Is your Microsoft 365 data actually backed up?

24 March 2026

Microsoft 365

Is your Microsoft 365 data actually backed up?

If your business uses Outlook, SharePoint, OneDrive, or Teams, you might assume Microsoft is looking after your data. The reality is quite different — and it is something many businesses only discover when it is too late.

Microsoft does not back up your data

Microsoft operates under what is known as the Shared Responsibility Model. Microsoft is responsible for keeping the service up and running — the infrastructure, the data centres, and platform availability. The protection of your actual data is your responsibility.

"For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control."

— Microsoft Azure: Shared Responsibility in the Cloud (learn.microsoft.com)

Microsoft's own Online Services Agreement goes even further:

"We recommend that you regularly backup your content and data that you store on the services or store using third-party apps and services."

— Microsoft Online Services Agreement

Microsoft themselves are telling you to back up your data using a third-party solution. They are not doing it for you.

The shared responsibility model

Here is exactly how responsibility is divided between Microsoft and your business:

Microsoft's responsibility Your responsibility
Service availability and uptime Protecting your data from loss or corruption
Physical security of data centres Recovery after accidental deletion or attack
Infrastructure-level replication Meeting your own data retention requirements
Platform and network security Compliance with legal and regulatory obligations
Authentication infrastructure Independent, restorable backup copies

An important distinction: Microsoft's built-in replication is designed to protect against hardware failure — not data loss. If a file is deleted or encrypted by ransomware, that change is replicated too. It does not help you recover your data.

What Microsoft does and does not provide

Microsoft includes some built-in features for short-term recovery, but these are not the same as a proper backup:

  • Recycle bins — deleted files in SharePoint and OneDrive can be recovered for up to 93 days
  • Version history — documents retain previous versions for a limited period
  • Geo-redundancy — data is replicated across multiple data centres to protect against hardware failure
  • Microsoft 365 Backup — a paid add-on launched in 2024 offering some point-in-time restore for OneDrive, SharePoint, and Exchange

Without a third-party backup solution, you have no reliable protection against:

High risk Accidental deletion — once a file ages out of the recycle bin, it is permanently gone
High risk Ransomware — encrypted files may be retained by Microsoft; after the recovery window closes, originals are lost
High risk Departing staff — Microsoft purges data from deleted user accounts after approximately 90 days
Risk Malicious deletion — a staff member with the right permissions can permanently delete large volumes of data
Risk Long-term retention gaps — if your business has legal or compliance obligations beyond Microsoft's default windows, that is entirely your responsibility
93 days
SharePoint recycle bin retention
90 days
before deleted account data is purged
71%
of businesses had no third-party backup in place

What a proper backup solution covers

A dedicated Microsoft 365 backup service provides genuine protection that Microsoft's built-in tools cannot match:

Exchange Online
Email, calendar, contacts, and tasks — backed up daily and restorable at the item level
SharePoint Online
Sites, document libraries, and lists — with point-in-time recovery to any previous state
OneDrive for Business
All files and folder structures, stored independently outside Microsoft's environment
Microsoft Teams
Chat messages, channel content, and associated files retained long-term
  • Point-in-time recovery — restore data to a specific moment, not just the last available version
  • Independent storage — backups held outside Microsoft's environment so a Microsoft-side issue does not affect them
  • Long-term retention — keep data as long as your business or compliance requirements demand
  • Leaver protection — retain departing staff data without paying for an ongoing Microsoft 365 licence
  • Granular recovery — restore a single email, a specific file, or an entire mailbox as needed

The bottom line

Moving to Microsoft 365 was a smart decision. But being in the cloud does not mean your data is automatically protected. Microsoft keeps the lights on — it is your responsibility to protect what is inside.

A Microsoft 365 backup is not a luxury. It is a straightforward safeguard that every business using the platform should have in place. If you are not sure whether your data is currently backed up, it is worth finding out before you need to.

Sources: Microsoft Azure — Shared Responsibility in the Cloud · Microsoft Online Services Agreement · Microsoft 365 Backup Best Practices White Paper (Microsoft, adoption.microsoft.com)

Back to Articles