
Microsoft 365 Is Not Backed Up by Microsoft. Here Is What That Actually Means for Your Business.

  • May 11

This is one of the most common misunderstandings I come across in small business IT. People believe that because their data sits in Microsoft 365, in the cloud, on Microsoft's own servers, it must be safe. It is a fair assumption. It is also wrong.


If you run a business that uses Microsoft 365 for email, files, SharePoint, OneDrive, or Teams, this article is worth ten minutes of your time. I am going to explain what Microsoft actually protects, what they do not, and what you can do about it without spending a fortune.


What Microsoft actually says about backing up data:

Microsoft's own service agreement is clear, though most people never read it. The relevant section is called the Shared Responsibility Model. In plain English, it says Microsoft is responsible for the platform: keeping the servers running, the software updated, and the infrastructure secure. You are responsible for your data.


That distinction matters more than it sounds. Microsoft will keep the lights on. They will not, however, restore a file you deleted six months ago. They will not recover an inbox that was wiped by a departing employee. They will not undo a ransomware attack that encrypted your SharePoint library.


Their built-in protections are limited and time-bound. Deleted emails sit in a recoverable items folder for around 14 days. Deleted files in SharePoint and OneDrive can be retrieved from the recycle bin for 93 days. After that, they are gone. Permanently. No exceptions.


This is not a Microsoft failing. It is how the service is designed. They are a platform provider, not a backup company.


The four ways businesses actually lose data:

In twenty years of running an IT business, I have seen the same patterns come up again and again. Cloud data is lost in four main ways:


1. Accidental deletion

Someone clears out an inbox to free up space. A staff member tidies a SharePoint folder and deletes something they should not have. A shared file is overwritten with the wrong version. This is the most common cause by far, and it usually goes unnoticed for weeks.


2. Departing employees

When someone leaves, their account is usually disabled or removed. If that is not handled properly, the data attached to their account can disappear too. Years of emails, files, and shared resources can vanish in a single admin action.


3. Cyber attacks

Ransomware does not care that your files are in the cloud. If an attacker gets into a Microsoft 365 account, they can encrypt or delete data just as easily as if it were on a local server. Phishing remains the most common way in.


4. Sync errors and software faults

OneDrive and SharePoint sync issues can corrupt files. A bad third-party app integration can mass-delete records. These are rare, but they do happen, and the consequences can be severe.


Why this matters more than people think

Most small business owners I speak to underestimate two things: how much they rely on Microsoft 365, and how painful it would be to lose it.


Email is the obvious one. For most businesses, the inbox is the de facto record of every quote, contract, conversation, and decision. Losing it is not just inconvenient. It can be a legal and commercial problem.


SharePoint and OneDrive are quietly even more important. They hold operational files, client documents, financial records, HR information, project history. Losing six months of a team's work in SharePoint would set most businesses back significantly.


Then there is compliance. If you handle personal data, you have obligations under GDPR. Being able to recover data is part of that. "Microsoft lost it" is not a defence.


Five proactive things you can do this month:

You do not need to panic. You do need to act. Here are five practical steps in order of priority.


1. Find out what backup you actually have

Most businesses I audit do not know. They assume something is in place. Ask your IT provider directly: "Are our Microsoft 365 emails, OneDrive, and SharePoint backed up to a separate system, and how far back can we recover?" If the answer is vague, you have a problem.


2. Set up a proper third-party backup

There are good backup services that connect to Microsoft 365 and run automatically in the background. They cover email, OneDrive, SharePoint, Teams, and contacts. Restoration takes minutes, not days. For most small businesses this is the single most valuable IT investment they can make.


3. Tighten up your account management

Have a clear process for what happens when someone leaves. Their data should be preserved, not deleted, until you are certain nothing important is attached to it. Many businesses lose data because the leaver process is rushed.


4. Turn on Multi-Factor Authentication for everyone

If you have not done this already, do it this week. MFA stops the vast majority of account compromises. Microsoft offers it free with every 365 licence. The reason it is not on for everyone is usually that nobody has got round to it. Get round to it.


5. Run a recovery test

Backup is not the same as recovery. Once you have a backup in place, test it. Restore a file. Restore an old email. Make sure the process actually works before you need it in an emergency. The worst time to discover your backup is broken is the day you need it.


A note on cost:

Backup is one of the rare areas in IT where the cost is genuinely low and the value is genuinely high. The cost of losing your data and trying to rebuild it from scratch is, in most cases, the end of the business.

If you only do one thing after reading this, do that one.


The bigger point:

The reason I find this topic worth writing about is not really the technical detail. It is the assumption underneath it. Many business owners treat IT as something that just works in the background, until it does not. They trust the big names. They assume the defaults are sensible. They hope they will not be the one who finds out the hard way.


Most of the time, that approach is fine. Until it is not. And when it is not, the consequences land squarely on the business owner, not on Microsoft.


Good IT is mostly about removing assumptions and replacing them with things you actually know. You know your data is backed up. You know your accounts are protected. You know your staff have been trained on what a phishing email looks like. That is what "managed" actually means.


If you want to check where you stand

If you are not sure whether your Microsoft 365 data is properly backed up, or if anything in this article has prompted a quiet moment of concern, get in touch. Happy to have a no-pressure conversation about where your business currently sits and what, if anything, needs to change.


At PK Networks, we look after IT for small and medium businesses across West Sussex, Surrey, and the surrounding area. We are family-run, Microsoft Partners, and Cyber Essentials certified.


More importantly, we answer the phone ourselves!


Why not try for yourself? Give us a call on 01342 601 217.



 
 