
Microsoft 365 backup is not bundled into any Microsoft 365 subscription. What Microsoft bundles instead is retention: it holds deleted items for a defined window, replicates data across data centres, and protects the platform from its own failures. None of that is the same as backup. If a user empties a deleted-items folder, ransomware encrypts SharePoint files, or an admin deletes the wrong site collection, retention alone may not be enough to bring the data back.
Microsoft does sell a first-party backup product called Microsoft 365 Backup, launched in 2024 and priced per gigabyte stored per month. Most UK SMEs we work with use a third-party backup tool instead because the per-GB pricing scales unpredictably and the feature set is narrower than the established backup market. Either way, the gap below is real: retention by itself does not give you point-in-time recovery.
Where the confusion comes from
Microsoft publishes a shared-responsibility model that splits ownership between platform and customer. Microsoft owns availability and infrastructure. The customer owns the data, the configuration, and the recovery of that data when something goes wrong on the customer’s side.
Most businesses read “the cloud” as “they handle backup”. They do not.
Retention vs backup
Retention is a holding pattern for items that have been deleted or modified, kept for a defined period inside Microsoft 365. Backup is an independent copy of your data, stored outside the live platform, that can be restored to a point in time.
The difference matters when something larger than a single deletion goes wrong.
| Scenario | Retention covers it | Backup covers it |
| --- | --- | --- |
| User deletes a single email | Yes, within retention window | Yes |
| User empties deleted items | Sometimes, depending on policy | Yes |
| Ransomware encrypts OneDrive files | Limited, version history may help | Yes |
| Admin deletes a SharePoint site | Limited, 93-day recovery window | Yes |
| Departing employee mailbox archived | Yes, with policy in place | Yes |
| Restore to a specific point in time | No | Yes |
| Restore Teams chat history | Limited | Yes |
| Recover after a full tenant compromise | No | Yes |
Retention buys you a window. Backup gives you a copy.
What Microsoft does and does not back up
Microsoft replicates your data across multiple data centres for availability. That protects against hardware failure and regional outages. It does not protect against data your business has deleted, encrypted or corrupted.
The native recycle bins and retention policies are useful, and you should configure them. They are not designed to replace a backup. They will not help you restore last Tuesday’s version of a SharePoint site, roll Teams back to a known clean state after a ransomware event, or recover a mailbox after a long-deleted account has aged out of retention.
The NCSC Small Business Guide on backing up data is unambiguous on the principle: keep an independent copy of important data, and test that you can restore it.
Where Microsoft 365 Backup the product sits
Microsoft launched Microsoft 365 Backup in 2024 as its own paid backup product and built it directly into the Microsoft admin centre. It covers Exchange, OneDrive and SharePoint, restores items and full sites, and bills storage per gigabyte each month on top of the existing subscription.
Two trade-offs decide whether it suits a UK SME. First, the per-GB pricing is unpredictable for businesses with growing storage estates, where third-party tools usually price per user. Second, the backups sit inside the same Microsoft tenant boundary as the live data, which keeps things convenient but means the backup is not stored outside the blast radius of a major tenant-level incident. Neither trade-off is a deal-breaker. Both are worth knowing before you choose.
What good Microsoft 365 backup looks like
A real Microsoft 365 backup covers Exchange Online, OneDrive, SharePoint and Teams, retains data for a period that suits your business, and supports point-in-time restore at item, folder and site level.
Three operational details separate good from average.
Restore granularity
Can you restore a single email, a specific OneDrive folder, or a SharePoint site as it was on a Tuesday last month? If the answer is “we can restore the whole mailbox”, that is not enough for most real incidents.
Test restores
You cannot trust a backup until you have restored it successfully. Test restores at least quarterly on a sample of data.
Independent credentials and storage
The backup admin account should not share credentials with day-to-day Microsoft 365 admins, and backup data should sit outside the same blast radius as the live tenant. This is the test Microsoft 365 Backup the product does not pass on its own; a third-party tool with separate storage usually does.
This is the same principle we applied in our ransomware downtime guide and our incident response plan template. Backup is the layer that turns a bad week into a recoverable one.
When retention is enough
For some SMEs, retention covers most realistic scenarios. A small team with limited turnover, no regulated data, a stable Microsoft 365 footprint and a clear retention policy may not need third-party backup as a day-one priority.
That changes quickly. Once a business takes on regulated data, hits 20+ users, holds anything an attacker would consider valuable, or carries client contracts that require a documented recovery plan, retention alone becomes a thin layer to rely on.
A short readiness check
Three questions to ask:
- If a user deleted everything in their OneDrive a year ago, could we restore it today?
- If ransomware encrypted our SharePoint sites tomorrow, what would we use to restore them?
- When did we last test a restore on a non-trivial item?
If the answers are “probably not”, “I am not sure”, and “we have not”, retention is doing the work that backup should be doing.
Close the gap before you need to use it
Microsoft 365 retention is a useful tool. It is not a recovery strategy. The businesses we see recovering well from ransomware, mass deletion and account compromise are the ones that closed this gap before they needed to.
If you would like us to check what your current Microsoft 365 setup can restore, book a Microsoft 365 backup gap assessment and we will produce a one-page recovery map covering Exchange, OneDrive, SharePoint and Teams.
