How to Back Up Microsoft 365: Why Native Retention Is Not a Backup
Last updated . Added the short answer, a shared responsibility breakdown, a section on why native retention is not a backup, a 3-2-1 backup checklist, and an FAQ.
Most businesses assume that because their data is "in the cloud" with Microsoft 365, it's automatically backed up and protected. This is one of the most dangerous misconceptions in IT today. Microsoft provides infrastructure redundancy (they make sure their data centres stay online), but they do not back up your data on your behalf.
If an employee accidentally deletes a critical mailbox, a departing staff member wipes their OneDrive, or ransomware encrypts your SharePoint files, Microsoft will not restore that data for you. That responsibility falls squarely on your business.
The Microsoft 365 Backup Myth
The myth goes like this: Microsoft runs world-class data centres with geo-redundant storage, so the data inside Microsoft 365 must be backed up too. The first half is true. The conclusion is not. Microsoft replicates infrastructure so the service survives a hardware or data-centre failure. It does not keep a separate, restorable copy of your mailboxes and files that you can roll back after a deletion or a ransomware event. Microsoft says so plainly in its own service agreement, which recommends that customers use a third-party app to back up their content.
The Shared Responsibility Model
Every major cloud platform runs on a shared responsibility model, and Microsoft 365 is no exception. Microsoft secures and operates the platform. You own and protect everything you put into it. Backup sits squarely on your side of that line.
| Microsoft is responsible for | You are responsible for |
|---|---|
| Platform uptime and infrastructure redundancy | Backing up and being able to restore your data |
| Physical security of the data centres | Access control, identity, and configuration |
| Service-level replication against hardware failure | Recovery from deletion, ransomware, and admin error |
| Short-term retention windows (recycle bin, deleted items) | Long-term retention and point-in-time recovery |
The practical takeaway: the scenarios that actually lose business data (a deleted user, a malicious wipe, encrypted files, a bad retention policy) all fall on your side of the table. Microsoft keeps the lights on. Getting your data back is your job.
Why Native Retention Is Not a Backup
Microsoft 365 does include retention features, and they are useful for everyday "oops, I deleted that" recovery. But they are short-term safety nets inside the same environment, not a backup. Here is what is built in and where each one stops:
- Deleted Items folder: Items stay for 30 days, then they are permanently purged
- Recoverable Items folder: A secondary safety net that retains deleted items for up to 14 days (configurable to 30)
- OneDrive recycle bin: Files are recoverable for 93 days after deletion, then purged
- SharePoint version history: Keeps previous versions, but can be wiped if the file itself is deleted
- Retention labels and policies (Purview): Govern how long content is kept or held, but an admin or a bad policy change can still alter or remove them, and they are not a separate, isolated copy
A real backup has three properties that native retention lacks: it is independent (stored outside your production tenant, so it survives a tenant-level event), it is point-in-time (you can roll back to a clean snapshot from before an incident), and it has retention you control (kept for months or years, not 30 to 93 days). Native retention is none of these. Once the window closes, or once an attacker or admin reaches the data, there is no "call Microsoft support and ask them to restore it" option.
These are the real-world events native retention does not protect against:
- An employee accidentally deletes important files and nobody notices for 90+ days
- A disgruntled ex-employee deletes their mailbox and OneDrive contents before leaving
- Ransomware encrypts files synced to SharePoint and OneDrive, overwriting all versions
- An admin misconfigures a retention policy and data is purged organization-wide
- A compromised admin account disables retention and empties mailboxes on the way out
What Data Is at Risk
If you're using Microsoft 365 for your business, your entire digital operation is likely running through it. Here is exactly what is at stake without a proper backup strategy:
- Exchange Online: Every email, calendar event, and contact. Years of business communication and scheduling history.
- OneDrive for Business: Personal files and documents for every user. Proposals, spreadsheets, presentations, contracts.
- SharePoint Online: Team sites, document libraries, lists, and company-wide shared resources. Often the single source of truth for operational documents.
- Microsoft Teams: Chat history, channel conversations, shared files, and meeting recordings. For many businesses, Teams has replaced email as the primary communication tool.
Losing any one of these datasets would be disruptive. Losing all of them simultaneously, which is what happens in a ransomware attack, could be catastrophic. For most Ontario businesses, this data represents years of accumulated institutional knowledge that simply cannot be recreated.
How Third-Party Backup Works
Third-party backup solutions connect to your Microsoft 365 tenant via API and create independent copies of your data on separate, secure infrastructure. Here is what a proper backup solution provides:
- Automated snapshots: Your data is backed up automatically one to three times per day, with no manual intervention required
- Point-in-time recovery: Restore your data to any snapshot. Need to recover a file from two months ago? No problem.
- Granular restore: Restore a single email, a single file, a single calendar event, or an entire mailbox. You choose the scope.
- Unlimited retention: Keep backups for as long as you need, not just 30 or 93 days
- Isolated storage: Backups are stored separately from your production M365 environment, so ransomware that encrypts your SharePoint cannot reach your backup copies
The result is complete peace of mind. No matter what happens to your Microsoft 365 data (accidental deletion, malicious action, ransomware, or admin error), you can recover it quickly and completely.
What to Look For in a Backup
A good starting principle is the long-standing 3-2-1 backup rule: keep at least three copies of your data, on two different types of media or storage, with one copy kept off-site or in a separate, isolated environment. For Microsoft 365, your production tenant is the working copy; a third-party backup adds the independent, off-tenant copies the rule calls for. That isolation is what makes the backup survive a ransomware event or a compromised admin account that reaches your live data.
The Microsoft 365 backup market has matured significantly. Established solutions include Veeam Backup for Microsoft 365, Datto SaaS Protection, AvePoint Cloud Backup, and Acronis Cyber Protect. The product matters less than matching it to these criteria:
- Coverage: Does it back up Exchange, OneDrive, SharePoint, and Teams? Some solutions only cover a subset, and Teams in particular is easy to miss.
- Point-in-time recovery: Can you restore to a clean snapshot from before an incident, not just the latest copy?
- Granularity: Can you restore a single email, file, or calendar item, or do you have to restore an entire mailbox?
- Retention you control: Can you keep backups for months or years to meet your records retention obligations, rather than a fixed vendor limit?
- Recovery speed: How quickly can you actually restore? Minutes or hours matters when an entire mailbox is down.
- Storage location: Where does the backup data live? For Canadian businesses subject to PIPEDA, Canadian data residency is increasingly important.
- Tested restores: A backup you have never restored from is an assumption, not a safeguard. Restores should be tested on a schedule.
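The checklist above can be run as an automated audit over an inventory of your data copies. The following is an added example, not code from ClayGen or any backup vendor: the inventory records, their field names, and the 90-day restore-test threshold are assumptions made for illustration.

```python
from datetime import date

WORKLOADS = {"Exchange", "OneDrive", "SharePoint", "Teams"}  # workloads named in the article
NATIVE_MAX_DAYS = 93        # longest native window the article cites (OneDrive recycle bin)
RESTORE_TEST_MAX_AGE = 90   # assumption: restores are tested at least quarterly

# Constructed inventory: one record per copy of the data (field names are hypothetical).
INVENTORY = [
    {"name": "production-tenant", "storage": "m365", "off_tenant": False,
     "workloads": WORKLOADS, "retention_days": 93, "last_restore_test": None},
    {"name": "vendor-cloud-backup", "storage": "object-storage", "off_tenant": True,
     "workloads": {"Exchange", "OneDrive", "SharePoint"}, "retention_days": 365,
     "last_restore_test": date(2024, 1, 10)},
]

def audit(copies, today):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    backups = [c for c in copies if c["off_tenant"]]
    # 3-2-1: three copies, two storage types, one copy outside the tenant.
    if len(copies) < 3:
        findings.append(f"3-2-1: only {len(copies)} copies, need at least 3")
    if len({c["storage"] for c in copies}) < 2:
        findings.append("3-2-1: fewer than 2 storage types")
    if not backups:
        findings.append("3-2-1: no copy outside the production tenant")
    for b in backups:
        # Coverage: every workload must be in the backup (Teams is easy to miss).
        missing = WORKLOADS - set(b["workloads"])
        if missing:
            findings.append(f"{b['name']}: not covering {', '.join(sorted(missing))}")
        # Retention you control: must outlast the native windows.
        if b["retention_days"] <= NATIVE_MAX_DAYS:
            findings.append(f"{b['name']}: retention no longer than native windows")
        # Tested restores: an untested or stale backup is an assumption.
        tested = b["last_restore_test"]
        if tested is None or (today - tested).days > RESTORE_TEST_MAX_AGE:
            findings.append(f"{b['name']}: no restore test in the last {RESTORE_TEST_MAX_AGE} days")
    return findings

if __name__ == "__main__":
    for line in audit(INVENTORY, date(2024, 6, 1)):
        print("FINDING:", line)
```

Against the constructed inventory this reports three gaps: only two copies exist, Teams is not covered, and the last restore test is older than the threshold.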
For most small and mid-sized businesses, the best approach is to have your managed IT provider handle backup entirely. They select, deploy, monitor, and manage the backup solution so you never have to think about it. Backups happen automatically, restores are tested, and when you need something back, one call or email gets it done.
How ClayGen Handles M365 Backup
Microsoft 365 backup is included with our managed IT services. We deploy and manage automated, daily backup for your entire Microsoft 365 environment:
- Complete coverage: Exchange Online, OneDrive, SharePoint, and Teams are all backed up automatically
- Point-in-time recovery: Restore to any daily snapshot with granular item-level recovery
- Long retention: Your backups are kept for as long as you need them, not just 30 or 93 days
- Canadian data residency: Backup data is stored in Canadian data centres, supporting your PIPEDA compliance obligations
- Fully managed: Backups, monitoring, and restore requests are handled by our team
If your business relies on Microsoft 365 and you do not have third-party backup in place, you are exposed. It is not a question of if data loss will happen, but when. The good news is that setting up proper backup is straightforward and affordable.
Contact ClayGen for a free assessment of your current Microsoft 365 backup posture. We will show you exactly what is protected, what is not, and how to close the gaps.
For the broader view of this topic, see our complete Microsoft 365 management guide.
Microsoft 365 Backup FAQ
Common questions Ontario businesses ask about backing up Microsoft 365.
Does Microsoft 365 back up your data automatically?
Is the Microsoft 365 recycle bin or retention policy a backup?
How long does Microsoft keep deleted Microsoft 365 data?
Do I need third-party backup if I already pay for Microsoft 365?
Can ransomware reach my Microsoft 365 backup?