Why Microsoft 365 Backup Still Matters for Small Businesses
Microsoft replicates your tenant - they do not back it up. A practical look at why SMBs still need third-party Microsoft 365 backup, and what to protect first.
One of the most common assumptions we run into during Microsoft 365 assessments in Ottawa and Toronto is that Microsoft handles the backups. The mailbox is in the cloud, OneDrive syncs everywhere, SharePoint has version history - so the data must be safe. It is a reasonable-sounding assumption and it is wrong in the specific ways that matter most during an incident.
Microsoft replicates your tenant across datacentres so the service stays online. That is infrastructure availability, not data protection. The Microsoft Services Agreement is explicit: protecting your data from accidental deletion, malicious deletion, ransomware and long-term retention loss is your responsibility. For an SMB without a third-party backup product, that responsibility is usually unowned.
What Microsoft actually protects - and what it does not
Microsoft 365 includes some native recovery features. Deleted Items keeps mail for 30 days. SharePoint and OneDrive have a 93-day recycle bin. Retention policies can extend mailbox recovery further. These are useful for small mistakes - the file someone deleted yesterday, the email moved to the wrong folder.
They do not cover the scenarios that actually take SMBs offline: a finance user's mailbox that was compromised and selectively emptied three months ago, a SharePoint site that a leaving employee wiped before their account was disabled, a Teams channel deleted by an admin who thought it was unused, or a ransomware-driven encryption sweep across OneDrive folders. By the time anyone notices, the native recycle bins have rolled over.
What a real Microsoft 365 backup covers
- Exchange Online mailboxes including shared mailboxes, archive mailboxes and calendar items
- OneDrive for Business with full version history and folder structure
- SharePoint Online sites, lists, libraries and permissions metadata
- Microsoft Teams chats, channel posts, files and meeting recordings
- Group and Planner data tied to Microsoft 365 Groups
- Granular point-in-time restore with item-level recovery, not just full-tenant rollback
Three real-world scenarios we see every quarter
First: the departing employee who tidies up. A salesperson resigns, has two weeks of notice, and during that period deletes their OneDrive history, clears sent items and removes attachments from shared channels. By the time the new account owner inherits the data, the 93-day retention has been quietly running against them.
Second: the compromised mailbox. An attacker gets into a controller's account through a stolen session token, sets up inbox rules to hide replies, and forwards invoice threads externally for a month. After the breach is identified, the security team needs to reconstruct exactly which messages were touched - which means restoring point-in-time mailbox snapshots from before the compromise.
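The reconstruction step above, shown as an added example (not code from the original post or from any backup vendor): a pre-compromise mailbox snapshot is compared against the current mailbox state to list messages that were deleted, moved by an inbox rule, modified, or newly created during the intrusion window. The Message records and both mailbox listings are constructed sample data; a real run would export them from the backup restore point and from the live mailbox.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    # One mailbox item, keyed by its RFC 5322 Message-ID; body_hash is assumed to
    # be a digest of the normalised body taken at export time.
    message_id: str
    folder: str
    subject: str
    body_hash: str

def diff_mailbox(snapshot, current):
    """Compare a point-in-time snapshot with the live mailbox.

    Returns a dict of sorted Message-ID lists:
      deleted  - present in the snapshot, gone from the mailbox
      moved    - same item, different folder (typical of a hiding inbox rule)
      modified - same item, body digest changed
      new      - present only in the live mailbox (e.g. sent by the intruder)
    """
    before = {m.message_id: m for m in snapshot}
    after = {m.message_id: m for m in current}
    report = {"deleted": [], "moved": [], "modified": [], "new": []}
    for mid, old in before.items():
        live = after.get(mid)
        if live is None:
            report["deleted"].append(mid)
            continue
        if live.body_hash != old.body_hash:
            report["modified"].append(mid)
        if live.folder != old.folder:
            report["moved"].append(mid)
    report["new"] = [mid for mid in after if mid not in before]
    return {k: sorted(v) for k, v in report.items()}

# Constructed sample data: the controller's mailbox before and after the compromise.
SNAPSHOT = [
    Message("<inv-1001@supplier.example>", "Inbox", "Invoice 1001", "h-aaa"),
    Message("<inv-1002@supplier.example>", "Inbox", "Invoice 1002", "h-bbb"),
    Message("<re-1001@supplier.example>", "Inbox", "RE: Invoice 1001", "h-ccc"),
]
CURRENT = [
    Message("<inv-1001@supplier.example>", "Inbox", "Invoice 1001", "h-aaa"),
    # Reply hidden by an inbox rule that files it into a rarely opened folder.
    Message("<re-1001@supplier.example>", "RSS Feeds", "RE: Invoice 1001", "h-ccc"),
    # Message the account owner never wrote, found in Sent Items.
    Message("<notice-77@attacker.example>", "Sent Items", "Updated remittance details", "h-ddd"),
]

if __name__ == "__main__":
    for category, ids in diff_mailbox(SNAPSHOT, CURRENT).items():
        print(f"{category}: {ids}")
```

The output is the list of items an investigator then restores or reviews individually, which is only possible if a snapshot from before the compromise still exists.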
Third: ransomware via OneDrive sync. A user opens a malicious file on an unmanaged personal device that shares the same OneDrive account. Encrypted versions sync up; the cloud retains version history, but only for files with version chains that have not been exhausted by repeated encryption passes. A third-party backup catches the pre-encryption state cleanly.
Retention and compliance: the regulatory angle
PIPEDA, industry-specific regulations and most cyber insurance policies expect demonstrable data protection - not just service availability. "Microsoft handles it" is no longer an answer that satisfies an auditor or an insurer. We have seen renewals in Ontario delayed or repriced because the SMB could not show a third-party M365 backup with documented retention periods.
If your business operates in healthcare, legal, finance or any environment that handles client records, plan for at least seven years of mail retention and three to seven years of SharePoint/OneDrive depending on the data class. Native Microsoft retention can do parts of this; backup adds the recoverability layer.
What we recommend for SMBs
- Use a dedicated M365 backup product (Veeam, Datto, Keepit, or similar) - not just retention policies
- Keep at least one immutable copy that an admin cannot delete on a bad day
- Run a documented restore drill every quarter - mailbox, SharePoint site and OneDrive folder
- Define retention by data class: short for general mail, long for finance and HR
- Make sure backups survive a full tenant compromise - separate identity, separate billing
Bottom line
Microsoft 365 backup is not glamorous and it is not expensive. The reason most SMBs skip it is that nothing has gone wrong yet. The reason every MSP we respect insists on it is that when something does go wrong, the conversation is no longer about whether you have backups - it is about how quickly you can prove a clean restore.