Microsoft 365 Backup: The 2026 Shared Responsibility Guide
Last week an Istanbul accounting office called: an intern had accidentally deleted the entire team’s OneDrive folder. “We use Microsoft 365 — there’s automatic cloud backup, right?” No, there isn’t. Microsoft commits to keeping the servers running. Backing up your data is not their job.
In 20 years of managing IT for SMBs, this misunderstanding shows up every month. This guide explains Microsoft’s “shared responsibility” model, the actual retention windows, and a concrete backup plan for organisations of 1–50 users.
What does Microsoft’s shared-responsibility model actually mean?
The Microsoft Services Agreement in one line: “Your data belongs to you; backing it up is entirely your responsibility.” Microsoft’s commitment is limited to infrastructure uptime (99.9% SLA), hardware failure handling, and keeping the service available.
| Responsibility | Microsoft | You |
|---|---|---|
| Datacentre, server, network | ✓ | — |
| Application uptime (99.9% SLA) | ✓ | — |
| Accidental deletion, ransomware | — | ✓ |
| Insider attack, departing employee damage | — | ✓ |
| Legal retention (KVKK, tax codes) | — | ✓ |
What you “get for free” — and what you don’t
What Microsoft 365 includes by default:
- OneDrive / SharePoint Recycle Bin — 93 days. After that, data is permanently deleted.
- Exchange Online deleted items — 14 days by default (extendable to 30).
- Litigation Hold (E3/E5 or Exchange Online Plan 2) — indefinite hold for compliance, but it’s a hold, not a backup. If a malicious admin disables it, data goes.
- Version history — works only for files that already exist. If the folder is deleted, versions go with it.
What it does not cover:
- Ransomware encrypting your OneDrive — the encrypted versions sync to the cloud and overwrite history.
- A departing employee deleting their mailbox/OneDrive — after 30 days the mailbox is gone.
- A misconfigured Power Automate flow that mass-deletes SharePoint items — Recycle Bin fills up, hits its quota, oldest items disappear.
- Long-term retention for KVKK / tax law (10 years).
What an actual M365 backup solution does
A proper third-party M365 backup product:
- Takes immutable snapshots of Exchange, OneDrive, SharePoint and Teams data on a daily cadence.
- Stores those snapshots outside the Microsoft tenant (on Azure, AWS or vendor infrastructure).
- Provides granular restore: an individual mailbox item, a SharePoint folder, a Teams channel — to a point-in-time, weeks or months back.
- Includes ransomware detection (anomalous deletion patterns trigger alerts).
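
An added example, not code from any backup product or from this article's author: a minimal sliding-window detector for the "anomalous deletion patterns" mentioned in the last item, run over constructed records shaped like Microsoft 365 unified audit log entries. The threshold, the window length, the helper names and the sample accounts are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Deletion operations as named in the Microsoft 365 unified audit log.
DELETE_OPS = {"FileDeleted", "FileRecycled", "FolderDeleted", "FolderRecycled"}


def detect_mass_deletion(records, threshold=5, window=timedelta(minutes=10)):
    """Flag users with at least `threshold` deletions inside a sliding `window`.

    Returns {user: {"start": datetime, "peak": int}}, where "peak" is the
    largest number of deletions seen inside any single window.
    """
    events = sorted(
        (datetime.fromisoformat(r["CreationTime"]), r["UserId"])
        for r in records
        if r["Operation"] in DELETE_OPS
    )
    recent = defaultdict(deque)  # user -> deletion timestamps still in the window
    alerts = {}
    for ts, user in events:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop deletions older than the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(user, {"start": q[0], "peak": 0})
            alert["peak"] = max(alert["peak"], len(q))
    return alerts


def make_record(time, user, op, path):
    """Build one constructed audit record (hypothetical helper)."""
    return {"CreationTime": time, "UserId": user, "Operation": op, "ObjectId": path}


# Constructed sample records, not real tenant data.
SAMPLE = (
    # Burst: one account recycles eight files in under two minutes.
    [make_record(f"2026-03-02T09:1{i // 6}:{(i % 6) * 10:02d}", "intern@example.com",
                 "FileRecycled", f"/Finance/doc{i}.xlsx") for i in range(8)]
    # Normal housekeeping: five deletions spread over a working day.
    + [make_record(f"2026-03-02T{9 + 2 * i:02d}:00:00", "clerk@example.com",
                   "FileRecycled", f"/Archive/old{i}.pdf") for i in range(5)]
    # Non-deletion activity is ignored.
    + [make_record("2026-03-02T09:11:00", "intern@example.com",
                   "FileModified", "/Finance/a.xlsx")]
)

if __name__ == "__main__":
    for user, a in detect_mass_deletion(SAMPLE).items():
        print(f"ALERT {user}: {a['peak']} deletions in 10 min, from {a['start']}")
```

The same number of deletions spread across a day does not alert, which is why the window matters as much as the count.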
The realistic price range: 3–6 USD per user per month for full M365 backup. For a 30-person SMB, that’s 90–180 USD/month — less than the cost of recreating two days of work after an incident.
When the discussion gets real: KVKK & tax retention
Turkish data-protection law and tax codes impose retention windows that go well beyond M365 native retention:
- Tax records: 10 years (Tax Procedure Law).
- Employment records: 10 years post-separation.
- KVKK-relevant processing: as long as the legal basis exists.
Microsoft’s Litigation Hold technically allows this, but operationally it’s not a viable long-term archive — it lacks the discovery, lifecycle and tiered-storage features of a true archive system. For organisations under serious retention obligations, third-party backup + archive is the practical answer.
A 30-day backup setup for SMBs
Day 1–5 — Inventory. What’s in M365? Identify the high-value workloads (executive mailboxes, finance SharePoint, project Teams).
Day 6–15 — Pick a tool. The market leaders: Veeam Backup for M365, Acronis Cyber Protect (Microsoft 365 SKU), Datto SaaS Protection, Barracuda Cloud-to-Cloud Backup. Match feature set to your retention obligations and budget.
Day 16–25 — Deploy & verify. First full backup typically completes in 24–72 hours. Run two restore tests: a mailbox item, a SharePoint folder.
Day 26–30 — Document. Write the runbook: how to restore, who has access, what the RPO/RTO commitments are.
Frequently asked questions
Doesn’t Microsoft’s new Microsoft 365 Backup service replace this? Microsoft 365 Backup (GA in 2024) is a Microsoft-native backup option, but it comes with constraints: it is tied to your tenant, has limited retention, and lacks granular cross-tenant restore. For most regulated organisations it’s a complement, not a replacement, for third-party backup.
Our Microsoft partner says they handle backup. Is that enough? Ask specifically: which workloads, what retention, where is the backup stored, what’s the restore SLA, and is there a recent successful restore test? “We have backups” without these answers usually means very little.
What’s the typical first-incident cost without backup? Lost time + business disruption typically lands in the 5,000–20,000 USD range for a single OneDrive folder loss at a mid-size SMB. We’ve seen six-figure costs when ransomware hits without backup.
Bottom line
Microsoft 365 is not a backup. You are responsible for the data. The right architecture for 2026 is M365 + a dedicated third-party backup product, properly configured, with regular restore testing. To evaluate the right backup tool for your environment and configure it, contact us for a free assessment.