Frontrow Technology
← All insights & guides
Guide

Managed IT

Does Microsoft 365 back up your data? The shared-responsibility truth for Australian businesses

The short answer is no, not in the way most businesses assume. Here is exactly what Microsoft protects, how long deleted data survives natively, what the paid Microsoft 365 Backup service covers, and where third-party backup still earns its keep.

Graeme Lodge · 11 July 2026 · 6 min read

No — Microsoft protects the infrastructure, and you own the data. Microsoft 365 keeps the service running, replicates your content across datacentres, and holds deleted items for a limited window. It does not take a restorable, long-term backup of your mailboxes, files or Teams content. Under Microsoft's shared responsibility model, that job belongs to the customer.

This is not a gotcha, and it is not Microsoft cutting corners. Shared responsibility is standard practice across every major cloud platform: the provider secures and operates the service, and the customer remains responsible for their own data, identities and configuration. Microsoft is unusually direct about it. The Microsoft Services Agreement recommends that customers regularly back up their content and data using third-party apps and services. This guide covers what that means in practice for an Australian business on Microsoft 365.

What does Microsoft actually protect?

Microsoft's side of the bargain is availability and integrity of the platform. Your Exchange mailboxes, SharePoint sites and OneDrive accounts are replicated across multiple datacentres, so a hardware failure or a datacentre outage on Microsoft's side should never lose your data. Microsoft also carries responsibility for the physical security of its facilities, the health of the service, and honouring the uptime commitments in its service level agreement.

What replication does not protect against is the customer-side failure modes that cause almost every real-world data loss: a user deleting a folder and not noticing for four months, a departing employee emptying their mailbox on the way out, a misconfigured retention policy quietly purging content, a sync error propagating deletions, or ransomware encrypting files through a compromised account. In every one of those cases, Microsoft's replication faithfully copies the damage to every datacentre within minutes. Replication keeps data available. It does not keep data recoverable.

How long does deleted Microsoft 365 data survive?

Microsoft 365 does give you native recovery windows, and for everyday oops-moments they work well. The catch is that every window is finite, and once it closes, the data is gone for good unless something else was holding a copy. The key numbers:

  • SharePoint and OneDrive files: 93 days in the recycle bin, spanning the first-stage (user) and second-stage (site collection) bins combined. Day 94, permanent deletion.
  • Exchange Online deleted items: 14 days by default once an item leaves the Deleted Items folder, extendable to a maximum of 30 days by an administrator.
  • Deleted mailboxes: when a user account is deleted, the mailbox sits in a soft-deleted state for 30 days before permanent removal.
  • A departed user's OneDrive: retained for 30 days by default after the account is deleted (configurable up to 10 years), after which it moves through the recycle bin process and is purged.
  • Version history: SharePoint and OneDrive keep prior file versions (500 by default), which helps against bad edits and some ransomware, but versions are deleted along with the file.

Notice what is missing from that list: any option measured in years. If a Fair Work claim, an ATO review or a contract dispute surfaces eighteen months after an employee left, the native windows closed long ago. Retention policies and litigation hold in Microsoft Purview can preserve content for longer, but they are compliance tools for preserving data in place, not backup tools for restoring data at scale after an incident.

What's covered natively, and what isn't?

What Microsoft 365 covers out of the box

  • Infrastructure failure: geo-redundant copies of your data across datacentres
  • Short-term accidental deletion: recycle bins and deleted-item recovery inside the windows above
  • Bad edits and some file-level ransomware: version history on SharePoint and OneDrive files
  • Service availability: a financially backed uptime commitment for the platform itself
  • Compliance preservation: retention policies and litigation hold, where licensed and configured

What it does not cover

  • Anything deleted longer ago than the retention window: 93 days for files is the ceiling without extra configuration
  • Point-in-time restore of a mailbox, site or tenant to how it looked before an incident
  • Ransomware or admin-level sabotage that deletes content and empties recycle bins with legitimate credentials
  • A copy of your data held outside the tenant, isolated from whoever compromises it
  • Multi-year retention for legal, insurance or contractual purposes, unless separately configured with the right licensing

Is the native Microsoft 365 Backup enough?

