Sequentur Blog
How to Back Up Microsoft 365 Data the Right Way
Microsoft does not back up your data. They keep the platform running, replicate it across data centers for availability, and protect against their own infrastructure failures. But if an employee deletes a mailbox, ransomware encrypts your SharePoint files, or a compromised admin wipes your tenant, Microsoft’s built-in protections run out faster than most businesses expect. If you have read our breakdown of why Microsoft 365’s built-in retention is not enough, you already understand the problem. This guide covers how to solve it – what to back up, how often, what tools to use, and what to look for in a provider.
Why Microsoft 365 needs backup at all
Microsoft operates under a shared responsibility model. They are responsible for platform uptime and infrastructure security. You are responsible for the data inside your tenant – including protecting it from accidental deletion, malicious attacks, and compliance failures.
The built-in protections are real but limited:
- Deleted Items retention. 14 to 30 days for email, then permanent deletion.
- SharePoint and OneDrive recycle bin. 93 days, then permanent deletion.
- Retention policies (Purview). Compliance tools, not backup tools. They hold data in hidden locations that require eDiscovery to access and cannot provide point-in-time restore.
- Versioning. Protects against overwrites but not deletion. Ransomware that encrypts files pushes clean versions out of retention.
None of these give you what a backup gives you: the ability to restore any mailbox, file, or site to exactly how it was at a specific point in time, stored independently from the system it protects.
The 3-2-1 backup rule applies to cloud data just as much as on-premises data. Your Microsoft 365 tenant is one copy of your data on one platform. A backup adds the second copy on separate infrastructure. Without it, a single incident in your tenant can result in permanent data loss.
What needs to be backed up
Microsoft 365 is not one application. It is a suite of interconnected services, and each one stores data differently. A complete backup covers all of them.
Exchange Online
Email, calendar, contacts, and tasks. For most businesses, email is the single most important data set in Microsoft 365. Client communications, contracts, approvals, and institutional knowledge all live in mailboxes. Losing email is not just inconvenient – in regulated industries, it can be a compliance violation.
What to back up:
- All active user mailboxes
- Shared mailboxes
- Archive mailboxes (if used)
- Calendar data and contacts
- Mail flow rules and distribution group membership (configuration, not just content)
OneDrive for Business
Individual user file storage. OneDrive is where employees save documents, spreadsheets, presentations, and project files. Some businesses treat OneDrive as their primary file storage, which means losing OneDrive data is equivalent to losing a file server.
What to back up:
- All active user OneDrive accounts
- Files shared with external parties (the sharing links break if the source files are lost)
A common gap: when an employee leaves and their license is removed, their OneDrive data is retained for only 30 days by default. If nobody backed it up or migrated it during the offboarding process, it is gone after that window.
SharePoint Online
Team sites, document libraries, lists, and pages. SharePoint is where shared business data lives – project files, company policies, knowledge bases, and departmental resources. A single SharePoint site can contain thousands of documents accumulated over years.
What to back up:
- All SharePoint sites (team sites, communication sites, hub sites)
- Document libraries and their version history
- Lists and list data
- Site configurations and permissions (some backup tools capture this, others do not)
Microsoft Teams
Teams data is deceptively complex because it is stored across multiple services. Chat messages are stored in Azure, channel files are stored in SharePoint, and meeting recordings are stored in OneDrive or SharePoint depending on the channel type.
What to back up:
- Channel messages and conversations
- Files shared in channels (these are in SharePoint and should be covered by SharePoint backup)
- Chat messages (1:1 and group chats)
- Meeting recordings (stored in OneDrive or SharePoint)
- Teams configurations (channels, tabs, connectors)
Teams backup is where many solutions have gaps. Some products back up SharePoint and Exchange comprehensively but miss Teams chat data or channel conversations. Verify coverage before selecting a solution.
What most businesses miss
Groups and distribution lists. Microsoft 365 Groups tie together a shared mailbox, SharePoint site, OneNote notebook, and Planner board. If a group is deleted, all associated resources go with it. Backing up the individual services does not always capture the group structure itself.
Public folders. Businesses migrated from on-premises Exchange may still use public folders in Exchange Online. These are often overlooked in backup configurations.
Power Platform data. If your business uses Power Automate flows, Power Apps, or Power BI reports, these are not typically covered by standard M365 backup solutions. They require separate backup strategies.
Backup frequency and retention
How often your backup runs and how long it retains data are the two decisions that determine your actual protection level.
Backup frequency
Your backup frequency determines your RPO – Recovery Point Objective. The RPO is the maximum amount of data you can afford to lose, measured in time. If your backup runs once daily at midnight and an incident happens at 5 PM, you lose 17 hours of data.
| Backup frequency | RPO | Best for |
|---|---|---|
| Once daily | 24 hours | Low-change environments, archive data |
| Three times daily | 8 hours | Most small businesses, general office use |
| Every 4 hours | 4 hours | Businesses with high email volume or active SharePoint use |
| Near-continuous | Minutes | Transaction-heavy environments, regulated industries |
For most small businesses, three-times-daily backup strikes the right balance between protection and cost. Critical mailboxes (executives, finance, legal) may warrant more frequent backup if the data changes rapidly.
Retention period
How long your backup keeps data determines how far back you can restore. This matters more than most businesses realize because many data loss events are not discovered immediately.
| Retention period | Use case |
|---|---|
| 30 days | Minimum viable, covers accidental deletion caught quickly |
| 90 days | Covers most accidental deletion and employee departure scenarios |
| 1 year | Recommended minimum for most businesses, covers seasonal data needs |
| 3 to 7 years | Regulated industries (HIPAA, financial services, legal) |
| Unlimited | Litigation-heavy industries, long-term compliance requirements |
One year is the practical minimum for most businesses. Shorter retention saves money but creates gaps that surface during legal holds, compliance audits, or the delayed discovery of data loss. If your industry has specific retention requirements – HIPAA for healthcare, for example – your backup retention must meet or exceed those requirements.
Storage considerations
Backup storage costs are driven by the number of users, the size of their mailboxes and OneDrive accounts, and the retention period. A 50-person company with average mailbox sizes and one year of retention typically needs 1 to 5 TB of backup storage. Longer retention periods and larger mailboxes increase storage linearly.
Some backup providers include storage in their per-user pricing. Others charge separately for storage. Understand the pricing model before comparing solutions, because a $3/user/month product with separate storage charges can end up costing more than a $5/user/month product with storage included.
Third-party backup solution categories
Microsoft 365 backup solutions fall into three categories, each suited to different business sizes and management models.
SaaS backup (cloud-to-cloud)
The backup software runs in the vendor’s cloud, connects to your Microsoft 365 tenant via API, and stores backup data in the vendor’s cloud storage or a cloud storage provider of your choice (Azure, AWS, etc.).
Advantages: No infrastructure to manage, automatic updates, scales with your tenant size, accessible from anywhere.
Disadvantages: Ongoing subscription cost, data stored with a third party (evaluate their security and compliance posture), restore speed depends on internet bandwidth.
Examples: Veeam Backup for Microsoft 365 (cloud edition), Datto SaaS Protection, AvePoint Cloud Backup, Druva, Spanning.
Best for: Most small businesses, especially those without dedicated IT staff or on-premises infrastructure.
Self-hosted backup
You install the backup software on your own server (on-premises or in your own cloud VM) and manage the storage yourself. The software connects to your M365 tenant and pulls data to your infrastructure.
Advantages: Full control over data location, no per-user subscription for the storage component, data stays on your own infrastructure.
Disadvantages: Requires infrastructure to run and maintain, you manage updates and monitoring, storage capacity planning is your responsibility.
Examples: Veeam Backup for Microsoft 365 (self-hosted), Acronis Cyber Protect.
Best for: Businesses with existing on-premises infrastructure and IT staff, or businesses with strict data sovereignty requirements.
MSP-managed backup
A managed service provider deploys, configures, monitors, and manages the backup on your behalf. You do not interact with the backup software directly. The MSP handles setup, monitoring, alerting, and restores.
Advantages: No management overhead, backup is monitored by professionals, restores are handled for you, often includes regular backup testing.
Disadvantages: Slightly higher cost than self-managed (you are paying for the management service), dependency on the MSP for restores.
Best for: Businesses without internal IT expertise, businesses that want backup managed as part of a broader IT service.
Microsoft 365 Backup (native)
Microsoft launched a native backup product in 2024 as a paid add-on. It covers Exchange, OneDrive, and SharePoint with backup and restore capabilities integrated into the Microsoft 365 admin center.
The native solution is improving but currently has limitations compared to established third-party tools: Teams chat coverage is incomplete, the restore experience is less mature, and it is priced as an additional per-user charge on top of existing licensing. It is worth evaluating alongside third-party options, but its existence does not change the fundamental requirement – backup needs to be explicitly added to your Microsoft 365 environment.
What to look for in a backup provider
Whether you choose SaaS, self-hosted, or MSP-managed, evaluate these criteria:
Complete service coverage. The backup must cover Exchange, OneDrive, SharePoint, and Teams. Missing any one of these leaves a gap. Ask specifically about Teams chat data – it is the most commonly missed component.
Granular restore. You need the ability to restore a single email, a single file, an entire mailbox, or an entire SharePoint site. Restore should work to the original location or to an alternate location (useful when restoring alongside existing data or to a different user’s account).
Point-in-time recovery. The backup should let you browse and restore data as it existed at a specific date and time, not just the most recent backup. This is critical for ransomware recovery where you need to find the last clean backup point before the attack.
Independent authentication. The backup system’s admin credentials must be separate from your Microsoft 365 tenant admin accounts. If an attacker compromises your Global Admin, they should not automatically gain access to your backups. This is the same principle that makes offsite backup valuable for on-premises infrastructure – independence from the system being protected.
Encryption. Data should be encrypted in transit (between your tenant and the backup storage) and at rest (in the backup storage). Verify the encryption standard (AES-256 is the baseline) and who holds the encryption keys.
Monitoring and alerting. The backup system should alert someone when backup jobs fail. A backup that silently fails for weeks provides zero protection. If you are managing the backup yourself, configure alerts to go to an actively monitored inbox. If an MSP manages it, verify that failed job alerting is part of their SLA.
Compliance certifications. If your business operates under HIPAA, SOC 2, or other compliance frameworks, the backup provider needs to meet those standards. Ask for their SOC 2 report, BAA (for HIPAA), or equivalent documentation.
Restore testing. Ask how the backup can be tested. Can you run a test restore without affecting production? Is there a verification mechanism that confirms backups are restorable, not just complete? The only way to know a backup works is to test the restore.
Setting up Microsoft 365 backup: the practical steps
If you are implementing backup for the first time, here is the general process regardless of which solution you choose:
Step 1: Inventory your tenant
Before configuring backup, understand what you are backing up:
- How many active users and shared mailboxes?
- How large are mailboxes on average? (Exchange admin center shows this)
- How much OneDrive storage is in use across all users?
- How many SharePoint sites exist, and how large are they?
- Are Microsoft Teams channels actively used for file sharing and conversations?
This inventory determines your storage requirements and helps you estimate costs accurately.
Step 2: Define retention requirements
Decide how long backup data needs to be retained. Start with your business continuity and compliance requirements, not the vendor’s default settings. If you have regulatory obligations, those set the floor. If not, one year is a reasonable starting point.
Step 3: Choose and deploy the solution
Based on your inventory, retention requirements, and management model (self-managed, SaaS, or MSP-managed), select a solution. Deployment typically involves:
- Creating a service account or app registration in your Microsoft 365 tenant with the permissions the backup solution needs (usually Application permissions for Exchange, SharePoint, and Teams APIs)
- Configuring the backup scope (all users or specific users/groups)
- Setting the backup schedule (frequency)
- Setting retention policies
- Running an initial full backup (this takes longer than subsequent incremental backups – hours to days depending on data volume)
Step 4: Verify the first backup
After the initial backup completes, run a test restore. Restore a few emails, a SharePoint document, and a OneDrive file to verify the backup contains what you expect and the restore process works. Do not skip this step – a backup that completes without errors is not the same as a backup that produces restorable data.
Step 5: Set up monitoring
Configure alerts for failed backup jobs. If you are using a SaaS solution, verify the alerting is active and going to a monitored inbox. If an MSP manages the backup, confirm their monitoring SLA.
Step 6: Document the setup
Record the backup configuration in your disaster recovery plan: what is backed up, how often, how long data is retained, where the backup is stored, and how to access the backup system in an emergency. Include the service account credentials in your secure credential storage (not in the DR plan document itself).
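An added example (not from the original article or any backup vendor) of the check behind Step 5: it flags workloads whose last successful backup is older than the RPO, that have only failed jobs, or that have no jobs at all. The job-record format, field names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# The four workloads the article says a complete backup must cover.
REQUIRED_WORKLOADS = ("Exchange", "OneDrive", "SharePoint", "Teams")

# Constructed sample data: a hypothetical job-history export, not a vendor format.
SAMPLE_NOW = datetime(2024, 5, 6, 17, 0, tzinfo=timezone.utc)
SAMPLE_RPO = timedelta(hours=8)  # RPO for a three-times-daily schedule
SAMPLE_JOBS = [
    {"workload": "Exchange", "finished": "2024-05-06T16:00:00+00:00", "status": "Success"},
    {"workload": "SharePoint", "finished": "2024-05-06T16:05:00+00:00", "status": "Success"},
    {"workload": "OneDrive", "finished": "2024-05-05T00:00:00+00:00", "status": "Success"},
    {"workload": "OneDrive", "finished": "2024-05-05T08:00:00+00:00", "status": "Failed"},
    {"workload": "OneDrive", "finished": "2024-05-06T16:00:00+00:00", "status": "Failed"},
    # No Teams jobs at all: the coverage gap the article warns about.
]


def last_success(jobs):
    """Map each workload to the finish time of its most recent successful job."""
    latest = {}
    for job in jobs:
        if job["status"] != "Success":
            continue  # a failed run does not produce a restore point
        finished = datetime.fromisoformat(job["finished"])
        workload = job["workload"]
        if workload not in latest or finished > latest[workload]:
            latest[workload] = finished
    return latest


def audit(jobs, now, rpo):
    """Return (workload, problem, hours_since_last_good_backup) for each gap."""
    latest = last_success(jobs)
    attempted = {job["workload"] for job in jobs}
    findings = []
    for workload in REQUIRED_WORKLOADS:
        if workload not in attempted:
            # Nothing is configured for this workload.
            findings.append((workload, "not covered", None))
        elif workload not in latest:
            # Jobs run but none has ever finished successfully.
            findings.append((workload, "never succeeded", None))
        elif now - latest[workload] > rpo:
            # The newest restore point is older than the data loss you accepted.
            age_hours = (now - latest[workload]).total_seconds() / 3600
            findings.append((workload, "stale", age_hours))
    return findings


if __name__ == "__main__":
    for workload, problem, hours in audit(SAMPLE_JOBS, SAMPLE_NOW, SAMPLE_RPO):
        detail = f" (last good backup {hours:.0f}h ago)" if hours is not None else ""
        print(f"ALERT {workload}: {problem}{detail}")
```

Measuring age from the last successful job, rather than from the last job that ran, is what catches a backup that has been failing quietly on schedule.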
Common mistakes
Backing up only email. Exchange is the most obvious target, but SharePoint and OneDrive often contain more total data. A backup that covers mailboxes but misses SharePoint sites leaves significant gaps.
Using the same admin account for backup and tenant management. If the backup system authenticates with your Global Admin account and that account is compromised, the attacker can access your backups. Use a dedicated service account with only the permissions the backup needs.
Assuming Microsoft’s native retention is “good enough” and not backing up at all. Retention is not backup. It cannot provide point-in-time restore, it is vulnerable to admin-level attacks, and it does not store data independently from the tenant.
Not testing restores. A backup that has never been tested is a theoretical backup. Test it quarterly – restore a sample of emails, files, and SharePoint content to verify the data is there and the restore process works.
Ignoring Teams data. Teams adoption has accelerated and many businesses now conduct significant client and internal communication through Teams. If your backup does not cover Teams conversations, you have a blind spot.
Setting retention too short. Thirty-day retention is barely better than Microsoft’s built-in recycle bin. Most data loss events that require backup (not just recycle bin recovery) are discovered weeks or months after the fact.
What it costs
Microsoft 365 backup typically costs $2 to $6 per user per month for a SaaS solution, depending on features, storage, and retention. MSP-managed backup runs $4 to $8 per user per month, which includes the management overhead.
For a 30-person company:
| Model | Monthly cost | Annual cost |
|---|---|---|
| SaaS, self-managed | $60 to $180 | $720 to $2,160 |
| MSP-managed | $120 to $240 | $1,440 to $2,880 |
Compare this to the cost of data loss or the cost of manually recreating lost email, documents, and SharePoint content. A single incident where an employee’s mailbox is unrecoverable costs more in lost productivity and client impact than years of backup fees.
For a full breakdown of backup pricing across all infrastructure types, see our backup and disaster recovery cost guide.
How Sequentur handles Microsoft 365 backup
Microsoft 365 backup is part of our managed services. We deploy, configure, and monitor backup for every M365 workload – Exchange, OneDrive, SharePoint, and Teams. Backup runs multiple times daily with retention configured to the client’s compliance and business requirements, typically one year minimum.
We monitor backup jobs daily. Failed jobs are investigated and resolved the same day, not discovered weeks later during a restore attempt. We run periodic test restores to verify data integrity and recoverability.
When a client needs a restore – whether it is a single email from three months ago, an entire mailbox after a compromise, or a SharePoint site that was accidentally deleted – we handle it. The client tells us what they need and when they need it from, and we recover it.
If your business does not currently have Microsoft 365 backup in place, or if you are not sure whether your current backup covers all workloads, reach out through our contact page. We can audit your tenant, identify gaps in your current protection, and set up backup that matches your business requirements.