Ask most business owners whether their email and files are backed up, and the answer is a confident "yes, it is all in Microsoft 365." That confidence is where the trouble starts. Microsoft keeps the service running. Recovering your data when something goes wrong inside your own tenant is, to a surprising degree, your job.
This is not a flaw in Microsoft 365, and it is not a reason to distrust the cloud. It is a line of responsibility that most people have simply never had explained to them. Here is where that line sits and what it means for you.
The shared-responsibility model
Cloud providers operate on what they call a "shared responsibility model," and it is worth understanding in one sentence: the provider is responsible for keeping the platform running, and you are responsible for what happens to your data inside it.
In practice, Microsoft takes care of the things only Microsoft can: keeping the service online, replicating it across datacentres so a hardware failure does not lose your mailbox, and protecting the underlying infrastructure. What Microsoft does not do is protect you from yourself and from attackers operating inside your tenant: an employee who deletes the wrong folder, a compromised account that wipes a mailbox, ransomware that encrypts your files, or a retention setting that quietly lets old data age out. Microsoft's own guidance points customers to consider third-party backup for exactly this reason.
What Microsoft 365 does protect
To be fair, the platform is not defenceless. It gives you real, useful safety nets:
- Infrastructure resilience. Your data is replicated across multiple datacentres, so a physical failure at Microsoft's end will not lose it.
- Recycle bins and version history. Deleted items and previous versions of files can be recovered, but only for a limited window, typically measured in weeks to a few months.
- Retention and hold policies. With the right licensing and configuration, you can retain or legally hold data for longer.
These are genuinely helpful. They are also short-term, configuration-dependent, and not designed to be a true point-in-time backup you can roll back to.
Where the gaps are
The trouble is that the most common ways a small business loses data all live in the space Microsoft leaves to you:
- Deletion that outlives the recycle bin. A folder deleted by mistake and noticed months later may be past the recovery window and simply gone.
- Malicious or compromised-account deletion. A disgruntled leaver or an attacker in a hijacked account can delete mailboxes and files deliberately.
- Ransomware. Because OneDrive and SharePoint sync files, encryption on one machine can propagate into the cloud copies too.
- Misconfigured retention. Many businesses believe they have long-term retention set up and discover, at the worst moment, that they never did.
- Offboarding. Remove a departed employee's licence without preserving their mailbox and files first, and that data can disappear after a grace period, exactly the risk in our guide to onboarding and offboarding.
Native tools versus a real backup
The native recycle bins, versioning, and retention policies are your first line, and every business should at least configure them properly. But they are not the same as a backup. A dedicated third-party Microsoft 365 backup keeps an independent copy of your mail, files, SharePoint, and Teams data, held separately from your tenant, with long or indefinite retention and the ability to restore a specific item to how it looked on a specific day. Crucially, because it sits outside your tenant, it survives the one scenario native tools cannot fully cover: someone with full control inside your Microsoft 365 turning destructive.
So, do you actually need one?
Honestly, not every business needs to buy a third-party backup on day one, and we are not going to pretend otherwise. But every business should make the decision on purpose instead of by assumption. Lean towards a proper backup when any of these is true:
- Your email and files effectively are the business, and losing weeks of them would be serious.
- You handle regulated or client data with retention obligations.
- You have had close calls already, or you have staff turnover where offboarding gets rushed.
- A cyber-insurance policy or a customer contract expects tested, recoverable backups.
If none of those apply yet, at the very least configure your native retention deliberately and revisit the question as you grow. The goal is a conscious choice, not a comfortable assumption.