Microsoft 365 Disaster Recovery & Business Continuity
Enterprise guide to the shared responsibility model, backup strategies, third-party tools, retention policies, RPO/RTO planning, and DR testing for your entire Microsoft 365 environment.
Microsoft 365 Disaster Recovery Business Continuity Guide 2026 — enterprise reference guide from EPC Group, built from 29 years of Microsoft consulting engagements at Fortune 500 scale. Covers architecture, governance, compliance, pricing benchmarks, and implementation timelines for the Microsoft ecosystem.
Key Facts
- Built from EPC Group enterprise consulting engagements at Fortune 500 scale.
- Compliance-native guidance for HIPAA, SOC 2, FedRAMP, FINRA, CMMC, and GxP environments.
- Includes pricing benchmarks, timelines, and decision-framework matrices where applicable.
- Authored by EPC Group senior architects with 10+ years Microsoft enterprise experience.
- Microsoft Solutions Partner with experience across core current designations.
- Free consultation to apply this guide to your specific environment.
Microsoft 365 Disaster Recovery: What Microsoft Does Not Cover
Do you need disaster recovery for Microsoft 365? Yes, you do. Microsoft offers a 99.9% SLA for platform uptime. However, this does not ensure that your data is recoverable in every situation. Under the shared responsibility model, you, the customer, are responsible for:
- Backing up your data
- Managing access controls
- Implementing security measures
- Backing up your data
- Ensuring data recovery plans are in place
- Managing user access and permissions
- Backing up your data
- Restoring your data when needed
- Managing data security and compliance
- Data backup
- Accidental deletion recovery
- Ransomware recovery
- Retention policy management
- Business continuity planning
Note that native recycle bins have a 93-day limit. There is no option for point-in-time mailbox restore. Also, data from users who have left is deleted after 30 days.
EPC Group recommends using third-party backup for every enterprise Microsoft 365 tenant. This backup should aim for:
- 1-4 hour RPO
- 4-8 hour RTO
These targets should apply across all services.
The most dangerous assumption in enterprise IT is that Microsoft backs up your Microsoft 365 data. This is not true — at least not in the way you need.
Microsoft does replicate your data across geo-redundant data centers. This protects against their infrastructure failures. However, it does not cover all scenarios.
- When a user permanently deletes a mailbox folder,
- when ransomware encrypts 10,000 SharePoint files via OneDrive sync,
- when a departing employee wipes their OneDrive,
- or when an admin accidentally deletes a site collection —
In these cases, Microsoft replication simply replicates the damage.
EPC Group has helped organizations recover from every one of these scenarios — and the ones that had backup in place recovered in hours. The ones that did not had permanent data loss. This guide covers exactly what you need to protect your Microsoft 365 environment from data loss scenarios that Microsoft native features cannot address.
We address several key areas to enhance your recovery strategy:
- Shared responsibility model
- Native retention capabilities and their gaps
- Selection of third-party backup tools
- RPO/RTO planning
- A DR testing framework that validates your recovery capabilities quarterly
The Shared Responsibility Model
Understanding who is responsible for what is the foundation of Microsoft 365 data protection. Microsoft protects the platform. You protect the data.
| Responsibility Area | Microsoft | Customer | Details |
|---|---|---|---|
| Data Center Infrastructure | - | Physical security, power, cooling, networking, hardware replacement | |
| Platform Availability (99.9% SLA) | - | Service uptime, geo-redundant replication, failover between data centers | |
| Operating System & Application Patching | - | Security patches, feature updates, vulnerability remediation | |
| Data Backup & Point-in-Time Recovery | - | Third-party backup, granular restore, long-term retention beyond native limits | |
| Accidental/Malicious Deletion Recovery | - | Native recycle bins have time limits. After expiry, data is unrecoverable without backup. | |
| Retention Policy Configuration | - | Define and apply retention policies per compliance requirements (HIPAA, SOX, FINRA) | |
| Account Security & Access Control | - | MFA, Conditional Access, identity protection, insider threat management | |
| Ransomware Protection & Recovery | - | Endpoint protection, backup for recovery, incident response procedures | |
| Regulatory Compliance Evidence | - | Audit logs, retention proof, data governance documentation for regulators | |
| Business Continuity Planning | - | DR procedures, communication plans, RTO/RPO targets, testing cadence |
Key Takeaway: Microsoft handles 3 out of 10 data protection areas. You are responsible for the remaining 7. The most important customer responsibilities include:
- Backup
- Deletion recovery
- Ransomware recovery
- Compliance evidence
Organizations often find themselves unprepared in several key areas. Microsoft service agreement Section 6b states: "We recommend that you regularly backup Your Content and Data that you store on the Services."
