsoft secures your infrastructure, but you must protect your data and ensure compliance<\/p>\n<h2>Microsoft 365 Shared Responsibility Model<\/h2>\n<table>\n<tbody>\n<tr>\n<th style=\"background-color: #1360f3; color: #ffffff; text-align: left; width: 50%;\"><strong>Microsoft\u2019s Security Responsibilities<\/strong><br \/>\n<em>Infrastructure stability<\/em><\/th>\n<th style=\"background-color: #ff7527; color: #ffffff; text-align: left; width: 50%;\"><strong>Microsoft 365 User Responsibilities<\/strong><br \/>\n<em>Data safety and compliance<\/em><\/th>\n<\/tr>\n<tr>\n<td style=\"background-color: #d3e2ff; text-align: left; width: 50%;\"><strong>M365 Infrastructure uptime<\/strong><br \/>\nMaximum uptime for the infrastructure and software hosting Microsoft 365<\/td>\n<td style=\"background-color: #ffe3d3; text-align: left; width: 50%;\"><strong>M365 Data Availability<\/strong><br \/>\nThe data availability and access to it is the M365 user\u2019s responsibility<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: #d3e2ff; text-align: left; width: 50%;\"><strong>Data replication<\/strong><br \/>\nData is replicated across multiple locations which doesn\u2019t save from manual file deletion<\/td>\n<td style=\"background-color: #ffe3d3; text-align: left; width: 50%;\"><strong>Data retention<\/strong><br \/>\nData should be retained for the periods specified by the business need, applicable laws or internal company policies<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: #d3e2ff; text-align: left; width: 50%;\"><strong>Access control<\/strong><br \/>\nAvailable access controls include basic password-based authentication and multi-factor authentication<\/td>\n<td style=\"background-color: #ffe3d3; text-align: left; width: 50%;\"><strong>Internal attacks<\/strong><br \/>\nA malicious employee could deliberately delete data<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: #d3e2ff; text-align: left; width: 50%;\"><strong>Physical access<\/strong><br \/>\nProtection against unauthorized access to the physical infrastructure<\/td>\n<td style=\"background-color: #ffe3d3; text-align: left; width: 50%;\"><strong>Virtual\/Digital access<\/strong><br \/>\nProtection against a third party that gains access to your Microsoft 365 resources could encrypt it and hold it for ransom as part of a ransomware attack<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: #d3e2ff; text-align: left; width: 50%;\"><strong>Setup and management<\/strong><br \/>\nMicrosoft configures and manages the infrastructure that hosts Microsoft 365<\/td>\n<td style=\"background-color: #ffe3d3; text-align: left; width: 50%;\"><strong>Regulatory compliance<\/strong><br \/>\nThe M365 user should store sensitive data in ways that comply with regulatory policies governing that data<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 style=\"text-align: left;\">How to Protect Microsoft 365 Data<\/h2>\n<p id=\"last\">As noted above, Microsoft 365 offers limited features to manage compliance and reduce the risk of accidental data loss. However, these features fall far short of a complete data protection solution.<\/p>\n<div id=\"slidebox\"><span class=\"close\">\u00a0<\/span><!--HubSpot Call-to-Action Code --><span class=\"hs-cta-wrapper hs-cta-deferred\" id=\"hs-cta-wrapper-aa07fdb8-7776-46a5-9fa0-ec6e93f0f0a6\" data-portal=\"5442029\" data-id=\"aa07fdb8-7776-46a5-9fa0-ec6e93f0f0a6\"><span class=\"hs-cta-node hs-cta-aa07fdb8-7776-46a5-9fa0-ec6e93f0f0a6\" id=\"hs-cta-aa07fdb8-7776-46a5-9fa0-ec6e93f0f0a6\"><!--[if lte IE 8]><div id=\"hs-cta-ie-element\"><\/div><![endif]--><a href=\"https:\/\/cta-redirect.hubspot.com\/cta\/redirect\/5442029\/aa07fdb8-7776-46a5-9fa0-ec6e93f0f0a6\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" class=\"hs-cta-img\" id=\"hs-cta-img-aa07fdb8-7776-46a5-9fa0-ec6e93f0f0a6\" style=\"border-width:0px;\" src=\"https:\/\/no-cache.hubspot.com\/cta\/default\/5442029\/aa07fdb8-7776-46a5-9fa0-ec6e93f0f0a6.png\" alt=\"CTA\"><\/a><\/span><\/span><!