Does Microsoft Backup Your OneDrive?
by Jon Lober | NOC Technology
What SMBs Need to Know
It's 2 PM on a Friday. You're pulling together documents for a client meeting in two hours when you realize a critical proposal is missing from your OneDrive folder. Someone deleted it. Maybe it was you, maybe it was a coworker with shared access, maybe it was three weeks ago, and you're just now noticing. You check the Recycle Bin–it's empty. Now what?
If you assumed Microsoft was backing up your OneDrive files and could restore that proposal, you're not alone. It's one of the most common misconceptions we see when talking with small business owners about their Microsoft 365 setup. The truth is more complicated, and understanding it can save your business from a painful lesson.
What Microsoft Actually Backs Up (and What They Don't)
Here's what catches most people off guard: Microsoft does not back up your OneDrive data in the traditional sense. What they do provide is redundancy and short-term retention.
Microsoft stores your files across multiple data centers to protect against hardware failures on their end. If a server in their Azure infrastructure fails, your files are still safe. But this geo-redundancy protects Microsoft's infrastructure, not your data from human error, malicious deletion, or ransomware.
For deleted files, Microsoft offers a Recycle Bin that retains items for 93 days (with the second-stage Recycle Bin extending that for site collection admins). After that window closes, the file is gone permanently. There's no "call Microsoft and ask them to restore it" option. Version history helps with accidental overwrites, but it has limits too - typically 500 versions, and Microsoft can purge older versions without notice.
The gap becomes clear when you map it out: Microsoft protects the platform, but your organization is responsible for the data that lives on it. That deleted proposal from three months ago? Unless you had your own backup in place, it's unrecoverable.
The Shared Responsibility Model Explained
Microsoft operates under what's called the "shared responsibility model," and it's spelled out in their service agreement. In plain terms: they keep the service running, you keep your data safe.
Microsoft's responsibilities include physical security of their data centers, uptime and availability of the service, infrastructure-level redundancy, and protection against their own system failures. Your responsibilities include protecting against accidental or malicious deletion, maintaining compliance with data retention requirements, recovering from ransomware or other attacks that encrypt your files, and managing user access and permissions.
This division surprises business owners who assume that paying for Microsoft 365 means everything is handled. It's not a criticism of Microsoft–this model is standard across cloud providers (AWS, Google Workspace, and others work the same way). It's just not well understood by the people making IT decisions.
Think of it like renting office space. Your landlord maintains the building, keeps the lights on, and fixes the elevator. But if someone breaks into your suite and steals your equipment, that's not the landlord's problem. The shared responsibility model works the same way.
Real Risks: What Can Go Wrong Without Backup
Understanding the theory is one thing; seeing what actually happens to businesses without proper backup drives the point home.
Accidental deletion is the most common scenario. An employee cleans up their OneDrive, not realizing they're deleting files shared with the team. Someone leaves the company, and their account gets deprovisioned, taking their entire OneDrive with it (Microsoft gives you 30 days to recover a deleted user's OneDrive, then it's gone). A well-meaning cleanup of a SharePoint library removes files that weren't supposed to be touched.
Ransomware presents a different challenge. Modern ransomware often targets cloud-synced folders specifically. If an infected machine encrypts files locally and those encrypted versions sync to OneDrive, your version history fills up with encrypted copies. Sure, you can roll back...if you catch it within the version limit and before those versions age out. We've seen Greater St. Louis businesses spend days manually restoring thousands of files one version at a time because they didn't have a point-in-time backup option.
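The rollback problem described above, as an added example that is not part of the original article: a simplified Python model that picks, for each file, the newest retained version saved before the infection time and flags files whose clean versions have been pushed past the version cap. The file paths, timestamps, and the `retained`, `plan_restore` and `summarize` helpers are constructed for illustration; real version data would come from your own tenant.

```python
from datetime import datetime

VERSION_CAP = 500  # the "typically 500 versions" limit cited in this article


def retained(versions, cap=VERSION_CAP):
    """Simplified model of the cap: only the newest `cap` versions survive."""
    return sorted(versions)[-cap:]


def plan_restore(history, infected_at, cap=VERSION_CAP):
    """Map each path to the newest retained version saved before `infected_at`,
    or None when every surviving version postdates the infection."""
    plan = {}
    for path, versions in history.items():
        clean = [v for v in retained(versions, cap) if v < infected_at]
        plan[path] = clean[-1] if clean else None
    return plan


def summarize(plan):
    """Split the plan into recoverable paths and paths with no clean version."""
    recoverable = sorted(p for p, v in plan.items() if v is not None)
    lost = sorted(p for p, v in plan.items() if v is None)
    return recoverable, lost


# Constructed sample data (assumption): version timestamps per file.
INFECTED_AT = datetime(2024, 3, 8, 14, 0)
SAMPLE_HISTORY = {
    "Proposals/client-a.docx": [datetime(2024, 2, 1, 9, 0),
                                datetime(2024, 3, 1, 16, 30),
                                datetime(2024, 3, 8, 14, 5)],
    "Finance/q1.xlsx": [datetime(2024, 3, 7, 11, 0),
                        datetime(2024, 3, 8, 14, 6)],
    # Two encrypted saves after the infection; with a cap of 2 they
    # push the only clean version out of the retained history.
    "Projects/plan.pptx": [datetime(2024, 1, 15, 10, 0),
                           datetime(2024, 3, 8, 14, 7),
                           datetime(2024, 3, 8, 14, 9)],
}

if __name__ == "__main__":
    # A cap of 2 is used here only to make the failure mode visible.
    ok, lost = summarize(plan_restore(SAMPLE_HISTORY, INFECTED_AT, cap=2))
    print("restore from version history:", ok)
    print("no clean version retained:", lost)
```

Files in the second list are the ones that need an independent backup copy, because nothing clean is left in version history to roll back to.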
Malicious deletion from departing employees or compromised accounts is rarer but devastating when it happens. A disgruntled employee with access can delete files and empty Recycle Bins before IT even knows there's a problem. By the time you notice, the 93-day clock may have already run out on some files.
Data corruption from sync conflicts or application bugs can silently damage files over time. Without a backup system that lets you restore to a specific point in time, you may not realize the damage until months later when you need a clean copy.
Third-Party Backup Solutions: When and Why
Third-party backup for Microsoft 365 addresses the gaps in Microsoft's native retention. These solutions work by connecting to your tenant via API and creating independent copies of your data that you control.
What they provide that Microsoft doesn't includes true backup with configurable retention (keep deleted files for years, not 93 days), point-in-time restore (recover your entire OneDrive as it existed on a specific date), granular recovery (restore a single file, folder, or mailbox without touching anything else), protection against ransomware sync-back (restore from a clean backup taken before the infection), compliance and legal hold capabilities that don't depend on Microsoft's retention settings, and an independent copy that survives if your Microsoft tenant is compromised.
The cost varies widely. Entry-level backup services for Microsoft 365 run $2-5 per user per month. Enterprise solutions with advanced compliance features can run $8-15 per user per month. For a 50-person company, that's somewhere between $100-750 per month for comprehensive backup coverage.
Is it worth it? That depends on the value of your data and your tolerance for risk. If losing three months of project files would cost your business $50,000 in recreated work and missed deadlines, the math is straightforward. If your data has minimal value and can be easily recreated, native Microsoft retention might be sufficient.
How to Evaluate Backup Needs for Your Business
Not every SMB needs the same level of backup. Here's how to think through what makes sense for your organization.
Start by inventorying your critical data. Where does your business actually store information that matters? OneDrive, SharePoint, Teams, Exchange–each has different native retention policies and different risk profiles. Most businesses have more critical data in Microsoft 365 than they initially realize.
Consider your retention requirements. Some industries have regulatory requirements (healthcare practices in Missouri need to retain certain records for years, law firms have similar obligations). Even without compliance requirements, think about how far back you might need to recover. If your longest projects span 18 months, 93-day retention is dangerously short.
Evaluate your recovery time tolerance. If OneDrive goes down or files get deleted, how quickly do you need them back? Microsoft's native tools can be slow and manual for large-scale recovery. Third-party backup solutions typically offer faster, more flexible restore options.
Factor in the human element. How many people have access to delete files? How tech-savvy are your employees? Businesses with lots of shared access and varying technical skill levels face higher risk of accidental deletion.
Finally, do the math. What would it cost your business to lose a week of work? A month? A year's worth of project files? Compare that to the annual cost of backup. For most St. Louis businesses we work with, the backup investment is a rounding error compared to the potential loss.
Making the Call
Microsoft 365 is excellent software, and Microsoft runs a world-class cloud infrastructure. But their service agreement is clear: data protection is your responsibility. The shared responsibility model isn't a gotcha–it's just how cloud services work.
For many SMBs, the native 93-day Recycle Bin and version history are enough for day-to-day "oops" moments. But it's not backup in the real sense. It won't save you from ransomware that syncs faster than you can react, from a departing employee who decides to burn bridges, or from compliance requirements that expect years of retention.
The right backup strategy depends on your specific situation. Evaluate your critical data, understand your retention needs, and make a conscious decision rather than assuming Microsoft has it handled.
Curious what backup actually costs for your business size? We publish our pricing because we believe you should know what IT costs before you ever pick up the phone.






