Most businesses assume that because their email and files are “in the cloud” with Microsoft, they are automatically backed up. They are not.
Microsoft keeps the platform running. They make sure the servers are online, the infrastructure is secure, and the service is available. But they are very clear about one thing: your data is your responsibility.
This is not a grey area. It is written into their service agreement. And most businesses only discover it after something goes wrong.
What Microsoft actually protects
Microsoft invests heavily in infrastructure. Their data centres have redundancy, failover systems, and disaster recovery at a scale that no individual business could match. They protect against:
- Hardware failure: If a server in their data centre fails, your data is replicated across multiple locations. You will not lose email because a Microsoft hard drive died.
- Infrastructure outages: If an entire data centre goes offline, your service fails over to another location.
- Platform-level disasters: Fires, floods, or catastrophic failures at their facilities are covered by their redundancy.
This is real and valuable. It means you do not need to worry about Microsoft’s infrastructure.
But notice what is not on that list: anything caused by you, your staff, or someone who gains access to your account.
What Microsoft does not protect
This is where the shared responsibility model matters. Microsoft protects the platform. You protect the data on it.
Accidental deletion. A staff member deletes an important email, a folder of documents, or an entire SharePoint site. Microsoft keeps deleted items for a limited time (14-93 days depending on the type of data and your settings), but after that retention window, the data is gone permanently. If nobody notices the deletion for three months, it is unrecoverable.
Malicious deletion. A disgruntled employee wipes their OneDrive before leaving. A compromised account gets used to delete data across the organisation. Microsoft’s retention policies are the same regardless of whether the deletion was accidental or deliberate.
Ransomware. If ransomware encrypts files on a device that syncs to OneDrive, the encrypted versions sync to the cloud. OneDrive does have a “restore” feature that can roll back to an earlier point, but it has limitations, and it does not cover Exchange mailboxes, SharePoint, or Teams data in the same way.
Account compromise. Someone gains access to a user’s account and creates forwarding rules, deletes emails, downloads confidential data, or changes settings. Microsoft logs the activity, but it does not automatically undo the damage.
Compliance and legal holds. If you need to retain data for a specific period (POPIA requires this for personal information), Microsoft’s default retention may not be long enough. You are responsible for configuring and managing retention policies, or backing up the data externally.
Migration and configuration errors. Mistakes during setup, migration, or configuration changes can result in data loss. Microsoft does not have a “roll back my tenant to yesterday” button.
Microsoft’s own words on this
From the Microsoft Services Agreement:
> “We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”
This is not fine print buried in a legal document nobody reads. It is their stated position: back up your own data.
What proper Microsoft 365 backup looks like
A third-party backup solution for Microsoft 365 takes copies of your data independently of Microsoft’s platform. If data is deleted, encrypted, or compromised, you can restore it from your own backup regardless of Microsoft’s retention windows.
What should be covered:
- Exchange Online: Email, calendars, contacts. The most critical for most businesses. A lost email from six months ago should be recoverable.
- OneDrive: Personal files for each user. This is where the “sync is not backup” problem matters most.
- SharePoint: Shared sites, document libraries, team files. Often where the most important business documents live.
- Teams: Chat history, channel files, meeting recordings. Increasingly important as Teams becomes a primary communication tool.
A good M365 backup solution should:
- Run automatically without anyone needing to start it
- Keep data for longer than Microsoft’s default retention
- Allow granular restore (a single email, a single file, not just “everything or nothing”)
- Store the backup independently of Microsoft’s infrastructure
Our Kwik Backup service covers Microsoft 365 with 1TB per user, covering Exchange, OneDrive, SharePoint, and Teams. Backups run automatically and are stored separately from Microsoft’s platform. Full details on our Business Continuity page.
Three questions to ask about your current M365 setup
- If someone deleted an important email three months ago, could you get it back? If the answer is no (or “I’m not sure”), you have a gap. Microsoft’s default deleted items retention is 14 days, and recoverable deleted items is 30 days. After that, the email is gone unless you have independent backup.
- If ransomware encrypted your OneDrive files today, how would you recover? OneDrive’s “restore your OneDrive” feature covers some scenarios, but it does not cover every type of attack, and it does not help with Exchange or SharePoint.
- Are you relying on Microsoft’s retention to meet your POPIA obligations? POPIA requires you to keep personal data for as long as it is needed for its purpose, and to dispose of it when it is no longer needed. Microsoft’s default retention may not align with your specific requirements. You need to either configure retention policies actively or back up externally.
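One way to answer the first question for every mailbox at once, as an added example that is not part of the original article or Microsoft's own tooling. The function name `Test-MailboxRecoveryWindow`, the 90-day target and the sample mailboxes are assumptions; `RetainDeletedItemsFor` and `LitigationHoldEnabled` are properties returned by `Get-Mailbox` in Exchange Online PowerShell.

```powershell
# Added example: flag mailboxes whose deleted-item recovery window is shorter
# than the period you expect to be able to recover from.
function Test-MailboxRecoveryWindow {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [int] $RequiredDays = 90   # assumption: the "three months" in the question above
    )
    process {
        # Exchange Online returns the window as text such as "14.00:00:00";
        # ToString() also handles a real TimeSpan from on-premises Exchange.
        $window = [TimeSpan]::Parse($Mailbox.RetainDeletedItemsFor.ToString())

        # A litigation hold preserves deleted items past the window, but getting
        # them back is an admin eDiscovery task, not a user-level restore.
        $onHold = [bool]$Mailbox.LitigationHoldEnabled

        [pscustomobject]@{
            Mailbox       = $Mailbox.UserPrincipalName
            RetentionDays = [int]$window.TotalDays
            OnHold        = $onHold
            Gap           = (-not $onHold) -and ($window.TotalDays -lt $RequiredDays)
        }
    }
}

# Constructed sample data (not real mailboxes) so the function runs offline.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'
                       RetainDeletedItemsFor = '14.00:00:00'; LitigationHoldEnabled = $false }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com'
                       RetainDeletedItemsFor = '30.00:00:00'; LitigationHoldEnabled = $false }
    [pscustomobject]@{ UserPrincipalName = 'legal@example.com'
                       RetainDeletedItemsFor = '14.00:00:00'; LitigationHoldEnabled = $true }
)
$sample | Test-MailboxRecoveryWindow | Format-Table -AutoSize

# Against a live tenant (requires the ExchangeOnlineManagement module):
#   Connect-ExchangeOnline
#   Get-Mailbox -ResultSize Unlimited | Test-MailboxRecoveryWindow |
#       Where-Object Gap | Export-Csv .\recovery-gaps.csv -NoTypeInformation
```

Exchange Online caps `RetainDeletedItemsFor` at 30 days, so with a 90-day target every mailbox that is not on hold is reported as a gap.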
Check your Microsoft 365 backup
We will review your current M365 setup and tell you whether your data is properly protected. Most businesses assume it is and discover it is not.
Or talk to us directly:
Call: 087 820 5005
WhatsApp: 081 526 1626