What is M365 configuration backup?

Snapshotting the configuration of a Microsoft 365 tenant — policies, role assignments, app registrations, Intune profiles — so changes can be detected and reverted. A separate category from mailbox content backup.

Definition

M365 configuration backup is a class of cloud-protection tooling that snapshots the configuration of a Microsoft 365 tenant on a schedule, computes a diff against the previous snapshot, and (in tools that support it) provides a path to roll back unwanted changes. It is distinct from M365 mailbox or content backup, which captures the contents of mailboxes, OneDrive, SharePoint sites, and Teams channels.

The category emerged in response to a specific gap in Microsoft's native protections: tenants get compromised at the configuration layer (a disabled Conditional Access policy, an app registration granted excessive scopes, a role assignment promoting a service principal to Global Administrator), and Microsoft's native audit log retains 30 days of entries, doesn't store previous-state values, and offers no one-click revert.

What gets backed up

Different products in the category cover different object types. The most comprehensive coverage typically includes:

  • Entra ID identity objects — Conditional Access policies, named locations, authentication methods policy, authentication strengths, role assignments (directory roles and PIM eligibles), group memberships, custom security attributes.
  • Application objects — app registrations, service principals, OAuth permission grants, role assignments to applications.
  • Intune device-management objects — device-configuration profiles, compliance policies, app protection policies, autopilot deployment profiles.
  • M365 tenant settings — organisation-wide settings, domain configuration, shared mailbox configurations.
  • Azure subscription resources (in some products) — RBAC role assignments, Network Security Group rules, Key Vault access policies, managed identities, subscription-level policy assignments.

What's not backed up by configuration tools is the user-facing content: emails, documents, OneDrive files, Teams chats. That's the domain of mailbox/content backup products like Dropsuite mail backup, SkyKick, AvePoint, and N-able Cove.

Why it matters

Modern Microsoft 365 attacks rarely rely on stealing email content. They rely on changing tenant configuration to grant attackers persistent access. Examples:

  • Disabled Conditional Access. An attacker phishes a global admin, disables the CA policy that requires MFA on admin sign-ins, then disables MFA on additional accounts at leisure.
  • Malicious OAuth app registration. A new app registration is created with Mail.ReadWrite.All, then granted admin consent. The app exfiltrates email even after the original credentials are reset.
  • Role assignment. A service principal is added to a built-in role with excessive privilege. It looks legitimate in the audit log and persists across credential rotations.
  • Intune profile modification. A device compliance baseline is loosened. Compromised endpoints continue to be marked compliant.

Endpoint EDR doesn't see any of these. Microsoft's native audit log records that the change happened — but only for 30 days on default plans, and without a rollback path. Configuration backup is the layer that closes the gap: continuous snapshotting, severity-rated change feed, audit-log correlation, and per-object rollback.

How configuration backup tools work

  1. Snapshot. The tool reads object state via Microsoft Graph (and Azure Resource Manager for Azure resources) on a schedule — typically every 15 minutes to 24 hours per object type. Snapshots are stored as content-addressable blobs (hash of the canonicalised JSON).
  2. Diff. Each new snapshot is compared with the previous “current state” for that object. Differences are computed as JSON Patch (RFC 6902) operations and the change is rated for severity.
  3. Correlate. The detected change is matched against Microsoft's audit log to identify who made the change, when (real change time, distinct from detection time), and from where (IP, country).
  4. Notify. Operators get a change feed they can filter by object type, severity, user, and time range. High-severity changes (CA policy disabled, role assignment added) get pushed proactively.
  5. Roll back. An operator selects a change (or multiple changes by user, or an entire object's history to a point in time) and creates a rollback plan. The plan is reviewed and approved. Then it's executed against Graph / ARM, with full action-by-action logging.
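
The snapshot and diff steps above can be sketched in a few lines. This is an added example, not code from Lavawall® or any other product: the severity rules and the two sample policy states are constructed for illustration, and the diff replaces arrays and scalars whole rather than computing element-level operations.

```python
import hashlib
import json

def canonicalise(obj):
    """Stable serialisation: sorted keys, no insignificant whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)

def snapshot_id(obj):
    """Content address of a snapshot: SHA-256 over the canonical JSON."""
    return hashlib.sha256(canonicalise(obj).encode("utf-8")).hexdigest()

def _escape(token):
    # RFC 6901 pointer escaping: "~" becomes "~0", "/" becomes "~1"
    return str(token).replace("~", "~0").replace("/", "~1")

def json_patch(old, new, path=""):
    """Minimal RFC 6902 diff: recurses into objects, replaces arrays/scalars whole."""
    if isinstance(old, dict) and isinstance(new, dict):
        ops = []
        for key in sorted(old.keys() | new.keys()):
            child = f"{path}/{_escape(key)}"
            if key not in new:
                ops.append({"op": "remove", "path": child})
            elif key not in old:
                ops.append({"op": "add", "path": child, "value": new[key]})
            else:
                ops.extend(json_patch(old[key], new[key], child))
        return ops
    return [] if old == new else [{"op": "replace", "path": path, "value": new}]

# Hypothetical severity rules (path prefix -> rating); real products define their own.
RULES = [("/state", "high"), ("/grantControls", "high"), ("/conditions", "medium")]
ORDER = {"low": 0, "medium": 1, "high": 2}

def rate(ops):
    """Highest rating among the changed paths; 'none' when nothing changed."""
    ratings = [next((sev for prefix, sev in RULES if op["path"].startswith(prefix)), "low")
               for op in ops]
    return max(ratings, key=ORDER.get, default="none")

# Constructed Conditional Access policy states (not real tenant data).
BEFORE = {"displayName": "Require MFA for admins", "state": "enabled",
          "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
AFTER = {"grantControls": {"builtInControls": ["mfa"], "operator": "OR"},
         "state": "disabled", "displayName": "Require MFA for admins (legacy)"}

if __name__ == "__main__":
    patch = json_patch(BEFORE, AFTER)
    print(snapshot_id(BEFORE)[:12], "->", snapshot_id(AFTER)[:12], rate(patch), patch)
```

Because the hash is taken over canonical JSON, a re-read of an unchanged object yields the same snapshot ID regardless of key order, so no new blob is stored and no diff is raised.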

How Lavawall® helps with M365 configuration backup

Lavawall®'s configuration backup & rollback module covers ~25 object types across M365, Entra, Intune, and Azure subscriptions. Snapshots are content-addressable (SHA-256 of canonicalised JSON), gzip-compressed for objects over 8 KB. Diffs use JSON Patch (RFC 6902). The change feed correlates each row with the M365 audit log to surface UPN, IP, and country.

Rollback follows a strict plan → approve → execute lifecycle with dry-run preview. The Go-based snapshot engine runs as a daemon on the m365sync host, reads tenant state on a configurable schedule, and writes diffs and changes to MySQL for the PHP console. Bundled in the Lavawall® Complete tier or available à la carte at C$3.95 / US$2.95 per user per month.

The module is complementary to existing M365 mailbox backup tools (Dropsuite, SkyKick, Veeam, N-able Cove) — those handle content, Lavawall® handles configuration.

Frequently asked

Is M365 configuration backup the same as M365 mailbox backup?

No. Mailbox backup captures the contents of mailboxes, OneDrive, SharePoint, and Teams. Configuration backup captures the tenant settings that control access to those workloads — Conditional Access policies, role assignments, app registrations. Most organisations need both.

Why isn't Microsoft's audit log enough?

Audit retention is 30 days for default plans. The audit log records that a change happened but doesn't store the previous value or offer rollback. Configuration backup tools snapshot the actual object state and provide a path to revert.

Does Lavawall® do M365 configuration backup?

Yes. The M365 / Entra / Azure configuration backup & rollback module covers ~25 object types across M365, Entra, Intune, and Azure subscriptions, with a plan / approve / execute rollback workflow.