Microsoft 365 Doesn't Back Up Your Data: What Every Canadian SMB Needs to Know
Most Canadian small and medium businesses that run Microsoft 365 assume one thing that is factually incorrect: that Microsoft is backing up their data.
It is not.
Microsoft's infrastructure is genuinely resilient — your data is stored redundantly across multiple data centres, and Microsoft's uptime record is strong. But infrastructure resilience, the ability to keep the service running if one data centre goes offline, is not the same as backing up your data. Microsoft's shared responsibility model makes the distinction explicit: for cloud software-as-a-service, Microsoft is responsible for the platform; you are responsible for "information and data," "accounts and identities," and "devices."
That gap — between what Microsoft protects and what your business assumes is protected — is one of the most expensive misconceptions in Canadian SMB technology. According to a 2024 Gartner press release, only 15% of enterprises prioritized SaaS backup as a critical requirement as of 2024 — meaning 85% were not treating the backup of their Microsoft 365 data as a critical business need. The numbers are worse among SMBs with fewer dedicated IT resources.
What Microsoft 365 Actually Includes
When most people think "cloud backup," they picture what Microsoft 365 does include: geographic redundancy, automatic replication, and high-availability infrastructure. None of that protects you from the data loss scenarios that actually affect real businesses.
Here is what Microsoft 365 native features actually provide:
The SharePoint and OneDrive Recycle Bin (93 days)
Deleted files move through two stages of recycle bin — first-stage (user-visible) and second-stage (admin-visible). The combined window across both stages is 93 days, after which the file is permanently deleted. Microsoft retains a copy for an additional 14 days beyond that, but restoration from that final window requires contacting Microsoft Support and can only be done at the site collection level — not for individual files or folders.
This means: if an employee deletes a folder of client contracts and no one notices for four months, those files are gone, with no administrative path to recovery.
Exchange Online Deleted Items (14–30 days)
The default deleted item retention in Exchange Online is 14 days, configurable to a maximum of 30 days. Email deleted beyond that window — purged from the Recoverable Items folder — is permanently gone unless a Litigation Hold or retention policy has been applied to the mailbox.
Version History — Not the Safety Net It Appears
SharePoint and OneDrive maintain previous versions of files, which helps with accidental overwrites of individual documents. It does not help when ransomware encrypts your files and syncs those encrypted versions back to the cloud — the encrypted files become the "current" version, displacing the clean originals. Sophisticated ransomware is specifically designed to exploit this behaviour, incrementally overwriting files to exhaust version history before the full encryption payload triggers.
Retention Policies — Compliance, Not Recovery
Microsoft Purview retention policies are designed to ensure content cannot be prematurely deleted for compliance purposes. They are not operational backup tools. A retention policy preserves content in a compliance store; it does not provide point-in-time restoration of your working data environment.
The Three Data Loss Scenarios Microsoft Cannot Cover
1. Ransomware targeting your OneDrive or SharePoint sync
According to the Verizon 2025 Data Breach Investigations Report, ransomware was involved in 44% of all data breaches globally — and among SMBs specifically, ransomware was present in 88% of breaches. The OneDrive desktop sync client is a specific attack target: ransomware infects a device running the sync client, encrypts local files, and the client dutifully syncs those encrypted versions to the cloud, overwriting clean originals across the entire library.
The CIRA 2024 Cybersecurity Survey found that 28% of Canadian organizations experienced a successful ransomware attack in the previous 12 months — up from 17% in 2021. Of those attacked, 73% had data exfiltrated. Organizations without an isolated, separately maintained backup had no recovery path beyond paying the ransom.
2. Accidental deletion — and the time gap that makes it fatal
Industry research from Spanning estimates the average time from data loss to discovery at approximately 140 days. The SharePoint recycle bin window is 93 days. In the average accidental deletion scenario, data is already permanently gone by the time anyone realizes it is missing.
