Do I Need Cloud Backup If I Have OneDrive?

It's a reasonable question. If your files are in OneDrive, they're in Microsoft's cloud infrastructure — replicated across multiple datacentres, accessible from anywhere, and generally very reliable. Surely that counts as backup?

It doesn't. And the distinction matters enough that it's worth understanding clearly, because the consequences of confusing the two tend to surface at the worst possible moment.

What OneDrive Actually Does

OneDrive is a sync and storage service. When you save a file to OneDrive, it synchronises that file between your device and Microsoft's cloud storage. If you have OneDrive installed on multiple devices, the file appears on all of them. If your laptop is stolen or fails, your files are still accessible from the cloud or another device.

This is genuinely useful. But it's not backup.

The critical difference is that OneDrive synchronises changes — including deletions and corruptions. If you delete a file, OneDrive deletes it everywhere. If ransomware encrypts a file on your laptop, OneDrive syncs the encrypted version to the cloud and to every other connected device. The sync happens faithfully in both directions.

What OneDrive's Retention Features Cover

Microsoft does include some data recovery features in OneDrive, and it's worth knowing what they are.

The Recycle Bin retains deleted files for 30 days before permanent deletion. For accidental deletions caught quickly, this works well.

Version history keeps previous versions of files, which can help if a file is overwritten or corrupted. The number of versions retained and the period they're kept depends on your Microsoft 365 licence.

Files Restore allows you to roll back your entire OneDrive to a point in time up to 30 days ago. This is specifically useful in ransomware scenarios and is a more capable feature than most people realise.

These are useful safety nets. But they have hard limits — 30 days is the maximum window, and once data is permanently deleted or the window closes, it's gone. There's no calling Microsoft and asking them to retrieve something from six months ago.

Where OneDrive Falls Short as a Backup

The 30-day window is too short for many real-world scenarios. Ransomware is often dormant for weeks before triggering. A file that was quietly corrupted months ago won't be recoverable from OneDrive's version history. A departing employee who deleted files before leaving may not be discovered until well after the window has closed.

OneDrive only covers OneDrive. Files saved locally to the desktop, in application data folders, or in locations not included in OneDrive sync aren't protected at all. Many business applications store data in locations that OneDrive doesn't touch.

Shared drives and SharePoint have separate retention rules. Files in SharePoint Online — which is what backs Teams channels and many shared library scenarios — have different recycle bin behaviour than personal OneDrive. The rules are more complex and the defaults are less generous than people assume.

Admin errors can permanently delete data. A Microsoft 365 admin with the right permissions can permanently delete mailboxes, sites, and files in ways that bypass the standard recycle bin. This happens more than anyone likes to admit, particularly during migrations or when offboarding staff.

What Proper Microsoft 365 Backup Looks Like

A proper Microsoft 365 backup solution sits outside Microsoft's own infrastructure and takes independent copies of your data on a schedule. It covers Exchange Online (email, calendar, contacts), SharePoint Online, OneDrive for Business, and Teams.

Critically, it allows point-in-time recovery beyond Microsoft's 30-day window — typically with 12 months or more of retention — and granular restore, meaning you can recover a single email, a specific file version, or an entire mailbox without needing to restore everything.

This is what separates a backup from a retention feature. You control the retention period. You can restore to any point in time within that period. And your data exists independently of whatever Microsoft's platform state happens to be.

For UK Businesses

UK GDPR requires businesses to protect personal data against accidental loss and to be able to restore it in a timely manner. OneDrive's 30-day window does not reliably satisfy this obligation — particularly for businesses where personal data is stored in email or shared drives that might not be flagged as at-risk until after the window closes.

A properly configured Microsoft 365 backup, with documented retention periods and tested recovery, is the straightforward way to demonstrate compliance.

The Short Answer

Yes, you need cloud backup even if you have OneDrive. OneDrive protects you against device failure and makes your files accessible. It does not protect you against data loss beyond 30 days, ransomware that predates the window, admin errors, or files stored outside OneDrive sync scope.

The two serve different purposes and both are worth having.

If you're an MSP looking to offer Microsoft 365 backup to your clients, or a UK business looking for a properly managed backup service that covers OneDrive and the rest of your Microsoft 365 environment, get in touch with BOBcloud.