Native Recovery Capabilities by Service
Each Microsoft 365 service has different native recovery options — and different gaps. Understanding these gaps is essential for building a complete backup strategy.
Exchange Online
Native Recovery
Deleted Items (14-30 days), Recoverable Items folder (14-30 days), Litigation Hold (indefinite), In-Place Archive
Recovery Gaps
No point-in-time mailbox restore, no recovery after recoverable items period, litigation hold is not a backup (cannot selectively restore)
EPC Recommendation
Third-party backup with 1-hour RPO, 4-hour RTO for mailbox restore
SharePoint Online
Native Recovery
First-stage recycle bin (93 days), Second-stage recycle bin (93 days after user delete), Version history (up to 500 versions)
Recovery Gaps
No recovery after 93-day window, version history counts toward quota, site collection deletion by admin bypasses recycle bin with short recovery window
EPC Recommendation
Third-party backup with 4-hour RPO, 8-hour RTO for site collection restore
OneDrive for Business
Native Recovery
Recycle bin (93 days), Version history, "Restore your OneDrive" (30-day point-in-time)
Recovery Gaps
30-day restore window insufficient for late-detected ransomware, departed user OneDrive deleted after license removal (30-day grace), no granular file restore beyond version history
EPC Recommendation
Third-party backup with 4-hour RPO, retain departed user data for 1+ year
Microsoft Teams
Native Recovery
Chat retention (via retention policies), Channel files (SharePoint), Channel messages (compliance records)
Recovery Gaps
No native Teams backup product, chat deletion by user may not be recoverable, Teams settings and configurations not backed up, private channel content requires separate backup
EPC Recommendation
Third-party backup covering chats, channels, files, and Teams configuration
Power BI
Native Recovery
Dataset version history (limited), workspace recovery (admin restore within window)
Recovery Gaps
No native backup for reports, dashboards, or datasets. Deleted workspace has limited recovery window. No point-in-time restore for datasets.
EPC Recommendation
Export PBIX files to version-controlled repository (Azure DevOps), automated backup scripts
Entra ID (Azure AD)
Native Recovery
Soft-delete for users (30 days), audit logs (30-90 days), Conditional Access policy export
Recovery Gaps
No native backup of Conditional Access policies, group memberships, app registrations in a restorable format. Policy changes are not versioned.
EPC Recommendation
Automated configuration backup via Graph API, infrastructure-as-code for policies
Third-Party Backup Tool Comparison
Enterprise Microsoft 365 backup requires a third-party solution. Native retention features assist with short-term recovery, but they do not adequately protect enterprise data.
- Third-party solutions offer comprehensive backup options.
- They ensure long-term data protection and recovery.
- Leading tools provide features that native options lack.
| Tool | Coverage | Pricing | Strengths |
|---|---|---|---|
| Veeam Backup for M365 | Exchange, SharePoint, OneDrive, Teams | $2-4/user/month | Industry leader, fastest restore speeds, self-hosted or cloud, unlimited retention, granular search |
| AvePoint Cloud Backup | Exchange, SharePoint, OneDrive, Teams, Groups | $3-5/user/month | Strong SharePoint expertise, compliance reporting, automated DR testing, SaaS deployment |
| Commvault Metallic | Exchange, SharePoint, OneDrive, Teams, Entra ID | $3-6/user/month | Enterprise-grade, multi-cloud, advanced search and eDiscovery, Entra ID backup |
| Druva inSync | Exchange, SharePoint, OneDrive, Teams | $4-6/user/month | Pure SaaS (no infrastructure), automated compliance, legal hold, global deduplication |
| Microsoft 365 Backup | Exchange, SharePoint, OneDrive (expanding) | Pay-per-use (preview pricing) | Native Microsoft integration, fast restore via Microsoft infrastructure, no third-party dependency |
EPC Group Recommendation: For most enterprise deployments, we recommend Veeam Backup for Microsoft 365. It provides:
- The fastest restore speeds
- The most flexible deployment options (self-hosted or cloud)
- Unlimited retention
- The best cost-to-feature ratio
For organizations looking to remove infrastructure management, Druva inSync is the leading pure-SaaS option.
