Skip to content
Intro
7 min

SaaS Backups for Microsoft 365 and Google Workspace

SaaS apps like Microsoft 365 and Google Workspace need dedicated backup protection. Here's what to know and what to implement.

Last updated: March 20, 2026

A Gulfport insurance agency discovered the hard way that "the cloud is safe" is not the same as "our data is backed up."

Their team worked in Microsoft 365. When a producer left — badly — they deleted their Microsoft account on the way out the door. Microsoft 365's built-in retention held the deleted mailbox for 30 days. By the time the agency noticed, day 31 had passed. Four years of client emails, policy communications, and claim history — gone.

Microsoft couldn't help. Microsoft's support documentation clearly states: "Microsoft 365 retention policies are not backups."

They had cloud storage. They didn't have backups.

The Fundamental Misunderstanding

What Microsoft and Google provide:

  • Data redundancy: Your data exists in multiple physical locations within their data centers. If a hard drive fails, your data survives.
  • Service availability: If their servers go down, they'll bring them back up.
  • Limited retention windows: Deleted items are held for 14-93 days depending on the service.

What Microsoft and Google do NOT provide:

  • Point-in-time recovery beyond retention windows: After 30-93 days, data is permanently deleted.
  • Protection from user actions: Malicious deletion, accidental bulk deletion, compromised accounts — all can permanently delete data.
  • Cross-tenant backup: If your organization is compromised, attackers can delete everything.
  • Compliance-grade retention: Microsoft's retention policies support compliance, but they're not a replacement for dedicated backup with independent retention management.

The key point: Microsoft and Google build redundant infrastructure so their service stays available. They do not back up your data for your business continuity purposes.

What Data Is At Risk

Microsoft 365:

  • Exchange Online (email): Deleted mailboxes retained 30 days
  • SharePoint Online: Deleted sites retained 93 days in recycle bin
  • OneDrive: Deleted files retained 14 days in recycle bin
  • Teams: Messages and files have varying retention depending on settings
  • OneNote, Planner, and other apps: Often overlooked in backup planning

Google Workspace:

  • Gmail: Deleted messages retained 30 days
  • Google Drive: Deleted files retained 30 days (Trash)
  • Shared Drives: Deleted files retained 30 days
  • Google Chat/Spaces: Retention depends on admin settings
  • Google Sites, Forms, etc.: Often overlooked

The Scenarios That Actually Happen

Departing employee deletion: An employee leaves on bad terms. Before they leave, they delete everything they can access — email, Drive files, Shared Drive content. The 30-day retention window is real, but only if you're watching for it. Most businesses don't have monitoring set up for this.

Account compromise: An employee's credentials are stolen in a phishing attack. The attacker logs in, downloads sensitive data, then deletes everything to cover tracks. Microsoft doesn't have a backup to restore from. You have no data and no evidence of what was stolen.

Ransomware in the cloud: Ransomware actors have evolved. They now target cloud storage directly. If your Microsoft 365 or Google Workspace credentials are compromised, attackers can delete your cloud data. Some ransomware variants specifically target backup systems first, then encrypt production data.

Retention policy misconfiguration: An admin sets a SharePoint retention policy to delete files after 1 year for "project files." Six months later, project files that should be kept for 7 years are being purged automatically. By the time anyone notices, the data is gone.

Vendor outage affecting your data: Microsoft's US East data center had a significant outage in December 2023. Businesses relying solely on Microsoft 365 had no access to their email, files, or collaboration tools for hours. A backup service would have allowed access to recent versions of critical files.

