What Microsoft 365 Actually Backs Up (And What It Doesn't)
There's a sentence buried in Microsoft's own Services Agreement that most business owners have never seen: "We recommend that you regularly back up your content and data that you store on the services."
That sentence does a lot of work. It quietly signals that Microsoft considers your data your problem. Not theirs.
Most businesses paying per user per month for Microsoft 365 assume the data is covered. Emails, files in OneDrive, Teams chats. All safely stored somewhere in a Microsoft datacenter, protected forever. That's not quite how it works.
What Microsoft Does Protect
To be fair: Microsoft does protect against infrastructure failure. If a datacenter goes dark, your data is replicated across regions and the service keeps running. Physical hardware fails; the service stays up. That part works, and it works reliably.
But that's datacenter resilience, not backup. The difference matters enormously when the threat isn't a datacenter failure. It's an employee, a ransomware attack, or a departing team member.
The Retention Windows That Most Businesses Don't Know About
Microsoft 365 has default retention windows. They're not secret. They're just not prominent.
Exchange Online (email): Deleted items stay in the Deleted Items folder until a user empties it. After that, they move to a Recoverable Items folder. The default retention on that folder is 14 days. Microsoft allows extending it to 30 days through configuration. After 30 days, the emails are gone.
OneDrive and SharePoint (files): Deleted files go to the Recycle Bin and stay there for up to 93 days across both the first-stage and second-stage bins. After 93 days, permanent deletion.
Microsoft Teams: Teams inherits the SharePoint and OneDrive rules. Files shared in channels live in SharePoint. Chat attachments live in OneDrive. Same 93-day clock applies.
Ninety-three days sounds like a lot until you consider how these situations actually unfold. A sales proposal that vanished two days after a rep left. A shared folder accidentally deleted by someone cleaning up their desktop before quitting. A project archive no one thought to check until a client called four months later.
The clock runs whether anyone is watching it or not.
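The Exchange Online window described above is a per-mailbox setting that an administrator can audit. As an added example (not part of the original article), this PowerShell script lists user mailboxes whose deleted-item retention is below 30 days and previews raising them; it assumes the ExchangeOnlineManagement module is installed and uses admin@example.com as a placeholder account.

```powershell
# Added example: audit and extend deleted-item retention in Exchange Online.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
# admin@example.com is a placeholder, not a real account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# 30 days is the extended window the article cites for Exchange Online.
$target = New-TimeSpan -Days 30

# Collect every user mailbox whose Recoverable Items retention is below the target.
$short = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        # The value can arrive as a string such as "14.00:00:00"; normalize it.
        $retain = [timespan]"$($_.RetainDeletedItemsFor)"
        if ($retain -lt $target) {
            [pscustomobject]@{
                Mailbox       = $_.UserPrincipalName
                RetentionDays = $retain.Days
            }
        }
    }

# Report the exposure: shortest windows first, then a count.
$short | Sort-Object RetentionDays | Format-Table -AutoSize
"{0} mailbox(es) below {1} days" -f @($short).Count, $target.Days

# Raise the window. -WhatIf only previews the change; remove it to apply.
foreach ($m in $short) {
    Set-Mailbox -Identity $m.Mailbox -RetainDeletedItemsFor $target.Days -WhatIf
}

Disconnect-ExchangeOnline -Confirm:$false
```

Extending the window to 30 days only delays the purge; items older than that still need an independent copy to be recoverable.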
Why Replication Is Not the Same as Backup
Here's where even technically minded business owners get tripped up. Microsoft replicates your data across multiple datacenters. Ask them directly and they'll confirm it. It sounds like backup.
It isn't. Replication copies the current state of your data to multiple locations. If a file gets deleted, the deletion replicates across all of them. If ransomware encrypts a folder, the encrypted version replicates too. Geo-redundancy protects against infrastructure failure. It does nothing to protect against changes to the data itself.
Microsoft's shared responsibility model makes this explicit: Microsoft is responsible for the infrastructure and the uptime. You are responsible for your data. Veeam, one of the larger backup vendors operating in this space, has written extensively on the distinction. Their short version: Microsoft keeps the lights on. You keep your data safe.
Three Scenarios That Actually Wipe Data
Where do businesses actually lose data in Microsoft 365? A few patterns come up repeatedly.
Accidental deletion. Someone cleans up a shared drive, deletes a folder they thought was outdated, and moves on. Nobody notices until the 93-day window has closed and recovery through Microsoft's native tools isn't an option.
Departing employees. A user account gets deactivated or deleted after someone leaves. Depending on how that's handled and how quickly licenses get reallocated, mailbox data and OneDrive files can disappear with the account. Without proper off-boarding and backup in place, that data is often unrecoverable.
Ransomware through sync. Ransomware has increasingly targeted cloud-connected storage. A device that syncs files to OneDrive can, in certain scenarios, push encrypted versions of files into the cloud before the infection is detected. Geo-replication makes sure the encrypted versions are consistent across datacenters. It doesn't undo the encryption.
None of these are unusual situations. Businesses relying on managed IT services in the 30-to-200-person range run into all three scenarios, often without realizing the exposure beforehand.
What Third-Party Backup for Microsoft 365 Actually Does
Third-party backup for Microsoft 365 works alongside your M365 tenant and creates independent copies of email, OneDrive, SharePoint, and Teams data on a regular schedule. Usually daily.
The retention isn't 14 days or 93 days. It's whatever the business defines: 1 year, 3 years, or longer, depending on regulatory requirements and internal policy. And because the backup is stored independently of Microsoft's infrastructure, recovery is available even if something happens at the tenant level.
The main solutions in this space are Veeam Data Cloud, Datto SaaS Protection, and Barracuda Cloud-to-Cloud Backup. Pricing typically runs $3 to $6 per user per month depending on features and whether a managed IT partner is handling it.
The configuration work is ongoing, not a one-time setup. Setting up the integration, defining retention policies, testing recovery, and adjusting as the organization grows all require ongoing attention. That's the managed part.
The Gap Most Businesses Don't Know They Have
According to Kaseya's 2025 State of SaaS Backup and Recovery Report, 71% of businesses don't have third-party backup protecting their Microsoft 365 data. That's a majority of M365 customers with a protection gap they may not know exists.
If your business is paying for Microsoft 365, you're covered for service uptime. For the actual data your business runs on, the question worth asking is whether backup is in place and who is managing and testing it. If you don't have a clear answer, that's the conversation to have with whoever handles your IT.
Frequently Asked Questions
Does Microsoft 365 have a built-in backup feature?
Microsoft has been rolling out a Microsoft 365 Backup add-on product, but standard M365 subscriptions don't include comprehensive long-term backup. The built-in tools (Recycle Bin and Recoverable Items folder) are short-term retention features with hard time limits. They are not backup solutions with flexible recovery options or long retention periods.
What happens to my files if I delete them in OneDrive?
Deleted files move to the OneDrive Recycle Bin, where they're held for up to 93 days across the first-stage and second-stage bins. After that window closes, they're permanently deleted. Microsoft's native tools offer no recovery after that point.
Does Microsoft 365 protect against ransomware?
Microsoft builds ransomware detection and file version history into M365. These features help in some scenarios. They don't guarantee recovery if a sync-connected device encrypts and overwrites cloud files before the infection is caught. Third-party backup provides an independent recovery point that isn't connected to the potentially compromised sync path.
How much does third-party backup for Microsoft 365 cost?
Most third-party backup solutions for M365 run $3 to $6 per user per month for standard coverage. What's included in that price, including support, monitoring, and recovery testing, depends on the solution and who manages it.
What should I ask my IT provider about Microsoft 365 backup?
Ask whether you have a third-party backup solution in place, what the retention period is, and when recovery was last tested. If the answer to any of those is unclear, that's the conversation worth having before something goes wrong.