This is one of the most common — and costly — misconceptions we encounter when working with Sydney businesses: the assumption that because their data is in Microsoft 365, Microsoft is backing it up.
The short answer: Microsoft 365 does not provide backup in any meaningful sense of the word.
Microsoft is responsible for keeping the Microsoft 365 service running. You are responsible for protecting your data within it. This distinction is clearly stated in Microsoft's own documentation and service agreements — but most businesses never read them.
What Microsoft Actually Does (and Doesn't) Protect
Microsoft does operate redundant, geographically distributed infrastructure. If a Microsoft data centre has an outage, your data is replicated to another location and you can still access it. Microsoft is genuinely excellent at maintaining service availability — that's not in dispute.
What Microsoft does not protect you from:
- Accidental deletion. If an employee deletes a file or email, Microsoft retains it for a limited period (typically 30–93 days depending on your plan and configuration). After that window, the data is gone permanently — unless you have a third-party backup.
- Malicious deletion. A disgruntled employee with admin access can permanently delete years of email, SharePoint documents, or Teams conversations. Microsoft's retention tools do not prevent this.
- Ransomware. If ransomware encrypts your OneDrive or SharePoint files and then syncs those encrypted files to the cloud, your cloud copies are now encrypted too. Microsoft provides version history that can help recover some data — but it has limits, and it is not a substitute for a proper backup.
- Third-party application errors. Migrations, integrations, or sync errors from connected applications can corrupt or overwrite data. Microsoft is not responsible for data lost through third-party apps.
- Account compromise. If an attacker gains access to an account and permanently deletes data, Microsoft's native tools may not be sufficient to recover it.
Microsoft's own guidance: Microsoft explicitly recommends that customers use third-party backup solutions for Microsoft 365 data. This is stated in their shared responsibility model documentation.
What About the Recycle Bin and Version History?
Microsoft 365 does include some data recovery features — and it's worth understanding what they do and don't cover.
Deleted Items / Recycle Bin
Deleted emails go to the Deleted Items folder first. From there, they can be permanently deleted or they expire after the retention period (default 30 days). SharePoint and OneDrive have a similar Recycle Bin with a two-stage recovery. These are useful for recovering recently deleted files — they are not a backup.
Version History
SharePoint and OneDrive maintain version history for documents — typically 500 versions by default. This allows you to restore a previous version of a file. However, version history can be manually deleted by users with edit access, and for ransomware scenarios, if the encryption event happened more than 500 versions ago (or if an attacker cleared version history), this protection is lost.
Litigation Hold and Retention Policies
Microsoft 365 Business Premium and Enterprise plans include Litigation Hold and retention policies that can preserve data beyond normal deletion. These are compliance tools — they are not designed for rapid data recovery, and configuring them correctly requires Microsoft 365 admin expertise.
What Data in Microsoft 365 Needs Backing Up
| Data Type | Microsoft 365 Service | Backup Required? |
|---|---|---|
| Exchange Online | Yes | |
| Files and documents | OneDrive, SharePoint | Yes |
| Teams chats and channels | Microsoft Teams | Yes |
| Contacts and calendar | Exchange Online | Yes |
| Tasks and Planner | Microsoft 365 Apps | Recommended |
| Forms and Lists | Microsoft 365 Apps | Recommended |
Everything in the table above sits within Microsoft's infrastructure — but your responsibility to protect it does not transfer to Microsoft. Every category of data above can be permanently lost through accidental deletion, ransomware, or account compromise without a third-party backup in place.
What a Proper Microsoft 365 Backup Looks Like
A proper Microsoft 365 backup solution:
- Backs up Exchange Online mailboxes (email, calendar, contacts) on a daily or more frequent schedule
- Backs up SharePoint document libraries and OneDrive for Business
- Backs up Microsoft Teams chat history and channel content
- Stores backup data outside of Microsoft's infrastructure (so a Microsoft outage doesn't affect your backup)
- Provides granular restore — you can restore a single email, file, or calendar item without restoring everything
- Retains data for 30, 90, or 365 days depending on your compliance requirements
- Is tested regularly — a backup that's never been tested is not a backup
Solutions like Veeam, Acronis, and Datto SaaS Protection are purpose-built for this and integrate directly with Microsoft 365. They run automatically in the background and are invisible to your staff.
Not sure if your Microsoft 365 data is properly backed up? We'll check as part of a free audit.
Learn About Our Backup Service →How Much Does Microsoft 365 Backup Cost?
For most SMBs, Microsoft 365 backup runs $3–$6 AUD per user per month when bundled with a managed IT service. For a 20-person business, that's $60–$120 per month — or $720–$1,440 per year.
Compare that to the cost of a data loss incident: recovery of a single accidentally deleted SharePoint library without a backup typically takes 5–15 hours of professional IT work at $150–$250/hour — if recovery is even possible. Beyond a certain point, unbackup data is simply gone.
The Shared Responsibility Model
Cloud services operate on a shared responsibility model. The cloud provider (Microsoft) is responsible for the availability and security of the infrastructure. The customer (your business) is responsible for the data within it.
This model is widely understood in enterprise IT but is routinely missed by SMBs who assume that “cloud” means “backed up.” It doesn't. Moving data to Microsoft 365 from an on-premise server doesn't eliminate your backup obligation — it changes where the backup needs to be.
If you're not sure whether your Microsoft 365 data is backed up, the answer is almost certainly: not properly. A five-minute check with your IT provider or a look at your Microsoft 365 admin centre will confirm it.