The answer is absolutely yes, and anyone who thinks you don’t need to do so should not be put in charge of your data. Also, anyone who thinks I’m saying this just because I work for a company that backs up Office365 should read this blog post from seven years ago when I basically said exactly the same thing: Cloud services need to be backed up.
I was reading a spiceworks thread on this topic and was shocked at some of the anti-backup recommendations I saw there. One person pointed to TechEd article that talks about how redundant the storage is for Office365. That has absolutely nothing to do with this topic. That’s the equivalent of saying “I have RAID, so I don’t need backups.”
I saw another post where someone explained that the recycle bin is sufficient for “oops” recovery needs, and that vendors just try to scare people with things like rogue admins to get them to buy their products. He/she went on to say nothing like that had every happened to them, so… It’s not just rogue admins, people. There are all sorts of things that can corrupt your entire datastore that can only be addressed via a good third party backup solution.
Backups aren’t included
Take a look at the feature page for Office365. You will find that backups aren’t included. The references to data protection features are more about loss prevention and things like that. They have nothing to do with recovering corrupted data.
MCSE Brian Posey points out that “the Office 365 service-level agreement addresses availability, not recoverability.” So if you or someone else messes up your Office365 data, Microsoft is under no obligation to help you.
MCSE Experts think so
Microsoft MVP Brien Posey says that “you might not have as many options for restoring your data as you might think. As such, it is critically important to understand your options for disaster recovery in an Office 365 environment.”
“Microsoft says they also perform traditional backups of Office 365 servers. However, those backups are used for internal purposes only if they experienced a catastrophic event that wiped out large volumes of customer data…”
He also points out that there is no “provision for reverting a mailbox server to an earlier point in time (such as might be necessary if a virus corrupted all the mailboxes on a server).”
You can delete your primary & secondary recycle bin
A lot of people talk about using the recycle bin to recovery accidentally deleted or corrupted folders. It is true that it can keep such items for up to 90 days, depending on your settings. However, it is also true that a well-meaning or malicious person can easily clean out both the primary and secondary recycle bin. And a malicious person would indeed do just that.
Litigation hold doesn’t protect public folders
Some say that litigation hold protects you from such things. It keeps a copy of most messages forever; however, it does not protect public folders. Someone could easily delete everything in a public folder and then empty the recycle bin, and you would no recourse if you did not have a third-party tool.
Litigation hold has no separation of powers
An important concept in many environments is the separation of powers between a person like the Exchange admin, and a backup person. That protects the organization from rogue admins doing very bad things and then covering them up by deleting the backups as well.
But litigation hold has no such protection. Office 365 administrators could (rightly or wrongly) assign themselves eDiscovery Manager rights and have full access to search and export from Exchange mailboxes, SharePoint folders, and OneDrive locations. They could even modify the Litigation Hold policies. One way to describe this is that it helps a good person to do the right thing, but it does not stop a bad or incompetent person from doing the wrong thing.
The OneDrive restore feature is all or nothing
The OneDrive restore feature is a bit puzzling. It can only restore things that are in the recycle bin, and it is all or nothing. Meaning you have to restore the entire OneDrive system to a single point in time; you cannot just restore parts of it. That has to be the most worthless restore I’ve ever heard of.
You need to backup Office365
You need to backup Exchange, OneDrive, and Sharepoint. Microsoft isn’t doing it for you, and the features that protect you against accidents do not go far enough. Look into a third-party solution, such as what my employer (Druva) provides.
----- Signature and Disclaimer -----
Written by W. Curtis Preston (@wcpreston). For those of you unfamiliar with my work, I've specialized in backup & recovery since 1993. I've written the O'Reilly books on backup and have worked with a number of native and commercial tools. I am now Chief Technical Architect at Druva, the leading provider of cloud-based data protection and data management tools for endpoints, infrastructure, and cloud applications. These posts reflect my own opinion and are not necessarily the opinion of my employer.