
Microsoft 365 Backup: why the recycle bin and retention periods are not real data protection

By Zarioh Digital Solutions · 5 min read
Many organisations assume their data is safe because it 'lives in Microsoft's cloud'. But availability is not backup. Read how Microsoft 365 Backup works, where its limits lie, and which steps to take to genuinely protect your business data.

Many organisations assume their data in Microsoft 365 is automatically safe. 'It's in Microsoft's cloud, after all' is a phrase IT partners hear far too often. Microsoft does offer excellent availability: the infrastructure is redundant, data is mirrored across multiple data centres, and uptime is consistently above 99.9 percent. But availability and backup are two fundamentally different things.

Availability means the service is reachable. Backup means you can restore data to an earlier point in time after it has been lost or corrupted. Microsoft guarantees the first. The second is your own responsibility, and for most organisations, no proper solution is currently active.

What Microsoft does and does not protect

Microsoft 365 has built-in recovery features, but they have clear limits. The recycle bin in SharePoint and OneDrive retains deleted files for 93 days by default. After that they are permanently deleted. Exchange Online retains deleted emails for 30 days in the deleted items folder, and with the 'Recover deleted items' option for up to 30 additional days. Teams chat messages that are deleted are no longer recoverable after the default retention period unless you have configured Purview retention policies.

This means that an employee who accidentally deletes a folder in December cannot recover it in April unless an external backup is in place. And a ransomware attack that encrypts files in SharePoint while OneDrive synchronises spreads the encryption directly to the cloud. By the time the attack is discovered, the recovery versions in the recycle bin may already have been overwritten.

The most common causes of data loss in Microsoft 365

Four scenarios account for the majority of data loss incidents at organisations using Microsoft 365. The first is accidental deletion by employees. Folders are wiped, email archives cleaned up, documents overwritten. If reported too late, the recycle bin offers no way out.

The second scenario is ransomware via synchronised storage. Modern ransomware sometimes waits weeks before manifesting, to overwrite as many recovery versions as possible. If the encryption in OneDrive or SharePoint is synchronised before the attack becomes visible, the cloud versions are also compromised.

The third scenario involves malicious or departing employees. An employee leaving the organisation may delete large volumes of data in their final working days. The recycle bin enables recovery, but only if discovered quickly and before the mailbox or account is cleaned up. The fourth scenario is configuration errors: incorrectly configured automation rules or accidentally deleted SharePoint sites that are only reported much later in a complex environment.

Microsoft 365 Backup: the native solution

In 2024, Microsoft made its own backup solution generally available: Microsoft 365 Backup. The product provides direct recovery support for SharePoint Online sites, OneDrive accounts, and Exchange Online mailboxes. Its distinguishing feature is speed: restoring large volumes of data is considerably faster than with traditional external backup tools, because Microsoft has direct access to the underlying storage.

Microsoft 365 Backup offers point-in-time restore: you choose a moment in the past, select what you want to recover (a single file, a full mailbox, or an entire SharePoint site), and Microsoft restores the data to that point. The maximum retention period is currently 180 days. That is a significant improvement over the standard recycle bin, but not sufficient for organisations with longer statutory retention obligations.

When do you need more than the native backup?

Microsoft 365 Backup covers the most common recovery situations well, but there are cases where an external backup solution adds more value. First, if your retention or compliance requirements exceed the 180-day limit. Organisations in healthcare, legal services, or the public sector often have a retention obligation of five to ten years for specific communications and documents.

Second, if you also want to protect Teams data, Planner tasks, form results, or data from other Microsoft 365 apps. Microsoft 365 Backup focuses on three core workloads: SharePoint, OneDrive, and Exchange. For the rest of the Microsoft 365 ecosystem, external tools are better positioned. Third, if your customers or insurer impose contractual requirements on demonstrable recovery capacity with detailed reporting.

Backup versus retention: a crucial distinction

A common misconception is that retention policies in Microsoft Purview are the same as a backup. They are not. Retention policies ensure that data is not deleted before a set period, even if a user or administrator tries to do so. But they provide no point-in-time restore and do not help with data corruption or overwriting.

Put differently: retention protects against unwanted deletion, backup protects against loss and corruption. Ideally you need both, with a clear policy on what is retained, for how long, and how you recover when something goes wrong.

How do you get started with data protection for Microsoft 365?

Here are four steps to strengthen the data safety of your Microsoft 365 environment this quarter. First: activate Microsoft 365 Backup if you have not already done so. Configure it for all SharePoint sites, OneDrive accounts, and Exchange mailboxes that are business-critical. Verify that you can actually perform a restore by running a one-off test.

Second: configure the recycle bin settings in Exchange and SharePoint to the maximum retention period your licence allows. This costs nothing extra and gives you more time to discover an accidental deletion. Third: evaluate whether your retention and compliance requirements exceed the 180-day limit. If so, explore an external backup tool; there are reliable solutions for SMEs with a transparent cost structure.

Fourth: test your recovery scenario. A backup that has never been tested is a backup without a guarantee. Plan a recovery test every six months where you restore a random mailbox, a deleted file, and a SharePoint library. Document the turnaround time and whether the data came back complete and usable.

Data in the cloud is not automatically safe. Microsoft offers excellent availability and increasingly capable native recovery options, but responsibility for a complete recovery profile rests with your organisation.

Want help activating Microsoft 365 Backup, assessing your current recovery capacity, or choosing an external backup strategy suited to your sector? Contact Zarioh.
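One way to document the outcome of the recovery test in step four, as an added example that is not part of the original article or any Microsoft tooling. It assumes the SharePoint library is available as a local folder (synced or downloaded) before the test and again after the restore; the function names, file names and timestamps are constructed for illustration.

```python
import hashlib
import tempfile
from datetime import datetime
from pathlib import Path


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def restore_report(baseline, restored, started, finished):
    """Compare the pre-test manifest with the restored copy and time the restore."""
    missing = sorted(baseline.keys() - restored.keys())
    unexpected = sorted(restored.keys() - baseline.keys())
    altered = sorted(p for p in baseline.keys() & restored.keys()
                     if baseline[p] != restored[p])
    return {
        "missing": missing,        # never came back
        "altered": altered,        # came back with different content
        "unexpected": unexpected,  # present only in the restored copy
        "complete": not missing and not altered,
        "turnaround_minutes": (finished - started).total_seconds() / 60,
    }


def demo():
    """Constructed sample: a small library and a deliberately flawed restore."""
    files = {"contracts/2023/acme.docx": b"signed contract",
             "finance/q4.xlsx": b"q4 figures",
             "readme.txt": b"library index"}
    with tempfile.TemporaryDirectory() as tmp:
        before, after = Path(tmp, "baseline"), Path(tmp, "restored")
        for rel, data in files.items():
            for base in (before, after):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        (after / "finance/q4.xlsx").write_bytes(b"older version")  # wrong restore point
        (after / "readme.txt").unlink()                            # file not restored
        return restore_report(build_manifest(before), build_manifest(after),
                              datetime(2025, 1, 6, 9, 0), datetime(2025, 1, 6, 9, 42))


if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest outside the tenant being tested, so the evidence of what the library should contain survives the same incident the backup is meant to cover.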

Zarioh Digital Solutions

IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony, and share what we learn in practice.