-- end HubSpot Call-to-Action Code --><\/div>\n<p>That\u2019s why you must implement external protection and regularly back up all your Microsoft 365 data. Ensuring that any files you accidentally delete from the platform, or which malicious users delete (or hold for ransom) deliberately, can be recovered.<\/p>\n<p>In addition, regular backups make it easy to meet data retention and regulatory compliance. Advanced Microsoft 365 backup solutions let you build data lifecycles and automatically delete data you no longer need.<\/p>\n<p>Without a <a href=\"https:\/\/www.msp360.com\/products\/microsoft-365\/\">comprehensive backup solution for Microsoft 365<\/a>, you have very limited control over your and\/or your customers\u2019 data. You also face a higher risk of data retention policy gaps and regulatory non-compliance.<\/p>\n<h2>Discover more about our backup software and Microsoft 365<\/h2>\n<p><span style=\"font-weight: 400;\">Find more about our dedicated managed backup service <\/span><a href=\"https:\/\/www.msp360.com\/saas-backup\/\"><span style=\"font-weight: 400;\">like Microsoft 365 and Google Workspace<\/span><\/a><span style=\"font-weight: 400;\">. For <\/span><a href=\"https:\/\/www.msp360.com\/resources\/blog\/selling-microsoft-365-msp\/\"><span style=\"font-weight: 400;\">MSPs looking to expand their offerings, selling Microsoft 365 provides a robust framework<\/span><\/a><span style=\"font-weight: 400;\"> for delivering value to clients. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">To safeguard data, <\/span><a href=\"https:\/\/www.msp360.com\/resources\/blog\/explore-top-microsoft-365-best-practices-for-data-protection-in-the-cloud\/\"><span style=\"font-weight: 400;\">adopting Microsoft 365 best practices for data protection<\/span><\/a><span style=\"font-weight: 400;\"> is essential, particularly for cloud-based environments. When evaluating cloud storage, a comparison of <\/span><a href=\"https:\/\/www.msp360.com\/resources\/blog\/dropbox-vs-onedrive-for-business-vs-google-g-suite\/\"><span style=\"font-weight: 400;\">Dropbox, OneDrive for Business, and Google G Suite<\/span><\/a><span style=\"font-weight: 400;\"> highlights key differences in functionality and integration. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">When choosing email solutions, <\/span><a href=\"https:\/\/www.msp360.com\/resources\/blog\/exchange-online-vs-exchange-on-premises\/\"><span style=\"font-weight: 400;\">comparing Exchange Online vs. Exchange On-Premises<\/span><\/a><span style=\"font-weight: 400;\"> can guide decisions based on scalability and maintenance needs. For organizations transitioning to Microsoft 365, resources on <\/span><a href=\"https:\/\/www.msp360.com\/resources\/blog\/migrate-gmail-to-office-365\/\"><span style=\"font-weight: 400;\">migrating from Gmail to Office 365<\/span><\/a><span style=\"font-weight: 400;\"> offer step-by-step guidance. For comprehensive backup solutions, tools like MSP360 <\/span><a href=\"https:\/\/www.msp360.com\/resources\/blog\/msp360-backup-for-m365-and-google-workspace-2-0-with-export-to-pst\/\"><span style=\"font-weight: 400;\">Backup for M365 and Google Workspace provide robust options, including PST<\/span><\/a><span style=\"font-weight: 400;\"> export capabilities. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Additionally, securing Google Workspace requires adherence to a <\/span><a href=\"https:\/\/www.msp360.com\/resources\/blog\/google-g-suite-security-guide\/\"><span style=\"font-weight: 400;\">Google G Suite security guide<\/span><\/a><span style=\"font-weight: 400;\">, while <\/span><a href=\"https:\/\/www.msp360.com\/resources\/blog\/office-365-sharepoint-backup-guide\/\"><span style=\"font-weight: 400;\">Office 365 SharePoint backup<\/span><\/a><span style=\"font-weight: 400;\"> and <\/span><a href=\"https:\/\/www.msp360.com\/resources\/blog\/backup-office-365-mailbox\/\"><span style=\"font-weight: 400;\">Office 365 mailbox backup strategies <\/span><\/a><span style=\"font-weight: 400;\">ensure data resilience across critical workloads.