We hear some version of this at least twice a month: "Oh, we don't need backup. Our stuff is in the cloud." And then we ask what happens if someone deletes a critical folder. Then there's a pause. Then: "Well, Microsoft would have it, right?"
They don't. And this misconception is quietly setting up Utah businesses for some very bad days.
The Shared Responsibility Model (And Why It Matters to You)
Microsoft operates Microsoft 365 under what's called a shared responsibility model. Here's the short version: Microsoft is responsible for keeping the service available. You are responsible for your data inside it.
From Microsoft's own Service Agreement:
"We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services."
That's not us editorializing. That's Microsoft literally recommending you back up your stuff because they're not going to do it for you.
What Microsoft does protect against: data center fires, hardware failures, service outages. What Microsoft does not protect against:
- An employee accidentally deleting a mailbox or shared drive folder
- A ransomware attack that encrypts or wipes your OneDrive
- A disgruntled ex-employee emptying SharePoint on their way out the door
- Malicious third-party app permissions that corrupt your data
- Retention policy gaps that permanently purge emails before you need them
Each of those scenarios is something we've seen happen to real businesses. Real businesses that assumed they were covered.
What Microsoft 365 Actually Gives You
Microsoft does offer some data recovery options, but they're limited and they have sharp edges:
| Feature | What It Does | The Catch |
|---|---|---|
| Deleted Items folder | Holds deleted emails for 14–30 days | User can permanently delete from here too |
| Recycle Bin (SharePoint/OneDrive) | Recovers deleted files for up to 93 days | Ransomware can trigger mass deletion that exhausts retention |
| Version history | Saves previous versions of files | Ransomware often overwrites versions before anyone notices |
| Litigation Hold | Preserves data for legal purposes | Requires E3/E5 license, complex to configure, not granular recovery |
None of these are a backup solution. They're availability features. There's a difference — and the difference becomes very important at about 2 PM on a Tuesday when someone realizes a week of work is gone.
What a Real Backup Looks Like
We use Datto SaaS Protection for our clients, and it backs up the following three times a day, automatically, with unlimited retention:
- All Exchange email (including shared mailboxes)
- Contacts and calendar events
- OneDrive for Business files
- SharePoint sites
- Teams chat data
- Google Workspace (if you're in that camp instead)
When someone needs something recovered — whether it's a single email from six months ago or an entire mailbox — we can restore it in minutes, not days. Granularly. Without having to call Microsoft and open a ticket that goes nowhere.
The Ransomware Angle
Here's the scenario that keeps IT people up at night: ransomware that specifically targets cloud sync.
Modern ransomware variants know that businesses keep files in OneDrive and SharePoint. They also know that OneDrive syncs bidirectionally. So they encrypt files on the local machine, OneDrive dutifully syncs the encrypted versions to the cloud, and now both your local copy and your cloud copy are encrypted garbage. Microsoft's version history buys you some time, but if the ransomware moves fast enough — and it usually does — it overwrites enough versions to corner you.
With a proper third-party backup that creates independent, immutable snapshots outside of the Microsoft ecosystem? That's just a restore operation. Annoying, but not catastrophic.
The "It Won't Happen to Us" Math
For a 50-person company in Utah, the average cost of a data loss incident — accounting for downtime, recovery effort, and lost productivity — runs somewhere between $15,000 and $150,000 depending on severity. SaaS backup for that same company runs a few hundred dollars a month.
We're not saying it will happen to you. We're saying the math doesn't favor the gamble.
If you want to see exactly what your Microsoft 365 environment looks like from a backup and recovery standpoint, we're happy to walk through it with you. No commitment required — just clarity on where you actually stand.