Backup & Recovery
How to Back Up Microsoft 365: A Complete Guide
17 December 2025 · 0x1m3 · 6 min read
<svg width="24" height="24" viewBox="0 0 24 24" fill="none" style="display: inline-block; vertical-align: middle; margin-right: 8px;"><path d="M12 2L2 7l10 5 10-5-10-5zM2 17l10 5 10-5M2 12l10 5 10-5" stroke="#4A7AB5" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>
Most businesses assume Microsoft backs up their data. Microsoft does not.
This single misconception has caused more data loss incidents than any technical failure. If your organisation runs Microsoft 365 (M365) — Exchange Online, SharePoint, Teams, or OneDrive — your data is your responsibility. Here is why, and exactly how to protect it.
---
<svg width="24" height="24" viewBox="0 0 24 24" fill="none" style="display: inline-block; vertical-align: middle; margin-right: 8px;"><path d="M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z" stroke="#4A7AB5" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>
The Shared Responsibility Model
Microsoft operates under a shared responsibility model. Understanding this model is the first step to protecting your data.
Microsoft is responsible for:
- Infrastructure uptime (data centres, servers, networking) - Platform availability (keeping M365 services running) - Physical security of their data centres - Operating system and application patching
You are responsible for:
- Your data (emails, files, conversations, contacts) - Account security (access controls, passwords, MFA) - Retention policies and compliance - Recovery from accidental deletion, malicious deletion, or ransomware
Microsoft will keep M365 running. They will not recover the emails your finance team accidentally deleted three months ago. They will not restore the SharePoint site an ex-employee wiped before leaving. They will not roll back the Teams data encrypted by ransomware.
That is your job. And without a backup solution, you cannot do it.
---
<svg width="24" height="24" viewBox="0 0 24 24" fill="none" style="display: inline-block; vertical-align: middle; margin-right: 8px;"><path d="M10.29 3.86L1.82 18a2 2 0 001.71 3h16.94a2 2 0 001.71-3L13.71 3.86a2 2 0 00-3.42 0zM12 9v4M12 17h.01" stroke="#4A7AB5" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>
Why Native M365 Retention Is Not Backup
Microsoft does offer retention features — deleted item recovery, litigation hold, and retention policies. These are not backups. Here is why:
Deleted item recovery has a time limit. Soft-deleted items are recoverable for 14-30 days (depending on configuration). After that, they are gone permanently.
Retention policies preserve data for compliance, but they are not designed for rapid, granular restore. Finding and restoring specific items is slow and cumbersome.
Litigation hold prevents deletion but does not protect against ransomware encryption or corruption.
No point-in-time recovery. If ransomware encrypts your Exchange mailbox, Microsoft cannot roll it back to yesterday's clean state. You need a backup that can.
---
<svg width="24" height="24" viewBox="0 0 24 24" fill="none" style="display: inline-block; vertical-align: middle; margin-right: 8px;"><path d="M22 11.08V12a10 10 0 11-5.93-9.14" stroke="#4A7AB5" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M22 4L12 14.01l-3-3" stroke="#4A7AB5" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>
What Cove Backs Up in Microsoft 365
Cove Data Protection provides purpose-built M365 backup that covers every critical service:
Exchange Online
- Backed up 6 times per day - Granular restore: individual emails, contacts, calendars, or entire mailboxes - Point-in-time recovery to any backup snapshot - Covers shared mailboxes and archive mailboxes
SharePoint Online
- Backed up 4 times per day - Site-level and item-level restore - Document libraries, lists, and site structure preserved - Version history maintained
Microsoft Teams
- Backed up 4 times per day - Channel conversations and files protected - Team structure and membership preserved on restore - Covers both standard and private channels
OneDrive for Business
- Included in backup schedule - Individual file and folder restore - Full account recovery available - Protects against accidental deletion and ransomware encryption
---
<svg width="24" height="24" viewBox="0 0 24 24" fill="none" style="display: inline-block; vertical-align: middle; margin-right: 8px;"><path d="M14 2H6a2 2 0 00-2 2v16a2 2 0 002 2h12a2 2 0 002-2V8z" stroke="#4A7AB5" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M14 2v6h6M16 13H8M16 17H8M10 9H8" stroke="#4A7AB5" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>
Setting Up M365 Backup: A High-Level Guide
Implementing Cove for Microsoft 365 follows a straightforward process:
Step 1: Authorise Cove to access your M365 tenant. This uses standard Microsoft OAuth — Cove connects via API with the permissions you grant. No agents to install.
Step 2: Select users and services to protect. Choose which mailboxes, SharePoint sites, Teams, and OneDrive accounts to back up. New users can be added automatically.
Step 3: Configure backup frequency and retention. Exchange defaults to 6 backups per day. SharePoint and Teams default to 4 per day. Set retention periods based on your compliance and business requirements.
Step 4: Verify initial backup completion. The first backup captures a full snapshot of your selected data. Subsequent backups are incremental, transmitting only changes.
Step 5: Test a restore. Perform a test restore of an individual email or file to confirm your backup is operational. Do not skip this step.
---
<svg width="24" height="24" viewBox="0 0 24 24" fill="none" style="display: inline-block; vertical-align: middle; margin-right: 8px;"><path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z" stroke="#4A7AB5" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M22 6l-10 7L2 6" stroke="#4A7AB5" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>
Retention and Compliance
For South African organisations, the Protection of Personal Information Act (POPIA) requires that personal data be retained only as long as necessary — but also that it be recoverable when legitimately needed.
Cove supports flexible retention policies that let you balance compliance with practical recovery needs. Set different retention periods for different data types. Archive mailboxes can retain longer than standard mailboxes. SharePoint data can follow different rules than Exchange.
All backed-up data is encrypted with AES-256 and stored in Cove's data centres, including facilities in South Africa, ensuring data sovereignty compliance.
---
<svg width="24" height="24" viewBox="0 0 24 24" fill="none" style="display: inline-block; vertical-align: middle; margin-right: 8px;"><path d="M12 22c5.523 0 10-4.477 10-10S17.523 2 12 2 2 6.477 2 12s4.477 10 10 10z" stroke="#4A7AB5" stroke-width="2"/><path d="M12 6v6l4 2" stroke="#4A7AB5" stroke-width="2" stroke-linecap="round"/></svg>
Do Not Wait for a Data Loss Event
Most organisations implement M365 backup after losing data they could not recover. That is the expensive way to learn this lesson.
Microsoft protects the infrastructure. You protect the data. OAS + Cove makes that simple — automated, encrypted, and backed up multiple times per day.