Microsoft 365 Backup Reality: What Microsoft Doesn’t Actually Protect

If you’re using Microsoft 365, you might assume that Microsoft backs up all your data. After all, you’re paying for a cloud service, so your emails, files, and Teams chats should be safe, right?

Wrong.

Microsoft 365 does offer some data retention and recovery features, but it’s not a comprehensive backup solution. If you experience accidental deletion, ransomware, or a malicious insider threat, you could lose critical business data permanently.

Let’s break down what Microsoft actually protects—and what it doesn’t.

Microsoft 365 includes some built-in data retention features:

• Recycle Bin: Deleted emails and files are kept for 30 days (or 93 days with some settings). After that, they’re gone.
• Version History: OneDrive and SharePoint keep file versions, but only a limited number (typically 500 versions or 30 days).
• Litigation Hold: If enabled, mailbox items are preserved even after deletion—but this is for legal compliance, not disaster recovery.
• Geo-Redundancy: Microsoft replicates data across multiple data centres to prevent hardware failures.

These features are useful, but they’re not the same as a backup. They won’t save you from:

Microsoft’s Shared Responsibility Model makes it clear: you are responsible for backing up your own data.

Here’s what isn’t backed up:

• Permanently Deleted Emails: Once an email is removed from the Deleted Items folder and the retention period expires, it’s gone.
• Teams Messages & Channels: While Teams data is stored in Exchange and SharePoint, accidental deletion or corruption can still occur.
• OneDrive & SharePoint Files: If a file is deleted and the version history is exhausted, there’s no recovery option.
• Mailbox Rules & Settings: Custom rules, signatures, and configurations aren’t backed up.
• Third-Party App Data: Any data stored in third-party apps integrated with Microsoft 365 is your responsibility.

Scenario 1: Ransomware Attack
A ransomware attack encrypts your SharePoint files. Microsoft 365’s version history might help—unless the ransomware has been running for weeks, overwriting all previous versions.

Scenario 2: Accidental Mass Deletion
An employee accidentally deletes an entire SharePoint library. If it’s been more than 93 days, that data is gone forever.

Scenario 3: Malicious Insider
A disgruntled employee deletes critical emails and files before leaving. By the time you notice, the retention period has passed.

Scenario 4: Synchronisation Errors
A buggy app or sync issue corrupts your OneDrive files. Without a proper backup, you have no clean copy to restore.

For small and medium businesses, especially in construction, losing project files, contracts, or financial records can be catastrophic.

• Regulatory Compliance: Many industries require long-term data retention beyond what Microsoft 365 offers.
• Business Continuity: A proper backup ensures you can recover quickly from any disaster.
• Ransomware Protection: Immutable backups prevent attackers from encrypting your recovery data.
• Legal & Litigation Risks: If you can’t produce historical data when needed, you could face legal consequences.

A good Microsoft 365 backup solution should provide:

• Automated Daily Backups: Regular snapshots of all Microsoft 365 data
• Unlimited Retention: Keep backups as long as you need
• Granular Recovery: Restore individual emails, files, or entire mailboxes
• Ransomware Protection: Immutable backups that can’t be encrypted
• Compliance Features: Meet GDPR, ISO 27001, and industry-specific regulations
• Fast Recovery: Restore data quickly to minimise downtime

Microsoft 365 is a powerful platform, but it’s not a backup service. If you want to protect your business from data loss, you need a dedicated third-party backup solution.

At GoodChoice IT, we help businesses implement robust Microsoft 365 backup strategies that ensure your data is always recoverable—no matter what happens.

Don’t wait until it’s too late. Contact us today to protect your Microsoft 365 environment.