Microsoft 365 backup is NOT an option - It's mandatory

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode where you're talking with Microsoft 365 expert Vanessa

Toves about backing up Microsoft 365.

It was, uh, one of our most listed to episodes a few years back,

and I wanted to play it again.

I did trim it down a bit for length to make it a little easier to

listen to and remember, please, Microsoft doesn't back up your data.

They just host it.

You own it, you're responsible for it, and if something happens to it,

you will be the one to restore it.

Vanessa breaks down exactly what Microsoft does and doesn't do and what you need

to do to protect your data in the cloud.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr. Backup,

and I've been passionate about backup and recovery for over 30 years, ever since.

I had to tell my boss that we had no backups.

Of the database that we just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated admins into Cyber Recovery Heroes.

This is the backup wrap up.

Hi, and welcome to Backup Central's podcast.

I'm your host, w Curtis Preston, AKA, Mr. Backup, and I have with me all

the way from the Bay Area, none other.

Prasanna, MALDI, how's it going?

Prasanna?

I'm good.

And our uh, Microsoft 365 expert, Vanessa Tove.

How's it going?

Hello.

Thank you guys.

It's going well.

I'm excited to be here and, uh, be on my second podcast with

you, your second podcast.

Anyway, uh, so we had a really good conversation, Vanessa, I find myself

arguing when I'm talking to, you know, random people and sometimes not

random people online is, well, gee, isn't this the whole point of SaaS?

Right?

I, I, I moved my application up into Salesforce, or I moved it into G Suite,

or I moved it into Microsoft 365 and, you know, this person told me that I now

don't need to worry about backing it up.

What's your thoughts on that?

I think that's false.

I know this would be a great surprise, but I agree with you.

Right?

I, I really look back to, uh, let's just talk about the, the,

the companies that migrated or are migrating to 365 from on-prem.

Um, it was never really a question, uh, for an organization to say,

we, this is our environment.

We must back it up.

We, you know, whether and they, they've made those investments

because of whatever the situations were that drove them to do that.

Right?

And the type of companies, and it's no different.

So I'd say the first and foremost, the reason to back up your SaaS base

information is that you own it and you have a responsibility to, you know, uh,

to the organization that you work for, to, uh, to right safeguard that information

regardless on what platform it is.

And, and then of course, for whatever the, uh, the other reasons that

everyone else that we all talk about.

But truly, the, the most important reason is that you own that information.

I, I mean, there, there's a number of reasons why, but ultimately,

uh, you have responsibility for that to your organization.

Right.

And, and

wait, doesn't the SaaS application company or the SaaS company.

Own your information.

Aren't they responsible for protecting it, making sure it's

available, all the rest of that?

Yeah.

I mean, they have a platform, uh, and their responsibility, you know, they,

they basically sell a service for you to access their services and to save whatever

information, you know, uh, however many rows of information, however many files,

and use that service and to be able to a, you know, access your access that,

but it's not, I, I don't, I don't believe that if you were to ask, um, uh, bank of

America, if they think that Microsoft owns their information, the answer would be no.

Hmm.

And that would be no different for the small company like my sister's,

uh, hard cider company in Auburn.

Uh, common cider, you know, she's been on 365 and Microsoft

does not own her information.

They do not own, you know, she is paying for a service to utilize their technology.

Um, and, and where that's concerned, you know, the first and foremost

reason is that it is your information.

Uh, it is the company's information.

And I think a lot of people fail.

Like they think that I'm going SaaS, but SaaS is just another application, another

platform, a manner in which to right to interact with, uh, whether it's, you

know, using a Dynamics or Salesforce.

Um, it is just another application by all means or another platform,

but what's in it is yours,

right?

And yeah, I think I agreed that that's, that's sort of why you like, from a Phil

philosophical perspective, I completely agree that this is your information.

And, and also there's, there's what we call the shared

responsibility model, right?

Doesn.

Doesn't Microsoft lay this out?

Or, or, or not?

Yeah.

I, I think Microsoft, or from my understanding too, is that Microsoft

wants to ensure that you have access to their platform and they will do

everything that they need to, to ensure that, um, you know, that you can access

it, that you can get to your information, that your users can log in, and all

of the infrastructure that goes into that, that is absolutely why, you know,

they back up their systems, um, and why they back up all of their servers.

Right?

So that's, that's exactly why they're doing it.

So, um, it's more from an

availability perspective rather than Correct.

And I think that some, well, in fact, I know that some people when they read

the SLAs, uh, if they read the SLAs, right, uh, big assumption, you know.

Yeah.

If, if they read the SLAs, they see avail.

Guarantees, and they immediately translate that into that, that

that's the availability of my data.

And it's not, it's the availability of the platform,

which is a really big difference.

It is.

It's a, it's a completely different thing.

I can log into Outlook, but as a good example, I logged into my Outlook

and or I, I, my Outlook client and my online archive wasn't there.

I didn't see it there.

And, you know, so I had to just, I, knowing how it works, sometimes

I closed my client and I opened it back up and there it was.

So you you did the old turn it off and turn

it on.

Yes, turn it on.

Turn it off.

Um, and, but, but that's the kind of the concept is that I, right.

I use that online archive and there's, excuse me, some rules that are set

in place that allow me to move things to that online archive for a reason.

So I rely on that online archive.

Everything, you know, and what that service is there for.

Uh, so the availability of that, I mean, underlying to this is Microsoft's,

um, investment in ensuring that you and millions of other companies out

there and all of their, you know, the millions, hundreds of millions

of other, uh, employees can ac access this information at any time.

Right.

