Montana Data Company
SaaS Protection

How to Back Up Microsoft 365 for Your Business

Microsoft 365 doesn't back up your data automatically. Here's a plain-English guide to your options — from native retention policies to third-party backup — and which approach actually works.

2 July 20268 min readMontana Data Company · Data Protection Team

If you have read that Microsoft 365 does not back up your data, you are now asking the obvious next question: what do I do about it?

You have three options. Understanding what each one provides — and where each one fails — will tell you quickly which approach is right for your organisation.

Option 1: Microsoft's Native Retention Features

Microsoft 365 includes several built-in features that provide limited data retention. These are not backup — but they are worth understanding because many organisations rely on them without realising their limitations.

Recycle Bins

SharePoint and OneDrive have two-stage recycle bins. Deleted items go to the first-stage bin for 93 days. After that, they move to a second-stage bin for another period before permanent deletion. The total window before permanent deletion can reach 180 days in some configurations.

Limitation: Once both stages are emptied — whether by a user, an administrator, or a ransomware attack that deliberately purges the bin — the data is permanently gone. There is no recovery path.

Version History

SharePoint and OneDrive maintain previous versions of files. By default, up to 500 versions are retained. This allows you to revert a file to an earlier state if it is overwritten or corrupted.

Limitation: Version history does not protect against deletion. If a file is deleted, its version history is deleted with it. Ransomware that encrypts files rather than deleting them will propagate those encrypted versions through the sync client, overwriting clean versions in version history over multiple sync cycles.

Litigation Hold and eDiscovery

Microsoft 365's compliance features allow administrators to place holds on mailboxes and SharePoint sites, preserving content that would otherwise be deleted. This is primarily designed for legal discovery purposes, not operational recovery.

Limitation: Litigation holds are administratively complex, require E3 or E5 licensing, and are not designed for point-in-time recovery of specific items. They are a legal tool, not a backup tool.

Microsoft 365 Backup (Paid Add-On)

Microsoft now offers a paid backup add-on for Microsoft 365, providing faster point-in-time restore for SharePoint, OneDrive, and Exchange Online. At time of writing it covers these three services but not Teams recordings, Planner, or other Microsoft 365 workloads.

Limitation: This is a meaningful improvement over relying solely on recycle bins and version history, but it does not cover all Microsoft 365 data, and the restore granularity and retention options are more limited than purpose-built third-party solutions. Pricing is per-user per-month on top of existing Microsoft 365 licensing.

Bottom line on native features: For organisations with simple requirements, minimal compliance obligations, and low risk tolerance for data loss, native retention features may be sufficient — with the clear understanding that they are not backup and will fail in several common scenarios. For most South African businesses with POPIA obligations and real-world recovery requirements, they are not enough.

Option 2: Manual Export and Archiving

Some organisations attempt to address the backup gap by periodically exporting their Microsoft 365 data — running PST exports of mailboxes, downloading SharePoint document libraries, exporting Teams chat history — and storing those exports somewhere else.

What this approach provides: A snapshot of your data at the time of export. If you export monthly, you have a recovery point that is up to 30 days old.

Why it usually fails in practice:

  • Manual exports are rarely done consistently. The first month happens, then someone forgets, then it becomes quarterly, then it stops.
  • Exports are typically stored on a network drive or local storage that is itself vulnerable to the same incidents (ransomware, hardware failure) as the data it is meant to protect.
  • Restoring from a PST export to a live Exchange mailbox is a technically complex operation that most organisations have never tested and cannot do quickly in an emergency.
  • Teams data, SharePoint permissions, and metadata are not fully captured by standard export tools.

Manual export is better than nothing, but only marginally. It introduces operational discipline risks, storage risks, and recovery complexity that make it unreliable as a primary strategy.

Option 3: Third-Party Backup (The Right Approach)

Purpose-built third-party Microsoft 365 backup solutions connect to your tenant via Microsoft's APIs and take automated, scheduled snapshots of all your Microsoft 365 data — Exchange Online, SharePoint, OneDrive, Teams, and often additional workloads — storing them in independent cloud storage outside your Microsoft tenant.

