Why Microsoft 365 does not back up your data natively
All dispatches
Backups and Business Continuity27 Aug 20257 min read

Why Microsoft 365 does not back up your data natively

🐑
Rodney
Head of Tech Realism · Black Sheep Support
Share this dispatch

For many UK SMEs, the transition to Microsoft 365 (M365) feels like a digital safety net. You move your emails to Exchange Online, your documents to SharePoint, and your collaboration to Teams, operating under the assumption that because your data is in the "cloud," it is inherently protected. However, this is one of the most dangerous misconceptions in modern IT. While Microsoft provides world-class infrastructure and high availability, they do not provide a comprehensive backup of your data. If you accidentally delete a vital client contract, suffer a ransomware attack, or have a disgruntled employee wipe their mailbox, the "native" tools provided by Microsoft are often insufficient to recover that data. As a UK-based managed IT provider, we see this gap in understanding lead to catastrophic data loss far too often. This guide explores the "Shared Responsibility Model," the limitations of M365’s native recovery tools, and why an independent, third-party backup is the only way to ensure your business continuity.

Understanding the Shared Responsibility Model

The fundamental misunderstanding stems from a confusion between service uptime and data protection. Microsoft operates under a Shared Responsibility Model. In this model, Microsoft is responsible for the cloud infrastructure—the servers, the data centres, and the uptime of the platform itself. They guarantee that the service will be available for you to use.

However, you, the customer, are responsible for the data that lives within that infrastructure. Microsoft’s Service Level Agreement (SLA) is designed to ensure the service is running, not to guarantee that your specific files or emails are retrievable after a human error or a cyber attack. If your data is corrupted or deleted, Microsoft generally considers that a user-side issue. They provide tools to help with short-term recovery, but these are not backups in the industry-standard sense of the word.

The Illusion of the Recycle Bin: Why Native Tools Fail

Many businesses rely on the M365 Recycle Bin or "Version History" as their de facto backup strategy. While these features are useful for recovering a file you deleted five minutes ago, they are not a substitute for a true backup solution.

The Problem with Retention Policies

Microsoft’s native retention policies are often misunderstood. They are designed to manage data lifecycle—keeping items for a set period before purging them to save space—not to protect against accidental or malicious loss.

  • Time-Limited Recovery: Once an item is purged from the Recycle Bin, it is gone forever.
  • Administrative Overwrite: If a malicious actor gains access to your admin account, they can easily change retention policies or delete backups, effectively wiping your data across the entire tenant.
  • Granular Restoration: Native tools often lack the ability to restore specific items to a point in time. If a user deletes a folder containing thousands of emails, restoring that data to its original state using native tools can be a complex, time-consuming, and often incomplete process.

The Threat Landscape: Why UK SMEs are Targets

Cyber security is not just a concern for multinational corporations; UK SMEs are increasingly the primary targets for cybercriminals. Phishing attacks, business email compromise (BEC), and ransomware are daily threats.

Ransomware and M365

Ransomware has evolved. It no longer just targets your local PC; it targets your cloud environment. If a user on your network syncs their OneDrive to a laptop that becomes infected with ransomware, that malware can sync the encrypted, "locked" versions of your files back to the cloud, overwriting your clean versions in SharePoint or OneDrive.

Compliance and the ICO

Under the UK GDPR and the Data Protection Act 2018, you are legally responsible for the personal data you hold. If you suffer a data breach or lose access to sensitive customer information because you lacked a proper backup, the Information Commissioner’s Office (ICO) may hold you accountable. Relying on "Microsoft has it covered" is not a valid defence in the eyes of a regulator. Demonstrating that you have robust, independent backups is a key component of proving you have taken "appropriate technical and organisational measures" to secure personal data.

Cyber Essentials and Best Practice

The UK government-backed Cyber Essentials scheme is the gold standard for SME cyber security. One of the core pillars of this certification is the maintenance of secure, reliable backups.

Why Third-Party Backups are Non-Negotiable

To meet the rigorous standards of Cyber Essentials and ensure genuine business continuity, you need a solution that is:

  1. Immutable: The backup must be stored in a way that cannot be altered or deleted by a hacker, even if they gain admin credentials.
  2. Air-Gapped: Your backup should ideally reside on a different platform than the production data. If Microsoft’s service goes down or your tenant is compromised, your backup remains safe and accessible.
  3. Automated and Frequent: Manual backups are prone to human error. A professional solution should run automatically, multiple times a day, without intervention.
  4. Easily Restorable: You should be able to perform a point-in-time restore, allowing you to "rewind" your SharePoint or Exchange environment to the state it was in an hour before a disaster occurred.

How to Build a Resilient Recovery Strategy

A robust backup strategy is not a "set and forget" task. It requires a structured approach that aligns with your business's Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

1. Audit Your Data

Identify which data is business-critical. While emails are obvious, don't overlook Teams chats, Planner tasks, and SharePoint site metadata.

2. Implement an Independent Backup Solution

Use a dedicated M365 backup tool that provides an "off-tenant" copy of your data. This ensures that even if your primary M365 environment is locked out or compromised, your data exists in an independent, secure repository.

3. Test Your Restores

A backup is only as good as its last successful restore. We recommend that SMEs conduct "recovery drills" at least twice a year. Try to restore a folder or a mailbox to ensure the process works as expected and that your team knows how to execute it under pressure.

4. Enforce Multi-Factor Authentication (MFA)

Backups protect your data, but MFA protects your access. Ensure that all administrative accounts—especially those with the power to modify backup settings—are protected by robust, hardware-based or app-based MFA.

Key Takeaways

  • Microsoft is not responsible for your data: They provide the infrastructure, but you are the custodian of the content.
  • Native tools are not backups: Recycle bins and retention policies are designed for data management, not disaster recovery.
  • Ransomware is a cloud threat: Syncing services can propagate encrypted files, effectively destroying your cloud data.
  • Compliance is mandatory: UK GDPR requires you to protect personal data; a lack of backups can lead to regulatory scrutiny from the ICO.
  • The "3-2-1" Rule: Maintain at least three copies of your data, on two different media types, with one copy kept off-site (or in this case, off-platform).
  • Test, test, test: A backup that hasn't been tested is merely a hope. Verify your recovery capability regularly to ensure business continuity.

Protecting your digital assets is a fundamental requirement for any modern UK business. By moving beyond the false sense of security provided by native M365 tools and implementing a professional, third-party backup strategy, you secure your business against the inevitable risks of the digital age.

To take the next step

Book a Discovery Call

Back to all dispatchesEnd of Intelligence · BSS Digital Dispatch

Related dispatches

The 3-2-1 backup rule for modern businesses
Backups and Business Continuity

The 3-2-1 backup rule for modern businesses

# The 3-2-1 backup rule for modern businesses For UK SMEs looking to stay ahead in the modern workplace, understanding backups and business continuity is funda...

Immutable backups explained in plain English
Backups and Business Continuity

Immutable backups explained in plain English

# Immutable backups explained in plain English For UK SMEs looking to stay ahead in the modern workplace, understanding backups and business continuity is fund...

How often should an SME test its disaster recovery plan?
Backups and Business Continuity

How often should an SME test its disaster recovery plan?

# How often should an SME test its disaster recovery plan? For UK SMEs looking to stay ahead in the modern workplace, understanding backups and business contin...