If your business uses Microsoft 365, you're in good company. It's the platform of choice for millions of organisations worldwide. But there's a common assumption that quietly creates serious risk: the belief that Microsoft is backing up your data.
They're not. At least, not in the way you probably think.
What Microsoft Actually Does
Microsoft operates on what they call a shared responsibility model. They are responsible for keeping the platform available — ensuring the servers stay online, the infrastructure is resilient, and the service keeps running.
What they are not responsible for is protecting the content inside your tenant from accidental deletion, malicious action, or data corruption. Their own documentation states that data recovery is your responsibility.
Microsoft does retain deleted items for a limited period — typically 30 to 93 days depending on the item type and your licence — but this is a recycle bin, not a backup. Once that window closes, the data is gone permanently.
What This Means in Practice
Here are some real scenarios where the absence of a proper backup causes serious problems:
Accidental deletion. A team member permanently deletes a folder of client documents, or an entire SharePoint site is removed. If it's discovered after the retention window, Microsoft cannot recover it.
Ransomware. Modern ransomware increasingly targets cloud storage. If your OneDrive or SharePoint syncs encrypted files across your estate, the damage propagates quickly. Version history helps, but only up to a point.
Disgruntled employees. A departing staff member deletes their emails or clears their OneDrive before leaving. By the time you notice, the retention window may have already closed.
Licence changes. When you remove a user's licence, their data — mailbox, OneDrive, Teams messages — can be purged after a relatively short period if not explicitly retained.
Microsoft service errors. Rare, but not unheard of. Platform-level issues can occasionally result in data loss, and Microsoft's liability in such cases is limited.
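To see how long deleted mail is actually recoverable in your own tenant, the following PowerShell audit lists each mailbox's deleted-item retention and hold status. It is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed and the account may run Get-Mailbox, and `$MinDays` and the output file name are illustrative choices.

```powershell
# Added example: audit Exchange Online mailbox recoverability settings.
# $MinDays is an assumed review threshold, not a Microsoft default.
param(
    [int]$MinDays = 30,
    [string]$OutFile = ".\mailbox-retention-gaps.csv"   # hypothetical output path
)

Connect-ExchangeOnline -ShowBanner:$false

$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    # RetainDeletedItemsFor can arrive as a TimeSpan or as its string form,
    # so normalise it through its string representation before comparing.
    $retain = [TimeSpan]::Parse($_.RetainDeletedItemsFor.ToString())

    [pscustomobject]@{
        Mailbox            = $_.PrimarySmtpAddress
        Type               = $_.RecipientTypeDetails      # UserMailbox, SharedMailbox, ...
        DeletedItemDays    = [int]$retain.TotalDays
        SingleItemRecovery = $_.SingleItemRecoveryEnabled
        LitigationHold     = $_.LitigationHoldEnabled
        # No hold and a short window: deleted items age out soonest here.
        BelowThreshold     = (-not $_.LitigationHoldEnabled) -and
                             ($retain.TotalDays -lt $MinDays)
    }
}

# Shortest windows first, so the most exposed mailboxes head the list.
$report | Sort-Object DeletedItemDays | Format-Table -AutoSize

# Keep a dated record of the gaps for the next review.
$gaps = @($report | Where-Object BelowThreshold)
if ($gaps.Count -gt 0) {
    $gaps | Export-Csv -Path $OutFile -NoTypeInformation
    Write-Warning "$($gaps.Count) mailbox(es) retain deleted items for fewer than $MinDays days with no hold."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Everything this report shows still lives inside the tenant, so it measures the size of the recycle-bin window rather than replacing an independent backup.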
The 3-2-1 Rule for Microsoft 365
The industry-standard approach to backup remains the 3-2-1 rule: three copies of your data, on two different types of media, with one copy offsite. Microsoft 365 only gives you one — the live copy in their cloud.
A proper Microsoft 365 backup solution sits outside of Microsoft's infrastructure entirely, creating independent, point-in-time copies of your mailboxes, SharePoint sites, OneDrive data, and Teams conversations. This means that regardless of what happens inside your Microsoft 365 tenant, your data can be restored quickly and completely.
What to Back Up
A comprehensive Microsoft 365 backup should cover:
- Exchange Online — all mailboxes, including shared mailboxes and distribution groups
- SharePoint Online — sites, document libraries, and lists
- OneDrive for Business — all user drives, including files shared with leavers
- Microsoft Teams — channel conversations, files, and chat history
- Microsoft 365 Groups — associated mailboxes and sites
Many businesses focus on email and miss SharePoint or Teams — often where the most operationally critical files actually live.
How Quickly Can You Recover?
The question worth asking isn't just "do we have a backup?" but also "how quickly could we actually restore from it?"
Recovery time matters. A backup that takes three days to restore is a problem if your business cannot operate without the lost data. When evaluating any backup solution, test a restoration — not just once at the start, but quarterly.
If you're unsure whether your Microsoft 365 data is properly protected, it's worth finding out before you need to recover something. We can review your current setup and recommend the right backup approach for your business.
Get in touch to arrange a no-obligation conversation about Microsoft 365 backup.