Free tool · 5 minutes · Microsoft 365 backup
Microsoft owns the platform. The customer owns the data. Score your Microsoft 365 backup posture across Exchange Online, OneDrive, SharePoint and Teams against ASD Essential Eight Strategy 8 in five minutes.
10 questions · 5 domains
Score your Microsoft 365 backup posture across Exchange Online, OneDrive, SharePoint, Teams, and the operational discipline behind it. Pick the option closest to how your tenant is configured today.
Domain 1
Mailbox retention beyond default deleted-items policy, litigation hold, or third-party backup that survives malicious deletion or compromise.
How are Exchange Online mailboxes protected beyond default deleted-items retention?
Source: Microsoft Learn: Exchange Online retention; Microsoft Purview Data Lifecycle Management.
When did you last test recovering a deleted mailbox or mailbox folder?
Source: ASD Essential Eight Strategy 8 — Regular Backups (restore testing).
Domain 2
OneDrive retention, version history beyond defaults, and protection against ransomware that encrypts content across synced devices.
How is OneDrive content protected beyond default version history and recycle bin?
Source: Microsoft Learn: OneDrive recycle bin and version history.
Have you confirmed your OneDrive recovery posture survives a ransomware encryption sweep?
Source: Microsoft Learn: Files Restore for OneDrive; ASD Annual Cyber Threat Report.
Domain 3
SharePoint retention, versioning, and third-party backup of site content that survives a malicious site deletion or ransomware sweep.
How is SharePoint Online content protected against malicious deletion or ransomware?
Source: Microsoft Learn: SharePoint retention and recycle bin.
When did you last test restoring a SharePoint site or library?
Source: ASD Essential Eight Strategy 8 — Regular Backups.
Domain 4
Teams chat retention, channel-message history, channel-files protection and Loop component recovery.
How is Microsoft Teams chat history protected?
Source: Microsoft Learn: Microsoft Teams retention and eDiscovery for Teams.
How are Teams channel files protected?
Source: Microsoft Learn: Teams files architecture and SharePoint storage.
Domain 5
Restore testing, documented recovery point and recovery time objectives, and named ownership of the backup posture.
Do you have documented Recovery Point Objective and Recovery Time Objective targets for Microsoft 365 data?
Source: ASD Essential Eight Strategy 8; ISO 27031 IT continuity guidance.
Who owns the Microsoft 365 backup posture?
Source: ASD Essential Eight Strategy 8; APRA CPS 230 operational risk management.
This is an indicative self-assessment. It is not a substitute for a tenant-level backup audit. For verified results Frontrow Technology offers an in-tenant backup posture review.
What the analyser covers
Domain 1
Exchange Online retains deleted items for 14 to 30 days by default and Recoverable Items for 14 days. That is not backup. A compromised admin account can purge mailboxes. Litigation hold and third-party backup are the controls that protect data when retention is not enough.
Domain 2
OneDrive's default version history is 500 versions and the recycle bin holds files for 93 days. Files Restore can roll back the last 30 days. None of those survive a determined adversary, a long-dwell ransomware campaign, or a mass user-account purge.
Domain 3
SharePoint sites can be hard-deleted from the recycle bin. Versions can be exhausted by an attacker writing thousands of versions. Microsoft restores at site-collection level on request and not always within the timeframe a business needs.
Domain 4
Teams chat is stored in hidden Exchange folders and channel files in SharePoint. Both inherit those services' limitations. Many tenants still have a gap on private-channel messages and Loop components.
Domain 5
A backup that has never been restored is a hypothesis, not a control. ASD Essential Eight Strategy 8 requires regular tested restores. Boards increasingly ask for documented RPO and RTO targets and evidence the targets have been met.
Frequently asked questions
No, not in the way most organisations assume. Microsoft's Service Agreement and Shared Responsibility Model are explicit: Microsoft is responsible for the platform, the customer is responsible for the data. Microsoft 365 retention, recycle bins, and litigation hold are recovery features for accidental deletion within defined windows. They are not backup. They will not survive a malicious deletion by a compromised admin account, a long-dwell ransomware campaign that exhausts versions, or a mass user-account purge.
Retention extends how long Microsoft keeps a deleted item before purging it. A backup stores an independent copy that is point-in-time recoverable, ideally immutable, and outside the trust boundary of the source tenant. Retention is overwritten by an attacker. Backup is not. The distinction matters because the failure mode of relying on retention is silent until the recovery event happens.
No. Microsoft 365 Business Premium includes Microsoft Purview retention features, eDiscovery and litigation hold. None of those are backup. Backup is a separate product category provided by third-party vendors that integrate with Microsoft Graph (examples include Veeam, AvePoint, Keepit, Barracuda Cloud-to-Cloud Backup, Druva).
ASD Essential Eight Strategy 8 (Regular Backups) requires regular and tested backups of important data, software, and configuration settings. Importantly it requires the backups to be tested and to be retained for an appropriate period. ML2 introduces requirements around restore frequency and protection from modification or deletion by privileged accounts.
Files Restore is a self-service recovery feature that lets a user roll back their entire OneDrive to a point in the last 30 days. It is useful for ransomware that encrypts files within that window. It is not a backup because it is bound to the OneDrive itself, has a 30-day ceiling, and does not survive a deleted user account. A long-dwell ransomware attack or a malicious deletion of a user account both defeat Files Restore.
All four core Microsoft 365 services: Exchange Online (mailboxes), OneDrive for Business, SharePoint Online (sites), and Microsoft Teams (chats, channel messages, channel files, Loop). The pattern Frontrow runs across Australian mid-market clients is Microsoft Purview retention as the first layer plus a third-party Microsoft 365 backup as the second layer, with quarterly tested restores documented in the operations runbook.
Every scoring threshold cites a primary source: Microsoft Learn for retention and recovery features, the Microsoft Service Agreement and Shared Responsibility Model for the responsibility split, and ASD Essential Eight Strategy 8 for the Australian baseline. The methodology is authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant).
A direct review of the customer's tenant configuration via Microsoft Graph and admin console (rather than self-reported answers), test restore drills across mailbox, OneDrive, SharePoint and Teams, gap report against ASD Strategy 8, and a remediation plan with effort estimates. Indicative pricing on request.
