Microsoft 365 Backup: What Your Plan Actually Covers

A common assumption in Microsoft 365 deployments is that the platform handles backup. It doesn't work that way. Microsoft keeps their infrastructure running. The data inside is your responsibility to protect. That distinction tends to stay invisible until someone needs a restore.

This comes up more often than it should in conversations with growing businesses. A team moves to Microsoft 365, trusts it's running on Azure datacenters, and figures the backup question is handled. Microsoft's own services agreement says otherwise.

What Microsoft 365 Actually Includes

There is data protection baked into Microsoft 365. It just isn't backup.

OneDrive and SharePoint include version history and a recycle bin. Exchange Online has deleted item recovery with a default window of 14 days. Microsoft also replicates your data across multiple data centers, which is about keeping the service available, not about recovering data that got deleted, overwritten, or encrypted.

Retention policies can extend some of those windows to 30 or 90 days depending on your plan and configuration. But retention preserves data in place for legal or compliance purposes. It's not a snapshot you can restore from. You can have retention policies in place and still lose data permanently if the deletion or corruption happened outside the window, or if you need to get back to a specific point in time.

The Shared Responsibility Model

Microsoft calls this the shared responsibility model, and it's in the terms of service. Microsoft owns the infrastructure: the hardware, the network, the application platform. The customer owns the data.

That's how every major SaaS platform works. Salesforce doesn't back up your CRM. Google doesn't back up Google Workspace. The platforms stay up. Your data is yours to protect.

For most businesses in the 25-to-150-employee range, nobody ever walked them through what that actually means for Microsoft 365. They see "cloud" and assume the backup question is handled. It isn't.

Microsoft Built a Backup Product. It Costs Extra.

Microsoft launched its own Microsoft 365 Backup service, priced at $0.15 per GB per month for backup storage. It covers three workloads: SharePoint Online, OneDrive for Business, and Exchange mailboxes.

It does not cover Teams chat history. It doesn't cover Planner. It doesn't cover Power Platform assets.

That last gap is getting more significant. A lot of teams that have been on Microsoft 365 for a few years are now running workflows and small automations through Power Automate, storing project tracking in Planner, and running most of their internal communication through Teams. That data lives in Microsoft's cloud. It's not covered by the native backup add-on.

Teams chat history also increasingly includes Microsoft 365 Copilot interactions. The conversations, the AI-assisted decisions, the drafts that went back and forth before a document was finalized. None of that is in the backup scope for Microsoft's own product.

The native backup tool also requires configuration, monitoring, and recovery testing. The storage cost goes on your bill whether the setup is correct or not.

Backup Without Testing Is a Risk, Not a Safety Net

Datto's 2025 State of BCDR Report tracked organizations through actual data loss events. More than 60 percent believed they could recover their critical systems within a day. Only 35 percent actually did.

The gap showed up in one predictable place: organizations that had some form of backup in place but had never tested a real recovery. The backup was running. When they needed it, the restore process failed or took three times longer than anyone expected.

Modern ransomware adds another layer to this. Attackers don't just go after primary data. They look for backup repositories in the same tenant or connected storage. A backup that lives entirely inside the same Microsoft 365 tenant that got compromised is a problem.

The practical question isn't whether backup exists. It's whether anyone has run a full restore test recently and whether the backup actually lives somewhere separate.

What Third-Party Backup Covers

Third-party solutions like Veeam, AvePoint, and Commvault run roughly $2 to $6 per user per month depending on features and retention. For a 50-person team, that's $100 to $300 a month.

They cover the workloads Microsoft's native tool skips. Teams chat history, Planner, Power Platform, SharePoint with deeper restore options. They also store backups outside the Microsoft tenant, which matters if the tenant is what gets hit.

Managed backup through a good IT provider includes regular recovery testing as part of the service. That's the piece most internal setups skip, not because anyone decided testing was optional but because it requires dedicated time and someone who knows what they're doing.

The Compliance Angle

If your business handles medical records, financial data, or anything under HIPAA, PCI-DSS, or a state data privacy requirement, your compliance and data retention requirements go well beyond what M365 provides by default.

Healthcare organizations can face record retention rules measured in decades. Financial firms operate under similar constraints. Litigation hold in Microsoft 365 preserves data in place but doesn't give you granular point-in-time restore capability. For regulated businesses, that gap has real consequences.

What to Do About It

The short version: find out what's actually backing up your Microsoft 365 data, and verify that recovery has been tested recently.

If your team is relying on version history and the recycle bin, you have partial protection with hard limits. If your managed IT services provider or internal team has Microsoft 365 Backup or a third-party solution in place, ask when the last full restore test happened and what workloads are covered. If nobody can answer that cleanly, the question isn't whether you have backup. It's whether the backup you have will actually work when you need it.

---

Frequently Asked Questions

Does Microsoft 365 automatically back up my data? No. Microsoft 365 includes short-term retention, version history, and deleted item recovery, but this is not backup. Microsoft's shared responsibility model puts data protection on the customer. Full backup requires either Microsoft's paid Backup add-on ($0.15 per GB per month) or a third-party solution, typically $2 to $6 per user per month.

What is the difference between Microsoft 365 retention and backup? Retention preserves data in place for legal or compliance purposes. Backup creates a separate copy you can restore to a specific point in time. You can have retention policies in place and still lose data permanently. They're different tools for different problems.

What data does Microsoft's native M365 Backup not cover? Microsoft's paid Backup tool covers SharePoint Online, OneDrive for Business, and Exchange mailboxes. It currently does not cover Teams chat history, Planner tasks, or Power Platform assets. These are workloads that increasingly hold business-critical data.

How often should Microsoft 365 backup be tested? At minimum quarterly, ideally monthly. Datto's 2025 State of BCDR Report found that 60 percent of organizations expected to recover quickly from a data loss event, but only 35 percent actually did during real incidents. The gap usually came down to backup processes that were never tested.

How much does backing up Microsoft 365 actually cost? Microsoft's native add-on runs $0.15 per GB per month for storage. Third-party solutions like Veeam, AvePoint, or Commvault typically run $2 to $6 per user per month depending on features and retention requirements. For most growing businesses, the monthly cost is minor compared to the exposure from unrecoverable data loss.