- What Microsoft 365 Natively Provides for Data Recovery
- The Documented Gaps in Microsoft's Native Capabilities
- Microsoft Backup for M365: The First-Party Solution
- When Third-Party Backup Is Genuinely Required
- Workload-by-Workload Coverage Analysis
- Procuring M365 Backup: Cost and Contract Considerations
What Microsoft 365 Natively Provides for Data Recovery
Microsoft 365 provides a set of data retention and recovery features that are included in standard M365 licences and offer protection against common data loss scenarios. Understanding precisely what these features cover — and do not cover — is the starting point for any backup strategy decision.
Exchange Online Retention
Exchange Online provides a multi-stage deletion recovery mechanism. When items are deleted from a mailbox, they move to the Deleted Items folder. When Deleted Items is purged, items move to the Recoverable Items folder — an internal folder invisible to users — where they are retained for 14 days by default, extendable to 30 days or longer with a Retention Policy or Litigation Hold. Items subject to Litigation Hold or Compliance Policy retention are retained indefinitely until the hold expires, regardless of user action. This provides meaningful protection against accidental deletion within the retention window and some protection against malicious deletion where hold policies are in place.
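One way to check the Exchange Online settings described above across a tenant, as an added example rather than a script from Microsoft or from this page. It assumes the ExchangeOnlineManagement module with an active `Connect-ExchangeOnline` session; the parameters `$RequiredDays` and `$ReportPath` are hypothetical, and only per-mailbox settings are inspected, not organisation-wide retention policies.

```powershell
# Added example: flag mailboxes whose deleted-item recovery window is shorter than required.
# Prerequisite: ExchangeOnlineManagement module installed and Connect-ExchangeOnline already run.
param(
    [int]$RequiredDays = 30,                               # hypothetical: recovery target in days
    [string]$ReportPath = '.\mailbox-retention-gaps.csv'   # hypothetical output path
)

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox

$report = foreach ($mbx in $mailboxes) {
    # RetainDeletedItemsFor can arrive as a TimeSpan or as a string such as "14.00:00:00"
    $retainDays = [TimeSpan]::Parse([string]$mbx.RetainDeletedItemsFor).Days
    $onHold     = [bool]$mbx.LitigationHoldEnabled

    [pscustomobject]@{
        Mailbox            = $mbx.UserPrincipalName
        Type               = $mbx.RecipientTypeDetails
        RetainDeletedDays  = $retainDays
        LitigationHold     = $onHold
        SingleItemRecovery = [bool]$mbx.SingleItemRecoveryEnabled
        # A gap: no Litigation Hold and purged items kept for fewer than $RequiredDays
        Gap                = (-not $onHold) -and ($retainDays -lt $RequiredDays)
    }
}

$gaps = @($report | Where-Object Gap)

# Full report, gaps first, for review or ticketing
$report | Sort-Object Gap -Descending | Export-Csv -Path $ReportPath -NoTypeInformation

# Console summary: how many mailboxes fall short, grouped by their current retention value
$summary = '{0} of {1} mailboxes keep purged items for fewer than {2} days and have no Litigation Hold.'
$summary -f $gaps.Count, @($report).Count, $RequiredDays
$gaps | Group-Object RetainDeletedDays |
    Select-Object @{ n = 'Days'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Mailboxes reported as gaps at the 14-day default can be raised with `Set-Mailbox -RetainDeletedItemsFor`; anything that needs a longer window falls under the hold or backup options discussed in the rest of this page.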
SharePoint Online and OneDrive
SharePoint Online and OneDrive for Business provide version history (up to 500 versions per file, retained within the configured retention window) and a two-stage recycle bin: the first-stage recycle bin retains items for 93 days, and the second-stage recycle bin holds items before permanent deletion. Microsoft 365's SharePoint admin center also provides site collection restore ("Restore your OneDrive") for up to 30 days. Ransomware detection in OneDrive can trigger an automatic recovery workflow that restores files from a pre-infection version.
Microsoft Teams Data
Teams messages are stored in Exchange Online (for chat messages) and SharePoint Online (for channel content and files), meaning Teams data inherits the retention and recovery capabilities of those underlying services. However, Teams-specific metadata — meeting recordings stored in OneDrive for Business, call records, and certain compliance records — has some gaps in the native retention framework that are worth assessing specifically for regulated-industry compliance requirements.
Microsoft's shared responsibility model explicitly states: "Microsoft does not back up customer data for the purposes of disaster recovery or data loss prevention." The native retention features are resilience tools, not backup — an important distinction when assessing your risk posture and regulatory compliance obligations.
The Documented Gaps in Microsoft's Native Capabilities
Despite meaningful native retention capabilities, several documented gaps in Microsoft's standard M365 data protection are relevant to enterprise backup decisions.
No point-in-time restore beyond retention windows: If data needs to be restored to a specific timestamp (e.g., restore SharePoint to a specific state from 45 days ago), Microsoft's standard features provide limited granularity. Version history restores individual files to previous versions but does not restore a complete site or library to a point-in-time state beyond the 30-day restore window.
Accidental or malicious permanent deletion: Items that are permanently deleted from the second-stage recycle bin — or that were never recycle-binned (certain admin operations, PowerShell commands, some third-party application actions) — may not be recoverable through native tools. Microsoft's support teams may be able to recover recently deleted data in some cases, but this is not a contractual commitment and recovery is not guaranteed.
M365 service outage scenarios: Microsoft publishes strong SLAs (99.9% uptime for most M365 services). In the event of a regional or tenant-level service incident, access to data during the outage period and recovery of any data affected by the incident is Microsoft's responsibility under the service terms, not a backup recovery scenario. The relevant risk question is therefore not how to back up against a Microsoft outage, but how to preserve data integrity after tenant misconfigurations, API-driven bulk deletions, or compromised admin account actions.
Ransomware with extended dwell time: Modern ransomware attacks frequently involve extended dwell periods — weeks or months — before the encryption payload is triggered. If ransomware has been active for 90+ days before triggering, the 30-day OneDrive restore window and the 93-day recycle bin retention may both be insufficient to recover pre-infection file states. Air-gapped third-party backup with longer retention is the primary mitigant for this threat vector.
Microsoft Backup for M365: The First-Party Solution
Microsoft Backup for Microsoft 365 (generally available from 2025) is Microsoft's first-party enterprise backup solution for Exchange Online, OneDrive for Business, and SharePoint Online. It provides faster recovery, extended backup retention beyond the standard native limits, and a more granular restore interface than the standard M365 admin center tools.
Key capabilities include: backup of Exchange mailboxes and SharePoint sites with configurable retention, rapid restore of individual items or complete mailboxes and sites, backup data stored within the Microsoft 365 trust boundary (same Microsoft infrastructure, not a separate third-party environment), and integration with Microsoft Purview for compliance-aligned backup governance.
Microsoft Backup is priced on a consumption basis — cost is based on the volume of data backed up and retained, consumed through Microsoft 365 admin center. For organisations that want the simplicity of a Microsoft-native solution and whose backup requirements are met by the Exchange, OneDrive, and SharePoint coverage, Microsoft Backup is worth evaluating as a cost-effective alternative to third-party solutions. The limitation: Teams-specific capabilities and applications outside the standard M365 data store (Dynamics 365 data, Azure SQL connected to M365 apps) are not covered by Microsoft Backup and require separate solutions.
When Third-Party Backup Is Genuinely Required
Third-party Microsoft 365 backup is genuinely required in several scenarios that Microsoft's native tools and Microsoft Backup do not fully address.
Regulatory Compliance with Immutability Requirements
Certain regulatory frameworks (FINRA for financial services, HIPAA BAA provisions in healthcare, specific national data protection regulations) require immutable backup records stored independently of the production system — backup that cannot be modified or deleted even by a compromised administrator account. Microsoft's in-tenant backup solutions do not provide true external immutability. Third-party backup solutions that store backup data in physically separate infrastructure (Azure Blob with WORM storage, or external clouds entirely) can meet these requirements. If your regulatory framework requires immutable, independently auditable backup, third-party solutions remain the appropriate choice.
Ransomware Resilience with Air-Gapped Recovery
For organisations with high ransomware exposure (critical infrastructure, high-value targets, organisations that have experienced previous ransomware incidents), air-gapped backup — backup copies stored entirely outside the Microsoft 365 tenant that cannot be accessed or encrypted through compromised M365 credentials — provides resilience that in-tenant backup cannot match. If a ransomware actor gains global admin access to an M365 tenant, in-tenant backup is theoretically accessible. True air-gapped third-party backup to an entirely separate environment eliminates this risk vector.
Workloads Not Covered by Microsoft Backup
If your M365-adjacent data protection requirements extend to Dynamics 365, Power Platform Dataverse, Azure DevOps, or other Microsoft workloads not covered by Microsoft Backup, a unified third-party backup platform that spans these workloads under a single pane of glass may offer better operational efficiency than multiple point solutions.
Workload-by-Workload Coverage Analysis
| Workload | Native M365 Protection | Microsoft Backup Coverage | Third-Party Required? |
|---|---|---|---|
| Exchange Online | 93-day recoverable items, holds | Yes — extended retention | For immutability / ransomware only |
| SharePoint Online | 93-day recycle bin, 30-day restore | Yes — granular restore | For long-retention / compliance only |
| OneDrive for Business | 30-day restore, version history | Yes — extended retention | For long-retention / compliance only |
| Microsoft Teams | Via Exchange / SharePoint | Partial (via Exchange/SPO) | For regulated Teams meeting records |
| Dynamics 365 | Platform-level backup by Microsoft | No | Yes for point-in-time granular restore |
| Azure DevOps | Limited native | No | Yes for enterprise code backup |
Procuring M365 Backup: Cost and Contract Considerations
When third-party M365 backup is required, the procurement decision involves evaluating cost, coverage, and contract terms — and ensuring the backup solution does not duplicate capabilities already available natively or through Microsoft Backup.
Third-party M365 backup is typically licensed per user per month or per workload per year. Leading solutions (Veeam, Acronis, Barracuda, Druva, HYCU) typically price in the $3–$8 per user per month range for Exchange and OneDrive backup, with SharePoint and Teams coverage adding incremental cost. Annual enterprise contracts at 1,000+ user scale typically achieve 20–30% discounts from vendor list prices, and multi-year commitments (2–3 years) can yield further reductions.
Key contract terms to evaluate: data portability and exit provisions (what happens to your backup data if you leave the provider?); SLA for recovery time and recovery point objectives; geographic data residency (particularly important for EU/UK organisations under GDPR); and liability provisions for data loss events. Backup solution contracts often contain liability caps that are disproportionately low relative to the business value of the data being protected — negotiate liability terms before committing, particularly for regulated-industry deployments.