Ransomware preparedness for Microsoft 365

How to harden a Microsoft 365 tenant against ransomware — prevention, detection, response, and recovery.

Ransomware against Microsoft 365 tenants targets cloud content directly: encrypting SharePoint sites, OneDrive accounts and mailboxes, or destroying access outright through credential theft and admin-account compromise. Running on cloud SaaS does not make you immune. The good news: Microsoft 365 has strong defences built in, and Microsoft provides specific tooling for recovery. The hard part is having all of it ready before it happens.

Prevention

Identity hardening

  • MFA enforced for everyone, phishing-resistant (FIDO2 / passkeys) for admins.
  • Conditional Access blocking legacy auth, requiring device compliance.
  • PIM for every privileged role — no standing Global Admins.
  • Identity Protection policies blocking high-risk sign-ins.
  • Break-glass admin accounts stored offline, MFA-exempt but with very strong unique credentials.
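
The identity items above map onto a small set of Conditional Access policies. The script below is an added example, not from the original page: it creates three policies with Microsoft Graph PowerShell (block legacy authentication, require MFA plus a compliant device, and require phishing-resistant MFA for Global Administrators), starts every one of them in report-only mode, and then checks that the break-glass accounts are excluded from every policy in the tenant. It assumes the Microsoft.Graph.Identity.SignIns module, an account holding Policy.ReadWrite.ConditionalAccess, and that $BreakGlassIds (a placeholder value here) holds the object IDs of your offline break-glass accounts.

```powershell
# Added example: baseline Conditional Access policies, created in report-only mode.
# Assumes Microsoft Graph PowerShell; $BreakGlassIds is a placeholder to replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$BreakGlassIds = @("00000000-0000-0000-0000-000000000001")   # placeholder: real break-glass object IDs

# Policy 1: block legacy authentication, the protocols that cannot perform MFA at all.
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing sign-in logs
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        users          = @{ includeUsers = @("All"); excludeUsers = $BreakGlassIds }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: every interactive sign-in needs MFA and a compliant (Intune-managed) device.
$requireMfaCompliant = @{
    displayName   = "CA002 - Require MFA and compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        users          = @{ includeUsers = @("All"); excludeUsers = $BreakGlassIds }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}

# Policy 3: Global Administrators must use a phishing-resistant method (FIDO2 / passkey / WHfB).
$adminPhishingResistant = @{
    displayName   = "CA003 - Phishing-resistant MFA for Global Administrators"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{
            includeRoles = @("62e90394-69f5-4237-9190-012177145e10")   # Global Administrator role template ID
            excludeUsers = $BreakGlassIds
        }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }   # built-in "Phishing-resistant MFA"
    }
}

foreach ($policy in @($blockLegacy, $requireMfaCompliant, $adminPhishingResistant)) {
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
    if ($existing) {
        Write-Host "Policy '$($policy.displayName)' already exists; skipping."
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' in state $($created.State)"
}

# Guard rail: a break-glass account caught by any policy defeats its purpose.
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    $excluded = $_.Conditions.Users.ExcludeUsers
    foreach ($id in $BreakGlassIds) {
        if ($excluded -notcontains $id) {
            Write-Warning "Break-glass account $id is NOT excluded from '$($_.DisplayName)'"
        }
    }
}
```

Leave the policies in report-only mode long enough to read the sign-in logs for legitimate traffic that would have been blocked (service accounts on legacy protocols are the usual find), then change state to enabled one policy at a time.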

Endpoint hardening

  • Defender for Endpoint onboarded everywhere, Tamper Protection on.
  • Attack Surface Reduction rules in block mode for high-confidence rules.
  • Local admin removed for most users (Intune EPM for elevation).
  • Patch SLA kept short — Defender Vulnerability Management drives priority.
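
As an added example (not code from the original page), the script below puts a set of high-confidence Attack Surface Reduction rules into block mode on a single Windows endpoint, reads the effective state back, and reports whether Tamper Protection is on. The rule IDs are Microsoft's published ASR rule identifiers with abbreviated names; cross-check them against the current ASR rule reference before use. It assumes an elevated session on a device running Microsoft Defender Antivirus. In a managed tenant these rules are pushed by Intune, so treat this as a lab or verification script rather than the deployment path.

```powershell
# Added example: enforce and verify ASR block mode plus Tamper Protection on one endpoint.
# Assumes an elevated PowerShell session with the Defender module (Set-MpPreference etc.).

# Rule IDs from Microsoft's ASR rule reference (names abbreviated).
$BlockRules = @{
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = "Block executable content from email client and webmail"
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = "Block all Office applications from creating child processes"
    "3B576869-A4EC-4529-8536-B80A7769E899" = "Block Office applications from creating executable content"
    "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2" = "Block credential stealing from LSASS"
    "C1DB55AB-C21A-4637-BB3F-A12568109D35" = "Use advanced protection against ransomware"
    "D1E49AAC-8F56-4280-B9BA-993A6D77406C" = "Block process creations from PSExec and WMI commands"
}

# Add-MpPreference merges into the existing rule list; Enabled means block mode.
foreach ($id in $BlockRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# Read back the effective configuration. Actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    $name = $BlockRules[$ids[$i]]          # hashtable keys are case-insensitive
    if ($name -and $actions[$i] -ne 1) {
        Write-Warning "$name ($($ids[$i])) is in mode $($actions[$i]), not block (1)"
    }
}
foreach ($id in $BlockRules.Keys) {
    if ($ids -notcontains $id) { Write-Warning "$($BlockRules[$id]) ($id) is not configured at all" }
}

# Tamper Protection cannot be switched on from PowerShell (Intune or the Defender portal
# owns it); it is only reported here so the check is complete.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    Write-Warning "Tamper Protection is OFF on $($env:COMPUTERNAME)"
}
```

Run the same rules in audit mode (AuditMode) for a couple of weeks first and review the events under the Defender portal's ASR report; rules that fire on legitimate line-of-business software need exclusions before they go to block.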

Email hardening

  • Defender for Office 365 P2 with Strict preset policies.
  • DMARC at p=reject.
  • Attack Simulation Training running monthly.
  • OAuth consent restrictions — limit user consent to risky scopes.
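
Two of the items above are easy to check or set from a script. The following is an added example rather than code from the original page: it parses a DMARC record and reports whether it really enforces p=reject for all mail (a pct= tag below 100 quietly weakens the policy), looks up the record for each sending domain, and then restricts user consent for OAuth apps to low-risk permissions from verified publishers. It assumes the Windows DNS client (Resolve-DnsName) and Microsoft Graph PowerShell with Policy.ReadWrite.Authorization; the domains are placeholders.

```powershell
# Added example: DMARC enforcement check and user-consent restriction.
# Assumes Resolve-DnsName (Windows) and Microsoft Graph PowerShell; domains are placeholders.

function Get-DmarcTag {
    # DMARC records are semicolon-separated "tag=value" pairs; return one tag's value or $null.
    param([string] $Record, [string] $Tag)
    $pair = ($Record -split ';') | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -like "$Tag=*" } | Select-Object -First 1
    if ($pair) { return ($pair -split '=', 2)[1].Trim() }
    return $null
}

function Test-DmarcRecord {
    # Pure parser: true only when p=reject applies to 100% of mail (pct defaults to 100).
    param([Parameter(Mandatory)] [string] $Record)
    $policy = Get-DmarcTag -Record $Record -Tag 'p'
    $pct    = Get-DmarcTag -Record $Record -Tag 'pct'
    $ok = ($policy -eq 'reject') -and ([string]::IsNullOrEmpty($pct) -or [int]$pct -eq 100)
    return [pscustomobject]@{ Policy = $policy; Pct = $pct; Enforced = $ok }
}

function Test-DmarcDomain {
    param([Parameter(Mandatory)] [string] $Domain)
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' } | Select-Object -First 1
    if (-not $txt) { return [pscustomobject]@{ Domain = $Domain; Policy = 'missing'; Pct = $null; Enforced = $false } }
    $result = Test-DmarcRecord -Record ($txt.Strings -join '')
    return [pscustomobject]@{ Domain = $Domain; Policy = $result.Policy; Pct = $result.Pct; Enforced = $result.Enforced }
}

# Constructed sample records: only the first one is real enforcement.
"v=DMARC1; p=reject; rua=mailto:dmarc@contoso.example",
"v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@contoso.example",
"v=DMARC1; p=quarantine" | ForEach-Object { Test-DmarcRecord -Record $_ } | Format-Table

# Live check across the tenant's sending domains (placeholders).
@("contoso.example", "mail.contoso.example") | ForEach-Object { Test-DmarcDomain -Domain $_ } | Format-Table

# User consent: allow only low-risk delegated permissions from verified publishers;
# everything else is routed to the admin consent workflow. An empty array disables user consent entirely.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
$authz = Get-MgPolicyAuthorizationPolicy
Write-Host "Current consent policies: $($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')"
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{
        permissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
    }
}
```

Keep the DMARC check in a scheduled job: records get edited by marketing and DNS teams, and a p=reject that silently became p=none is exactly the kind of drift that precedes a convincing spoofed invoice.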

Detection

  • Defender XDR monitoring with alerting on critical signals.
  • Automatic Attack Disruption enabled.
  • Microsoft Sentinel for cross-product correlation and longer retention.
  • Microsoft Defender for Identity sensors on every domain controller.
  • Unusual activity alerts for mass-download patterns, mass-share-link creation, unusual sign-in countries.
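
The mass-download and mass-share signals in the last bullet can be checked directly against the unified audit log. The script below is an added example, not from the original page: a sliding-window detector that flags any account performing more than a threshold of downloads, sharing-link creations or anonymous-link creations within ten minutes. The sample records are constructed so the function runs offline; the commented Search-UnifiedAuditLog call at the end is the live path and assumes the Exchange Online PowerShell module and an account with the audit log reader role. Defender for Cloud Apps ships built-in anomaly policies for the same patterns; this is the lightweight cross-check for when you want your own thresholds.

```powershell
# Added example: flag mass download / mass share-link creation per user in a sliding window.
# Sample records are constructed; the live path uses Search-UnifiedAuditLog (Exchange Online module).

function Find-MassActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # objects with UserId, Operation, CreationTime
        [int] $WindowMinutes = 10,
        [hashtable] $Thresholds = @{
            FileDownloaded       = 100   # files pulled by one user within the window
            SharingLinkCreated   = 25    # links created by one user within the window
            AnonymousLinkCreated = 5     # "anyone" links are rarely legitimate in bulk
        }
    )
    $alerts = @()
    foreach ($group in ($Records | Group-Object UserId, Operation)) {
        $user = $group.Values[0]
        $op   = $group.Values[1]
        if (-not $Thresholds.ContainsKey($op)) { continue }
        $times = @($group.Group | ForEach-Object { [datetime]$_.CreationTime } | Sort-Object)
        # Sliding window: starting at each event, count events that fall within WindowMinutes.
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end   = $times[$i].AddMinutes($WindowMinutes)
            $count = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $end }).Count
            if ($count -ge $Thresholds[$op]) {
                $alerts += [pscustomobject]@{
                    UserId = $user; Operation = $op; Count = $count; WindowStart = $times[$i]
                }
                break   # one alert per user/operation is enough for triage
            }
        }
    }
    return $alerts
}

# Constructed sample: one account pulls 120 files in six minutes, another creates three links.
$t0 = Get-Date "2024-01-01T09:00:00Z"
$sample = @()
1..120 | ForEach-Object {
    $sample += [pscustomobject]@{ UserId = "mallory@contoso.example"; Operation = "FileDownloaded"
                                  CreationTime = $t0.AddSeconds($_ * 3) }
}
1..3 | ForEach-Object {
    $sample += [pscustomobject]@{ UserId = "alice@contoso.example"; Operation = "SharingLinkCreated"
                                  CreationTime = $t0.AddMinutes($_) }
}
Find-MassActivity -Records $sample | Format-Table   # flags mallory / FileDownloaded only

# Live path: last 24 hours from the unified audit log, same detector.
# Connect-ExchangeOnline
# $raw = Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-24) -EndDate (Get-Date) `
#        -Operations FileDownloaded,SharingLinkCreated,AnonymousLinkCreated -ResultSize 5000
# $records = $raw | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
#            Select-Object UserId, Operation, CreationTime
# Find-MassActivity -Records $records
```

Tune the thresholds against a week of your own baseline before alerting on them; sync clients and legitimate migrations produce bursts of FileDownloaded events, so the anonymous-link threshold is usually the cleanest signal.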

The earlier you detect, the smaller the impact. Microsoft's case data consistently shows that fast disruption changes outcomes dramatically.

Response

When ransomware is suspected or confirmed:

  1. Isolate affected devices via Defender for Endpoint.
  2. Disable affected accounts in Entra ID, revoke sessions.
  3. Stop active sharing links — sometimes mass-share is the attack pattern.
  4. Snapshot SharePoint / OneDrive sites that are still healthy to capture recoverable state.
  5. Engage Microsoft Support — for severe incidents, Microsoft has incident-response support.
  6. Document the timeline as you go.
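
The steps above, as one containment script for the first hour. This is an added example, not code from the original page, and it covers steps 1 to 4 and 6. It assumes Microsoft Graph PowerShell (Update-MgUser, Revoke-MgUserSignInSession), a Defender for Endpoint API access token in $MdeToken from an app registration holding the Machine.Isolate permission, and the SharePoint Online management module. $MachineIds, $CompromisedUpns, $HealthySites and the admin URL are placeholders for the incident's own values. Step 4 is approximated by locking still-healthy sites read-only, which freezes their state rather than snapshotting it; step 5 is a phone call, not code.

```powershell
# Added example: first-hour ransomware containment with a running timeline.
# Assumes Graph PowerShell, a Defender for Endpoint API token, and the SPO module; IDs are placeholders.

$TimelinePath = "C:\IR\timeline.jsonl"   # placeholder; keep the timeline off the affected shares

# Step 6, done continuously: every action is appended with a UTC timestamp and outcome.
function Write-Timeline {
    param([string] $Action, [string] $Target, [string] $Result)
    [pscustomobject]@{
        TimeUtc = (Get-Date).ToUniversalTime().ToString("o")
        Actor   = $env:USERNAME
        Action  = $Action
        Target  = $Target
        Result  = $Result
    } | ConvertTo-Json -Compress | Add-Content -Path $TimelinePath
}

$MachineIds      = @("<mde-machine-id-placeholder>")
$CompromisedUpns = @("mallory@contoso.example")
$HealthySites    = @("https://contoso.sharepoint.com/sites/finance")
$MdeToken        = "<defender-api-token-placeholder>"

# Step 1: full isolation cuts all network traffic except the Defender channel.
foreach ($id in $MachineIds) {
    $body = @{ Comment = "Ransomware containment"; IsolationType = "Full" } | ConvertTo-Json
    try {
        $action = Invoke-RestMethod -Method Post `
            -Uri "https://api.securitycenter.microsoft.com/api/machines/$id/isolate" `
            -Headers @{ Authorization = "Bearer $MdeToken" } -ContentType "application/json" -Body $body
        Write-Timeline -Action "IsolateDevice" -Target $id -Result $action.status
    } catch {
        Write-Timeline -Action "IsolateDevice" -Target $id -Result "FAILED: $($_.Exception.Message)"
    }
}

# Step 2: disable the account, then revoke refresh tokens so existing sessions cannot renew.
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.RevokeSessions.All"
foreach ($upn in $CompromisedUpns) {
    Update-MgUser -UserId $upn -AccountEnabled:$false
    $null = Revoke-MgUserSignInSession -UserId $upn
    Write-Timeline -Action "DisableAndRevokeSessions" -Target $upn -Result "ok"
}

# Step 3: tenant-wide stop on external sharing, so anonymous and guest links stop resolving.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL
Set-SPOTenant -SharingCapability Disabled
Write-Timeline -Action "DisableExternalSharing" -Target "tenant" -Result "ok"

# Step 4 (approximation): lock sites that are still healthy so nothing further can be written to them.
foreach ($site in $HealthySites) {
    Set-SPOSite -Identity $site -LockState ReadOnly
    Write-Timeline -Action "LockSiteReadOnly" -Target $site -Result "ok"
}
```

Isolation is asynchronous: the response status starts as Pending, and the machine action can be polled at /api/machineactions/{id}. Disabling external sharing does not affect internal sharing links, so if the attacker shared content to other internal accounts those sites need their permissions reviewed separately once the timeline shows which ones were touched.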

Recovery

This is where many organisations were unprepared in past incidents:

Native SharePoint and OneDrive recovery

  • Version history — every file in SharePoint and OneDrive has version history. For ransomware that encrypts files, previous versions are typically still healthy.
  • Recycle bin — two-stage recycle bin retains deleted content for 93 days.
  • Restore your OneDrive — built-in feature lets users restore their OneDrive to a point in time (up to 30 days back). The single most useful per-user recovery feature.
  • SharePoint site restore — admin can restore a site to a point in time.
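
Version history is the recovery path that works per file when a point-in-time site restore is too coarse. The script below is an added example, not code from the original page: it walks a drive (a SharePoint document library or a OneDrive) through the Microsoft Graph API, finds every file modified after the attack started, and rolls it back to the newest version saved before that moment. It dry-runs unless -Commit is passed. It assumes Microsoft Graph PowerShell with Files.ReadWrite.All, that $DriveId (placeholder) is the target drive's ID, and that $AttackStart is the earliest encryption timestamp established from your incident timeline.

```powershell
# Added example: roll every file changed since the attack back to its last pre-attack version.
# Assumes Graph PowerShell with Files.ReadWrite.All; $DriveId and $AttackStart are placeholders.

function Restore-DriveToPointInTime {
    param(
        [Parameter(Mandatory)] [string]         $DriveId,
        [Parameter(Mandatory)] [datetimeoffset] $AttackStart,   # offset-aware, so UTC vs local cannot bite
        [string] $FolderItemId = "root",
        [switch] $Commit
    )
    $base = "https://graph.microsoft.com/v1.0/drives/$DriveId"
    $uri  = "$base/items/$FolderItemId/children?`$select=id,name,folder,file,lastModifiedDateTime&`$top=200"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($item in $page.value) {
            if ($item.folder) {
                Restore-DriveToPointInTime -DriveId $DriveId -AttackStart $AttackStart -FolderItemId $item.id -Commit:$Commit
                continue
            }
            if ([datetimeoffset]$item.lastModifiedDateTime -lt $AttackStart) { continue }   # untouched

            # Pick the newest version saved before the attack began.
            $versions = (Invoke-MgGraphRequest -Method GET -Uri "$base/items/$($item.id)/versions").value
            $good = $versions | Where-Object { [datetimeoffset]$_.lastModifiedDateTime -lt $AttackStart } |
                    Sort-Object { [datetimeoffset]$_.lastModifiedDateTime } -Descending | Select-Object -First 1
            if (-not $good) {
                Write-Warning "No pre-attack version for '$($item.name)' (created during the attack, or versioning off)"
                continue
            }
            if ($Commit) {
                Invoke-MgGraphRequest -Method POST -Uri "$base/items/$($item.id)/versions/$($good.id)/restoreVersion"
                Write-Host "Restored '$($item.name)' to version $($good.id) from $($good.lastModifiedDateTime)"
            } else {
                Write-Host "[dry-run] would restore '$($item.name)' to version $($good.id) from $($good.lastModifiedDateTime)"
            }
        }
        $uri = $page.'@odata.nextLink'   # $null when there are no more pages
    }
}

Connect-MgGraph -Scopes "Files.ReadWrite.All"
$DriveId     = "<drive-id-placeholder>"
$AttackStart = [datetimeoffset]"2024-01-01T08:55:00Z"   # placeholder: from the incident timeline
Restore-DriveToPointInTime -DriveId $DriveId -AttackStart $AttackStart            # review the plan first
# Restore-DriveToPointInTime -DriveId $DriveId -AttackStart $AttackStart -Commit  # then execute
```

Files the attacker renamed or deleted rather than overwrote do not appear here; those come back from the two-stage recycle bin. Restoring a version creates a new version on top rather than deleting the encrypted one, so the evidence stays in the history for the investigation. For a whole site, the admin point-in-time restore above is faster; this script is for targeted libraries or when the site restore window has passed.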

Microsoft 365 Backup

For larger and structured recovery, Microsoft 365 Backup provides:

  • Point-in-time restore at SharePoint / OneDrive / Exchange scale.
  • Hourly snapshots retained per configured policy.
  • Rapid restore measured in items / hour — orders of magnitude faster than typical third-party restore.

For tenants subject to ransomware risk, Microsoft 365 Backup is increasingly part of the baseline.

Third-party SaaS backup

For air-gapped off-platform copies (insurance against a tenant-wide compromise), third-party SaaS backup tools (Veeam, Druva, AvePoint, Acronis, Barracuda, others) provide additional resilience.

The right answer for most organisations is both: Microsoft 365 Backup for fast in-platform recovery, plus a third-party off-platform copy.

Operational readiness

The single most underrated activity: test restoration. Run a quarterly tabletop exercise in which you actually restore a SharePoint site, a OneDrive and a mailbox, to verify that the procedure works. The only backup that matters is one you've recovered from.

Document the runbook. Train the team. Hope you never need it.