Skip to main content
by IT Integrations Team

Microsoft 365 Backup for Fort Worth Businesses: Does Microsoft Actually Protect Your Data?

In late 2024, Microsoft started selling a product called Microsoft 365 Backup. It costs about fifteen cents per gigabyte per month, it runs out of the same admin center you already use, and it makes copies of your Exchange mailboxes, SharePoint sites, and OneDrive files. Read that again. Microsoft sells you a backup for the data that already lives in Microsoft's cloud. That single fact answers a question we get from Fort Worth business owners almost every week: if my email and files are in Microsoft 365, isn't Microsoft already backing them up? The honest answer is no, and Microsoft will tell you so themselves. This post explains what Microsoft actually protects, what it leaves to you, how long your deleted data really sticks around, and what real backup looks like for a business here in Fort Worth.

Microsoft protects the platform. You protect the data.

The shared responsibility model, in plain English

Microsoft runs Microsoft 365 under something called the shared responsibility model. In plain terms, Microsoft is responsible for keeping the service running: the data centers, the servers, the network, the uptime, and the physical security of the buildings. You are responsible for your data inside that service. That includes who has access to it, how it is configured, and whether it can be recovered after someone deletes it, encrypts it, or walks off with it.

This is not a fine-print trick. It is written into the Microsoft Services Agreement, updated in July 2025, which states plainly: "We recommend that you regularly backup Your Content and Data that you store on the Services." Microsoft is telling you, in its own terms of service, to keep your own backup. Most business owners have never read that line, and no salesperson is going to point it out during a Microsoft 365 rollout. When we take over Microsoft 365 for a new Fort Worth client, this is often the first surprise: the platform they assumed was protecting everything was never designed to.

Replication is not backup

Here is where the confusion comes from. Microsoft does keep multiple copies of your data across its data centers. That is called replication, and it is real. But replication protects against Microsoft's hardware failing, not against your data going wrong. If a file gets encrypted by ransomware, the encrypted version replicates. If an employee deletes a folder, the deletion replicates. If a mailbox gets wiped, every copy reflects the wipe. Replication keeps the service online. It does not give you a clean copy of yesterday's data to roll back to. Those are two different jobs, and only one of them is backup.

What retention gives you, and where it runs out

Microsoft 365 does have some built-in recovery, and it is genuinely useful for small mistakes. The problem is that people mistake it for a safety net that goes much deeper than it does.

Recycle bins and retention windows

When someone deletes a file in SharePoint or OneDrive, it goes to a first-stage recycle bin, then a second-stage recycle bin. According to Microsoft's own documentation, the total retention across both stages is 93 days. After that, the file is gone. Deleted email in Exchange Online follows shorter default windows measured in days, and when an employee leaves and their account is removed, their OneDrive is kept for 30 days by default before it enters that same deletion pipeline.

Ninety-three days sounds like a lot until you map it against how businesses actually discover data loss. A construction company finds out in month five that a subcontractor folder is missing. A medical practice gets a records request for a patient who was discharged eight months ago. An accountant needs a spreadsheet from last tax season. Retention windows are built for "I deleted this yesterday," not "I need what we had last spring." Once the window closes, Microsoft has no obligation and no button to get it back.

The gaps retention does not cover

Retention also does not help in the scenarios that actually hurt. A departing employee who deletes their own files on the way out, then whose account gets removed. Ransomware that reaches into synced SharePoint libraries and encrypts everything the recycle bin then dutifully overwrites. A compliance rule that says you must keep records for six years, not 93 days. A point-in-time restore of an entire site back to how it looked the morning before a bad migration. Native retention was never designed for any of these, and this is exactly the territory where real backup earns its keep. It is also why we treat backup as part of cybersecurity and disaster recovery, not as an afterthought.

Microsoft 365 Backup: Microsoft's own answer, and what it tells you

Which brings us back to where we started. In late 2024, Microsoft released Microsoft 365 Backup as a native, pay-as-you-go product. It backs up Exchange, SharePoint, and OneDrive, it keeps that data for up to a year, and per Microsoft's pricing documentation it lists at about $0.15 per gigabyte per month of protected content.

The launch of that product is the clearest possible answer to the "isn't it already backed up" question. Microsoft built and now charges for a backup service because the base platform does not include one. That is not a knock on Microsoft 365, which is a genuinely good place to run a business. It is a statement of fact about what you are and are not buying with your per-user licenses.

The native product is a real option, and for some businesses it is the right one. It is also worth understanding its shape before you assume it is the whole answer. It keeps data for up to a year, which does not satisfy multi-year compliance retention on its own. It lives inside the same Microsoft tenant it is protecting, so it is not a copy held somewhere separate from your Microsoft account. And it covers Exchange, SharePoint, and OneDrive, but not every place a growing business stashes data in Microsoft 365. Deciding between the native product, a third-party backup that holds an independent copy outside your tenant, or a combination of both is exactly the kind of call a managed IT provider should be making with you, based on your compliance needs and your budget, not selling you the most expensive option on reflex.


Not sure whether your Microsoft 365 data is actually backed up? IT Integrations provides Microsoft 365 management and data protection for Fort Worth businesses and the surrounding DFW area. Call us at (817) 808-1816 or contact us for a free IT assessment.


What this looks like for a Fort Worth business

The businesses we work with around Fort Worth are not running enterprise IT departments. They are healthcare practices, construction firms, law and accounting offices, water districts, and nonprofits, and most of them moved to Microsoft 365 over the last several years because it was the sensible thing to do. The move was right. The assumption that came with it, that the cloud takes care of everything, is where the exposure sits.

