Microsoft 365 is not a backup solution. Your email and files in OneDrive are protected against hardware failure — but not against accidental deletion, ransomware, or data corruption. Here's what you actually need.
The misconception about Microsoft 365 and data protection
Microsoft 365 stores your data redundantly across multiple data centers. If a hard drive fails at Microsoft, your data is safe. That's what Microsoft is responsible for — infrastructure reliability.
Microsoft is not responsible for protecting your data from yourself, your employees, ransomware, or a disgruntled former staff member. The shared responsibility model is explicit: Microsoft protects the platform; you protect your data.
This distinction matters because most small businesses assume that because their email and files are "in the cloud," they're backed up. They're not — not in any meaningful sense for the scenarios that actually cause data loss.
What Microsoft 365 actually retains (and for how long)
Microsoft 365 has some built-in retention that provides a limited safety net. Deleted emails go to the Deleted Items folder, then to the Recoverable Items folder, where they're retained for 14 days by default (up to 30 days with a specific configuration). Deleted OneDrive files go to the recycle bin for 93 days.
These retention periods sound reasonable until you consider: a ransomware attack that encrypts your OneDrive files silently over several weeks (all versions within the retention window may be encrypted); an employee who deleted files 100 days ago that you just realized you need; a terminated employee whose account you deleted (Microsoft retains the data for 30 days, then it's gone); or a misconfigured retention policy that deleted the wrong mailbox data.
Microsoft 365 Backup (Microsoft's newer paid backup service) and Microsoft 365 Archive extend retention — but they're additional costs and not a complete backup solution in the traditional sense.
What scenarios a real backup protects against
Accidental deletion. A user deletes a folder they shouldn't have. You need to restore it 120 days later. Without a backup, it's gone.
Ransomware. Ransomware that targets OneDrive and SharePoint can encrypt cloud-synced files. Microsoft's versioning may help recover, but a backup with immutable retention is a more reliable recovery path.
Malicious insider activity. A departing employee deletes their files before leaving. A backup captures a point-in-time copy before the deletion.
Account deletion mistakes. You delete a user account not realizing there were important files in their OneDrive. Microsoft gives you 30 days; after that, the data is unrecoverable without a backup.
Corruption or sync errors. OneDrive sync issues can propagate corrupted or overwritten files across devices before anyone notices.
What a Microsoft 365 backup solution looks like
A third-party Microsoft 365 backup solution — tools like Veeam Backup for Microsoft 365, Acronis, or Backupify — creates independent copies of your Exchange mailboxes, SharePoint sites, OneDrive data, and Teams data on a defined schedule. Those copies are stored separately from Microsoft's infrastructure and retained according to a policy you control.
Recovery is granular: you can restore a single email, a specific version of a file, a deleted SharePoint site, or an entire mailbox — to any point within your retention window.
For most small businesses, a Microsoft 365 backup solution costs $3–8 per user per month. For a 10-person business, that's $30–80/month for a genuine backup of all your business communications and files. That's cheap insurance against the scenarios above.
Intragreat recommends and implements Microsoft 365 backup solutions as part of our managed IT services. We also assess backup coverage in our free security review — checking whether your current setup actually protects against the scenarios that cause real data loss.