We are closely monitoring Microsoft 365 Backup (Preview). We will recommend it once it is fully available and supports Teams completely.
RPO and RTO Planning for Microsoft 365
The Recovery Point Objective (RPO) indicates the amount of data you can afford to lose. The Recovery Time Objective (RTO) specifies the time available for recovery. These two metrics influence all decisions regarding backup architecture, including:
- Data backup frequency
- Storage solutions
- Disaster recovery plans
- Data backup frequency
- Storage solutions
- Disaster recovery plans
- Frequency of backups
- Selection of tools
- Storage options
- Cost considerations
| Service | Standard RPO | Standard RTO | Critical RPO | Critical RTO |
|---|---|---|---|---|
| Exchange Online | 4 hours | 8 hours | 1 hour | 2 hours |
| SharePoint Online | 4 hours | 8 hours | 1 hour | 4 hours |
| OneDrive for Business | 4 hours | 4 hours | 1 hour | 2 hours |
| Microsoft Teams | 4 hours | 8 hours | 1 hour | 4 hours |
| Power BI | 24 hours | 24 hours | 4 hours | 8 hours |
| Entra ID Config | 24 hours | 4 hours | 4 hours | 1 hour |
Standard RPO/RTO targets are suitable for general business data. However, critical targets are necessary for:
- Executive communications
- Legal documents
- Financial records
- Regulated data (HIPAA PHI, SOX financial data, CMMC CUI)
The cost difference between standard and critical targets is about 2-3 times higher in backup infrastructure and licensing.
EPC Group holds business impact analysis (BIA) workshops. These workshops help us identify the right RPO/RTO for each service and data classification.
Next, we size and set up backup infrastructure to meet these targets. We also validate our configurations through quarterly disaster recovery (DR) testing.
DR Testing Framework
A backup that has never been tested is not a backup — it is a hope. EPC Group DR testing validates that recovery actually works within your RPO/RTO targets.
Monthly Tests
Restore a random mailbox, SharePoint site, and OneDrive account from backup. Verify data completeness and integrity. Log actual restore time. Compare to RTO target.
Metric: Pass/Fail: Restore within RTO?
Quarterly Scenarios
Simulate a real incident: ransomware recovery, departed employee data restoration, accidental admin deletion. Full end-to-end recovery including detection, escalation, and restore.
Metric: Mean time to recovery (MTTR)
Annual Exercise
Full business continuity exercise. Tenant-level recovery scenario. All service RPO/RTO validation. Communication plan testing. Executive participation. Lessons learned review.
Metric: Full BC plan validation
Runbook Updates
After every test, update recovery runbooks with actual steps, timing, and issues encountered. Keep runbooks in a location accessible during an outage (not only in the M365 tenant being recovered).
Metric: Runbook accuracy score
Essential Retention Policies for Every Tenant
Retention policies serve as the first line of defense before backup. They define how long Microsoft keeps deleted and modified content. When set up correctly, retention policies can help prevent many common data loss problems. However, they should not take the place of backup solutions.
Exchange Mailbox Retention
7 years for regulated industries, 3 years general businessScope: All mailboxes including shared and room mailboxes
Apply via Microsoft Purview retention policy. Covers deleted items beyond recycle bin period.
SharePoint Document Retention
7 years regulated, 3 years general, applied by sensitivity label or siteScope: All SharePoint sites including OneDrive
Use label-based retention for CUI, PHI, or financial documents. Location-based for general content.
Teams Chat Retention
7 years for FINRA/SOX, 3 years general businessScope: 1:1 chats, group chats, and channel messages
FINRA Rule 3110 requires retention of all electronic communications including Teams chat.
Departed User Hold
Minimum 1 year, convert mailbox to shared, retain OneDriveScope: All terminated/departed users
Automate via lifecycle workflows in Entra ID. Prevent license removal from deleting OneDrive data.
Litigation Hold
Indefinite, applied per legal caseScope: Specific users or content relevant to legal matter
Overrides all retention policies. Content preserved until hold is released by legal team.
Audit Log Retention
1 year with E5, 90 days with E3Scope: All Microsoft 365 audit events
E5 Advanced Audit provides 1-year retention. Export to Microsoft Sentinel for longer retention.
Frequently Asked Questions
Do you need disaster recovery for Microsoft 365?
