"Microsoft 365 Is Not a Backup: What Microsoft Protects, and What Is Your Problem"
11 July 2026 · 6 min read
"Everything is in the cloud, Microsoft takes care of it." We hear that sentence on almost every audit, and it is true exactly halfway. Microsoft really does take care of its infrastructure: the servers are redundant, the service is available, and a hardware failure will not cost you data. But content falls under the shared responsibility model, which Microsoft documents openly: the platform is their concern, your data is yours. Service availability and the survival of your data are two different things, and the subscription only buys the first one.
What the built-in options can really do
Microsoft 365 has a recycle bin, versioning, and retention policies, and for everyday mishaps that is perfectly adequate. A deleted file comes back from the bin, an overwritten document from a previous version. The problem begins when the scenario is not everyday:
- Windows expire: the recycle bin and library restore options work within limited time windows, measured in weeks and months. If a deletion is noticed later than that, the data is gone. And deletions nobody noticed in time are, in our experience, the most common case.
- Retention is not backup: a retention policy keeps what you tell it to keep, under rules someone has to configure correctly. A misconfigured policy looks identical to a correct one, right up until the day you need it.
- A stolen account deletes legitimately: an attacker with admin access can empty SharePoint, delete users, and shorten retention, and the system will dutifully execute all of it, because from the platform's point of view an authorized user is doing it. The same goes for a disgruntled employee on their way out.
- Ransomware syncs: if ransomware encrypts files on a laptop, OneDrive will faithfully sync the encrypted versions to the cloud. Versioning often helps here, but recovering thousands of files through the built-in options is a slow and uncertain process with no guaranteed outcome.
What an independent tenant backup means
An independent backup of a Microsoft 365 environment means a copy that lives outside the tenant itself: Exchange mail, SharePoint, OneDrive, and Teams data copied regularly to separate storage, with its own retention that you define, and with granular restore, from a single email to an entire site. The key property: a compromised account inside the tenant cannot reach that copy. This brings M365 up to the same standard that has always applied to servers, because data that exists in only one place is not protected, no matter that the place carries a Microsoft logo.
How to check where you stand
Three questions for a quick self-assessment. First: if someone deletes an entire SharePoint site today and you notice in six months, can you get it back? Second: who last reviewed your retention policies, and when? Third: how long would it take to restore the complete mailbox of a key person? If the answer to any of these is "I don't know", you are relying on an assumption, not on protection.
The bottom line
Microsoft 365 is an excellent service and nothing in this article says otherwise. But the subscription buys platform availability, not a guarantee that your data will survive human error, malice, or a badly configured policy. That requires an independent backup, just as it always has for servers.
INTO MSP sets up independent M365 tenant backup for its clients, with defined retention and tested restores. If you do not know what your tenant would survive today, get in touch for a review.
Want this handled, without the drama?
INTO MSP runs security, backup and IT for small and mid-size companies. Step one is a short, no-obligation review.
Backup & Disaster Recovery → Contact