Microsoft 365 does not back up your data in the sense you probably mean: deleted files in SharePoint and OneDrive are gone for good after a total of 93 days in the recycle bin (Microsoft Support), and a deleted mailbox can be recovered for 30 days by default. Microsoft protects the service; your data remains your responsibility (the shared-responsibility model). This article explains what the defaults do cover, where the gaps are and what backup routes exist: a retention policy, Microsoft 365 Backup or an external supplier.

Why does Microsoft 365 need its own backup?

Because Microsoft protects the infrastructure, but you remain responsible for your data: the so-called shared-responsibility model. Microsoft makes sure the service runs and recovers from outages on its side; against deleted files, overwritten documents, departed employees, ransomware or a malicious administrator, the platform protects you only to a limited extent and only temporarily. The recycle bins and retention windows are recovery provisions, not a backup.

The practical difference: a backup is an independent copy, outside the reach of whoever (or whatever malware) can damage the original, with a retention window that you choose. The default provisions of Microsoft 365 are not that — they live in the same environment and expire after weeks.

What does Microsoft 365 keep by default?

In short: weeks, not years. Deleted files in SharePoint and OneDrive stay in the recycle bin for a total of 93 days (first and second stage combined; Microsoft Support). A deleted mailbox can be recovered for 30 days by default. Within those windows, recovering a single file or email is straightforward; beyond them, it is gone.

Three scenarios where the defaults alone leave you stuck: a deletion that is only discovered months later (an ex-employee whose account has been cleaned up, contents and all), ransomware that encrypts files and corrupts the version history along with them, and retention obligations — in the Netherlands, administrative records must be kept for seven years, far beyond any recycle-bin window. A retention policy (Purview) can partly address that last point, but requires the right licences and a deliberate configuration — and it stays within the same tenant.

What backup options are there?

Three routes, increasing in independence. One: a retention policy within Microsoft 365 itself — no extra cost with the right licence, but no copy outside the tenant. Two: Microsoft 365 Backup, Microsoft's own backup service, with fast recovery times but storage within the Microsoft ecosystem and consumption-based billing. Three: an external backup supplier (well-known names include Veeam, Acronis and Dropsuite) that periodically copies mail, OneDrive, SharePoint and Teams data to its own, separate storage — the most complete separation between platform and backup.

Which route fits depends on your risk profile and retention obligations. The rules of thumb: recovery must work per item (one mailbox, one file, not just all-or-nothing), the retention window must match your obligations, and recovery must be tested — a backup that has never had a test restore is an assumption. Prices vary by supplier and number of users; expect an amount per user per month and request current pricing from the supplier.

And Google Workspace?

The same principle applies to Google Workspace: the recycle bin in Drive and Gmail is a recovery provision with a limited window, not a backup. There too the three-way split is the same — built-in retention (Google Vault, for archiving and e-discovery) versus an external backup with its own storage and its own retention windows. Anyone switching platforms would do well to design the backup strategy into the migration rather than after it; see our migration step-by-step plan.

In both ecosystems the mistaken assumption is the same: 'it's in the cloud, so it's safe'. The cloud protects against broken hard drives — not against human error, malicious intent or obligations that run longer than a recycle bin.

How to set it up in practice

Four steps. One: determine the required retention window per data type (administration seven years; project data and mail to your own policy). Two: choose the route — a retention policy, Microsoft 365 Backup or an external supplier — and record what is and isn't covered (don't forget shared mailboxes and Teams). Three: automate the coverage, so that new employees and new sites are automatically included. Four: schedule a periodic test restore and record the result.
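The four steps can be recorded as a small coverage audit that checks each data source against the rules of thumb above. This is an added example, not part of the original article or any vendor tool; the field names, the 180-day test interval and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEFAULT_DAYS = {"sharepoint": 93, "onedrive": 93, "mailbox": 30}  # windows quoted in the article
IN_TENANT = {"retention_policy"}   # route one: no copy outside the tenant
TEST_INTERVAL_DAYS = 180           # assumption: the article only says "periodic"

@dataclass
class Source:
    name: str
    kind: str                      # "mailbox", "sharepoint" or "onedrive"
    required_days: int             # step one: the retention window you determined
    route: Optional[str] = None    # None, "retention_policy", "m365_backup" or "external"
    kept_days: int = 0             # retention configured on that route
    per_item: bool = False         # can one mailbox or one file be restored?
    last_test: Optional[date] = None

def audit(src: Source, today: date) -> list[str]:
    """Return the gaps for one data source, following the article's rules of thumb."""
    if src.route is None:
        return [f"defaults only: recoverable for {DEFAULT_DAYS[src.kind]} days, "
                f"required {src.required_days}"]
    gaps = []
    if src.kept_days < src.required_days:
        gaps.append(f"retention {src.kept_days} days is below required {src.required_days}")
    if src.route in IN_TENANT:
        gaps.append("no copy outside the tenant")
    if not src.per_item:
        gaps.append("no per-item recovery")
    if src.last_test is None:
        gaps.append("test restore never performed")
    elif (today - src.last_test).days > TEST_INTERVAL_DAYS:
        gaps.append(f"last test restore {(today - src.last_test).days} days ago")
    return gaps

SEVEN_YEARS = 7 * 365
# Constructed sample inventory; names and dates are illustrative only.
INVENTORY = [
    Source("shared mailbox info@", "mailbox", 365),
    Source("Administration site", "sharepoint", SEVEN_YEARS, "retention_policy",
           SEVEN_YEARS, True, date(2024, 5, 1)),
    Source("Project OneDrive", "onedrive", 365, "external", 730, True, date(2024, 5, 20)),
    Source("Teams files", "sharepoint", 365, "external", 730, True, None),
]

def report(today: date = date(2024, 6, 1)) -> dict[str, list[str]]:
    return {s.name: audit(s, today) for s in INVENTORY}

if __name__ == "__main__":
    for name, gaps in report().items():
        print(name, "->", gaps or "ok")
```

Keeping the inventory in a file that is regenerated whenever users or sites are added gives step three something to check against, and the output doubles as the recorded result for step four.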

Backup is also a fixed part of the NIS2 duty of care (business continuity); the full list of measures is in the NIS2 checklist for SMEs. Under our Microsoft 365 management we set this up and monitor it — including that test restore.

In short

  • Microsoft works on a shared-responsibility model: it protects the service, you remain responsible for your data.
  • Default windows are weeks, not years: 93 days in the recycle bin for SharePoint/OneDrive (Microsoft Support), 30 days for a deleted mailbox.
  • Three routes: a retention policy (within the tenant), Microsoft 365 Backup (Microsoft's own service) or an external backup supplier with separate storage.
  • Test every solution on per-item recovery, an appropriate retention window (administration: seven years) and a periodic test restore.
  • The same applies to Google Workspace: recycle bin and Vault are not an independent backup.

Frequently asked questions

Doesn't Microsoft back up my data itself?

Microsoft protects the service and recovers from outages on its side, but works on a shared-responsibility model: your data remains your responsibility. The built-in provisions are recovery options with limited windows (among them 93 days in the recycle bin for SharePoint/OneDrive files and 30 days for a deleted mailbox), not an independent backup.

How long can I recover a deleted file or mailbox?

Files in SharePoint and OneDrive: 93 days in total via the recycle bin (first and second stage combined; Microsoft Support). A deleted mailbox can be recovered for 30 days by default. After that, recovery without your own backup is no longer possible.

Isn't a retention policy (Purview) enough?

A retention policy prevents data from actually disappearing within the chosen window and helps with retention obligations, but it stays within the same tenant: it does not protect against a compromised environment and requires the right licences and configuration. For many organisations it is part of the solution, alongside an independent copy.

What does a Microsoft 365 backup cost?

External backup services typically charge an amount per user per month; the level varies by supplier, retention window and data volume. Request current pricing from suppliers (well-known names include Veeam, Acronis and Dropsuite) and factor it into your total workplace cost per user.

Does this apply to Google Workspace too?

Yes, the same principle: recycle bins and Vault are recovery and archiving provisions, not an independent backup. Anyone who wants to be sure they can recover after mistakes, malicious intent or ransomware should arrange an external copy with their own retention windows there too.

Written by Hugo Eleveld · Updated . This article is informational; for tailored advice book an intro call.