Yes — absolutely. Microsoft guarantees infrastructure uptime (99.9% SLA) but does NOT guarantee your data is recoverable in all scenarios. The shared responsibility model means Microsoft protects against: data center failures, hardware failures, and platform outages. YOU are responsible for protecting against: accidental deletion (user or admin), malicious insider deletion, ransomware encrypting synced files, retention policy misconfiguration, compliance holds expiring, and account compromise leading to data destruction. Microsoft native retention covers some scenarios (recycle bins, version history) but has gaps: 93-day recycle bin limits, no point-in-time restore for mailboxes, and no protection against retention policy changes. EPC Group recommends third-party backup for every enterprise Microsoft 365 environment.
What is the Microsoft 365 shared responsibility model for data protection?
Microsoft is responsible for: physical infrastructure (data centers, networking, power), platform availability (99.9% SLA with financial credits), geo-redundant replication across regions, and security of the platform itself. You are responsible for: data backup and recovery, retention policy configuration, access control and account security, protection against accidental or malicious deletion, compliance with data retention regulations, and business continuity planning. The critical gap: Microsoft replicates your data for THEIR disaster recovery (data center failure), not for YOUR disaster recovery (deleted mailbox, ransomware, departed employee wiping their OneDrive). Microsoft explicitly states in their service agreement: "We recommend that you regularly backup Your Content and Data that you store on the Services." EPC Group closes this gap with comprehensive backup and DR strategies.
What are the native Microsoft 365 retention and recovery options?
Native Microsoft 365 recovery capabilities by service: Exchange Online — deleted items (14-30 days configurable), recoverable items (14-30 days), litigation hold (indefinite but not a backup). SharePoint Online — recycle bin (93 days), version history (up to 500 versions), site collection recycle bin (93 days after user deletion). OneDrive — recycle bin (93 days), version history, "Restore your OneDrive" feature (30-day point-in-time restore). Teams — chat retention (based on retention policies), channel messages (retained in SharePoint). Limitations: no granular point-in-time mailbox restore, no recovery after retention period expires, no protection if admin changes retention policies, no offline copy of data, and version history counts toward storage quotas. For enterprise compliance, these native features are insufficient.
What third-party backup tools work with Microsoft 365?
Top enterprise Microsoft 365 backup solutions: Veeam Backup for Microsoft 365 — industry leader, supports Exchange, SharePoint, Teams, OneDrive, unlimited retention, granular restore, $2-4/user/month. AvePoint Cloud Backup — strong SharePoint/Teams coverage, compliance-focused, built-in reporting, $3-5/user/month. Commvault Metallic — enterprise-grade, multi-cloud support, advanced search, $3-6/user/month. Druva inSync — SaaS-only (no infrastructure to manage), automated compliance, legal hold, $4-6/user/month. Microsoft 365 Backup (Preview) — Microsoft native backup via Microsoft 365 Backup Storage, fast restore, currently in preview with limited GA availability. EPC Group recommends Veeam for most enterprise deployments based on restore speed, cost, and feature completeness. We deploy and manage backup solutions as part of our managed services.
What RPO and RTO should I target for Microsoft 365?
RPO (Recovery Point Objective) defines maximum acceptable data loss. RTO (Recovery Time Objective) defines maximum acceptable downtime. Recommended targets by service: Exchange Online — RPO: 1 hour (backup frequency), RTO: 4 hours (mailbox restore). SharePoint Online — RPO: 4 hours, RTO: 8 hours (site collection restore). OneDrive — RPO: 4 hours, RTO: 4 hours (individual restore). Teams — RPO: 4 hours, RTO: 8 hours (channel and chat restore). For mission-critical scenarios (executive mailboxes, legal documents, financial records): RPO: 15 minutes, RTO: 1 hour. These targets drive backup frequency, storage costs, and tool selection. EPC Group sizes backup infrastructure to meet client-specific RPO/RTO requirements validated through quarterly DR testing.
How do you test Microsoft 365 disaster recovery?
Microsoft 365 DR testing should follow a structured cadence: Monthly — restore a random mailbox, SharePoint site, and OneDrive account from backup. Verify data integrity and completeness. Document restore time (validates RTO). Quarterly — simulate a major incident scenario: ransomware attack (restore encrypted files from pre-encryption backup), departed employee (restore deleted account and all data), admin error (restore after accidental site collection deletion). Annually — full business continuity exercise: complete tenant-level recovery scenario, validate all service RPO/RTO targets, test communication plans and escalation procedures, update DR runbooks based on lessons learned. EPC Group includes DR testing in all managed services engagements. We maintain documented runbooks for every recovery scenario and test them on schedule.
