Does Microsoft 365 Back Up Your Data? What MSPs Need to Know
It's one of the most common misconceptions in managed services. A client signs up for Microsoft 365, gets their email in Outlook, their files in OneDrive, their team chatting in Teams — and assumes that because it's all in the cloud, it's all being backed up. Microsoft are a huge company, they think. Surely they've got it covered.
They haven't. Not in the way your clients mean, anyway.
This is one of those conversations that MSPs need to be having proactively — because by the time a client finds out their data wasn't backed up, it's usually too late.
What Microsoft Actually Provides
Microsoft 365 is an extremely reliable platform. The infrastructure behind Exchange Online, SharePoint, and OneDrive has redundancy built in at a level most businesses could never achieve on their own. But reliability and backup are two different things, and it's worth being precise about the distinction.
What Microsoft provides is platform availability — multiple copies of your data spread across datacentres so that if one goes down, the service keeps running. This protects against hardware failure and outages on Microsoft's side.
What Microsoft does not provide is protection against data loss caused by user or admin action. If someone deletes a file, empties a mailbox, gets phished and has their account wiped, or if a disgruntled employee deliberately removes data — Microsoft's infrastructure redundancy won't save you. The deletion is replicated across all those datacentres just as faithfully as the original data was.
What the Retention Policies Actually Do
Microsoft 365 does include some data retention features, and it's worth understanding what they cover — and what they don't.
Deleted Items folder retains emails for 30 days by default before permanent deletion. Recoverable Items gives a further window (up to 14 days by default, extendable to 30 with certain licences) before data is permanently gone. OneDrive has version history and a recycle bin, but again, these are time-limited and don't constitute a proper backup.
SharePoint Online has similar recycle bin functionality, and Teams chat history is stored in Exchange Online behind the scenes. But none of these are designed as backup and recovery systems — they're operational features with fixed windows.
The critical gap: once those windows close, or once an admin permanently deletes something (intentionally or not), the data is gone. There's no calling Microsoft support and getting it back.
Microsoft's Own Documentation Is Clear
Microsoft are not trying to hide this. Their documentation states explicitly that third-party backup tools are recommended for situations where data retention beyond the standard windows is required, or where point-in-time recovery is needed.
The Microsoft Shared Responsibility Model makes clear that while Microsoft is responsible for the infrastructure, the customer is responsible for their data. This is the same model used by AWS, Google Cloud, and virtually every other major cloud provider. The cloud doesn't mean your data is safe — it means someone else is running the servers.
The Scenarios That Catch Clients Out
In practice, data loss in Microsoft 365 tends to happen in a handful of predictable ways:
Accidental deletion is the most common. An employee deletes an email thread they didn't realise was important. A folder gets removed from SharePoint. A Teams channel gets archived and someone assumes the data is preserved forever. None of these are dramatic events — they happen quietly, and the problem often isn't discovered until weeks later, by which point the retention window has closed.
Ransomware and account compromise are increasingly common. If an attacker gains access to a Microsoft 365 account, they can delete mailboxes, wipe OneDrive, and remove SharePoint content. Synchronisation then pushes those deletions to any locally synced devices. A backup that predates the attack is the only reliable recovery path.
Admin errors happen more than anyone likes to admit. A misconfigured retention policy, an accidental bulk delete, a migration that goes wrong — at enterprise scale these are rare, but for SMBs with non-specialist IT support they're a real risk.
Staff departures create a subtler problem. When an employee leaves and their account is deprovisioned, their OneDrive data is typically retained for 30 days. After that, it's gone unless someone specifically intervened.
What MSPs Should Be Doing
The answer is straightforward: Microsoft 365 data should be backed up using a dedicated third-party backup solution, just like any other business-critical data source.
A proper Microsoft 365 backup solution should cover Exchange Online (email, calendar, contacts), SharePoint Online (sites, document libraries), OneDrive for Business (individual user files), and Microsoft Teams (conversations, channels, files). It should allow granular recovery — restoring a single email, a specific file version, or an entire mailbox — and it should retain data for a period that reflects the client's actual business needs, not Microsoft's default windows.
From an MSP perspective, this is also a straightforward recurring revenue add-on. Most clients, once the gap is explained clearly, understand immediately why they need it. The conversation usually takes about five minutes and the objection rate is low — because the logic is obvious once someone spells it out.
Talking to Clients About It
The framing that tends to land best is the shared responsibility model: Microsoft keeps the service running, you keep the data safe. Most clients are familiar with the idea of backing up their on-premises servers — this is the same principle applied to cloud data.
Avoid being alarmist, but be direct. Clients who have been running Microsoft 365 for years without a backup have been lucky, not protected. Many have never experienced a serious data loss event, which can create a false sense of security. The value of the conversation is giving them an accurate picture before something goes wrong, not after.
BOBcloud for Microsoft 365 backup
BOBcloud offers Microsoft 365 backup as part of a fully managed, white-label service, covering Exchange, SharePoint, OneDrive, and Teams, with flexible retention and granular restore options. Get in touch to find out more.