This approach provides what the other options do not:

Complete coverage: All Microsoft 365 workloads captured — not just the three services Microsoft's own backup add-on covers.

Independent storage: Backup data is stored outside your Microsoft 365 tenant. If your tenant is compromised, the backup is unaffected. Many platforms use immutable storage, meaning backup data cannot be deleted even by a compromised admin account.

Point-in-time recovery: Restore any item — a single email, a SharePoint file, an entire mailbox — to its state at any snapshot point within your retention window. If ransomware was active for three weeks before you detected it, you restore to a point four weeks ago.

Granular restore: Recover a single deleted email without a full mailbox restore. Recover a specific version of a SharePoint document without restoring the entire site. This is critical for POPIA data subject access requests and internal investigations.

Long retention: Most third-party platforms offer retention windows of one, three, or seven years — covering regulated retention requirements for financial services, healthcare, and legal practices that extend far beyond Microsoft's 93-day recycle bin.

Monitoring and alerting: Backup jobs are monitored automatically. Failures trigger immediate alerts. You are not relying on someone remembering to check.

What to Look for in an M365 Backup Solution

When evaluating third-party options, check these specifically:

  • Coverage: Does it back up Exchange, SharePoint, OneDrive, Teams (messages, files, recordings), and any other workloads you use?
  • Restore granularity: Can you restore a single item without a full restore?
  • Retention options: Can you configure retention per workload? Does it support the retention periods your regulatory obligations require?
  • Immutability: Is backup data stored immutably, or can it be deleted via the admin console?
  • POPIA compliance: Where is data stored? Is a data processing agreement available?
  • Pricing model: Per-user, per-GB, or a combination? What is the cost at your scale?

Druva for Microsoft 365

Montana Data Company deploys Druva's Microsoft 365 backup as our primary recommended solution for South African businesses. Druva backs up Exchange Online, SharePoint, OneDrive, and Teams data automatically, stores it in immutable cloud storage, and provides granular point-in-time restore with a retention window configurable up to seven years.

For a business of 25 users, Druva M365 backup typically costs R1,800–R3,500 per month through Montana, depending on data volume and retention configuration. That cost is a fraction of the exposure it eliminates.

The Steps to Get Microsoft 365 Backup in Place

Getting a third-party M365 backup solution running is straightforward:

  1. Assess your environment: Identify the workloads in scope (Exchange, SharePoint, OneDrive, Teams), approximate mailbox sizes and SharePoint data volumes, and your retention requirements.
  2. Choose a solution and configure the connector: Third-party solutions connect to Microsoft 365 via OAuth or service account credentials with read access to your tenant. No software is installed on your endpoints.
  3. Run the initial backup: The first full backup of a large tenant can take 24–72 hours depending on data volume and connection speed. Subsequent incremental backups run in minutes.
  4. Verify the backup: Perform a test restore of a mailbox item and a SharePoint file before relying on the solution for real recovery.
  5. Set up monitoring: Ensure backup job failures generate alerts to a named owner, not a shared inbox.

If you are currently relying on Microsoft 365's native retention features — or not thinking about M365 backup at all — a gap assessment will show you specifically what your current exposure looks like and what a properly configured third-party solution would change. Most organisations can have Druva M365 backup running within a week of deciding to proceed.

Microsoft 365SaaS BackupCloud BackupDruvaPOPIA
Back to all articles

More in SaaS Protection

SaaS Protection

What Microsoft 365 Doesn't Back Up — And What You Stand to Lose

Microsoft 365 is not a backup solution. Here's exactly what falls through the gaps — accidental deletion, ransomware, admin errors, and licence removal — and what South African organisations need to do about it.

SaaS Protection

How to Back Up Salesforce Data: A Business Guide

Salesforce does not back up your data the way most businesses assume. Here's what Salesforce retains, the common data loss scenarios it cannot recover from, and how to protect your CRM properly.

SaaS Protection

Salesforce Data Loss: 5 Scenarios Nobody Talks About

Salesforce doesn't guarantee data recovery. Here are five ways organisations lose CRM data permanently — and what a proper backup strategy looks like for the world's most critical sales platform.

Monty

Montana Data Assistant

Hi, I'm Monty, your Montana Data Company assistant. How can I help you today?