
Microsoft 365: What Are Your Duties Within The Shared Responsibility Model
Microsoft operates under the Shared Responsibility Model. This means that certain security tasks are your duties as a customer, some are the cloud provider’s, and others are shared. Most importantly, Microsoft is responsible for its global infrastructure, including each data center and the uptime of the Microsoft 365 service. Your responsibility as the customer is to manage and protect your own data within the Microsoft ecosystem. Here are some statistics to start off:
- 3.7 million companies use Microsoft 365 worldwide
- On average, almost 30 million users access and use MS365 per month
- Microsoft states that 70% of the Fortune 500 companies leverage the Microsoft 365 Copilot AI assistant tool
When a tool is used as widely as Microsoft 365, the responsibilities in terms of security must be clearly understood. In 2024 alone, Microsoft dealt with 1.25 million DDoS attacks, a fourfold increase over the previous year.
Division of duties
In terms of SaaS data, Microsoft’s primary responsibility under the shared responsibility model for Microsoft 365 is the infrastructure, that is, the uptime of the Microsoft Cloud service. Microsoft does provide basic data-center-to-data-center geo-redundancy and short-term recovery in the form of the recycle bin, but those are not sufficient for compliance requirements or for reliable, advanced data protection. Beyond infrastructure, Microsoft’s side of the model covers:
- Physical, logical, and app-level security, along with user and admin controls.
- Data privacy, industry certifications, and regulatory controls.
Keep in mind that the split of responsibilities differs between IaaS (infrastructure as a service), PaaS (platform as a service), and SaaS (software as a service): the higher up the stack, the more the provider takes on, but the customer always owns its data and identities.
Users’ responsibilities
The customer’s responsibility for Microsoft 365 SaaS data is data protection: secure backups stored in a different location from your Microsoft 365 environment, using a solution with full data retention and flexible restore options such as point-in-time and granular restores. You, as the customer, are also responsible for the security of endpoint devices, identity protection, and compliance, which means covering:
- Accidental or intentional deletions
- Protection from outages
- Industry regulations and compliance requirements
- Internal legal and compliance
- Cyber threats and ransomware
As Microsoft documentation outlines:
“For all cloud deployment types, you own your data and identities. You’re responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control.”
How to address the responsibility model
Even with Microsoft’s native security, no system is untouchable. Ransomware, phishing, and malware still find their way in, so cloud services do get targeted; they may be harder to attack, but it is not impossible. Under the shared responsibility model, once an organization is hit with ransomware, Microsoft 365 offers the following:
“If the ransomware created a new encrypted copy of the file, and deleted the old file, customers have 93 days to restore it from the recycle bin. After 93 days, there’s a 14-day window where Microsoft can still recover the data. After this window, the data is permanently deleted.”
Source: Microsoft documentation
That’s where third-party backup apps for Microsoft 365 come in as your safety net. A proper solution protects your business operations and IT environment even after a hit and helps cut recovery costs, since downtime can cost as much as $9K per minute. So Microsoft, as the cloud provider, handles the foundational security architecture, but it is the customer’s responsibility to make sure that if something slips through, customer data stays safe.
You should also pay attention to identity protection for your Microsoft IT environment. Authentication must be secure, as it is the entry point to your data. Enforce multi-factor authentication, strong access controls, and role-based access control, so that only authenticated and authorized users can reach the organization’s data.
Use case #1
Since the same set of credentials opens files, mail, and chats, attackers often target Microsoft 365 logins. In 2025, the UK National Cyber Security Centre (NCSC) reported ongoing attacks on Microsoft 365 accounts by APT28 (tracked by Microsoft as Forest Blizzard), aimed at stealing Microsoft credentials and OAuth tokens.
When attackers gain access, user data can be deleted, corrupted, or poisoned, and the compromised account can be used for internal phishing. In the event of a Microsoft 365 data loss incident, backup software with immutable, WORM-compliant storage and point-in-time restore is your best way of rolling data back to a known-good state and restoring assets such as mailboxes.
Use case #2
Human error is still the number one contributor to data breaches. It is stated that human error contributed to 95% of data breaches in 2024. By human error, we mean accidental deletions and other mistakes that put data at risk. An important point about the Microsoft shared responsibility model is that native retention policies and native recovery are not enough to properly protect critical data. For sensitive and administrative data, opt for secure third-party software with policy-driven backups and recovery features so the IT environment stays protected.
Use case #3
While Microsoft provides some security features under the shared responsibility model, Microsoft 365 still gets targeted by ransomware, leading to data loss incidents. Threat actors typically use phishing emails, compromised credentials, or malicious attachments to get a foot in the door and access your account. Once your data in OneDrive, Teams files, or SharePoint is encrypted, a ransom is demanded to get it back, with no guarantee that your critical data will actually be returned.
Where the encrypted files are synchronized to cloud storage by the sync client, both the local originals and the cloud copies end up encrypted. Having no external backup and recovery solution then means downtime, lost data, halted business operations, financial impact, and reputational damage. Therefore, it is important to implement network controls along with immutable backup storage to protect Microsoft 365 data.
Since, under the shared responsibility model, you are the one responsible for protecting and restoring your Microsoft 365 data, it is important to choose reliable backup software. A strong solution lets you quickly restore lost data even if your files are deleted, corrupted, or encrypted by ransomware or other threats.
This allows effective recovery without relying on Microsoft’s built-in tools, which only cover short-term recovery. A crucial aspect of reliable backup software is full coverage of the whole stack, including Exchange Online, SharePoint Online, OneDrive, Teams, and the other Microsoft 365 services.
- Go for immutable, WORM-compliant, encrypted storage. Backups should be encrypted with AES-256, and the solution should let you bring and manage your own encryption key.
- Multi-storage replication is another key aspect. You should be able to store backups in the provider’s cloud, like the GitProtect Cloud, or bring your own (AWS, Azure, S3, on-prem, hybrid). This helps to meet internal policies along with your location-specific requirements and replication targets.
- Next, policy-based automation and smart scheduling. You should be able to use GFS (grandfather-father-son) or forever-incremental plans with no manual effort, choose from pre-defined plans or create your own, and then get back to primary objectives.
- Do not overlook retention for Microsoft data either. It is often a compliance requirement to have unlimited retention, but it is also good for archiving purposes or bringing back lost data that was labeled as useless at the time.
- All of the above serve flexible recovery, since a backup is only as strong as its restore. Make sure your provider supports point-in-time, granular, and cross-over restores as well as full data recovery. This accommodates all scenarios and keeps you protected from threats.
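As an added example, not code from the original article or from GitProtect’s product, the following Python models the two mechanisms this article contrasts: the sync scenario described earlier (a sync client faithfully pushing ransomware-encrypted files to the cloud copy, with the recycle bin only holding the old versions for a finite window) and the immutable, point-in-time and granular restore features listed above. The store, the sync client, the XOR stand-in for ransomware, the sample files and the day numbers are all constructed for illustration; the 93-day retention constant is the window quoted from Microsoft documentation above.

```python
"""Toy model of why 'the recycle bin is not a backup': a content-addressed,
append-only (WORM) snapshot store beside a sync client that propagates
ransomware damage to the cloud copy, plus a recycle bin with a finite
retention window. Everything here is constructed for illustration."""
import hashlib

RECYCLE_BIN_DAYS = 93  # window quoted from Microsoft documentation above


class ImmutableStore:
    """Append-only chunk store. Chunks are addressed by the SHA-256 of their
    content, so an 'overwrite' is impossible (different content lands at a
    different address), and deletion is refused outright. Each backup freezes
    a manifest (path -> chunk hash) that can be restored on its own later."""

    def __init__(self):
        self._chunks = {}      # sha256 hex -> bytes, never modified once set
        self._snapshots = []   # ordered manifests; the index is the snapshot id

    def put_chunk(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self._chunks.setdefault(digest, data)   # an existing chunk is left untouched
        return digest

    def backup(self, files: dict) -> int:
        manifest = {path: self.put_chunk(data) for path, data in files.items()}
        self._snapshots.append(manifest)
        return len(self._snapshots) - 1

    def delete_chunk(self, digest: str) -> None:
        # WORM property: there is no code path that removes or rewrites a chunk.
        raise PermissionError("immutable store: chunks cannot be deleted or rewritten")

    def restore(self, snapshot_id: int, paths=None) -> dict:
        """Point-in-time restore of a whole snapshot, or granular restore of
        selected paths from it."""
        manifest = self._snapshots[snapshot_id]
        wanted = manifest.keys() if paths is None else paths
        return {p: self._chunks[manifest[p]] for p in wanted}


class RecycleBin:
    """Soft delete with a retention window: items older than the window are gone."""

    def __init__(self, retention_days=RECYCLE_BIN_DAYS):
        self.retention_days = retention_days
        self._items = {}   # path -> (deleted_on_day, data)

    def delete(self, path: str, data: bytes, day: int) -> None:
        self._items[path] = (day, data)

    def recover(self, path: str, day: int):
        entry = self._items.get(path)
        if entry is None or day - entry[0] > self.retention_days:
            return None   # purged: nothing left to recover
        return entry[1]


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for ransomware encryption (a real strain uses a proper cipher)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def sync(local: dict, cloud: dict) -> None:
    """Mirror the local folder to the cloud copy the way a sync client does:
    edits, renames and deletions all propagate."""
    cloud.clear()
    cloud.update(local)


def ransomware(local: dict, key: bytes) -> None:
    """Encrypt every file in place, rename it, and drop a ransom note."""
    for path in list(local):
        local[path + ".locked"] = xor_encrypt(local.pop(path), key)
    local["HOW_TO_RECOVER.txt"] = b"pay us"


def scenario() -> dict:
    """Run the attack end to end and report what each mechanism can give back."""
    store, recycle = ImmutableStore(), RecycleBin()
    local = {  # constructed sample files
        "Documents/q3-forecast.xlsx": b"forecast v1",
        "Teams/launch-plan.docx": b"launch plan",
    }
    cloud = {}

    sync(local, cloud)
    snap_day1 = store.backup(cloud)                        # day 1 snapshot
    local["Documents/q3-forecast.xlsx"] = b"forecast v2"   # a legitimate edit
    sync(local, cloud)
    snap_day2 = store.backup(cloud)                        # day 2 snapshot

    # Day 3: infection. The sync client pushes the encrypted copies and the
    # previous versions land in the recycle bin with a 93-day clock running.
    for path, data in cloud.items():
        recycle.delete(path, data, day=3)
    ransomware(local, key=b"\x5a\xa5\x3c")
    sync(local, cloud)
    store.backup(cloud)   # post-infection state is recorded too; earlier snapshots are untouched

    try:   # an attacker (or a careless admin) cannot purge history from the store
        store.delete_chunk(hashlib.sha256(b"forecast v2").hexdigest())
        deletion_refused = False
    except PermissionError:
        deletion_refused = True

    return {
        "cloud_is_encrypted": all(p.endswith(".locked") for p in cloud if p != "HOW_TO_RECOVER.txt"),
        "restore_day2": store.restore(snap_day2),
        "restore_day1_forecast_only": store.restore(snap_day1, ["Documents/q3-forecast.xlsx"]),
        "bin_on_day_50": recycle.recover("Teams/launch-plan.docx", day=50),
        "bin_on_day_120": recycle.recover("Teams/launch-plan.docx", day=120),
        "deletion_refused": deletion_refused,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value!r}")
```

Running the scenario shows the cloud copy fully encrypted after the sync, the day-2 snapshot restoring both files intact, a granular restore of a single file from day 1, the recycle bin still answering on day 50 but returning nothing on day 120, and the store refusing to drop a chunk. Real backup products add encryption at rest, replication and retention policies on top of this, but the property that matters for ransomware is the same: history that the compromised account cannot rewrite.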
Takeaway
To sum up, with proper backup and recovery for Microsoft 365, you make sure your side of the shared responsibility model is covered for data security. Let’s say it once again: the recycle bin is not a backup. Ransomware protection means you can recover unchanged data without paying the attackers a ransom, downtime is reduced, and human error and insider threats no longer stop business operations, because you can roll data back. Moreover, your organization stays compliant and audit-ready while remaining in control of its part of the shared responsibility.