No, not in the way most people assume. Microsoft keeps the Microsoft 365 service running and makes sure your data isn't lost through a fault on their side. But getting back your own emails, files and Teams chats after an accidental deletion, a member of staff leaving, or a ransomware attack is your responsibility, not Microsoft's. The retention windows built into Microsoft 365 are short, and once they pass, the data is gone for good. They were never designed to be a backup.
This catches a lot of businesses out, and usually at the worst possible moment. Here is what Microsoft actually protects, what is down to you, and why a separate backup is worth the few pounds a month it costs.
The shared responsibility model, in plain terms
Microsoft runs Microsoft 365 on what it calls a shared responsibility model. The split is sensible enough, but it is easy to misread if nobody has spelled it out.
Microsoft's side is keeping the lights on: the data centres, the hardware, the underlying software, security patching and uptime. They commit to a 99.9% availability target, replicate your data across multiple sites so a single failure doesn't take it down, and make sure the service is there when you log in.
Your side is the data itself - protecting it, controlling who can reach it, and being able to get it back if something goes wrong at your end. Microsoft is clear that it is not responsible for restoring data you have deleted, that an attacker has encrypted, or that a leaver has wiped on the way out. The wording in their licensing terms is that you should regularly back up your own content and data. That sentence is doing a lot of work.
Put simply, replication is not backup. If a file is deleted or corrupted, that change is faithfully copied across all of Microsoft's data centres. Their resilience protects against their failures, not yours.
The built-in retention is short, and it isn't a backup
Microsoft 365 does keep deleted items around for a while, which is handy for the everyday "oops, I need that email back" moment. But these are recycle bins on a timer, not a backup system, and the default windows are shorter than people expect.
Deleted emails sit in your Deleted Items folder until you clear it, then in a hidden recoverable area for 14 days by default. An administrator can stretch that to a maximum of 30 days, but no further.
Deleted files in SharePoint and OneDrive pass through a two-stage recycle bin and are kept for around 93 days from deletion. After that they are permanently removed.
A departed employee's OneDrive is retained for 30 days by default after the account is deleted (this can be set higher), then it moves to a site collection recycle bin for up to 93 days before it disappears unless you have preserved it first.
Teams messages and channel data follow their own retention rules and are some of the easiest data to lose track of entirely.
The real issue isn't the length of these windows, it is what they are. There is no point-in-time restore, so you cannot roll a mailbox or a SharePoint library back to how it looked last Tuesday before someone made a mess of it. And the clock is always running. A staff member who left in March, whose files you suddenly need in July, is well past 93 days, and there is no undo button left to press.
What actually goes wrong (and it is rarely an outage)
When we restore data for clients across Berkshire and Oxfordshire, it is almost never because Microsoft fell over. It is the human and security side of things:
Accidental deletion. Someone tidies up a shared SharePoint folder, removes the wrong project, and nobody notices for two months.
A departing employee. The account is closed to save on a licence, and three months later you realise their mailbox held the only copy of a key client thread or a signed contract.
Malicious deletion. A disgruntled leaver clears their mailbox and files before handing back the laptop.
Ransomware and account compromise. An attacker gets into an account, encrypts or deletes OneDrive and SharePoint content, or quietly sets up mailbox rules that forward and hide incoming email.
Bad data, faithfully synced. A corrupted or overwritten file syncs to everyone, replacing the good version right across the business.
By the time most of these come to light, they are already outside the 14 to 93 day windows. That is the gap a real backup fills.
A synced cloud drive is not a backup either
This trips up a lot of owners. OneDrive and SharePoint live in the cloud, so it feels like the files must already be safe. But sync exists to keep the same version of a file consistent everywhere, not to keep old, separate copies you can fall back to. If a file is deleted, encrypted by ransomware or overwritten with rubbish, that change syncs straight to every device and every copy. Same data, same fate.
This is where the old 3-2-1 principle still earns its keep, even for a cloud-first business: keep 3 copies of your data, on 2 different types of storage, with at least 1 held separately from the original. Your live data in Microsoft 365 is one copy. An independent backup, held by a third party outside your tenant, is the separate copy that survives when something goes wrong inside Microsoft 365 itself.
What a proper Microsoft 365 backup gives you
A third-party Microsoft 365 backup runs automatically, takes its own independent copies, and gives you point-in-time restore. You are no longer limited to whatever happens to be sitting in a recycle bin on the day you go looking.
A good backup covers the four areas that matter:
Exchange Online - mailboxes, including calendars and contacts.
OneDrive - individual users' files.
SharePoint - shared sites, document libraries and their version history.
Teams - chats, channels and the files behind them.
In practice that means you can restore a single email from eight months ago, recover a leaver's entire OneDrive long after their account has gone, or roll a SharePoint library back to the day before it was corrupted. In the UK this typically runs to a few pounds per user per month - small money against a day spent reconstructing lost data, or worse, having to tell a client you have lost theirs.
The compliance angle for UK businesses
There is a legal dimension too. Under UK GDPR and the Data Protection Act 2018, you are expected to keep personal data available and recoverable, and to be able to produce it on request - for instance, when someone makes a subject access request. If a mailbox full of customer correspondence has aged out of Microsoft's retention and there is no backup, you cannot comply, however good your intentions. The same goes for records you are obliged to keep for HMRC, for contracts, and for any sector rules your business falls under, such as the NHS Data Security and Protection Toolkit if you handle health data. Being able to restore and produce your data is both an operational need and a compliance one.
The takeaway
Microsoft 365 is reliable and well run, and Microsoft will keep the service available. But protecting and recovering your own data sits with you, and the built-in retention windows are far too short to lean on as a safety net. A separate, automated backup closes that gap for a small monthly cost.
If you are not sure whether your Microsoft 365 data is actually backed up - and a surprising number of businesses assume it is when it isn't - we are happy to take a look and tell you straight. Our team can check what you have in place and set up a proper backup if you need one.