
Enterprise guide to the shared responsibility model, backup strategies, third-party tools, retention policies, RPO/RTO planning, and DR testing for your entire Microsoft 365 environment.
Do you need disaster recovery for Microsoft 365? Yes. Microsoft guarantees platform uptime (99.9% SLA) but does NOT guarantee your data is recoverable in all scenarios. The shared responsibility model places data backup, accidental deletion recovery, ransomware recovery, retention policy management, and business continuity planning squarely on you — the customer. Native recycle bins have 93-day limits. There is no point-in-time mailbox restore. Departed user data is deleted after 30 days. EPC Group recommends third-party backup for every enterprise Microsoft 365 tenant, targeting 1-4 hour RPO and 4-8 hour RTO across all services.
The most dangerous assumption in enterprise IT is that Microsoft backs up your Microsoft 365 data. They do not — at least not in the way you need. Microsoft replicates your data across geo-redundant data centers to protect against THEIR infrastructure failures. But when a user permanently deletes a mailbox folder, when ransomware encrypts 10,000 SharePoint files via OneDrive sync, when a departing employee wipes their OneDrive, or when an admin accidentally deletes a site collection — Microsoft replication faithfully replicates the damage.
EPC Group has helped organizations recover from every one of these scenarios — and the ones that had backup in place recovered in hours. The ones that did not had permanent data loss. This guide covers exactly what you need to protect your Microsoft 365 environment from data loss scenarios that Microsoft native features cannot address.
We cover the shared responsibility model, native retention capabilities and their gaps, third-party backup tool selection, RPO/RTO planning, and a DR testing framework that validates your recovery capabilities quarterly.
Understanding who is responsible for what is the foundation of Microsoft 365 data protection. Microsoft protects the platform. You protect the data.
| Responsibility Area | Microsoft | Customer | Details |
|---|---|---|---|
| Data Center Infrastructure | Yes | - | Physical security, power, cooling, networking, hardware replacement |
| Platform Availability (99.9% SLA) | Yes | - | Service uptime, geo-redundant replication, failover between data centers |
| Operating System & Application Patching | Yes | - | Security patches, feature updates, vulnerability remediation |
| Data Backup & Point-in-Time Recovery | - | Yes | Third-party backup, granular restore, long-term retention beyond native limits |
| Accidental/Malicious Deletion Recovery | - | Yes | Native recycle bins have time limits. After expiry, data is unrecoverable without backup. |
| Retention Policy Configuration | - | Yes | Define and apply retention policies per compliance requirements (HIPAA, SOX, FINRA) |
| Account Security & Access Control | - | Yes | MFA, Conditional Access, identity protection, insider threat management |
| Ransomware Protection & Recovery | - | Yes | Endpoint protection, backup for recovery, incident response procedures |
| Regulatory Compliance Evidence | - | Yes | Audit logs, retention proof, data governance documentation for regulators |
| Business Continuity Planning | - | Yes | DR procedures, communication plans, RTO/RPO targets, testing cadence |
Key Takeaway: Microsoft is responsible for 3 out of 10 data protection areas. You are responsible for 7 out of 10. The most critical customer responsibilities — backup, deletion recovery, ransomware recovery, and compliance evidence — are exactly the areas where organizations are most often unprepared. Microsoft service agreement Section 6b explicitly states: "We recommend that you regularly backup Your Content and Data that you store on the Services."
Each Microsoft 365 service has different native recovery options — and different gaps. Understanding these gaps is essential for building a complete backup strategy.
| Service | Native recovery | Gaps | Recommendation |
|---|---|---|---|
| Exchange Online | Deleted Items (14-30 days), Recoverable Items folder (14-30 days), Litigation Hold (indefinite), In-Place Archive | No point-in-time mailbox restore; no recovery after the Recoverable Items period; Litigation Hold is not a backup (cannot selectively restore) | Third-party backup with 1-hour RPO, 4-hour RTO for mailbox restore |
| SharePoint Online | First-stage recycle bin (93 days), second-stage recycle bin (93 days after user delete), version history (up to 500 versions) | No recovery after the 93-day window; version history counts toward quota; site collection deletion by an admin bypasses the recycle bin with a short recovery window | Third-party backup with 4-hour RPO, 8-hour RTO for site collection restore |
| OneDrive for Business | Recycle bin (93 days), version history, "Restore your OneDrive" (30-day point-in-time) | 30-day restore window insufficient for late-detected ransomware; departed user OneDrive deleted after license removal (30-day grace); no granular file restore beyond version history | Third-party backup with 4-hour RPO; retain departed user data for 1+ year |
| Microsoft Teams | Chat retention (via retention policies), channel files (SharePoint), channel messages (compliance records) | No native Teams backup product; chat deletion by a user may not be recoverable; Teams settings and configurations not backed up; private channel content requires separate backup | Third-party backup covering chats, channels, files, and Teams configuration |
| Power BI | Dataset version history (limited), workspace recovery (admin restore within window) | No native backup for reports, dashboards, or datasets; deleted workspace has a limited recovery window; no point-in-time restore for datasets | Export PBIX files to a version-controlled repository (Azure DevOps), automated backup scripts |
| Entra ID | Soft-delete for users (30 days), audit logs (30-90 days), Conditional Access policy export | No native backup of Conditional Access policies, group memberships, or app registrations in a restorable format; policy changes are not versioned | Automated configuration backup via Graph API, infrastructure-as-code for policies |
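One way to close the "policy changes are not versioned" gap for Conditional Access, as an added example (not EPC Group's or Microsoft's code): compare two exported policy snapshots and report what was added, removed or changed. It assumes the snapshots are JSON lists already exported from Microsoft Graph (`GET /identity/conditionalAccess/policies`); the sample policies and all function names are constructed for illustration.

```python
import hashlib
import json

# Timestamps change on every write; excluded so they never count as drift.
VOLATILE = {"createdDateTime", "modifiedDateTime"}

def fingerprint(policy):
    """SHA-256 over a policy with volatile fields removed and keys sorted."""
    stable = {k: v for k, v in policy.items() if k not in VOLATILE}
    return hashlib.sha256(json.dumps(stable, sort_keys=True).encode()).hexdigest()

def flatten(obj, prefix=""):
    """Flatten nested dicts to {'a.b': value}; lists are compared whole."""
    out = {}
    for key, val in obj.items():
        if isinstance(val, dict):
            out.update(flatten(val, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = val
    return out

def diff_snapshots(old, new):
    """Report policies added, removed or changed between two snapshots."""
    old_by_id = {p["id"]: p for p in old}
    new_by_id = {p["id"]: p for p in new}
    report = {"added": [], "removed": [], "changed": {}}
    for pid in sorted(new_by_id.keys() - old_by_id.keys()):
        report["added"].append(new_by_id[pid]["displayName"])
    for pid in sorted(old_by_id.keys() - new_by_id.keys()):
        report["removed"].append(old_by_id[pid]["displayName"])
    for pid in sorted(old_by_id.keys() & new_by_id.keys()):
        if fingerprint(old_by_id[pid]) == fingerprint(new_by_id[pid]):
            continue
        a, b = flatten(old_by_id[pid]), flatten(new_by_id[pid])
        report["changed"][new_by_id[pid]["displayName"]] = {
            k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys())
            if k not in VOLATILE and a.get(k) != b.get(k)}
    return report

# Constructed sample snapshots (not real tenant data).
MFA = {"operator": "OR", "builtInControls": ["mfa"]}
YESTERDAY = [
    {"id": "p1", "displayName": "Require MFA for admins", "state": "enabled",
     "modifiedDateTime": "2024-05-01T08:00:00Z", "grantControls": MFA},
    {"id": "p2", "displayName": "Block legacy authentication", "state": "enabled",
     "modifiedDateTime": "2024-05-01T08:00:00Z",
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
TODAY = [
    {"id": "p1", "displayName": "Require MFA for admins",
     "state": "enabledForReportingButNotEnforced",
     "modifiedDateTime": "2024-05-02T03:14:00Z", "grantControls": MFA},
]

if __name__ == "__main__":
    print(json.dumps(diff_snapshots(YESTERDAY, TODAY), indent=2))
```

Committing each snapshot to a repository outside the tenant gives both the restorable copy and the change history; a removed blocking policy or a policy moved to report-only is the kind of drift worth alerting on.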
Enterprise Microsoft 365 backup requires a third-party solution. Native retention features are useful for short-term recovery but insufficient for enterprise data protection. Here is how the leading tools compare.
| Tool | Coverage | Pricing | Strengths |
|---|---|---|---|
| Veeam Backup for M365 | Exchange, SharePoint, OneDrive, Teams | $2-4/user/month | Industry leader, fastest restore speeds, self-hosted or cloud, unlimited retention, granular search |
| AvePoint Cloud Backup | Exchange, SharePoint, OneDrive, Teams, Groups | $3-5/user/month | Strong SharePoint expertise, compliance reporting, automated DR testing, SaaS deployment |
| Commvault Metallic | Exchange, SharePoint, OneDrive, Teams, Entra ID | $3-6/user/month | Enterprise-grade, multi-cloud, advanced search and eDiscovery, Entra ID backup |
| Druva inSync | Exchange, SharePoint, OneDrive, Teams | $4-6/user/month | Pure SaaS (no infrastructure), automated compliance, legal hold, global deduplication |
| Microsoft 365 Backup | Exchange, SharePoint, OneDrive (expanding) | Pay-per-use (preview pricing) | Native Microsoft integration, fast restore via Microsoft infrastructure, no third-party dependency |
EPC Group Recommendation: Veeam Backup for Microsoft 365 for most enterprise deployments. It offers the fastest restore speeds, most flexible deployment (self-hosted or cloud), unlimited retention, and the best cost-to-feature ratio. For organizations that want zero infrastructure management, Druva inSync is the strongest pure-SaaS option. We monitor Microsoft 365 Backup (Preview) closely and will recommend it once it reaches GA with full Teams support.
Recovery Point Objective (RPO) defines how much data you can afford to lose. Recovery Time Objective (RTO) defines how long recovery can take. These two metrics drive every backup architecture decision — frequency, tool selection, storage, and cost.
| Service | Standard RPO | Standard RTO | Critical RPO | Critical RTO |
|---|---|---|---|---|
| Exchange Online | 4 hours | 8 hours | 1 hour | 2 hours |
| SharePoint Online | 4 hours | 8 hours | 1 hour | 4 hours |
| OneDrive for Business | 4 hours | 4 hours | 1 hour | 2 hours |
| Microsoft Teams | 4 hours | 8 hours | 1 hour | 4 hours |
| Power BI | 24 hours | 24 hours | 4 hours | 8 hours |
| Entra ID Config | 24 hours | 4 hours | 4 hours | 1 hour |
Standard RPO/RTO targets are appropriate for general business data. Critical targets apply to executive communications, legal documents, financial records, and regulated data (HIPAA PHI, SOX financial data, CMMC CUI). The cost difference between standard and critical is approximately 2-3x in backup infrastructure and licensing.
EPC Group conducts business impact analysis (BIA) workshops to determine the appropriate RPO/RTO for each service and data classification. We then size and configure backup infrastructure to meet those targets — and validate them through quarterly DR testing.
A backup that has never been tested is not a backup — it is a hope. EPC Group DR testing validates that recovery actually works within your RPO/RTO targets.
| Cadence | Activities | Metric |
|---|---|---|
| Monthly | Restore a random mailbox, SharePoint site, and OneDrive account from backup. Verify data completeness and integrity. Log actual restore time. Compare to RTO target. | Pass/fail: restore within RTO? |
| Quarterly | Simulate a real incident: ransomware recovery, departed employee data restoration, accidental admin deletion. Full end-to-end recovery including detection, escalation, and restore. | Mean time to recovery (MTTR) |
| Annually | Full business continuity exercise. Tenant-level recovery scenario. All service RPO/RTO validation. Communication plan testing. Executive participation. Lessons learned review. | Full BC plan validation |
| After every test | Update recovery runbooks with actual steps, timing, and issues encountered. Keep runbooks in a location accessible during an outage (not only in the M365 tenant being recovered). | Runbook accuracy score |
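The RPO/RTO targets and the restore-time check described above can be scored mechanically. The following is an added example, not EPC Group's tooling: it takes backup job results and timed restore tests and reports, per service, the worst gap between successful backups and whether the slowest restore met the standard-tier target. The job and restore records are constructed sample data, and the record layout is an assumption.

```python
from datetime import datetime

# Standard-tier targets in hours, copied from the page's RPO/RTO table.
TARGETS = {
    "Exchange Online": {"rpo": 4, "rto": 8},
    "SharePoint Online": {"rpo": 4, "rto": 8},
    "OneDrive for Business": {"rpo": 4, "rto": 4},
    "Microsoft Teams": {"rpo": 4, "rto": 8},
}

def ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")

def hours(delta):
    return delta.total_seconds() / 3600

def worst_rpo_gap(jobs, service, as_of):
    """Longest stretch in hours without a successful backup, up to as_of."""
    ok = sorted(ts(t) for svc, t, status in jobs
                if svc == service and status == "success")
    if not ok:
        return float("inf")          # never backed up: unbounded data loss
    points = ok + [as_of]            # include the gap since the last success
    return max(hours(b - a) for a, b in zip(points, points[1:]))

def evaluate(jobs, restores, as_of):
    """Score each service against its RPO and RTO target."""
    results = {}
    for service, target in TARGETS.items():
        gap = worst_rpo_gap(jobs, service, as_of)
        took = [hours(ts(end) - ts(start))
                for svc, start, end in restores if svc == service]
        worst = max(took) if took else None
        results[service] = {
            "rpo_gap": gap, "rpo_pass": gap <= target["rpo"],
            "restore_hours": worst,
            # No measured restore means no evidence, so the RTO check fails.
            "rto_pass": worst is not None and worst <= target["rto"],
        }
    return results

# Constructed sample data: (service, finish time, status) and restore tests.
D = "2024-06-03T"
JOBS = (
    [("Exchange Online", D + t, s) for t, s in
     [("00:00", "success"), ("04:00", "success"),
      ("08:00", "failed"), ("12:00", "success")]]
    + [("SharePoint Online", D + t, "success")
       for t in ("00:00", "04:00", "08:00", "12:00")]
    + [("OneDrive for Business", D + t, "success")
       for t in ("02:00", "06:00", "10:00", "14:00")]
)
RESTORES = [
    ("Exchange Online", D + "09:00", D + "15:30"),
    ("SharePoint Online", D + "09:00", D + "18:30"),
]
AS_OF = ts(D + "14:00")

if __name__ == "__main__":
    for service, row in evaluate(JOBS, RESTORES, AS_OF).items():
        print(service, row)
```

In the sample, a single failed Exchange job doubles the effective RPO to 8 hours even though the schedule is every 4 hours, which is why the gap is measured between successes rather than read from the schedule.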
Retention policies are the first line of defense before backup. They determine how long Microsoft preserves deleted and modified content natively. Properly configured retention policies prevent many common data loss scenarios — but they are not a substitute for backup.
| Policy | Scope | Implementation notes |
|---|---|---|
| Exchange mailbox retention | All mailboxes including shared and room mailboxes | Apply via Microsoft Purview retention policy. Covers deleted items beyond recycle bin period. |
| SharePoint/OneDrive document retention | All SharePoint sites including OneDrive | Use label-based retention for CUI, PHI, or financial documents. Location-based for general content. |
| Teams chat and channel message retention | 1:1 chats, group chats, and channel messages | FINRA Rule 3110 requires retention of all electronic communications including Teams chat. |
| Departed user data retention | All terminated/departed users | Automate via lifecycle workflows in Entra ID. Prevent license removal from deleting OneDrive data. |
| Litigation hold | Specific users or content relevant to legal matter | Overrides all retention policies. Content preserved until hold is released by legal team. |
| Audit log retention | All Microsoft 365 audit events | E5 Advanced Audit provides 1-year retention. Export to Microsoft Sentinel for longer retention. |
Yes — absolutely. Microsoft guarantees infrastructure uptime (99.9% SLA) but does NOT guarantee your data is recoverable in all scenarios. The shared responsibility model means Microsoft protects against: data center failures, hardware failures, and platform outages. YOU are responsible for protecting against: accidental deletion (user or admin), malicious insider deletion, ransomware encrypting synced files, retention policy misconfiguration, compliance holds expiring, and account compromise leading to data destruction. Microsoft native retention covers some scenarios (recycle bins, version history) but has gaps: 93-day recycle bin limits, no point-in-time restore for mailboxes, and no protection against retention policy changes. EPC Group recommends third-party backup for every enterprise Microsoft 365 environment.
Microsoft is responsible for: physical infrastructure (data centers, networking, power), platform availability (99.9% SLA with financial credits), geo-redundant replication across regions, and security of the platform itself. You are responsible for: data backup and recovery, retention policy configuration, access control and account security, protection against accidental or malicious deletion, compliance with data retention regulations, and business continuity planning. The critical gap: Microsoft replicates your data for THEIR disaster recovery (data center failure), not for YOUR disaster recovery (deleted mailbox, ransomware, departed employee wiping their OneDrive). Microsoft explicitly states in their service agreement: "We recommend that you regularly backup Your Content and Data that you store on the Services." EPC Group closes this gap with comprehensive backup and DR strategies.
Native Microsoft 365 recovery capabilities by service: Exchange Online — deleted items (14-30 days configurable), recoverable items (14-30 days), litigation hold (indefinite but not a backup). SharePoint Online — recycle bin (93 days), version history (up to 500 versions), site collection recycle bin (93 days after user deletion). OneDrive — recycle bin (93 days), version history, "Restore your OneDrive" feature (30-day point-in-time restore). Teams — chat retention (based on retention policies), channel messages (retained in SharePoint). Limitations: no granular point-in-time mailbox restore, no recovery after retention period expires, no protection if admin changes retention policies, no offline copy of data, and version history counts toward storage quotas. For enterprise compliance, these native features are insufficient.
Top enterprise Microsoft 365 backup solutions: Veeam Backup for Microsoft 365 — industry leader, supports Exchange, SharePoint, Teams, OneDrive, unlimited retention, granular restore, $2-4/user/month. AvePoint Cloud Backup — strong SharePoint/Teams coverage, compliance-focused, built-in reporting, $3-5/user/month. Commvault Metallic — enterprise-grade, multi-cloud support, advanced search, $3-6/user/month. Druva inSync — SaaS-only (no infrastructure to manage), automated compliance, legal hold, $4-6/user/month. Microsoft 365 Backup (Preview) — Microsoft native backup via Microsoft 365 Backup Storage, fast restore, currently in preview with limited GA availability. EPC Group recommends Veeam for most enterprise deployments based on restore speed, cost, and feature completeness. We deploy and manage backup solutions as part of our managed services.
RPO (Recovery Point Objective) defines maximum acceptable data loss. RTO (Recovery Time Objective) defines maximum acceptable downtime. Recommended targets by service: Exchange Online — RPO: 1 hour (backup frequency), RTO: 4 hours (mailbox restore). SharePoint Online — RPO: 4 hours, RTO: 8 hours (site collection restore). OneDrive — RPO: 4 hours, RTO: 4 hours (individual restore). Teams — RPO: 4 hours, RTO: 8 hours (channel and chat restore). For mission-critical scenarios (executive mailboxes, legal documents, financial records): RPO: 15 minutes, RTO: 1 hour. These targets drive backup frequency, storage costs, and tool selection. EPC Group sizes backup infrastructure to meet client-specific RPO/RTO requirements validated through quarterly DR testing.
Microsoft 365 DR testing should follow a structured cadence: Monthly — restore a random mailbox, SharePoint site, and OneDrive account from backup. Verify data integrity and completeness. Document restore time (validates RTO). Quarterly — simulate a major incident scenario: ransomware attack (restore encrypted files from pre-encryption backup), departed employee (restore deleted account and all data), admin error (restore after accidental site collection deletion). Annually — full business continuity exercise: complete tenant-level recovery scenario, validate all service RPO/RTO targets, test communication plans and escalation procedures, update DR runbooks based on lessons learned. EPC Group includes DR testing in all managed services engagements. We maintain documented runbooks for every recovery scenario and test them on schedule.
Ransomware impacts on Microsoft 365:

- OneDrive/SharePoint: ransomware encrypts local files, which sync to cloud and overwrite clean versions. OneDrive "Restore" feature provides 30-day point-in-time rollback. SharePoint version history preserves previous clean versions (if not exhausted).
- Exchange: compromised accounts may delete or encrypt mailbox contents, forward sensitive data, and send phishing to contacts.
- Teams: files stored in SharePoint are affected as above.

Recovery strategy:

1. Isolate compromised accounts immediately (disable sign-in, revoke sessions).
2. Identify ransomware execution time using audit logs and Defender alerts.
3. Use third-party backup to restore all affected content to the point before ransomware execution.
4. Use OneDrive "Restore your OneDrive" for individual user recovery.
5. Restore SharePoint sites from version history or third-party backup.
6. Reset all affected account credentials and review Conditional Access policies.

Without third-party backup, recovery depends entirely on version history and the 30-day OneDrive restore window, which may be insufficient for late-detected attacks.
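Steps 2 and 3 of the recovery strategy, as an added example (not EPC Group's or Microsoft's code): find the start of a burst of file writes in exported audit records, pick the last backup restore point before it, and check whether the 30-day native OneDrive restore window still reaches back that far. The records are constructed and use the `CreationTime`, `Operation` and `UserId` fields of the unified audit log; the burst window and threshold are assumptions to tune against the tenant's baseline.

```python
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime, timedelta

WRITE_OPS = {"FileModified", "FileRenamed", "FileUploaded"}
WINDOW = timedelta(minutes=10)       # assumed burst window
THRESHOLD = 5                        # assumed; set from the tenant's own baseline
NATIVE_WINDOW = timedelta(days=30)   # "Restore your OneDrive" limit from the page

def ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")

def find_onset(records):
    """Return (user, time) of the earliest burst of file writes, or None."""
    by_user = defaultdict(list)
    for rec in records:
        if rec["Operation"] in WRITE_OPS:
            by_user[rec["UserId"]].append(ts(rec["CreationTime"]))
    earliest = None
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            # Count this user's writes inside [start, start + WINDOW].
            in_window = sum(1 for t in times[i:] if t - start <= WINDOW)
            if in_window >= THRESHOLD:
                if earliest is None or start < earliest[1]:
                    earliest = (user, start)
                break
    return earliest

def plan_restore(records, restore_points, detected_at):
    """Pick the last restore point before onset and test the native window."""
    onset = find_onset(records)
    if onset is None:
        return None
    user, onset_time = onset
    points = sorted(ts(p) for p in restore_points)
    idx = bisect_left(points, onset_time)   # points[:idx] are strictly earlier
    return {
        "user": user,
        "onset": onset_time,
        "restore_point": points[idx - 1] if idx else None,
        "native_restore_usable": detected_at - onset_time <= NATIVE_WINDOW,
    }

# Constructed sample audit records and restore points (not real tenant data).
RECORDS = (
    [{"CreationTime": "2024-04-01T15:00:00", "Operation": "FileModified",
      "UserId": "alex@example.com"},
     {"CreationTime": "2024-04-02T02:05:00", "Operation": "FileAccessed",
      "UserId": "alex@example.com"},
     {"CreationTime": "2024-04-02T09:30:00", "Operation": "FileModified",
      "UserId": "sam@example.com"}]
    + [{"CreationTime": f"2024-04-02T02:10:{s:02d}", "Operation": "FileRenamed",
        "UserId": "alex@example.com"} for s in range(5, 35, 5)]
)
RESTORE_POINTS = ["2024-04-01T22:00:00", "2024-04-02T02:00:00",
                  "2024-04-02T06:00:00"]

if __name__ == "__main__":
    print(plan_restore(RECORDS, RESTORE_POINTS, ts("2024-05-10T09:00:00")))
```

With detection on 2024-05-10 the onset is 38 days old, so the native rollback cannot reach a clean state and only the 02:00 backup restore point remains; the same records detected the next day would still fall inside the 30-day window.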
Essential Microsoft 365 retention policies:

1. Exchange mailbox retention: 7 years for regulated industries (HIPAA, SOX, FINRA), 3 years for general business, applied via Microsoft Purview retention policies.
2. SharePoint/OneDrive document retention: 7 years for regulated content, 3 years for general business documents, applied via sensitivity label-based retention or location-based policies.
3. Teams chat retention: 7 years for regulated industries (FINRA communication compliance), 1-3 years for general business.
4. Teams channel messages: follow SharePoint retention (messages stored in channel SharePoint site).
5. Deleted user data retention: hold departed user mailbox and OneDrive for minimum 1 year (legal protection).
6. Litigation hold: applied on a per-case basis, preserves all content indefinitely regardless of retention policies.

EPC Group configures retention policies during every Microsoft 365 deployment and validates them quarterly.
Microsoft 365 backup and DR costs: Third-party backup licensing: $2-6/user/month depending on tool and features. For 500 users: $12,000-$36,000/year. Backup storage: typically included in per-user licensing for the first 50-100GB per user. Additional storage: $0.05-$0.15/GB/month. DR planning and documentation: $15,000-$50,000 one-time for comprehensive DR plan, runbook development, and initial testing. Ongoing DR management: $5,000-$15,000/year for quarterly testing, runbook updates, and incident response readiness. Total annual cost for 500 users: approximately $30,000-$80,000/year. Compare this to the cost of data loss: average cost of a data breach is $4.45 million (IBM 2023). Average cost of ransomware recovery without backup: $1.85 million. EPC Group backup and DR solutions start at $15,000 for initial implementation plus $3/user/month for ongoing backup management.