Um, now, so let's talk there.

Would you agree though that there is this perception that when you

go to a SaaS service like 365, like Salesforce, like G Suite, that

backups are part of the service?

Have you, have you run into that idea quite a bit?

Um, you know, I, for sure.

I would say people trust in the fact that it will be there.

They trust in it more.

Uh, you think about.

You know, when it was on-prem, you had your hardware, you had so many different,

you know, components that could go wrong, things that could go wrong.

Um, so I think it provides people with a sense of, of, of, uh, maybe

comfort or trust that yes, uh, I can go there and it's always there.

Yes, it's always up,

right?

And yes, it's always available.

I mean, un unless something really unfortunate happens.

Um, you

mean like last week?

Yes, like last week and, you know, sorry, that was just too easy.

Um, no, I know, but that's it.

I mean, I, they, they, they were able to turn turnaround and

probably roll back some, right.

Some update that they pushed out to

Right.

All of their infrastructure.

Mm-hmm.

Um, and they had the mechanisms to do that.

They made, they've made the investments to be able to recover in moments like that.

Yeah.

And, and it's, um, it's.

I, I, I, I, I'm glad you mentioned that that's, that's part of the idea.

Because I think the same true when I think of, you know, I, I, I often say the phrase

young whippersnappers, when I think about young Whippersnappers, um, in it, like all

their di, all their devices are all flash.

Right.

And so they, they, they've grown up in a world where their storage

device is a thousand times more reliable than the ones I grew up on.

We backed up everything like every second because that, that hard drive

could just die any moment, right?

Yes.

And if, and if it was a, if it was a laptop hard drive, and it, you

know, it was being banged around, you know, around all the time.

So you really had to back that up.

But now we have these, I mean, my phone, my iPhone has a bigger, hard

drive than the entire data center when I, when I joined the IT industry.

Okay.

And it's flash and nothing has ever gone wrong with that device.

I'm sure some people have lost it, but, but I think it's the same

problem that there's this perception of like, well, it's Microsoft.

They know what they're doing, they're gonna take care of my data.

And even when they have an outage, as much as I like to make fun of

it, the, the it, it came back up and all my stuff was still there.

Right.

Um, so I, I think that's a valid, um, what Prasanna, what do you think,

what do, do you have any idea like why people feel this way about SaaS apps?

I think it's just that SaaS apps have given that perception, right?

That you, everything is handled for you, right?

They're simplifying things and so people just kind of assume, Hey, if

everything is done for me, I don't have to worry about anything, right?

I also go ahead.

And so I think, and then no one questions it, right?

They're like, oh, it's not running.

It's not something that I would've had to manage or worry about before.

'cause it's kind of like either infrastructure or it's

the underlying mechanisms.

Everything I'm just interacting with is like a browser or a service.

So why do I have to worry about backing it up?

And they don't always tell you or give you those APIs, for instance,

to be able to pull your data out.

So you're like, oh, if they're not giving me the APIs, then maybe

I don't need to worry about it.

Yeah.

And, and, and so, and here's where I'm, here's where I'm

gonna sort of gripe the most.

Uh, there's a couple rip away.

There's a, there's a couple of bones I have to pick with Microsoft.

One is the API one, and we'll come back to that.

But the other is, I don't think that Microsoft specifically, and I,

and I'm gonna say G Suite as well, that I don't think that they have.

Plainly stated that they could settle this, they could easily

settle this with a position, you know, on their website that says, we

are not responsible for your data.

We've, yes, we've built in some nice, like recovery features, but

your data is your responsibility.

You need to use some sort of backup system.

They could settle this once and for all, but they don't, uh, my so, so in contrast,

Salesforce for example, did do this.

They, they actually had this, they had this, uh, I dunno if you, uh,

Vanessa, are, are you aware with, uh, are you aware of this thing that was

called the Salesforce Recovery Service?

Oh, no, I'm not.

Okay.

It was horrible.

I I'm not gonna spend that.

That never worked your time on it.

Yeah.

Yeah.

Well, so basically if, if you didn't back up Salesforce, you could go

to the company and you could say, listen, we didn't back it up.

We screwed up, here's $10,000.

And then they would, uh, they would create a, a, a zip, a bunch of zip files of each

of the objects in your Salesforce account.

The objects, you know, in Salesforce is like a table.

So each of you know users, uh, opportunities, uh, you know, contacts,

leads, these are all objects.

So they would create a zip file for you of the, of each object, which you would then

download unzip, and then use data loader, which is their tool, uh, to upload these.

And you have to upload them all in a certain order or it won't work.

'cause there's like refer referential integrity issues.

And for this, you paid the.

You, it was $10,000 and it took six to eight weeks.

And it, and it never, and it, there was no guarantees of recovery.

So it was just the worst service ever.

And they eventually, uh, the end of July this year, they

eventually said, you know what?

Basically this product stinks.

We're not gonna do this.

And we're, we're not gonna offer it anymore because people were

using it as a crutch to say they didn't need to back up Salesforce.

And they're like, you know what?

If you ever actually a asked for this thing, we were kind of

embarrassed to give it to you.

It was so horrible.

So we're gonna pull it off the market and you guys need to back up your, your stuff.

So they've made a public statement that says that Salesforce customers

need to back up their data.

Microsoft has not done that thing.

And I, and, and I'm, I have my theories as to why they have, uh,

do, do you think they've helped this?

Uh, issue at all.

I don't think that they make it a point to, to bring it up.

Uh, I think they talk about reliability.

Uh, they talk about their platform, their investment, their growth.

That's their focus, right?

That's the focus.

