How to Protect Your Microsoft 365 Data

Microsoft 365 is highly reliable, but it is not a complete backup solution. Schools remain responsible for protecting and recovering their data. This guide explains the risks, what good looks like, and the practical steps schools should take to ensure their data is secure and recoverable.

Many schools have moved email, files and collaboration into Microsoft 365. It is a significant step forward in terms of availability and flexibility. However, it also changes how data protection works.

Microsoft is responsible for keeping the service running. Schools are responsible for ensuring their data can be recovered if something goes wrong.

This distinction is important. Without the right approach, schools can find themselves unable to recover critical data following deletion, account compromise or misconfiguration.

What are the risks?

The most common risks in Microsoft 365 environments are:

  • Accidental deletion of files or emails that are not noticed within the recovery window
  • Malicious deletion or alteration following account compromise
  • Ransomware-style attacks affecting synchronised files
  • Misconfigured permissions leading to data exposure or loss
  • Lack of a clear recovery point following significant changes

While Microsoft provides recycle bins, version history and retention policies, these are designed for short-term recovery and do not provide a full, independent backup.

What does good look like?

A well-managed Microsoft 365 environment should include:

  • An independent backup of Microsoft 365 data, separate from the live environment
  • Coverage of Exchange, OneDrive, SharePoint and Teams data
  • Defined retention periods aligned with school policies
  • Controlled and auditable access to backup and restore functions
  • Regular testing of recovery processes

This ensures that data can be restored even in scenarios where native Microsoft tools are insufficient.

Recommended approach for most schools

For most schools and trusts, the most proportionate solution is a cloud-to-cloud backup service.

This involves using a third-party platform to take regular copies of Microsoft 365 data and store them independently. These services allow granular recovery of emails, files and entire accounts.

Key expectations should include:

  • Automated daily backups
  • Flexible retention (for example, 1 to 7 years depending on need)
  • Ability to restore individual items and full datasets
  • Clear reporting and audit logs

Some larger trusts may choose to maintain additional backup layers or use their own storage, but this introduces additional complexity and management overhead.

Questions to ask your IT provider

  • Do we have a separate backup of Microsoft 365, or are we relying on Microsoft retention?
  • What data is backed up, and how often?
  • How quickly can we restore data if needed?
  • Have restore processes been tested recently?
  • Who can access backups, and how is that controlled?
  • How long is data retained, and can this be adjusted?

If these questions cannot be answered clearly, this should be treated as a risk.

Alignment with DfE and safeguarding expectations

Protecting data is not just a technical consideration. It supports:

  • DfE Digital and Technology Standards, particularly around resilience and data protection
  • Cyber Essentials requirements for backup and recovery
  • Keeping Children Safe in Education (KCSiE), where safeguarding records and communication may need to be retained and recovered

A lack of recoverable data can have significant consequences beyond IT, including safeguarding, compliance and governance risks.

Key takeaway

Microsoft 365 provides a reliable service, but it does not replace the need for backup.

Schools should ensure they have an independent, tested backup solution in place so that data can be recovered quickly and confidently when needed.