How does ransomware affect Microsoft 365 and how do you recover?
Ransomware impacts on Microsoft 365: OneDrive/SharePoint — ransomware encrypts local files, which sync to cloud and overwrite clean versions. OneDrive "Restore" feature provides 30-day point-in-time rollback. SharePoint version history preserves previous clean versions (if not exhausted). Exchange — compromised accounts may delete or encrypt mailbox contents, forward sensitive data, and send phishing to contacts. Teams — files stored in SharePoint are affected as above. Recovery strategy: 1) Isolate compromised accounts immediately (disable sign-in, revoke sessions), 2) Identify ransomware execution time using audit logs and Defender alerts, 3) Use third-party backup to restore all affected content to the point before ransomware execution, 4) Use OneDrive "Restore your OneDrive" for individual user recovery, 5) Restore SharePoint sites from version history or third-party backup, 6) Reset all affected account credentials and review Conditional Access policies. Without third-party backup, recovery depends entirely on version history and the 30-day OneDrive restore window — which may be insufficient for late-detected attacks.
What retention policies should every Microsoft 365 tenant have?
Essential Microsoft 365 retention policies: 1) Exchange mailbox retention: 7 years for regulated industries (HIPAA, SOX, FINRA), 3 years for general business, applied via Microsoft Purview retention policies. 2) SharePoint/OneDrive document retention: 7 years for regulated content, 3 years for general business documents, applied via sensitivity label-based retention or location-based policies. 3) Teams chat retention: 7 years for regulated industries (FINRA communication compliance), 1-3 years for general business. 4) Teams channel messages: follow SharePoint retention (messages stored in channel SharePoint site). 5) Deleted user data retention: hold departed user mailbox and OneDrive for minimum 1 year (legal protection). 6) Litigation hold: applied on a per-case basis, preserves all content indefinitely regardless of retention policies. EPC Group configures retention policies during every Microsoft 365 deployment and validates them quarterly.
What is the cost of Microsoft 365 backup and disaster recovery?
Microsoft 365 backup and DR costs: Third-party backup licensing: $2-6/user/month depending on tool and features. For 500 users: $12,000-$36,000/year. Backup storage: typically included in per-user licensing for the first 50-100GB per user. Additional storage: $0.05-$0.15/GB/month. DR planning and documentation: $15,000-$50,000 one-time for comprehensive DR plan, runbook development, and initial testing. Ongoing DR management: $5,000-$15,000/year for quarterly testing, runbook updates, and incident response readiness. Total annual cost for 500 users: approximately $30,000-$80,000/year. Compare this to the cost of data loss: average cost of a data breach is $4.45 million (IBM 2023). Average cost of ransomware recovery without backup: $1.85 million. EPC Group backup and DR solutions start at $15,000 for initial implementation plus $3/user/month for ongoing backup management.
Related Resources
Microsoft 365 Consulting Services
Enterprise Microsoft 365 deployment, migration, governance, and managed services from EPC Group.
Read moreManaged Services & 24/7 Support
Proactive monitoring, incident response, and continuous optimization for your Microsoft environment.
Read moreRegulated Industry Compliance
Industry-specific compliance controls for healthcare, financial services, government, and education.
Read moreProtect Your Microsoft 365 Data
Schedule a free Microsoft 365 data protection assessment with EPC Group. We will evaluate your:
- Current backup coverage
- Retention policies
- Disaster recovery (DR) readiness
After our assessment, we will provide a protection roadmap. This will include RPO/RTO targets, tool recommendations, and cost estimates.
Microsoft 365 Disaster Recovery & Business Continuity: Enterprise Guide 2026
Microsoft 365 does not automatically back up your data. Microsoft ensures platform availability but does not provide data backup. This guide explains:
- The shared responsibility model
- Third-party backup tools
- RPO/RTO planning
- Retention policy configuration
- Ransomware recovery steps for Exchange, SharePoint, Teams, and OneDrive
EPC Group has implemented disaster recovery strategies for regulated enterprise M365 tenants.
- Microsoft's service agreement explicitly states that customers are responsible for their own data backup.
- Default M365 retention for deleted items is 30–93 days — far too short for most compliance requirements.
- Third-party backup tools (Veeam, Avepoint, Acronis, Rubrik) are required for true enterprise data protection.
