Microsoft 365 Backup

by Jon Lober | NOC Technology

Why Microsoft Says You Need Third-Party Protection

You're paying for Microsoft 365. Microsoft backs up the cloud, right? Your data is safe.


Or is it?


Last month, a business owner in the St. Louis area called us in a panic. A well-meaning employee had accidentally deleted the entire sales folder while reorganizing files. Three years of proposals, contracts, and client communications—gone. The Recycle Bin had been emptied weeks ago during a "cleanup." Microsoft support's response? The data was beyond recovery. It took three weeks of forensic work with partial backups to piece together what they could. They never got everything back.


What went wrong? The same thing that catches thousands of businesses every year: a fundamental misunderstanding of what Microsoft actually protects.

The Shared Responsibility Model: What Microsoft Actually Protects

Microsoft publishes a document called the Shared Responsibility Model that clearly defines who is responsible for what. Most businesses have never read it. Those who have are often surprised by what it says.


Here's the core principle: Microsoft is responsible for the infrastructure. You are responsible for your data.

According to Microsoft's own documentation, regardless of whether you're using SaaS, PaaS, or IaaS services, you always retain responsibility for your data, your endpoints, your accounts, and your access management. Microsoft protects against hardware failures, datacenter disasters, and service availability. They maintain uptime. They keep the lights on.


What they explicitly do not protect against: accidental deletion, malicious deletion, ransomware that encrypts your data, users overwriting files, sync errors that propagate bad data across devices, or data that ages out of retention windows.


This isn't hidden. Microsoft states it plainly: "You're responsible for your data, including data classification, data protection, encryption decisions, and compliance with data governance requirements."


Most Missouri businesses discover this policy only after something goes wrong.

What Microsoft 365's Built-In Tools Actually Do (And Their Limits)

Microsoft 365 does include data protection features. Understanding what they actually do—and more importantly, what they don't do—is essential before assuming you're covered.


The Recycle Bin is the first line of defense. When you delete a file in SharePoint or OneDrive, it moves to the first-stage Recycle Bin where it stays for 93 days. If someone empties that, items move to the second-stage Recycle Bin (the site collection Recycle Bin) where admins can recover them. That 93-day clock runs across both stages—it's not 93 days in each.


Versioning lets you recover previous versions of files that were overwritten. SharePoint Online keeps up to 500 versions by default. This is genuinely useful for recovering from accidental changes—until someone deletes the file entirely, which deletes all versions with it.


Exchange Online keeps deleted emails in the Deleted Items folder indefinitely until a user empties it. Once emptied, items move to Recoverable Items for 14 days (or 30 days with certain license types). After that, they're gone.

These tools work reasonably well for simple "oops" moments caught quickly. The problems emerge when you need more.
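The retention windows described above can be checked before they expire. The script below is an added example, not code from the original article; it assumes the PnP.PowerShell and ExchangeOnlineManagement modules are installed, and the site URL, client ID, and warning threshold are placeholders to replace with your own values.

```powershell
# Added example: the parameter defaults are placeholders, not values from the article.
param(
    [string]$SiteUrl  = 'https://contoso.sharepoint.com/sites/Sales',  # placeholder site
    [string]$ClientId = '<your-entra-app-client-id>',                   # placeholder app registration
    [int]$WarnDays    = 14                                              # report items purging within this many days
)

# One 93-day clock is shared by the first- and second-stage Recycle Bins.
$PurgeAfterDays = 93

# --- SharePoint / OneDrive: deleted items close to permanent purge ---
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId
$now = [datetime]::UtcNow

# Get-PnPRecycleBinItem returns items from both stages; ItemState says which one.
# DeletedDate is used as returned; any time-zone skew is under a day.
$expiring = Get-PnPRecycleBinItem | ForEach-Object {
    $purgeOn = $_.DeletedDate.AddDays($PurgeAfterDays)
    [pscustomobject]@{
        Path      = "$($_.DirName)/$($_.LeafName)"
        Stage     = $_.ItemState
        DeletedBy = $_.DeletedByEmail
        Deleted   = $_.DeletedDate
        DaysLeft  = [math]::Floor(($purgeOn - $now).TotalDays)
    }
} | Where-Object { $_.DaysLeft -le $WarnDays } | Sort-Object DaysLeft

$expiring | Format-Table -AutoSize

# --- Exchange Online: how long each mailbox keeps Recoverable Items ---
Connect-ExchangeOnline -ShowBanner:$false
Get-EXOMailbox -ResultSize Unlimited -Properties RetainDeletedItemsFor |
    Select-Object UserPrincipalName,
        @{ n = 'RecoverableDays'; e = { ([timespan]$_.RetainDeletedItemsFor).Days } } |
    Sort-Object RecoverableDays |
    Format-Table -AutoSize
```

The first table lists deleted files that will be purged within the warning window, including ones already moved to the second stage; the second shows which mailboxes are still on the 14-day Recoverable Items setting.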

What Microsoft 365 Built-In Tools Won't Protect You From

The 93-day clock is the first gap most businesses trip over. According to industry data, the average time before data loss is discovered is around 140 days. If someone accidentally deletes a folder in January and nobody notices until June, that data has been permanently purged for months.


Ransomware represents an increasingly dangerous threat. Microsoft's 2025 Digital Defense Report found that over 52% of cyberattacks with known motivations involved extortion or ransomware. Modern ransomware doesn't just encrypt local files—it often propagates through connected cloud storage, encrypting OneDrive files and spreading through SharePoint. Once encrypted files sync across devices and the original versions age out of the version history, you're left paying the ransom or losing the data.


Malicious deletion is another scenario where native tools fall short. A departing employee with a grudge and admin access can empty Recycle Bins, delete mailboxes, and remove SharePoint sites. If the damage isn't discovered within the retention window, recovery becomes impossible through Microsoft's native tools.


Legal holds and compliance requirements create additional challenges. Many industries require data retention far beyond 93 days. Healthcare organizations in Missouri may need to retain patient communications for years. Legal firms require indefinite retention of client files. Microsoft's native retention features require specific licensing tiers and careful configuration; they're designed for compliance, not disaster recovery. They don't give you the ability to quickly restore a clean copy of your environment after an incident.


Sync errors and app integrations can corrupt data in ways that propagate before anyone notices. If a third-party application malfunctions and overwrites thousands of files with corrupted versions, those corrupted versions become your "good" versions once the originals age out of version history.

How to Evaluate Third-Party Backup for Microsoft 365

Not all backup solutions are equal. When evaluating options for your business, several factors matter more than others.


Recovery granularity determines how precisely you can restore. Can you recover a single email? A specific file version? A complete mailbox? An entire SharePoint site? The best solutions offer point-in-time recovery at multiple levels—from individual items up to full environment restoration.


Retention duration should match your business and compliance requirements, not Microsoft's 93-day default. Most third-party solutions offer configurable retention: one year, seven years, indefinite. Your legal and regulatory requirements should drive this decision.


Recovery speed matters when an incident occurs. How quickly can you get data back? Some solutions restore directly to production; others require intermediate steps. During an actual incident, the difference between a few hours and a few days can mean the difference between business continuity and serious disruption.


Coverage completeness is often overlooked. Does the solution back up Exchange mailboxes, OneDrive, SharePoint, Teams, Planner, and Groups? Many businesses discover too late that their "Microsoft 365 backup" only covered email.

Storage location and security deserve scrutiny. Where does your backup data reside? Is it encrypted at rest and in transit? Is it truly isolated from your production environment so ransomware can't reach it? Air-gapped or immutable backup storage provides critical protection against attacks that target backup systems.


Automation and monitoring ensure backups actually happen. A backup solution that requires manual intervention will eventually be forgotten. Look for automated scheduling, success/failure alerts, and regular verification that backed-up data can actually be restored.

The Bottom Line

Microsoft 365 is a platform, not a complete data protection strategy. Microsoft protects the infrastructure; you protect your data. That distinction matters, and Microsoft themselves make it clear in their documentation.


Third-party backup isn't an optional luxury or a nice-to-have feature for paranoid IT managers. It's essential infrastructure—the same way you wouldn't operate a business without insurance, you shouldn't operate on Microsoft 365 without independent backup. The businesses that recover quickly from data loss incidents are the ones that planned for them. The ones that struggle are the ones who assumed "the cloud" had it covered.


If you're not sure whether your current setup protects your Microsoft 365 data adequately, that uncertainty alone is worth addressing. We work with businesses throughout the St. Louis region to evaluate and implement backup strategies that match their actual risk exposure and compliance requirements.


Curious what proper M365 backup looks like in practice? Our pricing page breaks down what's included and what it costs—because we think you should know that before you ever pick up the phone.

Frequently Asked Questions

Isn't Microsoft 365 already backed up by Microsoft?
Microsoft backs up their infrastructure to ensure service availability - if their datacenter has an issue, they can recover. But under their Shared Responsibility Model, you're responsible for your actual data. Microsoft explicitly states that protecting against accidental deletion, malicious deletion, and ransomware is your responsibility, not theirs.
How much does third-party Microsoft 365 backup cost?
Third-party M365 backup typically costs between $2-5 per user per month, depending on the solution and storage requirements. For a 50-person company, that's roughly $100-250 monthly - a fraction of the cost of even minor data loss. Most St. Louis businesses find the investment trivial compared to the risk it mitigates.
Do small businesses really need Microsoft 365 backup?
Small businesses often face greater risk because they typically lack dedicated IT staff to catch problems quickly. If a 10-person company loses their client email history or financial documents, the impact can be devastating. Size doesn't reduce risk - it often increases it. If your business data matters, it needs protection.
Can't I just use the Recycle Bin and version history?
The Recycle Bin and version history are useful for quick recoveries, but they have strict time limits. SharePoint's Recycle Bin purges after 93 days, and the average data loss isn't discovered for 140 days. Version history disappears when files are deleted. These tools complement backup but don't replace it.
What about Microsoft's own backup solution for M365?
Microsoft 365 Backup (their first-party backup product) became generally available in 2024. It's a solid option but comes at a premium price point compared to established third-party solutions. It also currently covers only Exchange, OneDrive, and SharePoint - not Teams conversations, Planner, or other workloads that third-party tools often include.
How long should we retain Microsoft 365 backups?
Retention requirements vary by industry and data type. Healthcare organizations may need seven years or longer for patient-related communications. Legal and financial services often require similar extended retention. Most businesses should retain at least one year as a baseline, with longer periods for compliance-sensitive data.
Will backup protect us from ransomware?
A properly configured third-party backup with air-gapped or immutable storage provides your best recovery option after ransomware. The key is that the backup must be isolated from your production environment so attackers can't encrypt or delete it. This lets you restore clean data without paying the ransom.