The Microsoft 365 Shared Responsibility Model

The number one question we get all the time: “Why do I need to back up my Microsoft 365 Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams data?”

And it’s normally instantaneously followed up with a statement similar to this: “Microsoft takes care of it.”

Do they? Are you sure?

To add some clarity to this discussion, we’ve created a Microsoft 365 Shared Responsibility Model, which is based on Microsoft’s more general Shared Responsibility Model for SaaS, PaaS, IaaS, and on-prem. It’s designed to help you — and anyone close to this technology — understand exactly what Microsoft is responsible for and what responsibility falls on the business itself. After all — it is your data.

What Is the Shared Responsibility Model?

Before we begin, let’s first define the model. The Shared Responsibility Model is a framework to help you understand what components and tasks you are responsible for in an IT environment. Therefore, the model is there to help you establish where your duties end and where a service provider’s duties begin. This gives you a better understanding as to what tasks and considerations you need to put energy towards versus the ones you don’t.

Understanding Roles and Responsibilities

In the case of cloud environments specifically, there are distinct roles that the customer has versus the cloud provider. Unlike an on-premises data center where a customer will likely own all the responsibilities related to that environment, a cloud environment will have a split of certain components you are responsible for versus the cloud provider. For some components, you will shoulder the entire burden of responsibility and for others you will not have to worry about at all. In some cases there will be a mix of a truly shared responsibility over a component.   

Microsoft’s Role in the Model

As we begin to explore the Shared Responsibility Model it will become very clear that Microsoft’s main responsibilities in Microsoft 365 hinge on all tasks related to the backend infrastructure. Microsoft’s responsibility focuses on providing resiliency in their service delivery so there is little to no interruption in the service. Microsoft take on the role as the data processor in Microsoft 365.

Customer’s Role in the Model

The customer takes on the role as the data owner in Microsoft 365. All their efforts and responsibility are directed towards making sure the data is available and protected.

How customers can protect their data and applications. The only sure way that a customer can make sure that their data is available is to make sure that they have a backup of their data, stored separately from the Microsoft cloud, which can be easily recovered at a moment’s notice and with an agreeable recovery time objective.

Over the course of this post, you’ll see we’re going to populate out this Shared Responsibility Model. On the top half of the model, you will see Microsoft’s responsibility. This information was compiled based on information from Microsoft documentation, in case you would like to look for yourself.

On the bottom half, we will populate out the responsibility that falls on the business, or more specifically, the IT organization.

Key Components of the Shared Responsibility Model

  • Primary Responsibility
  • Supporting Technology
  • Security
  • Regulatory

Primary Responsibility

Now, let’s kick this off by talking specifically about each group’s primary responsibility. Microsoft’s primary responsibility is focused on THEIR global infrastructure and their commitment to millions of customers to keep this infrastructure up and running, consistently delivering uptime reliability of their cloud service and enabling the productivity of users across the globe.

An IT organization’s responsibility is to have complete access and control of their data — regardless of where it resides. This responsibility doesn’t magically disappear simply because the organization made a business decision to utilize a SaaS application.

Supporting Technology

Here you can see the supporting technology designed to help each group meet that primary responsibility. Microsoft 365 includes built-in data replication, which provides data center to data center geo-redundancy. This functionality is a necessity. If something goes wrong at one of Microsoft’s global data centers, they can failover to their replication target, and, in most cases, the users are completely oblivious to any change.

But replication isn’t a backup. And furthermore, this replica isn’t even YOUR replica; it’s Microsoft’s. To further explain this point, take a minute and think about this hypothetical question:

Which has you fully protected: a backup or a replica?

Some of you might argue a replica — because data that is continuously or near-continuously replicated to a second site can eliminate application downtime. But some of you also know there are issues with a replication-only data protection strategy. For example, deleted data or corrupt data is also replicated along with good data, which means your replicated data is now also deleted or corrupt.

To be fully protected, you need both a backup and a replica. This fundamental principle has been the bedrock of Veeam’s data protection strategy for over 10 years. Look no further than our flagship product, aptly named Veeam Backup & Replication.

