Protect your business data with Spanning’s Microsoft 365 backup and recovery software

Yes, Microsoft Office 365 does have measures in place to backup and protect your information. However, it's important to understand that this protection operates under a shared-responsibility model. Microsoft takes care of physical security at their data centers, as well as data storage replication and redundancy.

Microsoft performs regular data backups as part of their commitment to safeguarding your data and ensuring it's available in case of a disaster. These backups are aligned with their uptime service level agreement (99.9%). Nevertheless, it's crucial to note that your organization retains the ultimate responsibility for data protection. These backups are not accessible to administrators or end users and are not designed for easy and swift data restoration.

While it is possible to retrieve lost data through Microsoft Office 365's backups, the process can be arduous, expensive, and disruptive to business continuity. This is why as part of the shared-responsibility model its important to have a third party backup and recovery solution, such as Spanning, for your data.

Microsoft Office 365 retention policies and capabilities are varied across its numerous services and tend to change with some frequency. While each service comes with a default, retention policies can be customized by administrators and are often used by organizations to manage and govern their data by establishing a preferred schedule of retaining and deleting content. This practice, however, does little to absolve organizations from their data protection obligations.

Retention policies can be applied in a variety of manners depending on the retention and deletion needs of an organization. They can be set to apply across an entire tenant or configured to affect only certain users and/or locations. Similarly, policies can be applied across all content types or restricted to content meeting specified conditions. For more detailed information on Microsoft Office 365 retention policies and how to manage them, please see Microsoft's overview of retention policies.

The default retention setting for all messages and folders within Microsoft Office 365 is “Never Delete”. As such, Microsoft Office 365 emails and the contents of which should remain accessible unless acted upon by the user or systematically deleted via custom retention policy. In other words, Microsoft Office 365 has no stated policy of deleting emails automatically once they reach a certain age.

In the event that an email is deleted, it is first moved to the Deleted Items folder, which also has an unlimited retention setting. Items can be manually restored by the end user from the Deleted Items folder. If an item is deleted from this folder it moves to the Recoverable Items folder, which has a retention period of 14 days (admins can extend this period to a maximum of 30 days). Users and admins can recover items from this folder one at a time via a process known as Single Item Recovery. Once an item exceeds the retention period or is further deleted, it is moved to the Purge Folder.

Emails that have reached the Purge Folder will be retained for a maximum of 14 days. From here, only admins are able to use the Single Item Recovery feature to recover items for their end users. Once the 14-day retention period expires, items are permanently deleted from the tenant and become unrecoverable if a backup solution is not in place.

Microsoft Office 365 accounts are generally rendered inactive in the wake of an employee's departure or extended absence from an organization. An admin will often choose to remove this account in which case the user's data and account become restorable for a 30-day period before it is permanently deleted. In order to avoid critical data loss, the admin should consider what they want to do with the license moving forward and how they would like to deal with the departed user's OneDrive and email content before deleting the user (removing the account) from the organization. To learn more, read Microsoft's advice on deleting a user from your organization.

If a Microsoft Office 365 user account is deleted from a tenant there is a 30-day window to restore the account and all associated data. This 30-day period in known as the “soft deleted” state and there is a documented process (dependent on the manner of deletion) by which an admin may fully recover the user account. Once this 30-day retention period expires, the account is permanently deleted (hard deleted) and cannot be recovered if a backup and recovery solution is not in place.

Microsoft has taken extensive measures to alleviate the risks of data loss within Microsoft Office 365 and has put safeguards in place to ensure your data's safety from any fault on their behalf. However, they cannot protect you from the actions of your users and threats beyond their control that constitute the majority of data loss events.

Even with an SLA that promises to keep your data accessible 99.9% of the time, they make no guarantee that their services are immune from disruption and “recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.” The bottom line is that the safety of your Microsoft Office 365 data is your responsibility and Microsoft alone cannot defend you from data loss.