Table of Contents
Does your organization have a real backup of its Microsoft 365 data — or are you relying on something that was never designed to protect you?
Most organizations are doing the latter without realizing it.
Microsoft 365 is the backbone of how modern businesses communicate, collaborate, and store critical files. Exchange Online handles email. SharePoint and OneDrive hold documents. Teams carries conversations and shared content. If any of that data disappears — due to accidental deletion, a departing employee, ransomware, or a misconfigured retention policy — the window to recover it is shorter than most organizations expect.
This article covers what Microsoft does and does not protect, where the gaps are, and what your options are for closing them.
What Microsoft Actually Covers (and What It Doesn't)
Microsoft is responsible for the infrastructure that runs Microsoft 365 — the data centers, uptime, availability, and physical security. When it comes to your data, Microsoft provides limited short-term recovery tools, but does not take responsibility for comprehensive, long-term recoverability under your control. [1] Nikki Chapple Microsoft 365 Retention, Archive and Backup View source ↗
Microsoft's Own Guidance
Microsoft's Services Agreement states: “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.” [2] Microsoft Microsoft Services Agreement View source ↗
This is known as the Shared Responsibility Model. [3] DrBackup OneDrive, SharePoint & Microsoft 365 Backup Whitepaper View source ↗ Microsoft ensures the platform stays running. You are responsible for protecting what's inside it.
What About Microsoft 365 Backup?
Microsoft recently released its own backup product, Microsoft 365 Backup [4] Microsoft Microsoft 365 Backup Overview View source ↗ , which delivers faster in-tenant recovery for Exchange, SharePoint, and OneDrive data. This is a meaningful improvement over native retention limits alone, and Veeam has integrated with this technology as a platform partner. [5] Techzine Veeam Gets Microsoft 365 Backup Storage Integration for Faster Recovery View source ↗
That said, many organizations still have good reasons to use a third-party backup platform:
- Separation of duties — a backup stored independently of your Microsoft tenant is not affected if the tenant itself is compromised, misconfigured, or ransomware-encrypted within M365
- Longer retention — Microsoft 365 Backup has its own retention limits; third-party platforms can retain data for 7+ years
- Broader coverage — third-party tools typically cover more workloads and offer more restore options
- MSP management — for organizations using a managed service provider, consolidating backup management outside Microsoft's admin center has operational advantages
Native Retention Has Hard Limits
Microsoft 365 includes some built-in data recovery features, but they are short-term safety nets — not a backup strategy.
| Workload | Native Recovery Window |
|---|---|
| SharePoint & OneDrive | 93 days total (both recycle bin stages combined) [6] Microsoft Learn About Retention Policies for SharePoint and OneDrive View source ↗ |
| Exchange Online | 14 days by default, configurable up to 30 days [7] Microsoft Q&A Default Retention Period for Deleted Items in Exchange Online View source ↗ |
| Microsoft Teams (files) | Follows SharePoint/OneDrive rules (93 days) [6] Microsoft Learn About Retention Policies for SharePoint and OneDrive View source ↗ |
| Microsoft Teams (chat/messages) | Stored in Exchange; governed by separate M365 retention policies [8] SysCloud Microsoft Teams Retention Policy View source ↗ — without explicit configuration, practical recovery windows for deleted content can be surprisingly short |
Organizations can configure longer records-management retention via Microsoft 365 retention policies in Microsoft Purview [9] Microsoft Purview Learn About Retention Policies and Retention Labels View source ↗ , but those are not a substitute for an operational backup and restore platform — they are compliance controls, not recovery tools.
Once data exits the recycle bin, it is permanently deleted. Microsoft Support can sometimes attempt a site-level restore beyond the recycle bin window for SharePoint, but this is not guaranteed, is not granular (individual files cannot be targeted — only entire site collections), and has no published SLA.
Litigation Hold and eDiscovery Are Not Backups
They are compliance tools designed for legal holds, not for operational data recovery. [9] Microsoft Purview Learn About Retention Policies and Retention Labels View source ↗ Retrieving a single email from litigation hold requires multiple administrative steps and elevated permissions — it is not a self-service restore tool.
