Microsoft 365 Doesn't Back Up Your Data by Default

It’s 10:23 AM on a Thursday. A project manager opens SharePoint to pull an old contract and gets an error. The site is gone. The message she left for IT is already three replies deep. “I think I might have deleted it by accident last month. Can we get it back?”

Her IT person checks the first-stage recycle bin. Empty. Checks the second-stage bin. Empty. The 93-day window closed sometime while she was on vacation in February.

Then he asks the question that decides what happens next. “We have a backup, right?”

This is the single most common misconception we see in Florida businesses: the assumption that “the cloud” includes backup by default. It doesn’t. Microsoft’s own documentation says it doesn’t. And the gap between what Microsoft protects and what you’re actually responsible for is where most of the bad days happen.

Microsoft’s Shared Responsibility Model Is Public

Microsoft publishes a shared responsibility model that spells out exactly who is responsible for what. Microsoft handles the infrastructure: the datacenters, the physical servers, the uptime SLA, the redundancy that keeps the service running when a drive fails in Virginia. That’s their job, and they do it well.

The data sitting on top of that infrastructure is yours. The emails, the SharePoint sites, the OneDrive files, the Teams chat history, the calendar entries. Protection of that data, including recovery from accidental deletion, corruption, or compromise, is explicitly your responsibility.¹

Most business owners have never read that page. Most IT providers have never walked a client through it. The result is a tenant full of critical business data that nobody has actually backed up, sitting behind a subscription that everyone assumed included backup.

What Microsoft Actually Protects You From

Microsoft’s infrastructure does real work, and it’s worth naming what that work is so you can see what it leaves out.

Microsoft protects you from hardware failure. If a disk dies in an Azure datacenter, your data doesn’t go with it. Everything is replicated across redundant storage in real time.

Microsoft protects you from datacenter outage. If one region goes dark, your tenant fails over to another. You might see a performance blip. You won’t see data loss.

Microsoft protects you from their own operational errors. If a Microsoft engineer fat-fingers a configuration change, they have rollback procedures, versioned configs, and internal recovery processes.

That’s the list. Hardware redundancy, geographic redundancy, operational discipline on their side of the line. All real, all valuable, and none of it addresses the scenarios that actually take businesses down.

What Microsoft Does Not Protect You From

Here’s the side of the line that’s yours.

Accidental deletion. An employee drags a folder to the wrong place. A shared mailbox gets cleaned up by someone who didn’t realize other people used it. A SharePoint site owner deletes the site, not the file.

Malicious deletion. A departing employee with still-active credentials. A contractor with broader access than they needed. A compromised account acting on someone else’s behalf.

Corruption. A faulty Outlook add-in mangles a mailbox. A script someone wrote to clean up attachments runs against the wrong OneDrive. A SharePoint list gets overwritten with a bad import.

Ransomware inside the tenant. A user’s device is compromised, the attacker syncs encrypted copies of files up to OneDrive or SharePoint, and the healthy versions get overwritten before anyone notices.

Compromised accounts. A phishing attack lands, credentials are harvested, and now the attacker has the same access your user has. Every action they take is logged as authorized activity, because it is.

Retention policy expiry. Items that aged out of whatever retention windows you have configured are gone. Microsoft honored the policy. It was your policy.

Every one of these scenarios is business-as-usual for the mistakes, departing employees, and attackers that actually cause data loss. None of them are covered by the service running underneath your tenant.

What About Microsoft 365 Backup?

Microsoft has started closing part of the gap. In 2024, they launched Microsoft 365 Backup, a paid native product that covers Exchange, OneDrive, and SharePoint.² It’s Microsoft’s own acknowledgment that customers need a backup layer they didn’t used to provide.

It’s a real product, and for some scenarios it’s useful. It’s also not a complete answer.

What it covers. Exchange mailboxes, OneDrive accounts, and SharePoint sites. Backup frequency is configurable. Restores are faster than eDiscovery exports and more granular than native recycle bins.

What it doesn’t cover. Teams chat history. That’s a meaningful gap if your business runs its real conversations in Teams rather than email.

How it’s priced. Pay-as-you-go per gigabyte of protected data and per gigabyte restored. The economics can get expensive quickly for tenants with years of accumulated SharePoint and OneDrive content.

The structural limit. Microsoft 365 Backup restores back into the same Microsoft 365 tenant. If an attacker compromises a Global Admin and methodically destroys your data, they have the same access to the backup controls that your IT team does. Microsoft has acknowledged this limitation in their own documentation and recommends combining it with third-party backup for scenarios where the tenant itself is compromised.

For most businesses, Microsoft 365 Backup is a step forward from native-tools-only. It is not a substitute for an independent backup that lives outside the tenant.