What It Costs

Microsoft 365 itself:

  • Business Basic: $6/user/month
  • Business Standard: $12/user/month (includes desktop Office)
  • E3: $23/user/month (better compliance features)
  • E5: $38/user/month (advanced security and compliance)

Microsoft 365 backup services:

| Provider | Price | Notes | |----------|-------|-------| | Veeam Backup for Microsoft 365 | $7-10/user/month | Backs up to your own storage | | Backupify (Datto) | $5-10/user/month | Enterprise features | | AvePoint | $8-15/user/month | Full-featured, enterprise | | Spinbackup | $3-8/user/month | SMB-focused |

Google Workspace backup services:

| Provider | Price | Notes | |----------|-------|-------| | Spinbackup | $3-8/user/month | SMB-focused | | Backupify | $5-10/user/month | Enterprise features | | AvePoint | $8-15/user/month | Full-featured | | Keepit | $5-10/user/month | Dedicated Google backup |

For a typical 10-user business:

  • Basic backup (Spinbackup): $30-80/month
  • Full-featured backup: $50-150/month
  • Enterprise solutions: $100-200/month

What Can Go Wrong

You use Microsoft's built-in export tools instead of a backup service. Microsoft provides data export options. But export is manual — you have to run it, download the data, store it somewhere. It's not a continuous backup solution. If you need to restore a deleted email from 3 months ago, an export you ran last month won't help.

Your backup service doesn't cover all data types. Not all backup tools cover Teams messages, Shared Drives, or collaborative documents comprehensively. Check coverage before assuming you're protected.

Your backup retention is shorter than your business needs. Some services offer 30-day retention by default. For compliance (legal, healthcare, financial), you may need 7 years. Make sure your retention matches your actual requirements.

You back up to the same cloud region as your original data. A regional outage could affect both your production data and your backup. Ask where your backup data is stored.

Your backup service has the same credentials as your SaaS admin. If your backup account is compromised and has admin access to your Microsoft 365 or Google Workspace, an attacker can delete your backups along with your production data.

Vendor Questions (Copy/Paste)

For any SaaS backup vendor:

  1. "Do you back up Teams/Shared Drives in addition to individual mailboxes and drives?"
  2. "How often are backups taken — real-time, hourly, or daily? Can I configure this?"
  3. "What's your retention policy? Can I restore something from 6 months ago?"
  4. "Can I restore individual items (one email, one file) without restoring entire mailboxes or drives?"
  5. "Where is my backup data stored? Can I choose the region?"
  6. "What's the restore process? Can I test a restore without calling support?"
  7. "Do you support compliance requirements like legal hold and eDiscovery?"
  8. "What happens if I stop paying? Is there a grace period for data export?"

Minimum Viable Implementation

  1. Know what you have. Go to admin.microsoft.com (or admin.google.com) and list all the services your team uses. Note which ones contain business-critical data.

  2. Sign up for SaaS backup this week. Spinbackup or Veeam for Microsoft 365 covers the basics for most businesses. $3-10/user/month. This is not optional.

  3. Configure backup for all users and shared spaces. Don't skip shared drives, shared mailboxes, or Teams. These often contain your most important data.

  4. Set retention to at least 90 days. Microsoft's default retention is 30 days. For most businesses, 90 days is safer. If you have compliance requirements, set retention accordingly.

  5. Test a restore this month. Delete one email. Restore it from your backup service. Prove the chain works.

  6. Enable MFA on all admin accounts. Protect your SaaS admin accounts with multi-factor authentication. This protects both your production data and your backup.

When to Hire Help

  • You have more than 25 users
  • You're in healthcare (HIPAA), legal (state bar), or financial services (FINRA/SEC)
  • You've had a data loss incident with Microsoft 365 or Google Workspace
  • You need legal hold capabilities (preserve data for active or anticipated litigation)
  • Your backup service isn't capturing all your data types (Teams, Shared Drives, etc.)
  • You've had a security incident (compromised account, suspicious deletion) and need to audit your environment

The Gulfport insurance agency now pays $90/month for Veeam Backup for Microsoft 365. They do monthly restore tests. They've had one legitimate restore need in two years — a departing producer had archived old client emails that weren't accessible through normal Outlook.

The restore took 20 minutes. The alternative — explaining to clients that four years of email history was gone — would have been business-ending.

$90/month to avoid that conversation is straightforward math.

Need Help Implementing This?

If you'd like guidance tailored to your specific infrastructure, we offer focused consultations. No sales pressure, just practical next steps.

Get in Touch