Two Scenarios That Happen More Often Than You'd Expect
Scenario 1: The Departing Employee
A departing employee deletes a project folder from their OneDrive before offboarding. Nobody notices until months later when a colleague needs those files. At that point, the data is gone — the 93-day recycle bin window closed long ago.
Scenario 2: Ransomware Propagation
A ransomware attack encrypts files synced through OneDrive, and those encrypted versions propagate back to SharePoint. The attack is discovered days later. Without an independent backup taken before the encryption occurred, restoring clean data requires working backward through version history — which may not go far enough.
Why This Matters
Every organization relying on Microsoft 365 faces the same exposure. Critical business data — contracts, financials, communications, project files — lives in Exchange, SharePoint, OneDrive, and Teams. When native recovery windows close, that data is unrecoverable without a third-party backup in place.
Cyber insurance carriers increasingly include third-party cloud backup as a question in underwriting questionnaires. While no universal formal requirement exists across all carriers, organizations that cannot demonstrate data recoverability may face higher premiums or gaps in coverage. It is becoming a baseline operational expectation, not a differentiator.
A Note for Legal and Law Firms
Law firms carry an additional layer of obligation that makes Microsoft 365 backup more than an IT best practice — it is an ethical and professional responsibility.
ABA Model Rules of Professional Conduct
- Rule 1.1 (Competence) requires attorneys to understand the risks of the technology they use, including how client data is stored and protected. [10] ABA Formal Opinion 477R – Securing Communication of Protected Client Information View source ↗
- Rule 1.6 (Confidentiality) requires “reasonable efforts” to prevent unauthorized access to or loss of client information.
- Rule 5.3 (Supervision of Vendors) requires firms to ensure that third-party vendors — including IT and cloud providers — comply with those same obligations.
ABA Formal Opinion 477R (2017) [10] ABA Formal Opinion 477R – Securing Communication of Protected Client Information View source ↗ reinforced a risk-based, fact-specific approach to securing electronic communications and client data. Formal Opinion 483 (2018) [11] Ele-ment ABA Formal Opinion No. 483 – Data Breaches and You View source ↗ addressed attorneys' obligations when a data breach or loss event occurs, including potential notification duties to current clients when there is a substantial likelihood that confidential information was compromised.
For law firms, the scenarios described above carry consequences beyond operational disruption. A deleted client matter folder or a ransomware event affecting client files can trigger ethics obligations, malpractice exposure, and notification requirements. A third-party backup is one of the most straightforward ways to demonstrate the “reasonable efforts” standard these rules require.
RPO and RTO: What Recovery Actually Means in Practice
Two terms worth understanding when evaluating backup vendors:
RPO — Recovery Point Objective
How much data can your organization afford to lose? If a vendor backs up email 3x/day, your worst-case data loss in a recovery scenario is roughly 8 hours of mail. If they back up 6x/day, that window drops to 4 hours.
RTO — Recovery Time Objective
How quickly does your organization need to be operational again? Granular item-level restores (a single email, a single file) typically take minutes. Mailbox-level or site-level restores can take longer.
For most organizations, practical targets often look something like this:
- File-level restore (single document, email): under 15–30 minutes
- Mailbox restore: within a few hours
- Full site or workload restore: same business day
Validate Before You Commit
Verify whether the vendor you're evaluating can meet those targets at your data scale before committing.
Vendor Options: What to Evaluate
The market for Microsoft 365 backup has matured significantly. Below is an overview of the vendors we evaluate most often for our clients, along with what distinguishes each one.
Veeam Data Cloud for Microsoft 365
Best for: Enterprise-grade protection with unlimited included storage and a fully SaaS-delivered platform
Veeam is one of the most widely deployed M365 backup platforms and has a formal strategic partnership with Microsoft, including integration with the Microsoft 365 Backup Storage API. [12] Veeam Microsoft 365 Backup Storage Capabilities for Veeam Data Cloud View source ↗ The current product is called Veeam Data Cloud for Microsoft 365 and is fully SaaS-delivered.
Workloads covered: Exchange Online, SharePoint, OneDrive, Microsoft Teams (including shared and private channels), and Entra ID (Advanced and Premium plans).
