On 22 January 2026, Microsoft 365 services — Outlook, Teams, Defender, admin portals — went dark for hours. Microsoft's post-incident note attributed it to "elevated service load" during a maintenance event, compounded by a third-party networking issue in North America. No attack. No breach. Just a reminder that Microsoft is a vendor like any other, and vendors have bad days.
Most SMB resilience plans assume the Microsoft cloud is always there. It usually is. But "usually" is not the same as a written BCDR plan that covers the case where Exchange Online stops accepting connections at 2 a.m. The question to ask after every outage isn't "whose fault" — it's "what would we do for the next four hours if it happened again right now?"
The answer for a serious business is: documented runbook, alternate comms channel, offline-capable critical apps where the workflow demands it, and a CSP partner who picks up the phone before the customer notices. None of that requires moving off Microsoft. It just requires planning for the day Microsoft has a bad afternoon.