Backing Up Microsoft 365 and Entra ID: Cyber Resilience Beyond the License
Vanessa Toves spent her career growing up alongside Microsoft's stack, breaking it, fixing it, and eventually following it into the cloud. Now a solutions architect at Druva, she came to Simply CyberCon 2025 with a blunt message for anyone running Microsoft 365: the license you bought is the tip of the iceberg, and the assumptions baked into your incident response plan are probably wrong.
The License Is Not the Plan
Companies pour budget into Microsoft 365 and Entra ID licenses, then treat security as a checkbox someone else owns. Vanessa watched enterprise after enterprise migrate business-critical systems into the cloud while skipping MFA, ignoring service principal monitoring, and assuming SSO had them covered. SSO solved password fatigue. It also handed attackers a single key to dozens of connected SaaS tenants. If a credential gets compromised, every app pulling your data inherits the blast radius.
Threat Actors Are Quiet on Purpose
Vanessa's favorite case study is Storm-0501, a financially motivated group that lives inside Microsoft tenants. They do not drop payloads on endpoints, because you are watching endpoints. They read your data, locate the sensitive pieces, exfiltrate them, encrypt them, and only then hand you a ransom note. Microsoft's Digital Defense Report shows the encryption-plus-exfiltration pattern jumped from 16 percent in 2023 to 23 percent in 2024, and 42 percent of identity attacks that succeeded started with a credential compromise. If you are not alerting on Entra ID changes and Microsoft 365 logs, the attackers are already comfortable.
Ask Better Questions, Cross Teams
Vanessa's central pitch: backup vendors hold metadata that incident response teams desperately need, and nobody is asking for it. Where is sensitive data? Who owns time-sensitive data? What does your cyber insurance actually require as evidence? Small teams collapse these roles into one person. Bigger teams have specialists who never talk to each other. Either way, the playbook breaks the moment an incident starts, because nobody pre-negotiated who answers what. She told a story about an insurance customer with a mysterious spike in user-status changes. It took the customer a week to admit that an admin had run a PowerShell update against a dynamic distribution group and then spent 24 hours quietly cleaning up after it. Without backup-driven anomaly detection, that pattern would have been invisible.
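The two detection points above (alerting on Entra ID changes, and spotting a burst of user-status edits that an admin script produced) come down to the same check: compare each hour's volume of directory changes against the tenant's own baseline, and flag a small set of high-value operations, such as adding credentials to a service principal, no matter how few there are. The following is an added example, not Druva code and not a Microsoft API; the record layout is a simplified, constructed approximation of an Entra ID audit log entry, and the sample data, actor names and thresholds are all assumptions.

```python
"""Added example: baseline-versus-burst detection over Entra ID-style audit records.
The record shape, sample events, actors and thresholds are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Routine directory changes that are normal in small numbers but suspicious in bulk.
WATCHED_ACTIVITIES = {"Disable account", "Enable account", "Update user", "Add member to group"}
# Changes that are worth a ticket every single time they happen.
ALWAYS_FLAG = {"Add service principal credentials", "Add owner to application"}


def _hour_bucket(timestamp: str) -> datetime:
    """Truncate an ISO-8601 'Z' timestamp to the start of its hour (UTC)."""
    ts = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return ts.replace(minute=0, second=0, microsecond=0)


def detect_anomalies(records, min_count=5, ratio=5.0):
    """Return findings for (a) every high-value change and (b) any hour whose count of
    watched changes is at least min_count and more than ratio times the median of
    earlier active hours. The median of active hours is a deliberately simple baseline."""
    findings = []
    per_hour = Counter()
    actors_per_hour = defaultdict(Counter)
    for rec in records:
        if rec["activity"] in ALWAYS_FLAG:
            findings.append({"type": "high_value_change", "time": rec["time"],
                             "activity": rec["activity"], "actor": rec["actor"],
                             "target": rec["target"]})
        if rec["activity"] in WATCHED_ACTIVITIES:
            bucket = _hour_bucket(rec["time"])
            per_hour[bucket] += 1
            actors_per_hour[bucket][rec["actor"]] += 1

    hours = sorted(per_hour)
    for idx, bucket in enumerate(hours):
        prior = sorted(per_hour[h] for h in hours[:idx])
        baseline = prior[len(prior) // 2] if prior else 0
        count = per_hour[bucket]
        if count >= min_count and count > ratio * max(baseline, 1):
            top_actor, top_n = actors_per_hour[bucket].most_common(1)[0]
            findings.append({"type": "burst", "hour": bucket.isoformat(), "count": count,
                             "baseline": baseline, "top_actor": top_actor,
                             "top_actor_count": top_n})
    return findings


def build_sample():
    """Constructed log: two quiet days of one helpdesk disable per hour, then an admin
    script touches 40 users in one hour and adds a credential to a service principal."""
    start = datetime(2025, 3, 3, tzinfo=timezone.utc)
    fmt = lambda dt: dt.isoformat().replace("+00:00", "Z")
    recs = []
    for hr in range(48):
        recs.append({"time": fmt(start + timedelta(hours=hr)), "activity": "Disable account",
                     "actor": "helpdesk@example.test", "target": f"user{hr}"})
    burst = start + timedelta(hours=50)
    for i in range(40):
        recs.append({"time": fmt(burst + timedelta(minutes=i)), "activity": "Update user",
                     "actor": "svc-admin@example.test", "target": f"ddg-member{i}"})
    recs.append({"time": fmt(burst + timedelta(minutes=45)),
                 "activity": "Add service principal credentials",
                 "actor": "svc-admin@example.test", "target": "backup-connector-sp"})
    return recs


if __name__ == "__main__":
    for finding in detect_anomalies(build_sample()):
        print(finding)
```

In production the baseline would come from weeks of history rather than the previous few hours, and the high-value list would be tuned to the tenant, but the shape of the check is the point: a burst that an admin later "cleans up" still leaves its spike in the per-hour counts, which is exactly the signal the story above says nobody looked at.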
Time-Sensitive Data Is Its Own Category
Point-in-time recovery is not enough. Vanessa described a construction firm sitting on a half-million-dollar bid worth a third of next year's revenue, due Monday, restored to a state from a week earlier. Sensitive data and time-sensitive data are different problems. Your recovery playbook needs to know which deadlines exist inside the data you are restoring and what state the business expects to find when the lights come back on.
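The construction-bid story is a gap problem: the latest clean restore point is older than the work the business needs on Monday, so the playbook has to surface which items fall into that gap and rank them by deadline rather than assume the restore is the whole recovery. The following is an added example, not Druva code; the restore-point and item records, the owner names and the dates are constructed, and a real backup catalog would supply the deadline and owner fields from its own metadata.

```python
"""Added example: choose the latest clean restore point and triage the work lost
between it and the incident by business deadline. All data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class RestorePoint:
    taken_at: datetime
    clean: bool  # False for snapshots taken after the suspected compromise


@dataclass(frozen=True)
class Item:
    path: str
    owner: str
    last_modified: datetime
    deadline: Optional[datetime]  # business deadline carried in backup metadata, if any


def pick_restore_point(points: List[RestorePoint], compromise_at: datetime) -> Optional[RestorePoint]:
    """Latest snapshot that is both marked clean and taken before the compromise."""
    candidates = [p for p in points if p.clean and p.taken_at < compromise_at]
    return max(candidates, key=lambda p: p.taken_at) if candidates else None


def recovery_gap(items: List[Item], point: RestorePoint, now: datetime,
                 horizon: timedelta = timedelta(days=7)) -> List[Item]:
    """Items changed after the restore point (work the restore will not bring back)
    whose deadline falls within the horizon, most urgent first. Items without a
    deadline are still in the gap but are not part of the urgent list."""
    gap = [i for i in items if i.last_modified > point.taken_at]
    urgent = [i for i in gap if i.deadline is not None and i.deadline <= now + horizon]
    return sorted(urgent, key=lambda i: i.deadline)


def build_scenario():
    """Constructed timeline: weekly snapshot on Sunday, compromise on Saturday,
    bid edited all week and due Monday."""
    utc = timezone.utc
    sunday = datetime(2025, 3, 2, 1, 0, tzinfo=utc)
    points = [
        RestorePoint(sunday - timedelta(days=7), clean=True),
        RestorePoint(sunday, clean=True),
        RestorePoint(sunday + timedelta(days=7), clean=False),  # taken after the intrusion
    ]
    items = [
        Item("/bids/county-bridge-bid.docx", "estimating@example.test",
             datetime(2025, 3, 7, 17, 30, tzinfo=utc), datetime(2025, 3, 10, 9, 0, tzinfo=utc)),
        Item("/hr/handbook.pdf", "hr@example.test",
             datetime(2025, 3, 5, 12, 0, tzinfo=utc), None),
        Item("/finance/q3-forecast.xlsx", "cfo@example.test",
             datetime(2025, 2, 20, 9, 0, tzinfo=utc), datetime(2025, 3, 12, 9, 0, tzinfo=utc)),
    ]
    compromise_at = datetime(2025, 3, 8, 3, 0, tzinfo=utc)
    now = datetime(2025, 3, 8, 14, 0, tzinfo=utc)
    return points, items, compromise_at, now


if __name__ == "__main__":
    points, items, compromise_at, now = build_scenario()
    point = pick_restore_point(points, compromise_at)
    print("restore to:", point.taken_at)
    for item in recovery_gap(items, point, now):
        print("reconstruct first:", item.path, "owner", item.owner, "due", item.deadline)
```

The forecast spreadsheet has a deadline too, but it was last edited before the snapshot, so the restore covers it; only the bid lands on the urgent list, with its owner attached so the IR lead knows who to call on Saturday rather than on Monday morning.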
Who Should Watch
Anyone responsible for Microsoft 365 or Entra ID security, IR planners who have never opened a backup vendor's metadata, and admins who think SSO and Defender are enough. Especially useful if you are building or refining a cyber incident response playbook and want better questions to ask your team and your vendors.