I can't speak for that, but I have my own theories, but I don't think

I can share, share that right now.

Yeah.

Um, right.

But, uh, I mean

I, yeah, I, I, I think

ultimately when you, yeah, when you're dealing, when you're dealing with

any SaaS platform, uh, I'm not even Microsoft, you have to ask yourself,

um, you know, if I'm an IT director of, uh, whatever, VP of it, I, what is the

risk of the loss of this information?

I mean, that is what, why we do this, right?

This is why we back up.

What is the risk if this was not here tomorrow?

Right.

Uh.

Doesn't Microsoft offer backup?

I think they're building a backup, um, uh, enterprise,

sorry, sorry.

With their like E three, E five.

E nine.

Don't they offer No, no,

there's no, there's no backup

feature.

No, no, there's no backup.

Oh, it's E three, E five, E one, E three, E five plus the

other ones, the other letters.

Yeah.

Those come with like e-discovery and stuff like that.

The two bones were, I don't think that they, they make this clear enough.

They just, they basically just, it's like, it's like the elephant in the

room that nobody wants to bring up.

Right?

They don't, they don't, they don't say one way or the, I do find it weird that

the consumer version of the product does have a very clear statement in it

that says you need to back up your data.

The business version of the product, which is, I'm gonna say very similar

from a data protection standpoint, um, does not have that verbiage in it.

But anyway, there's that, and then there's the issue of they make some.

Of the data, I'm gonna make up a word not backable.

Right.

So in the previous, in the previous, uh, podcast, we talked about things

like Yammer and Planner, and these are products that they, my understanding is

they're products they've acquired, right?

Is that correct?

Yes.

Right.

For sure.

Uh, uh, Yammer.

Yes, I know.

Yeah.

So they, they brought 'em in and they brought 'em to production

without providing any APIs for anyone like dva, uh, to, to get

the data out and back it up.

Right.

Um,

and that's very likely because of its original architecture, right?

Not so much.

Um, you know, one of the, I'll, I'll just say in defensive of the

acquisition concept that Microsoft does is that, uh, the life of that

product will change once it's brought into the Microsoft, the true Microsoft

ecosystem of, of development, I think.

Uh, so yes, as, as.

Applications are acquired, uh, and incorporated in as an app.

Um, initially probably we don't have an API for certain things because

there might not have been one at all.

Right?

Right.

Yeah, I, I guess I've just, I live in this weird world, Vanessa, where a backup

is like super important, and then I would never go to production with an app

that doesn't have a way to back it up.

But I know that I wear, I live in this, this very, uh, distorted view

of the world, but I, I understand that's exactly the, the situation.

And hopefully this will be resolved over time, and then companies like Druva will

be able to, uh, to back up that data.

Um,

but I think at the last podcast we had talked also right about how

all this data is important, right?

If you don't have the Yammer or you don't have your planner data, right?

It's not that you truly have a full backup of your environment.

Right.

Agreed.

Right.

Yeah.

So it's important to get that data.

It's just frustrating that we can't, that, you know, we and other

vendors are not able to do so.

Um, so, uh, which is, I, I was actually just, just prior to recording this

co this podcast I was editing our other, um, we have a, an interesting

podcast where you have a, a, a, what, what's you call ba a backup Anac.

Have you heard that term before, Vanessa Anac?

I, I have not.

So it's a, it's a British slang term, which means a person who follows sort

of a fringe or boring topic, right?

So like, you could be like a train anac.

You can't be a Microsoft 365 anac because there's millions of people using

it and love it and blah, blah, blah.

But you could be like a, you know, but, and so he's a backup anac and what he

is, his complaint was that the, there's a lot of consumer, uh, SaaS services that

there is not a way to back up that data.

Not, not in any sort of normal way that I would recognize.

And so we, that's, we talked about that and you guys should

check that up, podcast as well.

So let's talk about some of the things that, um, I know that there's some

users that are, some, uh, sorry, I know that there's some listeners that

are listening and saying, but, but I can restore, like in Microsoft,

I can restore previous versions.

I can restore an entire OneDrive account.

Um, I can, you know, I can restore deleted files.

Uh, you know, I could do all of these things in, uh, you know, Microsoft 365.

So how is that not backup?

Well, I think it, it comes down to also the situations that, you know,

um, the end u we kind of have to split that as a, as an end user.

I have a feature.

A feature is to be able to go back to a prior version.

And the prior version, literally just being.

Still in the same spot still there, and I can absolutely create a new version.

So I wouldn't say that they're restoring anything, but they're

literally just copying a prior version and they're making a new one.

Um, uh, so there's the, the, the end user expectation and features, right?

That, that's one thing I can go into my recycle bin if I

deleted something and Right.

Uh, hopefully if I've, if I, you know, I go in there before it actually gets purged

and goes to the second stage, then, uh, you know, I can, I can get to that file.

But it's never really in the, the typical that backup solutions are needed.

Uh, it's always in the, you know, the situations that are unexpected.

Um.

Or even whether it's, you know, maybe intentional or even malicious.

But you know, I would say malicious being less than intentional.

Um Right.

If that makes sense.

No.

Does

that make sense?

Okay.

Okay.

May maybe I understand, but help me understand.

Yeah.

Uh, I, I also like to say users happen.

Okay.

They happen and they act in certain ways, uh, and applications.

I, I think, like my son can get on, I actually had my

son get on and I was curious.

I asked him to create a page and I wanted to see how well he can, he's nine.

How well he could actually create a page, like was it user

friendly, you know, for a child.

Mm-hmm.

Um, but users happen.

He was doing things that, uh, the application.

