Why Microsoft 365 Doesn't Back Up Your Data and What to Do About It

Jeremy Phillips · February 4, 2026 · 6 min read · intermediate

Microsoft 365 does not provide comprehensive backup of your business data. This surprises many small business owners who assume that because their email and files are "in the cloud," they are automatically protected. They are not, at least not in the way most people think.

Microsoft operates under what it calls a shared responsibility model. Microsoft is responsible for keeping the service running: the data centers, the hardware, the network infrastructure, and the geographic replication that protects against platform-level failures. But you are responsible for protecting your data from accidental deletion, malicious insiders, ransomware, retention policy gaps, and regulatory compliance requirements. Microsoft will keep the lights on. Protecting the data inside is on you.

Many small businesses discover this distinction the hard way, usually when they try to recover something and find out it is already gone.

What Microsoft Does and Does Not Protect

Understanding the line between Microsoft's responsibility and yours is critical.

Microsoft's responsibility covers infrastructure uptime and hardware redundancy. If a hard drive fails in a Microsoft data center, your data is fine because it is replicated across multiple servers and geographic locations. If an entire data center goes offline, the service fails over to another location. Microsoft is very good at this. Their infrastructure uptime is excellent.

Your responsibility covers everything that happens to the data itself. If a user accidentally deletes a critical file, that is on you. If a departing employee maliciously clears out their mailbox, that is on you. If ransomware encrypts your OneDrive files, that is on you. If you need to produce emails from two years ago for a legal matter and they have been purged because no retention policy was in place, that is on you.

Here is the key distinction: Microsoft's replication is not backup. Replication protects against hardware failure on Microsoft's side. But it also replicates deletions. If a user deletes a file, that deletion replicates across all copies. Replication keeps your data available; it does not keep your data recoverable.

The Retention Gaps That Catch Businesses Off Guard

Microsoft does provide some built-in recovery windows, but they are shorter than most people realize and they vary by service.

Deleted mailbox items (Exchange Online). When someone deletes an email, it goes to the Deleted Items folder. If they empty Deleted Items, the email moves to a hidden Recoverable Items folder where it stays for 14 days by default (configurable up to 30 days). After that, it is permanently gone.

Deleted OneDrive files. Deleted files go to the OneDrive recycle bin, where they are recoverable for 93 days. After 93 days, the file is permanently deleted with no way to recover it through Microsoft.

Deleted SharePoint files. Similar to OneDrive, deleted SharePoint files go to a site recycle bin and are recoverable for 93 days. If a file is removed from the site recycle bin before then, a site collection administrator can still recover it from the second-stage recycle bin, but only within the same 93-day window.

Deleted user accounts. When an employee leaves and their Microsoft 365 account is removed, their OneDrive data is deleted 30 days after the account is removed, unless another user was specifically granted access to the data beforehand.

Teams messages and channel data. Retention depends on whether explicit retention policies have been configured. Without them, data can be lost when teams or channels are deleted. Many businesses have no Teams retention policies in place.

These retention windows are short enough that problems often go unnoticed until it is too late. If a disgruntled employee deletes files and nobody notices for four months, that data is gone without a third-party backup. If someone needs an email from 18 months ago for a compliance audit, it may no longer exist in Microsoft's systems.

Scenarios Where Microsoft's Built-In Recovery Falls Short

Ransomware encrypts OneDrive files. OneDrive does keep version history, which can help recover from ransomware by rolling files back to a pre-encryption version. However, if the attack persists long enough to age out previous versions (OneDrive keeps versions for 30 days by default, or 500 versions, whichever comes first), recovery becomes partial or impossible. A third-party backup that stores data independently from the Microsoft tenant is unaffected by ransomware that compromises your Microsoft 365 environment.

A departing employee deletes their mailbox contents and OneDrive files. You have 30 to 93 days to notice, depending on the service. If the deletion happens gradually over their final weeks and nobody is watching, critical data can be permanently lost. With a third-party backup, you can restore that employee's mailbox and files to their exact state from any point in time covered by your backup retention.

An admin account is compromised. An attacker with global admin access can delete data, disable retention policies, remove backup configurations, and cover their tracks. Because a third-party backup like Dropsuite stores data independently from your Microsoft 365 tenant, a tenant-level compromise does not affect your backup data.

A compliance investigation requires historical email. If a legal matter requires email records from two years ago and no retention policy was configured to keep data that long, the email is gone. A third-party backup with long-term retention solves this problem by keeping data for as long as your retention policy specifies, independent of anything Microsoft does or does not retain.

What a Third-Party Backup Solution Provides

A dedicated Microsoft 365 backup solution fills the gaps that Microsoft leaves open.

Automated daily backups of Exchange mailboxes, OneDrive accounts, SharePoint sites, and Teams data. Once configured, backups run automatically without anyone needing to remember or trigger them.

Long-term retention independent of Microsoft's retention policies. Keep backup data for months or years, depending on your business and compliance requirements. Your backup retention is completely separate from Microsoft's built-in retention windows, so data remains recoverable long after Microsoft would have purged it.

Point-in-time recovery. Restore a mailbox, file, or SharePoint site to its exact state from a specific date. If you need to see what a file looked like last Tuesday, or recover an email that was deleted three months ago, you can do that with a few clicks.

Granular recovery. Restore a single email, a single file, or a single folder without having to restore an entire mailbox or site. This is important for everyday recovery requests where someone just needs one deleted file, not a full restore.

Independent storage. Backups are stored separately from Microsoft 365, so a compromise of your Microsoft tenant does not compromise your backups. This is critical for ransomware protection and for scenarios where an attacker gains administrative access to your Microsoft 365 environment.

How Athencia Handles Microsoft 365 Backup

Athencia includes Dropsuite as the Microsoft 365 backup solution in its managed IT stack. Dropsuite automatically backs up Exchange email, OneDrive, and SharePoint data for every protected user. Backups run daily, and backup health is monitored through the Athencia One portal so issues are caught and resolved before they become problems.

If you need to recover data, whether it is a single email or an entire mailbox, the Athencia team can perform the restore through the Dropsuite dashboard. For a single email recovery, sign in to the Dropsuite admin console, navigate to the user's mailbox backup, search for the specific email by date, subject, or sender, and click Restore. For larger restores, such as an entire OneDrive or a SharePoint site, the process works the same way but covers a broader scope.

This is different from relying on Microsoft's native retention. Microsoft's retention is a limited safety net with expiration dates. Dropsuite provides independent, point-in-time recovery that works regardless of what has happened inside your Microsoft 365 tenant.

How to Get Started

If you are not currently backing up your Microsoft 365 data, here is how to close that gap.

  1. Audit your current retention policies. Sign in to the Microsoft 365 admin center at admin.microsoft.com. Navigate to Compliance (or Purview), then Data lifecycle management, then Retention policies. Review what policies are in place. If there are none, your data is only protected by Microsoft's default retention windows described above.

  2. Identify your most critical data. Think about what data would cause the most damage if lost: client email correspondence, financial documents, project files, shared team resources. This helps prioritize what to protect first.

  3. Set up a third-party backup. If Athencia manages your IT, Dropsuite is already included and configured. If you are managing IT yourself, choose a backup solution that covers Exchange, OneDrive, SharePoint, and Teams.

  4. Configure backup coverage for all users. Make sure every active mailbox and OneDrive account is included. When new employees join, add them to the backup. When employees leave, preserve their data according to your retention requirements.

  5. Verify the first backup completes successfully. Log in to the backup dashboard and confirm that the initial backup ran without errors. Check the data volume to make sure it looks reasonable for your organization.

  6. Test a restore within the first week. Pick a random email or file and restore it to a temporary location. Open it and verify it is intact. This confirms that the backup is not just running but is actually producing usable, recoverable data.

  7. Schedule monthly verification. Set a recurring calendar reminder to check backup status, test a restore, and review coverage. A backup system that nobody monitors will eventually fail silently.
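
The audit in step 1 can also be run from PowerShell. The script below is an added example, not Athencia's or Microsoft's own tooling; it is read-only and reports the native windows described earlier: deleted item retention per mailbox, how long a removed user's OneDrive is kept, and which workloads have an enabled retention policy. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, and the admin account and SharePoint admin URL are placeholders.

```powershell
# Added example: read-only audit of Microsoft 365 native retention settings.
# $AdminUpn and $SpoAdminUrl are placeholders; substitute your own tenant values.
$AdminUpn    = 'admin@<tenant>.onmicrosoft.com'
$SpoAdminUrl = 'https://<tenant>-admin.sharepoint.com'

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
Connect-IPPSSession    -UserPrincipalName $AdminUpn   # Purview / compliance cmdlets
Connect-SPOService     -Url $SpoAdminUrl

# 1. Exchange Online: deleted item retention per mailbox (14 days default, 30 max).
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$shortRetention = $mailboxes | ForEach-Object {
    # The value may arrive as a string such as "14.00:00:00", so parse it explicitly.
    $days = [TimeSpan]::Parse([string]$_.RetainDeletedItemsFor).Days
    if ($days -lt 30) {
        [pscustomobject]@{
            Mailbox         = $_.UserPrincipalName
            DeletedItemDays = $days
            LitigationHold  = $_.LitigationHoldEnabled
        }
    }
}

# 2. OneDrive: days a removed user's OneDrive is kept before deletion (30 default).
$orphanDays = (Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod

# 3. Purview retention policies: count enabled policies per workload.
#    -DistributionDetail is needed for the location properties to be populated.
$policies  = Get-RetentionCompliancePolicy -DistributionDetail
$workloads = 'ExchangeLocation', 'SharePointLocation', 'OneDriveLocation',
             'TeamsChannelLocation', 'TeamsChatLocation'
$coverage = foreach ($w in $workloads) {
    $hits = @($policies | Where-Object { $_.Enabled -and $_.$w })
    [pscustomobject]@{
        Workload        = $w -replace 'Location$'
        EnabledPolicies = $hits.Count
        PolicyNames     = $hits.Name -join ', '
    }
}

# Report
"Mailboxes below 30-day deleted item retention: $(@($shortRetention).Count) of $(@($mailboxes).Count)"
$shortRetention | Format-Table -AutoSize
"OneDrive retention after user removal: $orphanDays days"
$coverage | Format-Table -AutoSize
$coverage | Where-Object EnabledPolicies -eq 0 |
    ForEach-Object { Write-Warning "No enabled retention policy covers $($_.Workload)" }

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-SPOService
```

A warning for a workload means only Microsoft's default windows apply there. Save the output with each monthly verification so changes to retention settings between checks stand out.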

Need Help?

If you are unsure whether your Microsoft 365 data is properly backed up, or if you want to close the gap, reach out to Athencia. We can audit your current setup and get backup protection in place quickly.
