According to a survey by Aberdeen Group, the number one cause of data loss in a SaaS deployment, such as Microsoft Office 365, is accidental data deletion. In fact, about 70 percent of all lost data is due to either accidental or malicious deletion of data by end-users. Other ways that data can be lost include misconfiguration, client sync issues, and most recently the widespread presence of malware and ransomware, which can render data unusable.

Microsoft’s primary focus within Office 365 is ensuring that service and data availability are not disrupted. While Microsoft does a great job of reducing the risk of downtime, this does not reduce the risk of data loss. In fact, Microsoft’s options for data recovery are quite limited, but they do provide some basic safety measures.

Use of Recycle Bins and Retention

Recently deleted content from Exchange Online, OneDrive for Business, and SharePoint Online is not deleted immediately. Instead, the deleted content goes through a set of Recycle Bins, each with their own retention policies, before it is deleted permanently. The Recycle Bins act as a safety net for deleted content. While data can be recovered from these Recycle Bins, the retention for each is limited and once the data is out of retention, the data is gone forever.

Table 1. Recycle Bins and Retention.

Microsoft Solution Recovery Feature Maximum Retention Period
SharePoint Online

Site Recycle Bin

Second Stage Recycle Bin

93 days

93 days

Exchange Online

Deleted Items

Recoverable Items

No maximum (configurable)(1)

Up to 30 days(2)

OneDrive for Business

Site Recycle Bin

Second Stage Recycle Bin

93 days

93 days

(1) Default retention is 30 days.
(2) Default retention is 14 days.

Document Versioning

If the Document Versioning feature is turned on, OneDrive for Business retains a number of previous versions for each file that has been modified, and end users are then able to restore back to any of these previous versions. However, this does not provide protection against intentional or accidental deletion since all versions of a document are deleted when the current version is deleted.

High Availability and Site Collection Backups

Microsoft uses Database Availability Groups (DAGs) to protect Exchange Online data. While DAGs do a great job of ensuring uptime and preventing catastrophic disasters, they do not protect against mailbox corruption, nor can they restore individual email-related items or entire mailboxes to a point in time. For SharePoint Online and OneDrive for Business, Microsoft takes backups of site collections every 12 hours and keeps these backups for 14 days. IT administrators have no control over these backups or restores. If a restore is necessary, it can only be initiated by contacting Office 365 support. You also cannot restore a single item, document, asset, or library. A full restore of a site collection is the only option.

Mailbox and Account Retention

When an employee leaves an organization, all data in that user’s Exchange Online mailbox and OneDrive for Business account is permanently deleted 30 days after their account is deleted. To retain this data for future reference or use, it must be backed up or moved elsewhere. Exchange Online mailboxes can be kept for longer periods of time by configuring an In-Place Hold before the account is deleted; however, this is a premium feature not available in some Office 365 plans.

Microsoft does all they can to put safeguards in place to prevent their customers from losing data, but Microsoft Office 365 does not specialize in data backup and recovery. Seeking an additional layer of protection against accidental or malicious data loss, organizations have begun to use third-party backup solutions that offer enhanced protection of Office 365 data, longer retention periods, and more robust recovery options.

Ask Us About 365 Complete Backup Protection