UK’s trusted IT infrastructure partner since 2003
Servnet

Why you still need to back up Microsoft 365 (the myth that bites businesses)

Rachel Okonkwo · Cloud Practice Lead · 8 min read

'It's in the cloud, so Microsoft backs it up' is one of the most expensive misunderstandings in UK business IT. It feels obviously true - your email, files and Teams chats live in Microsoft's data centres, so surely they are safe? They are safe from Microsoft's hardware failing. They are not safe from you, your staff, or an attacker - and the gap between those two things is exactly where firms lose data they thought was protected. Let us bust the myth properly.

What a Microsoft 365 backup must cover
M365 data protection — control map
  • MAIL (CORE): Exchange mailboxes backed up independently
  • DRIVE (CORE): OneDrive files in separate copies
  • SP (CORE): SharePoint sites and document libraries
  • TEAMS (CORE): Teams chats, channels and files
  • RET (PLUS): Long retention you control, not short bins
  • IMM (PLUS): Immutable copies ransomware cannot alter
  • TEST (OPT): Restores tested, not just assumed

The myth, stated plainly

The belief goes like this: Microsoft 365 is a cloud service run by one of the largest technology companies on earth, with vast, resilient infrastructure - so backup is obviously baked in and not something a customer needs to think about. Half of that is true, which is exactly what makes it dangerous.

Microsoft does keep your service running with extraordinary reliability, and it does protect your data against its own data centres failing. What it does not do is take responsibility for recovering data you lose through your own actions. That distinction has a name, and once you know it the whole picture changes.

The shared responsibility model

Cloud services run on what is called the shared responsibility model, and Microsoft states it openly. In short: Microsoft is responsible for the availability of the platform - keeping the lights on, the service up, the infrastructure resilient. You are responsible for your data within it.

Read that again, because it is the crux. Microsoft keeps the service available; protecting and recovering your actual content is your job. Their job is uptime. Your job is your data. The platform staying up is not the same as your data being recoverable - and assuming otherwise is precisely the error that costs businesses dearly.

What actually goes wrong (and Microsoft will not save you)

Once you accept that data protection is yours, the real risks come sharply into focus. None of these are exotic - they are the everyday ways businesses lose Microsoft 365 data, and in each case Microsoft is working exactly as designed.

  • Accidental deletion: a staff member deletes an important email, file or whole folder - and notices months later, long after any short retention window has passed.
  • Departing staff: an employee leaves, their account is removed to save a licence, and their mailbox and OneDrive vanish with it.
  • Ransomware and malware: malicious files sync into SharePoint and OneDrive, encrypting or corrupting your data across the service.
  • Malicious insiders: someone with access deliberately deletes or sabotages data on the way out.
  • Retention gaps: Microsoft's built-in recycle bins and retention are short-term safety nets, not a long-term backup, and they can be misconfigured or expire.

Who is responsible for this 365 data? What kind of problem are you protecting against?
  • Microsoft hardware fails: Microsoft - platform uptime
  • You delete / ransomware: You - needs own backup
  • Staff leaves: You - back up before removal

Built-in retention is not a backup

Microsoft 365 does include recycle bins, retention policies and litigation hold, and people point to these as proof a backup exists. They are useful, but they are not a backup in any meaningful sense - and leaning on them is how the myth survives.

The problems are concrete: retention windows are limited and expire; recycle bins can be emptied, by a user or an attacker; the controls are complex and easily misconfigured; and none of it gives you the quick, reliable, point-in-time restore of a real backup. It is the same lesson as 'RAID is not a backup' - resilience and retention are not the same as the ability to recover. A proper backup is independent, immutable where possible, and squarely under your control.

What to actually do

The fix is a dedicated third-party backup for Microsoft 365 - a separate service that takes its own regular, independent copies of your email, OneDrive, SharePoint and Teams, retains them as long as you choose, and lets you restore quickly when something goes wrong. It is inexpensive, runs in the background, and turns a potential catastrophe into a minor inconvenience.

This is simply the cloud version of how to back up business data, applying the 3-2-1 backup rule to your cloud just as you would to a server - ideally with immutable copies ransomware cannot touch. For the buyer-level detail, our best backup software guide and immutable backup architectures go deeper, and our backup and disaster recovery service can set it up so you never have to test the myth the hard way. If you are not sure what your plan even covers, our Microsoft 365 plans explainer and SharePoint guide will help.
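
One way to check your own backup inventory against the control map and the departing-staff risk described above. This is an added example, not code from this article or from any backup product; the field names, thresholds and sample records are constructed assumptions.

```python
from datetime import date
# Workloads the article's control map marks as CORE.
CORE_WORKLOADS = ("exchange", "onedrive", "sharepoint", "teams")
# Constructed sample inventory; field names are hypothetical, not a vendor schema.
JOBS = [
    {"workload": "exchange", "outside_tenant": True, "retention_days": 2555,
     "immutable": True, "last_restore_test": date(2024, 5, 2)},
    {"workload": "onedrive", "outside_tenant": True, "retention_days": 365,
     "immutable": False, "last_restore_test": None},
    {"workload": "sharepoint", "outside_tenant": False, "retention_days": 93,
     "immutable": False, "last_restore_test": date(2023, 1, 10)},
]
# Constructed offboarding queue: accounts due for removal and their last backup.
LEAVERS = [
    {"user": "a.leaver@example.test", "remove_on": date(2024, 6, 30),
     "last_backup": date(2024, 6, 29)},
    {"user": "b.leaver@example.test", "remove_on": date(2024, 6, 30),
     "last_backup": None},
]

def audit_jobs(jobs, today, min_retention_days=365, max_test_age_days=180):
    """Return (tier, workload, gap) tuples; thresholds are assumed policy values."""
    findings, by_workload = [], {j["workload"]: j for j in jobs}
    for w in CORE_WORKLOADS:
        job = by_workload.get(w)
        if job is None:
            findings.append(("CORE", w, "no backup job"))
            continue
        if not job["outside_tenant"]:
            findings.append(("CORE", w, "copy lives inside the tenant"))
        if job["retention_days"] < min_retention_days:
            findings.append(("PLUS", w, "retention below policy"))
        if not job["immutable"]:
            findings.append(("PLUS", w, "copy can be altered"))
        tested = job["last_restore_test"]
        if tested is None or (today - tested).days > max_test_age_days:
            findings.append(("OPT", w, "no recent restore test"))
    return findings

def leavers_blocked(leavers, max_backup_age_days=1):
    """Accounts that must not be removed yet: no backup, or one that is too old."""
    return [p["user"] for p in leavers
            if p["last_backup"] is None
            or (p["remove_on"] - p["last_backup"]).days > max_backup_age_days]

if __name__ == "__main__":
    for finding in audit_jobs(JOBS, today=date(2024, 6, 1)):
        print(*finding, sep=" | ")
    print("hold removal:", leavers_blocked(LEAVERS))
```

Run it as part of the offboarding checklist so a licence is only reclaimed once the leaver's mailbox and OneDrive have a fresh independent copy.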

Key takeaways
  • 'Microsoft backs it up' is a myth: Microsoft protects the platform's availability, but your data is your responsibility.
  • This is the shared responsibility model - Microsoft's job is uptime, your job is recovering your own content.
  • Accidental deletion, departing staff, ransomware and retention gaps are the everyday ways businesses lose 365 data.
  • Built-in recycle bins and retention are short-term safety nets, not a real, point-in-time backup you control.
  • Use a dedicated third-party Microsoft 365 backup - it is cheap, runs in the background, and turns disaster into inconvenience.
FAQs — Why you still need to back up Microsoft 365 (the myth that bites businesses)

Busting the myth

Doesn't Microsoft already back up my data?

Microsoft protects the platform's availability and guards against its own hardware failing - but under the shared responsibility model, recovering your data from accidental deletion, ransomware or a departed employee is your job, not theirs. The service staying up is not the same as your data being recoverable. That gap is exactly why a separate backup is needed.

Aren't the recycle bin and retention enough?

No. Those are short-term safety nets, not a backup. Retention windows expire, recycle bins can be emptied by a user or an attacker, and the settings are easily misconfigured. None of it offers the long-term retention and quick, reliable point-in-time restore a real backup provides. Useful as a first line, inadequate as your only protection.

Doing it properly

What does a Microsoft 365 backup actually cover?

A proper third-party backup covers Exchange email, OneDrive files, SharePoint sites and Teams content - taking independent, regular copies you retain for as long as you choose and can restore quickly. It sits outside Microsoft 365, under your control, so it protects you even when the problem is inside your own tenant. That independence is the whole point.

Is backing up Microsoft 365 expensive?

It is one of the cheaper pieces of business IT relative to the risk it removes - typically a small per-user monthly cost. Set against the alternative of permanently losing years of email, documents and Teams history, or being unable to recover from ransomware, it is inexpensive insurance that runs quietly in the background once configured.
