Microsoft doesn’t back up your data on your behalf. Office 365 backup is your responsibility, and it’s not the same as the 30-day recycle bin. Thousands of businesses discover each year that Microsoft 365 does not guarantee the restoration of their data after an accidental deletion, a ransomware attack that encrypts their synchronised OneDrive files, or a departing employee’s acrimonious exit. This guide explains exactly what Microsoft covers, what it doesn’t, and how to set up a reliable Office 365 backup for businesses in Dublin and across Ireland, with a budget and operational load that fit SMEs.
KEY FIGURE
30 days: the maximum retention of the personal OneDrive recycle bin. 93 days: the retention of the SharePoint recycle bin. Beyond those windows, deletion is permanent, even when the cause is human error, ransomware or a tenant attack. Microsoft’s Shared Responsibility model is unambiguous: Microsoft provides platform availability; you are responsible for your data (Microsoft Services Agreement & Shared Responsibility Model).
What Microsoft covers — and what it doesn’t
The most common misconception: “I have Microsoft 365, my data is in the cloud, therefore it’s backed up.” This statement is false, and Microsoft explicitly documents it in its Shared Responsibility model. A clear distinction:
✅ What Microsoft covers
- Availability of the M365 platform (99.9% SLA)
- Geographical replication across data centres (infrastructure resilience)
- Recycle bin — Exchange 30 days, OneDrive 30 days, SharePoint 93 days
- SharePoint/OneDrive version history (limited, configurable)
- Microsoft Defender anti-phishing protection
❌ What Microsoft does NOT cover
- Human error beyond the retention window (deletion, overwrite, mass modification)
- Ransomware encrypting your OneDrive-synchronised files and exhausting version history
- Tenant attack (compromised admin account deleting everything)
- Acrimonious departure of an employee who wipes their OneDrive
- Point-in-time restore at D-60 or D-180
- Full Teams conversation backup with metadata
Microsoft manages the availability of its infrastructure — not the restoration of your data after an incident on your side. That is precisely the gap most SMEs fall into after migrating to M365 without a dedicated backup strategy.
3-2-1-1-0 RULE — NIST / NCSC RECOMMENDATION
3 copies of your data — 2 different media (M365 tenant + third-party cloud or local disk) — 1 outside the Microsoft tenant — 1 immutable (that even a compromised admin cannot delete) — 0 errors during restore testing. This rule, derived from the NIST Cybersecurity Framework and echoed in NCSC Ireland’s backup guidance, is the 2026 reference for SME backup — including in a 100% M365 environment.
The 4 scenarios where Microsoft can’t help you
We see these four scenarios every year with our SME clients in Dublin and across Ireland. The reaction is always the same: “I thought Microsoft backed up my data.” They don’t. And it’s too late to find out at the moment of the incident.
SCENARIO 1
Ransomware encrypting OneDrive
An employee opens a booby-trapped attachment. The ransomware encrypts all local files within seconds, then OneDrive synchronises those encrypted versions back to the cloud in the background. SharePoint version history may help — except ransomware typically makes 200+ rapid modifications, exceeding retained version limits. Without third-party backup, the data is lost.
SCENARIO 2
Human error spotted too late
A manager accidentally deletes a critical client folder during a SharePoint reorganisation. Nobody notices for 2 months. When the issue surfaces, the 93 days are gone. The recycle bin has been automatically purged. The files are permanently lost — along with historical commercial data, contracts and related conversations.
SCENARIO 3
Compromised admin account
Successful phishing on the IT manager’s account. The attacker has Global Admin rights, deletes local backups and purges recycle bins. In 15 minutes, years of Exchange and SharePoint data are wiped. Microsoft does not restore: the action was performed by an authorised tenant account. Only a backup external to the tenant enables recovery.
SCENARIO 4
Acrimonious employee departure
A salesperson leaves for a competitor. The day before, they empty their OneDrive and delete the most sensitive client emails. Account deactivation 30 days later → automatic purge of data. Without third-party backup, commercial history is lost — including evidence in any future dispute (contracts, exchanges, proposals).
The 3 Office 365 backup options
💾 Local backup
Regular export to a local server or external drive. Full data control, low recurring cost, but vulnerable to the same disaster as the primary site (fire, flood, ransomware spreading across the network). Avoid as a sole solution.
☁️ Third-party cloud backup
Dedicated solutions (Dropsuite, Veeam Backup for M365, Acronis Cyber Protect, Microsoft 365 Backup) backing up Exchange, SharePoint, Teams and OneDrive to an infrastructure independent from the Microsoft tenant. This is the recommended standard for SMEs in 2026: €2 to €5 per user per month, unlimited retention, granular restore.
🔀 Hybrid backup
Local + third-party cloud combination: better resilience, fast local restore for routine incidents, remote copy for major disasters. Ideal approach for the most critical data (accounting, HR, intellectual property). More expensive but justified where data loss would be fatal.
Third-party M365 backup vs native Microsoft recycle bin
✅ Third-party M365 backup
- Granular restore (email, folder, file, full mailbox)
- Configurable long-term retention (1 year, 7 years, unlimited)
- Independence from Microsoft infrastructure
- Accessible even if the tenant is compromised
- AES-256 encryption in transit and at rest
- Point-in-time restore at D-X
❌ Native Microsoft recycle bin
- 30 days OneDrive / 93 days SharePoint, non-configurable
- No protection against ransomware saturating version history
- No point-in-time restore
- Lost if the tenant is compromised by an admin
- No coverage for Teams conversations and related files
- Included in M365 — this is NOT a backup
GDPR: M365 backup is also an obligation
Article 32 of the GDPR requires controllers to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, including “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident” (Article 32 §1 c). The Data Protection Commission (DPC) in Ireland and the European Data Protection Board (EDPB) explicitly consider backup an appropriate measure for personal-data processing. An M365 tenant without third-party backup that loses personal data after an incident (ransomware, admin error, compromise) constitutes a failure to meet this obligation. The associated sanction falls under Article 83 §4 (up to €10 million or 2% of worldwide turnover).
On top of that, Article 33: in the event of a breach, notification to the DPC within 72 hours. If data loss makes information irrecoverable (e.g. permanently lost client file), the breach is considered “high risk” and Article 34 requires individual notification to each data subject. Third-party backup is therefore both an IT resilience measure and a GDPR compliance measure.
5 steps to implement your M365 backup
- Identify essential data: Exchange, SharePoint, OneDrive, Teams. Map critical vs secondary mailboxes and sites. Define the backup scope with business owners (not IT alone).
- Choose the solution: dedicated third-party M365 solution (Dropsuite, Veeam, Acronis, Microsoft 365 Backup) based on retention needs (1 year, 7 years, unlimited), granular restore requirements, and budget. Typical range: €2 to €5 per user per month.
- Configure retention policy: frequency (daily minimum, 4x per day for critical mailboxes), retention duration (1 year recommended, 7 years for accounting data, GDPR-aligned), scope (all mailboxes or a selection). EU hosting required for sensitive GDPR data.
- Test restoration: quarterly real-restore simulation — a specific email, a SharePoint file, a Teams folder. Measure real RTO (restoration time). Document each test. An untested backup is not a backup.
- Monitor and alert: enable backup failure alerts, review weekly reports, and integrate backup status into global IT monitoring with escalation to the fractional IT manager. A backup that has been failing silently for 3 months is worse than no backup: it creates a false sense of security.
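A review pass covering steps 3 to 5, as an added example (not code from Ezohiko or any backup vendor): it flags workloads with no recent successful backup, overdue restore tests, and restore tests that reported errors. The record fields, thresholds and sample data are assumptions constructed for illustration; map them to whatever report your backup product exports.

```python
from datetime import datetime, timedelta

# Assumed thresholds taken from the steps above; all names here are illustrative.
WORKLOADS = ("Exchange", "SharePoint", "OneDrive", "Teams")  # step 1 scope
MAX_BACKUP_AGE = timedelta(hours=24)    # step 3: daily minimum
MAX_TEST_AGE = timedelta(days=92)       # step 4: quarterly restore test

def review(jobs, restore_tests, now):
    """Return (workload, issue, detail) findings; an empty list means nothing to escalate."""
    findings = []
    for w in WORKLOADS:
        # Only successful runs count: a job that runs and fails every night is the silent failure.
        ok = [j["finished"] for j in jobs if j["workload"] == w and j["status"] == "success"]
        if not ok:
            findings.append((w, "no-successful-backup", None))
        elif now - max(ok) > MAX_BACKUP_AGE:
            findings.append((w, "stale-backup", (now - max(ok)).days))
        tests = [t for t in restore_tests if t["workload"] == w]
        if not tests:
            findings.append((w, "never-restore-tested", None))
            continue
        latest = max(tests, key=lambda t: t["date"])
        if now - latest["date"] > MAX_TEST_AGE:
            findings.append((w, "restore-test-overdue", (now - latest["date"]).days))
        elif latest["errors"] > 0:
            findings.append((w, "restore-test-errors", latest["errors"]))
    return findings

# Constructed sample data (not output from any real product).
NOW = datetime(2026, 3, 1, 9, 0)
JOBS = [
    {"workload": "Exchange",   "status": "success", "finished": datetime(2026, 3, 1, 2, 0)},
    {"workload": "SharePoint", "status": "success", "finished": datetime(2026, 3, 1, 2, 30)},
    {"workload": "OneDrive",   "status": "success", "finished": datetime(2025, 11, 28, 2, 0)},
    {"workload": "OneDrive",   "status": "failed",  "finished": datetime(2026, 3, 1, 2, 45)},
    # Teams was never added to the backup scope: no jobs at all.
]
RESTORE_TESTS = [
    {"workload": "Exchange",   "date": datetime(2026, 1, 15), "errors": 0},
    {"workload": "SharePoint", "date": datetime(2025, 9, 1),  "errors": 0},
    {"workload": "OneDrive",   "date": datetime(2026, 2, 1),  "errors": 2},
]

if __name__ == "__main__":
    for workload, issue, detail in review(JOBS, RESTORE_TESTS, NOW):
        print(f"ESCALATE {workload}: {issue}" + (f" ({detail})" if detail is not None else ""))
```

In the sample, OneDrive jobs still run every night but none has succeeded for 93 days, which a check that only looks for "did a job run" would miss.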
How Ezohiko helps with M365 backup
Setting up M365 backup that lasts requires three things: the right tool, the right configuration, and someone who tests and supervises. We cover all three, as a one-off project or under a fractional IT manager arrangement.
M365 backup audit
Full tenant review: what is actually backed up vs what you think is backed up, retention policy, restore test, GDPR compliance. Deliverable: a report with coverage gaps and a costed remediation plan, typically 2 days of engagement.
Dropsuite / Veeam rollout
Deployment of a dedicated third-party M365 solution with EU hosting, AES-256 encryption, retention configured for your obligations. Monitoring integration, failure alerts, documented restore procedure. Restore tests every 6 months, handled by Ezohiko.
DR as a Service
For businesses with infrastructure beyond M365 (line-of-business servers, databases). M365 backup combined with infrastructure replication at Ezohiko, bi-annual restore test, target RTO 4 hours. From a few hundred euros per month.
Fractional IT Manager
Ongoing supervision of backups, periodic restore tests, vendor selection, roadmap alignment with your business risk profile. The role that makes sure your M365 backup is still working in 18 months, not just on day one.
Best practices — Office 365 backup for businesses in Dublin
- Apply the 3-2-1-1-0 rule: 3 copies, 2 different media, 1 off-site, 1 immutable, 0 errors
- Encrypt your backups: data in transit and at rest encrypted with AES-256 minimum, keys managed outside the M365 tenant
- EU hosting: for sensitive GDPR data, choose a solution storing in the European Union (sovereignty + Standard Contractual Clauses)
- Test restoration quarterly: different scenarios each test (email, SharePoint file, Teams folder, full mailbox)
- Train your team: raise awareness of deletion risks, storage best practices, and recycle bin limits
- Include backup in your DR plan: defined, tested, and communicated RTO/RPO
Frequently asked questions — Office 365 backup for businesses
Does Microsoft 365 automatically back up my data?
No. Microsoft ensures the availability of its infrastructure through a 99.9% SLA, but does not guarantee the restoration of your data in the event of accidental deletion, human error, or a cyberattack. This is explicitly documented in the Microsoft Shared Responsibility Model: your data is your responsibility. Office 365 backup remains entirely the responsibility of your organisation.
What are the retention periods of the Microsoft 365 recycle bins?
The Exchange recycle bin retains deleted emails for 30 days. The personal OneDrive recycle bin also for 30 days. The SharePoint site recycle bin retains files for 93 days. These periods are not configurable by the administrator and do not protect against ransomware, deliberate permanent deletions, or purges by a compromised admin. A third-party backup solution allows configurable retention up to several years — even unlimited.
Which Office 365 data should I prioritise for backup?
Four areas to cover, in order of criticality: Exchange (mailboxes, calendars, contacts), SharePoint (team sites, business documents, project workspaces), OneDrive (individual files, often critical for salespeople and directors), Teams (conversations, channels, shared files, Wiki tabs). Any business data that cannot be rebuilt in a few hours from other sources must be in your backup policy.
Which Microsoft 365 backup solution do you recommend for SMEs in Dublin?
For a 10 to 100-user SME, we recommend mature dedicated M365 solutions: Dropsuite (great value, EU hosting available), Veeam Backup for Microsoft 365 (historic leader, maximum granularity), Acronis Cyber Protect (backup + EDR antivirus combination), or Microsoft 365 Backup (Microsoft’s native solution launched in 2024, simple to deploy but less granular). The choice depends on budget, long-term retention needs and Teams coverage. We evaluate all four during an initial audit.
How much does a Microsoft 365 backup cost for an SME?
The cost of a Microsoft 365 backup varies depending on user count, retention length, and the solution. On average for an SME: €2 to €5 per user per month for a complete third-party solution covering Exchange, SharePoint, OneDrive and Teams with 1-year retention. For a 25-staff SME, that represents €50 to €125 per month, or €600 to €1,500 per year. Compare that to the cost of an unrecoverable data loss event: data reconstruction, client disputes, DPC notification, potential fine — commonly tens of thousands of euros for a single incident.
How often should I test my Office 365 backup restoration?
At minimum once per quarter. The test should cover several scenarios in the same operation: restoring a specific email, a specific SharePoint file, a Teams folder, and ideally a complete Exchange mailbox. Each test must be documented: date, scenarios, measured RTO, anomalies. An untested backup cannot be considered reliable in your Disaster Recovery Plan (DRP) — and in case of a GDPR audit, the test documentation is your evidence that you have met Article 32 obligations.
Can ransomware reach my OneDrive files?
Yes, and this is one of the main attack vectors in 2026. Typical scenario: an employee opens a booby-trapped attachment, the ransomware encrypts all local files within seconds, then OneDrive synchronises those encrypted versions back to the cloud. Microsoft keeps version history, but ransomware typically makes 200 to 500 rapid changes per file to exceed that limit. Result: without third-party backup independent from the Microsoft tenant, the files are permanently lost. A dedicated M365 backup is the only reliable way to restore a pre-infection version.
Is M365 backup mandatory under GDPR?
Article 32 of the GDPR requires appropriate technical and organisational measures to ensure personal-data security, including “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident” (Article 32 §1 c). The DPC in Ireland and the EDPB explicitly consider backup an appropriate measure for processing involving personal data. An M365 tenant without third-party backup that suffers personal-data loss exposes the controller to sanctions up to €10 million or 2% of worldwide turnover (Article 83 §4). The DPC has published enforcement decisions for absent or untested backups in recent years.