“But what about the Microsoft 365 recycle bin?” Yes, Microsoft has a few different recycle bin options, and they can help you with limited, short-term data loss recovery. But if you are truly in complete control of your data, then “limited” can’t check the box. To truly have complete access and control of your business-critical data, you need full data retention. This is short-term retention, long-term retention and the ability to fill any / all retention policy gaps. In addition, you need both granular recovery, bulk restore and point-in-time recovery options at your fingertips.


The next part of the Microsoft 365 Shared Responsibility Model is security. You’ll see that this is strategically designed as a blended box, not separate boxes — because both Microsoft AND the IT organization are each responsible for security.

Microsoft protects Microsoft 365 at the infrastructure level. This includes the physical security of their data centers and the authentication and identification within their cloud services, as well as the user and admin controls built into the Microsoft 365 UI.

The IT organization is responsible for security at a data-level. There’s a long list of internal and external data security risks, including accidental deletion, rogue admins abusing access and ransomware to name a few. Watch this five-minute video on how ransomware can take over Microsoft 365. This alone will give you nightmares.


The final components are legal and compliance requirements. Microsoft makes it very clear in the Microsoft 365 Trust Center that their role is of the data processor. This drives their focus on data privacy, and you can see on their site that they have a great list of industry certifications. Even though your data resides within Microsoft 365, an IT organization’s role is still that of the data owner. And this responsibility comes with all types of external pressures from your industry, as well as compliance demands from your legal, compliance or HR peers.

Examples and Scenarios

What happens if you rely on Microsoft for a responsibility which is yours instead? In the case of data loss incidents, like accidental deletions or ransomware attacks, Microsoft does provide some safety nets. But these are for short-term data loss needs in the case of the recycle bin, or simply compliance tools like retention policies. which are primarily compliance tools. If you choose to rely on Microsoft to return your lost data, there is no real guarantee if and when you might get that data returned. This is why it’s so important to take your role as the data owner seriously, when you have control over the data, you have the power to restore it at will.

Benefits and Challenges

The Shared Responsibility Model provides organizations with the advantage of knowing with absolute certainty what they are responsible for. It helps keep organizations and IT departments accountable for duties and tasks they are truly responsible for. The risk is not taking your responsibilities seriously. There are still many organizations that are aware of their responsibilities in this model but would much rather convince themselves that they have less responsibility for their Microsoft 365 data than they actually do.

Best Practices for Implementing the Model

The first step to effectively implementing the Shared Responsibility Model as the data owner in Microsoft 365 is to make sure that your data is protected. That means implementing best practices like the 3-2-1-1-0 rule: having three copies of your data, storing the data on two different media, storing one copy off-site, having one air-gapped copy, and making sure you have zero backup errors. But it takes more than any backup solution. You need to ensure you have backup customization, recovery flexibility and powerful search capabilities your business requires.

How Veeam Can Help

In summary, now you should have a better understanding of exactly what Microsoft protects within Microsoft 365 and why they protect what they do. Without a backup of Microsoft 365, you have limited access and control of your own data. You can fall victim to retention policy gaps and data loss dangers. You also open yourself up to some serious internal and external security risks, as well as regulatory exposure. While third-party Microsoft 365 backup adoption is on the rise, a survey found that surprisingly 71% of businesses were still unprotected1. 

All of this can be easily solved with a backup of your own data, stored in a place of your choosing, so that you can easily access and recover exactly what you want, when you want.

Looking to find a simple, easy-to-use Microsoft 365 backup solution?

Look no further than Veeam Backup for Microsoft 365. This solution is already protecting 13 million Microsoft 365 users across the globe. Veeam was also named to Forbes World’s Best 100 Cloud Companies and is a Gold Microsoft Partner. Give Veeam a try and see for yourself.

Still not convinced? Read about why having a backup of Microsoft 365 data is essential.


¹Segment Sentiment Research 2021, Veeam

Related Content

Microsoft 365 Backup for Dummies

Microsoft 365 Backup for Dummies
Free E-book

The post The Microsoft 365 Shared Responsibility Model appeared first on Veeam Software Official Blog.

from Veeam Software Official Blog

Share this content:

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top