Who backs up your Microsoft 365 data? Not Microsoft, and that's official
· by IDE Solutions
Here is a phone call no business owner enjoys. A folder has vanished from SharePoint, deleted at some point in the spring, and nobody noticed. In it: signed offers, the paper trail of a customer dispute, and invoices the tax office has just asked to see. Someone calls Microsoft support and receives an answer that is polite, correct, and completely unhelpful: the data is past its recovery window, and restoring it is not something Microsoft does. The first time you hear that, it sounds outrageous. It is also, in plain terms, exactly what the contract you accepted says.
So who actually carries the Microsoft 365 backup responsibility? The short answer: you do. Microsoft promises to keep the service running; what happens to your emails and files inside it is your job. Most owners of smaller companies have never been told this directly, which is why it is one of the first things we clarify for every client of our Microsoft 365 managed service. This article lays out what Microsoft does and does not promise, how long the built-in safety nets really last, why German record-keeping law turns that gap into a legal problem rather than a technical one, and what closing it actually costs.
Microsoft 365 backup responsibility: what the contract actually says
Cloud services work on a principle called the shared responsibility model. Microsoft's side of the deal covers the data centres, the hardware, the network, the software, and keeping it all available, backed by a 99.9 per cent uptime commitment. Your side of the deal covers everything you put into it. Your emails, files, Teams messages, contacts and settings are your content, and their survival is your responsibility, not Microsoft's.
This is not our interpretation of small print. Microsoft's own Services Agreement recommends, in so many words, that customers regularly back up the content and data they store in Microsoft's services, using third-party apps and services. It is worth reading that sentence twice: the manufacturer of the product is formally advising you to keep a copy of your data somewhere outside the product.
At this point most people object: "But surely Microsoft keeps copies of everything?" It does, for its own purposes. Your data is replicated across data centres so that a failed disk or even a destroyed building does not take the service offline. Replication protects Microsoft's promise of availability. It does nothing for yours: delete a file, and the deletion is faithfully copied everywhere within seconds. Let ransomware encrypt a document library, and the encrypted versions are replicated just as diligently. A perfect copy of a disaster is still a disaster.
The built-in safety nets, and when they run out
To be fair, Microsoft 365 handles everyday accidents well. There are several layers of short-term recovery, and for the file deleted yesterday they work exactly as hoped. The problem is that every layer has an expiry date, and the clock is short:
- Deleted files. SharePoint and OneDrive keep deleted items in a two-stage recycle bin for about 93 days in total. After that, they are gone: there is no deeper archive to appeal to.
- Deleted emails. A message removed from the Deleted Items folder sits in a hidden recovery area for 14 days by default (an administrator can extend this to 30). Then it is purged for good.
- Departed employees. When a leaver's account is deleted, their mailbox and OneDrive are typically retained for around 30 days, and then removed, with every email and file in them. Two years of customer correspondence can evaporate one uneventful month after someone's last working day.
- Older versions of files. Version history protects you against a bad edit, not against deletion of the file or the whole library, and a ransomware attack that rewrites files dozens of times can flush the useful versions out of the history.
What about retention policies? Microsoft 365's compliance features can be configured to preserve email and documents for defined periods, and they are genuinely useful: we set them up for clients regularly. But preservation is not backup. There is no simple way to restore a whole mailbox or site to how it looked last Tuesday; getting data back out is a search-and-export exercise, not a restore button. And a retention policy changed by mistake, or by an attacker with admin rights, stops protecting quietly, without anyone noticing. The honest summary: the built-in safety nets are measured in days and weeks. Your obligations, as the next section shows, are measured in years.
GoBD: German law turns the gap into a legal problem
If your company pays taxes in Germany, a set of rules called the GoBD governs how digital business records must be kept. You do not need to read them, but you do need to know three numbers. Business and commercial correspondence, which today mostly means email, must be kept for six years. Invoices and other documents relevant to bookkeeping must be kept for eight years (reduced from ten at the start of 2025). Ledgers, annual financial statements and similar core records: ten years.
The GoBD also cares about how records are kept. They must be protected against alteration and loss, remain machine-readable, and be retrievable for the entire period, including on the day a tax auditor asks for them. "It was in an employee's mailbox and the account was deleted when she left" is not an answer an auditor accepts.
Now put the two halves together. Invoices arrive by email into mailboxes whose deep recovery window is 14 to 30 days. Offers and contracts live in SharePoint libraries with a 93-day recycle bin. The law expects those records to be producible six or eight years later. Nothing in a standard Microsoft 365 subscription bridges that distance on its own. If records are missing at an audit, the consequences are concrete: the tax office may reject parts of your bookkeeping and estimate your revenue instead, and such estimates are rarely generous. Where record-keeping duties and IT actually meet is exactly the ground our IT governance and compliance service covers.