No, maybe they didn't quite test for or Right, of course.

Yeah.

And right.

That, that's a user, but that same thing happens too for the administrative side.

Uh, you don't find an individual with just the, generally the

job of 365 in most companies.

You know, most companies, 365 is administered by the, you

know, it maybe the help desk.

And you have a, a team of people that someone needs to go do this.

That person, this person creates an account, uh, the accounts,

this, this person does, you know, uh, groups, whatever it is.

Um, so it's not just necessarily one person.

So when you also don't have a level of, of knowledge, of a deep knowledge of what

it does, and you don't understand the relationships from one thing to the other

users, that that concept of users happen.

Also happens on the admin side.

So, um, and those are the things like the users happen.

Unintentional things that happen when I interact with an application

I'm not aware of, I, I may not know.

Uh, and then absolutely the, the malicious, uh, part where you might have

third party, um, you know, people coming in from the outside, like ransomware,

um, that you're trying to protect again.

And then you also might have somewhat of a trusted person that might be, you

know, a, a contractor or a vendor or whatever it is, or an, uh, honestly,

an ex-employee that logged in and you hadn't shut down their account and Right.

Those are malicious, uh, intent.

So there's, there are very specific reasons beyond your, your responsibilities

as an organization to back up, um, right.

Users happened and malicious intent.

Yeah.

Users happen and admins happen, you know, just because somebody's in it doesn't mean

they know what the heck they're doing.

Right.

Yeah.

I mean, they, they manage, I mean, like, you know, they, they'll manage, um,

10 different enterprise applications.

And especially since, you know, everyone thinks it's all, it's very easy, oh,

we've got, uh, 365, it's in the cloud.

I don't need an exchange admin anymore.

Yeah.

How, how hard can it be?

Right, so that, that organizations look to tighten their belts as they,

um, take on these SaaS applications.

So you have admins that are stretched relatively thin and may not know an

application as deeply as they need to.

And

that's actually interesting.

Be effective.

That's actually interesting.

Like even if I look at Salesforce, right?

You have specialists like admins who are very specialized in

understanding how Salesforce works.

Because even though SaaS is supposed to be simple, it's powerful and

complex and you need an admin, right?

I think Microsoft 365 is the same way, even though it's they've took away

managing infrastructure, there's still other aspects you have to administer and

be a specialist in that requires you the time to be able to do that effectively.

Absolutely.

I mean, you can't just, uh, go roll out multi-factor authentication

without understanding, you know, the self-service password reset.

Uh, I, there's just a number of things and it's, it's when you have, and not

everyone invests in their employees on the administrative side to become it, to

go, to get education on the admin side.

Um, it's supposed to be easy.

Yeah.

It's supposed to be easy.

Right.

Uh, you know, and I'm, I'm flashing back to, um, yeah, so it's, I think

it's the problem that you just talked about and then honestly, you know.

I, I, I love, I love all my admin friends, but like I said, not

all admins are created equal.

Uh, I, I do remember that was a, that was a person in, in early in my career,

there was a person that, uh, me and another guy would, he would, he was a

customer and we interacted with him a lot.

And you would, you would explain something to him and it would seem like he got it.

And then five minutes later, if you asked him a question about the

thing, you just explained it to him.

It, he, he, it was like he didn't, he didn't get it.

The thing that you just explained that you thought he understood.

And so we developed the term, you know, the term, uh, worm, and

it's a, it's a, it's an acronym, uh, acronym write once read many.

So it means like, like a DVD or there, there are, there are.

Storage options like an S3 to do worm as well, where basically once it's

written, you can't be changed and then, and then you just read it many times.

So we developed a term for this guy.

We, we called his memory, uh, worn memory, uh, write, often read never.

So, yeah, so, so it's the people make mistakes and then

there's bad people, right?

And, and

yes, I mean truly that like, people make mistakes and then there's bad people.

I mean, yeah.

Um, the, yeah.

Uh, and bad people.

I think the bad people part has, well, I don't know.

What, what's your perception?

Has the bad people part gotten worse recently?

You know, when the, the last, the last couple weeks?

Um, I know from what my understanding is, right, there was an authentication,

uh, issue with, um, with 365.

And I just, you just have to wonder how often these SaaS.

Applications are being, um, you know, attacked, I guess I should say.

That's the easiest thing.

Yeah.

Yeah.

Um, and I'm sure that they're not gonna necessarily always come out and say that.

Um, but I think that that with more people going to SaaS applications, that

Absolutely, that becomes more of a target.

Just like, um, you know, as every version of Windows has always

had their issues, you know, and it was always a target, right?

For viruses, uh, that came through your email because people work, right?

They work and they live in Outlook.

But I do think that, yes, I think that malicious intent is happening

more and more by all means.

And especially as more and more companies store more of their data, valuable

data in the SaaS applications, right.

It becomes sort of a great spot to target.

Yeah.

Is, it is both a point to share things and a point to steal things,

you know, and, and with both of those, right, users happen, admins

happen and malicious intent.

Um, it doesn't, you know, Microsoft has as, as great, um, tools in terms of

like, they have their e-discovery, they have retention, but that's still, that

doesn't address the underlying issue of how do you protect against, right.

Those two other things.

Yeah, we,

I want, uh, retention is completely different than, uh, backing up.

Yes.

Thank you.

We're gonna, I, that's gonna be our next topic.

I, I'll just fill in on this, like, admins happen, so, you know,

especially since I, I spent a few minutes making fun of another person.

I'm gonna throw myself out there.

I try, like, I try really hard not to, uh, not to get subject to.

My, you know, I, I get attacked.

