Microsoft 365 Backup: Why the Default Isn’t Enough

If your business runs on Microsoft 365 – emails, Teams, SharePoint, OneDrive – you’re probably assuming that Microsoft is looking after your data. It’s Microsoft, after all. Surely they back everything up?

They do. But not in the way you need.

Microsoft backs up its own infrastructure to keep its services running. That is very different from protecting your data against the mistakes, accidents, and threats that actually put businesses at risk. Understanding the gap between those two things is one of the most important conversations any Microsoft 365 user should have about their IT setup.

What Microsoft Actually Provides

Microsoft is extraordinarily reliable when it comes to keeping its platform online. Redundant data centres, automated failover, world-class infrastructure – your Microsoft 365 service almost certainly won’t go down because of a hardware failure on Microsoft’s side.

But Microsoft’s responsibility ends at the platform. Your data – your emails, files, Teams conversations – is your responsibility under what Microsoft calls the Shared Responsibility Model. Microsoft makes this clear in its own service documentation, though it doesn’t always come up in the conversation when a business first signs up.

Microsoft does offer some short-term data recovery tools. Deleted items in Exchange can be recovered for up to 30 days. SharePoint and OneDrive have a recycle bin and version history. These can be genuinely helpful for minor mistakes. But they are not a backup, and they were not designed to be one.

[Image: Microsoft 365 Backup vs AOIT Networks Backup Features]

Where the Shared Responsibility Model Leaves a Gap

The scenarios that actually threaten business data rarely involve Microsoft’s infrastructure failing. They involve what happens inside your Microsoft 365 environment.

Ransomware that encrypts or corrupts your files and syncs the damage through OneDrive before anyone notices. A disgruntled employee who deletes years of project data on their last day. An admin mistake that removes a shared mailbox. A third-party application with write access that behaves unexpectedly. In all of these situations, Microsoft’s built-in tools may fall short – and in some cases, won’t help at all.

Microsoft’s retention windows are also fixed. Once you’re outside the 30-day recovery window for deleted emails, or beyond the recycle bin period for SharePoint, that data is gone unless you have your own backup in place. If you don’t discover an issue until six weeks after it happened – which is not unusual with ransomware or slow-moving data corruption – you may have no recovery options through Microsoft alone.

The Most Common Misconceptions

The belief that a Microsoft 365 subscription includes comprehensive backup is the most common misconception we come across. It doesn’t. What you’re paying for is access to the platform and its built-in features – not independent data protection.

A related assumption is that OneDrive sync is a backup. It isn’t. OneDrive keeps your files in sync between your device and the cloud, which is useful. But if a file gets corrupted or deleted, OneDrive syncs that change too. You haven’t got a separate protected copy – you’ve got one copy that exists in two places at once.

Version history is another feature that gets mistaken for backup. It gives you previous versions of files for a configurable period, which can be helpful. But it has limits on retention, it can be turned off, and it doesn’t protect you against account deletion, licensing changes, or the loss of entire sites or mailboxes.

What a Proper Microsoft 365 Backup Actually Does

A third-party Microsoft 365 backup solution sits outside Microsoft’s environment and takes independent copies of your data on a regular schedule. Emails, calendars, contacts, SharePoint sites, OneDrive files, Teams data – the scope depends on the solution, but the principle is the same: a separate, protected copy that Microsoft’s platform cannot affect.

The practical difference is significant. If ransomware hits your environment today and you don’t realise for three weeks, a proper backup means you can restore to a point in time before the infection. If an admin deletes a SharePoint site containing two years of project documentation, a backup means you can recover it. If a user leaves and their mailbox is removed with their licence, a backup means their emails aren’t lost permanently.

Good Microsoft 365 backup also gives you granular recovery – the ability to restore a single email or file rather than an entire mailbox or site. That matters when time and accuracy both count.

What to Look For in a Microsoft 365 Backup Solution

Not all backup products are equal, and the marketing language in this space can be deliberately vague. A few things are worth looking for when evaluating options.

Retention period – how long does the backup solution keep your data? Some solutions only hold 30 or 90 days, which may not be long enough if you have regulatory or contractual obligations. UK businesses operating under GDPR need to think carefully about both what data they hold and how they can demonstrate control over it.

Coverage – does the solution back up all the Microsoft 365 services your business uses, including SharePoint, Teams, and shared mailboxes, or just Exchange?

Restore speed and granularity – can you recover individual items quickly, or does a recovery operation take hours and require restoring everything at once?

Independence – is the backup stored completely separately from Microsoft’s infrastructure? If your Microsoft 365 tenant has a serious problem, your backup needs to be accessible regardless.

How AOIT Approaches Microsoft 365 Backup

Microsoft 365 backup is included alongside every Microsoft 365 licence we manage – because providing one without the other wouldn’t be responsible. It’s billed separately so you have full visibility of what you’re paying for and why.

Our managed backup service covers Exchange, OneDrive, SharePoint, and Teams data independently from Microsoft’s infrastructure, with backups running up to six times a day for Exchange and Teams, and up to four times a day for OneDrive and SharePoint. That frequency matters in practice – the shorter the gap between backups, the less data you stand to lose if something goes wrong. Restores are granular, meaning we can recover a single email, a specific file, or an entire mailbox without having to restore everything at once.

Backups are stored as immutable copies, meaning once written, the data cannot be altered or deleted – even by ransomware. That is an important distinction. A backup that can be encrypted or tampered with is not a reliable safety net, and immutability is what ensures your data remains recoverable regardless of what happens to your live environment.

All backup data is stored encrypted – both in transit and at rest – in private, certified data centres that meet SOC 1 Type II, SOC 2 Type II, ISO 27001, ISO 9001, PCI-DSS, and HIPAA standards. Retention can be configured to meet your specific requirements – up to seven years if needed – which is relevant for UK businesses with GDPR obligations around data control, recovery, and retention periods.

Is This Something Your Business Needs?

If your business uses Microsoft 365 and holds data that matters – emails, contracts, project files, customer records, financial documents – then yes, independent backup is something you should have in place. The question isn’t really whether the risk exists. It’s whether your current setup adequately addresses it.

Businesses with regulatory obligations, client confidentiality requirements, or any kind of data retention policy should pay particular attention. The inability to recover data after an incident isn’t just operationally damaging – it can create compliance exposure too.

The cost of proper Microsoft 365 backup is modest relative to the value of the data it protects. That’s a calculation most businesses only wish they’d made before something went wrong.

The businesses that regret not having proper backup in place all have one thing in common – they didn’t think they needed it until they did. If Microsoft 365 is central to how your business operates, it’s worth making sure your data is properly protected. Get in touch to find out how we can help.
