7 things Microsoft 365 doesn’t protect (but everyone thinks it does)
Understanding the gaps in the shared responsibility model
Microsoft 365 is a powerful productivity platform, but a common misunderstanding is that it is also a complete protection solution. Many organisations assume critical safeguards are “included by default”, only to discover gaps when something goes wrong.
Here are seven areas that Microsoft 365 does not safeguard on its own:
1. Your data from accidental deletion
2. Protection against ransomware
3. Insider threats
4. Long-term data retention
5. Complete compliance coverage
6. Protection from misconfiguration
7. Guaranteed recovery after an incident
1. Your data from accidental deletion
Most people believe deleted files can always be recovered. In reality, Microsoft 365 has limited retention windows. Once those expire, or if retention isn’t configured correctly, deleted data is gone. There’s no guaranteed long-term recovery without a dedicated recovery capability beyond Microsoft 365.
2. Protection against ransomware
Built-in security tools help detect threats, but they don’t guarantee recovery. If ransomware encrypts your OneDrive, SharePoint, or Exchange data and that encrypted state syncs, Microsoft won’t restore clean versions for you. Recovery is your responsibility.
3. Insider threats
Microsoft 365 assumes users act in good faith. If a user – maliciously or accidentally – deletes, alters, or shares sensitive data, it’s still considered authorised activity. Microsoft does not protect you from your own users’ actions.
4. Long-term data retention
Many organisations assume Microsoft stores everything indefinitely. In reality, retention depends on how policies are configured, and misconfiguration is common. Legal, regulatory, or historical data can be lost without purpose-built archiving or backup, together with recovery controls that are independent of the platform.
5. Complete compliance coverage
Microsoft provides tools, not compliance guarantees. You are responsible for configuring policies, maintaining evidence, and proving compliance. Microsoft explicitly states that compliance remains the customer’s responsibility.
6. Protection from misconfiguration
Security features don’t protect against human error. Incorrect permissions, over-sharing, or disabled controls can expose data instantly. Microsoft won’t alert you to every risky configuration, or fix it for you.
7. Guaranteed recovery after an incident
There’s a common assumption that Microsoft will “just restore everything”. Microsoft operates on a shared responsibility model. They ensure platform availability, not recovery of your business data. If data is lost, corrupted, or overwritten, recovery is on you.
The bottom line is that Microsoft 365 is not a backup, not a recovery service, and not a complete protection layer. It’s a productivity platform, and protecting the data inside it requires independent continuity, recovery, and governance controls.
“Digital resilience isn't found in a single app; it’s a cohesive protection layer that ensures nothing is left exposed, no matter where your data lives or how your teams work.”
Continuity you can count on
Companies need a continuity and cybersecurity solution that integrates data protection, disaster recovery, and cybersecurity protection across applications, servers, workstations, and cloud workloads. iOCO’s fully managed solution delivers a cohesive protection layer across your entire environment, ensuring nothing is left exposed, no matter where your data lives or how your teams work.
Don’t leave your business continuity to chance. Whether it’s an accidental deletion or a sophisticated cyberattack, iOCO ensures your data is resilient, recoverable, and always protected.
Get in touch with our team via the form below to secure your environment.