I get phished, I get, you know, ransomware attacked and Right.

And so I'm, I'm constantly Don't click on that.

Don't click on that.

I actually got successfully phished the other day and ended up accidentally

giving my credentials to a really important site to a black hat.

Um, because I, because I was tired and not paying attention.

And the, and the email came right at the right time and it looked like an

official email from the place in question, and I immediately changed my password.

Um, and so I, I, I think because I, I realized what it was one of those, one

of these things where I'm trying to be, I'm trying not to say what it was, but

it was one of these things where like, we do this service for you and you need

to log in once a year to, um, renew.

Like, to reconnect us.

To your, this other thing that we look at for you.

And it was coming right at the same time that my renewal was happening.

So it was just very fortuitous and I to, I, I totally fell for it.

And I went in and I clicked.

And within, as soon as I logged in, I realized, and it didn't ask

me to do the thing I was asked to come do, I realized crap, I, I just

successful, I just got phished.

And I immediately changed my password.

And then I contacted the vendor.

And here's the part that made me the most angry.

They don't, they couldn't tell me if anyone had logged in with my credentials,

which is bonkers.

Which is bonkers.

And I was like, you can't tell me if it, like, just, I'm like, literally

the last minute has anyone other than you know, this IP address.

Like, and they were like, no, we don't, we don't, we don't have that information.

Uh, they, they, they didn't, and then I got even more angry when I realized that

this particular system, which I'll just say it's, it's a kind of system where you

store really sensitive information and they don't have two-factor authentication.

So

Curtis was a little annoyed that day.

I was a little annoyed.

And so I guess what I'm saying is, you know, I, I feel, I feel I'm a pretty

smart person and I'm a person who focuses so much on data protection and data

integrity, and I, you know, I, I I, I get annual training from, you know, at, at dva

we have to do annual security training, and I, I know all that stuff, but

sometimes you're tired and sometimes you mess up, and then you click on something

and then next thing you know, you've given elevated privileges to a, to a bad

actor, to your Office 365 environment.

And then boom, bad things happen.

That was my really long story to get there.

But let's get, let's get back to retention policies.

I'll give my summary.

When, when there are those who say you don't need to back up, they

point at retention policies as the reason why you don't need to.

Because I can go in and I can say, um, you know, every email, every document, every

version of every document, everything, and SharePoint, every chat, everything

is gonna be kept for, you know, 90 days or 180 days, whatever number, right?

And, and, and that, and that, that is what gets around like a black hat.

If they were get in, like if a user did something and then they want to delete the

history of the bad thing that they did, that, that, you know, that, that they,

they, they can't delete the spreadsheet because we have a retention policy

that says that they can't be deleted.

Um, and my experience with that was that it's really good for

retaining all that information.

But it's an e-discovery tool, not a restore tool.

And so getting all that back and saying, okay, take all of Curtis's

emails and all his folders and all his OneDrive stuff, and all his folders

go put it back where it came from.

It just simply isn't designed to do that.

So is that, that's been my perception.

But again, we established on the last podcast that I am a 365 noob.

So yeah.

So

Oh, oh, you didn't have to agree with that so strongly.

She

was like,

yep, that is

true.

Oh, yeah, yeah.

We totally, we totally agree.

Curtis doesn't know.

He's talking about,

you know, the difference between a group and a team.

I, you know what, it's a big, it's a big, it's a big step for me.

Alright, alright.

Important.

Okay.

Right.

Yeah.

Um, no, I, I think you made the point, but one of the things that

you have to also realize is that, uh, let's talk first, we'll talk

second about retention policies.

Okay.

But first in 365, more importantly.

Is not everyone uses retention policies.

Agreed.

In fact,

what do you think, what do you think the percentage is?

Oh, I would probably say it's with, like, if we talk about companies that

would use retention policies, the actual feature of retention, uh, within

365, it's a very small percentage and your, it's more your large enterprise.

Um mm-hmm.

Maybe, hopefully companies that are publicly traded, um, you know,

well, why wouldn't they use it if it's part of the platform?

Is there a cost?

Is there,

oh, it's a, it's once again comes down to the implementation

of it, the management of it.

Um, you know, when you, when you build out or design retention, there's a process

and a flow that goes to that, uh, retain x, you know, if something happens, right.

I'll talk about a policy.

If, um, I, I guess it goes beyond, just click the button.

Um.

If something happens.

Uh, well, let's first talk about like the, the companies and why they don't.

Mm-hmm.

Um, it goes back to the, uh, one admin managing multiple platforms and the

fact that there is retention possibly available for their license, right?

They have a help desk ticketing system that they've got 30 tickets to deal with.

Retention is a strategic, uh, initiative by an organization to do something.

And there is you, you know, you require people to actually plan

it, to implement it, to monitor it, to ensure that it, right, that

there is a purpose for retention.

Still functioning still, and it's still going versus, yeah.

These buyers that you have, that you are immediate,

you alluded to licensing, is it not in all of the versions.

I don't think it's in, in all the licenses.

And once again, right.

That changes.

I think they, um, you know, I think there was a change to, uh, the business.

So I think it is in enterprise licensing, but don't, I don't take my word on that.

I'm not the licensing expert

right now.

So it's safe to say it might not be in all versions.

Yeah.

But even if it were, uh, when

you, you might not know that it's, there might not.

Absolutely.

You know, it's not on by default, someone has to turn it on, which means

you need to know to turn it on, and then you need to turn it on correctly.

Yeah.

I, I would say people use SharePoint more than they use retention.

Mm.

Um, right.

And, and SharePoint is what, third, right?