Since 2024, Microsoft has offered a genuine first-party backup product called Microsoft 365 Backup. It is pay-as-you-go at USD $0.15 per gigabyte of protected content per month, billed through an Azure subscription, and it covers Exchange Online mailboxes, OneDrive accounts and SharePoint sites. Restore points are taken every 10 minutes, restores are fast because the data never leaves Microsoft's platform, and restores themselves are free.

For what it does, it is good, and Frontrow deploys it where it fits. But it has boundaries worth understanding before treating it as the whole answer:

  • Retention is capped at one year. Backups expire 365 days after they are taken, which falls short of many Australian legal and insurance retention expectations.
  • Granular restore points thin out over time: for SharePoint and OneDrive, 10-minute restore points cover the last 14 days, then step down to weekly out to the one-year mark.
  • Coverage is Exchange, SharePoint and OneDrive only. Teams chat history, Planner, and Entra ID configuration are not included.
  • The backups live inside Microsoft's platform and your tenancy arrangement. There is no export to independent storage, so it does not give you a copy that survives losing access to the tenant itself.

Why do businesses still add third-party backup?

Third-party backup services earn their place on three properties the native options cannot fully provide. First, retention: most businesses want years, not months, and third-party platforms routinely offer unlimited or seven-plus-year retention. Second, immutability: backups that nobody, including a compromised global admin, can alter or delete during their retention period. Third, isolation: a copy held on separate infrastructure, under separate credentials, so that whoever takes over your tenant does not also hold your backups.

Those three properties map directly onto Strategy 8 of the ASD's Essential Eight: regular backups. Maturity Level One expects backups performed and retained in line with business criticality, with restoration actually tested. Maturity Level Two requires that privileged accounts be prevented from modifying or deleting backups. Maturity Level Three extends that restriction to backup administrator accounts themselves during the retention period. A Microsoft 365 tenant with nothing but recycle bins does not meet any of those levels, and even the native Microsoft 365 Backup needs careful design to satisfy the higher ones.

The honest summary: Microsoft does its half of the job well, and says plainly that the other half is yours. For a small Australian business, the practical stack is usually native recycle bins for everyday recovery, Microsoft 365 Backup or a third-party service for point-in-time restore, and third-party immutable backup wherever multi-year retention or Essential Eight maturity is on the agenda. Frontrow designs and runs that stack for organisations across Australia as part of its managed IT services.

Facts checked July 2026: retention windows, Microsoft 365 Backup coverage and USD pricing verified against Microsoft's published documentation.

Common questions

Frequently asked

Does Microsoft automatically back up Microsoft 365 data?
No. Microsoft replicates your data across datacentres for availability and provides limited-time recycle bins, but it does not take a restorable long-term backup. Microsoft's Services Agreement recommends customers regularly back up their content using third-party apps and services.
How long do deleted files stay recoverable in SharePoint and OneDrive?
93 days in total, split across the first-stage and second-stage recycle bins. After 93 days the file and its version history are permanently deleted, unless a retention policy or a backup was holding a copy.
What does the native Microsoft 365 Backup service cost and cover?
It is pay-as-you-go at USD $0.15 per GB of protected content per month, covering Exchange Online, SharePoint and OneDrive with restore points every 10 minutes. Retention is capped at one year, and Teams chat, Planner and Entra ID configuration are not covered. Restores are free.
Is Microsoft 365 backup required for Essential Eight compliance?
Strategy 8 of the Essential Eight is regular backups. Maturity Level One expects backups retained in line with business criticality and tested restoration; Levels Two and Three require that privileged accounts, and eventually backup administrators too, cannot modify or delete backups. Recycle bins alone do not satisfy any maturity level.
Do retention policies in Microsoft Purview replace backup?
No. Retention policies preserve content in place for compliance and legal discovery, and they need the right licensing and configuration. They are not designed for restoring a mailbox, site or tenant to a point in time after an incident, which is what backup provides.

Want Frontrow to run this with your team?

A 30-minute call with a senior consultant. No deck. Frontrow walks through your tenant, your priorities and the next sensible move.