
Is My Microsoft 365 Data Automatically Protected by Microsoft?

Microsoft protects the service. Your data? That's your responsibility.

An accountant accidentally deletes the entire Teams history of a project that wrapped up three years ago. The contracts, the decisions, the communication — gone. His colleague calls IT: "Can Microsoft restore that?" The answer is: no, unless it happened within the last 30 days.

This scenario is not an edge case. It is the direct consequence of a misconception that is widespread across organizations: that Microsoft 365 also backs up the data stored within it. Microsoft does not do this — and it's not hidden. It's in the terms of service.

This isn't a criticism of Microsoft. It's an invitation for every IT manager to understand where Microsoft's responsibility ends and where theirs begins.

Key Takeaways:
• Microsoft protects M365 platform availability, not your individual data when user errors or attacks occur.
• Deleted data in Microsoft 365 is permanently gone after 30 days (by default) — unless you have an external backup.
• The Shared Responsibility Model explicitly places data protection responsibility with the customer.

What does Microsoft protect — and what doesn't it?

Microsoft invests significantly in the availability and security of its own infrastructure. The datacenters are ISO 27001 certified, the Microsoft 365 uptime guarantee is 99.9% (source: Microsoft Service Level Agreement), and Microsoft has extensive measures against intrusion at the platform level.

But that is not the same as protecting your data. Microsoft's responsibility ends the moment you — or someone with access to your account — deletes, overwrites, or corrupts data. The Microsoft Services Agreement (section 6b) is clear on this: Microsoft is not liable for data loss resulting from user actions.

What Microsoft does not protect against:
• Data that an employee accidentally or intentionally deletes
• Data encrypted by ransomware through a compromised account
• Data lost due to a misconfigured retention policy
• Data deleted when offboarding employees if not prevented in time

This is called the Shared Responsibility Model, and it is the standard in the cloud industry. The provider protects the service; the customer protects the data.

What Microsoft does offer: built-in retention tools
Microsoft 365 does offer a number of built-in retention tools, but these are not the same as a backup.

The recycle bin in Exchange Online and SharePoint retains deleted items for 30 days by default (extendable to 93 days through additional settings). Microsoft 365 Backup (a paid add-on) offers longer retention for certain workloads but is limited in granularity and recovery speed. Retention policies can preserve data for compliance purposes but are not designed for operational recovery.

None of these tools is a full backup that protects against all data loss scenarios.

Why Microsoft 365 data is particularly vulnerable

Microsoft 365 is especially vulnerable to a type of attack that bypasses classic backup strategies: attacks via compromised accounts.

If an employee falls victim to phishing and their credentials are stolen, the attacker has access to the entire M365 environment with that employee's permissions. They can delete emails, overwrite files, and erase Teams conversations. Microsoft 365 executes these actions as legitimate user actions — and synchronizes them to all devices and integrations.

According to Microsoft, Microsoft Entra ID (the identity service behind M365) processes more than 600 million threats daily. A compromised account is one of the most common access vectors for data exfiltration and loss.

An independent backup of M365 data — stored outside Microsoft's own environment — is the only way to recover from this type of loss. See our Microsoft Cloud Backup page for more information.

Which M365 data do you need to protect yourself?

Virtually all data in Microsoft 365 is vulnerable to loss that Microsoft cannot restore. The most critical categories are:

Exchange Online (email): Deleted mailboxes from departed employees are permanently deleted after 30 days. All email history is then gone — unless a backup is available.

SharePoint Online and OneDrive: Deleted site collections are retained for 93 days, but individual files disappear sooner. Version history in SharePoint is limited and not designed for emergency recovery.

Microsoft Teams: Teams conversations, channel messages, and shared files fall under Exchange and SharePoint retention rules — with the same limitations.

Microsoft Entra ID: User accounts, groups, application registrations, and access policies. If an account or group is accidentally deleted, this can have cascading effects on access to all M365 services.

For each of these workloads, an independent backup is the only guarantee of complete recovery.

Step-by-step: how to assess your M365 data protection

1. Inventory which M365 workloads you actively use (Exchange, SharePoint, Teams, OneDrive, Entra ID).
2. Check which retention policies are active and how long deleted data is retained.
3. Determine whether an independent backup solution is active for each workload.
4. Test whether recovery is possible: request recovery of a specific item from 60 days ago.
5. Document the recovery process including responsibilities and escalation paths.
6. Establish an RTO and RPO for M365 data and verify that the backup solution meets these targets.
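As an added example (not code from the original article), the following PowerShell script covers steps 2 and 6 of the checklist above: it reads the tenant's current deletion retention windows, lists soft-deleted mailboxes approaching the 30-day purge, and compares each native window against a target RPO. It assumes the ExchangeOnlineManagement module, an account with Exchange and compliance admin rights, and a 60-day RPO (an assumed value chosen to match the 60-day recovery test in step 4).

```powershell
# Added assessment script, not part of the original article.
# Assumes: ExchangeOnlineManagement module installed; the signed-in account holds
# Exchange admin and Compliance admin roles; $TargetRpoDays is an assumed target.
param(
    [int]$TargetRpoDays = 60   # assumed RPO: "restore an item from 60 days ago" (step 4)
)

Import-Module ExchangeOnlineManagement

# Pure comparison function: given the retention window that exists today for a
# workload, report whether native retention alone can meet the RPO.
function Test-RetentionWindow {
    param([string]$Workload, [int]$WindowDays, [int]$RpoDays)
    [pscustomobject]@{
        Workload   = $Workload
        WindowDays = $WindowDays
        RpoDays    = $RpoDays
        Result     = if ($WindowDays -ge $RpoDays) { 'PASS (native retention covers RPO)' }
                     else { 'FAIL - independent backup required' }
    }
}

Connect-ExchangeOnline -ShowBanner:$false

# Step 2: the shortest deleted-item retention across all mailboxes is the weakest link.
$minMailboxDays = (Get-Mailbox -ResultSize Unlimited |
    ForEach-Object { $_.RetainDeletedItemsFor.Days } |
    Measure-Object -Minimum).Minimum

# Mailboxes of departed users: Microsoft purges soft-deleted mailboxes 30 days after deletion.
$expiring = Get-Mailbox -SoftDeletedMailbox |
    Select-Object DisplayName, WhenSoftDeleted,
        @{ n = 'DaysLeft'; e = { 30 - ((Get-Date) - $_.WhenSoftDeleted).Days } }

# Step 2 (compliance side): active retention policies and the durations their rules enforce.
Connect-IPPSSession
$rules = Get-RetentionComplianceRule |
    Select-Object Policy, RetentionDuration, RetentionComplianceAction

# Step 6: compare each native window with the RPO. The SharePoint/OneDrive (93 days)
# and soft-deleted mailbox (30 days) windows are fixed by Microsoft, as stated in the article.
$report = @(
    Test-RetentionWindow -Workload 'Exchange Online deleted items'   -WindowDays $minMailboxDays -RpoDays $TargetRpoDays
    Test-RetentionWindow -Workload 'SharePoint/OneDrive recycle bin' -WindowDays 93              -RpoDays $TargetRpoDays
    Test-RetentionWindow -Workload 'Soft-deleted mailboxes'          -WindowDays 30              -RpoDays $TargetRpoDays
)
$report   | Format-Table -AutoSize
$expiring | Format-Table -AutoSize
$rules    | Format-Table -AutoSize
```

Any row marked FAIL is a workload where recovery from the article's 60-day scenario depends entirely on a backup held outside Microsoft 365.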

How does compliance work with Microsoft 365?

Many organizations use M365's built-in compliance tools — Purview, retention policies, eDiscovery — to comply with GDPR and sector-specific regulations. This is a sensible approach for compliance purposes, but it is not a substitute for backup.

Retention policies preserve data for legal or regulatory purposes, but are not designed for operational recovery. Data retained by a retention policy is not always immediately accessible for recovery in normal business operations.

Moreover, the NIS2 directive — enforced in the Netherlands from July 2026 — requires organizations to demonstrate recovery capabilities. Not just preserving data, but demonstrating you can recover data within a defined timeframe. That is a different requirement from compliance archiving.

For an integrated approach to M365 security and compliance, see our Data Security page.

What are the options for independent M365 backup?

There are three categories of solutions for independent Microsoft 365 backup.

First: specialized SaaS backup solutions. These are cloud-native services specifically designed for backing up M365 workloads. They operate outside the Microsoft environment, offer granular recovery options (individual email, file, or conversation), and typically have longer retention periods than Microsoft's built-in tools.

Second: Backup as a Service from a managed service provider. This is similar to the first category but managed by an external party. Suitable for organizations without their own IT department or that want to outsource backup.

Third: hybrid solutions combining M365 with on-premises or sovereign cloud backup. Relevant for organizations with strong data sovereignty requirements or those subject to NIS2 or sector-specific regulations.

See our Backup as a Service page for more information on how these solutions work in practice.

Conclusion

Microsoft 365 is an excellent productivity platform with strong security measures for its own infrastructure. But it is not a backup for your data. The responsibility for protecting emails, files, Teams conversations, and identity data lies with your organization.

The Shared Responsibility Model is not a way to absolve Microsoft of responsibility. It is an honest description of how cloud services work — and an invitation to take your own responsibility seriously.

A good M365 backup is not a luxury. It is the base layer of data protection that every M365 user needs.

Frequently asked questions

Does Microsoft automatically back up my Microsoft 365 data?

No. Microsoft protects platform availability but does not back up your individual data. Deleted items are retained for 30 to 93 days in the recycle bin depending on settings, but after that they are permanently gone. For structural data protection, an independent backup solution outside the Microsoft environment is required.

What is the Shared Responsibility Model in the cloud?

The Shared Responsibility Model is a principle whereby cloud providers are responsible for the security of their own infrastructure (datacenters, network, hardware), while customers are responsible for the security of their own data and applications. In practice, this means Microsoft ensures M365 is available, but you are responsible for protecting the data you store in it.

Does Microsoft 365 protect me against ransomware?

Microsoft 365 has built-in security measures against malware, but these do not fully protect against all ransomware scenarios. If ransomware is activated through a compromised account, Microsoft 365 executes the encryption or deletion as a legitimate user action. An independent backup outside the M365 environment is the only way to recover data if the M365 environment itself is compromised.
