Dynamics 365 Business Central online runs on Azure and uses Azure SQL Database as the database that stores your data. A tenant's data is stored at rest in the Azure region that is closest to their geographical location.
Databases are protected by automatic backups that are kept for 28 days. The backup includes data from any production and sandbox environments that the database contains. Administrators of a Business Central tenant cannot directly access or manage these backups because they are managed automatically by Microsoft. However, admins can restore their environments to a specific point in time using the Business Central admin centre.
If, for example, an Azure region is temporarily unavailable, customers' data is preserved using automatic geo-redundant backups, so the data becomes available again once the Azure region is back online. All these steps are triggered automatically.
In extreme cases, such as when the region is expected to be offline for longer, we would start the process of restoring the data from the various Business Central environments' geo-redundant backups into another region within the same geography. Although such cases happen rarely, recovering data into another Azure region is a standard, well-described internal procedure, something we practice regularly at Professional Advantage as a part of our audits and internal drills.
Microsoft provides disaster recovery for production environments of Dynamics 365 software-as-a-service (SaaS) applications for business continuity if there is an Azure region-wide outage.
Microsoft creates a replica of Azure SQL storage and file storage in the secondary region for each production environment at deployment. These replicas are referred to as geo-secondary replicas.
Geo-secondary replicas are kept synchronised with the primary environment through continuous data replication. There is a small lag between the primary data sources and their geo-secondary replicas; typically, the latency is less than a few minutes.
If there is an unanticipated region-wide outage, such as a natural disaster that affects the entire Azure region, and Microsoft has determined that the region will not become available within a reasonable amount of time, Microsoft will notify customers and switch traffic over to the secondary environments. In this case, customers might experience a data loss of up to 15 minutes, depending on the nature and timing of the outage. The Recovery Point Objective (RPO) is small and could be up to a few seconds or a couple of minutes.
Recovery Time Objective (RTO) varies depending on the nature of the outage and could take up to 4 to 10 hours.
When Microsoft determines that the primary region is back online and is fully operational, we switch the environments back. Users who are connected to affected systems could experience a brief interruption of up to one minute. The service, including all non-production environments, is fully restored. There is no data loss during the planned failback process.
Databases are protected by automatic backups. Full database backups are done weekly, differential database backups are done hourly, and transaction log backups are done every five minutes.