The Office 365 Shared Responsibility Model

The Office 365 Shared Responsibility Model

Most people wonder why you need back up for your Office 365 because they assume “Microsoft takes care of it.” Sorry to burst your bubble Sonny Jim but only YOU are responsible for your data.

We are going to talk you through The Office 365 Shared Responsibility Model created by our good friends at Veeam. This will help clarify exactly what Microsoft is responsible for and what responsibility falls on the user.

The Office 365 Shared Responsibility Model 2



Lets start things off by highlighting each groups primary responsibility. As shown in the diagram above, Microsoft’s primary responsibilities only focus on THEIR global infrastructure and their commitments to millions of customers to keep things running smoothly, enabling the productivity of their users through consistent uptime reliability.

Your responsibility is to have complete control of your data. This responsibility doesn’t magically disappear simply because the organisation made a business decision to utilise a SaaS application.


The terms backup and replication are often (and inaccurately) used interchangeably.  There are advantages and disadvantages to both, and knowing the difference between these two technologies is very important.

Replication is the process of copying data and then moving data between a company’s sites, whether those be datacenters, colocation facilities, public, or private clouds. This is often brushed over as an acceptable form of data management on its own, which could cause you to run in to a few problems. For example, deleted data or corrupt data is also replicated along with good data, which means your replicated data is now also deleted or corrupt.

Backup involves making a copy or copies of data and storing them offsite in case the original is lost or damaged. Because they exist separate from both your network and office, they are protected from anything and everything that can harm your business.

Yes, we’ve all had moments where we want to give our recycling bin a big sloppy kiss for saving that important file we thought we’d never see again. But we’ve also had moments we want to punch it in the face. But we can all agree reliability is not it’s middle name. Microsoft has a few different recycle bin options, and they can help you with limited, short-term data loss recovery. But if you are truly in complete control of your data, then ‘limited’ isn’t going to cut the mustard. Full data retention is only achieved when you have complete control of your critical data. This covers short-term retention, long-term retention and the any retention policy gaps in between.


Both Microsoft and the IT organisation hold responsibility for data security. Office 365 protects data at an infrastructure level. This covers areas like physical security of their datacentres, the authenticity of their services, to name a few. The IT organisation is responsible at a data level. Managing security at a data level means taking responsibility for things such as accidental deletion, ransomware, rogue members of staff abusing their access and many others.


The final  part to this model is the legal and compliance requirements. Microsoft is known as a data processor. The data processor does not own the data that they process nor do they control it. You are the data owner. This responsibility comes with all types of internal and external pressures from your customers, as well as demands from your legal, compliance or HR peers.

Hopefully now you hold a stronger understanding of what responsibilities lie between you as a user and Microsoft. Its apparent that without a backup of Office 365, you have limited control of your own data. Veeam Backup for Microsoft Office 365 lets you back up your data and store everything in your preferred location, whether that’s onsite, in the public cloud or with your service provider.

Want To Know More? Get In Touch…

Speak To a Cloud Specialist Today