Updated May 2026: This article was rewritten and refreshed for accuracy and relevance.

Shared Responsibility Model

Most businesses assume Microsoft is backing up their Microsoft 365 data. Microsoft's own service agreement says otherwise. Under the Shared Responsibility Model, Microsoft commits to 99.9% uptime for its services, but recovering your data is your problem. If a user deletes a mailbox, ransomware encrypts OneDrive files, or a departing employee's account is wiped, Microsoft can recover it only within its short built-in retention windows, and not at all once they have closed. That exposure is written directly into the service terms.

Specifically, Microsoft is not responsible for issues that arise from:

  • Any unauthorized action, or failure to act, by your employees, contractors, vendors, or anyone accessing the Microsoft network with your credentials or equipment
  • Failure to follow appropriate security practices and required configurations
  • Failure to properly use and configure supported platforms
  • Use that is inconsistent with Microsoft's published guidance or acceptable use policies

In the service terms Microsoft acts as the data "Processor": it runs the infrastructure and is accountable for uptime and platform availability. Your organization is the data "Controller": you own the data and decide what happens to it. If someone on your team hits delete, intentionally or by accident, that data is gone once the native retention windows expire unless you have a backup strategy in place. The same applies to data lost through malicious access, ransomware, or account compromise.

What Microsoft Does (and Doesn't) Protect

Microsoft 365 includes real security controls, but they address threats to the platform, not data loss from user actions or internal incidents. Microsoft Defender for Office 365 scans email attachments and links in real time, blocking known phishing campaigns and malware before they reach inboxes. Microsoft Purview Information Protection classifies and labels sensitive documents automatically, applying access and encryption policies based on content type. These tools protect against external threats reaching your environment.

What they don't cover: accidental deletion, insider deletion, ransomware that encrypts files synced to OneDrive, or data tied to deprovisioned accounts. Exchange Online keeps purged items in a mailbox's Recoverable Items folder for 14 days by default, configurable per mailbox up to a maximum of 30 days; SharePoint and OneDrive recycle bins hold content for 93 days in total across the first- and second-stage bins. A Purview retention policy or hold can keep copies for longer, but once those windows close, or if the account is removed, the data is gone. There is no Microsoft-managed backup you can call to restore a SharePoint library from six months ago.
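As an added example (not code from the article), the PowerShell below audits the native recovery windows described above and raises the ones that can be raised. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that the caller holds the Exchange Administrator and SharePoint Administrator roles, and that "contoso" is a placeholder tenant name.

```powershell
# Added example, not code from the article. Assumes ExchangeOnlineManagement and
# Microsoft.Online.SharePoint.PowerShell are installed; "contoso" is a placeholder.
Connect-ExchangeOnline
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# --- Exchange: Recoverable Items retention (14 days by default, 30 days maximum) ---
$short = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { ([TimeSpan]$_.RetainDeletedItemsFor).TotalDays -lt 30 }

"{0} user mailbox(es) keep purged items for less than 30 days" -f @($short).Count
$short | Select-Object UserPrincipalName, RetainDeletedItemsFor | Format-Table -AutoSize

# Raise them to the 30-day ceiling. -WhatIf previews the change; drop it to apply.
$short | Set-Mailbox -RetainDeletedItemsFor 30.00:00:00 -WhatIf

# Make 30 days the default for mailboxes created from now on.
Get-MailboxPlan | Set-MailboxPlan -RetainDeletedItemsFor 30.00:00:00

# Mailboxes already in the soft-deleted state (their owning account was deleted);
# each of these disappears for good 30 days after WhenSoftDeleted.
Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited |
    Select-Object DisplayName, WhenSoftDeleted |
    Sort-Object WhenSoftDeleted | Format-Table -AutoSize

# --- OneDrive: how long a deleted user's OneDrive is kept (30 days by default) ---
$tenant = Get-SPOTenant
"Orphaned OneDrive retention: {0} day(s)" -f $tenant.OrphanedPersonalSitesRetentionPeriod
if ($tenant.OrphanedPersonalSitesRetentionPeriod -lt 365) {
    # Keep a departed user's files for a year; the setting accepts 30 to 3650 days.
    Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 365
}
```

The 93-day SharePoint and OneDrive recycle bin window is not configurable, so nothing here touches it; the two settings above are the only native windows an admin can widen, and 30 days remains the hard ceiling for mailbox purges.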

Data Governance and Access Controls

A baseline Microsoft 365 governance posture starts with knowing what data you have and who can reach it. That means building a data map, an inventory of where sensitive data lives across Exchange, SharePoint, OneDrive, and Teams, what classification it carries, and who has access. Microsoft Purview can automate much of the classification work, but the policies and access controls behind it require human decisions.

Role-Based Access and Least Privilege

Role-based access control (RBAC) limits what each user can do based on their job function. A user in accounting shouldn't have write access to engineering SharePoint libraries, and a contractor shouldn't have persistent access to folders they needed for a single project. Microsoft Entra ID (formerly Azure AD) manages these permissions at the identity level. Regularly auditing permission assignments, especially when employees change roles or leave, prevents access sprawl that creates unnecessary data exposure.
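An added example (not code from the article) of the permission audit the paragraph recommends, using the Microsoft Graph PowerShell SDK: it lists who holds the directory roles that can read or destroy everyone's data, and flags guest accounts, typically contractors, that have not signed in for 90 days. It assumes the Microsoft.Graph modules are installed, that the caller can consent to the listed scopes, and that sign-in activity is available (reading it requires the AuditLog.Read.All permission and an Entra ID P1 or P2 license). The role list and the 90-day threshold are this example's choices.

```powershell
# Added example, not code from the article. Assumes the Microsoft.Graph PowerShell
# SDK is installed; the role list and the 90-day threshold are this example's choices.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "AuditLog.Read.All"

# 1. Who holds the roles that can read or destroy everyone's data?
$roleNames = "Global Administrator", "Exchange Administrator",
             "SharePoint Administrator", "User Administrator"

foreach ($name in $roleNames) {
    # Get-MgDirectoryRole returns only roles that have been activated in the tenant
    $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
    if (-not $role) { "{0}: not activated" -f $name; continue }

    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    "{0}: {1} member(s)" -f $name, @($members).Count
    foreach ($m in $members) {
        # Members can be users, groups or service principals; only users carry a UPN
        $label = $m.AdditionalProperties['userPrincipalName']
        if (-not $label) { $label = $m.AdditionalProperties['displayName'] }
        "    {0} ({1})" -f $label, $m.Id
    }
}

# 2. Guest accounts with no sign-in in 90 days: the "single project" access that never got removed
$cutoff = (Get-Date).AddDays(-90)
$staleGuests = Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property DisplayName, UserPrincipalName, SignInActivity, CreatedDateTime |
    Where-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        (-not $last) -or ($last -lt $cutoff)   # never signed in counts as stale too
    }

"{0} guest(s) with no sign-in since {1:yyyy-MM-dd}" -f @($staleGuests).Count, $cutoff
$staleGuests |
    Select-Object DisplayName, UserPrincipalName, CreatedDateTime,
        @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } |
    Sort-Object LastSignIn | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run: a new name in the Global Administrator list, or a guest that has gone quiet, is exactly the change a role move or a departure should have triggered a review of.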

Retention Policies and Compliance Requirements

Microsoft Purview includes retention policies that control how long data is kept before deletion and whether it can be deleted at all during a hold period. For organizations subject to HIPAA, FINRA, or CMMC, these settings aren't optional: regulators expect demonstrable control over data retention and deletion. A correctly set retention policy also prevents the scenario where a compliance-relevant email disappears because someone emptied their Deleted Items folder.
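An added example (not code from the article) of the retention configuration the paragraph describes, using the Security & Compliance PowerShell cmdlets that ship in the ExchangeOnlineManagement module. It creates a keep-then-delete policy across Exchange, SharePoint and OneDrive, and a second one for Teams, which Purview requires to live in its own policy. The policy names and the 7-year (2555-day) period are this example's choices, not a statement of what any particular regulator requires.

```powershell
# Added example, not code from the article. Assumes ExchangeOnlineManagement is
# installed and the caller holds the Compliance Administrator role. Names and the
# 2555-day (7-year) period are this example's choices.
Connect-IPPSSession

# Policy 1: mail, SharePoint and OneDrive content. Items are kept even if a user
# purges them, and are deleted only when they reach the retention age.
New-RetentionCompliancePolicy -Name "Regulated records - 7 years" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Enabled $true

New-RetentionComplianceRule -Name "Regulated records - keep 7 years" `
    -Policy "Regulated records - 7 years" `
    -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete

# Policy 2: Teams chats and channel messages cannot share a policy with the
# locations above, so they get their own policy and rule.
New-RetentionCompliancePolicy -Name "Teams messages - 7 years" `
    -TeamsChatLocation All -TeamsChannelLocation All -Enabled $true

New-RetentionComplianceRule -Name "Teams messages - keep 7 years" `
    -Policy "Teams messages - 7 years" `
    -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete

# Verify: both policies should be enabled and report a successful distribution.
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object Name -like "* - 7 years" |
    Select-Object Name, Enabled, DistributionStatus |
    Format-List
```

Distribution to all locations takes time, so re-run the verification later rather than trusting the first status. If a regulator requires that the period can never be shortened, apply a preservation lock afterwards (Set-RetentionCompliancePolicy -RestrictiveRetention $true); that step is irreversible, so test the policy on a pilot location first.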

Office, Exchange, SharePoint, and OneDrive: Why Backups Matter

When Exchange goes down or a mailbox is deleted, email-dependent workflows stop immediately. A missing document in OneDrive that three people were actively editing creates version conflicts and lost work. A SharePoint site collection deleted by an admin error can take out an entire project's documentation. Microsoft's native recycle bins and retention windows provide short-term recovery, but they were not designed to replace a backup platform.

A third-party Microsoft 365 backup solution addresses the gaps Microsoft's built-in tools leave open:

  • Backs up Exchange mailboxes at the organization level or by selected groups, with point-in-time recovery down to individual emails and calendar items
  • Restores entire SharePoint site collections, document libraries, and individual files to any previous point
  • Backs up all OneDrive accounts or specific users, with granular restore options
  • Retains data beyond Microsoft's native retention windows, giving you 30-day, 90-day, or multi-year restore points depending on your policy
  • Covers Teams chat and channel messages, which have no recycle bin of their own and are otherwise recoverable only if a Purview retention policy or hold was already in place

Backup platforms commonly used in Microsoft 365 environments include Veeam Backup for Microsoft 365, Acronis Cyber Protect, and Datto SaaS Protection. Each provides automated daily backups, retention policies configurable to compliance requirements, and admin consoles for initiating restores without Microsoft involvement.

Testing restore procedures matters as much as running backups. A backup that hasn't been tested is an assumption: you don't know it works until you need it. Regular restore drills, documented recovery time objectives, and a clear process for who initiates a restore request are the difference between a manageable incident and a prolonged outage.

Stratify IT designs Microsoft 365 backup strategies that match your actual exposure: mailbox volume, SharePoint structure, compliance requirements, and recovery time expectations. Contact us to review your current Microsoft 365 configuration and identify where your data is unprotected.

For more on Microsoft 365 security and backup, explore our Microsoft 365 backup services. For organizations that also need to address recovery of on-premises systems, failover procedures, and formal RTO/RPO planning, our disaster recovery and business continuity services cover the full scope.

Frequently Asked Questions

How long do I have to recover deleted Microsoft 365 data?

It depends on where the data lives. Purged emails sit in the mailbox's Recoverable Items folder for 14 days by default, configurable per mailbox up to 30 days. SharePoint and OneDrive give you 93 days in the recycle bin. After those windows close, the data is gone unless a third-party backup captured it independently. Most businesses don't realize those windows have already passed by the time someone notices something is missing.

Does Microsoft 365 Business Premium include backup?

Not meaningfully. Business Premium adds Defender for Business, Intune device management, and Entra ID P1 (formerly Azure AD Premium P1) features, all genuinely useful security tools, but none of them back up your mailbox or SharePoint data. The shared responsibility model applies at every licensing tier. Paying more for Microsoft 365 doesn't shift data ownership back to Microsoft; it just gives you better tools to protect the platform itself.

Is a Purview retention policy different from a backup?

Yes, and this distinction matters. Purview retention policies are designed for compliance and legal hold, not operational recovery. They can preserve a copy of data for regulatory purposes, but restoring a specific user's mailbox to a point in time, recovering a corrupted SharePoint library, or pulling a single deleted file from six weeks ago isn't what they're built for. A backup tool like Veeam or Datto SaaS Protection gives you granular, restorable copies, which is a different capability entirely.

What happens to an employee's data when their account is deleted?

Once you delete an account in Microsoft 365, you have 30 days to restore it before the user object, its mailbox, and its OneDrive are permanently removed. Many IT teams or managers don't act fast enough, especially in small businesses without a formal offboarding checklist. If the window closes and no backup was taken, that employee's email history, OneDrive files, and Teams chat data are gone. One workaround is to convert the mailbox to a shared mailbox, remove the license, and leave the account in place: the mail stays readable without a license as long as the mailbox is under 50 GB. Deleting the account afterwards deletes the shared mailbox along with it, so the account has to stay. Either way, this is not a substitute for a proper backup.
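As an added example (not code from the article), this PowerShell walks the offboarding sequence the answer describes in the order that cuts off access first and never starts the 30-day deletion clock, then shows the recovery of an account that was deleted by mistake. It assumes the ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules, the Exchange, SharePoint and User Administrator roles, and that the two addresses and the tenant name are placeholders.

```powershell
# Added example, not code from the article. Assumes ExchangeOnlineManagement,
# Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph are installed;
# the addresses and "contoso" are placeholders.
$leaver  = "jdoe@contoso.com"
$manager = "msmith@contoso.com"

Connect-ExchangeOnline
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"

# 1. Cut off access first: block sign-in and invalidate refresh tokens so
#    cached sessions on personal devices stop working.
Update-MgUser -UserId $leaver -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $leaver | Out-Null

# 2. Keep the mail readable: convert to a shared mailbox and give the manager
#    full access. The content stays put and needs no license under 50 GB.
Set-Mailbox -Identity $leaver -Type Shared
Add-MailboxPermission -Identity $leaver -User $manager -AccessRights FullAccess -AutoMapping $true

# 3. Hand over OneDrive by making the manager a site collection admin on it.
$oneDrive = Get-SPOSite -IncludePersonalSite $true -Limit All `
                -Filter "Url -like '-my.sharepoint.com/personal/'" |
            Where-Object Owner -eq $leaver
if ($oneDrive) {
    Set-SPOUser -Site $oneDrive.Url -LoginName $manager -IsSiteCollectionAdmin $true | Out-Null
}

# 4. Drop the licenses but leave the account. Deleting it would delete the
#    shared mailbox with it and start the OneDrive retention clock.
$skus = (Get-MgUser -UserId $leaver -Property AssignedLicenses).AssignedLicenses.SkuId
if ($skus) {
    Set-MgUserLicense -UserId $leaver -RemoveLicenses $skus -AddLicenses @() | Out-Null
}

# 5. If someone deleted the account anyway, it can be restored for 30 days,
#    mailbox and OneDrive included. After that only an external backup helps.
$gone = Get-MgDirectoryDeletedItemAsUser -All | Where-Object UserPrincipalName -eq $leaver
if ($gone) {
    "{0} was deleted {1:u}; restoring" -f $gone.UserPrincipalName, $gone.DeletedDateTime
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $gone.Id | Out-Null
}
```

Step 1 comes before everything else because a converted or unlicensed mailbox is still reachable by a user whose tokens are valid; revoking sessions is what actually ends the departing employee's access. Step 5 is the only recovery path Microsoft offers once an account is gone, and it closes exactly 30 days after the deletion.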

Can ransomware affect files stored in OneDrive?

Yes, and it happens more than people expect. Ransomware on a workstation reaches synced cloud drives because the OneDrive client syncs bidirectionally with the local machine: if it encrypts files on a user's laptop, the encrypted versions sync up to OneDrive and overwrite the originals before anyone notices. Microsoft's per-file version history and the Restore your OneDrive feature, which rolls an entire drive back to any point in the preceding 30 days, offer some recovery, but only inside that 30-day window and only if the damage is noticed in time. A dedicated backup solution that takes independent snapshots outside the Microsoft environment closes that gap.

What should I look for in a Microsoft 365 backup solution?

Coverage across the full suite matters first: mailboxes, SharePoint, OneDrive, and Teams channels should all be included, not just email. Look for solutions that store backups in a location fully independent of Microsoft's infrastructure, so an outage or compromise on Microsoft's end doesn't take your backups down too. Granular restore is the other big one: you want to recover a single email or file without restoring an entire account. Veeam Backup for Microsoft 365 and Datto SaaS Protection are two well-regarded options worth evaluating.

Sharad Suthar

Sharad has a proven track record of delivering successful IT projects underpinned by creative problem-solving and strategic thinking. He brings an extraordinary combination of in-depth technical knowledge, problem-solving skills, and dedication to client satisfaction that enables him and his team at Stratify IT to deliver optimal IT solutions tailored to the specific needs of each organization, from large corporates to small businesses. His impeccable attention to detail and accuracy ensure that his clients get the best possible results.