There is a dangerous misconception among UK businesses that moving to Microsoft 365 means their data is automatically backed up by Microsoft. This belief is understandable — after all, Microsoft operates some of the most sophisticated and resilient data centres in the world. Surely data stored in Exchange Online, SharePoint, OneDrive, and Teams is safe? The answer is more nuanced than most business owners realise, and the consequences of misunderstanding it can be devastating.
Microsoft provides infrastructure-level resilience — their data centres are designed to survive hardware failures, and data is replicated across multiple facilities. But Microsoft does not protect your data against accidental deletion by users, malicious deletion by disgruntled employees, ransomware that encrypts your cloud data, retention policy gaps that permanently purge data, or legal and compliance requirements for long-term data retention.
This distinction — between Microsoft's responsibility for the platform and your responsibility for the data — is codified in what Microsoft calls the Shared Responsibility Model. Understanding this model, and implementing proper backup accordingly, is essential for every UK business using Microsoft 365.
The reality is stark: research consistently shows that a significant proportion of UK businesses have experienced data loss events within their Microsoft 365 environments. These incidents range from minor inconveniences — a single deleted email that takes hours to locate — to catastrophic losses where entire mailboxes, project archives, or client records are permanently destroyed. The financial and operational impact scales dramatically with the severity of the loss, and for businesses in regulated sectors such as financial services, legal, or healthcare, data loss can trigger regulatory investigations, fines, and reputational damage that far exceeds the cost of the lost data itself.
What makes this issue particularly pressing for UK businesses is the regulatory environment. The UK General Data Protection Regulation places explicit obligations on data controllers — which includes every business that holds personal data — to implement appropriate technical and organisational measures to protect that data. The Information Commissioner's Office has made it clear that simply storing data in a cloud service does not discharge these obligations. You remain responsible for ensuring that personal data can be recovered in the event of a technical incident, and reliance on a cloud provider's built-in retention does not constitute an adequate backup strategy.
The Shared Responsibility Model Explained
Microsoft's Shared Responsibility Model clearly delineates what Microsoft is responsible for and what the customer is responsible for. Microsoft manages the underlying infrastructure — the physical data centres, servers, storage, networking, and the application code itself. They ensure the platform is available, performant, and resilient against hardware failures and natural disasters. Your responsibility, as the customer, covers the data itself — its protection, retention, recovery, and compliance with regulatory requirements.
Why the Shared Responsibility Model Catches Businesses Off Guard
The confusion around Microsoft's responsibility is partly driven by how Microsoft markets its services. When businesses see features like geo-redundant storage and 99.9% uptime SLA in marketing materials, they naturally assume their data is comprehensively protected. What these features actually guarantee is that Microsoft's infrastructure will remain available — not that your specific data will be recoverable if something goes wrong at the user or administrator level.
Consider an analogy: if you rent office space in a secure building with CCTV, access controls, and fire suppression, the landlord is responsible for the building's security and structural integrity. But if you leave confidential documents on your desk and a visitor takes them, or if a staff member shreds important files, the landlord bears no responsibility for the loss of those documents. The same principle applies to Microsoft 365 — Microsoft secures and maintains the platform, but the data decisions made by your users and administrators are entirely your responsibility.
This model is not unique to Microsoft. Every major cloud platform — Google Workspace, AWS, Salesforce — operates under a similar shared responsibility framework. The principle is consistent across the industry: the cloud provider manages the infrastructure, and the customer manages the data. Yet surveys consistently show that the majority of UK businesses are unaware of this distinction, leaving a critical gap in their data protection strategy.
Microsoft's Responsibility
- Physical data centre security and resilience
- Infrastructure availability and uptime (99.9% SLA)
- Hardware failure protection and data replication
- Application security patches and updates
- Network security of the Microsoft 365 platform
- Geographic data residency options
Your Responsibility
- Protecting data from accidental or malicious deletion
- Recovery of individual items, mailboxes, or files
- Long-term data retention for compliance
- Protection against ransomware affecting cloud data
- Data migration and portability if you leave Microsoft 365
- Regulatory compliance (UK GDPR, industry-specific rules)
What Microsoft 365 Does and Does Not Retain
Understanding Microsoft's built-in retention capabilities — and their limitations — is essential for assessing your backup needs.
| M365 Service | Deleted Item Retention | What Happens After | Risk |
|---|---|---|---|
| Exchange Online (email) | 14 days (Deleted Items), then 14 days (Recoverable Items) | Permanently deleted — unrecoverable | Emails deleted more than 28 days ago are gone |
| OneDrive for Business | 93 days in recycle bin | Permanently deleted | Files deleted 3+ months ago are unrecoverable |
| SharePoint Online | 93 days in recycle bin | Permanently deleted | Document libraries and sites permanently lost |
| Microsoft Teams | Chat: 30 days, Files: 93 days (via SharePoint) | Permanently deleted | Channel data and conversations lost permanently |
| Deleted user account | 30 days (soft delete) | Entire mailbox and OneDrive purged | All data for departed employee permanently lost |
These retention windows may sound adequate for everyday accidents, but they create significant gaps. Consider a scenario where an employee slowly deletes important emails over several months — by the time the loss is discovered, the data is long past the retention window. Or consider a departing employee whose account is deleted after they leave — 30 days later, their entire email history and file library is gone. Without a proper backup solution, there is no way to recover this data.
Real-World Retention Failures
To illustrate how these retention limitations play out in practice, consider several scenarios that UK businesses commonly encounter. A legal firm discovers during a court case that critical email correspondence from eighteen months ago is needed as evidence. The emails were deleted by a paralegal during a routine mailbox clean-up eight months prior — well beyond Exchange Online's retention window. Without a third-party backup, the evidence is irrecoverable, potentially compromising the entire case.
An accounting practice loses a senior partner who managed several key client relationships. The partner's Microsoft 365 account is deactivated, and within thirty days the account and all associated data — emails, documents, client files in OneDrive — are permanently purged. The practice subsequently discovers that critical client correspondence and working papers were stored exclusively in the departed partner's account, with no copies elsewhere.
A marketing agency uses SharePoint to manage campaign assets for dozens of clients. An administrator accidentally deletes a site collection during a reorganisation. The deletion goes unnoticed for four months — long past the 93-day recycle bin window. Entire campaign histories, creative assets, and client approvals are permanently lost, damaging client relationships and creating legal exposure around lost contractual records.
These scenarios are not hypothetical edge cases. They represent the everyday reality of data management in Microsoft 365 environments, and they occur with alarming frequency across businesses of all sizes.
The Six Threats That Demand Third-Party Backup
There are six primary threats that Microsoft's built-in retention cannot adequately address.
1. Accidental Deletion
The most common cause of data loss in Microsoft 365 is human error. Users accidentally delete emails, files, or entire folders. If the deletion is noticed within the retention window, recovery is straightforward. If not, the data is permanently gone. A third-party backup solution retains data for as long as you define — months, years, or indefinitely — regardless of what happens in the live M365 environment.
2. Malicious Insider Threats
Disgruntled employees or compromised accounts can deliberately delete large volumes of data. A departing employee might delete their entire mailbox and OneDrive contents out of spite or to cover their tracks. By the time the deletion is discovered, the retention window may have passed. A backup provides a complete, independent copy that the insider cannot touch.
3. Ransomware and Malware
Modern ransomware can encrypt files stored in OneDrive and SharePoint via the sync client. Whilst Microsoft does offer version history that can help in some ransomware scenarios, sophisticated attacks target version history as well. A third-party backup stored independently of your Microsoft 365 environment provides a clean recovery point that is immune to ransomware.
4. Retention Policy Gaps
Microsoft 365 retention policies are complex and easy to misconfigure. A single policy error can result in data being purged before it should be. Third-party backup provides a safety net that operates independently of your retention policy configuration.
5. Legal and Compliance Requirements
UK GDPR, FCA regulations, SRA requirements, and various industry-specific rules may require you to retain certain data for specific periods — often years. Microsoft's built-in retention can be configured for compliance holds, but these are complex to manage and do not provide the independent, verifiable backup that regulators and auditors typically expect.
6. Departed User Data
When an employee leaves and their Microsoft 365 licence is removed, their data enters a 30-day grace period before permanent deletion. Many businesses do not have a process to preserve this data within that window. A backup solution automatically captures and retains departed user data without requiring manual intervention.
The Compounding Nature of Data Loss Risk
What many businesses fail to appreciate is that these six threats do not exist in isolation — they compound one another. A ransomware attack may exploit a retention policy gap, resulting in encrypted files that cannot be recovered through version history because versions have been purged. An insider threat may target departed user accounts that have not yet been fully offboarded, combining two vulnerability vectors in a single incident. The interconnected nature of modern Microsoft 365 environments means that a weakness in one area can cascade through others.
Furthermore, the shift to hybrid and remote working has amplified these risks considerably. With employees accessing Microsoft 365 from personal devices, home networks, and public Wi-Fi, the attack surface has expanded dramatically. Files synchronised to local devices via OneDrive sync can be encrypted by ransomware that then propagates those encrypted files back to the cloud. Employees working remotely may be less careful about data handling, increasing the likelihood of accidental deletion. The dissolution of the traditional office perimeter makes robust backup even more essential as a last line of defence.
For UK businesses subject to regulatory oversight — whether from the FCA, the SRA, the CQC, or sector-specific bodies — the inability to produce historical data upon request can result in significant penalties. Regulators do not accept that data was simply deleted from a cloud platform as a valid explanation for missing records. The expectation is that businesses maintain comprehensive, independent backups that can be restored regardless of what happens in the live production environment.
Under UK GDPR Article 32, organisations must implement appropriate technical measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. The ability to restore personal data in a timely manner in the event of an incident is explicitly mentioned. The Information Commissioner's Office interprets this as requiring effective backup and recovery capabilities — not just reliance on a cloud provider's built-in retention.
What a Third-Party M365 Backup Solution Provides
A dedicated Microsoft 365 backup solution addresses every gap in Microsoft's built-in retention. Key capabilities include:
- Automated backup of Exchange Online, OneDrive, SharePoint, and Teams data, typically running multiple times per day
- Granular recovery allowing you to restore individual emails, files, folders, or entire mailboxes
- Long-term retention for months or years, configurable to meet your compliance requirements
- Independent storage that is separate from your Microsoft 365 environment, protecting against ransomware and insider threats
- Point-in-time recovery allowing you to restore data as it existed at a specific date and time
- Departed user data preservation without requiring an active Microsoft 365 licence
Deployment Models: Cloud-to-Cloud vs On-Premises
Third-party Microsoft 365 backup solutions broadly fall into two deployment models: cloud-to-cloud and on-premises. Cloud-to-cloud solutions store your backup data in the vendor's cloud infrastructure — typically in data centres separate from Microsoft's. This model requires no hardware, scales automatically with your organisation, and is managed entirely through a web-based console. For the majority of UK SMEs, cloud-to-cloud backup is the most practical and cost-effective option, offering enterprise-grade protection without the overhead of managing physical backup infrastructure.
On-premises backup solutions store your Microsoft 365 data on servers or storage appliances within your own office or data centre. This model offers maximum control over your backup data and eliminates ongoing cloud storage costs, but it requires hardware investment, maintenance, and physical security. Some larger organisations or those in highly regulated sectors prefer this approach for the additional control it provides.
Understanding Recovery Point and Recovery Time Objectives
Two critical metrics for evaluating any backup solution are the Recovery Point Objective (RPO) and Recovery Time Objective (RTO). The RPO defines the maximum acceptable amount of data loss measured in time — if your backup runs three times daily, your worst-case RPO is approximately eight hours, meaning you could lose up to eight hours of data. The RTO defines how quickly you can restore data after a loss event. For most UK businesses, an RPO of 24 hours and an RTO of a few hours is acceptable, but businesses with high-value transactions or time-sensitive communications may require more aggressive targets.
When evaluating backup solutions, ensure the vendor can clearly articulate the RPO and RTO their solution delivers, and verify that these metrics align with your business requirements and any regulatory obligations you are subject to.
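The eight-hour figure above holds only when the three daily runs are evenly spaced; the worst-case RPO is the longest gap between consecutive runs, including the overnight wrap-around. The following is an added example, not code from the original article or from Cloudswitched; it assumes a schedule expressed as backup start times in hours-of-day and lets you check a vendor's schedule against your own RPO target.

```python
"""Worst-case RPO from a backup schedule (added example, not from the original page)."""
import math
from typing import Iterable


def worst_case_rpo_hours(backup_times: Iterable[float]) -> float:
    """Return the worst-case Recovery Point Objective, in hours, for a schedule
    of backup start times given as hours-of-day (0 <= t < 24).

    The worst case is the longest interval between consecutive runs, including
    the wrap-around gap from the last run of one day to the first run of the
    next: data created just after a run is exposed for that long.
    """
    times = sorted(float(t) % 24 for t in backup_times)
    if not times:
        raise ValueError("schedule must contain at least one backup time")
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    gaps.append(24 - times[-1] + times[0])  # overnight gap to the next day's first run
    return max(gaps)


def meets_rpo_target(backup_times: Iterable[float], target_hours: float) -> bool:
    """True if no point in the day is more than target_hours after the previous backup."""
    return worst_case_rpo_hours(backup_times) <= target_hours


def minimum_daily_runs_for(target_hours: float) -> int:
    """Smallest number of evenly spaced runs per day that achieves target_hours."""
    if target_hours <= 0:
        raise ValueError("target must be positive")
    return max(1, math.ceil(24 / target_hours))


if __name__ == "__main__":
    # Constructed schedules: the article's "three times daily" case, evenly
    # spaced versus bunched into office hours.
    for label, schedule in (("evenly spaced", [2, 10, 18]), ("office hours", [9, 12, 17])):
        print(f"{label}: worst-case RPO {worst_case_rpo_hours(schedule):.0f}h")
```

Three runs bunched into office hours leave a 16-hour overnight window, double the evenly spaced figure, which is the question to put to a vendor quoting "three backups a day".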
Choosing a Microsoft 365 Backup Solution
The market for Microsoft 365 backup solutions is mature, with several well-established options. Key factors to consider when selecting a solution include the range of M365 services covered (email, files, SharePoint, Teams), backup frequency and granularity, storage location and data sovereignty (UK-based storage is important for UK GDPR compliance), ease of use for both backup configuration and recovery, scalability as your user count grows, cost per user per month, and vendor reputation and support quality.
Key Evaluation Criteria for UK Businesses
When evaluating Microsoft 365 backup solutions specifically for a UK business context, several additional factors deserve careful consideration. Data sovereignty is paramount — ensure that backup data is stored in UK-based data centres, or at minimum within the European Economic Area. Under UK GDPR, transferring personal data to jurisdictions without adequate data protection frameworks requires additional safeguards, making UK-based storage the simplest path to compliance.
Consider the vendor's approach to encryption. Your backup data should be encrypted both in transit and at rest, using industry-standard encryption protocols. Some solutions offer customer-managed encryption keys, which provide an additional layer of control — particularly valuable for businesses in regulated sectors where demonstrating exclusive control over encryption keys may be a compliance requirement.
Assess the solution's administrative overhead. The best backup solutions for UK SMEs operate on a set-and-forget basis, requiring minimal ongoing management after initial configuration. Automated backup scheduling, automatic discovery of new users and mailboxes, and proactive alerting when backup jobs fail are all features that reduce the administrative burden on your IT team or provider.
Cost Considerations and Budgeting
Microsoft 365 backup solutions typically charge per user per month, with pricing ranging from approximately £1.50 to £5.00 per user depending on the features and storage included. For a 50-user organisation, this translates to £75 to £250 per month — a modest investment when compared to the potential cost of data loss. Many providers offer discounts for annual commitments or larger user counts, so it is worth negotiating terms rather than simply accepting list pricing.
When calculating the return on investment, consider not just the direct cost of data loss — staff time, lost productivity, potential regulatory fines — but also the indirect costs: reputational damage, lost client confidence, and the opportunity cost of staff spending days trying to reconstruct lost data rather than doing productive work. For most UK businesses, the cost of a backup solution is a fraction of the cost of a single significant data loss incident.
How Cloudswitched Protects Your Microsoft 365 Data
At Cloudswitched, Microsoft 365 backup is a standard component of our managed IT service. We deploy enterprise-grade backup solutions that protect your Exchange Online, OneDrive, SharePoint, and Teams data with automated backups running multiple times daily. Your data is stored in UK-based data centres, ensuring compliance with UK GDPR data residency requirements. Our team manages the entire backup lifecycle — configuration, monitoring, testing, and recovery — so you never need to think about it until you need to restore something.
When recovery is needed, our helpdesk can restore individual emails, files, or entire mailboxes within minutes. We also conduct regular backup integrity testing to verify that your data can be recovered successfully — because a backup that has never been tested is not a backup at all.
Our Approach to Backup Management
Our backup management methodology is built around three core principles: automation, verification, and rapid recovery. Automation ensures that backups run reliably without human intervention — every mailbox, every OneDrive account, every SharePoint site, and every Teams channel is backed up according to schedule, with new users and resources automatically discovered and included. This eliminates the common pitfall of backup gaps where newly created accounts or sites are overlooked.
Verification goes beyond simply confirming that a backup job completed. Our team conducts periodic restore tests, recovering sample data from random backup points to confirm that the backup data is intact, complete, and recoverable. This testing regime means that when a genuine recovery is needed, we can proceed with confidence rather than discovering problems at the worst possible moment.
Rapid recovery is where the value of a well-managed backup truly becomes apparent. When a user accidentally deletes a critical email, when a departing employee's data needs to be preserved, or when ransomware strikes, our team can initiate recovery immediately. Granular recovery means we can restore exactly what is needed — a single email, a specific folder, an individual file — without the disruption of a full-scale restore operation. For larger incidents, we can restore entire mailboxes or OneDrive accounts to a specific point in time, returning your environment to a known-good state.
Every recovery operation is documented and reported, providing an audit trail that demonstrates your organisation's data resilience capabilities to regulators, auditors, and clients. This documentation is particularly valuable for businesses subject to regulatory oversight, where demonstrating that effective backup and recovery procedures are in place is often a compliance requirement.
Is Your Microsoft 365 Data Protected?
Cloudswitched provides comprehensive Microsoft 365 backup for UK businesses, covering Exchange Online, OneDrive, SharePoint, and Teams. With automated daily backups, UK data storage, and rapid granular recovery, we ensure your business data is protected against every threat — from accidental deletion to ransomware. Get in touch to discuss your backup requirements.