Microsoft 365: backup vs retention

8 min read | Updated February 2026

Why retention is not backup, and why the difference matters for your business.

“It’s in the cloud, so it’s backed up.” This is one of the most dangerous assumptions in IT, and we hear it regularly from businesses of every size. The logic feels sound: Microsoft runs the infrastructure, the data lives in their data centres, surely they protect it. But that assumption misunderstands a fundamental aspect of how cloud services work.

Microsoft operates under a shared responsibility model. They protect the infrastructure: the physical data centres, the network, the platform availability. Your data, however, is your responsibility. Microsoft says this explicitly in their own service agreement: they recommend third-party backup for your content and data. They are not in the business of backing up your emails, your files, or your SharePoint sites.

What Microsoft does provide is retention. Retention and backup are not the same thing, and conflating the two creates a false sense of security that only becomes apparent when something goes wrong and you discover your data is gone.

What Microsoft retention actually provides

Microsoft 365 includes several data retention features. They are useful, but they serve a specific purpose: compliance and short-term recovery. They were not designed to be a comprehensive backup solution, and they have significant limitations that most organisations do not discover until it is too late.

Deleted Items folder

Items you delete land in the Deleted Items folder and stay there until the user empties it. Once emptied, the item moves to a hidden Recoverable Items folder where it remains for 14 days by default, or up to 30 days if configured. After that window closes, the data is permanently purged. Microsoft does not keep a copy beyond this point.

Retention policies

Administrators can configure retention policies that preserve content for a defined period to meet compliance obligations. These policies are designed for regulatory and legal requirements, not for operational recovery. They are complex to configure, difficult to restore individual items from, and do not cover every data type consistently across the platform.

Litigation hold

Legal hold preserves mailbox and OneDrive content to satisfy legal discovery requirements. It is not a backup mechanism. It preserves content in place but does not provide point-in-time recovery. It cannot restore a mailbox to the state it was in last Tuesday, and it does not protect against a compromised admin account removing the hold itself.

Version history

SharePoint and OneDrive maintain version history for documents, allowing users to revert to earlier versions. This is useful for accidental edits but has limits. Version counts are capped, older versions can be purged automatically, and ransomware that encrypts files creates new versions that push clean copies out of the history window.

“Microsoft protects the infrastructure. You are responsible for your data. That distinction is the single most important thing to understand about cloud services, and most businesses get it wrong.”

What proper backup provides

A dedicated Microsoft 365 backup solution creates an independent copy of your data, stored outside the Microsoft environment, with its own retention schedule and its own access controls. This is the difference between having a safety net and hoping the tightrope holds.

Independent data copy

A true backup stores your data in a completely separate system, outside the Microsoft 365 environment. If your tenant is compromised, your backup remains untouched. This independence is the fundamental difference between backup and retention.

Point-in-time recovery

Backup solutions capture snapshots of your data at regular intervals. Need to restore a mailbox to how it looked three months ago? A backup can do that. Retention policies cannot. This granularity is essential when data loss is discovered weeks or months after it occurred.

Ransomware protection

Because backups sit outside the production environment, typically with immutable storage, ransomware that encrypts your Microsoft 365 data cannot reach the backup copies. This is your last line of defence when every other control has failed.

Granular restore

Modern M365 backup solutions let you restore a single email, a specific SharePoint library, an individual Teams conversation, or an entire mailbox. You choose what to recover and where to put it, without affecting the rest of the environment.

Where retention fails you

These are not hypothetical scenarios. We see them regularly across the businesses we support. Each one represents a situation where Microsoft’s built-in retention capabilities are simply not enough, and where the absence of a proper backup turns a recoverable incident into a permanent data loss.

Ransomware encrypts everything

An attacker gains access to a global admin account, encrypts files across OneDrive and SharePoint, empties recycle bins, and waits for retention windows to expire. Without an independent backup, there is no recovery path. Retention was never designed to survive a targeted attack on the tenant itself.

Bulk deletion discovered late

A user accidentally deletes an entire project folder containing two years of client documents. Nobody notices for four months. By the time someone asks for the files, every retention window has closed. The data simply does not exist in Microsoft 365 any longer.

Departed employee mailbox lost

When an employee leaves, their Microsoft 365 licence is reassigned to a new starter. The departed user's mailbox enters a 30-day soft-delete window. If nobody exports or preserves that data within those 30 days, it is permanently gone. Every email, every calendar entry, every contact.
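
A read-only check for the two windows described on this page (the Recoverable Items period under "Deleted Items folder" and the 30-day soft-delete of a departed user's mailbox), added here as an example and not part of the original article. It assumes the ExchangeOnlineManagement PowerShell module and an account permitted to run `Get-Mailbox`; the variable names are illustrative and the 30-day figures are the ones quoted on this page.

```powershell
# Added example: report mailboxes on a short Recoverable Items window and
# soft-deleted mailboxes that are close to permanent removal. Read-only.
Connect-ExchangeOnline -ShowBanner:$false

$maxItemRetention = [TimeSpan]::FromDays(30)  # upper limit quoted on this page
$softDeleteDays   = 30                        # soft-delete window quoted on this page
$now              = (Get-Date).ToUniversalTime()

# 1. Mailboxes whose deleted-item retention is below the 30-day maximum,
#    with their litigation hold state for context.
$shortRetention = Get-EXOMailbox -ResultSize Unlimited `
        -Properties RetainDeletedItemsFor, LitigationHoldEnabled |
    Where-Object {
        # The value may arrive as a string such as "14.00:00:00"; parse it either way.
        [TimeSpan]::Parse("$($_.RetainDeletedItemsFor)") -lt $maxItemRetention
    } |
    Select-Object UserPrincipalName, RetainDeletedItemsFor, LitigationHoldEnabled

# 2. Soft-deleted mailboxes and the days remaining before they are purged.
$expiring = Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited |
    Select-Object UserPrincipalName, WhenSoftDeleted,
        @{ Name = 'DaysLeft'; Expression = {
            $deleted = ([datetime]$_.WhenSoftDeleted).ToUniversalTime()
            [math]::Floor($softDeleteDays - ($now - $deleted).TotalDays)
        } } |
    Sort-Object DaysLeft

"Mailboxes below the 30-day Recoverable Items window: $(@($shortRetention).Count)"
$shortRetention | Format-Table -AutoSize

"Soft-deleted mailboxes (fewest days left first): $(@($expiring).Count)"
$expiring | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Any mailbox in the second list with only a few days left needs exporting or preserving before the window closes; the script itself changes nothing in the tenant.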

Corruption that replicates

A file becomes corrupted on a user's device. OneDrive sync dutifully pushes the corrupted version to the cloud, which then syncs to every other connected device. Version history might help if caught quickly, but if the corruption affects hundreds of files across multiple libraries, manual recovery from version history becomes impractical at scale.

Rogue admin or insider threat

A disgruntled administrator with full tenant access can disable retention policies, purge recoverable items, and remove litigation holds before deleting data. Microsoft's own controls cannot protect you from someone who has the keys to disable those controls. An external backup with separate credentials is the only safeguard.

30 days: maximum soft-delete window for a removed M365 mailbox before permanent loss

14 days: default Recoverable Items retention for deleted emails in Exchange Online

53% of organisations experienced data loss in SaaS applications in the past year

What you need to back up

A comprehensive Microsoft 365 backup strategy covers the four core workloads. Each stores different types of business data, and each has its own recovery challenges if that data is lost without a backup to restore from.

Exchange Online

Mailboxes, shared mailboxes, calendars, contacts, and archive mailboxes. Email remains the primary communication channel for most businesses. Losing a mailbox means losing years of client correspondence, contracts, and institutional knowledge.

OneDrive for Business

User files and personal storage. For many employees, OneDrive is their primary working location. Documents in progress, reference materials, and project files all live here.

SharePoint Online

Team sites, document libraries, lists, and site collections. SharePoint is often the backbone of shared file storage, intranet content, and collaborative workspaces across the organisation.

Microsoft Teams

Channel conversations, files shared in chats, meeting recordings, and team configurations. Teams data is spread across Exchange, SharePoint, and OneDrive behind the scenes, making it particularly difficult to reconstruct without a proper backup.

“The question is not whether you can afford Microsoft 365 backup. The question is whether you can afford to lose the data that lives there. For most organisations, the answer is obvious.”

Making the case internally

If you already understand the need for M365 backup but need to justify the investment to leadership, the conversation is straightforward. Microsoft 365 backup typically costs between two and five pounds per user per month. Compare that to the cost of recreating years of lost email correspondence, rebuilding SharePoint sites from memory, or explaining to clients that their project files no longer exist.

There is also the compliance angle. Regulations including GDPR, FCA requirements, and industry-specific standards increasingly require demonstrable data protection measures. Relying solely on Microsoft’s built-in retention does not meet the bar. Auditors and regulators expect independent backup with documented recovery procedures and tested restore capabilities.

Finally, consider the cyber insurance implications. Many policies now require evidence of adequate backup arrangements as a condition of cover. If you suffer a data loss event and your insurer discovers you had no independent backup for your primary business platform, your claim may be denied.

Need M365 backup in place?

We implement and manage Microsoft 365 backup for businesses across the UK. That includes selecting the right solution for your environment, configuring backup policies across Exchange, OneDrive, SharePoint, and Teams, and running regular test restores so you know recovery will work when it matters.

If you are not sure whether your current setup provides adequate protection, we can review your Microsoft 365 environment and show you exactly where the gaps are. It takes less than an hour and the findings are often eye-opening.