What stands out:
- Unlimited storage included at all tiers — no separate storage charges
- Granular restore down to individual emails, files, and Entra ID attributes
- Immutable backups, MFA enforcement, and role-based access controls
- MSP multi-tenant management via the Veeam Service Provider Console
- Self-hosted deployment also available (Veeam Backup for Microsoft 365) for organizations that want to bring their own storage
The Premium tier is required for the fastest disaster recovery speeds using Microsoft 365 Backup Storage integration. Retention is configurable, with support for multi-year retention policies depending on plan and storage design.
AvePoint Cloud Backup
Best for: Complex SharePoint environments or multi-SaaS backup coverage beyond just M365
AvePoint has one of the longest track records in Microsoft 365 data protection — they have been backing up SharePoint since it was called Team Services. Their platform is particularly deep on SharePoint and Teams content structure, including permissions, site hierarchies, and metadata.
Workloads covered: Exchange Online, SharePoint, OneDrive, Microsoft Teams, Dynamics 365, Azure AD/Entra ID, Google Workspace, and Salesforce [13] UK Digital Marketplace AvePoint Cloud Backup – Service Description View source ↗ — making it one of the broadest platforms available.
What stands out:
- Automated backups with granular item-level restore
- Flexible retention policies configurable to organizational needs
- Storage options: AvePoint-managed Azure storage or bring your own cloud
- Strong MSP reseller program with competitive partner pricing
- Broad coverage across SaaS platforms beyond M365
Some user reviews have noted that on-demand backup outside the scheduled window could be more flexible — worth asking about during a demo.
N-able Cove Data Protection
Best for: Backup coverage extending beyond M365 to include servers and workstations in a single console
Cove was built cloud-first and MSP-first. It is the only platform in this comparison that manages Microsoft 365, server, and workstation backups in a single web-based multi-tenant dashboard — no separate portals, no separate billing relationships for your IT provider to juggle.
Workloads covered: Exchange Online, SharePoint, OneDrive, Microsoft Teams [14] N-able Cove Data Protection for Microsoft 365 View source ↗ — all covered under a single per-user M365 license. Server and workstation backup are managed in the same console under separate licenses.
What stands out:
- Exchange backed up up to 6x/day; SharePoint up to 4x/day [15] N-able Cove Data Protection – SharePoint Backup View source ↗
- Up to 7-year data retention with regional storage selection for data sovereignty
- Storage is included — no second vendor for cloud storage
- SOC 1, SOC 2, ISO 27001, PCI-DSS, and HIPAA certifications
- Designed for MSP multi-tenant management with consolidated reporting
- Integrates with N-able RMM/N-central for unified monitoring
Some user reviews note that searching for specific data across the backup archive is less flexible compared to other platforms. Portable data export (e.g., PST format) has currently limited options — worth validating if that is a requirement.
Backupify (by Kaseya / Datto)
Best for: M365-focused backup with strong compliance credentials and minimal configuration overhead
Backupify [16] Exigent Backupify – Managed IT Services View source ↗ is now part of the Kaseya/Datto portfolio and runs on Datto's private cloud infrastructure. It is one of the simpler platforms to deploy and manage — automated lifecycle management handles user detection and departed employee archiving without manual intervention.
Workloads covered: Exchange Online, SharePoint, OneDrive, Microsoft Teams.
What stands out:
- Automated backups 3x/day with unlimited on-demand recovery
- Automatic detection of new users and archiving of departed employees
- SOC 2 Type II and HIPAA compliant
- AES-256 encryption with OAuth authentication
- Granular item-level or full-tenant restore without overwriting live data
PST export options are currently limited — restores go to another Microsoft 365 account rather than a portable file format. Some user reviews note UI complexity.
Side-by-Side Comparison
| Veeam Data Cloud | AvePoint Cloud Backup | N-able Cove | Backupify | |
|---|---|---|---|---|
| Exchange | Yes | Yes | Yes | Yes |
| SharePoint | Yes | Yes | Yes | Yes |
| OneDrive | Yes | Yes | Yes | Yes |
| Teams | Yes (incl. private channels) | Yes | Yes | Yes |
| Entra ID | Yes (Advanced+ only) | Yes | No | No |
| Server & Workstation | No | No | Yes | No |
| Backup Frequency | Configurable by tier | Automated / configurable | Up to 6x/day (Exchange), 4x/day (SharePoint) | 3x/day + on-demand |
| Retention | Configurable | Configurable | Up to 7 years | Configurable |
| Storage Included | Yes (unlimited) | Optional (BYO or AvePoint) | Yes (pooled) | Yes (Datto cloud) |
| MSP Multi-Tenant | Yes | Yes | Yes (strongest) | Limited |
| Compliance Certs | SOC 2, ISO 27001 | SOC 2, ISO 27001 | SOC 1, SOC 2, ISO 27001, PCI-DSS, HIPAA | SOC 2 Type II, HIPAA |
Features subject to change. Verify with vendors prior to purchasing. Contact DP3 for pricing guidance.
