Browse all topics
All guidesGlossary
Microsoft 365 essentials

Microsoft 365 backup and recovery

What Microsoft 365 protects natively, what it doesn't, and how to think about backup for Exchange, OneDrive, SharePoint, and Teams.

Microsoft 365 stores your data redundantly across multiple datacentres, but that's not the same thing as backup. Microsoft protects against infrastructure failure; you're still responsible for protecting yourself against your own users, malicious actors, and configuration mistakes. This is the shared responsibility model, and many organisations only learn it the hard way.

What's protected out of the box

  • Mailbox retention — Exchange Online keeps deleted items for 14 days by default (configurable to 30) and supports litigation hold to retain everything.
  • OneDrive and SharePoint — recycle bin keeps deleted files for 93 days. Files have version history. A second-stage recycle bin extends recovery.
  • Teams — chats and channel messages are retained according to Purview retention policies. Files live in SharePoint and follow its rules.
  • Purview retention policies — let you define longer retention across workloads (years, indefinitely) for compliance.

These features cover accidental deletion within their windows. They do not give you point-in-time restore of an entire mailbox, site, or tenant, and the windows are short relative to many incidents.

Microsoft 365 Backup

In 2024 Microsoft launched Microsoft 365 Backup, a first-party service for backing up Exchange, OneDrive, and SharePoint within Microsoft's own infrastructure, with rapid restore at scale. It's billed per protected GB. It's a credible option for many customers, especially those who want backup without leaving the Microsoft estate, and a backup-vendor ecosystem is being built on top of it via the Backup Storage APIs.

Third-party SaaS backup

A mature third-party SaaS backup market still exists — Veeam, Druva, Acronis, AvePoint, Barracuda, Spanning, and many others. The reasons to use one alongside or instead of Microsoft 365 Backup:

  • Longer retention (years instead of months).
  • Off-platform storage as an air-gapped insurance policy.
  • Granular restore of items, sites, mailboxes to a different tenant.
  • Coverage of Teams, Planner, OneNote with first-class fidelity.

A sensible default

For most organisations: turn on appropriate Purview retention policies, evaluate Microsoft 365 Backup for short-to-medium-term recovery, and run at least one off-platform backup for ransomware and tenant-loss scenarios. Then test restores, because the only backup that matters is one you've recovered from.