The Truth About Office 365® Data Backup

Data backup refers to the action of copying, moving, and storing files and information to an alternative secure location. It enables users to restore deleted, destroyed, or overwritten files.

You’re probably already aware that your business data is vulnerable. Vulnerable to things like:

And data backup is at the crux of reducing that vulnerability.

But many people have the wrong idea about what gets backed up, and what doesn’t. Especially when using Office 365®.

Here’s the data backup you probably THINK happens when you’re using Office365®

There are many good reasons why you would choose to use Office365®.

For instance:

  • it allows you to securely store all of your organizational data in the cloud and access it anywhere
  • it facilitates collaboration and communication
  • it’s much harder to get phished using Teams than email.

Not quite true 

But what do you think happens when one of your employees accidentally or maliciously deletes something? A One Drive file, an email, MS Excel spreadsheet, or Word document?

What happens when hackers succeed to gain administrative access to your Office 365® account? Have you ever asked yourself: “How is my data protected?”

Your answer might be: “Since Office 365® is running in the cloud, I will definitely recover that data from Microsoft. They’ve got my business covered, right?”

Well, that’s not entirely true.

Risky Behavior and MS Office®

A common misconception about Office 365® data backup

There are a lot of misconceptions surrounding Office 365® data protection. Because Office 365® is a highly available Software-As-A-Service application, many organizations assume that data protection and backup are also included in the package. 

Especially since you probably HAVE been able to restore some recently unsaved files inside an office application.

No one argues that Office 365® is a secure cloud service solution. However, Microsoft® doesn’t provide any clearly defined backup strategy for Office 365®.

In other words, your data is not backed up in the way that your organization would require. And although Microsoft® offers built-in data retention and governance features, there are some cases where these features can fall short.

Barracuda research has shown that at least 40% of companies surveyed aren’t using any third-party backup tools to protect their mission-critical data in Office 365®. This means that at least 40% of companies are putting their valuable data at risk.

Here’s your risk - and what you really get with Office 365® data backup.

If you’re serious about keeping your business data safe and want to avoid any situation where it might get lost forever, you need to have a clear grasp of what you do and don’t get when you subscribe to Office 365® services.

And you need to understand the difference between Microsoft’s responsibilities and yours in terms of data protection.

Let’s take a look at what Microsoft® actually offers as far as backup and recoverability are concerned, and the several responsibilities that they commit to:

Protection of data in the event of hardware failure or natural disaster: Microsoft® provides geo-redundancy and commits to ensuring the physical security of data centers where your Office 365® data is stored. Their globally spread data center infrastructure enables them to host a state-of-the-art redundant network architecture. This means that if one data center is down for whatever reason, the other centers will act as a backup. 

So in general, you don’t need to worry about any data loss due to data center outages. You’ve outsourced this problem to Microsoft®.    

Retention policy for short-term data protection: When a file or email is deleted in Office 365®, it heads to the Recycle Bin. Office 365® offers a retention policy that enables users to restore deleted files. That retention period, however, is limited. 

The retention period is 14 to 30 days for Exchange Online E1 versions, and 90 to 180 days for SharePoint Online and OneDrive for Business. From a compliance regulation perspective, this period is not enough.

Retention policies ensure that your data isn’t removed from the service. But they’re not backups.

Office 365® also offers a “Version History” option that allows users to revert data back to a previous point in time to undo a mistake or see what a document looked like before some changes occurred. But the problem is that Version History only works for files stored in OneDrive or SharePoint. 

Here are the other scenarios where data backup becomes your responsibility

Now let’s take a look at what lies within your responsibility in terms of data protection. Here’s what Microsoft® doesn’t provide as part of your Office 365® subscription:

A regular backup for your content and data: Microsoft® focuses on keeping Office 365® infrastructure up and running.

However, in the event of accidental or intentional data deletion, ransomware or malware incident, or cyberattack, your data is not protected.

And you can’t rely on Microsoft® to retrieve it.

Let’s look at the Microsoft® Services Agreement. This is what you’ve agreed to by using Office 365®:

“We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft® is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored.

We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.” (6. Service Availability b.)

Point-in-time recovery for Exchange Online: Microsoft 365 doesn’t offer a point-in-time restoration of mailbox items. In other words,  if some ransomware infects a user’s Office 365® email, they won’t be able to take backups. If a mailbox is corrupted, the corruption will occur in the retention archive folder too.

Here’s Microsoft’s official position regarding this matter:

“Point in time restoration of mailbox items is out of scope for the Exchange Online service. However, Exchange Online offers great retention and recovery support for your organization’s email infrastructure, and your mailbox data is available when you need it, no matter what happens.”

What you need to do to protect your data

There you have it, Microsoft® clearly states that they do not offer a full backup and recovery service as part of the Office 365® package. What they do recommend, instead, is that you use a third-party backup solution or tool for your Office 365® data.

In fact, working with an Office 365® backup provider is not just the best way to back up and protect all of your Office 365® data, but it will also save you time, money, and headache in the long run. 

Conducting a full data backup once a week, during off-hours, is among the best practices of many organizations. It’s also possible to schedule backups as necessary. This ensures business protection and continuity. 


Using Microsoft Office 365® services is a smart business decision. However, solely relying on Microsoft’s native retention and basic recovery features to protect your mission-critical data can be a risky move.

According to Microsoft® themselves, data protection and availability is a shared responsibility. By using a third-party backup solution, you can assure that you’re also doing your part to protect your business and avoid any potential data loss.

Read more about how Verified Technologies and find out how we can fill in the gaps that Microsoft Office 365® leaves open.

Verified Technologies does NOT provide any cyber security services, cyber monitoring, hacking detection services in our regular managed services agreements unless it’s specifically defined in a separate statement of work. Please contact us with any questions.