<\/span><\/p>\n<h2>MSP360 Managed Backup for Microsoft 365<\/h2>\n<p>MSP360 Managed Backup provides full support for <a href=\"https:\/\/www.msp360.com\/products\/microsoft-365\/\">backing up Microsoft 365 data<\/a>, while also giving you complete control over data backups.<\/p>\n<p>With MSP360, you can easily back up your Microsoft 365 accounts, including <a href=\"https:\/\/www.msp360.com\/saas-backup\/m365\/outlook-backup\/\">Outlook mailboxes<\/a>, calendars and contacts, as well as Microsoft Exchange server,<a href=\"https:\/\/www.msp360.com\/saas-backup\/m365\/onedrive-backup\/\"> OneDrive<\/a>, SharePoint and Teams data. You can set custom data retention policies to meet your company\u2019s needs, and you can store backup data on-premises or in any major public cloud.<\/p>\n<p>In the event that you need to recover Microsoft 365 data, <a href=\"https:\/\/www.msp360.com\/managed-backup\/\">MSP360 Managed Backup<\/a> lets you select and recover individual files, folders or emails. Or, you can choose to back up all of your data. You get maximum flexibility, depending on your or your customers\u2019 business requirements.<\/p>\n<p>To see for yourself, <a href=\"https:\/\/www.msp360.com\/managed-backup\/\">request a MSP360 Managed Backup demo or sign up for a free trial<\/a>.<\/p>\n<div class=\"call-to-action\">\n<div class=\"call-to-action__left\" style=\"width: 40%;\"><img decoding=\"async\" class=\"aligncenter\" src=\"\/wp-content\/uploads\/2025\/04\/Why-You-Need-to-Back-Up-Microsoft-365-preview-2-3.png\" alt=\"Whitepaper Microsoft 365 icon\" \/><\/div>\n<div class=\"call-to-action__right\" style=\"width: 60%;\">\n<div class=\"call-to-action__title\">Why You Need to BackUp Microsoft 365 and How MSP360 Helps<\/div>\n<div class=\"call-to-action__text\">Discover the ins and outs of a cloud to cloud backup strategy using MSP360 Backup for Microsoft 365.<\/div>\n<!--HubSpot Call-to-Action Code --><span class=\"hs-cta-wrapper hs-cta-deferred\" id=\"hs-cta-wrapper-a03f1309-f6ae-439a-9be0-d11b29410547\" data-portal=\"5442029\" data-id=\"a03f1309-f6ae-439a-9be0-d11b29410547\"><span class=\"hs-cta-node hs-cta-a03f1309-f6ae-439a-9be0-d11b29410547\" id=\"hs-cta-a03f1309-f6ae-439a-9be0-d11b29410547\"><!--[if lte IE 8]><div id=\"hs-cta-ie-element\"><\/div><![endif]--><a href=\"https:\/\/cta-redirect.hubspot.com\/cta\/redirect\/5442029\/a03f1309-f6ae-439a-9be0-d11b29410547\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" class=\"hs-cta-img\" id=\"hs-cta-img-a03f1309-f6ae-439a-9be0-d11b29410547\" style=\"border-width:0px;\" src=\"https:\/\/no-cache.hubspot.com\/cta\/default\/5442029\/a03f1309-f6ae-439a-9be0-d11b29410547.png\" alt=\"CTA\"><\/a><\/span><\/span><!-- end HubSpot Call-to-Action Code -->\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Businesses frequently turn to SaaS platforms like Microsoft 365 because they are convenient. They eliminate the need to deploy and manage software on your own servers. That doesn\u2019t mean that SaaS solutions free you from having to manage security. Although SaaS providers manage some facets of security, they delegate many security-related matters &#8212; especially related [&hellip;]<\/p>\n","protected":false},"author":53,"featured_media":50078,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[883,877],"tags":[],"class_list":["post-50000","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-backup-and-dr-articles","category-blog-articles"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/50000","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/53"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=50000"}],"version-history":[{"count":7,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/50000\/revisions"}],"predecessor-version":[{"id":60917,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/50000\/revisions\/60917"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media\/50078"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=50000"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=50000"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=50000"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}