Most businesses assume their Microsoft 365 data is safely backed up. It’s Microsoft, after all — one of the largest cloud providers on earth. Surely they have it covered?

They don’t. Not in the way you think.

This article explains exactly what Microsoft 365 does and doesn’t back up automatically, how the Shared Responsibility Model puts the burden on you, and what falls through the cracks even when you’re paying for a Microsoft 365 subscription. Whether you’re an IT admin, a business owner, or someone who just deleted the wrong email — read this before you need it.

This article draws on Microsoft’s own documentation, verified industry research, and hands-on knowledge of how Microsoft 365 data protection actually works in practice.

Microsoft’s Built-In Protections: The Good News First

Microsoft does protect your data — just not in the way most people imagine.

Microsoft 365 maintains multiple physically redundant copies of your data across geographic locations to mitigate the impact of physical disasters. If a data centre floods or a server rack fails, your files don’t disappear. That’s genuine resilience, and it’s excellent infrastructure-level protection.

OneDrive, SharePoint, and Exchange use append-only backup storage, meaning SharePoint can only add new content blobs and can never change old ones until they’re permanently deleted. This architecture makes it difficult for ransomware to silently corrupt historical versions — a real advantage over many legacy backup approaches.

Microsoft 365 also gives users several native recovery tools worth knowing:

  • Recycle Bin: Deleted files in SharePoint and OneDrive go here first. Microsoft 365’s recycle bin holds items for up to 30 days before hard deletion.
  • Version History: SharePoint and OneDrive keep previous file versions, so users can roll back individual documents.
  • Deleted Items Folder: In Exchange Online (Outlook), deleted emails sit in a recoverable folder for up to 14 days by default, extendable via retention policies.

These are useful safety nets. But they’re not a backup. There’s a meaningful difference — and it matters.
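To see how long the Exchange safety net described above lasts in your own tenant, the following added example (not from Microsoft or the original article) reports each mailbox's deleted-item retention window and hold status. It assumes the ExchangeOnlineManagement module is installed and uses a hypothetical threshold parameter, `$MinimumDays`, that you should set to your own policy.

```powershell
# Added example: report each mailbox's deleted-item retention window and hold status.
# Requires the ExchangeOnlineManagement module and an Exchange role that can read mailboxes.
param(
    # Assumed threshold for this example; set it to your organisation's policy.
    [int]$MinimumDays = 30
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$props  = 'RetainDeletedItemsFor', 'SingleItemRecoveryEnabled', 'LitigationHoldEnabled'
$report = Get-EXOMailbox -ResultSize Unlimited -Properties $props | ForEach-Object {
    # The value may arrive as a TimeSpan or as a string such as "14.00:00:00".
    $window = [TimeSpan]::Parse([string]$_.RetainDeletedItemsFor,
                                [cultureinfo]::InvariantCulture)
    [pscustomobject]@{
        Mailbox            = $_.PrimarySmtpAddress
        RetainDeletedDays  = [int]$window.TotalDays
        SingleItemRecovery = $_.SingleItemRecoveryEnabled
        LitigationHold     = $_.LitigationHoldEnabled
        # Flag mailboxes with a short window and no hold keeping deleted items longer.
        BelowThreshold     = ($window.TotalDays -lt $MinimumDays) -and
                             (-not $_.LitigationHoldEnabled)
    }
}

# Show the exposed mailboxes first, then keep the full report as evidence.
$report | Where-Object BelowThreshold | Sort-Object RetainDeletedDays |
    Format-Table -AutoSize
$report | Export-Csv -Path ".\mailbox-retention-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```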

What Data Is NOT Backed Up in Microsoft 365

Here’s where the picture changes fast.

Microsoft 365 cannot protect you from data loss at your end due to human error, malicious intent, outages, sync errors, or malware. The moment a problem originates within your tenant — a user deleting a folder, a ransomware attack encrypting files, a departing employee wiping their OneDrive — Microsoft’s infrastructure protections become largely irrelevant.

The specific gaps organisations regularly run into:

Teams Chat History

Microsoft Teams data isn’t automatically backed up. Microsoft provides limited retention options, but not full data recovery capabilities. If a team is deleted, it is permanently deleted (along with channels, conversations, files, and the Microsoft 365 group) after 30 days and cannot be restored unless you have a third-party backup solution in place.

Private channel messages and one-on-one chats are especially fragile. Even many third-party tools struggle here due to Microsoft Graph API restrictions.

OneDrive: Sync ≠ Backup

OneDrive is a file-syncing tool designed to optimise file sharing and collaboration — not a backup. Whatever happens to a local document happens to the document synced in the cloud. If a file is deleted or infected by malware on your local drive, that change propagates automatically to your OneDrive account.

If a file is deleted, all older versions of that file are also deleted. If it is permanently deleted and no immutable storage is in place, no viable recovery points are available.

Tenant Configuration Settings

Native backup typically only covers user data, not all configuration or policy settings. Manual exports or third-party tools are needed to protect conditional access rules, Teams policies, security settings, and admin configurations. Lose these, and you’re rebuilding your security posture from memory.
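One way to do the manual export mentioned above for conditional access rules, as an added example that is not part of the original article or any vendor's tooling. It assumes the Microsoft Graph PowerShell SDK is installed; `$ExportRoot` is a hypothetical path that should point at storage outside your tenant.

```powershell
# Added example: snapshot Conditional Access policies to timestamped JSON files.
# Requires the Microsoft.Graph.Identity.SignIns module and consent for Policy.Read.All.
param(
    # Hypothetical path; point it at storage outside the Microsoft 365 tenant.
    [string]$ExportRoot = 'D:\m365-config-exports\conditional-access'
)

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $ExportRoot $stamp
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# One file per policy, named by policy Id so renames do not break comparisons.
foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    $policy | ConvertTo-Json -Depth 20 |
        Set-Content -Path (Join-Path $outDir "$($policy.Id).json") -Encoding UTF8
}

# Hash manifest: verifies a snapshot later and allows a diff against the previous one.
$manifest = Join-Path $outDir 'manifest.csv'
Get-ChildItem -Path $outDir -Filter *.json | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'PolicyId'; e = { [IO.Path]::GetFileNameWithoutExtension($_.Path) } }, Hash |
    Export-Csv -Path $manifest -NoTypeInformation

# Report policies added, removed or changed since the most recent earlier snapshot.
$previous = Get-ChildItem -Path $ExportRoot -Directory |
    Where-Object { $_.Name -lt $stamp -and (Test-Path (Join-Path $_.FullName 'manifest.csv')) } |
    Sort-Object Name | Select-Object -Last 1
if ($previous) {
    $old = @(Import-Csv (Join-Path $previous.FullName 'manifest.csv'))
    $new = @(Import-Csv $manifest)
    if ($old.Count -and $new.Count) {
        Compare-Object $old $new -Property PolicyId, Hash |
            Select-Object PolicyId, @{ n = 'Snapshot'; e = {
                if ($_.SideIndicator -eq '=>') { 'current' } else { 'previous' } } }
    }
}
Disconnect-MgGraph | Out-Null
```

The JSON files are a reference copy for rebuilding policies; run the script on a schedule so an unexpected change or deletion shows up in the comparison output.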

Long-Term Retention Gaps

After the default retention window (30 to 93 days), deleted items are permanently gone. For healthcare organisations subject to HIPAA, financial firms under SOX, or any business needing multi-year records, this is a ticking compliance clock, not a backup strategy.

Microsoft 365 Backup vs. Retention Policy: They’re Not the Same Thing

This is the most common source of confusion — and the most dangerous.

A retention policy in Microsoft 365 is a compliance tool. It preserves data so it can be exported or reviewed in an eDiscovery investigation. It is not designed for fast, granular restore. Legal holds retain data, but that feature is optimised for export (such as via eDiscovery), not for mass restore.

A backup is a restorable copy of your data at a specific point in time. You can pull out a single email, an entire mailbox, or a SharePoint site as it existed last Tuesday morning.

Versions give individual users a way to restore files or sites to prior points in time. However, that kind of recovery doesn’t scale well for large-scale ransomware attacks where an admin needs to orchestrate recovery. Versions might also be exhausted depending on the version limit set by the admin.

Microsoft itself acknowledged this distinction when it launched Microsoft 365 Backup as a separate, paid product. As of July 31, 2024, the price is $0.15 per GB per month for Backup data storage. The product covers SharePoint sites, OneDrive accounts, and Exchange mailboxes — with restore point frequencies as granular as every 10 minutes for Exchange and OneDrive for the trailing two weeks.

But even this paid product has limits. Today, only files stored in SharePoint sites for a Teams channel are backed up if those sites are in your Microsoft 365 Backup protection policy. Teams chat messages, private channels, and meeting recordings require separate handling.

The Microsoft 365 Shared Responsibility Model Explained

Microsoft is transparent about this, even if the message gets buried in the fine print.

The Shared Responsibility Model is a framework that divides data protection obligations between Microsoft and the customer. Microsoft secures the infrastructure. You secure your data.

The Microsoft Service Agreement states: “We recommend that you regularly back up your content and data that you store on the services or store using third-party apps and services.” That sentence has been in the agreement for years. Most organisations have never read it.

For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control.

In practical terms: Microsoft guarantees Exchange Online will be running. It does not guarantee the email your CFO deleted eight months ago can be recovered.

The scale of the risk is real. Human error contributed to 95% of data breaches in 2024. Accidental deletions, misconfigured retention policies, and departing employees with access they shouldn’t have — these are your threat vectors, not Microsoft’s data centre catching fire.

Does Microsoft 365 Need a Third-Party Backup? Here’s How to Decide

The honest answer: it depends on your risk tolerance and compliance obligations.

If you run a 5-person team and losing a week of emails would be an inconvenience, you might be fine with native tools. If you’re a 200-person professional services firm subject to regulatory retention requirements — you need more.

Ask yourself four questions:

  1. How long could your business operate if you lost all email from the past 90 days?
  2. Do any regulations (HIPAA, GDPR, SOX, FINRA) require you to retain data beyond Microsoft’s default window?
  3. Do you have a process for preserving data when an employee leaves?
  4. Could you restore a single email or SharePoint document from six months ago, right now, in under 10 minutes?

If you answered “no” to any of these, you have a gap.

Third-party Microsoft 365 backup solutions typically cost between $2 and $6 per user per month. For a 50-user organisation, that’s roughly $100–$300 per month — a fraction of the cost of a single data loss incident.

When evaluating third-party options, look for: automated daily backups of Exchange, OneDrive, SharePoint, and Teams; granular restore (single email, file, or entire mailbox); retention beyond 90 days; and storage that sits entirely outside your Microsoft 365 tenant. Tools like Veeam, Spanning, Druva, and AvePoint are widely used in this space by IT teams who work with Microsoft 365 environments daily.

Conclusion

Microsoft 365 protects its infrastructure brilliantly. Your data? That’s your job.

What Microsoft 365 backs up automatically: Infrastructure resilience, geo-redundant copies, short-term recycle bin recovery, and file versioning. Strong for disaster recovery at Microsoft’s end.

What it doesn’t protect: Data deleted beyond the retention window, Teams chat history, tenant configuration settings, granular point-in-time restores, and long-term compliance retention.

The Shared Responsibility Model isn’t a technicality — it’s a real line in the sand. Knowing which side your data obligations sit on is the first step.

Your next step: Review Microsoft’s default retention settings in your admin centre this week. If the gaps feel uncomfortable, start evaluating a third-party backup solution before you need one.

Frequently Asked Questions

What does Microsoft 365 back up automatically?

Microsoft 365 automatically maintains geo-redundant, infrastructure-level copies of your data to protect against physical outages. It also offers short-term recovery tools including the Recycle Bin (up to 30 days), file version history, and a Deleted Items folder for Exchange. These are availability features — not a full backup solution.

Does Microsoft 365 back up Teams chat history?

No. Teams chat messages are not automatically backed up by Microsoft. If a team or chat is permanently deleted after the 30-day grace period, it cannot be recovered natively. The paid Microsoft 365 Backup product covers Teams channel files via SharePoint, but private chats and direct messages require a separate third-party solution.

What is the Microsoft 365 backup retention period?

Microsoft’s default retention window is 30 days for most items (Recycle Bin, deleted Teams). Exchange Online extends this to 93 days with a Litigation Hold. The paid Microsoft 365 Backup product extends protection up to one year for Exchange, with restore points every 10 minutes. Beyond these windows, data is permanently deleted.

Can Microsoft restore deleted files after the retention period ends?

No. Once data moves past Microsoft’s retention window and leaves the Recycle Bin or second-stage recovery, it is permanently gone. Microsoft’s own service agreement recommends customers regularly back up their data. Without a third-party backup, there is no recovery path after this point.

What is the difference between Microsoft 365 backup and a retention policy?

A retention policy preserves data for compliance and eDiscovery — it is not designed for fast restore. A backup creates restorable point-in-time copies you can recover granularly. Retention keeps data visible to investigators; backup gets your business operational again after data loss. Both serve different purposes and neither replaces the other.

Does Microsoft back up SharePoint and OneDrive data?

Microsoft replicates SharePoint and OneDrive data across multiple locations for infrastructure resilience. However, if you delete a file and it exits the Recycle Bin, Microsoft cannot recover it. OneDrive is a sync tool — deletions on a local device propagate to the cloud immediately. True backup requires a separate solution with immutable, point-in-time restore capability.

Is Microsoft 365 backup enough for compliance?

For most regulated industries — healthcare (HIPAA), finance (SOX, FINRA), or businesses subject to GDPR — Microsoft’s native retention is not sufficient. Default windows of 30–93 days don’t meet multi-year retention requirements. Compliance teams often discover these gaps during audits, which is the worst possible moment to find out.

What happens when an employee leaves and their account is deleted?

When a user account is permanently deleted, associated data — emails, OneDrive files, Teams chats — enters a grace period before permanent deletion. Without a backup solution in place, this data disappears when the grace period ends. Many organisations discover this gap only after they need to retrieve a former employee’s records for a legal matter.

What is the Microsoft 365 Shared Responsibility Model?

The Shared Responsibility Model is a framework defining what Microsoft protects versus what the customer must protect. Microsoft secures physical infrastructure, uptime, and application availability. The customer is responsible for data access, recovery, and retention. Microsoft explicitly states in its Service Agreement that customers should regularly back up their own data.

Does Microsoft 365 back up emails automatically?

Microsoft 365 does not perform traditional email backup automatically. Exchange Online maintains redundant copies for uptime purposes and offers a Deleted Items folder and Recoverable Items folder as short-term safety nets. The paid Microsoft 365 Backup product can protect Exchange mailboxes with 10-minute restore point intervals for up to one year — but this requires an additional purchase and configuration.