Axia Computer Systems Ltd

Cyber Security

Yes, you still need a third-party backup for Microsoft 365 — here is why

Microsoft 365 is highly available and highly resilient — but it is not backed up the way you think it is. Here is what Microsoft actually protects, what they do not, and the gap that catches SMEs out.

Cyber SecurityBy Axia Computer Systems Ltd
Microsoft 365Backup
Yes, you still need a third-party backup for Microsoft 365 — here is why

A surprisingly common assumption: "Microsoft is a huge cloud company, of course my email and OneDrive are backed up". A more accurate version: Microsoft makes the platform highly available so that your data is unlikely to be lost due to their infrastructure failing. What they do not do is protect you from the most common cause of data loss, which is you (or one of your users) deleting something and not noticing for six months.

What Microsoft 365 actually retains

  • Deleted items in Outlook: 14 days by default, recoverable from Deleted Items, then up to 14 more days in Recoverable Items. Total: 30 days.
  • Deleted OneDrive and SharePoint files: 93 days in the recycle bin (first-stage 30 days, then second-stage to 93).
  • Deleted user accounts: 30 days before the mailbox and OneDrive are unrecoverable.
  • Teams chat and channel messages: governed by retention policies — by default kept indefinitely, but a single misconfigured policy can purge them.
  • No version-by-version backup history beyond what Microsoft’s own retention provides.

The scenarios that catch SMEs out

A leaver’s account is closed and 31 days later finance realises they were the only person with three years of client contracts in their OneDrive. A ransomware attack encrypts SharePoint files via OneDrive sync, and by the time it is detected, version history has been cycled. An admin runs a "tidy up" PowerShell script and deletes a SharePoint site that had inherited data nobody had checked. A retention policy is changed and removes three years of Teams chat history overnight. In every one of these cases, Microsoft has done exactly what they promised — and your data is still gone.

What a proper Microsoft 365 backup gives you

  • Independent copy of Exchange, OneDrive, SharePoint and Teams data, stored outside the Microsoft 365 tenant.
  • Long-term retention well beyond Microsoft’s native windows — typically 7 years.
  • Point-in-time restore: rewind a single mailbox, file or site to a specific moment.
  • Granular restore — recover one email, one file or one Teams channel without restoring the whole tenant.
  • Protection from administrative mistakes, malicious insiders, ransomware and misconfigured retention policies.

Microsoft’s own shared responsibility model is explicit: protecting your data is your responsibility, not theirs. We deploy and manage third-party Microsoft 365 backup for SMEs across the UK — typically using Veeam or comparable platforms — billed per user, per month, with restores included. If you have not validated what happens when one of your users deletes something important and asks for it back six months later, talk to us.

More from Cyber Security

Microsoft Defender for Business: enterprise-grade endpoint security for SMEs
18 February 2025

Microsoft Defender for Business: enterprise-grade endpoint security for SMEs

Read
Cyber Essentials in plain English: a walkthrough for UK SMEs
22 January 2025

Cyber Essentials in plain English: a walkthrough for UK SMEs

Read

Ready to talk?

Discuss your IT requirements with our team. Call 01923 333111 or send us a message.

01923 333111Get in touch

Authorised trading partners