Does Microsoft 365 Back Up Your Data?
No. And Here's Why That Matters.

Most business owners assume Microsoft is protecting their email, files, and data. They're not. Here's what's actually going on — in plain English.

The Assumption That Could Cost You Everything

Here's a conversation I have at least once a month. A business owner says to me: "We're on Microsoft 365, so our data is in the cloud. It's backed up, right?"

And I have to tell them: no. It's not.

I don't blame anyone for making that assumption. You're paying Microsoft a monthly fee per user. Your email, your files, your SharePoint sites, your Teams conversations — it's all "in the cloud." It feels safe. It feels managed. You'd think that a company as big as Microsoft would be protecting your data as part of the deal.

But they're not. And they're pretty upfront about it if you read the fine print. The problem is that nobody reads the fine print — and Microsoft doesn't exactly go out of their way to make this clear.

Let me explain what's actually happening, what the risks are, and what you should do about it.

The "Shared Responsibility Model" in Plain English

Microsoft has something they call the "shared responsibility model." It's a fancy way of saying: "We handle our part. You handle yours."

Here's what Microsoft is responsible for:

In other words, Microsoft guarantees that their systems will work. If a hard drive fails in a Microsoft data center, they handle it. If a hurricane takes out one of their facilities, they have redundancy.

Here's what Microsoft is not responsible for:

To put it simply: Microsoft keeps the lights on. But if something happens to your data because of something on your end, that's your problem. And "your end" includes a pretty wide range of things that can and do happen to businesses every day.

Real Scenarios That Happen to Real Businesses

This isn't hypothetical. These are things I've seen happen to actual businesses.

An Employee Deletes Important Files

Someone cleans out their OneDrive and accidentally deletes a folder full of client contracts. Or they empty their deleted items in Outlook and realize a week later that they needed one of those emails. Microsoft has a recycle bin, and deleted items are recoverable — for a while. But "a while" has limits. Deleted items in Outlook stay in a recoverable folder for 14 to 30 days, depending on your settings. After that, they're gone. Files in OneDrive and SharePoint follow similar retention windows. If nobody notices the deletion within that window, the data is unrecoverable.

A Departing Employee's Account Gets Deleted

An employee leaves the company and someone deletes their Microsoft 365 account to stop paying the monthly license fee. Makes sense, right? Except that account had three years of email history, project files, and client communications in it. Microsoft gives you 30 days to recover a deleted account. After that, everything associated with it is permanently gone. I've seen businesses lose critical institutional knowledge because they deleted accounts too quickly and didn't have backups.

Ransomware Encrypts Your Cloud Files

Here's one that surprises people: ransomware doesn't just affect your local computers. If an infected machine is syncing with OneDrive or SharePoint, the ransomware can encrypt those files too — and those encrypted versions sync right up to the cloud, replacing your good files with encrypted garbage. Yes, OneDrive has version history. But restoring hundreds or thousands of files individually through version history is a nightmare. And if you don't catch it quickly, those older versions can age out of the retention window.

An Account Gets Compromised

Someone in your company falls for a phishing email and gives away their password. The attacker logs in, sets up email forwarding rules to intercept sensitive communications, deletes emails to cover their tracks, and starts sending phishing emails to your clients from your domain. By the time you discover the breach, the attacker may have deleted months of email, changed settings, and caused damage that's hard to quantify. Microsoft's built-in tools can help with some of this, but they're not designed to give you a complete, point-in-time restoration of everything the way it was before the attack.
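The forwarding and delete rules described in this scenario can be checked for directly. The read-only audit below is an added example, not part of the original article; it assumes the ExchangeOnlineManagement PowerShell module and an account allowed to read all mailboxes.

```powershell
# Added example (not from the original article). Read-only: it changes nothing.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$findings = foreach ($mbx in $mailboxes) {
    # Forwarding configured on the mailbox itself, outside of any inbox rule.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $targets = @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Source  = 'Mailbox forwarding'
            Rule    = ''
            Target  = $targets -join '; '
            Deletes = $false
        }
    }

    # Inbox rules that forward, redirect, or silently delete incoming mail.
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
        } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                Where-Object { $_ }
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Source  = 'Inbox rule'
                Rule    = $_.Name
                Target  = $targets -join '; '
                Deletes = [bool]$_.DeleteMessage
            }
        }
}

# Every row is something a person should be able to explain.
$findings | Sort-Object Mailbox | Format-Table -AutoSize -Wrap
```

A rule that sends mail to an address outside your own domain, or deletes messages on arrival, and that the mailbox owner does not recognize, is worth investigating as a possible sign of a compromised account.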

Compliance or Legal Holds

You get served with a legal discovery request and need to produce all emails from a specific employee from two years ago. But that employee left the company 18 months ago and their account was deleted after 30 days. Without a backup, that data doesn't exist anymore. This isn't just an inconvenience — it can have real legal consequences.

Retention Policies Are Not Backups

This is where a lot of people (and a lot of IT providers, frankly) get confused.

Microsoft 365 has retention policies. You can configure them to keep deleted items for longer periods, apply litigation holds, and set up retention labels. These are useful features, and you should be using them. But they are not the same thing as a backup, and here's why.

Retention policies protect against accidental deletion within Microsoft's ecosystem. They extend the window during which you can recover deleted items. That's valuable. But they have limits — they depend on the policies being configured correctly in the first place, they're subject to Microsoft's own service limitations, and they don't protect you against every scenario.

A real backup is an independent copy of your data stored outside of Microsoft's platform. If Microsoft's retention policies fail, if your account gets nuked, if ransomware corrupts your data faster than retention can protect it, if you need to restore something from a year ago that fell outside your retention window — a backup has you covered. A retention policy might not.

Think of it this way: retention policies are like a safety net built into the trapeze platform. A backup is a completely separate net, maintained by someone else, in a different location. If the platform fails, the safety net built into it fails too. The separate net doesn't care what happened to the platform.

Both are valuable. But one is not a substitute for the other.

What a Proper Microsoft 365 Backup Looks Like

I'm not going to name specific products here because the landscape changes and what matters are the principles, not the brand names. Here's what you should look for in a Microsoft 365 backup solution:

It backs up everything. Email (including attachments), OneDrive files, SharePoint sites, Teams data, and contacts. Not just some of it — all of it. If it's in your Microsoft 365 environment, it should be in your backup.

It runs automatically on a schedule. Backups should happen at least once a day without anyone needing to remember to press a button. Most good solutions back up multiple times per day.

It stores your data independently from Microsoft. Your backups should live somewhere completely separate from Microsoft's infrastructure. If something catastrophic happened to your Microsoft 365 tenant, your backups should be completely unaffected.

It retains data for as long as you need it. Not 30 days. Not 90 days. Your backup retention should align with your business and legal requirements. For most businesses, that means at least one year, and often longer.

It allows granular restore. You should be able to restore a single email, a single file, a single mailbox, or your entire environment — whatever the situation calls for. And restoring should be fast and straightforward, not a multi-day ordeal.

It provides point-in-time recovery. You should be able to say "show me what this mailbox looked like on March 15th" and get that exact snapshot back. This is critical for ransomware recovery and compliance scenarios.

It includes monitoring and alerting. If a backup fails, someone should know about it immediately — not three months later when you actually need to restore something and discover it hasn't been working.

It's managed by someone who checks it. This is the one people overlook. Having backup software is not the same as having working backups. Someone needs to verify that backups are completing successfully, that data integrity is maintained, and that restores actually work when you need them. Backup software that nobody monitors is barely better than no backup at all.

What Does This Actually Cost?

I know what you're thinking: "Great, another monthly fee." And I get it. You're already paying per user for Microsoft 365. Adding a backup cost on top of that stings.

But let me reframe it. A proper Microsoft 365 backup solution typically costs a few dollars per user per month. For a 25-person company, you're looking at somewhere in the range of $75 to $200 per month, depending on the solution and how much data you're storing.

Now compare that to the cost of losing your email history, your client files, or your SharePoint data. What would it cost your business to recreate that information? What would it cost in terms of client trust? Legal liability? Lost productivity while everyone scrambles to figure out what's gone?

For most businesses, the cost of not having a backup is orders of magnitude higher than the cost of having one. It's one of those expenses that feels unnecessary until the day it saves your business — and then it's the best money you've ever spent.

What You Should Do Right Now

If you've gotten this far and you're realizing you don't have a Microsoft 365 backup in place, here's what I'd recommend:

1. Don't panic, but don't wait. The risk is real, but it's not an emergency unless something is actively going wrong. That said, every day without a backup is a day you're exposed. Get this on your priority list this week, not next quarter.

2. Ask your IT provider about it. If you have an IT provider, ask them point-blank: "Are we backing up our Microsoft 365 data?" If the answer is yes, ask them to show you. Ask them what's covered, how long backups are retained, and when they last tested a restore. If the answer is no, or if they're confused by the question, that tells you something important.

3. Check your retention policies. Even before you get a backup solution in place, make sure your Microsoft 365 retention policies are configured sensibly. Extend deleted item retention to the maximum. Consider litigation holds for critical mailboxes. This isn't a replacement for backup, but it buys you some breathing room.

4. Get a proper backup solution implemented. Whether you do it yourself, have your IT provider handle it, or bring in someone like us — get an independent backup of your Microsoft 365 data running as soon as possible. It's one of the highest-impact, lowest-cost things you can do for your business's resilience.
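Step 3 can be carried out from Exchange Online PowerShell. The script below is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module and an Exchange administrator sign-in, and the address in `$critical` is a placeholder.

```powershell
# Added example (not from the original article).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Upper end of the 14 to 30 day deleted-item window described above.
$maxRetention = New-TimeSpan -Days 30

# Audit first: current deleted-item retention and hold status per user mailbox.
$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object UserPrincipalName,
                  RetainDeletedItemsFor,
                  LitigationHoldEnabled,
                  @{ Name       = 'BelowMax'
                     Expression = {
                         # The value may come back as text such as "14.00:00:00".
                         [TimeSpan]::Parse([string]$_.RetainDeletedItemsFor) -lt $maxRetention
                     } }

$report | Sort-Object BelowMax -Descending | Format-Table -AutoSize

# Extend every mailbox that is below the maximum.
# -WhatIf only previews the change; remove it to apply.
$report | Where-Object BelowMax | ForEach-Object {
    Set-Mailbox -Identity $_.UserPrincipalName `
                -RetainDeletedItemsFor $maxRetention `
                -WhatIf
}

# Litigation hold for critical mailboxes (placeholder address; the mailbox
# needs a licence that includes litigation hold).
$critical = @('owner@example.com')
foreach ($address in $critical) {
    Set-Mailbox -Identity $address -LitigationHoldEnabled $true -WhatIf
}
```

Keep the audit output with your records: it shows which mailboxes were on a shorter window and when that changed. None of this creates a copy outside Microsoft's platform, so step 4 still applies.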

Not Sure If Your Microsoft 365 Data Is Protected?

We'll take a look at your current setup, tell you exactly where the gaps are, and help you get proper backup coverage in place. No pressure, no jargon — just honest answers.
