You and Microsoft 365 already have a great relationship. It provides services such as access to tools like Excel, Outlook, and Teams, gives you Cloud storage, AI features, and advanced security. It seems as if Microsoft 365 has it all and does it all, so why would you need to add a third party to this already perfect relationship?
As amazing as Microsoft 365 is, something it does not provide is a traditional, comprehensive backup service in the way many people assume, and does not provide infinite email retention. What Microsoft 365 can provide in terms of backups is this:
- High Availability and Geo-Redundancy: Microsoft’s primary focus is on ensuring the service is always available and that your data isn’t lost due to infrastructure failures. They replicate your data across multiple data centers, so if one goes down, your data is still accessible from another. This is for disaster recovery at the infrastructure level, not for individual user recovery of deleted items.
- Versioning (for some data types like OneDrive/SharePoint): OneDrive and SharePoint offer versioning, allowing you to revert to previous versions of files. This is not the same as a full mailbox backup.
- Recycle Bins and Recoverable Items Folders:
- Deleted Items Folder: When you delete an email, it goes here.
- Recoverable Items Folder: If you permanently delete an email from the Deleted Items folder, it moves to a “Recoverable Items” folder. By default, items stay here for 14 days, though an administrator can extend this to 30 days. After this period, the items are purged. This is a “soft delete” and not a true long-term backup.
- Retention Policies and Litigation Holds (Microsoft Purview):
- Retention Policies: These are powerful compliance tools that allow organizations to proactively retain or delete content (including emails) for specific periods (e.g., 7 years, 10 years, or even indefinitely).
- If a retention policy is in place, even if a user deletes an email, a copy is automatically retained in a secure, hidden location (the “Recoverable Items” folder for Exchange, or “Preservation Hold Library” for SharePoint) where users cannot access it directly.
- These policies are designed for compliance and eDiscovery, ensuring that data required for legal or regulatory purposes is not permanently deleted.
- Litigation Holds: Similar to retention policies, a litigation hold prevents content from being permanently deleted, even if a user attempts to do so. This is typically used during legal cases.
- Retention Policies: These are powerful compliance tools that allow organizations to proactively retain or delete content (including emails) for specific periods (e.g., 7 years, 10 years, or even indefinitely).
Key Distinction: While retention policies can keep emails for a very long time (even “forever” if configured that way), this isn’t a “backup” in the traditional sense for end-user recovery. It’s about data governance and ensuring discoverability for legal/compliance reasons. The data is still “in place” within Microsoft 365, but it does not allow for independent file recovery by users.
The Benefits of Adding a Third
Although Microsoft 365 does have robust retention and availability features, they explicitly state that customers are responsible for their own backup and recovery. Here are why the built-in features are not a substitute for a dedicated backup solution and why it may be beneficial to add a third-party backup system to your relationship:
- Accidental Deletion/User Error: While the recoverable items folder offers a short window, a user could accidentally or intentionally delete an email, and if it goes unnoticed past the retention period, it’s gone.
- Malicious Deletion: A disgruntled employee or a compromised account could intentionally delete large amounts of data. Retention policies help, but a separate backup provides an independent copy.
- Ransomware/Malware: While Microsoft 365 has strong security, a sophisticated attack could still compromise data. A separate, off-site backup provides an air-gapped recovery point.
- Configuration Errors: An administrator could accidentally delete an entire mailbox or misconfigure a retention policy, leading to data loss.
- Granular Recovery: Microsoft’s native recovery options for large-scale data loss might not offer the granular control (e.g., restoring a single email from a specific date without affecting the rest of the mailbox) that a dedicated backup solution provides.
- Long-Term Archiving/Disaster Recovery beyond Microsoft’s SLA: While Microsoft has high availability, their Service Level Agreement (SLA) for data recovery in a catastrophic event might not meet your organization’s specific RTO (Recovery Time Objective) or RPO (Recovery Point Objective) requirements. Third-party backups often offer faster and more flexible recovery options.
- Compliance with Specific Regulations: Some industries or regulations require independent backups, not just in-place retention.
Microsoft 365 offers excellent data availability and robust retention capabilities for compliance. However, it’s designed to protect against infrastructure failures and to meet specific data governance needs. It does not provide infinite, granular backups for all user-initiated data loss scenarios or protection against sophisticated cyber threats in the way a dedicated third-party backup solution does. Many organizations opt for third-party backup solutions, like Veeam, AvePoint, Druva, etc. to ensure comprehensive, long-term, and flexible recovery options for their Microsoft 365 data, including emails. So don’t be afraid about adding a third to strengthen your already great relationship with Microsoft 365. Ultimately, it will benefit all parties and improve your organization’s security.
