The SharePoint backup paradox I outlined earlier is just the tip of the iceberg. The same terrifying dependencies exist across OneDrive, Exchange, and virtually every "single source of truth" system organizations rely on today. Let's expand this critical discussion to encompass the full scope of modern data vulnerability.
The Universal Cloud Dependency Problem
Whether it's SharePoint, OneDrive, Exchange, Google Workspace, or any other platform, the fundamental issue remains:
If you can't access your data without the platform that hosts it, you don't truly own your data.
Authentication and Identity Flow
If you are using Azure natively as a managed identity, your login process will look something like this. That is a lot of moving parts required before you can even access your backup files:
If you are then using a federated domain, which in this example uses ADFS (Federation), you add another layer of complexity to the mix, as this will not be hosted in the cloud but locally in a datacentre. If that service is not available, your whole login process is compromised:
Now let's look at the individual components in Office 365 that could be a problem when certain parts of this process are unavailable or compromised.
OneDrive: Personal Data, Enterprise Dependencies
OneDrive presents unique challenges:
- Sync Conflicts: Local copies might be outdated or corrupted
- Selective Sync: Users rarely sync everything locally
- Encryption Keys: Files encrypted with corporate keys become unreadable without Azure AD
- Known Folder Backup: Desktop/Documents/Pictures tied to cloud authentication
A user with 1TB in OneDrive but only 256GB local storage has already made a choice that assumes perpetual cloud access.
Exchange Online: The Communication Lifeline
Email might be even more critical than files:
- Archive Policies: Older emails moved to cloud-only storage
- Shared Mailboxes: Critical for departments, inaccessible offline
- Calendar Data: Meeting history, future schedules vanish
- Contacts: Entire relationship databases locked away
When Exchange goes down, how would you survive without your Inbox?
The Multi-Platform Multiplication Effect
Most organizations use multiple platforms:
- Files in SharePoint and OneDrive
- Email in Exchange
- Chat in Teams
- Projects in Planner
- Notes in OneNote
- Forms data in Forms
- Passwords in a cloud password manager
Each system has its own backup needs, and each depends on the same authentication infrastructure.
The "All Your Eggs" Syndrome
Single Sign-On: Convenience Becomes Catastrophe
SSO is marketed as security, but it creates a massive single point of failure:
- One identity system controls everything
- MFA on that one account gates all access
- Password reset flows depend on... email you can't access
API Integration Cascades
Modern platforms are interconnected:
- Power Automate flows stop working
- Third-party integrations fail
- Backup tools that use APIs can't authenticate
- Monitoring systems go blind
Real-World Disaster Scenarios
Let me share some scenarios that have actually happened in the wild. What would you do in these situations with your backup and restore solution? Would it be up to scratch?
Scenario 1: The Tenant Takeover
A company's global admin account was compromised. The attacker:
- Changed all admin passwords
- Disabled MFA
- Modified email routing
- Demanded ransom for access
Your "backups" all required Azure AD authentication to access.
Scenario 2: The Accidental Deletion
An admin ran a "cleanup" PowerShell script with a typo:
- Deleted all sites starting with "Project" instead of "ProjectOld"
- 500GB of active project data gone
- Retention policies had been reduced to 30 days to save costs
- By the time they noticed, it was too late
Scenario 3: The Geographic Isolation
A regional Azure AD outage lasted 14 hours:
- No email access
- No file access
- No Teams communication
- VPN required Azure AD, so no remote work
- Even the office printers required cloud authentication
The Myth of Provider Responsibility
Every cloud provider's terms include some variation of:
- "We ensure service availability, not your data recovery"
- "Customer is responsible for data backup"
- "Service credits don't cover data loss"
Yet organizations operate as if the provider is their backup strategy.
The Backup Strategy No One Wants to Implement
Here's the uncomfortable truth about real backup resilience: it is more than previous versions, recycle bins and "admin recycle bins", as much malicious software can compromise all of these invalid backup solutions.
1. True Air-Gapping
- Monthly full exports to disconnected storage
- Quarterly tape backups (yes, tape)
- Annual archive to off-site safety deposit boxes
- Critical data on encrypted USB drives in multiple locations
2. Platform Independence
- Every critical process documented in plain text
- Key data exported to CSV/XML/JSON
- No proprietary formats for long-term storage
- Alternative tools identified and tested
3. Authentication Independence
- Local accounts on backup systems
- Hardware tokens for critical access
- Printed recovery codes in safes
- Break-glass procedures that assume zero cloud access
4. Regular Chaos Testing
- Monthly: Restore random files
- Quarterly: Full department restoration drill
- Annually: Complete infrastructure failure simulation
- Document every failure and fix it
Building a Resilient Backup Strategy
The 3-2-1-1-0 Rule
An evolution of the classic 3-2-1 backup rule:
- 3 copies of important data
- 2 different storage media types
- 1 offsite copy
- 1 offline/air-gapped copy
- 0 errors after testing restoration
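The "Monthly: Restore random files" drill and the "0 errors after testing restoration" check, sketched as an added example (not code from the original post): a SHA-256 manifest is written at export time, and a random sample of restored files is compared against it. The function names and sample files are constructed for illustration; the manifest is assumed to be stored with the offline copy so that verification needs no cloud login.

```python
import hashlib
import random
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash in 1 MiB chunks so large exports never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(export_root):
    """At export time: map relative path -> SHA-256. Keep it with the offline copy."""
    root = Path(export_root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def restore_drill(manifest, restored_root, sample_size, seed=None):
    """Compare a random sample of restored files with the manifest."""
    names = sorted(manifest)
    sample = random.Random(seed).sample(names, min(sample_size, len(names)))
    report = {"checked": len(sample), "missing": [], "corrupt": []}
    for name in sorted(sample):
        target = Path(restored_root) / name
        if not target.is_file():
            report["missing"].append(name)      # file absent from the restore
        elif sha256_file(target) != manifest[name]:
            report["corrupt"].append(name)      # restored, but not the same bytes
    report["errors"] = len(report["missing"]) + len(report["corrupt"])
    return report

def demo():
    """Constructed sample: three exported files, one lost and one damaged on restore."""
    with tempfile.TemporaryDirectory() as tmp:
        export, restored = Path(tmp, "export"), Path(tmp, "restored")
        (export / "finance").mkdir(parents=True)
        (export / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (export / "contacts.json").write_text('{"name": "A. Example"}')
        (export / "runbook.txt").write_text("Break-glass steps\n")
        manifest = build_manifest(export)
        shutil.copytree(export, restored)       # stands in for a real restore
        (restored / "contacts.json").unlink()   # simulate a file the backup lost
        (restored / "runbook.txt").write_text("Break-glass st")  # truncated copy
        return restore_drill(manifest, restored, sample_size=3, seed=1)

if __name__ == "__main__":
    print(demo())
```

A drill passes only when `errors` is 0; anything listed under `missing` or `corrupt` is a failure to document and fix.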
The Philosophical Shift Required
Moving from "backed up" to "recoverable" requires accepting that:
- Convenience is the enemy of resilience
- Cloud providers are vendors, not partners
- Your data strategy must assume hostile conditions
- Testing restoration is more important than making backups
- Documentation is as critical as data
Conclusion
Whether it's SharePoint, OneDrive, Exchange, or any other single-source system, the principle remains constant: If your backup requires the original system to function, it's not a backup—it's a copy with the same vulnerabilities.
Real data resilience means:
- Multiple copies
- Independent access methods
- Regular testing
- Assuming hostile conditions
- Accepting inconvenience for security
The question every organization must answer: "When (not if) our primary platform fails, can we continue operating?"
Remember: Your cloud provider's uptime SLA doesn't include your ability to authenticate, your data's recoverability, or your business's survival. That's on you.