No — Microsoft protects the infrastructure, and you own the data. Microsoft 365 keeps the service running, replicates your content across datacentres, and holds deleted items for a limited window. It does not take a restorable, long-term backup of your mailboxes, files or Teams content. Under Microsoft's shared responsibility model, that job belongs to the customer.
This is not a gotcha, and it is not Microsoft cutting corners. Shared responsibility is standard practice across every major cloud platform: the provider secures and operates the service, and the customer remains responsible for their own data, identities and configuration. Microsoft is unusually direct about it. The Microsoft Services Agreement recommends that customers regularly back up their content and data using third-party apps and services. This guide covers what that means in practice for an Australian business on Microsoft 365.
What does Microsoft actually protect?
Microsoft's side of the bargain is availability and integrity of the platform. Your Exchange mailboxes, SharePoint sites and OneDrive accounts are replicated across multiple datacentres, so a hardware failure or a datacentre outage on Microsoft's side should never lose your data. Microsoft also carries responsibility for the physical security of its facilities, the health of the service, and honouring the uptime commitments in its service level agreement.
What replication does not protect against is the customer-side failure modes that cause almost every real-world data loss: a user deleting a folder and not noticing for four months, a departing employee emptying their mailbox on the way out, a misconfigured retention policy quietly purging content, a sync error propagating deletions, or ransomware encrypting files through a compromised account. In every one of those cases, Microsoft's replication faithfully copies the damage to every datacentre within minutes. Replication keeps data available. It does not keep data recoverable.
How long does deleted Microsoft 365 data survive?
Microsoft 365 does give you native recovery windows, and for everyday oops-moments they work well. The catch is that every window is finite, and once it closes, the data is gone for good unless something else was holding a copy. The key numbers:
- SharePoint and OneDrive files: 93 days in the recycle bin, spanning the first-stage (user) and second-stage (site collection) bins combined. Day 94, permanent deletion.
- Exchange Online deleted items: 14 days by default once an item leaves the Deleted Items folder, extendable to a maximum of 30 days by an administrator.
- Deleted mailboxes: when a user account is deleted, the mailbox sits in a soft-deleted state for 30 days before permanent removal.
- A departed user's OneDrive: retained for 30 days by default after the account is deleted (configurable up to 10 years), after which it moves through the recycle bin process and is purged.
- Version history: SharePoint and OneDrive keep prior file versions (500 by default), which helps against bad edits and some ransomware, but versions are deleted along with the file.
Notice what is missing from that list: any option measured in years. If a Fair Work claim, an ATO review or a contract dispute surfaces eighteen months after an employee left, the native windows closed long ago. Retention policies and litigation hold in Microsoft Purview can preserve content for longer, but they are compliance tools for preserving data in place, not backup tools for restoring data at scale after an incident.
What's covered natively, and what isn't?
What Microsoft 365 covers out of the box
- Infrastructure failure: geo-redundant copies of your data across datacentres
- Short-term accidental deletion: recycle bins and deleted-item recovery inside the windows above
- Bad edits and some file-level ransomware: version history on SharePoint and OneDrive files
- Service availability: a financially backed uptime commitment for the platform itself
- Compliance preservation: retention policies and litigation hold, where licensed and configured
What it does not cover
- Anything deleted longer ago than the retention window: 93 days for files is the ceiling without extra configuration
- Point-in-time restore of a mailbox, site or tenant to how it looked before an incident
- Ransomware or admin-level sabotage that deletes content and empties recycle bins with legitimate credentials
- A copy of your data held outside the tenant, isolated from whoever compromises it
- Multi-year retention for legal, insurance or contractual purposes, unless separately configured with the right licensing
Is the native Microsoft 365 Backup enough?
Since 2024, Microsoft has offered a genuine first-party backup product called Microsoft 365 Backup. It is pay-as-you-go at USD $0.15 per gigabyte of protected content per month, billed through an Azure subscription, and it covers Exchange Online mailboxes, OneDrive accounts and SharePoint sites. Restore points are taken every 10 minutes, restores are fast because the data never leaves Microsoft's platform, and restores themselves are free.
For what it does, it is good, and Frontrow deploys it where it fits. But it has boundaries worth understanding before treating it as the whole answer:
- Retention is capped at one year. Backups expire 365 days after they are taken, which falls short of many Australian legal and insurance retention expectations.
- Granular restore points thin out over time: for SharePoint and OneDrive, 10-minute restore points cover the last 14 days, then step down to weekly out to the one-year mark.
- Coverage is Exchange, SharePoint and OneDrive only. Teams chat history, Planner, and Entra ID configuration are not included.
- The backups live inside Microsoft's platform and your tenancy arrangement. There is no export to independent storage, so it does not give you a copy that survives losing access to the tenant itself.
Why do businesses still add third-party backup?
Third-party backup services earn their place on three properties the native options cannot fully provide. First, retention: most businesses want years, not months, and third-party platforms routinely offer unlimited or seven-plus-year retention. Second, immutability: backups that nobody, including a compromised global admin, can alter or delete during their retention period. Third, isolation: a copy held on separate infrastructure, under separate credentials, so that whoever takes over your tenant does not also hold your backups.
Those three properties map directly onto Strategy 8 of the ASD's Essential Eight: regular backups. Maturity Level One expects backups performed and retained in line with business criticality, with restoration actually tested. Maturity Level Two requires that privileged accounts be prevented from modifying or deleting backups. Maturity Level Three extends that restriction to backup administrator accounts themselves during the retention period. A Microsoft 365 tenant with nothing but recycle bins does not meet any of those levels, and even the native Microsoft 365 Backup needs careful design to satisfy the higher ones.
The honest summary: Microsoft does its half of the job well, and says plainly that the other half is yours. For a small Australian business, the practical stack is usually native recycle bins for everyday recovery, Microsoft 365 Backup or a third-party service for point-in-time restore, and third-party immutable backup wherever multi-year retention or Essential Eight maturity is on the agenda. Frontrow designs and runs that stack for organisations across Australia as part of its managed IT services.
Facts checked July 2026: retention windows, Microsoft 365 Backup coverage and USD pricing verified against Microsoft's published documentation.