The third used application, uh, in, so there's just so many

things, but even beyond that.

You have to think about what's the, the direction of the right, of the, the IT

department that, that is managing this 365 is, um, right, is retention or compliance.

Uh, if they're not under some SOX compliance, they're, you know, and

they're not a publicly traded company maybe where they just, there's

things that they have to do going in and creating an eDiscovery case.

Uh, and, and you know, and, and everything that goes into that.

There is a, there's a purpose to that.

Uh, so your IT person is not gen generally going to be the one that says, let me go

create more work for myself, to be honest.

Right.

I that's, that's

true.

It's very true.

It's like, uh, if I turn that on, that is more work.

And that's why I tell people, like one of the first things I would do when I would

go interact with a company, any company, whether they, they called me in to do a

build a Power BI dashboard or, uh, build an intranet, um, the very first thing I

would do is a 365 audit, a backend audit.

It's like 30 points of do you know this is where you are.

Because before I build something like an intranet, I want you, you know, you

have to understand where you are with all these other things that could potentially

impact it as an example, you know, so I know we're not, we're kind of straying

away from retention, but that's, um, the point being No, you're doing, you're fine.

Yeah.

There's so many components to 365 that if I had to give you a percentage of how

many companies actively use retention.

I would be surprised if it were over 5%.

I was gonna go with 5% as well.

Yeah, small.

But, but, but again, I'm totally, I'm totally making that number up.

Yeah.

You've actually, you've actually been out there in the wild, so

that's a really good point of that.

Basically it's just not widely used, number one.

Number two, and I think this, this is, I think, equally important

for people who have turned it on and they think, now I have backup.

If you think that you've clearly never used it to restore anything.

Right.

Unless it was like a single email or a single document, because

Yeah.

And, and, and in the, and in the world of 365, let's say, let's do retention because

I want to use it as a, i, I think I wanna use it as a backup retention and, and

creating, you know, retention for content is, um, once again, there's a. Processes

that are generally part of retention.

A company doesn't wanna keep anything over seven years.

So they create a retention policy in X for content, maybe on SharePoint, wherever.

Um, but then what about, you know, there's retention for my email.

Okay, let me see.

I've gotta go create a retention on every single person.

I mean, every single person, person

creating and different have, and different people might have different

retentions too, like your ccio and Absolutely everyone else might

have different retention policies

than, so it is, it's, people go about, uh, creating retention generally.

Generally from what I've seen, retention policies drive are

driven down at the content level.

And yes, on emails usually for, um, your manager, you know, your VP level

and up, um, individuals you might wanna retain and hold their emails, but.

It's rare that you find, uh, companies using, um, really effectively using

the retention policies of 365.

I thought I had seen that.

I could if I want to, although I might not want to.

If I wanted to, I could do a single retention policy at the very tippy

top of Microsoft 365 and just say, I want everything Exchange online,

SharePoint, OneDrive, uh, all of the things, I want, everything in here

retained for at least 90 days go.

Is that not the case?

Okay.

So first of all, I've never seen that.

Um, and usually retention is, from my understanding and what I've done for right

mm-hmm.

Is at an individual level.

Or at potentially a site level, like a URL specific, like this

site, uh, everything underneath it.

This person

probably because you're viewing retention more from like a

normal use, not a backup use.

Correct.

But if I was gonna use it from a backup use, that's the way I would do it.

I would say I wanna retain every single thing for 90 days

or whatever the, the term.

And I, I think I could do that, but I know that if I do

that, I can impact the storage.

Going back to one of Prasanna's original questions, I can impact

the amount of storage that 365 uses and as a result, increase my cost.

Oh yeah, the cost, the cost of the cost of storage.

I mean, not even, I'm not sure of the cost of storage associated with

the retention, but general storage, uh, you know, if you reach your,

your current storage, it's something like $200 a month, uh, for a gig.

I mean, that's not, that's, that's a,

it's, it's, by the way, this is something that it shares with Salesforce.

I had, I I, I, I was, I remember being a Salesforce customer and, and the, uh,

an enterprise Salesforce account came with like five gigabytes of storage or

four gigabytes of storage or something.

And I, I had 2 million records.

So we went over that by like two gigabytes, and they came back with

the price, and, and they're like, and, and it was highway robbery.

It was the same kind of pricing.

I was like, are you serious?

Like, they're, they're like, you know, this is the most expensive

storage I have ever seen in my life.

And they were like, well, this is really high end.

I'm like, you're talking to a storage person?

Yes.

This, this better.

They, they better be writing this on gold tablets for this price.

Um, but, but let's talk about, so, so the, the, the, the workflow of, of.

Retrieving 'cause that, that's the term I like to use for pulling stuff

out of an e-discovery, the workflow of retrieving a large amount of data

from, uh, the edc because you used the e-discovery workflow in 365 to

get data that, that has been retained.

Um,

um, yes and no.

I mean, you have okay, if you use e-discovery yes,

Uhhuh,

right?

It actually creates a set.

And let's say I have a, a rule, everything that Vanessa does, all of her emails,

all of her files, everything in her OneDrive and these six SharePoint sites,

um, maybe these three groups, right?

That, that will have a, a very specific defined case.

Um, so a case is something where I would create this case.

I would want to go look for someone and look for any content across all the apps.

Um, and that brings it all together.

Uh, and, and so all of that is all within one, one UI once you're

actually navigating through it.

So it, it does bring it together in a set by all means.

Mm-hmm.

Um, but with regards to content retention, um, what happens with content

retention is I am, you know, I have a finance, uh, secured site and I want

to ensure that I purge everything after, uh, after the last modified

date was, uh, two years ago, right?

