Understanding the Shared Responsibility Matrix for Microsoft 365 security and recovery

Posted: 03/06/2025 | By: Michael Leison

We often find SMBs are unaware of the Shared Responsibility Matrix for Microsoft 365®, which outlines responsibilities that Microsoft owns and responsibilities the customer owns.

As many MSPs know, this gap in knowledge can be detrimental to the security and recoverability of a customer’s Microsoft 365 environment, but we—the MSP community—often fall short of educating the customer about the true risks and skills needed to close those gaps.

A challenge for many MSPs and customers alike can surface in areas where both Microsoft and the client hold a level of responsibility to ensure the security and recoverability of customer information, such as accounts, data, etc.

To enhance the overall security posture of Microsoft 365 environments, MSPs must proactively educate their customers on the Shared Responsibility Matrix and collaborate closely with them to implement robust security measures.

What is the Shared Responsibility Matrix for Microsoft 365?

The Shared Responsibility Matrix for Microsoft 365 outlines the division of responsibilities between Microsoft and customers in ensuring the security and recoverability of data within the Microsoft 365 environment. Microsoft is responsible for securing the underlying infrastructure, such as servers and data centers, while customers are tasked with managing critical areas like account creation, security configurations, and user access control.

Microsoft 365 security: understanding the shared responsibility

While Microsoft is responsible for the underlying infrastructure and identity platform, it is not responsible for an incorrect or improper security deployment that results in a breach. It is the customer’s or the MSP’s responsibility to implement and manage the cybersecurity features that control authentication and access to data.

Some examples include:

By recognizing and fulfilling their role in this shared responsibility model, organizations can strengthen their overall security posture and better protect their data from potential threats.

Microsoft 365 recovery: who owns the responsibility?

While recovery falls under the customer's responsibility according to the Microsoft Shared Responsibility Matrix, there is often confusion regarding Microsoft's role in data recovery. Many customers and even some MSPs believe that Microsoft is responsible for data recovery.

Microsoft is clear that while it provides version history and data resiliency—the ability to recover a file—these features are not traditional backups.

Here are some key considerations to close the gap and enhance data management practices:

  • Data backup
  • Data retention policies
  • Data classification
  • Compliance requirements

Conclusion

Identifying the responsibilities on each end is the first step to ensuring the security and recoverability of information. MSPs who manage their customers’ environments may struggle to keep up with changes to the Microsoft 365 platform, and managing those changes across every tenant can be extremely challenging.

Some recommendations to simplify the process and add efficiency while ensuring consistency across tenants include:

  • Recurring security assessments
  • Best practice implementation templates
  • Specific compliance assessments (NIST, HIPAA, GDPR, etc.)
  • Microsoft Secure Score monitoring
  • Streamlined remediation approach

While each of these bullets will help with consistency and efficiency, considering all of them as part of a centralized SaaS security platform can holistically change the approach and profitability of MSP services that include Microsoft 365.

Explore ConnectWise SaaS Security, the most powerful application to manage and monetize Microsoft 365 security.