Veeam: M365 identity protection is now a backup problem
The M&S and Co-op attacks started with identity compromise, but backing up email and files alone would not have helped.


Microsoft makes its position clear: you own your data and you are responsible for protecting it. That statement sits in the Microsoft 365 service agreement, and the consequences of ignoring it are becoming harder to dismiss. Marks & Spencer lost an estimated £300 million in operating profit after a ransomware attack rooted in identity compromise. The Co-op saw 6.5 million member records exposed through Active Directory. These are household names with mature IT operations.
Microsoft customers face over 600 million attacks every day, and Entra ID, the identity platform underpinning M365 access, has become the primary attack surface. Microsoft’s native recovery relies on a 30-day soft-delete window for many core objects. Conditional Access policies have no soft delete at all.
Backing up email and files is no longer enough. Identity data needs the same protection. Without it, a compromised tenant can lock your organisation out of its own systems.
Protecting collaboration and identity on a single platform
Veeam now protects over 25 million Microsoft 365 users. Veeam treats M365 protection as a unified problem, not a collection of point solutions.
Veeam Data Cloud for Microsoft 365 delivers SaaS-managed backup across Exchange Online, SharePoint, OneDrive, and Teams. Three plans offer different recovery profiles:
- Foundation provides customisable retention and granular recovery.
- Advanced adds Entra ID protection.
- Premium adds integration with Microsoft 365 Backup Storage, enabling restoration at over one TB per hour with no throttling.
- All plans include immutability at no extra cost, with data stored in your chosen Azure region.
In April 2025, Veeam launched Data Cloud for Microsoft Entra ID, which backs up users, groups, application registrations, Conditional Access policies, and Intune policies. You can compare your live tenant against backup data to spot inconsistencies. Recovery is also granular, down to individual attributes or entire user identities.
ServiceNow adopted Veeam Data Cloud to protect its own M365 environment, citing the need for fast backup and recovery while innovating at pace. For organisations self-managing backups, Veeam Backup for Microsoft 365 v8 provides complete immutability across Azure Blob Storage, Amazon S3, and S3-compatible storage.
Why UK organisations cannot afford to wait
The UK’s threat landscape has shifted sharply. The NCSC recorded 204 nationally significant cyber incidents in the year to August 2025, a 130% increase on the previous period. The Government’s Cyber Security Breaches Survey found that 43% of UK businesses experienced a breach or attack in the last year. This rose to 74% among large organisations.
Regulation is tightening in parallel. The UK Cyber Security and Resilience Bill will introduce turnover-based penalties, replacing the current fixed £17 million cap. Serious breaches could face penalties based on a percentage of worldwide turnover. The ICO has already signalled its direction: fines in H1 2025 exceeded the previous year.
UK GDPR Article 32 requires the ability to restore data availability in a timely manner. Microsoft 365 provides only short-term native recovery by default. Exchange Online retains deleted items for 14 days unless extended, and SharePoint content is recoverable for up to 93 days. That does not constitute adequate independent backup for compliance. NHS organisations alone have 1.5 million staff on M365. The gap between native protection and regulatory expectation is real.
How Softcat helps you close the gap
Softcat is Veeam’s number one partner in the UK and Ireland. We hold Platinum status, Veeam’s highest accreditation tier, and support over 1,300 joint customers.
Together, Softcat and Veeam help you turn Microsoft's shared responsibility model into an operational reality. We assess what native retention covers, where the gaps sit, and how those gaps map to UK regulatory and audit expectations.
From there, we design backup architectures that protect both collaboration data and identity. The result is faster recovery of both access and data when an identity is compromised. Our managed backup services are delivered from a UK-based operations centre.
Taking responsibility for your data
Microsoft builds the platform; you own the data. That division of responsibility has always existed. What has changed is visibility. Identity attacks, regulatory enforcement, and high-profile UK incidents have made the cost of inaction a board-level concern.
Whether you are reviewing your Microsoft 365 protection posture or responding to new compliance requirements, Softcat can help. We assess your current position and design a protection strategy to help you regain access to your data and recover it when it matters most.