Microsoft 365 Backup & Business Continuity Playbook
Microsoft's own resilience is not the same as enterprise-grade backup. This is the EPC Group playbook for choosing between Microsoft 365 Backup and third-party ISV, designing 3-tier retention, and testing ransomware recovery.
Frequently Asked Questions
Does Microsoft 365 back up my data?
Not in the way most enterprise IT teams assume. Microsoft's Service Availability Backup provides infrastructure-level resilience against outages + tenant-loss scenarios, and Preservation Hold / Retention Policies preserve deleted content per the tenant's retention configuration. But there is NO enterprise-grade point-in-time restore for granular scenarios (single mailbox rewound to Tuesday morning; SharePoint site collection rewound to before the ransomware encryption). This is where Microsoft 365 Backup (Microsoft's native product) and third-party ISV backup (Veeam, AvePoint, Rubrik, Druva, Metallic) fit.
What is Microsoft 365 Backup?
Microsoft 365 Backup is a first-party PIT (point-in-time) restore product for Exchange, SharePoint, and OneDrive. Uses Preservation Lock for immutability, targets RPO under 15 minutes and RTO under 4 hours for large-scale ransomware recovery scenarios. Licensed per-user + per-storage. Best fit for organizations that want Microsoft-native, first-party backup covered by Microsoft's own SLA + support. Poor fit for organizations requiring Teams chat backup (currently limited coverage), organizations with cross-cloud recovery requirements, or organizations with existing enterprise backup investment they want to extend.
When should we use third-party ISV backup?
Six scenarios. (1) Existing enterprise backup investment (Veeam, Rubrik) you want to extend to M365. (2) Cross-cloud recovery requirements (restore M365 data into a different tenant, or into an on-premises Exchange for legal review). (3) Teams chat + channel granular backup where Microsoft's coverage is limited. (4) Regulatory workloads requiring immutability from an independent vendor (some financial services attestation frameworks require this). (5) Data-sovereignty requirements storing backup in a specific geography different from the primary tenant region. (6) Legacy data-portability workflows (bring backup into on-prem SharePoint, extract to a custom archive).
What's the retention design?
Three-tier retention. (1) Short-tier (30-90 days) — high-frequency PIT restore for accidental deletion + user error. (2) Mid-tier (1-3 years) — regulated content retention for HR investigations, minor litigation. (3) Long-tier (7+ years) — regulatory records retention (FINRA 4511, HIPAA, SEC 17a-4). Modern platforms tier automatically: short-tier in hot storage, mid-tier warm, long-tier cold (with lower recovery cost). EPC Group's retention design produces the target tier per content class + validates against your regulatory obligations.
How do we test the recovery workflow?
Table-top exercises + live recovery drills. (1) Quarterly table-top: a simulated ransomware scenario, walk through the restore workflow with the actual runbook, identify gaps. (2) Annual live drill: actually restore a small subset (a test mailbox + test SharePoint site) into a target environment; measure RTO + RPO against SLA. (3) Post-drill: update the runbook with lessons learned. Untested backups are unreliable — organizations that discover their backup doesn't work during an actual ransomware incident are the ones that make the news.
What does an EPC Group M365 backup + BCDR engagement produce?
A 4-8 week fixed-fee engagement. (1) Current-state gap analysis (native M365 preservation vs enterprise backup needs). (2) Native vs third-party ISV recommendation (Microsoft 365 Backup vs Veeam/AvePoint/Rubrik/Druva/Metallic) with TCO comparison. (3) Retention design across three tiers. (4) Deployment + configuration. (5) Runbook for ransomware recovery scenario. (6) Table-top exercise + first live drill. (7) Quarterly cadence document.
Talk to a senior architect
Email contact@epcgroup.net or call 888-381-9725.
North America's oldest continuous Microsoft Gold Partner (2000 until Microsoft retired the program in 2022) — today holding all six Microsoft Solutions Partner Designations.