Two years, three years, seven years, whatever it is.

And you have a, um, a process that basically sits there and says,

oh, take that and delete that.

That's a, that's a retention.

Like that retention policy is literally to, uh, hold information

and then when it's done, once it hits the certain, right, these certain

parameters, then go delete it.

Go do something with it.

Um.

So that's, there, there are two different types of retention.

So that's, um,

well, I'm, yeah, so I'm just trying to, I, I, I know that retention

is used for multiple things.

I'm just trying to focus on how retention could be used for backup

and recovery purposes and how it would therefore be really bad at that.

That's what I'm, that's what I'm trying to, yeah,

because, because, so right now, the retention that we've talked

about to date has been around the e-discovery use case, right?

It's all put together.

I could retrieve it, but if, say something happens, something was

deleted, can I restore from this retention copy back to say, well,

not directly is, is my understanding.

I, I, there's no way directly to pull something that was retained past,

let, let me rephrase past whatever would be captured by a recycle

bin or the secondary recycle bin.

Once it's gotten past that there's no way to directly pull

it out of the retention pool.

I don't know what the term would be and restore it back.

Would that be a correct assumption or a correct statement?

I'm just trying to visualize that.

I mean, ultimately, if, if,

so your, your problem is Vanessa, you don't

Yeah.

You don't think of it like this.

You don't, don't like,

I,

you're

right.

I

mean, you're like, the retention is not a restore tool, so why would

anybody try to use it that way?

I'm telling you, there are people, well-known, famous people who are

saying that retention policies are all you need for backup, and I'm saying.

There are horrible backup tools because A, you can't restore back directly.

If you do wanna restore, let's say Curtis Deletes or somebody

deletes my entire account, I get attacked by ransomware, whatever,

and my entire account is corrupted.

You cannot use that tool to restore my account.

You can use that tool to give me a giant pile of data.

Of

stuff

Yes.

Of stuff, right?

Yeah.

You know what it is stuff.

It's not data, it's not information, it's stuff, it's a bunch of

files, it's a bunch of emails.

Um, you know, it's a bunch of chat messages, but you can't put that you,

it's like a giant, it's like a big hay.

Here is a haystack.

All you need to do is take all the pieces of hay apart, rearrange them, and

put them back to where they came from.

Right.

And there's different types of, I mean, there's eDiscovery.

Absolutely.

And you know, the purpose of eDiscovery Absolu, uh, is not.

To use it as a, a retention tool.

I mean, I mean, sorry, as a backup tool, right?

It is there to help an organization create rule-based cases to go and find

information throughout the tenant.

Yeah.

It, it's, it's it's discovery tool.

Like that's

absolutely, that's its purpose.

It's, it's, it's to satisfy any discovery request, not a restore request.

Yeah.

I mean, you can also, I mean, people can put like an ar like a, a hold

on an email and say, I want to, you know, apply this policy to, to this

particular, you know, this person's email.

Uh, that's right.

And that, once again, that's over here in this other app.

So the concept of, of someone saying, we use retention as our backup, um,

that's going to be a, a, you know, a painful situation for them if

they actually ever have to restore.

More than just Right.

Restore something at, at a hole.

Right.

That's why I was kind of correcting what Yeah, you said Prasanna, because you

were saying if I, if I delete a thing, like a file or an email, yes, you can get

back a single file or a single email or something, or a document out of retention,

but you, you're not gonna be able to put back Prasannas entire world via that

without a ridiculous, um, level of effort.

Right.

And if, and if it's not just Prasanna, but it's Prasanna and, and everybody,

you know, anywhere related to you because you got infected and then

that got spread to other people, blah, blah, blah, uh, then you're not gonna

be, or some other attack right there.

There have been, you know, I, I do mention, again, trying not to sound

like I'm anti Microsoft, but Microsoft is no different than any other tool.

There have been vulnerabilities that have been published that if.

Um, uh, leveraged could result in someone gaining admin access in a 365 account.

It, it happens, right?

Um, and if they did that and then they did bad things, um, they

could potentially wipe out an entire, you know, organization.

And then you go to Microsoft and you say, we'd like to see our

backup, and they say, you know what?

Backup, right.

Um, 'cause I did, uh, Vanessa, I actually did, uh, like I created a, like an actual,

you know, an organization in 365 and um, and then I interacted with Microsoft

as a customer and I said, let's say the following happens because I mentioned,

so another thing that I've heard is the, that Microsoft has a delayed,

replicated copy of, uh, parts of 365.

Um, that, you know, that there's a copy that's replicated, but

it's, but it's behind in time.

Right.

And that, that could potentially be used to restore your environment.

I contacted Microsoft and I was like, suppose the following happens and

I basically, like some bad person comes in and deletes out my entire

world, can I use, can I contact res support and use your delayed

replicated copy to restore my account?

And they're like, no.

Like, like, that's not what it's for.

Right?

Yeah.

That's for us.

Right.

Um, and so, yeah.

Well, and even know, even in that scenario is you approach

them with a known question.

And it's not always the knowns that bite companies, right?

It's, I don't know what happened or where it happened, but something

is wrong, something happened.

Um, how do I get back up and running, right?

Is what they really wanna know.

Uh, you know, you know, I'd go back to even SQL Server, even whether it's

on-prem or right in Azure, is that I had a million rows and then I came back

the next day and I have 700,000 rows.

I don't know what happened and unless I wanted to go in there,

I just need to get it back.

Hmm mm-hmm.

And that's usually when we're dealing with, you know, any sort of data loss.

