In this article we look at the need for data protection in Microsoft 365 – what Microsoft is responsible for – and what your organization is responsible for.

Native Data Resiliency

As any capable cloud service, Microsoft takes the availability of customers data in M365 very seriously. As previously mentioned, Exchange mailboxes have four copies, three up to date ones and a fourth, lagged copy (up 24 hours behind).

This last copy is used in case of a systemic corruption of the other three copies. These four copies are distributed across at least two datacenters. All of this is handled automatically by the system and not something end users will notice.

SharePoint and OneDrive for Business storage similarly relies on data being stored in two separate Azure regions – a write will only be considered completed if it’s successfully written to both regions. And the underlying storage uses AppendOnly, ensuring that earlier data can’t be corrupted or encrypted by an attacker.

This versioning also allows the restore of previous versions of files.

Sounds good right? Microsoft clearly takes steps to protect my data, so I don’t have to worry about it? Not so fast – everything described above is about data resiliency, and high availability of your data. What it doesn’t provide, outside of some limited options, is backup of your data.

Backup are copies of your production data, in a separate system, that’s regularly (every hour, every day) copied from production data to the backup location. This provides the following features:

  • The ability to “go back in time” and restore emails / documents / mailboxes / sites to a previous point in time – either to a production location, or a separate export location.
  • The ability to access your production data in case of a catastrophic failure or outage of services in Microsoft 365.

In other words, data resiliency / high availability is not the same as backup. They’re related but serve different purposes. Depending on your business needs or which compliance regulations you must comply with, you may need both.

Let’s cover your native options for restoring earlier versions of data. With Exchange items (emails, contacts, calendar appointments), when they’re deleted you can recover them from the Outlook Deleted Items folder.

They’re kept there indefinitely unless you change the policy in your tenant. If they’re deleted from the Deleted Items folder, you can recover them for up to 14 days from the Recoverable Items hidden folder.

You’ll need to train your users how to do this themselves, or make sure your helpdesk team is prepared to assist on a regular basis as the user interface isn’t exactly intuitive.

In SharePoint / OneDrive for Business deleted documents are kept by default for 93 days, first in a user accessible recycle bin, and if they’re purged from there, in an administrator accessible recycle bin.

Again, the restore process for a document deleted by mistake isn’t straightforward so some training will be required.

To alter the defaults, you can use Retention Policies to keep items for longer (they’re available for restore, even if users delete them out of their Deleted Items folder), these can be applied to both Exchange and SharePoint data.

For Exchange you also use In-Place and Litigation Holds for select mailboxes to manage retention.

365 Total Backup

If you’re looking to alleviate the challenges with using the built in data protection features as a recovery solution, Hornetsecurity provides a comprehensive M365 backup and recovery solution 365 Total Backup or as part of 365 Total Protection Compliance & Awareness.

This protects mailboxes, Teams Chat, OneDrive for Business storage, SharePoint sites, plus Windows endpoints. It’s simple to set up and provides comprehensive protection across your entire tenant.

To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services:

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.


In summary, while Microsoft 365 ensures data resiliency, other backup substitutes exist. Backup solutions offer crucial benefits like restoring data to previous states and accessing data during outages. Consider options like Hornetsecurity’s 365 Total Backup for comprehensive protection.


Does Microsoft 365 have a backup?

Microsoft 365 provides basic data retention features but doesn’t offer a comprehensive backup solution (although one is in preview from Microsoft at this time). While it retains deleted items for a limited time, a dedicated backup strategy is recommended for robust data protection.

How do I set up a Microsoft 365 backup?

To set up a Microsoft 365 backup:

  • Consider third-party backup solutions like Hornetsecurity.
  • Select a solution that aligns with your backup needs.
  • Follow the provider’s instructions to configure and schedule backups.

How do I backup my OneDrive in Microsoft 365?

To backup your OneDrive in Microsoft 365:

  • Choose a backup solution compatible with OneDrive.
  • Install and configure the selected backup tool.
  • Set up backup policies, including frequency and retention.
  • Monitor and verify backups to ensure data integrity.