- Ransomware via OneDrive sync can encrypt thousands of SharePoint files before M365 detects and responds.
- EPC Group has designed and implemented DR strategies for enterprise M365 environments across regulated industries.
The Shared Responsibility Model
Microsoft is responsible for the availability of the Microsoft 365 platform. Microsoft is not responsible for your data. This distinction matters enormously for disaster recovery planning.
Microsoft maintains geographic redundancy, platform uptime (99.9%+ SLA), and infrastructure resiliency. If a Microsoft datacenter fails, the platform fails over automatically. Your data remains available.
What Microsoft does not protect against:
- A user permanently deleting a mailbox folder or SharePoint site
- Ransomware encrypting files via OneDrive sync before M365 detects it
- A departing employee wiping their OneDrive before the account is disabled
- An admin accidentally deleting a site collection
- Malicious deletion by a compromised account
In all these cases, Microsoft replication clearly shows the damage. Microsoft states in their service agreement that customers must back up their own data. This requirement is not a flaw in the platform; it is intentional.
As a result, you should plan your disaster recovery (DR) strategy accordingly.
Native M365 Data Recovery Capabilities
Microsoft 365 includes some native recovery tools. These cover short-term accidents — not enterprise DR requirements.
Exchange Online
- Deleted Items: Recoverable for 30 days by default.
- Recoverable Items (Dumpster): Soft-deleted items retained for 14 days by default. Extend to 30 days via retention policy.
- Litigation Hold: Preserves all mailbox content indefinitely for legal purposes. Not a backup — cannot restore a specific version of a document.
- In-Place eDiscovery: Allows searching and exporting archived mailbox content.
SharePoint and OneDrive
- Recycle Bin: Deleted items held for 93 days before permanent deletion.
- Version History: Restores previous document versions. Default version limit is 500. Does not protect against complete site deletion.
- OneDrive Restore: Restores individual OneDrive to any point in the last 30 days. Useful for ransomware recovery — but only for the individual OneDrive, not shared SharePoint libraries.
These native tools are useful for individual item recovery. They are not sufficient for enterprise-grade disaster recovery or compliance-required backup retention.
Third-Party Backup Tools
Enterprise disaster recovery for M365 requires third-party backup. Leading tools include:
| Tool | Key Strengths |
|---|---|
| Veeam Backup for M365 | Granular restore, immutable storage support, strong Exchange coverage |
| AvePoint Cloud Backup | SharePoint expertise, Teams backup, compliance-grade retention |
| Acronis Cyber Protect | Broad platform coverage, ransomware detection integration |
| Rubrik Security Cloud | Immutable backups, zero-trust architecture, ransomware recovery |
EPC Group suggests using solutions with immutable storage. These backups cannot be encrypted or deleted by ransomware, even if it infiltrates your backup environment.
Immutable backups are crucial for protecting against ransomware. They provide the strongest defense for your data.
RPO and RTO Planning
Define your recovery objectives before selecting a backup tool or DR strategy.
- Recovery Point Objective (RPO): How much data loss is acceptable? An RPO of 24 hours means backups run daily and you can lose up to one day of data. An RPO of 1 hour requires near-continuous backup.
- Recovery Time Objective (RTO): How quickly must services be restored? An RTO of 4 hours means your team must be able to restore critical services within 4 hours of a declared disaster.
Set separate RPO and RTO targets for each workload. Email typically requires a lower RPO than SharePoint document libraries. Legal hold content requires indefinite retention regardless of RPO targets.
Ransomware Recovery Playbook
Ransomware reaching your M365 environment via OneDrive sync is the most common M365 disaster scenario. Follow these steps when ransomware is detected.
- Isolate compromised accounts immediately. Disable sign-in for affected accounts and revoke all active sessions in Entra ID.
- Identify the ransomware execution time. Use unified audit logs and Microsoft Defender alerts to determine when encryption began.
- Restore from third-party backup. Use your backup tool to restore all affected content to the point-in-time before ransomware execution. This is why immutable backup is critical — M365 native tools cannot restore to an arbitrary point in time reliably.
- Use OneDrive Restore for individual user recovery. For users whose personal OneDrive was affected, use the built-in OneDrive Restore feature to roll back to the pre-encryption state (up to 30 days).
- Restore affected SharePoint sites from backup. Do not rely on version history alone for large-scale SharePoint encryption events. Use your third-party backup for bulk restores.