For healthcare, this is not just an operational risk, it is a compliance one. HIPAA expects covered entities to be able to recover electronic protected health information, and retention requirements for medical records in Texas run for years, far past any 93-day recycle bin. A hospice or home health agency that loses a year of documentation to a purged account or a ransomware event has a bigger problem than a missing file. This is one reason healthcare IT and backup have to be designed together rather than bolted on after an audit finding.

It is not only healthcare. A Weatherford construction company keeps years of project documentation, contracts, and photos in SharePoint, and losing a project's history in the middle of a dispute can cost real money. A Fort Worth accounting firm cannot lose client records between filing seasons. A nonprofit that loses its donor database loses its fundraising history. The specifics differ, but the pattern is the same across every business we support around Weatherford, Aledo, and the wider DFW area: the data is the business, and the platform holding it was never the thing responsible for protecting it.

What we see when we audit a new client's Microsoft 365 tenant

We have been running IT for Fort Worth businesses since 2003, and Microsoft 365 backup is one of the most common gaps we find when we take over an environment. The tenant works, email flows, files open. Nobody has tested what happens when something is gone. The most frequent finding is simply no backup at all, just an assumption that Microsoft has it covered. The second most common is a backup that was set up once, years ago, that has quietly stopped running, and nobody noticed because nobody ever needed to restore.

We are not the only ones seeing this. In a 2025 industry survey covered by Help Net Security, nearly 30 percent of IT providers reported a preventable Microsoft 365 client data loss incident that a dedicated backup would have avoided. These are not exotic failures. They are the everyday ones: the deleted account, the overwritten site, the ransomware that got into the sync folder, discovered months later when the data was already past its retention window.

The fix is not complicated, and it does not require scaring anyone. It requires deciding, on purpose, how your Microsoft 365 data gets backed up, how far back it goes, where the copy lives, and how fast it can be restored. Then it requires testing a restore so you know it works before you need it. That is the difference between assuming you are covered and knowing it. When we build this out for a client, we tie it into the same disaster recovery planning that covers the rest of their systems, so backup is one coordinated plan instead of a pile of separate tools.

Frequently Asked Questions

Does Microsoft back up my Microsoft 365 data?

Not in the way most people mean. Microsoft keeps your service running and replicates your data across its data centers so a hardware failure does not take you offline. That is availability, not backup. Microsoft does not keep an independent, restorable copy of your data that you can roll back to after an accidental deletion, a ransomware attack, or a departed employee cleaning out their files. Microsoft says this directly in its Services Agreement, which recommends that customers keep their own regular backup. If you want the ability to restore your data to a specific point in time, that is your responsibility to set up, either through Microsoft's own paid backup product or a third-party service.

How long does Microsoft keep my deleted files and emails?

For SharePoint and OneDrive, deleted files sit in a two-stage recycle bin for a combined 93 days by default, after which they are permanently removed. Deleted email in Exchange Online has shorter default windows measured in days and configurable within limits. When an employee leaves and their account is deleted, their OneDrive is retained for 30 days by default before it enters the deletion pipeline. These windows are fine for recovering something you deleted last week. They are not designed for recovering data you discover is missing months later, and they can be exhausted early if an attacker or a departing employee empties them on purpose.

Isn't data in the cloud automatically safe from ransomware?

No. Ransomware does not care whether a file lives on a local server or in the cloud. If a user's device syncs SharePoint or OneDrive files and that device gets hit, the encrypted versions sync up to the cloud like any other change. Microsoft's replication then faithfully copies the encrypted files, because replication cannot tell a legitimate change from a malicious one. The recycle bin can help if you catch it fast and the attacker did not empty it, but that is a race, not a plan. A backup that holds versions outside the reach of the compromised account is what lets you restore cleanly instead of negotiating with an attacker.

If I use Microsoft 365 Backup, do I still need third-party backup?

It depends on your requirements. Microsoft 365 Backup is a legitimate product, and for some businesses it is enough. But it keeps data for up to a year, which does not cover multi-year compliance retention on its own, and it stores the backup inside the same Microsoft tenant it is protecting, so it is not a truly separate copy. Businesses with longer retention obligations, or those who want a copy held completely outside their Microsoft account, often use a third-party backup instead of or alongside the native product. The right answer depends on your industry, your compliance rules, and your tolerance for risk, which is a conversation worth having before you pick a tool.

How much should Microsoft 365 backup cost my business?

Microsoft's native backup lists publicly at about $0.15 per gigabyte per month of protected data, and third-party services price in their own ways, usually per user per month. The real cost question is not the monthly line item, it is what an hour, a day, or a year of lost data would cost your specific business, and how quickly you need to be back up and running. For a small office that number is manageable. For a healthcare agency facing a compliance finding, or a construction firm in the middle of a dispute, the cost of not having it dwarfs the cost of having it. We help Fort Worth businesses right-size backup to what they actually need rather than overspending on capacity they will never use.

Next Steps

Microsoft 365 is a good place to run your business. It is just not a backup, and it was never meant to be. The platform keeps the service online and gives you a short window to undo small mistakes. Everything past that window, the ransomware event, the departed employee, the compliance request from last year, is your responsibility to plan for. The good news is that closing this gap is straightforward once you decide to do it, and it does not take fear or a big budget, just a real plan and a tested restore.

Want to know whether your Microsoft 365 data is actually protected? IT Integrations provides Microsoft 365 management, backup, and data protection for Fort Worth businesses and the surrounding DFW metro. Call (817) 808-1816 or schedule a free IT consultation today.

Need Help With Your IT?

IT Integrations provides managed IT services, cybersecurity, and compliance support for Fort Worth businesses. Let's talk about what you need.

Call Us Get a Quote