Is Your SharePoint Actually Backed Up? What Microsoft Won't Tell You
Ask your IT team one question: "If somebody deleted our entire SharePoint library tomorrow, how would we get it back?" If the answer sounds anything like "Microsoft handles that," you have a problem.
When Eric Thompson runs an evaluation on a new client's Microsoft 365 environment, this is one of the first things he looks at. He's yet to find one that had a real third-party backup in place for SharePoint, OneDrive, and Teams. Varying degrees of better and worse, but the same underlying gap, every time.
Here's why that matters, what Microsoft actually does and doesn't protect, and what you should do about it.
Microsoft Does Not Back Up Your SharePoint Data
This surprises almost everyone. When you pay for Microsoft 365 licenses, you get access to SharePoint, OneDrive, and Teams. Microsoft's position on your data is explicit: it's your data, you own it, it's your responsibility to protect it. They give you the platform. The rest is on you.
Microsoft provides infrastructure redundancy. If one of their data centers has a hardware failure, your data isn't lost. But that's not a backup. If an employee accidentally deletes a folder, ransomware encrypts your files through a compromised account, or somebody restructures a SharePoint library and makes a mess of it, Microsoft isn't going to restore that for you.
What Microsoft Actually Provides
Microsoft does offer some built-in protections, but they're limited and they're not backup:
Recycle Bin. Deleted SharePoint and OneDrive files stay recoverable for up to 93 days total, across the site and site collection recycle bins combined. After that, they're gone. In a large SharePoint environment, deletions regularly go unnoticed inside that window, and once it closes, the data's unrecoverable through Microsoft's native tools.
Version History. SharePoint keeps previous versions, so if somebody overwrites a document you can recover it. But version history won't help against bulk deletion, ransomware, or account compromise. It's a convenience feature, not disaster recovery.
Retention Policies. These exist for legal and compliance work, preserving data for court orders or eDiscovery requests. They're not backup. You can't use a retention policy to recover from ransomware or roll an accidentally deleted SharePoint site back to yesterday.
Microsoft protects their infrastructure. They don't protect your data from your own users, cyberattacks, or mistakes.
What Actually Goes Wrong Without SharePoint Backup
We've seen every version of this story.
Accidental deletion and restructuring disasters are the most common. SharePoint is so easy to use that people constantly try to reorganize, move, or clean up their data, and before they realize what happened, files are gone or duplicated across locations. By the time people figure it out, it's a giant mess. Duplicate data, things in two spots, missing libraries, broken links inside Teams. We do a lot of accidental deletion restores for our clients.
The ransomware scenario is worse. We had a client (a corporate entity with branches across the country) where we managed the Minnesota location only. Their New York office housed a lot of the company's data. Somebody at New York got ransomware on their computer. Because their account had access to SharePoint, the ransomware crippled the whole company's SharePoint database across every location.
They had no backup. Microsoft did nothing for them.
Real client incident, 2024We were able to help them with a limited version history recovery (not from backup, but from the native version history feature) which salvaged some data. They still lost a significant amount. The Minnesota branch was fine because it wasn't tied into the same exposure.
How McNallan Handles SharePoint Backup
Our approach is to treat SharePoint, OneDrive, and Teams data the same way we treat any critical business system: it gets its own dedicated backup, separate from everything else.
We use a Microsoft 365 tenant-integrated backup product called AFI. It covers SharePoint data, Teams data (including messages and channels), and email. Backups run four times per day.
It's separate from our server backup, our file-level backup, and our disaster recovery infrastructure. On purpose. If one backup gets hit, the others are still there. A backup stored inside the same Microsoft 365 tenant it's supposed to protect isn't really a backup. It's just a copy in the blast radius.
Air-gapped insurance
For our most critical client environments, our server and DR backups go into immutable storage. Basically a digital safety deposit box even we can't delete from. We have an agreement with Amazon that says: put this over here, and if I come asking for it back, don't listen to me. Even in the worst ransom scenario, the last copy is still there because nobody can wipe it. Not an attacker, not a compromised admin, not even us.
We've done full SharePoint library restores with our backup tool. We've run simulations where we take a client's entire SharePoint environment offline and restore it, so we know it works before anyone needs it. And we've used it in real cyber incidents to get clients back to normal without paying a ransom or rebuilding from zero.
Three Things to Ask Your IT Team Today
Do we have a third-party backup for SharePoint, OneDrive, and Teams?
If the answer is "Microsoft handles that," they're wrong. You need a dedicated solution that runs outside your Microsoft 365 tenant.
How often are backups running, and where are they stored?
"We have a backup" isn't good enough. You need frequency (ours runs four times per day) and you need the backup stored outside Microsoft 365.
Has anyone ever tested a restore?
If you've never tested a restore, you don't have a backup. You've got hope. You should be able to point to a specific date somebody tested restoring SharePoint data and confirmed it worked.
Not sure if your SharePoint is backed up?
Tell us how your M365 tenant is configured today: backup, permissions, MFA, security defaults. We will tell you what is missing.
Get in Touch