About EPC Group

EPC Group is a Microsoft consulting firm founded in 1997 (originally Enterprise Project Consulting, renamed EPC Group in 2005). 29 years of enterprise Microsoft consulting experience. EPC Group historically held the distinction of being the oldest continuous Microsoft Gold Partner in North America from 2016 until the program's retirement. Because Microsoft officially deprecated the Gold/Silver tiering framework, EPC Group transitioned to the modern Microsoft Solutions Partner ecosystem and currently holds the core Microsoft Solutions Partner designations.

Headquartered at 4900 Woodway Drive, Suite 830, Houston, TX 77056. Public clients include NASA, FBI, Federal Reserve, Pentagon, United Airlines, PepsiCo, Nike, and Northrop Grumman. 6,500+ SharePoint implementations, 1,500+ Power BI deployments, 500+ Microsoft Fabric implementations, 70+ Fortune 500 organizations served, 11,000+ enterprise engagements, 200+ Microsoft Power BI and Microsoft 365 consultants on staff.

About Errin O'Connor

Errin O'Connor is the Founder, CEO, and Chief AI Architect of EPC Group. Microsoft MVP multiple years, first awarded 2003. 4× Microsoft Press bestselling author of Windows SharePoint Services 3.0 Inside Out (MS Press 2007), Microsoft SharePoint Foundation 2010 Inside Out (MS Press 2011), SharePoint 2013 Field Guide (Sams/Pearson 2014), and Microsoft Power BI Dashboards Step by Step (MS Press 2018).

Original SharePoint Beta Team member (Project Tahoe). Original Power BI Beta Team member (Project Crescent). FedRAMP framework contributor. Worked with U.S. CIO Vivek Kundra on the Obama administration's 25-Point Plan to reform federal IT, and with NASA CIO Chris Kemp as Lead Architect on the NASA Nebula Cloud project. Speaker at Microsoft Ignite, SharePoint Conference, KMWorld, and DATAVERSITY.

© 2026 EPC Group. All rights reserved. Microsoft, SharePoint, Power BI, Azure, Microsoft 365, Microsoft Copilot, Microsoft Fabric, and Microsoft Dynamics 365 are trademarks of the Microsoft group of companies.

Microsoft 365 Disaster Recovery & Business Continuity

Enterprise guide to the shared responsibility model, backup strategies, third-party tools, retention policies, RPO/RTO planning, and DR testing for your entire Microsoft 365 environment.

Microsoft 365 Disaster Recovery Business Continuity Guide 2026 — enterprise reference guide from EPC Group, built from 29 years of Microsoft consulting engagements at Fortune 500 scale. Covers architecture, governance, compliance, pricing benchmarks, and implementation timelines for the Microsoft ecosystem.

Key Facts

  • Built from EPC Group enterprise consulting engagements at Fortune 500 scale.
  • Compliance-native guidance for HIPAA, SOC 2, FedRAMP, FINRA, CMMC, and GxP environments.
  • Includes pricing benchmarks, timelines, and decision-framework matrices where applicable.
  • Authored by EPC Group senior architects with 10+ years Microsoft enterprise experience.
  • Microsoft Solutions Partner with experience across all six current designations.
  • Free consultation to apply this guide to your specific environment.

Microsoft 365 Disaster Recovery: What Microsoft Does Not Cover

Do you need disaster recovery for Microsoft 365? Yes. Microsoft guarantees platform uptime (99.9% SLA) but does NOT guarantee your data is recoverable in all scenarios. The shared responsibility model places data backup, accidental deletion recovery, ransomware recovery, retention policy management, and business continuity planning squarely on you — the customer. Native recycle bins have 93-day limits. There is no point-in-time mailbox restore. Departed user data is deleted after 30 days. EPC Group recommends third-party backup for every enterprise Microsoft 365 tenant, targeting 1-4 hour RPO and 4-8 hour RTO across all services.

The most dangerous assumption in enterprise IT is that Microsoft backs up your Microsoft 365 data. They do not — at least not in the way you need. Microsoft replicates your data across geo-redundant data centers to protect against THEIR infrastructure failures. But when a user permanently deletes a mailbox folder, when ransomware encrypts 10,000 SharePoint files via OneDrive sync, when a departing employee wipes their OneDrive, or when an admin accidentally deletes a site collection — Microsoft replication faithfully replicates the damage.

EPC Group has helped organizations recover from every one of these scenarios — and the ones that had backup in place recovered in hours. The ones that did not had permanent data loss. This guide covers exactly what you need to protect your Microsoft 365 environment from data loss scenarios that Microsoft native features cannot address.

We cover the shared responsibility model, native retention capabilities and their gaps, third-party backup tool selection, RPO/RTO planning, and a DR testing framework that validates your recovery capabilities quarterly.

The Shared Responsibility Model

Understanding who is responsible for what is the foundation of Microsoft 365 data protection. Microsoft protects the platform. You protect the data.

Responsibility Area | Microsoft | Customer | Details
Data Center Infrastructure | ✓ | - | Physical security, power, cooling, networking, hardware replacement
Platform Availability (99.9% SLA) | ✓ | - | Service uptime, geo-redundant replication, failover between data centers
Operating System & Application Patching | ✓ | - | Security patches, feature updates, vulnerability remediation
Data Backup & Point-in-Time Recovery | - | ✓ | Third-party backup, granular restore, long-term retention beyond native limits
Accidental/Malicious Deletion Recovery | - | ✓ | Native recycle bins have time limits. After expiry, data is unrecoverable without backup.
Retention Policy Configuration | - | ✓ | Define and apply retention policies per compliance requirements (HIPAA, SOX, FINRA)
Account Security & Access Control | - | ✓ | MFA, Conditional Access, identity protection, insider threat management
Ransomware Protection & Recovery | - | ✓ | Endpoint protection, backup for recovery, incident response procedures
Regulatory Compliance Evidence | - | ✓ | Audit logs, retention proof, data governance documentation for regulators
Business Continuity Planning | - | ✓ | DR procedures, communication plans, RTO/RPO targets, testing cadence

Key Takeaway: Microsoft is responsible for 3 out of 10 data protection areas. You are responsible for 7 out of 10. The most critical customer responsibilities — backup, deletion recovery, ransomware recovery, and compliance evidence — are exactly the areas where organizations are most often unprepared. Microsoft service agreement Section 6b explicitly states: "We recommend that you regularly backup Your Content and Data that you store on the Services."

Native Recovery Capabilities by Service

Each Microsoft 365 service has different native recovery options — and different gaps. Understanding these gaps is essential for building a complete backup strategy.

Exchange Online

Native Recovery

Deleted Items (14-30 days), Recoverable Items folder (14-30 days), Litigation Hold (indefinite), In-Place Archive

Recovery Gaps

No point-in-time mailbox restore, no recovery after recoverable items period, litigation hold is not a backup (cannot selectively restore)

EPC Recommendation

Third-party backup with 1-hour RPO, 4-hour RTO for mailbox restore

SharePoint Online

Native Recovery

First-stage recycle bin (93 days), Second-stage recycle bin (93 days after user delete), Version history (up to 500 versions)

Recovery Gaps

No recovery after 93-day window, version history counts toward quota, site collection deletion by admin bypasses recycle bin with short recovery window

EPC Recommendation

Third-party backup with 4-hour RPO, 8-hour RTO for site collection restore

OneDrive for Business

Native Recovery

Recycle bin (93 days), Version history, "Restore your OneDrive" (30-day point-in-time)

Recovery Gaps

30-day restore window insufficient for late-detected ransomware, departed user OneDrive deleted after license removal (30-day grace), no granular file restore beyond version history

EPC Recommendation

Third-party backup with 4-hour RPO, retain departed user data for 1+ year

Microsoft Teams

Native Recovery

Chat retention (via retention policies), Channel files (SharePoint), Channel messages (compliance records)

Recovery Gaps

No native Teams backup product, chat deletion by user may not be recoverable, Teams settings and configurations not backed up, private channel content requires separate backup

EPC Recommendation

Third-party backup covering chats, channels, files, and Teams configuration

Power BI

Native Recovery

Dataset version history (limited), workspace recovery (admin restore within window)

Recovery Gaps

No native backup for reports, dashboards, or datasets. Deleted workspace has limited recovery window. No point-in-time restore for datasets.

EPC Recommendation

Export PBIX files to version-controlled repository (Azure DevOps), automated backup scripts

Entra ID (Azure AD)

Native Recovery

Soft-delete for users (30 days), audit logs (30-90 days), Conditional Access policy export

Recovery Gaps

No native backup of Conditional Access policies, group memberships, app registrations in a restorable format. Policy changes are not versioned.

EPC Recommendation

Automated configuration backup via Graph API, infrastructure-as-code for policies
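A Graph API configuration backup is only useful for recovery if it can show what changed between two snapshots. The following added example (not EPC Group's code or a Microsoft tool) diffs two saved snapshots of Conditional Access policies in the JSON shape the Graph conditionalAccess/policies collection returns and flags the changes that weaken enforcement; the snapshots are constructed, and the script assumes a scheduled job outside it has already exported them to disk.

```python
import json
from typing import Any

# Constructed sample: two snapshots of the conditionalAccess/policies collection,
# trimmed to the fields that matter for drift detection. Not real tenant data.
SNAPSHOT_BEFORE = json.dumps([
    {"id": "p-mfa-all", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-1"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p-legacy", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "p-admins", "displayName": "Require compliant device for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["GlobalAdministrator"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
])
SNAPSHOT_AFTER = json.dumps([
    {"id": "p-mfa-all", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-1", "svc-sync"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p-legacy", "displayName": "Block legacy authentication", "state": "disabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
])


def flatten(obj: Any, prefix: str = "") -> dict:
    """Flatten nested JSON into {"a.b[0]": value} so that field-level changes can be named."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}.{k}" if prefix else k))
    elif isinstance(obj, list):
        # Lists of scalars are compared order-independently: Graph does not promise ordering.
        if all(not isinstance(i, (dict, list)) for i in obj):
            out[prefix] = sorted(str(i) for i in obj)
        else:
            for n, v in enumerate(obj):
                out.update(flatten(v, f"{prefix}[{n}]"))
    else:
        out[prefix] = obj
    return out


def diff_policies(before_json: str, after_json: str) -> dict:
    """Return added, removed and modified policies between two snapshots, keyed by policy id."""
    before = {p["id"]: p for p in json.loads(before_json)}
    after = {p["id"]: p for p in json.loads(after_json)}
    result = {"added": sorted(set(after) - set(before)),
              "removed": sorted(set(before) - set(after)),
              "modified": {}}
    for pid in sorted(set(before) & set(after)):
        old, new = flatten(before[pid]), flatten(after[pid])
        changes = {}
        for field in sorted(set(old) | set(new)):
            if old.get(field) != new.get(field):
                changes[field] = (old.get(field), new.get(field))
        if changes:
            result["modified"][pid] = changes
    return result


# Fields whose change most often means a control was weakened (assumed list; extend per tenant).
HIGH_RISK_FIELDS = ("conditions.users.excludeUsers", "grantControls.builtInControls")


def high_risk_changes(diff: dict) -> list:
    """Changes that weaken enforcement: a policy removed or switched off, exclusions widened,
    or grant controls altered. A good starting point for the Conditional Access review."""
    findings = [f"policy removed: {pid}" for pid in diff["removed"]]
    for pid, changes in diff["modified"].items():
        for field, (old, new) in changes.items():
            if field == "state" and old == "enabled" and new != "enabled":
                findings.append(f"{pid}: state changed enabled -> {new}")
            elif field in HIGH_RISK_FIELDS:
                findings.append(f"{pid}: {field} changed {old} -> {new}")
    return findings


if __name__ == "__main__":
    d = diff_policies(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print(json.dumps(d, indent=2, default=str))
    for finding in high_risk_changes(d):
        print("HIGH RISK:", finding)
```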

Third-Party Backup Tool Comparison

Enterprise Microsoft 365 backup requires a third-party solution. Native retention features are useful for short-term recovery but insufficient for enterprise data protection. Here is how the leading tools compare.

Tool | Coverage | Pricing | Strengths
Veeam Backup for M365 | Exchange, SharePoint, OneDrive, Teams | $2-4/user/month | Industry leader, fastest restore speeds, self-hosted or cloud, unlimited retention, granular search
AvePoint Cloud Backup | Exchange, SharePoint, OneDrive, Teams, Groups | $3-5/user/month | Strong SharePoint expertise, compliance reporting, automated DR testing, SaaS deployment
Commvault Metallic | Exchange, SharePoint, OneDrive, Teams, Entra ID | $3-6/user/month | Enterprise-grade, multi-cloud, advanced search and eDiscovery, Entra ID backup
Druva inSync | Exchange, SharePoint, OneDrive, Teams | $4-6/user/month | Pure SaaS (no infrastructure), automated compliance, legal hold, global deduplication
Microsoft 365 Backup | Exchange, SharePoint, OneDrive (expanding) | Pay-per-use (preview pricing) | Native Microsoft integration, fast restore via Microsoft infrastructure, no third-party dependency

EPC Group Recommendation: Veeam Backup for Microsoft 365 for most enterprise deployments. It offers the fastest restore speeds, most flexible deployment (self-hosted or cloud), unlimited retention, and the best cost-to-feature ratio. For organizations that want zero infrastructure management, Druva inSync is the strongest pure-SaaS option. We monitor Microsoft 365 Backup (Preview) closely and will recommend it once it reaches GA with full Teams support.

RPO and RTO Planning for Microsoft 365

Recovery Point Objective (RPO) defines how much data you can afford to lose. Recovery Time Objective (RTO) defines how long recovery can take. These two metrics drive every backup architecture decision — frequency, tool selection, storage, and cost.

Service | Standard RPO | Standard RTO | Critical RPO | Critical RTO
Exchange Online | 4 hours | 8 hours | 1 hour | 2 hours
SharePoint Online | 4 hours | 8 hours | 1 hour | 4 hours
OneDrive for Business | 4 hours | 4 hours | 1 hour | 2 hours
Microsoft Teams | 4 hours | 8 hours | 1 hour | 4 hours
Power BI | 24 hours | 24 hours | 4 hours | 8 hours
Entra ID Config | 24 hours | 4 hours | 4 hours | 1 hour

Standard RPO/RTO targets are appropriate for general business data. Critical targets apply to executive communications, legal documents, financial records, and regulated data (HIPAA PHI, SOX financial data, CMMC CUI). The cost difference between standard and critical is approximately 2-3x in backup infrastructure and licensing.

EPC Group conducts business impact analysis (BIA) workshops to determine the appropriate RPO/RTO for each service and data classification. We then size and configure backup infrastructure to meet those targets — and validate them through quarterly DR testing.

DR Testing Framework

A backup that has never been tested is not a backup — it is a hope. EPC Group DR testing validates that recovery actually works within your RPO/RTO targets.

Monthly Tests

Restore a random mailbox, SharePoint site, and OneDrive account from backup. Verify data completeness and integrity. Log actual restore time. Compare to RTO target.

Metric: Pass/fail (was the restore completed within the RTO target?)

Quarterly Scenarios

Simulate a real incident: ransomware recovery, departed employee data restoration, accidental admin deletion. Full end-to-end recovery including detection, escalation, and restore.

Metric: Mean time to recovery (MTTR)

Annual Exercise

Full business continuity exercise. Tenant-level recovery scenario. All service RPO/RTO validation. Communication plan testing. Executive participation. Lessons learned review.

Metric: Full BC plan validation

Runbook Updates

After every test, update recovery runbooks with actual steps, timing, and issues encountered. Keep runbooks in a location accessible during an outage (not only in the M365 tenant being recovered).

Metric: Runbook accuracy score
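The monthly test's pass/fail metric, worked through against the standard and critical targets from the RPO/RTO table above. This is an added example, not EPC Group's tooling; the backup job history and restore test records are constructed, and the achieved RPO is taken as the longest gap between successful backups, since a failed job leaves no restore point.

```python
from datetime import datetime

# Targets from the RPO/RTO planning table, in hours: (RPO, RTO) per tier.
TARGETS = {
    "Exchange Online":       {"standard": (4, 8),   "critical": (1, 2)},
    "SharePoint Online":     {"standard": (4, 8),   "critical": (1, 4)},
    "OneDrive for Business": {"standard": (4, 4),   "critical": (1, 2)},
    "Microsoft Teams":       {"standard": (4, 8),   "critical": (1, 4)},
    "Power BI":              {"standard": (24, 24), "critical": (4, 8)},
    "Entra ID Config":       {"standard": (24, 4),  "critical": (4, 1)},
}

# Constructed backup job history: (service, completion time, succeeded?).
# A failed job creates no restore point, so it widens the gap between usable backups.
BACKUP_JOBS = [
    ("Exchange Online", "2026-03-01T00:00", True),
    ("Exchange Online", "2026-03-01T01:00", True),
    ("Exchange Online", "2026-03-01T02:00", False),   # failed job
    ("Exchange Online", "2026-03-01T03:00", True),
    ("SharePoint Online", "2026-03-01T00:00", True),
    ("SharePoint Online", "2026-03-01T04:00", True),
    ("SharePoint Online", "2026-03-01T09:00", True),  # 5-hour gap
]

# Constructed monthly restore tests: (service, tier, restore started, restore finished, data verified?).
RESTORE_TESTS = [
    ("Exchange Online", "standard", "2026-03-15T09:00", "2026-03-15T10:30", True),
    ("SharePoint Online", "standard", "2026-03-15T11:00", "2026-03-15T20:15", True),
    ("OneDrive for Business", "standard", "2026-03-15T13:00", "2026-03-15T14:00", False),
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def achieved_rpo_hours(jobs, service):
    """Longest interval between consecutive successful backups of a service, in hours.
    None when there are fewer than two successful jobs to measure between."""
    times = sorted(_t(ts) for svc, ts, ok in jobs if svc == service and ok)
    if len(times) < 2:
        return None
    return max(b - a for a, b in zip(times, times[1:])).total_seconds() / 3600


def evaluate(jobs, tests, targets=TARGETS):
    """One result per restore test. A test passes only if the achieved RPO and the measured
    restore time are both within target AND the restored data passed its integrity check."""
    results = []
    for service, tier, start, end, verified in tests:
        rpo_target, rto_target = targets[service][tier]
        rpo = achieved_rpo_hours(jobs, service)
        rto = (_t(end) - _t(start)).total_seconds() / 3600
        reasons = []
        if rpo is None:
            reasons.append("no backup history")
        elif rpo > rpo_target:
            reasons.append(f"RPO {rpo:.1f}h exceeds {rpo_target}h target")
        if rto > rto_target:
            reasons.append(f"RTO {rto:.2f}h exceeds {rto_target}h target")
        if not verified:
            reasons.append("restored data failed integrity check")
        results.append({"service": service, "tier": tier, "achieved_rpo_h": rpo,
                        "achieved_rto_h": rto, "passed": not reasons, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in evaluate(BACKUP_JOBS, RESTORE_TESTS):
        verdict = "PASS" if r["passed"] else "FAIL"
        print(f"{r['service']:22} {r['tier']:9} {verdict}  {'; '.join(r['reasons'])}")
```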

Essential Retention Policies for Every Tenant

Retention policies are the first line of defense before backup. They determine how long Microsoft preserves deleted and modified content natively. Properly configured retention policies prevent many common data loss scenarios — but they are not a substitute for backup.

Exchange Mailbox Retention

7 years for regulated industries, 3 years general business

Scope: All mailboxes including shared and room mailboxes

Apply via Microsoft Purview retention policy. Covers deleted items beyond recycle bin period.

SharePoint Document Retention

7 years regulated, 3 years general, applied by sensitivity label or site

Scope: All SharePoint sites including OneDrive

Use label-based retention for CUI, PHI, or financial documents. Location-based for general content.

Teams Chat Retention

7 years for FINRA/SOX, 3 years general business

Scope: 1:1 chats, group chats, and channel messages

FINRA Rule 3110 requires retention of all electronic communications including Teams chat.

Departed User Hold

Minimum 1 year, convert mailbox to shared, retain OneDrive

Scope: All terminated/departed users

Automate via lifecycle workflows in Entra ID. Prevent license removal from deleting OneDrive data.

Litigation Hold

Indefinite, applied per legal case

Scope: Specific users or content relevant to legal matter

Overrides all retention policies. Content preserved until hold is released by legal team.

Audit Log Retention

1 year with E5, 90 days with E3

Scope: All Microsoft 365 audit events

E5 Advanced Audit provides 1-year retention. Export to Microsoft Sentinel for longer retention.

Frequently Asked Questions

Do you need disaster recovery for Microsoft 365?

Yes — absolutely. Microsoft guarantees infrastructure uptime (99.9% SLA) but does NOT guarantee your data is recoverable in all scenarios. The shared responsibility model means Microsoft protects against: data center failures, hardware failures, and platform outages. YOU are responsible for protecting against: accidental deletion (user or admin), malicious insider deletion, ransomware encrypting synced files, retention policy misconfiguration, compliance holds expiring, and account compromise leading to data destruction. Microsoft native retention covers some scenarios (recycle bins, version history) but has gaps: 93-day recycle bin limits, no point-in-time restore for mailboxes, and no protection against retention policy changes. EPC Group recommends third-party backup for every enterprise Microsoft 365 environment.

What is the Microsoft 365 shared responsibility model for data protection?

Microsoft is responsible for: physical infrastructure (data centers, networking, power), platform availability (99.9% SLA with financial credits), geo-redundant replication across regions, and security of the platform itself. You are responsible for: data backup and recovery, retention policy configuration, access control and account security, protection against accidental or malicious deletion, compliance with data retention regulations, and business continuity planning. The critical gap: Microsoft replicates your data for THEIR disaster recovery (data center failure), not for YOUR disaster recovery (deleted mailbox, ransomware, departed employee wiping their OneDrive). Microsoft explicitly states in their service agreement: "We recommend that you regularly backup Your Content and Data that you store on the Services." EPC Group closes this gap with comprehensive backup and DR strategies.

What are the native Microsoft 365 retention and recovery options?

Native Microsoft 365 recovery capabilities by service: Exchange Online — deleted items (14-30 days configurable), recoverable items (14-30 days), litigation hold (indefinite but not a backup). SharePoint Online — recycle bin (93 days), version history (up to 500 versions), site collection recycle bin (93 days after user deletion). OneDrive — recycle bin (93 days), version history, "Restore your OneDrive" feature (30-day point-in-time restore). Teams — chat retention (based on retention policies), channel messages (retained in SharePoint). Limitations: no granular point-in-time mailbox restore, no recovery after retention period expires, no protection if admin changes retention policies, no offline copy of data, and version history counts toward storage quotas. For enterprise compliance, these native features are insufficient.

What third-party backup tools work with Microsoft 365?

Top enterprise Microsoft 365 backup solutions: Veeam Backup for Microsoft 365 — industry leader, supports Exchange, SharePoint, Teams, OneDrive, unlimited retention, granular restore, $2-4/user/month. AvePoint Cloud Backup — strong SharePoint/Teams coverage, compliance-focused, built-in reporting, $3-5/user/month. Commvault Metallic — enterprise-grade, multi-cloud support, advanced search, $3-6/user/month. Druva inSync — SaaS-only (no infrastructure to manage), automated compliance, legal hold, $4-6/user/month. Microsoft 365 Backup (Preview) — Microsoft native backup via Microsoft 365 Backup Storage, fast restore, currently in preview with limited GA availability. EPC Group recommends Veeam for most enterprise deployments based on restore speed, cost, and feature completeness. We deploy and manage backup solutions as part of our managed services.

What RPO and RTO should I target for Microsoft 365?

RPO (Recovery Point Objective) defines maximum acceptable data loss. RTO (Recovery Time Objective) defines maximum acceptable downtime. Recommended targets by service: Exchange Online — RPO: 1 hour (backup frequency), RTO: 4 hours (mailbox restore). SharePoint Online — RPO: 4 hours, RTO: 8 hours (site collection restore). OneDrive — RPO: 4 hours, RTO: 4 hours (individual restore). Teams — RPO: 4 hours, RTO: 8 hours (channel and chat restore). For mission-critical scenarios (executive mailboxes, legal documents, financial records): RPO: 15 minutes, RTO: 1 hour. These targets drive backup frequency, storage costs, and tool selection. EPC Group sizes backup infrastructure to meet client-specific RPO/RTO requirements validated through quarterly DR testing.

How do you test Microsoft 365 disaster recovery?

Microsoft 365 DR testing should follow a structured cadence: Monthly — restore a random mailbox, SharePoint site, and OneDrive account from backup. Verify data integrity and completeness. Document restore time (validates RTO). Quarterly — simulate a major incident scenario: ransomware attack (restore encrypted files from pre-encryption backup), departed employee (restore deleted account and all data), admin error (restore after accidental site collection deletion). Annually — full business continuity exercise: complete tenant-level recovery scenario, validate all service RPO/RTO targets, test communication plans and escalation procedures, update DR runbooks based on lessons learned. EPC Group includes DR testing in all managed services engagements. We maintain documented runbooks for every recovery scenario and test them on schedule.

How does ransomware affect Microsoft 365 and how do you recover?

Ransomware impacts on Microsoft 365: OneDrive/SharePoint — ransomware encrypts local files, which sync to cloud and overwrite clean versions. OneDrive "Restore" feature provides 30-day point-in-time rollback. SharePoint version history preserves previous clean versions (if not exhausted). Exchange — compromised accounts may delete or encrypt mailbox contents, forward sensitive data, and send phishing to contacts. Teams — files stored in SharePoint are affected as above. Recovery strategy: 1) Isolate compromised accounts immediately (disable sign-in, revoke sessions), 2) Identify ransomware execution time using audit logs and Defender alerts, 3) Use third-party backup to restore all affected content to the point before ransomware execution, 4) Use OneDrive "Restore your OneDrive" for individual user recovery, 5) Restore SharePoint sites from version history or third-party backup, 6) Reset all affected account credentials and review Conditional Access policies. Without third-party backup, recovery depends entirely on version history and the 30-day OneDrive restore window — which may be insufficient for late-detected attacks.

What retention policies should every Microsoft 365 tenant have?

Essential Microsoft 365 retention policies: 1) Exchange mailbox retention: 7 years for regulated industries (HIPAA, SOX, FINRA), 3 years for general business, applied via Microsoft Purview retention policies. 2) SharePoint/OneDrive document retention: 7 years for regulated content, 3 years for general business documents, applied via sensitivity label-based retention or location-based policies. 3) Teams chat retention: 7 years for regulated industries (FINRA communication compliance), 1-3 years for general business. 4) Teams channel messages: follow SharePoint retention (messages stored in channel SharePoint site). 5) Deleted user data retention: hold departed user mailbox and OneDrive for minimum 1 year (legal protection). 6) Litigation hold: applied on a per-case basis, preserves all content indefinitely regardless of retention policies. EPC Group configures retention policies during every Microsoft 365 deployment and validates them quarterly.

What is the cost of Microsoft 365 backup and disaster recovery?

Microsoft 365 backup and DR costs: Third-party backup licensing: $2-6/user/month depending on tool and features. For 500 users: $12,000-$36,000/year. Backup storage: typically included in per-user licensing for the first 50-100GB per user. Additional storage: $0.05-$0.15/GB/month. DR planning and documentation: $15,000-$50,000 one-time for comprehensive DR plan, runbook development, and initial testing. Ongoing DR management: $5,000-$15,000/year for quarterly testing, runbook updates, and incident response readiness. Total annual cost for 500 users: approximately $30,000-$80,000/year. Compare this to the cost of data loss: average cost of a data breach is $4.45 million (IBM 2023). Average cost of ransomware recovery without backup: $1.85 million. EPC Group backup and DR solutions start at $15,000 for initial implementation plus $3/user/month for ongoing backup management.

Related Resources

Microsoft 365 Consulting Services

Enterprise Microsoft 365 deployment, migration, governance, and managed services from EPC Group.

Managed Services & 24/7 Support

Proactive monitoring, incident response, and continuous optimization for your Microsoft environment.

Regulated Industry Compliance

Industry-specific compliance controls for healthcare, financial services, government, and education.

Protect Your Microsoft 365 Data

Schedule a free Microsoft 365 data protection assessment with EPC Group. We will evaluate your current backup coverage, retention policies, and DR readiness — then deliver a protection roadmap with RPO/RTO targets, tool recommendations, and cost estimates.

Microsoft 365 Disaster Recovery & Business Continuity: Enterprise Guide 2026

Microsoft 365 does not automatically back up your data — Microsoft provides platform availability, not data backup. This guide covers the shared responsibility model, third-party backup tools, RPO/RTO planning, retention policy configuration, and ransomware recovery steps for Exchange, SharePoint, Teams, and OneDrive. EPC Group has implemented DR strategies for regulated enterprise M365 tenants.

  • Microsoft's service agreement explicitly states that customers are responsible for their own data backup.
  • Default M365 retention for deleted items is 30–93 days — far too short for most compliance requirements.
  • Third-party backup tools (Veeam, AvePoint, Acronis, Rubrik) are required for true enterprise data protection.
  • Ransomware via OneDrive sync can encrypt thousands of SharePoint files before M365 detects and responds.
  • EPC Group has designed and implemented DR strategies for enterprise M365 environments across regulated industries.

The Shared Responsibility Model

Microsoft is responsible for the availability of the Microsoft 365 platform. Microsoft is not responsible for your data. This distinction matters enormously for disaster recovery planning.

Microsoft maintains geographic redundancy, platform uptime (99.9%+ SLA), and infrastructure resiliency. If a Microsoft datacenter fails, the platform fails over automatically. Your data remains available.

What Microsoft does not protect against:

  • A user permanently deleting a mailbox folder or SharePoint site
  • Ransomware encrypting files via OneDrive sync before M365 detects it
  • A departing employee wiping their OneDrive before the account is disabled
  • An admin accidentally deleting a site collection
  • Malicious deletion by a compromised account

In all of these cases, Microsoft replication faithfully replicates the damage. Microsoft explicitly states in their service agreement that customers are responsible for their own data backup. This is not a gap in the platform — it is by design. Plan your DR strategy accordingly.

Native M365 Data Recovery Capabilities

Microsoft 365 includes some native recovery tools. These cover short-term accidents — not enterprise DR requirements.

Exchange Online

  • Deleted Items: Recoverable for 30 days by default.
  • Recoverable Items (Dumpster): Soft-deleted items retained for 14 days by default. Extend to 30 days via retention policy.
  • Litigation Hold: Preserves all mailbox content indefinitely for legal purposes. Not a backup — cannot restore a specific version of a document.
  • In-Place eDiscovery: Allows searching and exporting archived mailbox content.

SharePoint and OneDrive

  • Recycle Bin: Deleted items held for 93 days before permanent deletion.
  • Version History: Restores previous document versions. Default version limit is 500. Does not protect against complete site deletion.
  • OneDrive Restore: Restores individual OneDrive to any point in the last 30 days. Useful for ransomware recovery — but only for the individual OneDrive, not shared SharePoint libraries.

These native tools are useful for individual item recovery. They are not sufficient for enterprise-grade disaster recovery or compliance-required backup retention.

Third-Party Backup Tools

Enterprise disaster recovery for M365 requires third-party backup. Leading tools include:

Tool | Key Strengths
Veeam Backup for M365 | Granular restore, immutable storage support, strong Exchange coverage
AvePoint Cloud Backup | SharePoint expertise, Teams backup, compliance-grade retention
Acronis Cyber Protect | Broad platform coverage, ransomware detection integration
Rubrik Security Cloud | Immutable backups, zero-trust architecture, ransomware recovery

EPC Group recommends solutions with immutable storage — backups that cannot be encrypted or deleted by ransomware, even if it reaches your backup environment. Immutable backups are the most important feature for ransomware resilience.

RPO and RTO Planning

Define your recovery objectives before selecting a backup tool or DR strategy.

  • Recovery Point Objective (RPO): How much data loss is acceptable? An RPO of 24 hours means backups run daily and you can lose up to one day of data. An RPO of 1 hour requires near-continuous backup.
  • Recovery Time Objective (RTO): How quickly must services be restored? An RTO of 4 hours means your team must be able to restore critical services within 4 hours of a declared disaster.

Set separate RPO and RTO targets for each workload. Email typically requires a lower RPO than SharePoint document libraries. Legal hold content requires indefinite retention regardless of RPO targets.

Ransomware Recovery Playbook

Ransomware reaching your M365 environment via OneDrive sync is the most common M365 disaster scenario. Follow these steps when ransomware is detected.

  1. Isolate compromised accounts immediately. Disable sign-in for affected accounts and revoke their refresh tokens in Entra ID; revocation ends active sessions and stops the sync client, rather than waiting for access tokens to expire.
  2. Identify the ransomware execution time. Use unified audit logs and Microsoft Defender alerts to find the first burst of FileModified and FileRenamed events from the affected account, and note the originating user and device. The extension the ransomware appends identifies both the family and the set of files to restore.
  3. Restore from third-party backup. Use your backup tool to restore all affected content to the point in time immediately before encryption began. This is why immutable backup is critical: recycle bins and version history are not a point-in-time restore, and an attacker holding admin rights can empty them; an immutable copy cannot be tampered with.
  4. Use OneDrive Restore for individual user recovery. For users whose personal OneDrive was affected, use the built-in OneDrive Restore feature to roll back to the pre-encryption state (up to 30 days).
  5. Restore affected SharePoint sites from backup. SharePoint's per-library "Restore this library" option works like OneDrive Restore, but it must be run library by library and depends on version history the attacker has not purged. For large-scale SharePoint encryption events, use your third-party backup for bulk restores.
  6. Reset credentials and review access. Reset passwords for all affected accounts, re-register MFA methods if the account itself was taken over, and do not re-enable sign-in until the infected endpoint has been rebuilt. Review Conditional Access and device compliance policies so that unmanaged or non-compliant devices cannot run the OneDrive sync client against the tenant.
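The following script is an added example of steps 1 and 2 above, not EPC Group's own tooling or a script from the page. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds a role allowed to disable users and revoke sessions plus an audit-log reader role, and it uses a constructed list of compromised accounts and a constructed burst threshold.

```powershell
# Added example: isolate compromised accounts, then locate the start of encryption
# in the unified audit log. Assumptions: Microsoft.Graph + ExchangeOnlineManagement
# modules, sufficient roles, and a constructed $CompromisedUsers list.
Connect-MgGraph -Scopes "User.ReadWrite.All"
Connect-ExchangeOnline

$CompromisedUsers = @("alice@contoso.com", "bob@contoso.com")   # constructed sample

# Step 1: block sign-in and revoke refresh tokens so existing sessions and the
# OneDrive sync client stop immediately instead of when access tokens expire.
foreach ($upn in $CompromisedUsers) {
    Update-MgUser -UserId $upn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    Write-Host "Isolated $upn"
}

# Step 2: pull file-operation audit records for the affected users.
# Search-UnifiedAuditLog returns at most 5000 records per call; for a large
# event, narrow the window or page with -SessionCommand ReturnLargeSet.
$raw = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -UserIds $CompromisedUsers -RecordType SharePointFileOperation `
    -Operations FileModified, FileRenamed -ResultSize 5000

# AuditData is a JSON document; CreationTime is UTC. For renames the new
# extension is the one the ransomware appended.
$events = foreach ($r in $raw) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = [datetime]$d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        NewExt    = if ($d.Operation -eq 'FileRenamed') { $d.DestinationFileExtension } else { $d.SourceFileExtension }
    }
}

# Bucket events per minute per user (minute first so sorting by Name is
# chronological). The first minute over the threshold is the working estimate
# of when encryption began. The threshold is a constructed value; tune it to
# the tenant's normal per-user edit rate.
$threshold = 100
$start = $events |
    Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm') + '|' + $_.User } |
    Where-Object Count -ge $threshold |
    Sort-Object Name |
    Select-Object -First 1

if ($start) {
    $minute, $user = $start.Name -split '\|'
    Write-Host "Suspected encryption start: $minute UTC by $user ($($start.Count) events)"
    # Most frequent new extensions in that burst: the ransomware's marker.
    $start.Group | Where-Object Operation -eq 'FileRenamed' |
        Group-Object NewExt | Sort-Object Count -Descending |
        Select-Object -First 3 Name, Count
}
else {
    Write-Host "No per-minute burst above $threshold events found; widen the window or lower the threshold."
}
```

Run the isolation loop first and the audit search second; the audit log lags by up to an hour or more, so a search run minutes after detection may not yet show the latest events. The timestamp this produces is the restore point to hand to the backup tool in step 3, minus a safety margin of a few minutes.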

Retention Policies as a DR Layer

Microsoft 365 retention policies preserve content even after a user deletes it. This provides a DR layer for compliance-required data — but it is not a substitute for backup.

Configure retention policies for:

  • Exchange mailboxes: Retain all email for the period your regulators require. Seven years is the common financial services convention; HIPAA's 6-year rule applies to required documentation, which includes email only where it carries that documentation.
  • SharePoint and OneDrive: Retain all content for the compliance period applicable to your industry.
  • Teams channels and chats: Retain for the same period as email in regulated environments.
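One way to implement the three policies above, as an added example that is not EPC Group's or Microsoft's published configuration: it uses Security & Compliance PowerShell from the ExchangeOnlineManagement module and assumes a Compliance Administrator role. The policy names and the 7-year (2555-day) duration are constructed for illustration.

```powershell
# Added example: retention policies as a DR layer. Assumes ExchangeOnlineManagement
# module and Compliance Administrator. Durations are in days: 2555 ~ 7 years.
Connect-IPPSSession

# Exchange, SharePoint and OneDrive can share one policy. "Keep" retains content
# for the period and then leaves it alone; use KeepAndDelete only if disposal is
# itself a compliance requirement.
New-RetentionCompliancePolicy -Name "DR-Retain-7y-Mail-Files" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "DR-Retain-7y-Mail-Files-Rule" `
    -Policy "DR-Retain-7y-Mail-Files" `
    -RetentionDuration 2555 -RetentionComplianceAction Keep `
    -ExpirationDateOption CreationAgeInDays

# Teams chats and channel messages cannot share a policy with other workloads,
# so they get a second policy with the same duration.
New-RetentionCompliancePolicy -Name "DR-Retain-7y-Teams" `
    -TeamsChannelLocation All -TeamsChatLocation All
New-RetentionComplianceRule -Name "DR-Retain-7y-Teams-Rule" `
    -Policy "DR-Retain-7y-Teams" `
    -RetentionDuration 2555 -RetentionComplianceAction Keep

# A policy protects nothing until it has been distributed to every location.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```

Two cautions. A retention policy created this way can still be removed by a Global Administrator, so it is only as tamper-resistant as that role; `Set-RetentionCompliancePolicy -RestrictiveRetention $true` applies Preservation Lock, which prevents anyone from shortening or removing the policy, but the lock is irreversible, so test the policy scope first. And, as the page notes, retained content is held in Recoverable Items and Preservation Hold libraries and reached through eDiscovery; this is a legal safety net, not a restore button.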

Retention policy preservation differs from backup restore. Retained content is available via eDiscovery search — but not via a simple point-in-time restore. Use both retention policies and third-party backup for complete data protection.

DR Testing

A DR plan that has never been tested is a hypothesis. Run tabletop exercises quarterly to validate that your team can execute the plan. Run actual restore tests at least annually: restore a mailbox, a SharePoint site, and a Teams channel from backup, time each restore, and compare the elapsed time against the RTO you set for that workload. A restore that works but takes three times the RTO is a failed test.

Document test results. Auditors and cyber insurance providers increasingly require evidence of DR testing. A log showing quarterly tabletop exercises and annual restore tests satisfies most requirements.

EPC Group's M365 DR Practice

EPC Group designs and implements disaster recovery strategies for enterprise M365 environments across regulated industries — healthcare, financial services, government, and professional services. Our DR engagements cover shared responsibility gap analysis, backup tool selection and configuration, RPO/RTO definition, retention policy design, and ransomware recovery playbook development.

Frequently Asked Questions

Does Microsoft 365 back up my data?

No. Microsoft backs up the M365 platform infrastructure for availability purposes. Microsoft does not back up individual tenant data for recovery purposes.

Microsoft's service agreement explicitly states that customers are responsible for their own data. You need a third-party backup tool or Microsoft 365 Backup (generally available as of 2024) for enterprise-grade data protection.

What is the default retention period for deleted items in M365?

Deleted item handling differs by workload. Email a user deletes sits in the Deleted Items folder until the user empties it or a retention tag removes it; once purged from there, it moves to the Recoverable Items folder, which keeps it for 14 days by default, extendable to a maximum of 30 days per mailbox. SharePoint and OneDrive recycle bins hold deleted items for 93 days in total across the first-stage and second-stage bins. These windows are insufficient for most compliance requirements, and an attacker with the right privileges can empty them, so configure retention policies to extend protection beyond them.
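As an added example (not from the page), the 14-day mailbox default can be audited and raised to the 30-day maximum with Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module and an Exchange Administrator role; the comparison is against the 30-day ceiling Microsoft enforces.

```powershell
# Added example: find mailboxes at the 14-day soft-delete default and raise them
# to the 30-day maximum. Assumes ExchangeOnlineManagement and Exchange Administrator.
Connect-ExchangeOnline

$max = [timespan]'30.00:00:00'

# RetainDeletedItemsFor may come back as a string from the REST-backed cmdlets,
# so cast before comparing.
$short = Get-Mailbox -ResultSize Unlimited |
    Where-Object { [timespan]$_.RetainDeletedItemsFor -lt $max } |
    Select-Object UserPrincipalName, RetainDeletedItemsFor

$short | Format-Table -AutoSize

foreach ($mbx in $short) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -RetainDeletedItemsFor '30.00:00:00'
}

# New mailboxes inherit the mailbox plan's value; fix the plans too or the next
# hire comes back at 14 days.
Get-MailboxPlan | Set-MailboxPlan -RetainDeletedItemsFor '30.00:00:00'
```

Thirty days is the ceiling for this setting; anything longer must come from a retention policy or litigation hold, which is why the page treats retention policies as a separate DR layer.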

What third-party backup tool should I use for Microsoft 365?

EPC Group evaluates backup tools based on immutable storage support, granular restore capability, Teams coverage, and compliance reporting. Veeam Backup for M365 and AvePoint Cloud Backup are the most commonly selected tools in enterprise environments. The right choice depends on your budget, compliance requirements, and existing infrastructure.

Can OneDrive Restore recover from a ransomware attack?

OneDrive Restore can roll back an individual user's OneDrive to any point in the last 30 days, and SharePoint document libraries have an equivalent per-library "Restore this library" option with the same window. Both operate one library at a time and depend on version history that the attacker has not purged. For large-scale ransomware events affecting multiple users and many SharePoint sites, third-party backup with immutable storage is required.

What RPO and RTO should I target for Microsoft 365?

Most enterprises target an RPO of 24 hours and an RTO of 4 hours for standard M365 workloads. Regulated industries or mission-critical environments should target lower: RPO of 1 hour, RTO of 1–2 hours. Define targets by workload — email typically has stricter requirements than SharePoint document libraries.

How does EPC Group approach M365 DR engagements?

EPC Group starts with a shared responsibility gap analysis — identifying what your current environment covers and what it leaves exposed. We then select and configure backup tools, define RPO/RTO targets, design retention policies, and build a ransomware recovery playbook. Engagements typically take 4–6 weeks end-to-end.

Build Your Microsoft 365 DR Strategy

EPC Group designs enterprise Microsoft 365 disaster recovery strategies — from shared responsibility gap analysis to backup tool configuration, retention policy design, and ransomware playbooks. We ensure your M365 environment is protected for the scenarios that Microsoft does not cover.

Call (888) 381-9725 or request a 30-minute discovery call.