Microsoft 365 Backup: What to Check
Microsoft 365 retention policies and recycle bins are not backups. Here's what to check and how to close the gap with a dedicated backup solution.
Last updated: March 20, 2026
A Destin insurance agency had all their client communications in Microsoft 365 Exchange. When a producer left — badly — they deleted their email account on the way out the door. Microsoft 365's native retention policy held deleted mailboxes for 30 days. The agency didn't notice until day 31. Four years of client emails, policy correspondence, and claim history — gone.
Microsoft's support team was sympathetic. They couldn't help. The 30-day retention window had passed.
Microsoft 365 is not backed up by default. Microsoft keeps data for a limited period, but this is not a backup solution — it's a grace period.
What Microsoft Actually Provides
Microsoft's built-in protection:
- Deleted items: 14 days in Recycle Bin (Exchange, OneDrive)
- Deleted mailboxes: 30 days (soft delete)
- SharePoint Online: 93 days in recycle bin
- Version history: For Office documents, up to 500 versions (if enabled)
- Litigation Hold: Available in E3/E5 plans (requires admin to enable)
What's covered:
- Accidental deletion within 30 days (if caught)
- Some admin errors (depending on timing)
- Service outages (Microsoft infrastructure issues)
What's NOT covered:
- Permanent deletion after retention period expires
- Malicious deletion by departing employees
- Ransomware that encrypts your Microsoft 365 data
- Account compromise (attacker logs in and deletes everything)
- Retention policy mistakes (admin sets wrong retention, data is purged)
- Internal sabotage (bad actor deletes data intentionally)
- Regulatory requirements (HIPAA, FINRA, state bar) for data older than retention periods
The Specific Gaps That Hurt Gulf Coast Businesses
Scenario 1: Ransomware encrypts your Microsoft 365 tenant. An employee clicks a phishing link. The attacker accesses Microsoft 365 admin center and bulk-deletes mailboxes and SharePoint sites. Microsoft doesn't have a backup to restore from. Your only option is paying ransom or losing the data.
Scenario 2: The producer who took his book of business. A producer at the insurance agency above wasn't just unhappy — he was strategic. He'd been moving clients to a personal email for months before leaving. The email deletion was the last step. If they'd had backup, they'd have caught the pattern earlier. They didn't, so they had no evidence.
Scenario 3: Retention policy misconfiguration. An admin configures a SharePoint retention policy to delete data after 1 year for "project files." Six months later, someone realizes project files that should be kept for 7 years (for liability reasons) are being purged. Too late.
Scenario 4: Your Microsoft subscription lapses. Business closes or you miss a payment. Microsoft gives you 30 days to pay. After 30 days, the tenant is deleted. All your email, SharePoint, Teams data — gone. This has happened to businesses that closed suddenly.
What to Check Right Now
1. Who has Microsoft 365 admin access?
Go to admin.microsoft.com > Users > Active users > Filter to "Admin roles." List everyone with admin access. Remove anyone who's left. Admin access to Microsoft 365 means access to delete everything.
2. Do you know what's in your SharePoint/OneDrive?
Go to admin.microsoft.com > SharePoint > Active sites. List all SharePoint sites. Note which ones contain critical business data. This is where contract templates, client files, and project documents often live.
3. Is Litigation Hold enabled for anyone who needs it?
If you have compliance requirements (legal, healthcare, financial), Litigation Hold should be enabled for relevant users. This extends retention beyond the standard window. But Litigation Hold is not the same as a backup — it's a legal hold feature, not a data protection feature.
4. Do you have Microsoft 365 E3 or E5?
The free/Basic tier has very limited retention options. E3 and E5 include longer retention, Litigation Hold, and more admin controls. If you're on a lower tier, your protection options are more limited.
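Checks 1 and 3 above can also be run from PowerShell rather than clicked through. The script below is an added example, not part of the original article: it is read-only and assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that you sign in with an account allowed to read roles and mailboxes. It goes one step beyond the checklist by listing soft-deleted mailboxes with the days remaining in the 30-day window described earlier.

```powershell
# Added example (not from the original article). Read-only audit; changes nothing.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# Check 1: every principal that holds an admin (directory) role.
# Get-MgDirectoryRole returns activated roles and their direct members;
# PIM-eligible assignments are not included here.
$admins = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $m.AdditionalProperties['@odata.type']
        $row  = [ordered]@{ Role = $role.DisplayName; Type = $type; Principal = $m.Id; Enabled = $null }
        if ($type -eq '#microsoft.graph.user') {
            # accountEnabled is only returned when requested explicitly.
            $u = Get-MgUser -UserId $m.Id -Property 'userPrincipalName', 'accountEnabled'
            $row.Principal = $u.UserPrincipalName
            $row.Enabled   = $u.AccountEnabled
        }
        [pscustomobject]$row
    }
}
$admins | Sort-Object Role, Principal | Format-Table -AutoSize

# Sign-in blocked but still holding a role: typically a leaver nobody cleaned up.
$admins | Where-Object { $_.Enabled -eq $false } | Format-Table -AutoSize

# Check 3: Litigation Hold status for each user mailbox.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object UserPrincipalName, LitigationHoldEnabled, LitigationHoldDuration |
    Sort-Object LitigationHoldEnabled, UserPrincipalName | Format-Table -AutoSize

# Soft-deleted mailboxes and days left in the 30-day window the article cites.
$window = 30
Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited | ForEach-Object {
    $elapsed = [math]::Floor(((Get-Date) - $_.WhenSoftDeleted).TotalDays)
    [pscustomobject]@{
        Mailbox     = $_.PrimarySmtpAddress
        SoftDeleted = $_.WhenSoftDeleted
        DaysLeft    = $window - $elapsed
    }
} | Sort-Object DaysLeft | Format-Table -AutoSize
```

Run it on a schedule and review the output each time: any row in the soft-deleted list is a mailbox that will be unrecoverable from Microsoft once `DaysLeft` reaches zero.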
What It Costs
Microsoft 365 itself:
- Business Basic: $6/user/month (web-only, no desktop Office)
- Business Standard: $12/user/month (includes desktop Office apps)
- E3: $23/user/month (includes more compliance features)
- E5: $38/user/month (includes advanced security and compliance)
Dedicated Microsoft 365 backup services:
| Provider | Price | Notes |
|----------|-------|-------|
| Veeam Backup for Microsoft 365 | $7-10/user/month | Backs up to your own storage |
| AvePoint | $8-15/user/month | Full-featured, enterprise tier |
| Backupify (Datto) | $5-10/user/month | Enterprise features |
| Spinbackup | $3-8/user/month | Simple, SMB-focused |
| Keepit | $5-10/user/month | Dedicated Microsoft 365 backup |
For a typical Gulf Coast business (10 users):
- Basic SaaS backup: $30-80/month
- Full-featured SaaS backup: $50-150/month
- Enterprise solutions: $100-200/month
What Can Go Wrong
You're using Microsoft Purview (Compliance) for backup. Purview is Microsoft's compliance and governance tool. It can archive and retain data. But it's not designed as a backup solution — it's designed for eDiscovery and compliance. If you need to restore accidentally deleted data, Purview is not the tool for that.
Your backup service misses Teams data. Teams chats, channels, and files are stored across multiple Microsoft 365 services. Not all backup tools capture Teams comprehensively. Check whether your backup service covers Teams before assuming you're protected.
You back up to the same Microsoft region as your tenant. If there's a regional Microsoft outage, your backup in the same region might be affected. Ask where your backup data is stored.
Your backup service has the same credentials as your Microsoft 365 admin. If your backup service account is compromised, the attacker can delete your backups. Use separate credentials. Enable MFA on all admin accounts.
Vendor Questions (Copy/Paste)
- "Do you back up Teams chats, channels, and files?"
- "Do you back up SharePoint Online, including Shared Documents libraries?"
- "How often are backups taken — real-time, hourly, or daily?"
- "What's your retention policy? Can I restore something from 6 months ago?"
- "Can I restore individual emails, files, or mailboxes, or only full restores?"
- "Where is my backup data stored? Is it in the same region as my Microsoft 365 tenant?"
- "Can I verify my backups are working without calling support?"
Minimum Viable Implementation
- Export your critical Microsoft 365 data this week. Use Microsoft's built-in export tools to download your most important SharePoint files and mailboxes. This isn't a backup — it's a one-time export — but it proves what you have and gives you a baseline.
- Sign up for Veeam Backup for Microsoft 365 or Backupify. For most Gulf Coast SMBs, Veeam at $7/user/month covers the basics. Set it up this week. Point it at all user mailboxes AND SharePoint/OneDrive.
- Configure daily backups minimum. Real-time is better if your data changes frequently. Check the backup schedule settings.
- Test a restore this month. Pick one email, delete it permanently, restore it from your backup service. Prove the chain works end-to-end.
- Audit admin access today. Go to admin.microsoft.com. Remove any former employees from admin roles. Enable MFA for anyone with admin access. This protects both your Microsoft 365 and your backup.
When to Hire Help
- You have more than 25 users
- You're in healthcare (HIPAA) or legal (state bar) and need compliant backup
- You've had a data loss incident with Microsoft 365
- Your backup service isn't capturing Teams data and you need it
- You've had a near-miss (compromised account, suspicious deletion) and need to audit your security posture
- You need legal hold capabilities (preserve data for active litigation)
Most Gulf Coast businesses with Microsoft 365 and fewer than 25 users can implement basic Microsoft 365 backup without professional help. The key is: do it, and test it.
The Destin insurance agency story above? They now have Veeam Backup for Microsoft 365. Monthly restore tests. They also added an offsite archive of their most critical contracts.
Cost: $120/month.
They calculated it was worth $85,000 to have never been in that position in the first place.