Sophos Backup and Recovery for M365 with Rubrik
Sophos Backup and Recovery for Microsoft 365 is now available. The solution is powered by Rubrik and integrated into Sophos Central. Sophos is addressing a topic that has long been critical for many organisations: restoring Exchange Online, OneDrive, SharePoint and Teams after ransomware, compromised accounts, accidental deletion or internal incidents.
In principle, this is a sensible step. Microsoft 365 is no longer just email for many organisations, but file storage, collaboration, Teams communication, calendars, identity and often a large part of operational memory. If data is lost or manipulated there, it is not enough for Endpoint and Firewall to report cleanly that something happened. The data must also be recoverable reliably.
Even so, the announcement should be viewed soberly. When I think of Microsoft 365 backups, I expect many organisations to have providers such as Veeam, AvePoint, Acronis, Hornetsecurity, Dropsuite, Rubrik or Microsoft 365 Backup itself on the shortlist first. Sophos is particularly strong in security operations around Endpoint, MDR, XDR, Firewall and Central Management, and now brings a specialised backup provider into that environment with Rubrik. That can make sense, but it does not replace a proper comparison.
What Sophos and Rubrik now offer
Sophos Backup and Recovery Powered by Rubrik is a cloud-based backup and recovery service for Microsoft 365. According to Sophos, the four core workloads are protected:
- Exchange Online
- OneDrive
- SharePoint
- Teams
The solution is integrated into Sophos Central, but the underlying backup technology comes from Rubrik. That matters, because Rubrik is an established name in the backup and cyber-recovery market. The value is mainly in the combination of Sophos Central and a specialised Rubrik platform.
The most interesting points are:
- Immutable backups: Backups are intended to be protected against manipulation with WORM locks and air-gap architecture.
- Granular recovery: Individual emails, folders, mailboxes, OneDrive content, SharePoint sites or larger areas can be restored.
- Restore to alternative users: This matters when accounts are disabled, compromised or no longer exist.
- Flexible retention: Sophos mentions retention options of one year, seven years, ten years or longer.
- SLA Domains: Backup frequency and retention period are controlled through Rubrik policies.
- Data residency: Backups are stored in Microsoft Azure; the region is selected during onboarding.
From a technical point of view, these are the right building blocks. The combination of immutable backups, granular restore and definable retention is more important for Microsoft 365 than many people think.
Why Microsoft 365 still needs backup
A common misconception is: “Microsoft runs Microsoft 365, so my backup is already covered there.” It is not that simple. Microsoft ensures platform availability, infrastructure, redundancy and many protection mechanisms. That does not replace a customer-side backup and recovery concept.
Retention Policies, recycle bin, versioning, Litigation Hold and eDiscovery are valuable features, but they solve different problems. These functions help with governance, retention, compliance or short-term recovery. A backup, however, must answer other questions:
- Can data be restored after a compromised admin account?
- Is there a clean restore point before manipulation?
- Are backups protected against deletion and modification?
- How quickly can a larger volume of data be restored?
- Who is allowed to restore, and is it logged?
- Are Teams, SharePoint, OneDrive and Exchange data really fully covered?
Especially with ransomware or account takeover, a recycle bin is not enough. If an attacker with high privileges changes retention settings, deletes data or encrypts content, an independent and tested recovery path is needed.
What is interesting about the Sophos integration
The obvious benefit is centralised operation. Many Sophos customers already work with Sophos Central every day: Endpoint, Server, MDR, XDR, Email, Firewall Management, NDR, identity signals and reporting run there together. If backup and recovery become visible there too, this can save time during an incident.
This is especially relevant when Sophos MDR or XDR is in use. During an attack, it is not only important to detect the attacker, but also to narrow down and restore the affected data set quickly. When security and recovery information move closer together, there is real operational value.
But this integration should not be confused with complete one-console magic. According to Sophos, the Rubrik portal still starts fresh: authenticate the Microsoft 365 tenant, grant permissions, configure SLA Domains and define backup policies properly. Existing Sophos Central configurations do not automatically become a finished backup strategy.
That is also right. Backup is not a switch that can be enabled somewhere and then forgotten. It needs design, ownership and testing.
Where I would look closely before buying
With backup products, what counts in the end is not positioning, but operation. The decisive questions are whether the solution fits the environment, whether it restores quickly enough in an emergency and whether the costs after two years still look like the first offer. That is where Sophos Backup and Recovery needs a closer look.
Before making a recommendation, these points would matter to me most:
- Does the licence model fit the actual company size?
- Is the included storage realistic for Exchange, OneDrive, SharePoint and Teams?
- Is it clear who administers backups and who may restore?
- Has a restore test been performed with real data?
- Is there an exit strategy if Sophos or Rubrik later change the model?
- Is backup really required, or is the actual need archiving, eDiscovery or Legal Hold?
Only once these questions have been answered can one judge seriously whether the Sophos Central integration also fits the organisation’s backup strategy from a technical and commercial point of view.
Minimum purchase of 200 seats
The minimum order is 200 seats. Smaller organisations can also use the product, but they still have to buy 200 seats. For many SMEs, that is a fairly high entry point. This is exactly where one must honestly compare whether another Microsoft 365 backup solution is a better commercial fit.
5 GB storage per seat
Each seat includes 5 GB of storage as a shared pool. That sounds clean at first, but it can quickly become tight in real Microsoft 365 tenants. Exchange, OneDrive and SharePoint often grow much faster than planned. According to Sophos, additional storage is not purchased separately, but extended through additional seats.
This becomes particularly relevant for longer retention periods. One year of backup history is very different from seven or ten years. The longer the retention, the more mailbox growth, OneDrive usage, SharePoint versions and Teams files affect storage. In many production environments, 5 GB per seat does not get very far when Microsoft 365 is used intensively.
This is a point that should be checked with real numbers before an offer:
- current Exchange Online data volume
- OneDrive usage per user
- SharePoint sites and Teams files
- expected growth
- desired retention
- restore points and backup frequency
Otherwise the licence may look suitable at first, but become unattractive after a few months.
Manual provisioning
After the order, there is a manual provisioning step by Rubrik. Sophos typically mentions two days, and up to nine days in individual cases. That is not dramatic for a new project, but it is not ideal for “we need backup tomorrow”. Especially when a customer only realises after an incident that Microsoft 365 is not properly protected, that realisation comes too late.
No dedicated archive
Backup and Recovery is not a full archiving solution. Sophos itself points out that features such as eDiscovery or Legal Hold are not included in the sense of a dedicated archive platform. Anyone who needs legal archiving, journaling, discovery processes or long-term audit-proof retention must check this separately.
My assessment
I think the direction is right. Sophos has recognised that security without recovery is incomplete. Prevention, detection and response are important, but at some point the simple question comes up: “Can we get the data back?” If the answer is unclear, the security architecture is not finished.
Even so, I would not automatically make Sophos Backup and Recovery the default recommendation. The reason is not Rubrik; quite the opposite. Rubrik is the part that builds confidence. The central question is more strategic: does Sophos Central fit as the commercial and operational entry point for Microsoft 365 backup in this environment, or is a direct backup provider with M365 backup as a core product more suitable?
This question matters especially with backup, because a backup product is not bought for a quarter. Processes, retention, audit requirements, restore tests and operational ownership are built around it. If the platform, licensing or product strategy changes later, switching is far more involved than with many other security services.
My recommendation is therefore pragmatic:
- Organisations heavily using Sophos Central, Sophos MDR or Sophos XDR should evaluate the Rubrik integration.
- Organisations that already know or use Rubrik have an additional reason to look more closely.
- Smaller companies with significantly fewer than 200 users should calculate the economics very carefully.
- Anyone who already has Microsoft 365 backup properly solved through Microsoft, Veeam, AvePoint, Acronis, Hornetsecurity, Dropsuite or an MSP platform does not need a reflexive switch.
- Anyone with no M365 backup at all should prioritise the topic now, but compare several solutions.
What I would look for in a comparison
With Microsoft 365 backups, it is not just about “has backup” or “has no backup”. The details in operation matter: what is backed up, how long the data remains available, how granular recovery is, how quickly restores run and who is allowed to access backup data at all.
That is why I would not compare Sophos Backup and Recovery only by price per user. The entire operating model must be considered. A solution can look inexpensive at first glance and still become expensive later if storage, retention, restore time or compliance requirements were not calculated properly.
For me, at least five areas belong in the comparison: workload coverage, restore quality, role model, retention/compliance and the procurement path.
Workload coverage
Teams is a good example. Some solutions only back up files stored in SharePoint. Chat content, private chats, Planner, Forms, Loop components or other M365 data can be covered differently depending on the product, or not at all. For each solution, one must therefore check specifically what is meant by “Teams backup”.
Retention, storage and legal retention
One of the most important questions is: how long does the data really need to be retained? Sophos mentions retention options of one year, seven years, ten years or longer. That sounds flexible, but the right answer does not come from the datasheet; it comes from accounting, compliance, data protection, HR and the respective industry.
In Switzerland, business records and accounting documents typically have to be retained for ten years. For certain VAT-relevant documents related to immovable property, twenty years may also be relevant. In addition, there are industry-specific requirements, internal policies, contractual obligations and data protection duties. A Microsoft 365 backup must therefore not only work technically, but also fit the organisation’s retention concept.
The distinction is important: backup retention is not automatically legally compliant archiving. A backup is primarily intended for recovery. Archiving, eDiscovery, Legal Hold, journaling, immutable evidence and targeted deletion concepts are different requirements. Anyone who has to retain M365 data for legal reasons should not simply set “10 years backup” and consider the topic closed.
This is exactly where the storage model becomes important. Long retention consumes storage, and 5 GB per seat is quickly used up when Exchange, OneDrive, SharePoint and Teams grow over the years. Before making a decision, one should therefore calculate with real tenant data and not with averages from a presentation.
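The calculation called for here, and in the checklist under "5 GB storage per seat", as an added example that is not from Sophos or Rubrik: a simplified Python model that projects pooled backup storage over the retention window and converts it into seats using the 200-seat minimum and 5 GB per seat from this article. Assumptions: one seat per user, no deduplication or compression, and the growth rate, churn rate and sample tenant figures are constructed.

```python
import math

MIN_SEATS = 200    # minimum order stated in the article
GB_PER_SEAT = 5    # pooled storage per seat stated in the article


def projected_backup_gb(primary_gb, growth, churn, retention_years, year):
    """Estimate pooled backup storage (GB) at the end of `year`.

    Simplified model (assumption, not vendor sizing guidance): the pool holds
    the live data set plus each past year's changed or deleted data that is
    still inside the retention window. No dedup or compression is credited.
    """
    live = primary_gb * (1 + growth) ** year
    first_retained_year = max(0, year - retention_years)
    retained = sum(primary_gb * (1 + growth) ** y * churn
                   for y in range(first_retained_year, year))
    return live + retained


def seats_required(users, backup_gb):
    """Seats to buy: the 200-seat floor, one per user (assumption), pool size."""
    # Round first so float noise cannot push an exact multiple up by one seat.
    seats_for_storage = math.ceil(round(backup_gb, 6) / GB_PER_SEAT)
    return max(MIN_SEATS, users, seats_for_storage)


def sizing_table(users, primary_gb, growth, churn, retention_years, horizon):
    """Return (year, pool GB, seats) rows for year 0..horizon."""
    rows = []
    for year in range(horizon + 1):
        gb = projected_backup_gb(primary_gb, growth, churn, retention_years, year)
        rows.append((year, round(gb, 1), seats_required(users, gb)))
    return rows


# Constructed sample tenant (GB per workload); replace with real tenant reports.
SAMPLE_TENANT = {"exchange": 900.0, "onedrive": 1500.0, "sharepoint_teams": 600.0}

if __name__ == "__main__":
    primary = sum(SAMPLE_TENANT.values())
    # 120 users, 20 % yearly growth, 10 % yearly churn, 7-year retention.
    for year, gb, seats in sizing_table(120, primary, 0.20, 0.10, 7, 5):
        print(f"year {year}: {gb:>8.1f} GB pooled -> {seats} seats")
```

In the constructed tenant, 120 users already need 600 seats on day one because storage, not headcount, drives the seat count.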
Sophos powered by Rubrik or Rubrik directly?
A natural customer question is: if the technology comes from Rubrik, why buy through Sophos and not directly from Rubrik or via a Rubrik partner?
The honest answer: the advantage of the Sophos route is not primarily a different backup technology, but the operating and procurement model. Sophos Central can be attractive when Endpoint, Firewall, Email, MDR or XDR are already operated through Sophos and recovery is meant to move closer to those security processes. The role model, delegated administration, familiar partner routes and a unified licensing process can also make a difference day to day.
If Sophos Central barely plays a role in the organisation, however, this added value must be weighed very carefully against the price. In that case, Sophos Backup and Recovery Powered by Rubrik should be compared directly with Rubrik itself and with other Microsoft 365 backup providers. If buying through Sophos costs more, the premium must be justified by lower operational effort, simpler administration, better incident workflows or a clearer support path.
I would therefore always offer or at least check both variants:
- Sophos Backup and Recovery Powered by Rubrik through Sophos Central
- Rubrik directly or through a Rubrik partner
- depending on the environment, additionally Veeam, AvePoint, Acronis, Hornetsecurity, Dropsuite or Microsoft 365 Backup
Only then can one see whether Sophos Central is a genuine advantage in the specific environment or merely an additional sales route for the same underlying technology.
Restore quality
A backup is only as good as the restore. I would always test:
- restore a single email
- restore an entire mailbox
- restore the OneDrive of a disabled user
- restore SharePoint files to a point before manipulation
- simulate a large restore involving several users
- test restore to an alternative target user or location
Such tests are not optional. Many backup projects look good on paper and fail in an emergency because of permissions, performance, missing documentation or unclear responsibilities.
Tenant and role model
Backup access is highly sensitive. Anyone who can read and restore backup data has access to a very large amount of company data. Clear roles, MFA, logging, approval processes and regular reviews are therefore required.
Particularly important: backup administrators should not use the same accounts and roles that are active everywhere in normal Microsoft 365 operations. If a Global Admin is compromised, the backup must not fall with it.
Data residency and exit strategy
Data residency is not just a compliance checkbox. One should understand in which region the backups are stored, who has access, which encryption options exist and how a provider change would work.
With backup systems, the exit question always belongs in the discussion:
- How long does data remain available after termination?
- Can backups be exported?
- What does a tenant change look like?
- What happens if a licence is assigned incorrectly?
- How are deleted users, shared mailboxes and former employees handled?
These are boring questions. That is exactly why they are important.
Conclusion
Sophos Backup and Recovery for Microsoft 365 is an interesting addition because Sophos brings recovery closer to security operations. For Sophos MDR and XDR customers, this can be practical during an incident. The fact that the technology comes from Rubrik is an important plus, because Rubrik is already established in the backup and cyber-recovery market.
But it remains a backup project and should be planned as one.
I would look at the solution, but compare it carefully. Minimum purchase, storage model, provisioning, archive requirements, restore tests and long-term product strategy all need to be assessed before a purchase decision. Sophos Central is an advantage if the organisation already works there. But it is not a sufficient reason to stop looking at proven M365 backup providers.
My recommendation: anyone without Microsoft 365 backup should prioritise the topic now. Whether Sophos Backup and Recovery Powered by Rubrik is the best choice depends on size, existing Sophos usage, compliance requirements, retention, storage growth and operating model. These are exactly the points that should be checked carefully before buying.
FAQ
What is Sophos Backup and Recovery for Microsoft 365?
Which Microsoft 365 data is protected?
Is Sophos Backup and Recovery an archiving solution?
How long are Microsoft 365 backups retained?
Who is the Rubrik integration in Sophos Central interesting for?
Why buy Sophos Backup and Recovery if the technology comes from Rubrik?
Should existing M365 backup solutions be replaced by Sophos?
What is most important before buying?
Sources
- Sophos Partner News: Sophos Backup and Recovery for M365 powered by Rubrik is now available
- Sophos Community: Backup and Recovery M365 Powered by Rubrik
- Sophos Press: Rubrik and Sophos to Deliver Microsoft 365 Cyber Resilience with New Partnership
- Microsoft: Microsoft 365 Backup
- Microsoft Learn: Privacy, security, and compliance in Microsoft 365 Backup
- ESTV: Questions and answers on VAT
