Whose job is security in Microsoft 365?
- Cloud
- Security
- Microsoft 365
- Fundamentals
In the last post we looked at how to pick the right Microsoft 365 license. A fair assumption to make next is that Microsoft now handles your security. You are paying one of the largest technology companies on earth a monthly fee, so surely keeping your data safe is part of the deal.
It is, but only half of it. Microsoft works to a shared responsibility model, and the half that stays with you is the half that gets most businesses into trouble. Nobody sends you a reminder about the bits that are yours to handle, so it is worth knowing where the line sits.
The simple version
Think of Microsoft 365 like a serviced apartment building. Microsoft owns and runs the building. They keep the structure standing, the power on, the plumbing working. You never have to think about any of it.
What they do not do is lock your front door, decide who gets a key, or insure your belongings. You can leave your door wide open in a well-run building and still get robbed. Microsoft secures the platform. You secure how your business uses it.
Where the line sits
For Microsoft 365, the split looks roughly like this.
| Microsoft’s job | Your job |
|---|---|
| Keeping the service running and available | Who has access and how they sign in |
| Physical data centres and hardware | Turning on security features (not all are on by default) |
| Patching the underlying platform | Your data, and being able to recover it |
| Protecting the infrastructure from attack | The devices your team logs in from |
| Built-in platform safeguards | What your staff click on |
Everything on the right is a decision, not a piece of infrastructure. Microsoft cannot decide whether you turn on multi-factor authentication, who holds admin rights, or whether a departed employee still has access months later. Those choices sit with you whether you make them deliberately or not.
The gap that catches people out
If you take one thing from this post, take this one. Microsoft does not back up your data the way most owners assume. They keep the service available and hold deleted items for a limited window, but recovering your data after something goes wrong is treated as your responsibility.
That matters more than it sounds. Delete a folder and miss it for a few months and it may be gone. Let ransomware encrypt files that sync into SharePoint or OneDrive and the encrypted copies sync too. In each case the platform did its job perfectly and the data loss still sits on your side of the line. That is why proper third-party backup for Microsoft 365 exists, and why we recommend it for any business that would feel real pain from losing its email or files. Most owners only discover this on the day they need it, which is the worst possible day to learn it.
Your half, in practice
The good news is your share is very manageable once you know it is yours:
- Turn on multi-factor authentication for everyone. Highest impact, and it is included.
- Keep admin rights tight. The fewer people with the keys to everything, the smaller your risk.
- Offboard people properly. Removing access when someone leaves should be routine.
- Look after the devices. A secured account on a compromised laptop is still a problem.
- Back up your Microsoft 365 data. Assume recovery is your job, because it is.
- Help your team spot phishing. Most breaches start with a person, not a server.
None of these need a large IT department. They need you to know they belong to you, and then to do them.
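As an added example (not part of the original post or any Microsoft script), the read-only PowerShell check below covers three items from the list: who holds Global Administrator, which enabled users have no MFA method registered, and which enabled accounts have not signed in for 90 days. It assumes the Microsoft Graph PowerShell SDK is installed and that you sign in with an account allowed to read directory and sign-in report data; the last check also assumes your tenant includes sign-in activity data (a Microsoft Entra ID P1 feature).

```powershell
# Added example: audit three items from "your half" of Microsoft 365 security.
# Read-only: nothing here changes a setting or removes access.
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# 1. Keep admin rights tight: list everyone holding Global Administrator.
$gaRole = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$globalAdmins = @()
if ($gaRole) {
    $globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
        Where-Object { $_ }
}
Write-Host "Global Administrators ($($globalAdmins.Count)):"
$globalAdmins | ForEach-Object { Write-Host "  $_" }

# 2. MFA for everyone: users who have not registered any MFA method.
$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered }
Write-Host "`nUsers with no MFA method registered ($($noMfa.Count)):"
$noMfa | ForEach-Object { Write-Host "  $($_.UserPrincipalName)" }

# 3. Offboarding: enabled accounts with no sign-in in the last 90 days.
#    An account that has never signed in has no LastSignInDateTime, so it is
#    listed too; review those rather than assuming they are safe.
$cutoff = (Get-Date).AddDays(-90)
$stale = Get-MgUser -All -Filter "accountEnabled eq true" `
    -Property "UserPrincipalName,SignInActivity" |
    Where-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        ($null -eq $last) -or ($last -lt $cutoff)
    }
Write-Host "`nEnabled accounts with no sign-in since $($cutoff.ToShortDateString()) ($($stale.Count)):"
$stale | ForEach-Object { Write-Host "  $($_.UserPrincipalName)" }

Disconnect-MgGraph | Out-Null
```

Anything that appears in the second or third list is a decision waiting for you, not for Microsoft: register a method, or disable and offboard the account.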
The rule of thumb
Microsoft keeps the platform secure. You keep your use of it secure. The platform being safe does not make your business safe on its own, and the gap between the two is where most avoidable incidents happen.
If you are not sure which side of the line your business is sitting on, that is exactly the kind of thing we help with at GRB Digital.