It's not, you don't have a person that's, uh, you know, three levels up

from a, uh, let's say a a a, you don't have a CIO sitting up there saying,

I wonder what happened to my email.

They don't care.

What they care about is my email is gone.

And, or the C Right.

The CMOs email is gone.

The ccro email is gone.

That's what they care about.

They want to.

They want action.

It's like, I need you to go fix this.

So it's not usually in, um, you know, in the best interest of someone who's

trying to go restore something to, to fix the problem that they sit

and try and figure out what happened while they're trying to fix it.

Usually it's alright, we'll, we'll come back to that after.

Um, so, you know, when you approach them with a known of, can you,

can you, uh, restore with that?

You know, here's the situation.

The reality is most situations are not, they end up being

unreal.

No, that's, you know what, that's a really good point.

Um, I'm glad you made that point.

I, I make it, I make it in the following.

Um.

Using the following quote, right?

There are more things in heaven and earth, Horatio than I dreamt

of in your philosophy, right?

And it's like, listen, there are a lot of ways to do damages to your

environment that, that you don't even like know about or can dream about.

And that's why you have backup.

And while you might have a way to deal with the things that you know about,

there are other there, you know, there are bad people out there that are trying

to figure out how to do damage to you so that they can sue you or, or not sue

you, uh, you know, get ransom from you.

And, and why would you not have back to protect you from that?

I just, and, and, and I would really be remiss, we, we have to talk

about the, the companies that use retention are like the big, like

fortune, you know, 500 companies.

Um, to which I immediately wanted to say, you mean like KPMG?

Yes, yes, yes.

You're, you're referring to the, the issue.

So what do you wanna summarize?

What happened?

Yeah.

So if, if I recall this one correctly, um, there was a policy that they

wanted to apply to an individual

mm-hmm.

If I'm not mistaken, right?

Yeah.

They, Microsoft wanted to delete that person's personal

chat history was the policy.

Correct.

Right.

And they applied the policy, the group probably on the group policy, whatever

the group policy, whoever was involved in that group, and it deleted all of

the teams chat completely everywhere

for, for 146,000 people.

Oh my gosh.

That used, right.

Used teams.

And so it's, it's, you know, it, it's a, that was a hard, hard

day, week, month for that person

I feel, I feel.

But it was unintentional.

I

feel for that person, man.

Yeah.

Unintentional, right?

Like you saids happen.

Un

yeah.

And it's Right.

Knowledge la uh, and not quite understanding the, the.

What happens?

Yeah.

And education.

And they

con And

what

happened when they, what happened when they contacted Microsoft?

I think they said that they couldn't do it.

Yeah.

Didn't they?

Yeah.

They're like, yeah, sorry.

Right.

Yeah.

Sorry.

That, you know, you should have been backing that up, right.

By the way, actually, that, that was personal chats.

And most companies, uh, don't, aren't able to back up personal chats because again,

APIs, although we, we figured out a way to go get that data, but, um, but most

companies aren't able to back that up.

So, um, even if they had had backup, they wouldn't have been able to, to

fix this for, for most companies.

But amazingly, we've been talking about this just to backup for an hour now.

I'm just super excited that like, I mean, you,

he's giddy.

You actually touched this stuff and you, you speak from a, from a

frame of reference of like, I, it's funny, as frustrated as I was with

your answers on the, on the, um, the retention policies because you.

Coming at them from the way that you would normally use retention.

Right.

You know, it's like

how, right, how retention is actually used when, when used.

Um, I, I've read that and not just, I mean, I've read that in a number of

places and that basically when people talk about retention, they should not

speak back up in the same sentence.

It is not the same thing.

Yeah.

It serves, it might seem like it has the same thing, but it

serves two different purposes.

Um, and truly should not be considered to be, um, a method an organization

relies on to back up anything.

Um, let me,

let me ask you a question, Vanessa.

Can you, can you, using whatever tools, can I easily copy like an entire

user, like, like can I clone an entire user's stuff to another user in 365?

No.

Oh,

not, not give me an exact copy of every place and everywhere.

Uh, you know, the moment you log in to the moment, you, right.

Everything that you see about a user is in a transaction.

Uh, user uploaded, a user edited a, so there's, there could be

a million transactions mixed in with hundreds of millions of other

transactions that other users have had.

So to say, I wanna go make a copy of this.

And remember we talk about all of the a user and the fact that they

can belong to multiple groups.

So I can be in multiple groups, so I can't, I can't go and say, replicate

this user and everything about it.

Okay.

All right.

I was kind of hoping, I was kind of hoping the answer was yes,

but clearly the answer is no.

Okay.

Well, what, we're gonna have to close this out 'cause we're gonna talk all day.

Uh,

yeah.

Vanessa.

We have talked for like an hour.

I don't wanna sound like I'm anti Microsoft, right?

Even though, you know, I am a, I am an old, an old Unix guy.

Um, and, and I use a Mac.

Like, I, I don't dislike the company or, you know, whatever.

I care about their data and it bothers me tremendously that, that so many

Microsoft 365 customers and G Suite customers and Salesforce customers

think that their data is protected by the platform itself and it's not.

So, um, you know, thank you so much for explaining it

absolutely.

You guys are so welcome and I appreciate being.

Uh, we are, we appreciate you being on, we appreciate,

uh, the listeners' Prasanna.

I appreciate you.

I appreciate you too, Curtis.

Sometimes

it's like a mutual, mutual appreciation fest, um, even

if I am jealous of your hair.

All right.

And make sure, uh, listeners, thank you for sticking with us this

far, and make sure to subscribe