The Retention Windows That Feel Like Backup but Aren’t

Microsoft 365 has several recovery features that are useful for the cases they were designed for. They are not a backup, and the distinction matters more than most owners realize.

Exchange Online holds deleted mail items in the Deleted Items folder for as long as the user leaves them there. After a user empties Deleted Items, the items move to the Recoverable Items folder for 14 days by default, configurable up to 30 days. After that, the items are purged and unrecoverable through native tools.

SharePoint Online and OneDrive hold deleted files in a two-stage recycle bin. The first-stage bin holds items for 93 days, and if a user empties it, items move to a second-stage bin that site collection admins can restore from until the combined 93-day window expires. After 93 days, the file is gone. Administrators can’t extend the 93-day window. It’s a Microsoft-managed setting with no admin override.⁶ (One narrow exception: when a user account is deleted, the default 30-day retention on their orphaned OneDrive contents is configurable via PowerShell up to 10 years. That’s a terminated-employee control, not a day-to-day recycle bin extension.)

Version history on SharePoint and OneDrive files gives you prior versions of a file that changed, which can feel like backup when it’s actually a different thing. It’s file-level and defaults to a limited number of versions. It doesn’t help when the file itself is deleted, when ransomware overwrites the file enough times to push the clean version out of history, or when an admin purges version history to cover tracks.

Teams message retention is governed by the Microsoft Purview retention policies you configure. Defaults are not the same as a backup.

There’s also Litigation Hold and Preservation Lock, and both are often mistaken for backup.

Litigation Hold is a legal compliance feature that prevents specific users from permanently deleting items in scope, so you can satisfy e-discovery obligations. A compromised Global Admin can still disable or modify a standard retention policy.

Preservation Lock is the harder version. A Purview retention policy with Preservation Lock applied cannot be turned off, loosened, or deleted by anyone, including a Global Admin, including Microsoft support.³ It’s the right answer to a specific threat, and any serious M365 compliance program should consider it.

Neither gives you granular point-in-time restore. Neither covers Teams chat. Neither recovers a corrupted SharePoint list to the state it was in yesterday afternoon. They preserve what exists. A backup restores what used to exist.

The Threat That Changed the Math in 2024

For years, the M365 backup conversation was driven by the “oops” scenarios. Someone deleted something. Someone corrupted a file. Those scenarios are still real and still frequent.

What changed is the rise of valid-credential attacks. CrowdStrike’s 2026 Global Threat Report found that 82% of detections in 2025 were malware-free. Attackers log in with compromised credentials instead of breaking in with malware. Average eCrime breakout time (the time between initial access and lateral movement) is 29 minutes.⁴

This is the structural problem every tenant shares. In January 2024, Microsoft disclosed that the Russian state-backed group Midnight Blizzard (APT29) compromised a legacy non-production tenant at Microsoft itself and used the access to reach senior leadership mailboxes. The initial foothold was a password-spray attack against a test account that lacked MFA. From there, the attackers moved to a legacy OAuth application with elevated permissions and read email for weeks before detection.⁵

If Microsoft’s own security team can take weeks to notice a valid-credential compromise of their own tenant, the odds a 50-person Florida business notices one in real time are not great. And the point isn’t that Microsoft made a mistake. The point is that this is what valid-credential attacks look like. Every action the attacker took in that tenant was recorded as authorized activity, because it was.

The same structural pattern applies to any tenant. A Global Administrator account, compromised, can delete mailboxes, purge recycle bins, disable most retention policies, and exfiltrate or destroy data in ways that log as routine admin work. Microsoft’s own native protections (Preservation Lock, audit logging, anomaly detection) help, but none of them restore data the attacker deleted.

The March 2026 attack on Stryker was a different surface — Intune, not M365 data — but the same pattern. Admin tools used the way they were designed to be used, against the organization they were supposed to protect. Your M365 tenant has an equivalent admin surface, with equivalent blast radius if the wrong credential is compromised.

Recovery from inside the tenant in that scenario is unreliable, slow, and incomplete. Microsoft support can sometimes help with catastrophic-event recovery, but there’s no SLA on data restoration after a compromise, and the quality of what comes back varies. A backup that lives in a separate system, with separate credentials, that the attacker never had a path to reach, is what makes recovery predictable.

What Real M365 Backup Looks Like

Every Microsoft 365 tenant we manage is backed up by Datto SaaS Protection, independently of Microsoft’s infrastructure. Here’s what that means in practice.

Three times a day, at eight-hour intervals, every mailbox, OneDrive, SharePoint site, and Teams workspace in the tenant is backed up to Datto’s infrastructure. Not synced. Not mirrored. Backed up, in the sense that the backup is a distinct point-in-time copy you can restore to even if the live data is deleted or corrupted.

