How to Set Up a Business Backup Strategy for Microsoft 365
A practical guide to backing up Microsoft 365 data including Exchange Online, OneDrive, SharePoint, and Teams. Covers the 3-2-1 rule, retention policies, and third-party backup tools.
Overview
Microsoft operates Microsoft 365 infrastructure with high availability and geo-redundancy. However, Microsoft's responsibility ends at platform availability — they do not protect against data loss caused by accidental deletion, malicious insiders, ransomware, or retention policy gaps.
The Microsoft Services Agreement states: "We recommend that you regularly backup Your Content and Data that you store on the Services."
This guide explains what Microsoft protects (and what it does not), and how to build a backup strategy that covers the gaps.
What Microsoft Protects vs. What You Need to Protect
| Risk | Microsoft's Responsibility | Your Responsibility |
|---|---|---|
| Data centre failure | Yes — geo-redundant replication | — |
| Hardware failure | Yes — automatic failover | — |
| Accidental deletion by user | Partial — recycle bin (93 days max) | Yes — long-term recovery |
| Malicious deletion by insider | Partial — recycle bin (if not purged) | Yes — immutable backup |
| Ransomware encrypting files | No — encrypted files sync to cloud | Yes — point-in-time recovery |
| Retention policy gaps | No — data deleted after retention expires | Yes — archive and backup |
| Legal hold / compliance archive | Partial — requires proper configuration | Yes — backup as secondary copy |
| Account compromise + data exfiltration | No | Yes — detection and backup |
The biggest misconception about Microsoft 365 is that "it's in the cloud, so it's backed up." Microsoft guarantees the infrastructure is available — not that your data is recoverable after user error, attack, or policy expiry.
Microsoft 365 Built-In Retention
Before setting up third-party backup, understand what Microsoft retains natively:
| Service | Deleted Item Retention | Recycle Bin | Versioning |
|---|---|---|---|
| Exchange Online | 14 days (recoverable items: 30 days) | 30 days deleted items folder | N/A |
| OneDrive | 93 days recycle bin | Second-stage: 93 days | 500 versions per file |
| SharePoint | 93 days recycle bin | Second-stage: 93 days | 500 versions per file |
| Teams chat | Retained indefinitely (by default) | N/A | N/A |
| Teams files | Backed by SharePoint/OneDrive | Same as SharePoint | Same as SharePoint |
What this means
- If a user deletes an email and empties their Deleted Items, you have 30 days to recover it from the recoverable items folder
- If a user deletes a OneDrive file, you have 93 days to restore from the recycle bin
- After retention expires, the data is permanently gone unless you have a backup
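The recoverable items window is the only thing standing between an emptied Deleted Items folder and permanent loss, so it is worth confirming it is set to the longest value Exchange Online allows. The following PowerShell is an added example, not code from the original guide: it lists every user mailbox whose purged-item retention is still below 30 days and raises it (the Exchange Online default is 14 days and the maximum is 30). It assumes the ExchangeOnlineManagement module is installed and that the account running it holds the Exchange Administrator role.

```powershell
# Added example (not from the original guide): audit how long purged items stay
# in the Recoverable Items folder and extend it to the 30-day maximum.
Connect-ExchangeOnline

$maxRetention = New-TimeSpan -Days 30

# RetainDeletedItemsFor is the window during which "Recover deleted items"
# still works after a user empties Deleted Items.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object DisplayName, UserPrincipalName, RetainDeletedItemsFor

# Cast to [TimeSpan] so the comparison works whether the property arrives as a
# TimeSpan or as its "14.00:00:00" string form
$short = @($mailboxes | Where-Object { [TimeSpan]$_.RetainDeletedItemsFor -lt $maxRetention })

Write-Host ("{0} of {1} mailboxes keep purged items for less than 30 days" -f $short.Count, $mailboxes.Count)
$short | Format-Table DisplayName, UserPrincipalName, RetainDeletedItemsFor -AutoSize

# Extend the window on those mailboxes (remove this loop to run as a read-only audit)
foreach ($mbx in $short) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -RetainDeletedItemsFor $maxRetention
}

# New mailboxes inherit their setting from the mailbox plan, so change that too
Get-MailboxPlan | ForEach-Object {
    Set-MailboxPlan -Identity $_.Identity -RetainDeletedItemsFor $maxRetention
}
```

Run it once as an audit with the two `Set-` loops removed, review the list, then run it again to apply the change. Even at 30 days this is a recovery window, not a backup; it only buys time for the third-party copy described below to capture the data.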
The 3-2-1 Backup Rule
The gold standard for backup strategy:
- 3 copies of your data
- 2 different storage media or locations
- 1 copy offsite or offline (air-gapped)
For Microsoft 365, this translates to:
- Original data in Microsoft 365 (copy 1)
- Third-party backup in a separate cloud (copy 2)
- Offline or immutable copy that ransomware cannot reach (copy 3)
Recommended Third-Party Backup Solutions
| Solution | Backup Coverage | Pricing Model | Best For |
|---|---|---|---|
| Veeam Backup for M365 | Exchange, OneDrive, SharePoint, Teams | Per-user or per-TB | Businesses wanting self-managed backup |
| Datto SaaS Protection | Exchange, OneDrive, SharePoint, Teams | Per-user | MSP-managed environments |
| Acronis Cyber Protect | M365 + endpoint backup in one platform | Per-user | Businesses wanting unified backup |
| Afi Backup | Exchange, OneDrive, SharePoint, Teams | Per-user | Simple, affordable, SMB-focused |
| Barracuda Cloud-to-Cloud | Exchange, OneDrive, SharePoint, Teams | Per-user | Businesses already using Barracuda security |
What to look for in a backup solution
- Point-in-time recovery — restore data to a specific date and time
- Granular restore — recover individual emails, files, or folders (not just full mailboxes)
- Immutable storage — backups that cannot be modified or deleted, even by an admin
- Automated scheduling — backup runs 1-3 times daily without manual intervention
- Cross-tenant restore — restore to a different M365 tenant (important for disaster recovery)
- Compliance retention — configurable retention periods for legal and regulatory requirements
Setting Up Microsoft 365 Retention Policies
While third-party backup is the primary recommendation, you should also configure M365's built-in retention as a first layer of protection.
Create a retention policy for email
- Go to compliance.microsoft.com (Microsoft Purview)
- Navigate to Data lifecycle management > Retention policies
- Click New retention policy
- Name: "Email Retention — 1 Year"
- Choose locations: Exchange mailboxes (all users)
- Retention period: Retain for 1 year, then do nothing (or delete, depending on your policy)
Create a retention policy for OneDrive and SharePoint
- Same portal > New retention policy
- Name: "File Retention — 1 Year"
- Choose locations: OneDrive accounts + SharePoint sites (all)
- Retention period: Retain for 1 year
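The two portal procedures above can also be scripted, which makes the policies reproducible in a second tenant and lets you keep the definition in version control. The following is an added example and not code from the original guide; it creates the same two policies (all Exchange mailboxes, and all OneDrive accounts plus SharePoint sites, each retaining for 365 days and then doing nothing) with the Security & Compliance PowerShell cmdlets. It assumes the ExchangeOnlineManagement module and a Compliance Administrator account; the rule names are my own choice.

```powershell
# Added example (not from the original guide): create the guide's two retention
# policies from PowerShell instead of the Purview portal.
Connect-IPPSSession   # Security & Compliance endpoint (ExchangeOnlineManagement module)

# Policy 1: all Exchange mailboxes, retain 1 year, then do nothing ("Keep")
New-RetentionCompliancePolicy -Name "Email Retention - 1 Year" `
    -ExchangeLocation All -Enabled $true

New-RetentionComplianceRule -Name "Email Retention - 1 Year Rule" `
    -Policy "Email Retention - 1 Year" `
    -RetentionDuration 365 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction Keep

# Policy 2: all OneDrive accounts and all SharePoint sites, retain 1 year
New-RetentionCompliancePolicy -Name "File Retention - 1 Year" `
    -OneDriveLocation All -SharePointLocation All -Enabled $true

New-RetentionComplianceRule -Name "File Retention - 1 Year Rule" `
    -Policy "File Retention - 1 Year" `
    -RetentionDuration 365 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction Keep

# Verify both policies exist and are being distributed to their locations.
# DistributionStatus stays "Pending" for a while after creation; re-run later
# until it reports "Success".
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.Name -like "*Retention - 1 Year" } |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation, OneDriveLocation, SharePointLocation
```

`-RetentionComplianceAction Keep` is the scripted equivalent of "Retain for 1 year, then do nothing"; use `KeepAndDelete` if your policy calls for deletion at the end of the period.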
Litigation hold (for legal preservation)
If you need to preserve all data for legal reasons:
```powershell
# Place a user on litigation hold (requires the ExchangeOnlineManagement module)
Connect-ExchangeOnline

# "user@example.com" is a placeholder for the user's primary SMTP address.
# -LitigationHoldDuration is in days; omit it to hold the mailbox indefinitely.
Set-Mailbox -Identity "user@example.com" -LitigationHoldEnabled $true -LitigationHoldDuration 365
```
Backup Schedule Recommendations
| Data Type | Backup Frequency | Retention |
|---|---|---|
| Exchange mailboxes | 3x daily | 1 year minimum |
| OneDrive files | 3x daily | 1 year minimum |
| SharePoint sites | 3x daily | 1 year minimum |
| Teams chats and channels | 1x daily | 1 year minimum |
| Microsoft Entra ID config | 1x daily | 90 days minimum |
| Conditional Access policies | Weekly export | 1 year |
Export Conditional Access policies (no backup tool needed)
```powershell
# Requires the Microsoft.Graph PowerShell SDK; Policy.Read.All is enough to export
Connect-MgGraph -Scopes "Policy.Read.All"

# -All pages through every policy rather than returning only the first page
$policies = Get-MgIdentityConditionalAccessPolicy -All

# -Depth 10 keeps the nested conditions and grant controls intact in the JSON
$policies | ConvertTo-Json -Depth 10 | Out-File "CA-Policies-Backup-$(Get-Date -Format 'yyyy-MM-dd').json"
```
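A weekly export is most useful when something actually reads it. The following is an added example, not code from the original guide: it loads the newest `CA-Policies-Backup-*.json` file produced by the export above and reports Conditional Access policies that have been added, removed, renamed, switched on or off, or modified since that export, which doubles as a check that an unexpected change (for example, a compromised admin disabling MFA enforcement) gets noticed. It assumes the exports sit in the current directory and that the same Graph SDK and `Policy.Read.All` scope are available.

```powershell
# Added example (not from the original guide): detect Conditional Access drift
# against the most recent JSON export.
Connect-MgGraph -Scopes "Policy.Read.All"

$latestFile = Get-ChildItem -Path . -Filter "CA-Policies-Backup-*.json" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $latestFile) { throw "No CA-Policies-Backup-*.json export found in $(Get-Location)" }

$backup  = Get-Content -Path $latestFile.FullName -Raw | ConvertFrom-Json
$current = Get-MgIdentityConditionalAccessPolicy -All

# A short fingerprint per policy: name, enabled state and last-modified time (UTC).
# ModifiedDateTime changes on any edit, so a content diff is not needed here.
function Get-PolicyFingerprint($Policy) {
    $modified = ([datetime]$Policy.ModifiedDateTime).ToUniversalTime().ToString("o")
    "{0}|{1}|{2}" -f $Policy.DisplayName, $Policy.State, $modified
}

$backupById  = @{}; foreach ($p in $backup)  { $backupById[$p.Id]  = $p }
$currentById = @{}; foreach ($p in $current) { $currentById[$p.Id] = $p }

$report = foreach ($id in (@($backupById.Keys) + @($currentById.Keys) | Sort-Object -Unique)) {
    $old = $backupById[$id]; $new = $currentById[$id]
    if (-not $old) {
        [pscustomobject]@{ Change = "Added";   Policy = $new.DisplayName; State = $new.State }
    } elseif (-not $new) {
        [pscustomobject]@{ Change = "Removed"; Policy = $old.DisplayName; State = $old.State }
    } elseif ((Get-PolicyFingerprint $old) -ne (Get-PolicyFingerprint $new)) {
        [pscustomobject]@{ Change = "Modified"; Policy = $new.DisplayName; State = $new.State }
    }
}

if ($report) {
    Write-Warning "Conditional Access policies changed since $($latestFile.Name):"
    $report | Format-Table -AutoSize
} else {
    Write-Host "No Conditional Access policy drift since $($latestFile.Name)"
}
```

Schedule it alongside the weekly export and treat any "Removed" or "Modified" line that nobody can account for as an incident to investigate, not just a backup to refresh. To restore a policy from the export, recreate it with `New-MgIdentityConditionalAccessPolicy` from the saved JSON in report-only mode first, then verify before enabling it.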
Testing Your Backups
A backup that has never been tested is not a backup. Schedule quarterly restore tests:
Test 1: Recover a single email
- Delete a test email from a user's mailbox
- Empty the Deleted Items and wait for the recoverable items window to expire
- Restore the email from your third-party backup
- Verify the email is intact (subject, body, attachments)
Test 2: Recover a OneDrive folder
- Delete a test folder from OneDrive
- Empty the recycle bin
- Restore the folder from backup
- Verify all files are present and not corrupted
Test 3: Full mailbox recovery
- Create a test user
- Simulate a mailbox loss (remove the licence)
- Restore the full mailbox from backup to a new user
- Verify all emails, folders, and calendar items are recovered
Document each test result and keep the records for compliance audits. CMMC, SOC 2, and ISO 27001 all require evidence that backups are tested regularly.
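The verify step in Test 2 ("all files are present and not corrupted") is easy to do by eye on three files and impossible on three hundred, and the audit record in the last paragraph is easier to produce if the test writes it. The following script is an added example, not code from the original guide: run it in `record` mode before you delete the test folder to capture a SHA-256 manifest, perform the deletion and restore in your backup tool, then run it in `verify` mode to compare the restored folder against the manifest and append a PASS/FAIL row to a CSV log. The folder path, file names and the tester field are placeholders.

```powershell
# Added example (not from the original guide): verify a restored OneDrive test
# folder against a hash manifest and log the result for audit evidence.
# Save as Test-RestoreFolder.ps1 and run with -Mode record, then -Mode verify.
param(
    [ValidateSet("record", "verify")] [string]$Mode = "record",
    [string]$Folder   = "$env:OneDrive\RestoreTest",      # placeholder test folder
    [string]$Manifest = ".\restore-test-manifest.csv",    # hashes captured before deletion
    [string]$Log      = ".\restore-test-log.csv"          # one row per restore test
)

function Get-FolderManifest([string]$Root) {
    # Resolve to an absolute path so relative paths are computed correctly
    $rootFull = (Resolve-Path -Path $Root).Path.TrimEnd('\')
    Get-ChildItem -Path $rootFull -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            Length       = $_.Length
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

if ($Mode -eq "record") {
    # Before the test: capture what "intact" looks like
    Get-FolderManifest $Folder | Export-Csv -Path $Manifest -NoTypeInformation
    Write-Host "Recorded manifest for $Folder to $Manifest"
    return
}

# After the restore: compare every expected file's hash with what came back
$expected = @(Import-Csv -Path $Manifest)
$actual   = @(Get-FolderManifest $Folder)
$actualByPath = @{}; foreach ($f in $actual) { $actualByPath[$f.RelativePath] = $f }

$missing = @($expected | Where-Object { -not $actualByPath.ContainsKey($_.RelativePath) })
$corrupt = @($expected | Where-Object {
    $actualByPath.ContainsKey($_.RelativePath) -and
    $actualByPath[$_.RelativePath].Sha256 -ne $_.Sha256 })
$passed  = ($missing.Count -eq 0 -and $corrupt.Count -eq 0)

# One row per test; the CSV is the record you keep for CMMC / SOC 2 / ISO 27001
[pscustomobject]@{
    Date        = Get-Date -Format "yyyy-MM-dd HH:mm"
    Test        = "Test 2: OneDrive folder restore"
    Folder      = $Folder
    FilesTested = $expected.Count
    Missing     = $missing.Count
    Corrupt     = $corrupt.Count
    Result      = if ($passed) { "PASS" } else { "FAIL" }
    Tester      = $env:USERNAME
} | Export-Csv -Path $Log -NoTypeInformation -Append

if (-not $passed) {
    $missing | ForEach-Object { Write-Warning "Missing after restore: $($_.RelativePath)" }
    $corrupt | ForEach-Object { Write-Warning "Hash mismatch after restore: $($_.RelativePath)" }
}
Write-Host "Restore test $(if ($passed) { 'PASSED' } else { 'FAILED' }); result appended to $Log"
```

The same record/verify pattern works for Test 1 and Test 3 if you export the mailbox contents to PST before and after and hash the exported files; keep the manifest outside the folder under test so it is not deleted along with it.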
Disaster Recovery Scenarios
| Scenario | Recovery Method | Expected Recovery Time |
|---|---|---|
| User accidentally deletes a file | OneDrive recycle bin or backup restore | Minutes |
| User's mailbox corrupted by sync issue | Third-party backup point-in-time restore | 30 minutes |
| Ransomware encrypts OneDrive files | Backup restore to pre-encryption point | 1-4 hours |
| Disgruntled employee deletes everything | Third-party backup full restore | 2-8 hours |
| Entire tenant compromised | Cross-tenant restore to new M365 tenant | 1-3 days |
| Legal discovery request | Litigation hold + backup search | Varies |
Next Steps
- Evaluate and deploy a third-party M365 backup solution
- Configure retention policies in Microsoft Purview as a first layer
- Schedule quarterly backup restore tests
- Document your backup and recovery procedures in a runbook
- Review your cyber insurance policy — many require documented backup procedures