What Microsoft 365 Doesn't Back Up — And What You Stand to Lose

Microsoft 365 is the productivity backbone of most South African enterprises. Email in Exchange Online, documents in SharePoint, files in OneDrive, conversations in Teams — all of it lives in Microsoft's cloud. When IT directors tell us they haven't invested in a separate backup solution because "it's all in the cloud," we understand the reasoning. We also know how it ends.

Microsoft operates its cloud infrastructure with exceptional reliability. But reliability is not the same as protection. Your data can disappear from a Microsoft 365 tenant in ways that Microsoft's own infrastructure cannot recover from — and the fine print of your service agreement already tells you this.

What Microsoft Actually Provides

Microsoft builds redundancy into its infrastructure to protect against hardware failure, data-centre outages, and service disruptions. If a storage node fails, your data survives on a replica. If an entire data centre goes offline, another region takes over. This protects Microsoft — it ensures the service remains available.

What it does not protect against is your own actions, or the actions of someone inside your organisation.

Microsoft does provide some built-in recovery features:

• Recycle Bins in SharePoint and OneDrive retain deleted items for 93 days before permanent deletion.
• Deleted Items and Recoverable Items folders in Exchange Online allow recovery within configurable retention windows.
• Version history in SharePoint and OneDrive keeps previous file versions for a limited period.
• Microsoft 365 Backup (a paid add-on) offers faster point-in-time restore for SharePoint, OneDrive, and Exchange — but does not cover all services and comes at additional cost per licence.

These are useful features. They are not a backup strategy.

The Four Gaps Microsoft Cannot Close

1. Accidental Deletion Beyond the Retention Window

The 93-day recycle bin window in SharePoint sounds generous — until you consider that data loss is often discovered weeks or months after it occurs. A project folder deleted by a departing employee in January may not be missed until March. A misconfigured archiving rule that quietly purged records may go unnoticed until an audit request lands.

Once the retention window closes, the data is permanently deleted. Microsoft will confirm this in writing if you contact their support team.

This is not a theoretical risk. In our experience engaging with enterprise IT teams across South Africa, "we didn't know it was gone until we needed it" is the single most common precursor to an emergency data recovery conversation — and by that point, there is often nothing to recover.

2. Ransomware and Malicious Deletion

Modern ransomware attacks specifically target cloud-connected drives. OneDrive sync clients, SharePoint connectors, and Exchange integrations mean that encrypted or destroyed files can propagate to your Microsoft 365 tenant within minutes of a workstation infection.

Ransomware operators have also adapted to exploit Microsoft 365's own retention mechanisms. Techniques that cycle through file versions, exhaust version history limits, delete recovery items, and purge audit logs have been documented in active campaigns. If the attack is sophisticated enough, the version history you were counting on may no longer exist by the time you realise what has happened.

A compromised administrator account — accessed via phishing, credential stuffing, or a leaked token — can delete an entire SharePoint site collection, purge Exchange mailboxes, revoke licence assignments, and destroy Teams channel history within a single session. If the recycle bin is emptied before detection, there is no Microsoft-side recovery path.

3. Tenant Misconfigurations and Administrator Errors

Microsoft 365 tenants are complex environments. Retention policies, eDiscovery holds, compliance labels, sensitivity policies, and DLP rules interact in ways that even experienced administrators regularly misconfigure.

A common scenario: a retention policy applied to "All Mailboxes" is modified to exclude a distribution list. The intent is to remove the policy from shared mailboxes no longer in scope. The actual result is that the policy lifts from 40 active inboxes, which are purged during the next scheduled compliance clear. No malicious intent. No recovery path.

Administrator errors of this kind are among the most common causes of data loss in Microsoft 365 environments — and they fall entirely outside Microsoft's responsibility under the Shared Responsibility Model. That model states clearly: Microsoft is responsible for the infrastructure; the customer is responsible for the data.

