Best Practices for Exchange Online Backup

If your organization has just started to use Microsoft Office 365, you may be wondering, what is Exchange Online? Exchange Online is a cloud email service that allows you to access and use your email from any part of the world. Exchange Online has numerous features that can help your organization run — contacts, calendars, eDiscovery tools, and admin center. Exchange Online offers high-end security, protecting user accounts from phishing scams, insider threats and accidental data loss.

However, Exchange Online customers can still fall victim to permanent data loss. If a soft-deleted item gets hard-deleted from the Exchange Online recycle bin, you can no longer retrieve it with native data recovery tools. Yet you can still recover your data from the Microsoft Office 365 email backup that you store onsite, in Microsoft Azure, or offline on your computer. Thus, backing up your Exchange Online mailboxes is crucial for making sure your files are recoverable in case of a data loss event. Let’s take a deep dive into the reasons for backing up your Exchange Online mailboxes and explore the best practices for Exchange Online backup.

Before We Start

Your Exchange Online data is not immune to ransomware and accidental deletion. To avoid data loss, run regular backups of Exchange Online and other Microsoft 365 apps using NAKIVO Backup & Replication. The solution allows backing up Exchange Online data to local storage for recovery after ransomware. When necessary, search and instantly recover individual emails, folders, contacts and calendar items. 

Get a year’s worth of free Exchange Online data protection with the Free Edition of NAKIVO Backup & Replication! Download now. No credit card required.

Reasons for Exchange Online Backup

Microsoft Office 365 data may not be 100% safe in the cloud. Under the services agreement, Microsoft is only responsible for platform uptime and services availability. Users are responsible for making sure that their data is safe and can be recovered. You may face a few data-loss risks to your Exchange Online emails, ranging from accidentally deleted accounts to cybersecurity threats. Exchange Online security involves two major types of risks: data protection risks and compliance-related risks.

Data protection risks

Data can be at risk of loss as a result of external threats and insider threats. Malicious actors unrelated to the company are responsible for external threats. These threats include phishing, ransomware and viruses. Cybercriminals use different methods to breach systems and gain access with the goal of stealing or deleting data.

External threats

  • Phishing. Attackers use this method to trick you into clicking a malicious link or opening an attachment. The link may lead to a compromised or look-alike website where cybercriminals harvest your credentials and gain partial or full access to your organization’s business data. A single click on a link or an opened attachment can grant the attacker access to sensitive information without your knowledge. With privileged access, the attacker can delete, sell, or otherwise misuse your organization’s business data, or use stolen passwords and credentials to log in to your accounts and run unauthorized transactions. Sometimes the malicious website appears legitimate, and an employee starts using it as part of what seems to be a routine work assignment.
  • Ransomware. A type of malware that infects your computer and installs a payload: malicious code that can send information about your system to the attacker. When the time is right, the attacker can lock your computer or your Exchange Online mailbox and demand a ransom for releasing your data. You can inadvertently download such a payload by interacting with a phishing email.
  • Other Malware. Spyware and viruses are other types of malware. Viruses can spread through your networks and computers, infecting them. Spyware can monitor your systems undetected. It can collect your passwords and personal credentials and forward them to the attacker.

Insider threats

Insider threats include unlawful actions committed by a company’s current or former employees. These threats involve destruction or theft of company assets. Insider attacks can arise from an employee’s dissatisfaction with the company and the urge to seek retribution. Another reason for an insider attack is financial gain. An employee may get the idea to get rich overnight by selling the company’s intellectual property. Negligence is often another reason for a cyber threat. New employees can make unintentional mistakes that can cause a security breach. There are two types of insiders:

  • Pawns. They accidentally expose valuable data, such as sending an email to the wrong recipient, losing a company laptop, or keeping passwords and vital credentials in an insecure location.
  • Turncloaks. They intentionally use knowledge about the company to inflict harm or to achieve financial gain. Turncloaks can be incredibly sophisticated and knowledgeable. Because of this, they are often discovered only after they cause irreversible damage.

Compliance-related risks

The law requires businesses to store documentation for legal compliance or e-discovery. One day, this data may be required in a courtroom or for a financial audit. Countries have different requirements for keeping documentation. The United States relies on:

  • Fair Labor Standards Act
  • The Sarbanes-Oxley Act
  • The Bank Secrecy Act
  • Payment Card Industry Data Security Standard (PCI DSS)

European countries rely on:

  • General Data Protection Regulation (GDPR)

Because of legal requirements, your organization should follow retention policies. You should retain the email accounts of former employees for a specified period as they may contain critical data. One reliable method to ensure compliance and avoid legal trouble is backing up Office 365 data regularly, including Exchange Online. You can always restore the deleted Exchange Online messages or accounts using Microsoft native data protection policies and tools. But if it is past the retention period, backups are your only chance to recover the data you need.

Best Practices for Exchange Online Backup

To have your Exchange Online data available right when you need it, you should back up Microsoft Office 365 regularly and let the following Microsoft Office 365 backup best practices guide you through the backup process.

1. Determine what needs to be protected

Microsoft 365 has built-in data protection that you can use. However, Microsoft is not legally responsible for protecting your data. The Shared Responsibility Model states that while Microsoft provides infrastructure for millions of users worldwide, it is not responsible for data loss and security-related issues. 

Microsoft provides retention policies that help you store or delete data. You can have your retention policies run automatically or set them up manually on an individual basis. You decide how long to keep data and when to remove it. Microsoft 365 gives you three options for data retention:

  • Retain only. Store your data indefinitely or set a specified period
  • Delete only. Delete data at a specified time
  • Retain and then delete. First, store and then delete your data

You can soft-delete or hard-delete your Exchange Online accounts and emails. A soft deletion places your item in the recycle bin, where it can stay for 14-30 days before it gets hard-deleted. After you hard-delete your item, you can no longer recover it with Microsoft Office 365 tools.
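As an added illustration (not code from the article or from NAKIVO), the following Python function models the recovery path described above: while a soft-deleted item is still inside the recycle-bin window it can be restored natively, and once it is hard-deleted only a backup that was taken after the item was created and before it was deleted can bring it back. The 30-day window and all dates are constructed inputs.

```python
"""Where can a deleted Exchange Online item still be recovered from?"""
from datetime import date

# The article states a 14-30 day recycle-bin window; the upper bound is assumed here.
RECYCLE_BIN_DAYS = 30


def recovery_source(created_on: date, deleted_on: date, today: date,
                    backups, recycle_days: int = RECYCLE_BIN_DAYS):
    """Return one of:
      ("recycle bin", None)   the item is still soft-deleted and native tools work
      ("backup", <date>)      the newest backup that actually contains the item
      (None, None)            hard-deleted and never captured by a backup
    `backups` is an iterable of dates on which a mailbox backup completed.
    A backup is only useful if it ran on or after the item's creation date and
    strictly before the deletion date (a backup taken on the deletion day may
    or may not still contain the item, so it is conservatively excluded)."""
    if deleted_on > today or created_on > deleted_on:
        raise ValueError("inconsistent dates")
    if (today - deleted_on).days < recycle_days:
        return ("recycle bin", None)
    candidates = [b for b in backups if created_on <= b < deleted_on]
    if not candidates:
        return (None, None)
    return ("backup", max(candidates))


def rpo_gap_days(deleted_on: date, backup_date: date) -> int:
    """Changes made in this many days before the deletion are not in the backup.
    This is the practical meaning of the Recovery Point Objective (RPO)."""
    return (deleted_on - backup_date).days


if __name__ == "__main__":
    # Constructed sample: weekly backups, an item deleted on 10 March 2024.
    backups = [date(2024, 3, 1), date(2024, 3, 8), date(2024, 3, 15)]
    print(recovery_source(date(2024, 2, 20), date(2024, 3, 10), date(2024, 3, 20), backups))
    print(recovery_source(date(2024, 2, 20), date(2024, 3, 10), date(2024, 5, 1), backups))
    # Created and deleted between two backups: no backup ever held this item.
    print(recovery_source(date(2024, 3, 9), date(2024, 3, 10), date(2024, 5, 1), backups))
```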

Additionally, Microsoft 365 offers advice about how to protect Exchange Online data from being destroyed or misused. To reduce the incidence of phishing attacks, follow these steps:

  • Ignore suspicious demands to open an attachment now
  • Don’t open attachments from an unknown sender
  • Be suspicious if the sender doesn’t address you by your name
  • Check for the slightest changes in the domain name
  • Watch out for grammar and spelling errors

Once you have identified a phishing attack, follow these simple steps:

  1. Don’t open the attachment or link
  2. Document the details of the attack
  3. Report the attack to the person in charge
  4. Delete the malicious email

The native data protection features can help you identify what data to protect, set up the retention policies and adopt correct security measures. However, in case of permanent deletion, backups are your best bet for bringing your data back. Therefore, you should analyze your data carefully to determine which data has the highest backup priority. A modern backup solution should enable you to back up just those messages and accounts you need to back up.

2. Set RTOs and RPOs

Before you back up your Exchange Online data, set clear-cut Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

A security incident may cause the temporary unavailability of your Exchange Online services. The RTOs specify the amount of time your organization can operate without a working Exchange Online app. To be prepared in case your Exchange Online goes down, estimate how many minutes your organization can function without the information from your Exchange accounts being up and running. Setting downtime limits helps you decide how to store your backups and make them instantly available if the need arises.

The RPOs indicate how much data you can afford to lose. If you can lose none of your Exchange Online data, you should run your backups as frequently as possible.

3. Run regular incremental backups

Incremental backups copy only the data that has changed since the previous backup, which makes them well suited to Exchange Online emails. Incremental backups are lightweight, which means that they put little strain on the IT infrastructure. Compared to full backups, incremental backups take much less time in addition to saving storage space.

4. Adopt a backup rotation scheme

You need to know how to utilize the storage space available for backups. The type of your backup, the amount of storage it uses, and your storage media are three important factors for identifying your backup rotation scheme. When you back up your Exchange Online emails, you don’t use removable storage media. Instead, you can store your backups on-premises or in cloud storage. To back up your Exchange Online, employ a Grandfather, Father, Son (GFS) rotation scheme. GFS means:

  • Grandfather. A full backup monthly
  • Father. A full weekly backup
  • Son. An incremental daily backup

You start with a father backup on Monday. The following daily backups are sons, and the last backup of the week is your next father. Son backups rotate on a first in, first out (FIFO) basis: when the storage media runs out of space, the oldest son backup is deleted and the new backup takes its place, and the weekly cycle repeats. The last backup of the month is the grandfather. At that point, father backups start to rotate on the same FIFO basis.
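To make the rotation concrete, here is an added Python simulation (not code from the article or from NAKIVO) of the GFS scheme as described above: the first backup is a father, every later week closes with a father, the last backup of each month is a grandfather, everything else is a son, and each tier evicts its oldest copy FIFO when its slots are full. The slot counts per tier are constructed assumptions.

```python
"""Simulate Grandfather-Father-Son rotation with per-tier FIFO eviction."""
import calendar
from collections import deque
from datetime import date, timedelta

# Constructed slot counts: how many copies each tier keeps before FIFO eviction.
SLOTS = {"son": 6, "father": 4, "grandfather": 3}


def classify(day: date, first: bool = False) -> str:
    """Map a backup day to its GFS tier.
    The month's last day wins over the week's last day (Sunday); the very
    first backup of the schedule is the initial father (full) backup."""
    if day.day == calendar.monthrange(day.year, day.month)[1]:
        return "grandfather"
    if first or day.weekday() == 6:
        return "father"
    return "son"


def simulate(start: date, days: int, slots=SLOTS):
    """Run `days` daily backups from `start`.
    Returns (tiers, log): tiers maps each tier to the dates still retained,
    log holds (day, tier, is_full, evicted_date_or_None) per backup run."""
    tiers = {tier: deque(maxlen=n) for tier, n in slots.items()}
    log = []
    for i in range(days):
        day = start + timedelta(days=i)
        tier = classify(day, first=(i == 0))
        ring = tiers[tier]
        evicted = ring[0] if len(ring) == ring.maxlen else None  # FIFO victim
        ring.append(day)  # deque(maxlen) drops the oldest entry automatically
        log.append((day, tier, tier != "son", evicted))
    return tiers, log


def retained(tiers) -> list:
    """All backup dates still on storage, oldest first."""
    return sorted(d for ring in tiers.values() for d in ring)


if __name__ == "__main__":
    # Constructed sample: a schedule starting on Monday, 1 January 2024.
    tiers, log = simulate(date(2024, 1, 1), 31)
    for tier, ring in tiers.items():
        print(tier, [d.isoformat() for d in ring])
    print("evictions:", [(d.isoformat(), e.isoformat()) for d, _, _, e in log if e])
```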

5. Keep Your Data On-Premises

Accidental deletions and security threats are common nowadays. To ensure the highest level of protection, you can store your data offline on your local computer or server. If your Exchange Online data becomes corrupted or deleted, you can always recover the versions you need from an offline backup and have them readily available.

6. Automate the Backup Process

Manual backups can take a long time. An efficient backup solution can help you run your Exchange Online backup jobs automatically. You can use a backup job wizard to track your past, present and future backup jobs. You can also view the duration of your previous backup jobs and the estimated duration of your future backups. Schedule overlaps, where two backup jobs run at the same time and compete for bandwidth, can cause network congestion, so try to avoid them. Knowing the approximate duration of your future backup jobs helps you prevent schedule overlaps. If an overlap does occur, you can reduce network congestion by using the bandwidth throttling feature.

7. Secure Access to Backups

You can protect your backups from unauthorized users by setting up role-based access control (RBAC) and two-factor authentication (2FA). RBAC allows only the assigned admins to perform backup-related tasks. You can assign one person to run backups and another person to run recoveries. Limited access ensures protection from human error, incompetent data handling and cyber invasion. 2FA creates an additional layer of security with codes generated by an authenticator (e.g., by Google Authenticator). When 2FA is enabled, both an authenticator code and a password are needed to log in.

8. Ensure Granular Recovery

Granular recovery is a helpful feature for instantly recovering your Exchange Online data from backups. It allows you to recover specific emails or other items (contacts, calendar items, etc.) that were accidentally deleted without running a full recovery. You can easily find the information you need by searching backups with the advanced search tool. Granular recovery saves time and storage space and it enables you to recover your data quickly.

9. Ensure Compliance Searches

The law requires you to store some data for legal compliance. That’s why you should perform regular backups of data that may be used in courts or for reporting. If your business data is accidentally deleted, you can find it easily by searching your backups. Your backup solution should offer an advanced search feature that allows you to browse your compliance data and restore it quickly. All you need to do to find your data is to enter the appropriate keywords.

Reasons to Back Up Exchange Online with NAKIVO Backup & Replication

NAKIVO Backup & Replication is an all-in-one software for protecting your Exchange Online data. NAKIVO Backup & Replication is extremely lightweight and it offers high-end backup features at an affordable price, such as:

  • Quick, small backups
  • Granular recovery
  • Advanced search
  • Centralized web interface
  • Role-based access control
  • Per-user pricing

Your Exchange Online mailboxes require protection from accidental deletions, cyber attacks and insider threats. To protect your Exchange Online data, use a combination of native Microsoft features and an efficient third-party backup solution. Perform regular incremental backups to protect your Exchange Online data 24/7, and use granular recovery to retrieve emails, contacts, and calendar events.

NAKIVO Backup & Replication is an excellent choice for Office 365 Exchange Online backup. Get a year’s worth of free Exchange Online backup with the Free Edition of NAKIVO Backup & Replication!
