The most common gap Frontrow finds during managed services onboarding isn't identity hygiene or licence waste. It's backup. Specifically: the assumption that Microsoft 365 comes with backup. It doesn't, not in the sense that matters when something has gone wrong.
What Microsoft actually provides
Microsoft provides redundancy. Data in Exchange Online, SharePoint, OneDrive and Teams is replicated across multiple datacentres within your chosen geography. If a Microsoft datacentre has an outage, your data is still available. That's a reliability feature, not a backup feature.
Microsoft also provides short-term recoverability. Exchange Online has a Deleted Items folder and Recoverable Items retention of up to 30 days. SharePoint and OneDrive have version history (default 500 versions) and a recycle bin with 93-day retention. These are useful for accidental deletion, provided you catch it within the window.
What Microsoft does not provide: long-term retention against intentional deletion, protection against ransomware that has been quietly corrupting files for longer than the version history window, point-in-time restore to a specific date beyond that window, or recovery from a misconfigured retention policy that deleted data you needed.
The scenarios that catch businesses out
- A disgruntled employee who has 60 days of notice and spends the last week deleting or exfiltrating files. By the time you discover it, the recycle bin has rolled over.
- Ransomware that uses legitimate Microsoft APIs to encrypt SharePoint files incrementally over six weeks. The version history is full of encrypted versions by the time you identify it.
- An admin who misconfigures a Microsoft Purview retention policy and inadvertently triggers deletion of a content category. Microsoft support can help within hours, but only if the items are still in the recoverable items window.
- An M&A integration where the acquired company's tenant is merged and selective data needs to be recovered to a specific pre-merger state.
Microsoft 365 Backup: what it is and what it isn't
Microsoft released Microsoft 365 Backup (currently in general availability for SharePoint, OneDrive and Exchange) in late 2024. It provides point-in-time restore back to any point within the prior 180 days, with granular restore capability down to the site or mailbox level. Pricing is consumption-based at approximately USD $0.15 per GB per month (billed in AUD through your Microsoft agreement, so convert accordingly). For a 100-seat business with moderate SharePoint and Exchange usage, expect $150–$400 AUD per month.
Microsoft 365 Backup is a meaningful improvement over the native recoverability tools. However, it still has gaps: it doesn't cover Teams chat messages independently, it doesn't provide export-to-tape or air-gapped offsite storage, and it doesn't help with eDiscovery-driven restoration requirements that call for a third-party chain of custody. For businesses that need those capabilities, third-party backup solutions remain appropriate.
Third-party backup options in the AU market
The established third-party M365 backup vendors operating in Australia include Veeam Backup for Microsoft 365, Acronis Cyber Protect, Barracuda Cloud-to-Cloud Backup, and Datto SaaS Protection. Pricing for a 100-seat organisation typically runs $80–$200 AUD per month depending on storage and retention requirements. Key differentiators are retention period (some default to one year, others support multi-year), data residency (confirm AU-hosted storage if that's a requirement), and restore granularity: item-level restore for Exchange items like individual calendar appointments matters in practice.
The Essential Eight connection
The Australian Cyber Security Centre's Essential Eight includes Regular Backups as a control. The maturity requirements escalate. Maturity Level 1 requires backups of important data. Maturity Level 2 requires that backups be tested, that they're stored separately from the source system, and that they're protected from unauthorised modification. Maturity Level 3 requires offline or immutable backup storage. Microsoft's native recoverability tools don't meet ML2 or ML3 on their own: they're not stored separately, and they're subject to admin-level modification from within the same tenant. A proper M365 backup solution that writes to a separate storage account, or to a third-party service, is required to satisfy Essential Eight backup requirements above ML1.
Try it
Check your Essential Eight backup maturity
The tool maps your current posture across all eight controls, including Regular Backups. It takes five minutes and produces a maturity level you can take to your board or auditor.
- 01 Application control: Only approved applications can execute on workstations and servers.
- 02 Patch applications: Internet-facing apps, browsers, Office, PDF readers patched promptly.
- 03 Microsoft Office macros: Macros disabled unless from trusted locations and signed by a trusted publisher.
- 04 User application hardening: Web browsers and productivity apps hardened against the most common attacks.
- 05 Restrict administrative privileges: Admin accounts limited, separated and reviewed — the crown jewels of the tenant.
- 06 Patch operating systems: Operating system patches applied on a schedule that matches the risk.
- 07 Multi-factor authentication: MFA everywhere that matters — privileged accounts, remote access, important data.
- 08 Regular backups: Backups of important data, configuration and software — and restores you have actually tested.