4. Licence Removal and Account Deprovisioning

When a user's Microsoft 365 licence is removed, a deletion timer starts. Exchange Online mailboxes are typically retained for 30 days after licence removal before permanent deletion. OneDrive files are retained for the period configured in your admin centre (default: 30 days, maximum: 180 days).

This creates a serious problem in organisations with high employee turnover, frequent restructuring, or aggressive licence management. Data belonging to former employees — often the most audit-critical data in the event of litigation or a POPIA data subject request — is quietly deleted on a schedule that most IT teams are not actively monitoring.

In several engagements we've conducted, organisations discovered months after the fact that mailboxes for former senior staff had been silently deleted, taking with them years of client correspondence that would have been material in ongoing disputes.

The POPIA Dimension

South Africa's Protection of Personal Information Act (POPIA) introduces a specific compliance obligation to this risk. The Act requires organisations to take "appropriate, reasonable technical and organisational measures" to prevent loss, damage, or unlawful destruction of personal information.

A Microsoft 365 tenant without a third-party backup cannot demonstrably meet this requirement:

Data subject access requests under POPIA Section 23 require the ability to locate and provide all personal information held on an identified data subject. If records have been deleted beyond Microsoft's retention window — whether through normal operations, an admin error, or an attack — compliance becomes impossible.

Data breach notification under POPIA Section 22 requires organisations to determine the scope of a breach thoroughly. Without backup logs showing what existed before a destructive event, accurately scoping the breach is not feasible.

Regulated retention periods in financial services (under FAIS and FSCA rules), legal practice, and healthcare (under HPCSA records guidelines) extend significantly beyond Microsoft's 93-day recycle bin window. Relying solely on Microsoft's built-in retention does not satisfy these obligations.

The Information Regulator has made clear that "it's in the cloud" is not a defence for inadequate data protection. Your organisation remains the responsible party for the personal information you process — regardless of where it is stored.

What Purpose-Built Backup Actually Provides

A third-party SaaS backup solution — such as Druva, which Montana Data Company deploys and manages — addresses each of these gaps with capabilities that Microsoft's platform does not offer:

Point-in-time recovery. Snapshots of Exchange Online, SharePoint, OneDrive, and Teams taken daily or more frequently allow restoration to any point in time across the full backup history — not limited to Microsoft's 93-day window. Recovery from a ransomware event that occurred six months ago is possible in minutes.

Ransomware-specific protection. Backup copies reside in immutable cloud storage completely outside the blast radius of a compromised Microsoft 365 tenant. Anomaly detection identifies abnormal deletion or encryption patterns and can trigger automated alerts or preservation holds.

Granular restore. Restore a single email, an individual SharePoint folder, or an entire mailbox without a full-tenant restore. This is critical for litigation support, internal investigations, and POPIA data subject access requests.

Offboarding and licence protection. Backup coverage extends to data belonging to deprovisioned accounts, ensuring former employee records are retained for the full legally required period regardless of licence status or admin actions.

Audit-ready documentation. An independent, tamper-evident record of data state at each backup point is available for internal investigations, external audits, and legal proceedings.

Five Questions to Test Your Exposure Right Now

Ask your IT team:

1. If a SharePoint site collection were accidentally deleted today, what is the maximum data we could lose?
2. If ransomware encrypted 10,000 OneDrive files three months ago and we only discovered it now, can we recover?
3. Are retention policies covering all mailboxes — including shared mailboxes, resource accounts, and distribution lists?
4. What is our OneDrive retention period after user deprovisioning, and is anyone monitoring that timer?
5. Can we produce a complete archive of any individual's email history for the past five years in response to a POPIA access request?

If any answer is "I'm not sure" or "no," your organisation has unacceptable exposure in the Microsoft 365 environment.

Montana Data Company offers a complimentary M365 Backup Gap Assessment that maps your current tenant configuration against POPIA retention requirements and delivers a practical remediation plan. Reach out to arrange a consultation.