
How to Back Up Microsoft 365: Why Native Retention Is Not a Backup

Brian Clayton

Last updated . Added the short answer, a shared responsibility breakdown, a section on why native retention is not a backup, a 3-2-1 backup checklist, and an FAQ.

Most businesses assume that because their data is "in the cloud" with Microsoft 365, it's automatically backed up and protected. This is one of the most dangerous misconceptions in IT today. Microsoft provides infrastructure redundancy (they make sure their data centres stay online), but they do not back up your data on your behalf.

If an employee accidentally deletes a critical mailbox, a departing staff member wipes their OneDrive, or ransomware encrypts your SharePoint files, Microsoft will not restore that data for you. That responsibility falls squarely on your business.

The Microsoft 365 Backup Myth

The myth goes like this: Microsoft runs world-class data centres with geo-redundant storage, so the data inside Microsoft 365 must be backed up too. The first half is true. The conclusion is not. Microsoft replicates infrastructure so the service survives a hardware or data-centre failure. It does not keep a separate, restorable copy of your mailboxes and files that you can roll back after a deletion or a ransomware event. Microsoft says so plainly in its own service agreement, which recommends that customers use a third-party app to back up their content.

The Shared Responsibility Model

Every major cloud platform runs on a shared responsibility model, and Microsoft 365 is no exception. Microsoft secures and operates the platform. You own and protect everything you put into it. Backup sits squarely on your side of that line.

| Microsoft is responsible for | You are responsible for |
| --- | --- |
| Platform uptime and infrastructure redundancy | Backing up and being able to restore your data |
| Physical security of the data centres | Access control, identity, and configuration |
| Service-level replication against hardware failure | Recovery from deletion, ransomware, and admin error |
| Short-term retention windows (recycle bin, deleted items) | Long-term retention and point-in-time recovery |

The practical takeaway: the scenarios that actually lose business data (a deleted user, a malicious wipe, encrypted files, a bad retention policy) all fall on your side of the table. Microsoft keeps the lights on. Getting your data back is your job.

Why Native Retention Is Not a Backup

Microsoft 365 does include retention features, and they are useful for everyday "oops, I deleted that" recovery. But they are short-term safety nets inside the same environment, not a backup. Here is what is built in and where each one stops:

  • Deleted Items folder: Items stay for 30 days, then they are permanently purged
  • Recoverable Items folder: A secondary safety net that retains deleted items for up to 14 days (configurable to 30)
  • OneDrive recycle bin: Files are recoverable for 93 days after deletion, then purged
  • SharePoint version history: Keeps previous versions, but can be wiped if the file itself is deleted
  • Retention labels and policies (Purview): Govern how long content is kept or held, but an admin or a bad policy change can still alter or remove them, and they are not a separate, isolated copy

A real backup has three properties that native retention lacks: it is independent (stored outside your production tenant, so it survives a tenant-level event), it is point-in-time (you can roll back to a clean snapshot from before an incident), and it has retention you control (kept for months or years, not 30 to 93 days). Native retention is none of these. Once the window closes, or once an attacker or admin reaches the data, there is no "call Microsoft support and ask them to restore it" option.

These are the real-world events native retention does not protect against:

  • An employee accidentally deletes important files and nobody notices for 90+ days
  • A disgruntled ex-employee deletes their mailbox and OneDrive contents before leaving
  • Ransomware encrypts files synced to SharePoint and OneDrive, overwriting all versions
  • An admin misconfigures a retention policy and data is purged organization-wide
  • A compromised admin account disables retention and empties mailboxes on the way out
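
The last two events in this list leave traces in the Microsoft 365 audit log before the data is gone. The following is an added example, not part of the original article, that scans exported audit records for retention changes and bursts of permanent deletions. The record shape is simplified, the sample records are constructed, and the operation names, parameter names and thresholds are assumptions to check against an export from your own tenant.

```python
from datetime import datetime, timedelta

# Assumed operation and parameter names for unified audit log exports;
# confirm them against an export from your own tenant before relying on them.
POLICY_OPS = {"Remove-RetentionCompliancePolicy", "Remove-RetentionComplianceRule",
              "Set-RetentionCompliancePolicy", "Set-RetentionComplianceRule"}
PURGE_OPS = {"HardDelete", "FileDeletedSecondStageRecycleBin", "FileVersionsAllDeleted"}
RETENTION_PARAMS = {"RetainDeletedItemsFor", "SingleItemRecoveryEnabled",
                    "LitigationHoldEnabled", "RetentionHoldEnabled"}

def find_retention_risks(records, burst=3, window=timedelta(minutes=10)):
    """Return sorted (time, user, finding) tuples for tampering and purge bursts."""
    findings, purges = [], {}
    for rec in records:
        ts = datetime.fromisoformat(rec["CreationTime"])
        user, op = rec["UserId"], rec["Operation"]
        if op in POLICY_OPS:
            findings.append((ts, user, f"retention policy changed: {op}"))
        elif op == "Set-Mailbox":
            hit = RETENTION_PARAMS & {p["Name"] for p in rec.get("Parameters", [])}
            if hit:
                findings.append((ts, user, "mailbox retention changed: " + ", ".join(sorted(hit))))
        elif op in PURGE_OPS:
            purges.setdefault(user, []).append(ts)
    for user, stamps in purges.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over one user's purges
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= burst:
                findings.append((stamps[start], user, f"purge burst: {burst}+ permanent deletions"))
                break
    return sorted(findings)

def _rec(hhmm, user, op, *params):  # builds one constructed, simplified record
    return {"CreationTime": f"2024-05-01T{hhmm}:00", "UserId": user, "Operation": op,
            "Parameters": [{"Name": n, "Value": v} for n, v in params]}

SAMPLE_AUDIT = [  # constructed sample, not real tenant data
    _rec("08:55", "helpdesk@example.com", "Set-Mailbox", ("DisplayName", "J. Doe")),
    _rec("09:00", "admin@example.com", "Set-Mailbox", ("RetainDeletedItemsFor", "00:00:00")),
    _rec("09:02", "admin@example.com", "Remove-RetentionCompliancePolicy"),
    _rec("09:03", "admin@example.com", "HardDelete"),
    _rec("09:04", "admin@example.com", "HardDelete"),
    _rec("09:05", "admin@example.com", "HardDelete"),
    _rec("11:00", "user@example.com", "HardDelete"),
]

if __name__ == "__main__":
    for when, who, what in find_retention_risks(SAMPLE_AUDIT):
        print(when.isoformat(), who, what)
```

A hit tells you when to look for the last clean snapshot; it does not bring anything back, which is why the independent copy still matters.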

What Data Is at Risk

If you're using Microsoft 365 for your business, your entire digital operation is likely running through it. Here is exactly what is at stake without a proper backup strategy:

  • Exchange Online: Every email, calendar event, and contact. Years of business communication and scheduling history.
  • OneDrive for Business: Personal files and documents for every user. Proposals, spreadsheets, presentations, contracts.
  • SharePoint Online: Team sites, document libraries, lists, and company-wide shared resources. Often the single source of truth for operational documents.
  • Microsoft Teams: Chat history, channel conversations, shared files, and meeting recordings. For many businesses, Teams has replaced email as the primary communication tool.

Losing any one of these datasets would be disruptive. Losing all of them simultaneously, which is what happens in a ransomware attack, could be catastrophic. For most Ontario businesses, this data represents years of accumulated institutional knowledge that simply cannot be recreated.

How Third-Party Backup Works

Third-party backup solutions connect to your Microsoft 365 tenant via API and create independent copies of your data on separate, secure infrastructure. Here is what a proper backup solution provides:

  • Automated snapshots: Your data is backed up automatically one to three times per day, with no manual intervention required
  • Point-in-time recovery: Restore your data to any snapshot. Need to recover a file from two months ago? No problem.
  • Granular restore: Restore a single email, a single file, a single calendar event, or an entire mailbox. You choose the scope.
  • Unlimited retention: Keep backups for as long as you need, not just 30 or 93 days
  • Isolated storage: Backups are stored separately from your production M365 environment, so ransomware that encrypts your SharePoint cannot reach your backup copies

The result is complete peace of mind. No matter what happens to your Microsoft 365 data (accidental deletion, malicious action, ransomware, or admin error), you can recover it quickly and completely.

What to Look For in a Backup

A good starting principle is the long-standing 3-2-1 backup rule: keep at least three copies of your data, on two different types of media or storage, with one copy kept off-site or in a separate, isolated environment. For Microsoft 365, your production tenant is the working copy; a third-party backup adds the independent, off-tenant copies the rule calls for. That isolation is what makes the backup survive a ransomware event or a compromised admin account that reaches your live data.

The Microsoft 365 backup market has matured significantly. Established solutions include Veeam Backup for Microsoft 365, Datto SaaS Protection, AvePoint Cloud Backup, and Acronis Cyber Protect. The product matters less than matching it to these criteria:

  1. Coverage: Does it back up Exchange, OneDrive, SharePoint, and Teams? Some solutions only cover a subset, and Teams in particular is easy to miss.
  2. Point-in-time recovery: Can you restore to a clean snapshot from before an incident, not just the latest copy?
  3. Granularity: Can you restore a single email, file, or calendar item, or do you have to restore an entire mailbox?
  4. Retention you control: Can you keep backups for months or years to meet your records retention obligations, rather than a fixed vendor limit?
  5. Recovery speed: How quickly can you actually restore? Minutes or hours matters when an entire mailbox is down.
  6. Storage location: Where does the backup data live? For Canadian businesses subject to PIPEDA, Canadian data residency is increasingly important.
  7. Tested restores: A backup you have never restored from is an assumption, not a safeguard. Restores should be tested on a schedule.
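
The 3-2-1 rule and criteria 4 and 7 above can be checked mechanically against an inventory of where your copies live. This is an added example, not from the original article; the `DataCopy` fields, the tenant and identity names, and the 365-day and 90-day thresholds are assumptions chosen for illustration, and both inventories are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class DataCopy:
    name: str
    tenant: str            # tenant or account that holds the copy
    storage: str           # storage type, e.g. "m365" or "object-store"
    admin_realm: str       # identity system whose admins can delete the copy
    retention_days: int
    last_restore_test: Optional[date] = None

def assess_321(copies, prod_tenant, prod_realm, today, min_retention=365, max_test_age=90):
    """Return the list of gaps against 3-2-1; an empty list means the plan passes."""
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies, need 3")
    if len({c.storage for c in copies}) < 2:
        gaps.append("all copies on one storage type")
    # Isolated = outside the production tenant AND not deletable by its admins.
    isolated = [c for c in copies
                if c.tenant != prod_tenant and c.admin_realm != prod_realm]
    if not isolated:
        gaps.append("no copy is isolated from the production tenant and its admins")
    for c in isolated:
        if c.retention_days < min_retention:
            gaps.append(f"{c.name}: retention {c.retention_days}d below {min_retention}d")
        age = None if c.last_restore_test is None else (today - c.last_restore_test).days
        if age is None or age > max_test_age:
            gaps.append(f"{c.name}: no restore test in the last {max_test_age}d")
    return gaps

TODAY = date(2024, 6, 1)  # constructed inventories below
WEAK = [  # the vendor copy is off-tenant but production admins can still delete it
    DataCopy("production", "prod-tenant", "m365", "prod-entra", 93),
    DataCopy("export site", "prod-tenant", "m365", "prod-entra", 93),
    DataCopy("vendor backup", "vendor-a", "object-store", "prod-entra", 730),
]
STRONG = [
    DataCopy("production", "prod-tenant", "m365", "prod-entra", 93),
    DataCopy("vendor backup", "vendor-a", "object-store", "vendor-a-idp", 730, date(2024, 5, 10)),
    DataCopy("offline archive", "vendor-b", "tape", "vendor-b-idp", 2555, date(2024, 4, 2)),
]

if __name__ == "__main__":
    print(assess_321(WEAK, "prod-tenant", "prod-entra", TODAY))
    print(assess_321(STRONG, "prod-tenant", "prod-entra", TODAY))
```

The `WEAK` inventory has three copies on two storage types and still fails, because the same admin identities that can reach production can also delete the off-tenant copy.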

For most small and mid-sized businesses, the best approach is to have your managed IT provider handle backup entirely. They select, deploy, monitor, and manage the backup solution so you never have to think about it. Backups happen automatically, restores are tested, and when you need something back, one call or email gets it done.

How ClayGen Handles M365 Backup

Microsoft 365 backup is included with our managed IT services. We deploy and manage automated, daily backup for your entire Microsoft 365 environment:

  • Complete coverage: Exchange Online, OneDrive, SharePoint, and Teams are all backed up automatically
  • Point-in-time recovery: Restore to any daily snapshot with granular item-level recovery
  • Long retention: Your backups are kept for as long as you need them, not just 30 or 93 days
  • Canadian data residency: Backup data is stored in Canadian data centres, supporting your PIPEDA compliance obligations
  • Fully managed: Backups, monitoring, and restore requests are handled by our team

If your business relies on Microsoft 365 and you do not have third-party backup in place, you are exposed. It is not a question of if data loss will happen, but when. The good news is that setting up proper backup is straightforward and affordable.

Contact ClayGen for a free assessment of your current Microsoft 365 backup posture. We will show you exactly what is protected, what is not, and how to close the gaps.

For the broader view of this topic, see our complete Microsoft 365 management guide.

Microsoft 365 Backup FAQ

Common questions Ontario businesses ask about backing up Microsoft 365.

Does Microsoft 365 back up your data automatically?
No. Microsoft replicates its infrastructure so the service stays online, but under the shared responsibility model it does not keep a separate, restorable backup of your mailboxes and files. Microsoft's own services agreement recommends that customers use a third-party app to back up their content. Native features like the recycle bin and deleted items are short-term recovery windows, not a backup.
Is the Microsoft 365 recycle bin or retention policy a backup?
No. The recycle bin (93 days in OneDrive and SharePoint), deleted items (30 days), and retention labels are safety nets inside your live tenant. They are time-limited, they sit in the same environment that a ransomware attack or a compromised admin can reach, and a bad policy change can alter or remove them. A real backup is independent, point-in-time, and kept for as long as you choose.
How long does Microsoft keep deleted Microsoft 365 data?
It varies by service and is short. Deleted email sits in the Deleted Items folder for about 30 days and the Recoverable Items folder for up to 14 days (configurable to 30). Files in the OneDrive and SharePoint recycle bins are recoverable for 93 days. After those windows close the data is purged and Microsoft cannot restore it for you.
Do I need third-party backup if I already pay for Microsoft 365?
For most businesses, yes. Your subscription covers the productivity apps and platform, not an independent backup of your data. Third-party backup protects against the events native retention does not cover: accidental deletion discovered late, a departing employee wiping a mailbox, ransomware, and admin error. For a business that depends on email and files, that protection is essential.
Can ransomware reach my Microsoft 365 backup?
Not if the backup is isolated. A proper third-party backup stores copies on separate infrastructure outside your production tenant, so ransomware that encrypts your live SharePoint or OneDrive cannot reach the backup copies. This is the off-site, isolated copy in the 3-2-1 backup rule, and it is what lets you roll back to a clean point in time after an attack.