Accidental deletions are not rare events. Shared drives, SharePoint sites with multiple contributors, and admin accounts with broad permissions create regular opportunities for unintended bulk deletions — a mishandled folder move, a departing employee's account being removed too early, a migration script that goes wrong.
3. Compromised admin account and directory wipe
An attacker who gains access to a Microsoft Entra ID global admin account can delete users, groups, applications, and access policies across your entire Microsoft 365 environment. Standard Microsoft 365 native tools do not offer point-in-time restoration for the Entra ID directory. Rebuilding a wiped directory from memory or documentation is a crisis-level event that most SMBs are not equipped to handle without a dedicated backup of directory data.
What This Means Under Canadian Law
CRA Record-Keeping Obligations
Under Section 230 of the Income Tax Act, Canadian businesses must retain all records and supporting documents necessary to determine their tax obligations for a minimum of six years from the end of the last tax year to which they relate. The Canada Revenue Agency's Information Circular IC05-1 is explicit: electronic records must be retained in a readable and useable electronic format for the full prescribed period, and records stored on rewritable media must be backed up to prevent accidental loss, deletion, or erasure.
If your financial records — invoices, contracts, purchase orders, client agreements — live in Exchange Online, SharePoint, or OneDrive, and they are permanently deleted through any of the scenarios above, you may be unable to comply with a CRA audit request. The CRA may assess additional taxes based on the best available information when required records cannot be produced, and repeated failure to maintain records can constitute a criminal offence under the Act.
PIPEDA and Forthcoming Privacy Legislation
Canada's *Personal Information Protection and Electronic Documents Act* (PIPEDA) requires organizations to protect personal information with security safeguards appropriate to its sensitivity — and to report breaches that create a real risk of significant harm to the Office of the Privacy Commissioner and to affected individuals. A ransomware attack that destroys or exfiltrates customer personal information from an M365 environment with no backup is a potential mandatory breach notification event.
Bill C-36, the *Personal Privacy Protection and Compliance Act* (PPCDA), tabled in June 2026 and currently in the legislative process, will introduce substantially stronger requirements including mandatory documented privacy management programs. A privacy management program that does not address backup of systems containing personal information is difficult to defend under any credible review.
CCCS Guidance
The Canadian Centre for Cyber Security's ITSAP.40.002 — Tips for Backing Up Your Information is clear: organizations retain legal responsibility for protecting their data regardless of where it is stored, and the CCCS recommends the 3-2-1 rule — three copies of data, on two different media types, with one copy stored offsite or in an isolated environment. A single cloud tenancy, however internally redundant, does not satisfy this standard.
Microsoft 365 Backup — The Add-On Most SMBs Don't Know About
Microsoft does offer a genuine backup service — Microsoft 365 Backup, released in 2024 as a paid add-on. It provides point-in-time restoration for SharePoint, OneDrive, and Exchange Online, with a 10-minute recovery point objective for the trailing two weeks and weekly snapshots up to 365 days back.
The cost is $0.15 USD per GB per month of protected content, billed through an Azure subscription. For a business with 500 GB of M365 data, that is approximately $90 USD ($124 CAD) per month in additional licensing cost on top of existing M365 subscriptions. Coverage is currently limited to SharePoint, OneDrive, and Exchange — Teams chat history and Entra ID directory data are not included.
Most Canadian SMBs have not enabled Microsoft 365 Backup, and many are unaware it exists as a separate purchase. If you have not had an explicit conversation with your IT provider about M365 backup coverage, assume it is not in place.
A Practical Backup Framework for Canadian SMBs on M365
A complete Microsoft 365 backup strategy covers all active data surfaces:
| Workload | What to Protect | Native Retention |
|---|---|---|
| Exchange Online | All mailboxes, shared mailboxes, archives | 14–30 days (deletions) |
| SharePoint Online | All site collections and document libraries | 93 days (recycle bin) |
| OneDrive for Business | All user OneDrive libraries | 93 days (recycle bin) |
| Microsoft Teams | Channel messages, meeting recordings | No independent backup |
| Microsoft Entra ID | User accounts, groups, app registrations | No native point-in-time restore |
Your options for closing the gap:
1. Microsoft 365 Backup (native add-on) — Best for businesses that want to stay within the Microsoft ecosystem. Covers SharePoint, OneDrive, and Exchange. Cost: $0.15 USD/GB/month via Azure. Does not currently cover Teams chat or Entra ID.
