Your Microsoft 365 Tenant Has No Backup Plan — And That's a Crisis Waiting to Happen
| |

Your Microsoft 365 Tenant Has No Backup Plan — And That’s a Crisis Waiting to Happen

ByRagnar Heil

Most organizations think they’re protected because they back up their data. They’re not.

Here’s the uncomfortable truth: your emails, files, and SharePoint data might be recoverable — but if a cyber criminal walks into your Microsoft 365 tenant tonight and starts changing configurations, you have almost no way to detect it, roll it back, or even know exactly what broke. That’s not a data problem. That’s a governance problem.

I recently hosted Episode 26 of Guardians of M365 Governance with Rob Edmondson from Coreview, MVP Christian Buckley and myself the conversation hit on something that keeps coming up in every enterprise conversation I have: configuration resilience is the blind spot nobody is talking about.

The Gap Nobody Documents

Microsoft 365 isn’t a single app. It’s 60+ services — Exchange, Teams, SharePoint, Defender, Intune, Entra ID, Purview — each with its own settings, policies, and baselines. Your tenant has been shaped over years: a compliance policy adjusted here, a conditional access rule tightened there. That accumulated configuration is your security posture.

And almost nobody has it documented.

When Rob asked enterprise admins to walk him through their recovery plan after a total tenant takeover, most couldn’t answer. Even the diligent ones — those doing biweekly manual reviews with spreadsheets and screenshots — were operating with dangerous gaps. Because between those two-week check-ins? Anything could change.

Configuration Tampering: The Attack You Don’t See Coming

Here’s how attackers actually operate. They don’t always steal data immediately. They get a foothold, then quietly change configurations — opening access, adjusting mail flow rules, weakening Intune policies — so they can come back later or move laterally. Your expensive third-party security tools? Potentially bypassed, because the attacker changed something upstream.

The worst part: there’s no native “rewind button” in Microsoft 365. When Microsoft accidentally wiped custom Intune device compliance profiles for a batch of customers during an update rollout last year, those customers found out themselves. There was no alert. There was no restore function.

What “Configuration as Code” Actually Looks Like

This is where tools like Coreview Sync Manager change the equation. The approach is elegant: it continuously syncs your tenant state against a baseline (starting from a CIS security baseline if you need a reference point), stored as JSON. That gives you:

  • Drift detection — any configuration change triggers an alert
  • Rollback — restore to a previous state, not just a previous backup
  • Cross-tenant export/import — migrate 6,600+ configurations between tenants in ~14 minutes instead of weeks

My colleague Ascha estimated that a manual migration of configurations would take one to two weeks. With Coreview, it was done in 40 minutes. That’s not a feature — that’s a business continuity capability.

Least Privilege That Actually Works

The second governance gap Rob covered is virtual tenant segmentation — giving junior admins or regional teams scoped access to only the mailboxes, Teams groups, or SharePoint sites they need. Not global admin. Not “read everything.” Just what’s needed.

Microsoft’s own administrative units have existed for 11 years and still cover only ~30% of relevant use cases. Coreview fills the rest — and lets you deprovision standing privileges across the board, dramatically reducing the blast radius if an account gets compromised.

The Bottom Line for M365 Admins

You can’t manage what you can’t measure. And you can’t recover what you never documented. Start here:

  1. Audit your current configuration state — do you know what you’d lose?
  2. Evaluate configuration backup tooling — data backup alone is not enough
  3. Review standing admin privileges — how many could you deprovision today?
  4. Define your recovery SLA — how long can your org survive without M365?

Hope is not a strategy. Especially not for governance.

Have you done a configuration resilience review for your tenant? I’d love to hear where the gaps are — drop a comment or connect on LinkedIn.

Check out also my CoreView Blogpost “How to Export and Import Microsoft 365 Tenant Configurations”

PS: Are you ready to implement solid governance for AI Agents? Contact me, Ragnar Heil, for advice on Agent 365, SharePoint Advanced Management, Microsoft Purview, 3rd Party Governance Tools like CoreView or adoption strategies tailored to your organization. You can find my calendar here on our HanseVision Governance Landing Page.

Similar Posts

One Comment

  1. Pingback: How to Export and Import Microsoft 365 Tenant Configurations

Leave a Reply

Your email address will not be published. Required fields are marked *