
Data Recovery in Microsoft 365: Why Availability Is Not the Same as Recoverability

Why Microsoft 365 Does Not Automatically Protect Your Data – and How to Fix That

Three Things You Need to Know
• Microsoft 365 includes availability features, not recovery-grade backup. Data deleted or corrupted is not automatically restorable after retention periods expire.
• Small organisations need a structured but lightweight backup approach: three components, minimal overhead, no dedicated IT department required.
• A practical framework exists that covers Exchange Online, SharePoint, OneDrive, and Teams without requiring complex infrastructure.

The Problem: A Misconception That Can Be Costly

A small accounting firm with twelve employees loses access to two years of client correspondence after a ransomware attack encrypts its SharePoint environment. Its IT provider reassures them: “You’re on Microsoft 365, your data is safe.” Two weeks later, it becomes clear that Microsoft’s built-in retention windows had expired and no independent backup existed. The data is gone.

This scenario is not exceptional. Many small organisations, typically those with 10 to 200 employees, operate under the assumption that subscribing to Microsoft 365 means their data is backed up. Microsoft does protect against infrastructure failure and offers limited retention tooling, but this is not the same as a recoverable backup in the event of user error, malicious deletion, or a ransomware incident.

The good news is that small organisations do not need enterprise-grade complexity to protect Microsoft 365 data effectively. What they need is a clear framework: three components, defined recovery objectives, and a tested process.

Why Microsoft 365 Is Not a Replacement for Proper Backup

Microsoft 365 operates under a shared responsibility model. Microsoft is responsible for the infrastructure: the servers, the network, and the availability of the service. The organisation is responsible for its data. Microsoft 365 includes features such as the Recycle Bin, version history, and retention policies in Microsoft Purview (formerly the Compliance Center). These are designed to support compliance and recovery from accidents within defined windows: by default 14 days for items deleted from an Exchange Online mailbox (extendable to 30), 30 days for a deleted mailbox and for Files Restore in OneDrive and SharePoint, and 93 days for the SharePoint and OneDrive recycle bins. After these windows close, data is permanently deleted unless a retention policy holds it.

What Microsoft does not provide:
• Protection against ransomware that overwrites or encrypts files within Microsoft’s systems, beyond what version history and the 30-day Files Restore window in OneDrive and SharePoint happen to cover; an attacker with administrator rights can also empty recycle bins and remove unlocked retention policies
• Recovery from admin errors that delete entire mailboxes or SharePoint sites once the soft-delete window (30 days for a mailbox, 93 days for a site) has passed
• Long-term archiving that satisfies legal or audit requirements beyond the default retention periods
• Granular, point-in-time recovery with guaranteed restore times

According to ENISA best practices for cyber crisis management, organisations should distinguish between availability (uptime of a service) and recoverability (the ability to restore data after a loss event). Microsoft 365 guarantees the first. The second requires an independent backup solution.

What Does a Small Organisation Actually Need to Back Up?

Microsoft 365 contains several data types that serve different operational and legal purposes. Not all require the same level of protection.

Exchange Online (email and calendars)
Email is typically the highest-priority workload. It is used for contracts, client communication, and audit trails. A restore window of 30 days is insufficient for most organisations that must retain records for 5 to 7 years.

SharePoint Online and OneDrive
These store documents, project files, and operational data. Version history exists, but it does not protect against complete folder or site deletion, nor against ransomware that alters files over a long period before detection.

Microsoft Teams
Teams keeps its data in the other workloads: compliance copies of 1:1 and group chat messages are stored in the participants’ Exchange Online mailboxes, channel messages in the Microsoft 365 group mailbox, files shared in a channel in the team’s SharePoint site, and files shared in a chat in the sender’s OneDrive. Backing up Exchange and SharePoint therefore captures much of Teams, but not necessarily in a form that can be restored as a working team, channel, or conversation. Teams data is often overlooked in backup planning despite being a primary collaboration channel for many organisations.

Microsoft 365 Groups and Planner
Less critical for most small organisations, but worth including if these tools are used for project coordination. For organisations subject to the NIS2 Directive, all of the above may constitute essential data that must be recoverable within defined time frames.

A Practical Three-Step Framework for Small Organisations

The following framework is designed for organisations without a dedicated IT department. It requires a one-time setup of approximately half a day and minimal ongoing maintenance.

Step 1: Determine how much downtime and data loss is acceptable
Before selecting a tool, define two parameters:
1. Recovery Time Objective (RTO): How long can your organisation operate without email or documents? For most small businesses, 4 to 24 hours is the realistic threshold.
2. Recovery Point Objective (RPO): How much data can you afford to lose? Daily backup covers most needs; critical workloads may require more frequent snapshots.
Write these down. They are your requirements, not a vendor’s marketing claim.

Step 2: Choose a backup solution built specifically for Microsoft 365
Use a solution designed specifically for Microsoft 365 – not a general-purpose file backup tool. Key criteria:
1. Backs up Exchange, SharePoint, OneDrive, and Teams from a single interface
2. Stores backup data outside the production tenant, under credentials that are not the tenant’s own admin accounts (a separate provider, or at least a separate tenant and subscription, whether cloud or on-premises)
3. Supports granular restore (individual email, file, or site – not just full restore)
4. Provides clear retention configuration (minimum 1 year; 7 years for regulated industries)
Mindtime’s Microsoft Cloud Backup is built on these principles and is designed for organisations that need reliable protection without managing complex infrastructure.

Step 3: Test the restore process and document it
A backup that has never been tested is not a backup – it is an assumption. Schedule a quarterly restore test and document the following:
1. Who initiates the restore
2. Which system is used
3. Expected restore time
4. What was tested and the outcome
This documentation is also relevant for insurance purposes and, in regulated sectors, for NIS2 compliance.
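The requirements written down in Step 1 and the restore test in Step 3 only protect anything if someone checks them against what the backup tool actually did. The script below is an added example, not code from this page or from Mindtime’s product: it reads a constructed backup job log in a hypothetical JSON-lines format (fields ts, workload, event, status, duration_minutes) and reports every workload whose last successful backup is older than the RPO, any required workload that is missing from the log entirely (the excluded-workload failure described under the common mistakes), and a restore test that is missing, older than the quarterly cadence, or slower than the RTO. The log format, the field names, and the sample records are assumptions made for the example.

```python
"""Backup health check over a Microsoft 365 backup job log.

Added example, not code from the page or from any backup product. It assumes
a constructed log format (one JSON object per line) with fields ts, workload,
event ("backup" or "restore_test"), status and, for restore tests,
duration_minutes. Checks performed:
  * every required workload has a successful backup no older than the RPO,
  * the most recent successful restore test is within the test cadence and
    finished within the RTO,
  * no required workload is absent from the log (excluded or never configured).
"""
import json
from datetime import datetime, timedelta, timezone

# Requirements from Step 1, written down as code rather than a vendor claim.
REQUIRED_WORKLOADS = {"exchange", "sharepoint", "onedrive", "teams"}
RPO = timedelta(hours=24)                   # daily backup
RTO = timedelta(hours=4)                    # a restore must finish within 4 hours
RESTORE_TEST_CADENCE = timedelta(days=90)   # quarterly restore test

# Constructed sample log (hypothetical format, not output of a real product).
SAMPLE_LOG = """\
{"ts": "2024-05-01T02:00:00Z", "workload": "exchange", "event": "backup", "status": "success"}
{"ts": "2024-05-01T02:10:00Z", "workload": "sharepoint", "event": "backup", "status": "success"}
{"ts": "2024-04-29T02:20:00Z", "workload": "onedrive", "event": "backup", "status": "success"}
{"ts": "2024-05-01T02:20:00Z", "workload": "onedrive", "event": "backup", "status": "failed"}
{"ts": "2024-01-20T09:00:00Z", "workload": "exchange", "event": "restore_test", "status": "success", "duration_minutes": 150}
"""
# The moment the check is assumed to run, fixed so the example is reproducible.
SAMPLE_NOW = datetime(2024, 5, 1, 20, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the JSON-lines log into records with timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # fromisoformat() accepts "+00:00" on every supported Python version;
        # a trailing "Z" is only accepted from 3.11, so normalise it first.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def check_backups(events, now, rpo=RPO, required=REQUIRED_WORKLOADS):
    """Return one problem string per required workload outside the RPO."""
    last_ok = {}
    for e in events:
        if e["event"] == "backup" and e["status"] == "success":
            w = e["workload"]
            last_ok[w] = max(last_ok.get(w, e["ts"]), e["ts"])
    problems = []
    for w in sorted(required):
        if w not in last_ok:
            problems.append(f"{w}: no successful backup in log (excluded or never ran)")
        elif now - last_ok[w] > rpo:
            problems.append(f"{w}: last successful backup {now - last_ok[w]} ago exceeds RPO {rpo}")
    return problems


def check_restore_test(events, now, cadence=RESTORE_TEST_CADENCE, rto=RTO):
    """Return problem strings for a missing, stale, or too-slow restore test."""
    tests = [e for e in events if e["event"] == "restore_test" and e["status"] == "success"]
    if not tests:
        return ["restore test: no successful restore test recorded"]
    last = max(tests, key=lambda e: e["ts"])
    problems = []
    if now - last["ts"] > cadence:
        problems.append(f"restore test: last success {now - last['ts']} ago exceeds cadence {cadence}")
    if timedelta(minutes=last["duration_minutes"]) > rto:
        problems.append(f"restore test: took {last['duration_minutes']} min, exceeds RTO {rto}")
    return problems


def run_checks(text, now):
    """Run every check; an empty list means the backup meets the written requirements."""
    events = parse_log(text)
    return check_backups(events, now) + check_restore_test(events, now)


if __name__ == "__main__":
    for p in run_checks(SAMPLE_LOG, SAMPLE_NOW) or ["all checks passed"]:
        print(p)
```

Run against the sample log, the script flags OneDrive (last good backup more than two days old, the newer run failed), Teams (never backed up at all) and the restore test (last run over 100 days ago), while Exchange and SharePoint pass. Pointing the same checks at the real job export of whatever tool is in use, and running them from a scheduled task that alerts on a non-empty result, is the “monitoring” that keeps a daily backup and a quarterly restore test from quietly lapsing.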

What Does Proper Backup Actually Cost a Small Organisation?

Microsoft 365 backup for a small organisation is significantly less expensive than most assume. For organisations with 10 to 50 users, purpose-built backup solutions typically cost between 2 and 5 euros per user per month. Compare this to the cost of a single data loss incident: the average cost of a ransomware recovery incident for an SME – including downtime, IT recovery costs, and lost productivity – exceeds 50,000 euros. Backup is not an IT luxury. For small organisations, it is the lowest-cost risk mitigation available. A Backup as a Service approach removes the need for in-house infrastructure entirely, making it particularly practical for organisations without a dedicated IT team.

Four Mistakes Small Organisations Commonly Make

Mistake 1: Relying solely on Microsoft’s retention policies
Retention policies serve a compliance function, not a recovery function. A policy can hold deleted or changed content for years, but getting it back means an eDiscovery search and export rather than a point-in-time restore, the held copy lives in the same tenant under the same admin rights as production, and a policy without Preservation Lock can be removed by any administrator, including an attacker who has taken over an admin account. They are not designed to restore data after a malicious event or significant user error.

Mistake 2: Never testing the restore process
Organisations that have never tested a restore often discover – at the worst possible moment – that their backup process was misconfigured, that credentials expired, or that a critical workload was excluded.

Mistake 3: Overlooking Teams and SharePoint
Email backup is often in place, but Teams chats and SharePoint sites are frequently forgotten. In practice, these often contain more operationally critical data than email.

Mistake 4: Storing backup data inside Microsoft’s own ecosystem
Some solutions store backup data in Azure or in the same Microsoft tenant. The problem is shared control rather than the brand of the storage: if the backups can be reached, altered, or deleted with the same administrator accounts and credentials as production, a tenant compromise takes both at once. Use a solution that stores data in an independent environment with its own credentials, ideally with immutable (write-once) retention so that neither an attacker nor a mistaken administrator can shorten it. For organisations concerned about ransomware protection, this is especially important: isolated, immutable backup storage is a core defence against encryption attacks.

Conclusion: Availability Is Not the Same as Recoverability

Small organisations often delay Microsoft 365 backup because they assume it is complex, expensive, or already handled by Microsoft. None of these assumptions are accurate. Microsoft provides availability – not recoverability. A practical backup framework requires three steps, runs in the background with minimal maintenance, and costs a fraction of what a single recovery incident would cost. The question is not whether your organisation can afford to back up Microsoft 365. It is whether you can afford not to.

Frequently asked questions

Does Microsoft 365 automatically back up my data?

No. Microsoft 365 includes features such as the Recycle Bin and version history, but these are availability and retention tools, not backup. They are designed to support recovery within limited time windows, typically between 14 and 93 days depending on the feature. After these windows close, data is permanently deleted unless a retention policy holds it. Microsoft’s shared responsibility model places the obligation for data recovery on the customer, not on Microsoft.

What happens to Microsoft 365 data if the organisation is hacked or hit by ransomware?

If an attacker gains access to a Microsoft 365 tenant, whether through a compromised account or ransomware, they can delete, encrypt, or exfiltrate data within the environment, and with administrator rights they can also empty recycle bins and remove unlocked retention policies. Microsoft’s native protections do not guarantee recovery in these scenarios. An independent backup stored outside the tenant, under separate credentials, is the reliable way to restore data after such an event; a backup the same compromised accounts can reach offers no such guarantee. A backup restores data, not trust: the compromised accounts must be reset and the tenant cleaned before the restore, or the restored data is exposed again.

How long does it take to set up Microsoft 365 backup for a small organisation?

A purpose-built Microsoft 365 backup solution can typically be configured within a few hours for a small organisation. Initial setup involves connecting the backup tool to the Microsoft 365 tenant, defining which workloads to protect (Exchange, SharePoint, OneDrive, Teams), setting retention periods, and scheduling a first backup. Ongoing maintenance is minimal – mainly monitoring and quarterly restore tests.