- Reset credentials and review Conditional Access. Reset passwords for all affected accounts. Review Conditional Access policies to close the gap that allowed ransomware to spread.
Retention Policies as a DR Layer
Microsoft 365 retention policies preserve content even after a user deletes it. This provides a DR layer for compliance-required data — but it is not a substitute for backup.
Configure retention policies for:
- Exchange mailboxes: Retain all email for 7 years (standard financial services requirement) or 6 years (HIPAA minimum).
- SharePoint and OneDrive: Retain all content for the compliance period applicable to your industry.
- Teams channels and chats: Retain for the same period as email in regulated environments.
Retention policy preservation differs from backup restore. You can access retained content using eDiscovery search. However, it cannot be retrieved through a straightforward point-in-time restore.
For complete data protection, it is essential to use:
- Retention policies
- Third-party backup solutions
DR Testing
A disaster recovery (DR) plan that has not been tested is just a theory. To make sure your team can execute the plan, follow these steps:
- Conduct tabletop exercises every quarter.
- Perform actual restore tests at least once a year.
- Restore a mailbox
- Restore a SharePoint site
- Restore a Teams channel
These tests confirm that the restore process is effective.
Document test results. Auditors and cyber insurance providers increasingly require evidence of DR testing. A log showing quarterly tabletop exercises and annual restore tests satisfies most requirements.
EPC Group's M365 DR Practice
EPC Group creates and implements disaster recovery strategies for enterprise M365 environments in regulated industries. These industries include healthcare, financial services, government, and professional services.
Our disaster recovery (DR) services include:
- Shared responsibility gap analysis
- Backup tool selection and configuration
- RPO/RTO definition
- Retention policy design
- Ransomware recovery playbook development
Frequently Asked Questions
Does Microsoft 365 back up my data?
No. Microsoft backs up the M365 platform infrastructure for availability purposes. Microsoft does not back up individual tenant data for recovery purposes.
Microsoft's service agreement specifies that customers are responsible for their own data. To achieve enterprise-level data protection, consider using a third-party backup tool or Microsoft 365 Backup.
This backup solution will be generally available in 2024.
What is the default retention period for deleted items in M365?
You can recover deleted email items for up to 30 days by default. Soft-deleted items in the Recoverable Items folder are stored for 14 days. However, you can extend this period to 30 days. Additionally, the SharePoint Recycle Bin retains deleted items for 93 days.
These default settings may not meet most compliance needs. To ensure compliance, configure retention policies to extend these durations.
What third-party backup tool should I use for Microsoft 365?
EPC Group assesses backup tools using several key criteria. These include:
- Immutable storage support
- Granular restore capability
- Teams coverage
- Compliance reporting
In enterprise settings, the most popular tools are Veeam Backup for M365 and AvePoint Cloud Backup. Choosing the right tool depends on several factors:
- Your budget
- Your compliance needs
- Your current infrastructure
Can OneDrive Restore recover from a ransomware attack?
OneDrive Restore lets users go back to any point in their OneDrive within the last 30 days. This feature is useful for individual user recovery.
However, it does not work for shared SharePoint libraries.
For large-scale ransomware incidents that impact multiple users and SharePoint sites, consider the following:
- Third-party backup solutions
- Immutable storage options
What RPO and RTO should I target for Microsoft 365?
Most enterprises aim for a Recovery Point Objective (RPO) of 24 hours and a Recovery Time Objective (RTO) of 4 hours for standard M365 workloads. However, regulated industries or mission-critical environments should set lower targets:
- RPO: Less than 24 hours
- RTO: Less than 4 hours
- RPO: Less than 24 hours
- RTO: Less than 4 hours
- RPO: 1 hour
- RTO: 1–2 hours
It's important to define targets based on the specific workload. For example, email usually has stricter requirements than SharePoint document libraries.
How does EPC Group approach M365 DR engagements?
EPC Group begins with a shared responsibility gap analysis. This process identifies what your current environment covers and what it leaves exposed.
Next, we:
- Select and configure backup tools
- Define RPO/RTO targets
- Design retention policies
- Build a ransomware recovery playbook
Engagements typically take 4–6 weeks from start to finish.
Build Your Microsoft 365 DR Strategy
EPC Group creates Microsoft 365 disaster recovery strategies. Our services include:
- Shared responsibility gap analysis
- Backup tool configuration
- Retention policy design
- Ransomware playbooks
We make sure your M365 environment is safe for scenarios that Microsoft does not address.