If you’re running your business on Microsoft 365, you’re in good company. Millions of organisations worldwide rely on Exchange Online, SharePoint, Teams, and OneDrive to keep their people connected and their data flowing. But there’s a dangerous assumption lurking beneath the surface of that productivity, one that could cost your business dearly.
Most Microsoft 365 users assume Microsoft is backing up their data. They’re not. At least, not in the way you think.
In fact, according to research by Spanning, 77% of Microsoft 365 users suffered a data loss incident in the past year with an average time from compromise to detection of 140 days. ¹ That’s nearly five months of exposure before anyone even knows something is wrong.
What Microsoft Actually Covers
Let’s be fair to Microsoft: they do an exceptional job of keeping their infrastructure available. Their data centres are redundant, geographically distributed, and highly resilient. If an Azure data centre goes offline, your data doesn’t disappear. Microsoft protects against hardware failure, natural disasters, and platform-level outages.
But here’s the critical distinction: Microsoft protects their infrastructure. They do not protect your data.
Microsoft’s Service Level Agreement (SLA) guarantees uptime. It does not guarantee data recovery. If you accidentally delete a folder of critical contracts, if a disgruntled employee wipes a SharePoint site, or if ransomware encrypts your Teams files, Microsoft’s infrastructure protections are entirely irrelevant. The data is gone.
And Microsoft knows it. Their own Service Agreement explicitly states:
“We recommend that you regularly back up your content and data that you store on the services or store using third-party apps and services.” – Microsoft Service Agreement ²
That’s Microsoft in their own words telling you not to rely on them for backup.
The Shared Responsibility Model
This brings us to the concept that every IT leader and business owner using cloud services needs to understand: the shared responsibility model.
In simple terms, this model draws a line between what the cloud provider is responsible for and what you, the customer, are responsible for. Microsoft is responsible for the availability of the service. You are responsible for the data within it.
As Microsoft’s own Azure documentation confirms:
“For all cloud deployment types, you own your data and identities. You’re responsible for protecting the security of your data and identities.” – Microsoft Azure: Shared Responsibility in the Cloud ³
Yet despite this being clearly documented, 35% of the market still wrongly assume their SaaS vendor is responsible for data protection – when it is solely their responsibility as the customer. ⁴
Think of it like renting office space. The building owner is responsible for keeping the structure safe, the lifts running, and the power on. But if you leave your laptop on your desk and it gets stolen, that’s not the landlord’s problem; that’s yours.
The same logic applies to Microsoft 365. Your emails, SharePoint libraries, OneDrive files, and Teams conversations are your responsibility. And without a dedicated Microsoft 365 backup solution in place, you’re operating without a safety net.
Real Data Loss Scenarios
You might be thinking, “We’re careful. Our team wouldn’t delete important data.” That’s a reasonable confidence to have, but data loss rarely comes from where you expect it.
Accidental deletion is the number one cause of data loss in cloud environments, contributing to 95% of data breaches in 2024 according to GitProtect research. ⁵ A user deletes a folder thinking it’s outdated. A Teams channel gets removed. An admin clears a distribution list. Microsoft does offer a recycle bin with a limited retention window, but once that window closes, recovery becomes near-impossible without a backup.
Ransomware and malware increasingly target cloud environments. Modern ransomware variants are designed to synchronise encrypted files directly into OneDrive and SharePoint, overwriting your legitimate data. What makes this particularly dangerous is that ransomware attackers frequently empty Microsoft’s recycle bins and remove retention policies as their first move, specifically to eliminate your easy recovery options. ⁶ By the time you realise what’s happened, the damage is already synced across your tenant.
Insider threats are more common than most businesses admit. Whether it’s a disgruntled employee on their last day or a simple misuse of admin privileges, internal actors can cause significant data destruction that no infrastructure-level protection will stop. And the clock is ticking: with an average detection window of 140 days, internal data loss can go unnoticed for months.
Third-party app integrations are another silent risk. An app with write access to your Microsoft 365 environment can corrupt or delete data, and you’d have no recourse without a proper backup.
Microsoft’s own retention limits also create gaps. Microsoft automatically deletes data from inactive accounts after 90 days, which may directly conflict with your compliance and retention requirements. ⁷
The stakes couldn’t be higher. Studies show that of businesses which experience extended data loss exceeding 10 days, 50% file for bankruptcy immediately and 93% close within 12 months. ⁸
What a Proper Microsoft 365 Backup Looks Like
A true Microsoft 365 backup solution goes far beyond Microsoft’s native retention capabilities. Here’s what to look for:
Comprehensive coverage means backing up everything that matters: Exchange Online mailboxes, SharePoint sites, OneDrive for Business, Microsoft Teams (including chats, channel messages, and files), and Microsoft 365 Groups. Partial coverage creates blind spots you can’t afford.
Granular recovery is what separates a real backup from a blunt restore. You should be able to recover a single email, a specific file version, an entire mailbox, or a complete SharePoint site without restoring everything else alongside it. Note that retrieving just a single email through Microsoft’s native litigation hold process requires going through 8 to 10 demanding steps; that’s not backup, that’s bureaucracy. ⁹
Automated, frequent backup cycles ensure minimal data loss in the event of an incident. Daily backups are a baseline, but solutions that back up multiple times per day give you a tighter recovery point objective (RPO).
Offsite, independent storage is non-negotiable. Your backup data should live completely outside of Microsoft’s environment. If your Microsoft 365 tenant is compromised, your backup needs to be somewhere the attacker cannot reach and cannot delete using the same credentials.
Immutable storage is increasingly essential. Unlike Microsoft’s native environment, a proper backup solution should offer write-once, read-many (WORM) compliant storage that cannot be altered or wiped even by an attacker who has gained admin access. ¹⁰
Long-term retention beyond Microsoft’s default windows lets you meet compliance requirements, support legal holds, and recover data from events discovered weeks or months after they occurred.
How Be In The Cloud Fills the Gap
At Be In The Cloud, we work with businesses across Australia to close the protection gap that Microsoft leaves open. Our Microsoft 365 backup solution, Cloud 365, is purpose-built to give you true data ownership and rapid recovery capability.
Cloud 365 automatically backs up your Exchange Online mailboxes, SharePoint, OneDrive, and Teams data to a secure, offsite environment entirely separate from Microsoft’s infrastructure. Recovery is fast and granular — whether you need a single email from six months ago or a full site restoration after a ransomware attack, you can do it in minutes, not days.
We also provide long-term data retention to support compliance obligations under Australian privacy and data governance frameworks — so you’re covered not just for operational recovery, but for regulatory peace of mind as well.
With nearly 30% of MSPs having already experienced preventable Microsoft 365 data loss on behalf of their clients ¹¹, the window for acting proactively is narrowing. The businesses that survive data loss events are the ones who had a plan before they needed one.
Don’t Wait for a Data Loss Event
The Microsoft 365 platform is excellent. But excellent infrastructure availability is not the same as data protection.
The shared responsibility model isn’t a loophole or fine print. It’s a clearly stated division of duties — one that Microsoft themselves spell out and one that, as Grant Crough, Founder and CISO at LEAP Strategy, puts plainly:
“Microsoft runs the service, but partners and customers still own data protection and recovery.” ¹²
Microsoft has held up their end. Now it’s time to hold up yours.
If you’re using Microsoft 365 without a dedicated backup solution, you’re not protected — you’re hoping. And in business, hope is not a strategy.
Ready to close the gap? Talk to the team at Be In The Cloud about Cloud 365 and what proper Microsoft 365 backup looks like for your business.
