There is a dangerous misconception among UK businesses that moving to Microsoft 365 means their data is automatically backed up by Microsoft. This belief is understandable — after all, Microsoft operates some of the most sophisticated and resilient data centres in the world. Surely data stored in Exchange Online, SharePoint, OneDrive, and Teams is safe? The answer is more nuanced than most business owners realise, and the consequences of misunderstanding it can be devastating.
Microsoft provides infrastructure-level resilience — their data centres are designed to survive hardware failures, and data is replicated across multiple facilities. But Microsoft does not protect your data against accidental deletion by users, malicious deletion by disgruntled employees, ransomware that encrypts your cloud data, retention policy gaps that permanently purge data, or legal and compliance requirements for long-term data retention.
This distinction — between Microsoft's responsibility for the platform and your responsibility for the data — is codified in what Microsoft calls the Shared Responsibility Model. Understanding this model, and implementing proper backup accordingly, is essential for every UK business using Microsoft 365.
The Shared Responsibility Model Explained
Microsoft's Shared Responsibility Model clearly delineates what Microsoft is responsible for and what the customer is responsible for. Microsoft manages the underlying infrastructure — the physical data centres, servers, storage, networking, and the application code itself. They ensure the platform is available, performant, and resilient against hardware failures and natural disasters. Your responsibility, as the customer, covers the data itself — its protection, retention, recovery, and compliance with regulatory requirements.
Microsoft's Responsibility
- Physical data centre security and resilience
- Infrastructure availability and uptime (99.9% SLA)
- Hardware failure protection and data replication
- Application security patches and updates
- Network security of the Microsoft 365 platform
- Geographic data residency options
Your Responsibility
- Protecting data from accidental or malicious deletion
- Recovery of individual items, mailboxes, or files
- Long-term data retention for compliance
- Protection against ransomware affecting cloud data
- Data migration and portability if you leave Microsoft 365
- Regulatory compliance (UK GDPR, industry-specific rules)
What Microsoft 365 Does and Does Not Retain
Understanding Microsoft's built-in retention capabilities — and their limitations — is essential for assessing your backup needs.
| M365 Service | Deleted Item Retention | What Happens After | Risk |
|---|---|---|---|
| Exchange Online (email) | 14 days (Deleted Items), then 14 days (Recoverable Items) | Permanently deleted — unrecoverable | Emails deleted more than 28 days ago are gone |
| OneDrive for Business | 93 days in recycle bin | Permanently deleted | Files deleted 3+ months ago are unrecoverable |
| SharePoint Online | 93 days in recycle bin | Permanently deleted | Document libraries and sites permanently lost |
| Microsoft Teams | Chat: 30 days, Files: 93 days (via SharePoint) | Permanently deleted | Channel data and conversations lost permanently |
| Deleted user account | 30 days (soft delete) | Entire mailbox and OneDrive purged | All data for departed employee permanently lost |
These retention windows may sound adequate for everyday accidents, but they create significant gaps. Consider a scenario where an employee slowly deletes important emails over several months: by the time the loss is discovered, the data is long past the retention window. Or consider a departing employee whose account is deleted after they leave: 30 days later, their entire email history and file library are gone. Without a proper backup solution, there is no way to recover this data.
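The retention windows above can be turned into a deadline check, shown here as an added Python example that is not part of the original article. The service keys, function names and sample events are hypothetical; the day counts come from the table, and a deleted account is assumed to cap the deadline for that user's mailbox and OneDrive data, as the last table row describes.

```python
from datetime import date, timedelta

# Retention stages in days, copied from the table above.
WINDOWS = {
    "exchange":    [("Deleted Items", 14), ("Recoverable Items", 14)],
    "onedrive":    [("recycle bin", 93)],
    "sharepoint":  [("recycle bin", 93)],
    "teams_chat":  [("chat retention", 30)],
    "teams_files": [("recycle bin", 93)],
}
ACCOUNT_SOFT_DELETE = 30                  # days until a deleted account is purged
ACCOUNT_BOUND = {"exchange", "onedrive"}  # data purged together with the account

def assess(service, deleted_on, today, account_deleted_on=None):
    """Return (stage, purge_date, days_left) for one deleted item."""
    stage, stage_end = "purged", deleted_on
    for label, days in WINDOWS[service]:
        stage_end += timedelta(days=days)
        if stage == "purged" and today < stage_end:
            stage = label                 # first stage that has not expired yet
    purge = stage_end                     # end of the final stage
    if account_deleted_on and service in ACCOUNT_BOUND:
        # A deleted account caps the deadline for the data that goes with it.
        purge = min(purge, account_deleted_on + timedelta(days=ACCOUNT_SOFT_DELETE))
    days_left = (purge - today).days
    return (stage, purge, days_left) if days_left > 0 else ("purged", purge, 0)

def triage(events, today, warn_days=7):
    """Rank deletion events by days left and flag those close to purge."""
    rows = []
    for ev in events:
        stage, purge, left = assess(ev["service"], ev["deleted_on"], today,
                                    ev.get("account_deleted_on"))
        flag = "LOST" if stage == "purged" else "URGENT" if left <= warn_days else "ok"
        rows.append((left, flag, ev["item"], stage, purge.isoformat()))
    return sorted(rows)

# Constructed sample events for illustration, not real tenant data.
TODAY = date(2024, 6, 30)
EVENTS = [
    {"item": "invoice email", "service": "exchange", "deleted_on": date(2024, 6, 10)},
    {"item": "contract.docx", "service": "onedrive", "deleted_on": date(2024, 6, 20),
     "account_deleted_on": date(2024, 6, 5)},
    {"item": "old email", "service": "exchange", "deleted_on": date(2024, 5, 1)},
    {"item": "site library", "service": "sharepoint", "deleted_on": date(2024, 4, 1)},
]

if __name__ == "__main__":
    for row in triage(EVENTS, TODAY):
        print(*row, sep=" | ")
```

In the sample, the OneDrive file deleted ten days ago has five days left rather than 83, because the owner's account was deleted 25 days ago.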
The Six Threats That Demand Third-Party Backup
There are six primary threats that Microsoft's built-in retention cannot adequately address.
1. Accidental Deletion
The most common cause of data loss in Microsoft 365 is human error. Users accidentally delete emails, files, or entire folders. If the deletion is noticed within the retention window, recovery is straightforward. If not, the data is permanently gone. A third-party backup solution retains data for as long as you define — months, years, or indefinitely — regardless of what happens in the live M365 environment.
2. Malicious Insider Threats
Disgruntled employees or compromised accounts can deliberately delete large volumes of data. A departing employee might delete their entire mailbox and OneDrive contents out of spite or to cover their tracks. By the time the deletion is discovered, the retention window may have passed. A backup provides a complete, independent copy that the insider cannot touch.
3. Ransomware and Malware
Modern ransomware can encrypt files stored in OneDrive and SharePoint via the sync client. Whilst Microsoft does offer version history that can help in some ransomware scenarios, sophisticated attacks target version history as well. A third-party backup stored independently of your Microsoft 365 environment provides a clean recovery point that is immune to ransomware.
4. Retention Policy Gaps
Microsoft 365 retention policies are complex and easy to misconfigure. A single policy error can result in data being purged before it should be. Third-party backup provides a safety net that operates independently of your retention policy configuration.
5. Legal and Compliance Requirements
UK GDPR, FCA regulations, SRA requirements, and various industry-specific rules may require you to retain certain data for specific periods — often years. Microsoft's built-in retention can be configured for compliance holds, but these are complex to manage and do not provide the independent, verifiable backup that regulators and auditors typically expect.
6. Departed User Data
When an employee leaves and their Microsoft 365 licence is removed, their data enters a 30-day grace period before permanent deletion. Many businesses do not have a process to preserve this data within that window. A backup solution automatically captures and retains departed user data without requiring manual intervention.
Under UK GDPR Article 32, organisations must implement appropriate technical measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. The ability to restore personal data in a timely manner in the event of an incident is explicitly mentioned. The Information Commissioner's Office interprets this as requiring effective backup and recovery capabilities — not just reliance on a cloud provider's built-in retention.
What a Third-Party M365 Backup Solution Provides
A dedicated Microsoft 365 backup solution addresses every gap in Microsoft's built-in retention. Key capabilities include:
- Automated backup of Exchange Online, OneDrive, SharePoint, and Teams data, typically running multiple times per day
- Granular recovery, allowing you to restore individual emails, files, folders, or entire mailboxes
- Long-term retention for months or years, configurable to meet your compliance requirements
- Independent storage that is separate from your Microsoft 365 environment, protecting against ransomware and insider threats
- Point-in-time recovery, allowing you to restore data as it existed at a specific date and time
- Departed user data preservation without requiring an active Microsoft 365 licence
Choosing a Microsoft 365 Backup Solution
The market for Microsoft 365 backup solutions is mature, with several well-established options. Key factors to consider when selecting a solution include the range of M365 services covered (email, files, SharePoint, Teams), backup frequency and granularity, storage location and data sovereignty (UK-based storage is important for UK GDPR compliance), ease of use for both backup configuration and recovery, scalability as your user count grows, cost per user per month, and vendor reputation and support quality.
How Cloudswitched Protects Your Microsoft 365 Data
At Cloudswitched, Microsoft 365 backup is a standard component of our managed IT service. We deploy enterprise-grade backup solutions that protect your Exchange Online, OneDrive, SharePoint, and Teams data with automated backups running multiple times daily. Your data is stored in UK-based data centres, ensuring compliance with UK GDPR data residency requirements. Our team manages the entire backup lifecycle — configuration, monitoring, testing, and recovery — so you never need to think about it until you need to restore something.
When recovery is needed, our helpdesk can restore individual emails, files, or entire mailboxes within minutes. We also conduct regular backup integrity testing to verify that your data can be recovered successfully — because a backup that has never been tested is not a backup at all.
Is Your Microsoft 365 Data Protected?
Cloudswitched provides comprehensive Microsoft 365 backup for UK businesses, covering Exchange Online, OneDrive, SharePoint, and Teams. With automated daily backups, UK data storage, and rapid granular recovery, we ensure your business data is protected against every threat — from accidental deletion to ransomware. Get in touch to discuss your backup requirements.
