Key Points
- What the M365 Shared Responsibility Model Does: The Microsoft 365 shared responsibility model delineates data-protection obligations between Microsoft and MSPs, specifying who owns backup, retention, and governance.
- Build a Tenant RACI and Control Map: Assign clear RACI roles for key operational controls such as MFA, retention, and DLP to establish accountability.
- Protect Identity and Access First: Implement Zero Trust with MFA, Conditional Access, and Privileged Identity Management (PIM) to reduce accidental or malicious data loss.
- Define Workload Backup Coverage: Standardize backup scope, frequency, retention, and restore testing across OneDrive, SharePoint, and other workloads.
- Apply Least Privilege with Azure RBAC: Enforce RBAC, remove unused admin rights, and use Privileged Identity Management for just-in-time (JIT) access.
With the rise of cloud computing, data management is more important than ever. Microsoft 365 does not provide full native backups for tools like OneDrive, SharePoint, and Teams, so MSPs need a Microsoft 365 shared responsibility model to standardize data preservation across work apps.
The model tracks what Microsoft retains in the cloud and establishes workflows to preserve the rest, which calls for a centralized backup solution. This guide explains how to operationalize internal data backups with concrete steps.
How to build a Microsoft 365 shared responsibility model
This guide builds upon Microsoft’s own shared responsibility model while incorporating client-specific context to elevate your backup and recovery standards with a Remote Monitoring and Management (RMM) platform.
📌 Prerequisites:
- Agreed RTO and RPO per workload and a named business owner for each
- Admin access to Microsoft 365, Azure AD roles, and backup tooling
- A document workspace for policies, RACIs, and monthly evidence packs
- A change window and ticketing process for configuration updates
Step 1: Build the tenant RACI and control map
Start by listing the operational controls you need to monitor in each workspace and mapping roles and responsibilities to them. This establishes governance from the start and improves incident response. For each control (e.g., MFA, data loss prevention, retention policies), assign someone who is:
- Responsible: The individual or team that operates the control day to day
- Accountable: The single owner who answers for the risk and the outcome
- Consulted: The sources of expert advice and essential input
- Informed: The people who receive updates and final results
For example, your backup and recovery control map should look something like this:
| Activity | Responsible | Accountable | Consulted | Informed |
| --- | --- | --- | --- | --- |
| Select a backup solution | IT operations team | IT Manager | Microsoft partner | Executive leadership |
| Schedule backups | IT operations team | IT Manager | Vendor support line | Relevant business units |
| Test restore workflows | IT operations team | IT Manager | Data security team | Executive leadership |
Step 2: Protect identity and access first
Enforce a zero-trust system with privileged access controls and conditional access to control who can keep or delete Office 365 data. Doing this locks down your system, lowers the chance of accidental data loss, and hardens security protocols.
📌 Use Cases: Taking precautions (e.g., time-bound admin rights and additional approvals) for seamless data preservation.
📌 Prerequisites: Microsoft 365 Business Premium, Administrative privileges in Microsoft Entra.
- Sign in to Microsoft Entra Admin Center.
- To enable Multi-Factor Authentication (MFA), go to Security > Authentication Methods > MFA.
- Select users/groups to enforce MFA.
- To configure Conditional Access, navigate to Security > Conditional Access > New Policy.
- Apply baseline policies for admins and users.
- To set up Privileged Access, go to Identity Governance > Privileged Identity Management.
- Create approval workflows and define Just In Time (JIT) access.
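The portal steps above can also be scripted so the baseline admin policy is reproducible across client tenants. The following is an added example, not code from the article or from NinjaOne: it uses the Microsoft Graph PowerShell SDK (the `Microsoft.Graph` module, assumed installed) to create a Conditional Access policy that requires MFA for every member of the Global Administrator role. It is created in report-only state so sign-in logs can be reviewed before enforcement, and it excludes a break-glass group whose name (`BreakGlass-Accounts`) is a hypothetical placeholder for your own emergency-account group. The signed-in account is assumed to hold the Conditional Access Administrator role.

```powershell
# Added example (not from the original article): baseline Conditional Access
# policy "require MFA for Global Administrators", created in report-only mode.
# Assumes the Microsoft.Graph PowerShell SDK is installed.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

# Resolve the role template id at runtime rather than hard-coding a GUID.
$gaTemplate = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -eq 'Global Administrator' }
if (-not $gaTemplate) { throw "Global Administrator role template not found." }

# Break-glass accounts must never be locked out by this policy.
# 'BreakGlass-Accounts' is a hypothetical group name; substitute your own.
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Accounts'"
if (-not $breakGlass) { throw "Break-glass group not found; create it before applying the policy." }

# Body follows the Graph conditionalAccessPolicy resource shape.
$policy = @{
    displayName = "CA-Admins-Require-MFA (report-only)"
    # Report-only first; switch to "enabled" once the sign-in log shows no lockout risk.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeRoles  = @($gaTemplate.Id)
            excludeGroups = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Run it once per tenant from a change window, then review the Conditional Access "report-only" results in the sign-in log before changing `state` to `enabled`; the break-glass exclusion is what keeps the emergency accounts listed in Step 5 usable if MFA registration or the identity provider has a problem.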
Step 3: Define workload backup coverage
Set backup and restore goals based on technical constraints and tools you and your clients rely on. Define and document the following:
- Backup scope
- Backup frequency
- Data retention
- Encryption protocols
- Storage locations
- Scheduled restore tests per workload
- Backup gaps (e.g., unsupported file types, workarounds done, etc.)
Step 4: Separate retention, archiving, and backup
Backups in your Microsoft 365 shared responsibility model need to be distinct enough for legal needs, compliance policies, and cross-workload restores.
Microsoft’s native retention and compliance tooling can handle much of retention and SLA adherence, but it does not provide point-in-time recovery and adds operational overhead. Strengthen your storage management and backup with an all-in-one backup tool that shows clear ROI.
Step 5: Apply least privilege with Azure RBAC
Role-based access control (RBAC) helps specify user permissions across your enterprise, enhancing your Microsoft 365 shared responsibility model. To enforce this, your IT team needs to do the following:
Assign role-based tasks
- Assign read-only permissions to security staff who need to review reports.
- Give compliance admin rights to your SLA team for retention policies.
- Set Exchange Administrator privileges to email managers for mailbox visibility.
- Provide Helpdesk admin rights for password resets, not global admin privileges.
Remove unused global admin rights
- Run monthly audits on global admin users.
- Remove “Master Key” rights from former contractors.
- Maintain 2-3 emergency accounts with global rights.
Implement approvals and time-based rights
- Managers must approve elevated roles.
- Enforce Privileged Identity Management (PIM) to manage short-term user access.
- Configure real-time alerts for permission changes.
- Use MFA to create secure approval workflows.
Audit new role assignments regularly
- Audit responsibility shifts every week.
- Review new admin role assignments every month.
- Compare current permissions with your control map to detect approval drift.
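The monthly global-admin audit and the control-map comparison above can be automated so that drift is detected the same way every month. The following is an added example, not code from the article or from NinjaOne: it uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module, assumed installed, with a signed-in account holding `Directory.Read.All`) to list the current Global Administrator members, compare them with the approved list from your RACI/control map, and check that the number of emergency accounts falls in the 2-3 range from this step. The approved list, the `contoso.example` addresses and the `breakglass-` naming prefix are constructed placeholders.

```powershell
# Added example (not from the original article): global-admin drift audit
# against the approved list in the tenant control map.
# Assumes the Microsoft.Graph PowerShell SDK is installed.

function Get-GlobalAdminDrift {
    param(
        [Parameter(Mandatory)] [string[]] $ApprovedUpns,
        [int]    $MinEmergencyAccounts = 2,
        [int]    $MaxEmergencyAccounts = 3,
        [string] $EmergencyPrefix = 'breakglass-'   # hypothetical naming convention
    )

    # Get-MgDirectoryRole only returns roles that have been activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) { throw "Global Administrator role has not been activated in this tenant." }

    # Members come back as generic directory objects; a user's UPN is in AdditionalProperties.
    $members    = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    $actualUpns = $members |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
        Where-Object { $_ }          # groups / service principals have no UPN

    $approved = @($ApprovedUpns | ForEach-Object { $_.ToLowerInvariant() })
    $actual   = @($actualUpns   | ForEach-Object { $_.ToLowerInvariant() })

    $unapproved = @($actual   | Where-Object { $_ -notin $approved })   # remove or get approved
    $missing    = @($approved | Where-Object { $_ -notin $actual })     # control map is stale
    $emergency  = @($actual   | Where-Object { $_.StartsWith($EmergencyPrefix) })
    $nonUsers   = @($members  | Where-Object { -not $_.AdditionalProperties['userPrincipalName'] } |
                   ForEach-Object { $_.Id })

    [pscustomobject]@{
        AuditedAt          = Get-Date
        TotalGlobalAdmins  = $actual.Count
        UnapprovedAdmins   = $unapproved
        ApprovedButAbsent  = $missing
        EmergencyAccounts  = $emergency
        EmergencyCountOk   = ($emergency.Count -ge $MinEmergencyAccounts) -and
                             ($emergency.Count -le $MaxEmergencyAccounts)
        NonUserMemberIds   = $nonUsers       # groups/apps holding GA: review separately
    }
}

Connect-MgGraph -Scopes "Directory.Read.All"

# Constructed approved list for illustration; load this from your control map in practice.
$controlMap = @(
    'breakglass-01@contoso.example',
    'breakglass-02@contoso.example',
    'it.manager@contoso.example'
)

$report = Get-GlobalAdminDrift -ApprovedUpns $controlMap
$report | Format-List
if ($report.UnapprovedAdmins.Count -gt 0 -or -not $report.EmergencyCountOk) {
    Write-Warning "Drift detected: open a change ticket to remove, approve, or re-baseline these accounts."
}
```

Save the `Format-List` output as the month's evidence pack. Note that this audit sees only active role membership; eligible PIM assignments that have not been activated are not returned by `Get-MgDirectoryRoleMember`, so review PIM eligibility separately when comparing against the control map.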
Step 6: Monitor, test, and ship evidence
Regular audits help maintain operational standards between major stakeholder meetings. When you report on your Microsoft 365 shared responsibility model in your monthly client newsletter:
- Keep track of backup tests with a centralized platform.
- Create scorecards for backup success rates.
- Coordinate license tracking with asset managers.
- Include snapshots to demonstrate the success of your shared responsibility model.
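A backup scorecard is only meaningful if it is computed the same way every month from the job log. The following is an added example, not code from the article or from NinjaOne: a PowerShell function that turns a list of backup job results into a per-workload scorecard with the success rate and whether the most recent good backup still satisfies the agreed RPO from the prerequisites. The job records, workload names and RPO values are constructed sample data; in practice the job list would come from your backup tool's export or API.

```powershell
# Added example (not from the original article): per-workload backup scorecard
# with success rate and RPO compliance, built from a backup job log.

function Get-BackupScorecard {
    param(
        [Parameter(Mandatory)] [object[]]  $Jobs,       # objects with Workload, Status, Completed
        [Parameter(Mandatory)] [hashtable] $RpoHours,   # workload -> agreed RPO in hours
        [datetime] $AsOf = (Get-Date)
    )

    $Jobs | Group-Object Workload | ForEach-Object {
        $name    = $_.Name
        $total   = $_.Count
        $good    = @($_.Group | Where-Object Status -eq 'Success')
        $lastGood = ($good | Sort-Object Completed -Descending | Select-Object -First 1).Completed

        # A workload with no successful job at all has an infinite backup age.
        $ageHours = if ($lastGood) { ($AsOf - $lastGood).TotalHours } else { [double]::PositiveInfinity }
        $rpo      = $RpoHours[$name]

        [pscustomobject]@{
            Workload       = $name
            Jobs           = $total
            SuccessRatePct = [math]::Round(100 * $good.Count / $total, 1)
            LastGoodBackup = $lastGood
            HoursSinceGood = [math]::Round($ageHours, 1)
            RpoHours       = $rpo
            # No agreed RPO counts as a failure: the business owner must set one.
            RpoMet         = ($null -ne $rpo) -and ($ageHours -le $rpo)
        }
    }
}

# Constructed sample data (not real tenant output).
$asOf = Get-Date '2024-06-30T23:00:00'
$jobs = @(
    [pscustomobject]@{ Workload = 'Exchange';   Status = 'Success'; Completed = Get-Date '2024-06-30T02:00:00' }
    [pscustomobject]@{ Workload = 'Exchange';   Status = 'Success'; Completed = Get-Date '2024-06-29T02:00:00' }
    [pscustomobject]@{ Workload = 'SharePoint'; Status = 'Failed';  Completed = Get-Date '2024-06-30T03:00:00' }
    [pscustomobject]@{ Workload = 'SharePoint'; Status = 'Success'; Completed = Get-Date '2024-06-28T03:00:00' }
    [pscustomobject]@{ Workload = 'OneDrive';   Status = 'Success'; Completed = Get-Date '2024-06-30T04:00:00' }
    [pscustomobject]@{ Workload = 'Teams';      Status = 'Failed';  Completed = Get-Date '2024-06-30T05:00:00' }
)
$rpo = @{ Exchange = 24; SharePoint = 24; OneDrive = 24; Teams = 24 }

Get-BackupScorecard -Jobs $jobs -RpoHours $rpo -AsOf $asOf |
    Sort-Object RpoMet, Workload |
    Format-Table -AutoSize
```

With the sample data, SharePoint shows a 50% success rate and an RPO breach (last good backup about 68 hours old), and Teams has no successful backup at all; both are the lines to escalate before the scorecard goes into the newsletter.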
Step 7: Package your Microsoft 365 shared responsibility model as a managed service
Your on-premises backup policies not only protect your data but also attract new business while retaining existing clients.
Market your shared responsibility model in your latest offerings to gain new clients, increase retention, and maintain your competitive edge over other MSPs without an operationalized Microsoft 365 responsibility model.
NinjaOne integration streamlines Office 365 shared responsibility model backup plans
NinjaOne’s intuitive dashboard provides meaningful insight into role-based permissions and endpoint health. Here’s how an all-in-one RMM simplifies the process:
| Step | Without NinjaOne | With NinjaOne |
| --- | --- | --- |
| Build the tenant RACI and control map | Spreadsheets tracked and updated manually; no version control | Focused dashboard with role-based views and automated mapping |
| Protect identity and access first | Multiple tools for authentication, conditional access, identity management, etc. | Unified visibility of global identity policies with real-time alerts |
| Define workload backup coverage | Separate backup schedules across workloads and manual restores | Automated backup scheduling, restore validation, and reports all in one platform |
| Separate retention, archiving, and backup | Reliance on basic Microsoft practices without time-based recovery | Granular restore options, built-in recovery feature, and compliance tracking |
| Apply least privilege | Manual permissions reviews with risk of drift | Monitoring of role changes with automated alerts and evidence packs |
| Monitor, test, and ship evidence | Manual data collection and inconsistent report templates | Built-in data visualization, scorecards, and client-friendly reports |
| Package your Microsoft 365 shared responsibility model | Limited insights and difficulty in demonstrating ROI | Branded dashboards showcasing compliance, backup success, and SLA compliance |
Systematize your shared responsibility model
Creating data-backed workflows to safeguard data on and off the cloud reassures your current clientele while attracting new business. To operationalize your Microsoft 365 shared responsibility model, establish tenant RACI, enforce MFA, create backups per workload, test regularly, archive results, and publish them monthly.