Microsoft 365 operates on the shared responsibility model, meaning that Microsoft maintain their infrastructure but you’re still responsible for additional data protection scenarios and to comply with laws and regulations. 

Here is what Microsoft says in their Service Agreement for Microsoft 365: 

“We recommend that you regularly backup your content and data that you store on the services or store using third-party apps and services.”

Microsoft native cloud backup protection…

  1. Loss of service due to hardware or infrastructure failure.
  2. Loss of service due to natural disaster or data centre outage.
  3. Short-term (93-day) user error with recycle bin/version history, including new OneDrive “Files Restore”.
  4. Short-term (14-day) administrative error with soft-delete for Groups, Mailboxes or services-lead rollback.

What’s not covered…

  1. Loss of data due to malicious insiders, hacktivists, malware or ransomware.
  2. Recovery from prolonged outages.
  3. Loss of data due to departing employees and deactivated accounts.
  4. Long-term accidental deletion coverage with selective rollback.
  5. Permissions fiascoes that interrupt user access.