DP3's Recommendation
Every organization's environment is different. The right vendor depends on your workload scope, retention requirements, compliance obligations, and how your IT is managed. That said, there are a few consistent takeaways:
Fully SaaS with Unlimited Storage
If your organization needs a fully SaaS-delivered platform with unlimited storage and the broadest Microsoft 365 workload coverage, Veeam Data Cloud for Microsoft 365 is the strongest all-around option.
Deep SharePoint or Multi-SaaS Coverage
If you have deep SharePoint complexity or need backup across multiple SaaS platforms, AvePoint's depth and flexibility make it worth evaluating.
M365 + Servers + Workstations in One Console
If your organization needs backup coverage that extends beyond Microsoft 365 to include servers and workstations — all under a single managed solution — Cove is the strongest fit. It is also the right choice for organizations with strict data residency requirements or compliance mandates that require up to 7 years of retention.
Simple M365-Only Backup
If your backup requirements are focused exclusively on Microsoft 365 — no servers, no workstations, no Entra ID — and you want a straightforward solution with strong compliance credentials and minimal configuration overhead, Backupify is a solid fit.
The Worst Option Is No Backup
If your organization is relying solely on Microsoft's native recycle bin and retention policies, your data is on a countdown timer — 93 days for SharePoint and OneDrive, 14 to 30 days for email. [6] Microsoft Learn About Retention Policies for SharePoint and OneDrive View source ↗ [7] Microsoft Q&A Default Retention Period for Deleted Items in Exchange Online View source ↗ Once those windows close, the data is gone.
Ready to Talk About Backup?
DP3 helps organizations evaluate, implement, and manage cloud backup as part of a broader data protection strategy. We can assess your current Microsoft 365 environment, identify gaps, and recommend a solution that fits your size, compliance obligations, and requirements.
Contact us to schedule a review
References
- [1] Nikki Chapple, "Microsoft 365 Retention, Archive and Backup," 2025. Link
- [2] Microsoft, "Microsoft Services Agreement," 2025. Link
- [3] DrBackup, "OneDrive, SharePoint & Microsoft 365 Backup Whitepaper," 2025. Link
- [4] Microsoft, "Microsoft 365 Backup Overview," 2025. Link
- [5] Techzine, "Veeam Gets Microsoft 365 Backup Storage Integration for Faster Recovery," 2025. Link
- [6] Microsoft, "Learn About Retention Policies for SharePoint and OneDrive," 2025. Link
- [7] Microsoft Q&A, "Default Retention Period for Deleted Items in Exchange Online," 2025. Link
- [8] SysCloud, "Microsoft Teams Retention Policy," 2025. Link
- [9] Microsoft, "Learn About Retention Policies and Retention Labels (Microsoft Purview)," 2025. Link
- [10] ABA, "Formal Opinion 477R – Securing Communication of Protected Client Information," 2017. Link
- [11] Ele-ment, "ABA Formal Opinion No. 483 – Data Breaches and You," 2018. Link
- [12] Veeam, "Microsoft 365 Backup Storage Capabilities for Veeam Data Cloud," 2025. Link
- [13] UK Digital Marketplace, "AvePoint Cloud Backup – Service Description," 2025. Link
- [14] N-able, "Cove Data Protection for Microsoft 365," 2025. Link
- [15] N-able, "Cove Data Protection – SharePoint Backup," 2025. Link
- [16] Exigent, "Backupify – Managed IT Services," 2025. Link
© 2026 DP3. All rights reserved. Product details and features are subject to change; verify directly with vendors before purchasing. This article is provided for informational purposes and does not constitute a binding recommendation.