Microsoft 365 Doesn't Back Up Your Data — Here's What That Actually Means

If a former employee deletes a folder out of OneDrive on their last day, how long do you have to get it back?

Most business owners assume the answer is "as long as it takes — Microsoft has it." That's not how Microsoft 365 actually works. And it's the kind of misunderstanding that turns into a very bad day when something gets deleted, ransomwared, or wiped.

What Microsoft actually keeps for you

Microsoft 365 includes some retention by default, but it's much shorter and narrower than most people think:

  • OneDrive and SharePoint: deleted files sit in a recycle bin for 93 days, then they're gone.
  • Exchange mailboxes: deleted items sit in "Recoverable Items" for 14 days by default (extendable to 30 with a policy change).
  • A deleted user's mailbox: 30 days from account removal, then permanently purged.
  • Teams chats: recoverable only briefly, and the recovery story is famously messy.

Microsoft is transparent about this. Their shared-responsibility model says they protect the infrastructure; you protect the data. Read your tenant agreement and you'll find the same thing.
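To see where a tenant stands on the Exchange window in the list above, the following added example (not from the original post) reports every user mailbox whose deleted-item retention is still below 30 days and previews the change that would raise it. It assumes the ExchangeOnlineManagement module is installed and the account holds an Exchange administrator role.

```powershell
# Added example: audit Exchange Online deleted-item retention.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

$targetDays = 30                                  # upper limit noted in the list above
$target     = New-TimeSpan -Days $targetDays

# Collect user mailboxes still below the target (14 days is the default).
# The cast handles the value whether it arrives as a TimeSpan or as a string.
$short = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { [timespan]$_.RetainDeletedItemsFor -lt $target } |
    Select-Object DisplayName, PrimarySmtpAddress, RetainDeletedItemsFor

$short | Sort-Object DisplayName | Format-Table -AutoSize
"{0} mailbox(es) below {1} days" -f @($short).Count, $targetDays

# Preview the change for each mailbox. -WhatIf makes no modification;
# remove it to apply the new retention value.
$short | ForEach-Object {
    Set-Mailbox -Identity $_.PrimarySmtpAddress -RetainDeletedItemsFor $targetDays -WhatIf
}

# Newly created mailboxes take their value from the mailbox plan,
# so check it too or new users will start at the shorter setting again.
Get-MailboxPlan | Select-Object DisplayName, RetainDeletedItemsFor
```

This only widens the native Exchange window to 30 days; the OneDrive, SharePoint, deleted-user and Teams limits listed above are unaffected.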

Where most businesses get burned

Three patterns we see repeatedly when something goes wrong:

  • The 90-day discovery. An employee leaves, their files get deleted as part of offboarding cleanup, and three months later someone realizes a critical contract or project file was in there. The recycle bin is empty by then.
  • The ransomware case. Ransomware encrypts the user's OneDrive. OneDrive faithfully syncs the encrypted version to the cloud, replacing the good files. You have 30 days of version history, which sounds like a lot until you realize the encryption may have started 45 days ago.
  • The audit request. A regulator, an attorney, or an insurance adjuster asks for emails from 18 months ago for a former employee. The mailbox was deleted 14 months ago. You can't produce them.

What a real backup looks like

"Real" backup of Microsoft 365 means a third-party tool that takes daily snapshots of mail, OneDrive, SharePoint, and Teams, and stores them separately from your tenant. The two we deploy most often are Datto SaaS Protection and Acronis Cyber Protect Cloud, but the category is healthy — Veeam, Barracuda, and AvePoint all do this well.

Three things to look for when evaluating any of them:

  1. Independent storage. If the backup lives in your Microsoft tenant, it's not a backup — it's a second copy in the same blast radius.
  2. Granular restore. You should be able to restore a single email, a single OneDrive file, or a single Teams channel — not just the whole tenant.
  3. Retention long enough to matter. Anything under one year is usually too short for legal and audit scenarios. Seven years is the standard for most regulated industries.

The 30-second test

If you want to know where you actually stand, ask your IT person or provider this question:

"If a user accidentally deleted a folder from their OneDrive six months ago, can we restore it?"

If the answer involves any hedging — "maybe," "we'd have to check," "depends on whether they emptied the recycle bin" — you have a backup gap. Most businesses do.


What's your current Microsoft 365 backup setup? Genuinely curious how others are handling this — especially anyone in a regulated industry with longer retention needs.