
Does Microsoft 365 Back Up Your Data? What SMBs Need to Know

Microsoft 365 guarantees infrastructure uptime — not data recovery. Learn the exact retention windows, the Shared Responsibility gap, and what real M365 backup requires.

Nandor Katai
Founder & IT Consultant
9 min read

You're paying Microsoft for cloud email, file storage, and collaboration tools. So it's reasonable to assume Microsoft is also backing up your data. It doesn't.

Microsoft 365 is a highly reliable service. Their infrastructure uptime is excellent, their redundancy is enterprise-grade, and the data centers running Exchange Online have outlasted most on-premises servers. But reliability isn't the same as backup. Microsoft protects the infrastructure. Protecting your data — from accidental deletion, ransomware, or a departing employee clearing a shared drive — is your responsibility under the terms of the service.

Microsoft says this directly in their shared responsibility documentation. For most small and mid-size businesses, it's worth understanding before something goes wrong.

Here's what Microsoft does cover, what it doesn't, and what that means for a business running 10 to 100 people on M365.


What Does Microsoft 365 Guarantee?

Microsoft guarantees 99.9% uptime and infrastructure redundancy, but a standard subscription does not include an independent, restorable copy of your data. Microsoft keeps the service running; it does not keep your deleted files.

When you subscribe to Microsoft 365, Microsoft's commitments operate across three infrastructure layers:

  1. Physical infrastructure redundancy — Microsoft stores your data across multiple data centers with hardware-level failover. A failed hard drive or server rack at one facility doesn't affect your data.
  2. Geographic redundancy — Data is replicated across regions. A regional outage doesn't bring down your mailboxes.
  3. Service availability — Microsoft's SLA commits to 99.9% uptime for most M365 plans. When Exchange Online experiences an incident, Microsoft is responsible for restoring service.

These are real, significant guarantees. The confusion arises when businesses conflate "my data is replicated across multiple Microsoft data centers" with "my data is backed up."

Replication protects against hardware failure and infrastructure-level outages. It does not protect against events that happen within that infrastructure — which is where most data loss scenarios actually originate.

Microsoft 365 Shared Responsibility Model: Microsoft protects infrastructure, customers protect their data

Microsoft's responsibility            | Your responsibility
--------------------------------------|------------------------------------------------------
Physical data center security         | Recovering data deleted by users
Hardware redundancy and failover      | Recovery from ransomware encryption
Geographic data replication           | Restoring data after malicious deletion
Service uptime (99.9% SLA)            | Offboarding and license change data preservation
Network and platform security         | Compliance-driven retention beyond native windows

The right framing: Microsoft acts as a reliable landlord who maintains the building's structure and systems. They are not responsible for the contents of each unit. That's cloud storage, not backup — a distinction worth understanding before you need it.


Does Microsoft 365 Protect Against Accidental Deletion?

No, not beyond short default windows. Once a message is removed from Deleted Items, Exchange Online keeps it recoverable for 14 days by default (an administrator can raise this to at most 30 days); SharePoint and OneDrive keep deleted files for 93 days across their two recycle bins. After those windows the data is gone.

Exchange Online moves deleted emails to the Deleted Items folder and then, when the user empties that folder or hard-deletes a message, to the hidden Recoverable Items folder. How long an item stays in Recoverable Items is the mailbox's deleted item retention setting: 14 days by default and at most 30 days, and an administrator has to raise it deliberately. Without a litigation hold or a Purview retention policy actively applied, items are purged once that window lapses and become unrecoverable. Microsoft offers no escalation path at that point.

For SharePoint and OneDrive files, the Recycle Bin extends the window: 93 days total across both the first-stage and second-stage recycle bins. After 93 days, the file is permanently deleted. Microsoft's own documentation confirms this limit and it is not user-configurable.

M365 default retention windows: 14 days for Exchange email, 93 days for SharePoint and OneDrive, unlimited with third-party backup

A common scenario: a shared SharePoint library gets deleted in January, but the team doesn't notice until May. By then the 93-day window has closed and the data is gone. Organizations that assumed cloud files are always recoverable usually learn otherwise exactly this way.

How to Check Your Current Retention Policies

If you're unsure whether your tenant has active retention policies in place, you can verify in three steps:

  1. Open the Microsoft 365 Admin Center and go to Compliance, or open the Microsoft Purview portal directly at purview.microsoft.com (the older compliance.microsoft.com address redirects there)
  2. Go to Data lifecycle management → Retention policies. Any active policy appears here with its scope (Exchange, SharePoint, OneDrive, Teams) and the duration and retain-or-delete action of its rule
  3. Check litigation holds in the Exchange admin center under Recipients → Mailboxes → select a mailbox → Others → Manage litigation hold. Litigation hold is a per-mailbox setting, not an eDiscovery case; holds created from cases under Purview → eDiscovery are a separate mechanism and count as well

If the retention policy list is empty and no mailbox is on hold, your organization is operating on the default windows: 14 days for email once an item leaves Deleted Items (an administrator can raise this to at most 30 days), and 93 days for SharePoint and OneDrive.
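The same check from PowerShell, as an added example that is not the article's own code: it lists Purview retention policies with their rules, shows each mailbox's hold state and Recoverable Items window, and reads the tenant's OneDrive retention period for deleted users. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed and an account holding the Compliance Administrator, Exchange Administrator and SharePoint Administrator roles; the tenant name contoso and the admin UPN are placeholders.

```powershell
# Added example, not the article's code. Placeholders: the 'contoso' tenant and admin UPN.
$adminUpn    = 'admin@contoso.onmicrosoft.com'          # assumption: your admin account
$spoAdminUrl = 'https://contoso-admin.sharepoint.com'   # assumption: your tenant's -admin URL

Connect-ExchangeOnline -UserPrincipalName $adminUpn -ShowBanner:$false
Connect-IPPSSession    -UserPrincipalName $adminUpn      # Security & Compliance cmdlets (Get-RetentionCompliance*)
Connect-SPOService     -Url $spoAdminUrl

# --- 1. Purview retention policies (what the portal shows under Data lifecycle management) ---
$policies = @(Get-RetentionCompliancePolicy -DistributionDetail)
if ($policies.Count -eq 0) {
    Write-Warning 'No Purview retention policies exist: the tenant runs on default windows only.'
}
$policies | ForEach-Object {
    # A policy only scopes locations; its rule(s) carry the duration and the retain/delete action.
    $rules = @(Get-RetentionComplianceRule -Policy $_.Name)
    [pscustomobject]@{
        Policy     = $_.Name
        Enabled    = $_.Enabled
        Status     = $_.DistributionStatus
        Exchange   = ($_.ExchangeLocation   -join ', ')
        SharePoint = ($_.SharePointLocation -join ', ')
        OneDrive   = ($_.OneDriveLocation   -join ', ')
        Duration   = ($rules.RetentionDuration         -join ', ')
        Action     = ($rules.RetentionComplianceAction -join ', ')
    }
} | Format-Table -AutoSize

# --- 2. Mailbox holds and the Recoverable Items window ---
# Litigation hold is a per-mailbox property; holds placed from eDiscovery cases or retention policies
# show up in InPlaceHolds. RetainDeletedItemsFor is the Recoverable Items window: 14 days by default, 30 at most.
$mailboxes = @(Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -Properties DisplayName, LitigationHoldEnabled, LitigationHoldDuration, InPlaceHolds,
                RetainDeletedItemsFor, SingleItemRecoveryEnabled)

$mailboxes |
    Select-Object DisplayName, LitigationHoldEnabled, RetainDeletedItemsFor, SingleItemRecoveryEnabled,
                  @{ Name = 'HoldCount'; Expression = { @($_.InPlaceHolds).Count } } |
    Format-Table -AutoSize

$unprotected = @($mailboxes | Where-Object { -not $_.LitigationHoldEnabled -and @($_.InPlaceHolds).Count -eq 0 })
Write-Host ('{0} of {1} user mailboxes have no hold; their hard-deleted items expire after RetainDeletedItemsFor.' -f $unprotected.Count, $mailboxes.Count)

# Optional hardening: widen the window to the 30-day maximum for existing mailboxes and for new ones.
# This buys time to notice a deletion; it is not a backup.
# $unprotected | ForEach-Object { Set-Mailbox -Identity $_.Identity -RetainDeletedItemsFor 30 }
# Get-MailboxPlan | ForEach-Object { Set-MailboxPlan -Identity $_.Identity -RetainDeletedItemsFor 30 }

# --- 3. OneDrive: how long a deleted user's OneDrive is kept before it drops into the deleted-sites bin ---
# Default is 30 days; Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod accepts 30-3650.
Get-SPOTenant | Select-Object OrphanedPersonalSitesRetentionPeriod
```

An empty policy table together with a HoldCount of 0 and RetainDeletedItemsFor of 14 days is the "default windows only" state described above. Note that raising RetainDeletedItemsFor only stretches the Recoverable Items window; nothing here creates a copy outside the tenant.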


Can OneDrive Version History Stop Ransomware?

Version history offers limited rollback capabilities, but it is not a true backup — and attackers with admin credentials can disable or purge it entirely.

OneDrive's version history allows users to roll back to previous, unencrypted file states. Under Microsoft's Automatic versioning setting, versions are retained at decreasing frequency over time: all versions for the first 30 days, hourly versions from 30–60 days, daily versions from 60–180 days, and weekly versions beyond 180 days — all subject to a 500-version limit per file.

Version history is not a backup

Version history exists within Microsoft's infrastructure and is governed by the same permissions as the files themselves. A ransomware attacker who gains admin credentials can purge version history, empty both recycle bins, and lower version limits before deploying encryption. At that point, version history offers no recovery path. The same applies to OneDrive's Files Restore, which can roll an entire OneDrive back to any point in the previous 30 days: it is built on the same version history and recycle bin contents, so an attacker who clears those first has emptied Files Restore too.

Microsoft's own guidance acknowledges that ransomware recovery via version history is not a substitute for backup. The feature is designed for everyday file recovery, not adversarial scenarios involving compromised credentials.
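Because an attacker has to destroy those recovery points before encrypting, the destruction itself is detectable. The following is an added example, not the article's code: it pulls the last seven days of the unified audit log for the SharePoint and OneDrive operations that empty recycle bins or wipe all versions, and for Set-Mailbox calls that switch off a litigation hold or touch the Recoverable Items window, then flags any identity doing this in bulk. It assumes Connect-ExchangeOnline has already run (Search-UnifiedAuditLog is part of the ExchangeOnlineManagement module), that unified audit logging is on, and the burst threshold of 20 is an assumption to tune.

```powershell
# Added example, not the article's code. Assumes an existing Connect-ExchangeOnline session and audit logging on.
$end   = Get-Date
$start = $end.AddDays(-7)

# SharePoint/OneDrive operations that destroy a native recovery path (audit log operation names).
$purgeOps = @(
    'FileDeletedFirstStageRecycleBin',   'FileDeletedSecondStageRecycleBin',
    'FolderDeletedFirstStageRecycleBin', 'FolderDeletedSecondStageRecycleBin',
    'FileVersionsAllDeleted'
)
$spoEvents = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointFileOperation -Operations $purgeOps -ResultSize 5000)

# Exchange admin changes that weaken recovery: a hold switched off or the Recoverable Items window changed.
$exoEvents = @(
    @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType ExchangeAdmin `
        -Operations 'Set-Mailbox' -ResultSize 5000) | Where-Object {
        $params = (ConvertFrom-Json $_.AuditData).Parameters
        ($params | Where-Object { $_.Name -eq 'LitigationHoldEnabled' -and $_.Value -eq 'False' }) -or
        ($params | Where-Object { $_.Name -eq 'RetainDeletedItemsFor' })
    }
)

# Normalise both record types to one shape.
$events = @($spoEvents) + @($exoEvents) | ForEach-Object {
    $d = ConvertFrom-Json $_.AuditData
    $target = $d.ObjectId
    if (-not $target) { $target = ($d.Parameters | Where-Object Name -eq 'Identity').Value }
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        Target    = $target
    }
}

# Any hold removal or retention change is worth a look on its own; they are rare in a healthy tenant.
$events | Where-Object Operation -eq 'Set-Mailbox' | Format-Table Time, User, Target, ClientIP -AutoSize

# A mass purge shows as one identity emptying bins or wiping versions in a burst.
$threshold = 20   # assumption: tune to what your users normally do
$events | Where-Object Operation -in $purgeOps | Group-Object User | Where-Object Count -ge $threshold |
    Select-Object @{ Name = 'User'; Expression = 'Name' }, Count,
                  @{ Name = 'First'; Expression = { ($_.Group.Time | Measure-Object -Minimum).Minimum } },
                  @{ Name = 'Last';  Expression = { ($_.Group.Time | Measure-Object -Maximum).Maximum } },
                  @{ Name = 'IPs';   Expression = { ($_.Group.ClientIP | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5,000 records per call, so a busy tenant needs the -SessionId/-SessionCommand paging options or a narrower date range. The alert logic belongs in whatever runs on a schedule (a Sentinel or Defender rule, or this script from a runbook), because by the time someone reads the log by hand the encryption stage is usually over.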


What Happens to Data When You Remove a Microsoft 365 License?

The clock runs differently for mail and files. When a license is removed from a user, Exchange Online disables the mailbox and deletes its contents about 30 days later unless a hold or retention policy was applied beforehand (in which case it survives as an inactive mailbox for as long as the hold lasts). When the user account itself is deleted, their OneDrive enters a retention period of 30 days by default, during which an administrator can still open it and reassign access; a SharePoint administrator can lengthen that period tenant-wide, up to ten years, but most tenants run on the default. After the period ends, the OneDrive moves to the deleted sites list for a further 93 days, where only a SharePoint administrator can restore it, and only if someone knows to look for it.

In practice: a business reduces from 25 seats to 20 as part of cost optimization, and later discovers that several of those users stored project files only in their personal OneDrive. The data retention window was running from the moment the licenses were removed.

For departing employee data security, this is one of the higher-risk moments in an organization's data lifecycle — worth addressing during offboarding rather than after.
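What "addressing it during offboarding" looks like in PowerShell, as an added example that is not the article's code: put the mailbox on hold before the account goes (so it becomes an inactive mailbox rather than being purged), lengthen the tenant's retention period for deleted users' OneDrives, hand a delegate access to the leaver's OneDrive while it still exists, and list OneDrives already sitting in the deleted-sites bin. It assumes Connect-ExchangeOnline and Connect-SPOService sessions with Exchange Administrator and SharePoint Administrator rights; the user, delegate and tenant names are placeholders.

```powershell
# Added example, not the article's code. Assumes existing Connect-ExchangeOnline and Connect-SPOService sessions.
$leaver   = 'jdoe@contoso.com'       # assumption: the departing user
$delegate = 'manager@contoso.com'    # assumption: who must be able to read the leaver's files
$tenant   = 'contoso'                # assumption

# OneDrive URLs are derived from the UPN: dots and @ become underscores under /personal/.
$oneDriveUrl = "https://$tenant-my.sharepoint.com/personal/$($leaver -replace '[.@]', '_')"

# 1. Exchange. A mailbox whose account is deleted survives as an inactive mailbox only if a hold was on it
#    first; otherwise its content is deleted about 30 days after the license or account goes away.
Set-Mailbox -Identity $leaver -LitigationHoldEnabled $true -LitigationHoldDuration 2555   # days; match your policy
#    If the team still needs the mail live, convert to a shared mailbox (no license needed under 50 GB)
#    before removing the license instead:
# Set-Mailbox -Identity $leaver -Type Shared

# 2. OneDrive. Raise how long a deleted user's OneDrive stays intact before it moves to the deleted-sites bin
#    (default 30 days; accepted range 30-3650). Tenant-wide, so set it once, before the first offboarding.
Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 365

# 3. Give the delegate site-collection admin rights on the OneDrive so the files can be reviewed or copied out
#    while the account still exists. Deleting the user in Entra ID is what starts the OneDrive retention clock.
Set-SPOUser -Site $oneDriveUrl -LoginName $delegate -IsSiteCollectionAdmin $true

# 4. OneDrives of users deleted earlier whose retention already ran out sit in the deleted-sites bin for 93 days.
#    Anything listed here is still restorable; once DaysRemaining reaches zero it is not.
Get-SPODeletedSite -IncludeOnlyPersonalSite | Select-Object Url, DeletionTime, DaysRemaining, StorageQuota
#    Restore one with:
# Restore-SPODeletedSite -Identity 'https://contoso-my.sharepoint.com/personal/olduser_contoso_com'
```

Step 4 is the check to run against the cost-optimization scenario above: if the seats were removed and the accounts deleted more than 30 days ago, the OneDrives are only still recoverable while they appear in that list.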


Why M365 Credentials Are a Primary Ransomware Target

These retention gaps have always existed. What's changed is how frequently they're being exploited.

Ransomware targeting reached record levels in 2025. Independent tracking platforms documented over 2,000 confirmed incidents in Q1 2025 — Ransomware.live recorded 2,251 incidents across 67 active groups in that quarter (Emsisoft, April 2025). NCC Group's annual threat data confirms 2025 was a record year for global ransomware, with attacks increasing 50% year-on-year. Microsoft 365 credentials are a frequent target because M365 is where business-critical data lives for hundreds of millions of users worldwide.

For context on adoption: 44% of Microsoft 365 organizations still rely solely on native Microsoft tools for data protection, according to Spin.AI's 2026 survey. That's a substantial portion of M365 deployments operating without an independent backup layer.

The average ransomware recovery timeline — for organizations that do ultimately recover their data — runs 21 to 24 days using conventional restoration approaches (Spin.AI, 2026). That extended timeline reflects the operational complexity of recovering from native tools rather than a purpose-built backup system.

Microsoft 365 credentials are compromised through phishing, password reuse and infostealer malware, MFA-fatigue prompts and adversary-in-the-middle token theft, and third-party apps that hold tenant permissions (consent phishing or a compromised integration), not through failures in Microsoft's infrastructure. The platform itself is working as designed. The exposure point is the identity layer, which sits on the customer's side of the responsibility boundary.


Can Microsoft's Native Backup Tool Fix This?

Microsoft launched Microsoft 365 Backup (generally available since 2024) as a paid add-on, covering SharePoint, OneDrive, and Exchange Online through the Microsoft 365 Admin Center. Pricing is consumption-based at approximately $0.15/GB/month of protected content.

For organizations with large data volumes, that model scales differently than per-seat pricing. A tenant with 1TB of protected content would pay roughly $150/month — compared to a flat $20/user/year with solutions like iDrive M365 Backup.

The more significant consideration: Microsoft 365 Backup stores your backup data within Microsoft's own infrastructure. This means a successful tenant-level compromise or a prolonged Microsoft service disruption can affect both the primary data and the backup. The native tool does not satisfy the independent off-platform storage requirement of the 3-2-1 backup rule.

For compliance-driven use cases and organizations that need fast recovery within the Microsoft ecosystem, the native tool is a reasonable option. For SMBs that want true data isolation from a credential-level threat, third-party solutions with external storage offer stronger protection.


What Counts as Real Backup for M365

A valid Microsoft 365 backup must feature off-platform storage, immutable data protection, and granular recovery options.

A real backup solution for Microsoft 365 needs to satisfy three criteria:

The three requirements for real M365 backup: off-platform storage, immutable storage, and granular recovery

1. Independent copy stored outside Microsoft's infrastructure

If your backup lives within Microsoft's ecosystem, in Azure Blob Storage tied to the same admin account, or in Microsoft 365 Backup's native storage, a credential compromise can reach it. The backup needs to live somewhere that a compromised M365 admin account cannot access. This is what the 3-2-1 rule (three copies, on two different media or platforms, one of them off-site) means in the cloud context: your M365 backup copy must be genuinely off-platform, on storage that the tenant's own identities cannot administer.

2. Immutable storage

Modern ransomware variants actively look for backup targets to delete or encrypt before they detonate. Immutable storage addresses this: data is written once and cannot be modified or deleted until a retention period expires, with the lock enforced by the storage service (object-lock or WORM retention on the backup bucket) rather than by the backup software's own credentials. A backup that an attacker holding the backup account's credentials can delete provides limited protection.

3. Granular recovery

Restoring a single email or file from a specific date shouldn't require rebuilding an entire mailbox or SharePoint site. Granular recovery makes the difference between a targeted two-minute fix and a time-consuming full restoration.

These three requirements also clarify why common workarounds fall short:

  • Manual PST exports — point-in-time, not automated, and usually left on an endpoint or file share that is itself in scope for the same ransomware run
  • OneDrive version history — within Microsoft's infrastructure; admin credentials can disable it
  • Litigation holds — serve compliance retention, not operational disaster recovery

What does this cost in practice?

For most SMBs, a proper third-party M365 backup solution runs $20–$50 per seat per year, covering Exchange Online, SharePoint, OneDrive, and Teams. iDrive M365 Backup starts at $20/seat/year with unlimited storage — roughly $1.67/user/month for a 20-person team, or $400/year total.

For businesses with an on-premises NAS looking to run M365 backup locally, Synology Active Backup for Business supports M365 workloads and can serve as the independent storage layer for organizations that prefer to keep backup infrastructure in-house.


Native Microsoft Tools vs. Third-Party Backup: Side-by-Side

Feature                        | Microsoft native tools                                           | Third-party backup
-------------------------------|------------------------------------------------------------------|------------------------------------------------
Email retention                | 14 days default in Recoverable Items (admin can raise to 30)      | Unlimited (configurable)
SharePoint/OneDrive retention  | 93 days (first- and second-stage recycle bins)                   | Unlimited (configurable)
Version history                | Automatic (thins to weekly over time; 500-version limit)         | Point-in-time snapshots, admin-set retention
Ransomware protection          | Partial (version rollback within limits; an admin can purge it)  | Full (immutable snapshots, independent storage)
Granular recovery              | Limited (mailbox- or site-level restores typical)                | Yes (single email, file, folder, site)
Independent storage            | No (within Microsoft's ecosystem)                                | Yes (external infrastructure)
Admin credential risk          | High (a compromised M365 admin can delete or purge all of it)    | Low (independent auth, immutable storage)
Automated scheduling           | No (retention policies are not backup schedules)                 | Yes (typically 1-3x daily)
Recovery time (1,000 files)    | Hours (native restores are sequential and API-throttled)         | 15-30 minutes via parallel restore

The native tools are valuable for compliance-driven use cases — litigation holds and Purview retention policies serve a real purpose. For disaster recovery scenarios, they don't meet the three criteria above.

If you're ready to evaluate specific solutions, we've compared the leading options — iDrive, Veeam, and Acronis — by price, recovery speed, and SMB fit:

Microsoft 365 Backup Solutions Compared: iDrive vs. Veeam vs. Acronis


Frequently Asked Questions

Does Microsoft 365 back up your data?

No. Microsoft 365 guarantees service availability and infrastructure redundancy, but does not provide true backup. Data deleted past the native windows (14 days in Recoverable Items for Exchange Online, extendable by an administrator to at most 30; 93 days in the recycle bins for SharePoint and OneDrive) is permanently unrecoverable without a third-party backup solution.

How long does Exchange Online keep deleted email?

Deleted items move from the Deleted Items folder to the Recoverable Items folder when the user empties Deleted Items or hard-deletes a message. By default, items in Recoverable Items are permanently purged after 14 days (an administrator can raise this to 30) unless a litigation hold or Purview retention policy is actively applied. After that window closes, there is no Microsoft recovery path.

Who is responsible for protecting data in Microsoft 365?

Microsoft is responsible for infrastructure security: the data centers, service uptime, and hardware redundancy. You are responsible for protecting your data stored within that infrastructure, including recovery from accidental deletion, ransomware, and malicious user actions.

Is OneDrive a backup?

No. OneDrive is cloud storage with file sync and version history, not an independent backup. Under the Automatic versioning setting, versions are retained at decreasing frequency over time: all versions for 30 days, then hourly, then daily up to 180 days, then weekly thereafter, up to the 500-version limit. If a ransomware attacker gains admin credentials, they can purge version history and the recycle bins before encrypting, which also empties Files Restore.

How much does Microsoft 365 backup cost?

Third-party backup solutions for Microsoft 365 range from approximately $20 to $50 per user per year for SMB-tier coverage of Exchange Online, SharePoint, OneDrive, and Teams. iDrive M365 Backup starts at $20/seat/year with unlimited storage, roughly $1.67/user/month.

Does Microsoft offer its own backup tool?

Yes. Microsoft launched Microsoft 365 Backup (generally available since 2024) at approximately $0.15/GB/month of protected content. However, it stores backup data within Microsoft's own infrastructure, so it does not satisfy the independent off-platform storage requirement of the 3-2-1 backup rule. For most SMBs, third-party solutions with off-platform storage provide stronger isolation against credential-level threats.


Nandor Katai

Founder & IT Consultant | iFeeltech · 20+ years in IT and cybersecurity


Nandor founded iFeeltech in 2003 and has spent over two decades implementing network infrastructure, cybersecurity, and managed IT solutions for Miami businesses. He writes from direct field experience — every recommendation on this site reflects configurations and tools he has tested in real client environments. He is also the creator of Valydex, a free NIST CSF 2.0 cybersecurity assessment platform.