
Is Microsoft 365 Built-In Backup Actually Enough for Your Business?

June 24, 2026 · 9 min read

For most small businesses, Microsoft 365's built-in retention and recycle bins are not a backup. They are short-window safety nets that purge on a clock, and Microsoft puts data recovery on the customer in its shared-responsibility model. To survive a departed employee, ransomware, or a malicious delete, you need an independent third-party backup with point-in-time recovery, meaning you can roll your data back to how it looked on a chosen earlier date.

Who this is for, and the Southern Colorado reality

This is for the Pueblo or Colorado Springs owner running a small team on Microsoft 365 Business Standard who has quietly assumed "it lives in the cloud, so it's backed up." That assumption is the trap. Most offices we work with across Southern Colorado are five to forty people, on a short commercial lease, with one part-time person who "handles the computers." Nobody is watching a retention clock. The first time anyone asks "can we get that mailbox back" is usually the day after it's gone for good. And in a regulated office, a dental practice or a downtown law firm, that gap becomes a compliance problem on top of a business problem.

Microsoft 365 backup options compared: native retention, Microsoft 365 Backup, Acronis, Veeam, Datto

| Option | Typical price | Best for | Key strength | Main drawback | GTZ verdict |
| --- | --- | --- | --- | --- | --- |
| Microsoft 365 native retention (recycle bin + retention policies) | Included with your M365 plan (as of June 2026) | Quick "oops, I deleted it yesterday" recovery | Free, already on, zero setup | Short windows that purge: Exchange 14 days, OneDrive/SharePoint a 93-day recycle bin span; not point-in-time | Not a backup. The foil, not the answer. |
| Microsoft 365 Backup (Microsoft's own paid add-on) | $0.15 per restorable GB per month, pay-as-you-go (as of June 2026) | Fast, large-scale restore inside Microsoft's own platform | 10-minute recovery point, point-in-time restore, kept up to 52 weeks | Your only copy stays inside Microsoft's trust boundary; newer product; billed per GB, not per user | Better than retention, but it is not an independent copy. |
| Acronis Cyber Protect (M365 backup), GTZ deploys this | custom / contact-sales pricing (as of June 2026) | Small offices that want one console for backup and endpoint security | Once-daily backup on the base plan, up to 6/day on the Advanced Backup pack, point-in-time restore, separate copy off the tenant | You are adding another console and another bill; the higher backup frequency and the EDR layer are separately licensed add-ons | What we run for clients. Independent copy, with endpoint security available from the same console. |
| Veeam Data Cloud for Microsoft 365 | roughly $2.63 to $3.50 per user/mo (as of June 2026) | Larger or IT-staffed orgs already standardized on Veeam | Mature platform, granular restore, strong reputation | Tiered plans get complex fast; focuses on backup and offers no endpoint-security tier | Solid, but heavier than a small office needs. |
| Datto SaaS Protection | custom / contact-sales pricing (as of June 2026) | Shops already inside the Datto/Kaseya stack | 3x daily backups, retention up to a year or infinite | Sold through the MSP (managed service provider) channel only, no public per-seat price; SaaS Protection is backup-only, endpoint security is a separate Datto/Kaseya product, not part of this SKU | Fine choice; we just prefer the Acronis console. |

A few notes on those figures. Native retention is included with your subscription, but it is governance tooling, not recovery tooling. Exchange Online keeps permanently deleted items in the Recoverable Items folder for 14 days by default, stretchable to a 30-day maximum and no further (Microsoft Learn). OneDrive and SharePoint give a 93-day window spanning the first-stage and second-stage recycle bins, after which items are permanently deleted (Microsoft Learn). Microsoft's own paid add-on is billed per gigabyte, not per user, so its $0.15 per restorable GB does not map cleanly onto the per-user figures the third-party tools quote. Compare the models, not just the numbers.

What "backed up" actually means here, and why each option falls short

The confusion starts with a fair assumption. You pay Microsoft every month and your files live on their servers, so surely Microsoft keeps copies. Microsoft keeps the service running. That is a different job. Under what Microsoft calls its shared-responsibility model, Microsoft owns the platform and you own your data: how it is retained, preserved, and recovered. Microsoft says so in its own Services Agreement, recommending that you "regularly backup Your Content and Data that you store on the Services" (Microsoft Services Agreement). When the vendor tells you to back up your own data, that is the whole argument in one sentence.

Retention and recycle bins were built for content lifecycle and basic governance, not point-in-time recovery. Picture the three ways small offices actually lose data. A staffer leaves, you remove their license to stop paying, and the clock starts; with native retention only, that mailbox and OneDrive are recoverable for about 30 days by default before they are gone (Microsoft Learn). Ransomware or BEC (business email compromise) encrypts or wipes content, and the damage often isn't caught until the short window has rolled past. Or someone deletes a shared folder on purpose, and ninety-three days later it is unrecoverable. None of these are exotic. They are Tuesday.

So let me name the real drawback of each option, including the one we sell. Native retention is free and already on, and that is exactly why it lulls people; it is not point-in-time and it purges on a fixed clock. Microsoft now sells a paid native add-on, confusingly also called Microsoft 365 Backup, and credit where it's due, it is real point-in-time recovery with a 10-minute recovery point and copies kept up to 52 weeks (Microsoft Learn, Microsoft 365 Backup FAQ). But your only copy still lives inside Microsoft's own trust boundary. If the problem is the platform, a billing lockout, a tenant compromise, a deletion that propagates, your backup is sitting in the same house as the fire.

Veeam is a genuinely mature platform, and if you have IT staff standardized on it, stay there; for a fifteen-person office with no IT department, the tiered plans are more machine than the job needs, and Veeam Data Cloud focuses on backup with no endpoint-security tier (Veeam). Datto SaaS Protection does the core job well, with 3x daily backups and retention up to a year or infinite, but it is backup only and runs through the Datto/Kaseya channel with no public per-seat price (Datto). And Acronis, the one we deploy, is not flawless either: you are adding another console and another line on the bill, and the higher backup frequency and the endpoint-security layer are separately licensed add-ons, not the base price. The upside still tips it for the offices we serve. It backs up Exchange, OneDrive, SharePoint, and Teams once a day on the base plan, up to six times a day on the Advanced Backup pack, with point-in-time restore and a separate copy off your tenant (Acronis), and it runs from the same console as Acronis EDR (endpoint detection and response), a separately licensed add-on, so backup and endpoint security share one pane of glass when a client wants both.

In the small-office Microsoft 365 work we do across Pueblo and Colorado Springs, the deciding question is almost never which tool has the prettiest restore screen. It is "do we have a copy of this data that does not depend on the same account we just lost access to." That is the line between a bad afternoon and a closed business.

If your only copy of your business data lives inside the same Microsoft account that just got compromised, deleted, or locked out, you do not have a backup. You have a single point of failure with good uptime.

When native M365 retention is enough, and when you need third-party backup

Choose to lean on native Microsoft 365 retention if your only risk is a user deleting last week's email and asking for it back within a couple of weeks, you have no compliance retention obligation, and you genuinely accept that anything older than the recycle-bin window is gone. That is a narrow box, and most real businesses do not fit in it.

Choose an independent third-party backup such as Acronis if any of these are true. You let people go and need their mailbox and files for longer than 30 days. You handle protected data and may need to keep records well beyond a year, common for dental, medical, and legal offices, though we'd have you confirm your specific HIPAA or regulatory retention duties with your compliance advisor rather than treat a backup tool as legal cover. You want your data to survive ransomware or a tenant compromise, which means the copy has to live somewhere your Microsoft account cannot reach. Or you want a defined recovery time objective (RTO), meaning how fast you can be back up, instead of hoping a clock hasn't run out. Answer "yes" to even one and native retention is not enough.

One practical note for our market: a real backup does not care whether you can run Cat6 ethernet cabling or how your internet behaves during an outage, because Microsoft 365 backup is cloud-to-cloud. That is a relief in older Pueblo buildings where pulling cable is its own project. The copy is built and stored independently of your office network.

The retention windows and recovery-point numbers that decide your M365 backup

Anchor on the windows, because the windows are where businesses get hurt. Exchange Online keeps permanently deleted items for 14 days by default and 30 days at most, OneDrive and SharePoint give a 93-day recycle-bin span then permanent deletion, and with native retention a deleted user's data is typically recoverable for about 30 days before it's purged (Microsoft Learn). Those are not backup retention numbers. Those are eviction notices.
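To see where a tenant actually sits against the Exchange windows above, an administrator can read them back with Exchange Online PowerShell. This is an added example, not part of the original article or GTZ's own tooling; it assumes the ExchangeOnlineManagement module is installed, and the 30-day values in it are the figures quoted above rather than anything read from Microsoft at run time.

```powershell
# Added example: read back native Exchange Online retention for one tenant.
# Assumes the ExchangeOnlineManagement module and an Exchange admin sign-in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Figures quoted in this article, not values read from Microsoft at run time.
$maxItemWindow   = [timespan]::FromDays(30)  # ceiling for deleted-item retention
$softDeletedDays = 30                        # approximate window for a removed user

# 1. Mailboxes still below the 30-day ceiling (14 days is the default).
$shortWindows = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $window = [timespan]::Parse([string]$_.RetainDeletedItemsFor)
    if ($window -lt $maxItemWindow) {
        [pscustomobject]@{
            Mailbox       = $_.PrimarySmtpAddress
            RetentionDays = $window.Days
        }
    }
}

# 2. Soft-deleted mailboxes (departed users) and roughly how long they have left.
$today = Get-Date
$departed = Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited | ForEach-Object {
    $purgeOn = ([datetime]$_.WhenSoftDeleted).AddDays($softDeletedDays)
    [pscustomobject]@{
        Mailbox     = $_.PrimarySmtpAddress
        DeletedOn   = $_.WhenSoftDeleted
        ApproxPurge = $purgeOn
        DaysLeft    = [math]::Floor(($purgeOn - $today).TotalDays)
    }
}

$shortWindows | Sort-Object RetentionDays | Format-Table -AutoSize
$departed     | Sort-Object DaysLeft      | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

A mailbox in the first list can be raised to the maximum with `Set-Mailbox -RetainDeletedItemsFor 30`; that lengthens the window but still leaves the only copy inside the tenant.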

The difference that matters between the real tools is not backup frequency. Microsoft's add-on captures changes about every 10 minutes (Microsoft Learn, Microsoft 365 Backup FAQ), Acronis runs once daily on its base plan and up to six times on the Advanced Backup pack (Acronis Advanced Backup data sheet), and Datto takes 3x daily (Datto). The frequency gap matters less than independence. The third-party copy is the one that survives losing the account.

On cost the third-party options land in low single digits per user per month at small-office volume as of June 2026, but they are sold differently. Veeam publishes roughly $2.63 to $3.50 per user per month (Veeam); Acronis and Datto both quote through partners rather than post a public per-seat number; and Microsoft's add-on sits outside the comparison, billed at $0.15 per restorable GB per month rather than per user (Microsoft). For a fifteen-person office, the real backup line is dinner-out money against the cost of permanently losing a client's records. We treat backup as part of the managed IT and email setup we build for every client, folded into the wider cybersecurity and BCDR (business continuity and disaster recovery) plan.

Frequently asked questions

Isn't my Microsoft 365 data already backed up by Microsoft?

No. Microsoft keeps the service running and provides short retention and recycle bins, but under its shared-responsibility model recovering your data is your job. Microsoft's own Services Agreement recommends you back up your content yourself. Built-in retention is a safety net, not a backup.

How long does Microsoft 365 actually keep deleted items?

Exchange Online keeps permanently deleted mail items for 14 days by default, configurable to a 30-day maximum. OneDrive and SharePoint hold deleted files across a 93-day recycle-bin span, then delete them permanently. After those windows, native recovery is gone.

What happens to a departed employee's mailbox and files?

With native retention, when you delete the user or pull their license, their mailbox and OneDrive are typically recoverable for about 30 days by default, then purged. If you need that data longer, for a handoff, a dispute, or a records obligation, you need a third-party backup or a litigation hold in place before they leave.

Does a third-party backup help against ransomware?

That is one of its main jobs. A separate, point-in-time copy stored off your tenant lets you restore to a clean point from before the attack. If your only copy lives inside the same Microsoft account the attacker reached, you may have nothing clean to restore from.

Isn't Microsoft's own paid Backup add-on enough?

It is a real improvement over retention, with point-in-time restore and a 10-minute recovery point, and it is priced at $0.15 per restorable GB per month. But the copy stays inside Microsoft's own platform. If the failure is the platform itself, a tenant compromise or a lockout, you want a copy that lives somewhere independent. That is what a third-party backup gives you.

It can. Regulated records often must be retained well beyond the native windows, and short retention does not satisfy that on its own. We can't give legal advice, so confirm your exact HIPAA or regulatory retention duties with your compliance advisor, then we'll build a backup retention policy that supports them.

The bottom line for a Southern Colorado office

If you run your business on Microsoft 365 in Pueblo or Colorado Springs, the built-in retention is a convenience, not a safety plan. The windows are short, the clock is unforgiving, and Microsoft has told you in writing that backing up your data is your responsibility. An independent third-party backup is the piece that turns "we lost it" into "give us an hour." We run Acronis for our clients because it pairs a real, off-tenant point-in-time copy with endpoint security available from the same console, and it scales down cleanly to a small office. Let's look at your actual tenant, your retention windows, and the data you cannot afford to lose, then size it to your team.

Disclosure: GTZ installs and manages Acronis Cyber Protect for clients.
