Is Microsoft 365 Backed Up? What Singapore Businesses Should Know

Is Microsoft 365 backed up? What every Singapore business should know

It is one of the most dangerous assumptions in business IT: that because your email and files live in Microsoft 365, Microsoft is backing them up for you. Most businesses believe this, and most are wrong. The truth catches people out at the worst possible moment, when something has been deleted, an employee has left, or ransomware has struck, and they discover the data is simply gone. This guide explains exactly what Microsoft does and does not protect, where the gaps are, and what you actually need to be safe. The same logic applies to Google Workspace, so if you are on that instead, read on, it affects you too.

The short answer

No, Microsoft 365 is not backed up in the way most people assume. Microsoft keeps the service running and protects its own infrastructure, but the responsibility for protecting your actual data, your emails, files, Teams messages and SharePoint content, falls on you. This is not a secret. It is written into Microsoft's own service terms, which recommend that you back up your content yourself. The recycle bin and retention features are useful safety nets for recent mistakes, but they are not a backup, and relying on them alone leaves real gaps.

The Shared Responsibility Model, explained plainly

Microsoft operates on what is called a Shared Responsibility Model, and understanding it is the whole point. Microsoft's job is to keep Microsoft 365 available and running: if a data centre fails or a server dies, Microsoft handles the failover and keeps the service online. That is genuinely excellent, and it is what their replication across data centres is for. But that replication protects against Microsoft's problems, not yours. If you delete a mailbox, if an employee wipes their files, if ransomware encrypts your documents, Microsoft's systems faithfully replicate that deletion or encryption across every copy. The data being available is Microsoft's job. The data being recoverable after human error or attack is yours.

What the native tools actually do, and for how long

Microsoft 365 does include some recovery features, but each has firm time limits and none is a real backup. It helps to know the actual numbers:

Exchange Online (email). Deleted items go to a Recoverable Items area and are kept for 14 days by default, extendable to 30 by configuration. After that, they are permanently purged.
SharePoint and OneDrive (files). Deleted files sit in a two-stage recycle bin for a total of 93 days, then they are permanently deleted. There is no retroactive extension once that window passes.
Microsoft Teams. Teams files actually live in SharePoint and OneDrive behind the scenes, so they follow the same 93-day limit.
Version history. Useful for rolling back an unwanted edit to a single file, but no help at all against bulk deletion or ransomware affecting thousands of files.
Litigation or retention holds. These preserve data for legal and compliance reasons, but they are not a backup either: you cannot restore your environment to how it looked at a specific point in time, which is what real recovery needs.

Notice the pattern: every one of these is time-limited, and none offers point-in-time recovery, the ability to roll your whole environment back to the morning before disaster struck. That is the single biggest gap.

The real-world ways businesses lose Microsoft 365 data

This is not theoretical. These are the situations we actually see:

Accidental deletion that is noticed too late. Someone deletes a folder or mailbox, nobody realises for a few months, and by the time it matters the recycle bin window has long closed. The data is gone.
A departing employee. This one is especially nasty. When a staff member leaves and their account is removed, their OneDrive data is kept for only around 30 days, with a further admin recovery window, and then it is deleted, or archived behind reactivation fees. Years of a salesperson's files or a manager's records can vanish a month or two after they walk out the door.
Ransomware syncing into the cloud. Modern ransomware encrypts files on a PC, and the OneDrive or SharePoint sync dutifully uploads the encrypted versions over your good ones. Without a clean, separate backup to restore from, the cloud copy is encrypted too.
A malicious or careless administrator. Someone with admin rights can delete content, change retention settings and clear audit logs. Only a backup that sits outside your tenant's control is safe from that.

In every one of these, Microsoft's native tools either run out of time or were never designed to help. A proper backup is what closes the gap.

What a real backup adds

A genuine third-party backup of Microsoft 365 does what the native tools do not: it keeps independent copies of your email, files, Teams and SharePoint data, held separately from your Microsoft tenant, with long or unlimited retention and, crucially, point-in-time recovery so you can restore things exactly as they were before an incident. Because it sits outside your tenant, it survives ransomware, rogue admins and accidental deletion alike. That is the difference between a recycle bin (a short-term undo for recent mistakes) and a backup (a dependable way to get your business data back, whenever and however you lost it).

What about Google Workspace?

If you are on Google Workspace rather than Microsoft 365, none of this lets you off the hook. Google operates on the same shared-responsibility basis: they keep the service running, your data protection is your responsibility. Google Vault is for retention and eDiscovery, not backup, and it will not restore your environment to a point in time after a deletion or ransomware event. The same gaps, the same need for proper backup.

How CARE helps

We provide proper, independent backup for both Microsoft 365 and Google Workspace, covering email, files, Teams, SharePoint and Drive, with the long retention and point-in-time recovery the native tools lack. It is part of our wider backup and disaster recovery service, and it sits alongside the Microsoft 365 and Google Workspace management we do for businesses across Singapore. If you are not sure whether your cloud data is genuinely protected, that is exactly the kind of thing we will check for you honestly.

Not certain your Microsoft 365 or Google Workspace data is safe? Talk to CARE and we will review your setup and close any gaps.

Frequently asked questions

Does Microsoft really not back up my data?
Correct. Microsoft keeps the service running and protects its own infrastructure, but protecting your actual data is your responsibility under their Shared Responsibility Model, and their own terms recommend you back it up. The recycle bin and retention features are short-term safety nets, not a backup.

How long does Microsoft 365 keep deleted items?
Roughly: deleted emails in Exchange for 14 days, extendable to 30; deleted files in SharePoint and OneDrive for 93 days. After that they are permanently gone, with no way to get them back unless you have a separate backup.

What happens to a departing employee's data?
This catches many businesses out. Once the account is removed, OneDrive data is typically kept for only about 30 days plus a limited admin recovery window, then deleted or archived behind fees. Without a backup, that person's files can disappear a month or two after they leave.

If ransomware hits, can I just restore from OneDrive?
Often not. Ransomware encrypts files locally and the sync uploads the encrypted versions over your good ones, so the cloud copy is encrypted too. Recovering cleanly needs a separate backup with point-in-time restore to before the attack.

Is Google Workspace any different?
No. Google works on the same shared-responsibility basis, and Google Vault is for retention and eDiscovery, not backup. Workspace data needs proper independent backup just as Microsoft 365 does.

Can you set up Microsoft 365 or Google Workspace backup for us?
Yes. We provide independent backup for both, with long retention and point-in-time recovery, as part of our backup and disaster recovery service. Talk to CARE and we will make sure your cloud data is genuinely protected.