Infinite retention. We don’t age out old backups. If you need a file from 2023, it’s there. If you need to see what an email thread looked like before someone edited it six months ago, it’s there. Most backup providers expire data after 30, 60, or 90 days to control their storage costs. We don’t.

Outside the tenant. The backup data lives in Datto’s infrastructure, accessed with credentials that are separate from your M365 tenant. A compromised Global Admin in your M365 environment cannot touch the backup. That’s the whole point.

Granular restore. You can restore a single email, a specific version of a OneDrive file, a SharePoint list item, or a whole mailbox. You don’t have to choose between “restore everything” and “rebuild from scratch.”

Included in managed IT, not an add-on. M365 backup is part of every managed IT engagement we run. Not an optional tier, not a separate contract, not an upsell conversation. You can’t properly manage a Microsoft 365 tenant without protecting the data in it.

Five Questions to Ask Your IT Provider This Week

If you’re not sure where your tenant stands, you don’t need a vendor pitch to find out. Ask your IT team (or your current provider) these five questions.

1. Can you show me the last successful M365 restore we did? Not “do we have a backup.” A specific restore with a date. If the answer is “we’ve never had to do one,” ask them to run a test restore this week.

2. Which M365 workloads are actually covered by our backup? Mail is the obvious one. Specifically ask about OneDrive, SharePoint document libraries, SharePoint lists, Teams chat history, Teams files, and shared mailboxes. A backup that only covers Exchange is half a backup.

3. Does every Global Admin account have MFA enforced? A single admin without MFA is the most common cause of catastrophic tenant compromise. Your provider should be able to pull a report showing MFA status for every privileged account in under five minutes.

4. What is our retention policy, and is any of it Preservation-Locked? Most tenants have defaults that nobody remembers configuring. If your provider can’t tell you what your retention policy says, that’s the answer.

5. If our backup credentials were compromised tomorrow, would the backup itself still be recoverable? Backups stored with the same admin credentials as production are part of the attack surface, not a defense against it.

If any of those questions produces an answer you’re uncomfortable with, you have a gap worth fixing before it finds you.

Frequently Asked Questions

We’ve managed Microsoft 365 tenants for Florida businesses since 2011. In that time, we’ve recovered mailboxes nuked by departing employees, SharePoint sites corrupted by bad imports, OneDrive folders encrypted by ransomware that got past endpoint defenses, and tenants where compromised admin accounts tried to delete everything. In every one of those cases, the data came back. Because it existed somewhere the attacker couldn’t reach.

In fifteen years of managing Florida tenants, I can’t point to a recovery request we couldn’t answer.

If you’re not sure what your M365 tenant would lose if the account with admin rights got compromised tomorrow, start a conversation with us. We’ll walk the five questions above with you and tell you where you stand. No pitch, no pressure.

Sources

1. Shared responsibility in the cloud. Microsoft Learn. Microsoft’s own documentation of the shared responsibility model for cloud services, including the customer’s responsibility for information and data under SaaS. learn.microsoft.com

2. Overview of Microsoft 365 Backup. Microsoft Learn. Microsoft’s documentation for the native M365 Backup product covering Exchange, OneDrive, and SharePoint. learn.microsoft.com

3. Use Preservation Lock to restrict changes to retention policies. Microsoft Learn. Documentation of Preservation Lock, which prevents any administrator (including Global Admins and Microsoft support) from disabling or loosening a locked retention policy. learn.microsoft.com

4. 2026 Global Threat Report. CrowdStrike, February 2026. Annual threat intelligence report covering 2025 adversary activity. Finding: 82% of detections were malware-free; average eCrime breakout time was 29 minutes. crowdstrike.com

5. Midnight Blizzard: Guidance for responders on nation-state attack. Microsoft Security Response Center, January 2024. Microsoft’s own disclosure of the Midnight Blizzard (APT29) compromise of a legacy non-production test tenant and subsequent access to senior leadership mailboxes. msrc.microsoft.com

6. Configure SharePoint Recycle Bin settings. Microsoft Support. Microsoft’s documentation of what recycle bin settings administrators can change. The exposed settings cover storage quota (50-500% of site quota) but not the 93-day retention window itself, which is a fixed platform-level setting. support.microsoft.com

Further Reading

• Business Continuity Planning Isn’t About the Disaster. It Never Was. The companion piece to this post, covering the full backup and recovery system across servers, endpoints, and SaaS.
• What Stryker’s Cyberattack Teaches Every Business Owner. What happens when management tools meant to protect your environment are turned against you.
• Microsoft 365 Service Descriptions and SLAs. Microsoft. The service-level commitments Microsoft actually makes about your tenant. Worth reading in full once. microsoft.com