Microsoft 365 Built-in Data Protection


Microsoft 365 is the most widely used cloud application for business, and it has several different technologies that are designed to protect your data. Let’s take a closer look at Microsoft 365’s built-in data protection technologies and see what additional steps you might need to take to fully protect your data.

OneDrive Recycle Bin

By default, Microsoft 365 applications like Word and Excel save their files in OneDrive. The OneDrive Recycle Bin is the most basic Microsoft 365 data protection technology. It is primarily designed to protect against accidental file deletion. The OneDrive Recycle Bin allows you to undelete individual files as well as the entire contents of the OneDrive.

If you used a Microsoft account to sign into OneDrive, then items in the Recycle Bin are saved for 30 days before they are automatically deleted. If you’re signed in with a work or school account, then Recycle Bin items are saved for 93 days before they are deleted.


SharePoint Recycle Bin

SharePoint also uses a Recycle Bin. When you delete items from a SharePoint site, they are sent to the site Recycle Bin which is also known as the first-stage Recycle Bin. This also includes OneDrive files that are part of SharePoint sites. Deleted SharePoint items are retained for 93 days from the time they are deleted. The SharePoint Recycle Bin allows you to restore individual files as well as entire SharePoint site collections.

To restore a site collection, you need to be a Microsoft 365 Global Administrator or a SharePoint administrator. You can also restore items that were deleted by other users if you have edit permissions. When items are deleted from the first-stage site Recycle Bin, they are automatically moved to the site collection Recycle Bin, which is also known as the second-stage Recycle Bin.

A SharePoint site collection administrator is required to restore items from the second-stage site collection Recycle Bin. If an item is deleted from the second-stage site collection Recycle Bin or if it exceeds the 93-day retention time, then it is permanently deleted.
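The retention rules above can be turned into a simple expiry report. The following PowerShell is an added example, not part of the original article: the function name, the 14-day warning threshold and the sample records are assumptions, and the record shape (LeafName, ItemState, DeletedDate) follows what the PnP.PowerShell cmdlet Get-PnPRecycleBinItem returns.

```powershell
# Retention window the article states for SharePoint and work/school OneDrive.
$RetentionDays = 93

function Get-RecycleBinExpiry {
    param(
        [Parameter(Mandatory)] [object[]] $Items,   # need LeafName, ItemState, DeletedDate
        [int] $WarnWithinDays = 14,                 # hypothetical alert threshold
        [datetime] $Now = (Get-Date)
    )
    $nowUtc = $Now.ToUniversalTime()
    foreach ($item in $Items) {
        # The 93 days run from the original deletion time, across both stages.
        $expires  = $item.DeletedDate.ToUniversalTime().AddDays($RetentionDays)
        $daysLeft = [math]::Floor(($expires - $nowUtc).TotalDays)
        [pscustomobject]@{
            Name     = $item.LeafName
            Stage    = "$($item.ItemState)"
            Expires  = $expires
            DaysLeft = $daysLeft
            # Second-stage items can only be restored by a site collection administrator.
            NeedsSiteCollectionAdmin = ("$($item.ItemState)" -eq 'SecondStageRecycleBin')
            Urgent   = ($daysLeft -le $WarnWithinDays)
        }
    }
}

# Constructed sample records (not real tenant data).
$sample = @(
    [pscustomobject]@{ LeafName = 'budget.xlsx'
                       ItemState = 'FirstStageRecycleBin'
                       DeletedDate = [datetime]'2024-03-20T10:00:00Z' }
    [pscustomobject]@{ LeafName = 'contract.docx'
                       ItemState = 'SecondStageRecycleBin'
                       DeletedDate = [datetime]'2024-01-05T08:30:00Z' }
)

Get-RecycleBinExpiry -Items $sample -Now ([datetime]'2024-04-01T00:00:00Z') |
    Sort-Object DaysLeft |
    Format-Table Name, Stage, DaysLeft, NeedsSiteCollectionAdmin, Urgent

# Against a live site (requires PnP.PowerShell and an existing Connect-PnPOnline session):
#   Get-RecycleBinExpiry -Items (Get-PnPRecycleBinItem) | Where-Object Urgent
```

Items flagged as urgent are the ones to restore, or capture in a backup, before the retention window closes.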

Microsoft 365 retention policies can be set to determine whether data is kept, and for how long, after a user or admin deletes it in SharePoint Online, OneDrive for Business, Exchange Online, and Teams.

OneDrive and SharePoint versioning

In addition to the Recycle Bin, Microsoft 365 can keep a version history of changed files, retaining older versions of the files that you have stored in OneDrive and SharePoint. Versioning is a part of all Microsoft 365 plans, and by default it retains a minimum of 500 versions of a file.

Versioning can help you recover from accidental file deletion and edit mistakes as well as malware and ransomware infections. It works with all types of files including Microsoft 365 files, PDFs, photos, videos, and others. You can both view and restore previous versions of files.

Exchange Online AV protection

Exchange Online includes Exchange Online Protection (EOP), which provides protection against spam and malware. EOP scans emails, and it can detect phishing and other malware-infected messages. It has built-in inbound and outbound malware and spam filtering. EOP offers multi-layered malware protection that’s designed to catch all known malware for Windows, Linux, and the Mac.

EOP provides multiple anti-malware scan engines as well as real-time threat response capabilities that are published to the global network every 2 hours. Messages with malware in any attachments are automatically quarantined. These quarantined messages can only be viewed and released by administrators.

SharePoint Online, OneDrive and Teams AV protection

Microsoft 365 uses a common virus detection engine for scanning files that users upload to SharePoint Online, OneDrive, and Microsoft Teams. This protection is included with all Microsoft 365 subscriptions. The Microsoft 365 virus detection engine runs asynchronously in the background. Files are not automatically scanned. Instead, heuristics are used to determine the files that will be scanned.

When a file is found to contain malware, it is flagged. Users can’t download infected files using a browser. If an infected file is uploaded to OneDrive, it will have already been stored on the local machine before it’s flagged as malware. After the file has been marked as malware the user will be prevented from opening the synced file on their local machine.

Microsoft Defender for Office 365 add-on

Microsoft Defender for Office 365 provides stronger malware protection than the built-in options for Microsoft 365. However, it is not included in the base Microsoft 365 packages, and you must purchase it separately. Microsoft Defender for Office 365 extends standard Microsoft 365 data protection with a feature called Safe Attachments. With Safe Attachments all messages and attachments that don’t have a known virus/malware signature are routed to a special sandboxed hypervisor environment.

Machine learning is used to perform behavior analysis to detect malicious activity. If no suspicious activity is detected, then the message is delivered to the destination mailbox. Microsoft Defender for Office 365 also includes reporting and tracking capabilities that allow you to see who is getting targeted in your organization and the type of attacks you are experiencing.

Extending Microsoft 365 data protection with backup

As you’ve seen, Microsoft 365 does have several built-in data protection mechanisms. However, one of the things that it does not have is a full backup service. Some of the additional data protection measures that a third-party backup solution can provide include:

  • Automated scheduled backups
  • Long term retention and archiving
  • Point-in-time recovery
  • The ability to search backups
  • Browsing and restoring prior data versions without a time limit
  • Assigning different protection settings for individual resources or groups
  • Self-service end-user access
  • Air-gapped ransomware protection for your backups

It’s important to realize that protecting Microsoft 365 data is the customer’s responsibility. While Microsoft 365 does have several built-in data protection technologies, these are not a substitute for having backups. You need to use a backup solution along with these built-in data protection features to have a complete data protection strategy for your Microsoft 365 data.