Four ordinary ways data disappears for good
None of what follows is exotic. These are the four patterns behind almost every "the data is gone" call we receive, and not one of them is a Microsoft outage:
- The late discovery. Someone tidies up a team site in March. In September, a customer disputes an invoice and the folder that would settle it has been gone for 90-plus days. The deletion was months ago; the need arrives later. This is the most common pattern by far.
- The leaver. An employee departs, the account is closed in the routine offboarding, and thirty days later the mailbox is purged, along with the only copies of quotes, approvals and customer promises that now belong to nobody.
- The encrypted laptop. Ransomware lands on one synced PC and OneDrive dutifully uploads the encrypted files, spreading the damage into the cloud and across shared libraries. How exposed your tenant is to exactly this is one of the things a Microsoft 365 security assessment establishes.
- The administrative slip. A cleanup script with the wrong filter, a retention policy edited in the wrong direction, a well-meant "let's delete the old shared mailbox", admin rights make mistakes efficient, and Microsoft executes instructions exactly as given.
It bears repeating: in every one of these cases Microsoft's service worked flawlessly. The uptime promise was kept. If the service itself fails, the service agreement offers credits on your subscription fee: it never offers your files back.
What a real Microsoft 365 backup looks like
A backup worthy of the name has four properties the built-in tools lack. First, it is an independent copy that lives outside your tenant, so that whatever happens inside the tenant, including a compromised admin account, cannot touch it. Second, its retention is set by you, in years, to match your legal duties, not by a product default measured in days. Third, it can restore to a point in time: a single email, one folder, or an entire site, as it looked before the incident. Fourth, at least one copy is unchangeable, written once and locked, so even ransomware with stolen credentials cannot rewrite it.
You have two routes to this, and they are not mutually exclusive. Microsoft now sells its own paid add-on, Microsoft 365 Backup, whose strength is speed: it restores large SharePoint and Exchange volumes far faster than traditional tools, which matters in a ransomware recovery. Its limitation is retention, backups are kept for roughly a year, which does not meet a six- or eight-year duty on its own. Third-party backup products cover the long-retention, independent-copy side, often for a few euros per user. Many of our clients run a combination: fast restore for incidents, long-term archive for the law. Whichever route you take, one habit is non-negotiable: test a restore twice a year. A backup nobody has ever restored from is a hope, not a plan. Designing and running this is the core of our backup and recovery service.
What it costs, and what it prevents
The numbers make this an easy decision to evaluate. Third-party Microsoft 365 backup typically costs in the range of two to five euros per user per month. For a 20-person company, that is roughly 500 to 1,200 euros per year, comparable to a single hour of legal advice in a dispute you cannot document, and far below what one afternoon of rebuilding a SharePoint site from scattered local copies costs in staff time alone.
Set against that: a rejected set of records at a tax audit can end in revenue estimates and back-payments that reach five figures; industry figures for a ransomware incident at a small company, downtime, recovery work, lost business, land in the mid five figures. The backup does not prevent the incident, but it converts "the data is gone" into "the data is back by tomorrow morning". Setting it up is a day of focused work, not a project.
Quick answers
Doesn't Microsoft back up my data anyway? Microsoft replicates your data to keep its service available. Replication copies your deletions and ransomware damage too. There is no Microsoft archive that can return a file you lost 94 days ago.
Are retention policies enough for the GoBD? They address the keeping side and are worth having, but they are hard to restore from, easy to misconfigure silently, and do not protect against tenant-level damage. Auditors and, more importantly, real incidents are best answered with retention and an independent backup.
We are only twelve people, does this really apply to us? The retention duties apply from the first invoice, regardless of headcount. A tax auditor does not scale expectations down for small companies; if anything, small companies have less paper to fall back on.
Is OneDrive a backup for our PCs? It is sync, not backup: whatever happens on the PC, deletion or encryption, is mirrored to the cloud within moments. It protects against a lost laptop, not against lost data.
We close the gap between Microsoft's promise and your obligations
We assess what your Microsoft 365 tenant would actually let you recover today, match it against the retention periods that apply to your records, and design a backup setup that fits your size and budget: independent copy, legal retention, tested restores.
Then we run it: monitoring, regular restore tests, and a documented answer for the day a customer, a court or a tax auditor asks for a file from five years ago.