Sequentur Blog

Microsoft 365 Backup: Why Built-In Retention Is Not Enough

Most businesses assume Microsoft backs up their data. It is a reasonable assumption. You pay Microsoft for the service, your data lives in their cloud, and they have some of the best infrastructure on the planet. Surely they are backing it up. They are not. Microsoft keeps the platform running. They replicate your data across their data centers to protect against hardware failure and regional outages. But they do not back up your data in the way that matters for you: the ability to restore a specific email from three months ago, recover a SharePoint site someone accidentally deleted, or roll back a mailbox after a ransomware attack.

This distinction is the single most common misconception about Microsoft 365, and businesses discover it at the worst possible time. Cloud services like M365 protect against physical disaster scenarios (your office burning down does not affect Microsoft’s data centers), but they do not protect against data deletion, ransomware, or admin errors within your own tenant.

The shared responsibility model

Microsoft operates under what they call the shared responsibility model. It divides the obligations between Microsoft and the customer clearly, but most customers have never read it.

Microsoft’s responsibility:

  • Infrastructure uptime and availability
  • Physical security of data centers
  • Geo-redundant replication (protecting against hardware failure, not data loss)
  • Platform-level security (patching the Exchange, SharePoint, and Teams infrastructure)
  • Network connectivity between their data centers

Your responsibility:

  • The data itself (emails, files, Teams messages, SharePoint content)
  • Access control (who can read, modify, or delete your data)
  • Retention and backup (ensuring data can be recovered after deletion or corruption)
  • Compliance (meeting your industry’s data retention requirements)
  • Account security (MFA, conditional access, preventing unauthorized access)

Microsoft’s own Service Agreement makes this explicit. Section 6b states: “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.” They are telling you, in their own terms of service, to back up your data yourself.

The geo-redundant replication Microsoft provides protects against their infrastructure failing. If a data center burns down, your data exists in another location. But if you delete a file, an attacker encrypts your mailbox, or a rogue admin wipes a SharePoint site, the replication faithfully copies the deletion or corruption to every replica. Replication is not backup. Replication ensures availability. Backup ensures recoverability.

What retention policies actually do

Microsoft 365 has retention features, and they do provide some protection. But they are not backups, and understanding their limits is critical.

Deleted Items retention

When you delete an email in Outlook, it goes to the Deleted Items folder. If you empty the Deleted Items folder (or it is emptied automatically), the email moves to the Recoverable Items folder. The Recoverable Items folder retains deleted items for 14 days by default, extendable to 30 days by an admin.

After 30 days, the email is permanently deleted. There is no recovery.

SharePoint and OneDrive recycle bin

When a file is deleted from SharePoint or OneDrive, it goes to the site recycle bin. If it is removed from there, it moves to the second-stage recycle bin for the remainder of the same 93-day period. Once the 93 days are up, it is permanently deleted.

Ninety-three days sounds generous until you realize that most accidental deletions are not discovered within 93 days. An employee leaves, their OneDrive is cleaned up, and three months later someone needs a file from their account. If the license was removed and the 30-day OneDrive retention expired, those files are gone.
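
As an added example, not taken from the original post, the following PowerShell audits the two built-in settings just described: the per-mailbox Recoverable Items window (14 days by default, 30 at most) and the tenant-wide retention of a departed user's OneDrive (30 days by default). It reports mailboxes and tenant settings that sit at the short defaults and, only when run with -Apply, raises them. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that the caller holds Exchange and SharePoint admin roles, and that "contoso" is a placeholder for your tenant name. The 365-day OneDrive target is an assumption, not a figure from the post.

```powershell
# Added example (not from the original post): audit and optionally raise the two
# retention knobs the post discusses. Report-only unless -Apply is given.
# Assumes: ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules,
# Exchange + SharePoint admin roles, and "contoso" as a placeholder tenant name.
param(
    [string] $TenantName = 'contoso',             # placeholder: your tenant's short name
    [int]    $TargetDeletedItemDays = 30,         # the maximum Exchange Online allows
    [int]    $TargetOrphanedOneDriveDays = 365,   # assumption: one year as a floor
    [switch] $Apply                               # without -Apply nothing is changed
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# 1. Exchange: find user mailboxes still below the target Recoverable Items window.
#    RetainDeletedItemsFor comes back as a time span such as 14.00:00:00; cast it to compare.
$target = [TimeSpan]::FromDays($TargetDeletedItemDays)
$short  = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { [TimeSpan]"$($_.RetainDeletedItemsFor)" -lt $target })

"{0} mailbox(es) retain deleted items for less than {1} days" -f $short.Count, $TargetDeletedItemDays
$short | Select-Object DisplayName, UserPrincipalName, RetainDeletedItemsFor | Format-Table -AutoSize

if ($Apply) {
    foreach ($mbx in $short) {
        # Set-Mailbox accepts a plain day count for RetainDeletedItemsFor.
        Set-Mailbox -Identity $mbx.UserPrincipalName -RetainDeletedItemsFor $TargetDeletedItemDays
    }
}

# 2. OneDrive: how long a departed user's OneDrive survives after the license is removed.
#    This is one tenant-wide value; the site recycle bin's 93 days is not configurable.
$tenant  = Get-SPOTenant
$current = $tenant.OrphanedPersonalSitesRetentionPeriod
"Orphaned OneDrive retention: {0} days (default is 30)" -f $current

if ($current -lt $TargetOrphanedOneDriveDays) {
    if ($Apply) {
        Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod $TargetOrphanedOneDriveDays
    } else {
        "Re-run with -Apply to raise it to {0} days" -f $TargetOrphanedOneDriveDays
    }
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-SPOService
```

Run it once without -Apply to see the current posture, then with -Apply to make the change. Raising these values buys time to notice a deletion; it does not turn retention into backup, since the same admin rights that raise them can lower them again.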

Microsoft 365 retention policies (Purview)

Microsoft 365 Compliance (now Microsoft Purview) offers retention policies that can retain data for longer periods. These policies can prevent data from being permanently deleted, even if a user deletes it.

However:

  • Retention policies are compliance tools, not backup tools. They are designed to satisfy legal hold and regulatory requirements, not to provide point-in-time recovery.
  • Retained data is stored in hidden locations (the Preservation Hold Library in SharePoint, the Recoverable Items folder in Exchange) that are not easily browsable or searchable.
  • Restoring data from a retention hold requires eDiscovery tools and administrative expertise. You cannot simply “restore” a mailbox to how it looked last Tuesday.
  • Retention policies require Business Premium or E3/E5 licensing for full functionality. Business Basic and Standard have limited retention options.
  • Configuring retention policies correctly is complex. A misconfigured policy can either fail to retain data you need or retain data you are legally required to delete.

Versioning in SharePoint and OneDrive

SharePoint and OneDrive maintain version history for documents. If someone overwrites a file, you can restore a previous version. This is genuinely useful for accidental overwrites, but it has limits:

  • Versioning does not protect against file deletion (that is the recycle bin’s job)
  • Version history can be disabled by site owners
  • The number of versions retained is configurable and defaults vary
  • If the file itself is deleted, the version history goes with it
  • Ransomware that encrypts files creates new “versions” that push old versions out of retention
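
The versioning limits listed above are per document library, so a practitioner usually wants to see them for a whole site at once. The following PnP PowerShell is an added example, not code from the original post: it lists every document library on one site, flags those where versioning is off or the version limit is low, and raises the limit only when run with -Apply. It assumes the PnP.PowerShell module, a placeholder site URL, a placeholder Entra app registration ID for the PnP sign-in, and that 500 major versions is a reasonable floor (an assumption, chosen so that a burst of ransomware rewrites does not push clean versions out of history).

```powershell
# Added example (not from the original post): report and optionally fix versioning
# on a site's document libraries. Placeholders: $SiteUrl and $ClientId.
param(
    [string] $SiteUrl  = 'https://contoso.sharepoint.com/sites/Contracts',   # placeholder
    [string] $ClientId = '00000000-0000-0000-0000-000000000000',            # placeholder app ID for PnP sign-in
    [int]    $MinMajorVersions = 500,   # assumption: floor that survives a ransomware rewrite burst
    [switch] $Apply
)

Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Interactive

# BaseTemplate 101 is a document library; hidden lists are system lists and are skipped.
$libraries = @(Get-PnPList -Includes EnableVersioning, MajorVersionLimit |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden })

$report = foreach ($lib in $libraries) {
    [pscustomobject]@{
        Library       = $lib.Title
        Versioning    = $lib.EnableVersioning
        MajorVersions = $lib.MajorVersionLimit
        # Weak when versioning is disabled (limit reads 0) or the limit is below the floor.
        Weak          = (-not $lib.EnableVersioning) -or ($lib.MajorVersionLimit -lt $MinMajorVersions)
    }
}
$report | Format-Table -AutoSize

if ($Apply) {
    $weak = $libraries | Where-Object { -not $_.EnableVersioning -or $_.MajorVersionLimit -lt $MinMajorVersions }
    foreach ($lib in $weak) {
        Set-PnPList -Identity $lib -EnableVersioning $true -MajorVersions $MinMajorVersions
    }
}

Disconnect-PnPOnline
```

Version history still dies with the file, as the last bullet notes, so this check complements the recycle bin and a real backup rather than replacing either.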

What backup actually means

A backup is an independent copy of your data, stored separately from the production environment, that can be used to restore data to a specific point in time. The key properties that make a backup different from retention:

Point-in-time recovery. A backup lets you say “restore this mailbox to exactly how it was at 9 AM on Tuesday.” Retention policies cannot do this. They can tell you whether a specific item exists somewhere in the retention hold, but they cannot reconstruct the state of a mailbox or site at a specific moment.

Independence from the source. A backup exists outside the system it is protecting. If an attacker compromises your Microsoft 365 tenant and deletes data, they can also delete retention policies and empty recycle bins. A backup stored in a separate system, with separate credentials, is not affected by a tenant compromise. This is the same principle behind the 3-2-1 backup rule – keeping copies on different media in different locations so that a single event cannot wipe out everything.

Granular restore. A backup lets you restore a single email, a single file, a folder, a mailbox, a SharePoint site, or the entire tenant, depending on what you need. Retention tools provide much less flexibility in what and how you can restore.

Long-term retention. Backups can retain data for years without relying on Microsoft’s retention infrastructure. If you need to produce emails from two years ago for a legal matter, a backup can do that. Microsoft’s default retention may have already purged that data.

Scenarios where retention fails and backup saves you

Accidental deletion beyond the retention window

An employee accidentally deletes a folder of client contracts from SharePoint. Nobody notices for four months. The 93-day recycle bin retention has expired. Without a backup, those files are permanently gone. With a backup, you restore them from the most recent backup that contained them.

Ransomware or malicious attack

An attacker gains access to a user’s account (through phishing, credential stuffing, or a compromised device) and deletes emails, encrypts OneDrive files, or wipes SharePoint sites. If the attacker has admin access, they can also disable retention policies, empty recycle bins, and remove compliance holds. The damage is comprehensive, and Microsoft’s built-in protections are neutralized because they operate within the same tenant the attacker controls.

A backup stored in a separate system with separate authentication is not affected. You restore the entire mailbox or site from the backup taken before the attack.

For the full incident response process after a ransomware attack, see our step-by-step recovery guide.

Departed employee data loss

An employee leaves. The offboarding process converts their mailbox to a shared mailbox and copies critical OneDrive files. Six months later, someone needs a file that was not copied. The OneDrive data was deleted after the retention period. Without a backup, there is no recovery.

Rogue admin or insider threat

An admin with Global Administrator access can delete user accounts, remove retention policies, purge recycle bins, and wipe SharePoint sites. Microsoft’s built-in protections are all administered by the same admin accounts, which means a malicious or compromised admin can defeat all of them. A backup system with its own admin credentials, stored outside the Microsoft 365 tenant, is the only protection against this scenario.

Compliance and legal discovery

A legal hold is placed on a former employee’s data two years after they left. The retention policies were not configured to retain data that long, or the employee’s data was deleted during offboarding. Without a backup, you cannot produce the data the legal team needs.

Third-party backup options

Third-party backup solutions for Microsoft 365 connect to your tenant via API, pull copies of your data on a schedule, and store those copies in a separate location (typically the backup vendor’s cloud storage or your own cloud storage). For businesses that also have on-premises servers, the decision between cloud backup, on-premises backup, or a hybrid approach applies to the broader infrastructure, but M365 backup is almost always cloud-to-cloud since the source data is already in the cloud.

Common solutions include Veeam Backup for Microsoft 365, Acronis Cyber Protect, Datto SaaS Protection, AvePoint Cloud Backup, and Druva. These products vary in pricing, restore granularity, storage options, and how they handle Teams and SharePoint data. For a detailed walkthrough of solution categories, setup steps, and what to look for in a provider, see our guide on how to back up Microsoft 365 data the right way.

What to look for in a backup solution

Coverage. The backup should cover Exchange Online (email, calendar, contacts), OneDrive, SharePoint, and Teams. Some solutions only cover Exchange and OneDrive but miss Teams chat data and SharePoint site content. Teams data in particular is stored across multiple services (Exchange group mailboxes, SharePoint document libraries, Azure storage for chat messages), and a backup that misses any of these leaves gaps.

Restore granularity. You should be able to restore a single email, a single file, an entire mailbox, or an entire SharePoint site. The ability to restore to the original location or to a different location is important for scenarios where you are restoring alongside existing data.

Backup frequency. How often does the backup run? Once per day is the minimum. Three times per day is better. Some solutions offer near-continuous backup. The gap between backups is your maximum data loss window; this is your RPO (Recovery Point Objective). If backups run once per day and an incident happens at 4 PM, you lose everything since the morning backup.
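
To make the RPO arithmetic concrete for any schedule, not just the once-a-day case in the paragraph, here is a small PowerShell function added as an example (it is not from the original post or any vendor's tooling). Given a daily backup schedule and the time of an incident, it returns how much data would be lost and the worst-case gap the schedule allows. It assumes the schedule repeats every day and that times are given as HH:mm on a 24-hour clock.

```powershell
# Added example (not from the original post): turn a daily backup schedule into the
# data-loss window the post calls RPO. Times are "HH:mm", 24-hour, repeating daily.
function Get-DataLossWindow {
    param(
        [Parameter(Mandatory)] [string[]] $BackupTimes,   # e.g. @('06:00','12:00','18:00')
        [Parameter(Mandatory)] [string]   $IncidentTime   # e.g. '16:00'
    )
    $day      = [TimeSpan]::FromDays(1)
    $incident = [TimeSpan]::Parse($IncidentTime)
    $runs     = @($BackupTimes | ForEach-Object { [TimeSpan]::Parse($_) } | Sort-Object)

    # Most recent run at or before the incident; if none has run yet today,
    # the last good copy is yesterday's final run.
    $prior = @($runs | Where-Object { $_ -le $incident })
    if ($prior.Count -gt 0) {
        $lastRun = $prior[-1]
        $lost    = $incident - $lastRun
    } else {
        $lastRun = $runs[-1]
        $lost    = $incident + ($day - $lastRun)
    }

    # Worst case for this schedule: the longest gap between consecutive runs,
    # including the wrap from the last run of one day to the first run of the next.
    $worst = [TimeSpan]::Zero
    for ($i = 0; $i -lt $runs.Count; $i++) {
        $next = if ($i -eq $runs.Count - 1) { $runs[0] + $day } else { $runs[$i + 1] }
        $gap  = $next - $runs[$i]
        if ($gap -gt $worst) { $worst = $gap }
    }

    [pscustomobject]@{
        IncidentTime      = $IncidentTime
        LastBackup        = $lastRun.ToString('hh\:mm')
        DataLostHours     = [math]::Round($lost.TotalHours, 2)
        WorstCaseRpoHours = [math]::Round($worst.TotalHours, 2)
    }
}

# The post's scenario: one morning backup, incident in the afternoon.
Get-DataLossWindow -BackupTimes @('06:00') -IncidentTime '16:00'

# The same incident against a three-times-a-day schedule.
Get-DataLossWindow -BackupTimes @('06:00', '12:00', '18:00') -IncidentTime '16:00'

# Incident before the first run of the day: the last good copy is yesterday's.
Get-DataLossWindow -BackupTimes @('06:00', '18:00') -IncidentTime '03:00'
```

Use WorstCaseRpoHours when writing an RPO into a contract or a recovery plan; DataLostHours is only what one particular incident would have cost.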

Retention period. How long does the backup retain data? One year is a reasonable minimum. For regulated industries, you may need three to seven years. Check whether the vendor charges per retention length or per storage volume, as long retention periods with large mailboxes can get expensive.

Storage location. Where is the backup data stored? Some vendors store it in their own cloud. Others let you choose (Azure, AWS, on-premises). For compliance-sensitive businesses, knowing where your backup data resides geographically can matter.

Security. The backup system has access to all of your Microsoft 365 data. It needs its own authentication (separate from your tenant admin accounts), encryption at rest and in transit, and role-based access control. A compromised backup system is as dangerous as a compromised admin account.

Ease of restore. The value of a backup is entirely in the restore. If finding and restoring a single email takes an hour of administrative work, the backup is technically functional but operationally painful. Test the restore process before you need it.

Microsoft 365 Backup (native solution)

Microsoft launched Microsoft 365 Backup in 2024 as a paid add-on. It provides backup and restore for Exchange, OneDrive, and SharePoint within the Microsoft ecosystem. It stores backup data in Microsoft’s own infrastructure and integrates with the admin center.

This is a step in the right direction, but as of now it has limitations: it is priced as an additional per-user charge, it does not cover Teams chat data comprehensively, and the restore experience is still maturing compared to established third-party solutions. It is worth evaluating alongside third-party options, but the existence of a native backup product does not change the fundamental point: the default Microsoft 365 configuration does not back up your data, and you need to add backup capability whether through Microsoft’s new product or a third-party tool.

The cost of not having a backup

Third-party backup for Microsoft 365 typically costs $2 to $5 per user per month. For a 50-person company, that is $100 to $250 per month, or $1,200 to $3,000 per year.

Compare that to the cost of losing data:

  • Recreating lost emails and documents: hours of employee time, if recreation is even possible
  • Legal exposure from inability to produce data during litigation or audit
  • Client trust damage when you cannot deliver files you promised to retain
  • Full breach recovery costs if the data loss stems from a ransomware or compromise incident
  • Compliance penalties in regulated industries that require specific data retention periods

The cost of backup is a fraction of any of these scenarios. For a detailed breakdown of what cloud backup, on-premises backup, and managed DR services actually cost, see our backup and disaster recovery cost guide. For most businesses, the question is not whether they can afford backup. It is whether they can afford to discover they do not have it.

How Sequentur handles Microsoft 365 backup

Microsoft 365 backup management is part of our managed M365 services. Setting up backup is typically a short project scoped to the customer’s specific needs, covering which services to back up, retention periods, storage requirements, and compliance obligations. Once the backup is in place, ongoing management, monitoring, and restores are handled as part of the managed service.

When a restore is needed, whether it is a single email from last month or an entire SharePoint site from six months ago, we handle it. The client tells us what they need, and we recover it.

If your business does not currently have Microsoft 365 backup in place and you want to understand your exposure, reach out through our contact page. We can audit your current retention settings and recommend a backup configuration that matches your business and compliance needs.