2. Third-party SaaS backup — Purpose-built M365 backup solutions provide broader workload coverage, longer configurable retention, and more flexible file-level restore options than the native offering. Pricing typically runs $3–$6 CAD per user per month for comprehensive coverage.
3. Managed backup service — Your managed service provider configures, monitors, and runs regular restore tests across your entire M365 environment, providing both the technical solution and the operational verification that it actually works.
Where to Start This Week
According to Statistics Canada, 48% of Canadian businesses used cloud computing in 2023. The share running Microsoft 365 as their primary productivity platform is substantially higher. The backup coverage gap across this population is enormous — and largely invisible until something goes wrong.
The average cost of a data breach in Canada reached CA$6.32 million in 2024, according to IBM. For an SMB, even a fraction of that figure is a business-ending event.
Four immediate actions:
1. Ask your IT provider directly: "Is our Microsoft 365 environment backed up by a third-party solution or Microsoft 365 Backup? What is the retention period? Can you show me the last verified restore test result?"
2. Check the Microsoft 365 admin centre: Search for "Microsoft 365 Backup." If no policies are configured, native backup is not enabled.
3. Map your CRA-relevant data: Identify which M365 workloads contain records subject to the 6-year CRA retention requirement. Any record you cannot produce in response to a CRA audit request is a compliance gap.
4. Demand a restore test: A backup solution that has never been tested is a backup solution you cannot rely on. Ask for proof of a completed, documented restore before trusting any backup commitment.
Sources
- Microsoft. *Shared Responsibility in the Cloud.* learn.microsoft.com
- Microsoft. *Overview of Microsoft 365 Backup.* learn.microsoft.com
- Microsoft. *SharePoint Online Data Deletion.* learn.microsoft.com
- Microsoft. *Change How Long Permanently Deleted Items Are Kept for Exchange Online Mailboxes.* learn.microsoft.com
- Gartner. *Gartner Predicts 75% of Enterprises Will Prioritize Backup of SaaS Applications as a Critical Requirement by 2028.* August 2024. gartner.com
- Spanning. *Are You at Risk for Data Loss in Microsoft 365?* spanning.com
- Verizon. *2025 Data Breach Investigations Report.* verizon.com
- Canadian Internet Registration Authority (CIRA). *2024 Cybersecurity Survey.* cira.ca
- IBM. *Cost of a Data Breach Report 2024 — Canada Results.* canada.newsroom.ibm.com
- Canada Revenue Agency. *Information Circular IC05-1: Electronic Record Keeping.* canada.ca
- Government of Canada. *Income Tax Act, Section 230.* laws-lois.justice.gc.ca
- Office of the Privacy Commissioner of Canada. *Responding to a Privacy Breach.* priv.gc.ca
- Canadian Centre for Cyber Security. *ITSAP.40.002: Tips for Backing Up Your Information.* cyber.gc.ca
- Statistics Canada. *Survey of Digital Technology and Internet Use, 2023.* statcan.gc.ca
Cloud Forces configures, monitors, and verifies Microsoft 365 backup for Canadian SMBs — ensuring your Exchange, SharePoint, and OneDrive data meets CRA retention requirements and PIPEDA safeguard obligations. Explore our Managed Apps services or book a free Microsoft 365 backup assessment to confirm whether your data is actually protected.
Anton Kuznetsov is the founder and principal engineer of Cloud Forces, the Toronto firm he started in 2018 to make custom software and AI practical and affordable for Canadian SMEs. He works hands-on across application development, cloud architecture, and the production systems Cloud Forces runs for its clients.
Ready to bring AI to your business?
Book a free AI Readiness Consultation — no commitment required.
Book Free Consultation