Microsoft 365 Backup and Data Protection: A Practical Guide for Businesses
Microsoft 365 guarantees that email stays online, documents sync, and collaboration tools keep working. It does not guarantee that data can be recovered once it is gone. Those are two different promises, and the gap between them is where most Nigerian businesses discover, too late, that Microsoft was never backing up their data in the first place.
Microsoft operates on a shared responsibility model: it protects the infrastructure, while the organisation using it is responsible for the data.
Retention policies inside Exchange, SharePoint, and OneDrive create a narrow, time-limited safety net, not a backup. Once that window closes, typically 30 to 93 days depending on the service, Microsoft generally cannot restore what has been deleted, and no support ticket changes that.
This article covers what Microsoft 365 actually protects, where the retention gaps are, the specific risks Nigerian businesses face, and what proper backup requires.
What Microsoft 365 Protects and What It Doesn’t
| Microsoft’s Responsibility | The Organisation’s Responsibility |
|---|---|
| Infrastructure and platform uptime | Business data |
| Service availability | Backup |
| Hardware and physical security | Retention policies |
| Platform resilience | Recovery testing and compliance |
That table is the whole shared responsibility model at a glance: Microsoft’s guarantee stops at uptime, and everything to the right of it is the organisation’s to manage.
The Retention Windows
Each service inside Microsoft 365 has its own default retention limit, and all of them are shorter than most organisations assume.
- Exchange Online: deleted items are recoverable for up to 30 days by default, and soft-deleted mailboxes persist for a further 30 days before being permanently deleted.
- SharePoint and OneDrive: the recycle bin retains files for 93 days by default, after which they are gone. Version history is governed primarily by administrator configuration, within limits set by license tier.
- Teams: chat messages and files are stored across Exchange Online and SharePoint. Their recoverability depends on the underlying Microsoft 365 retention configuration rather than on Teams itself.
These are default windows, not fixed ceilings. Microsoft 365 also includes advanced retention tools through Microsoft Purview, such as litigation hold, in-place hold, retention policies, and retention labels, which can preserve content for years rather than months. These are compliance and legal-hold features, though, not independent backup. They still live inside the same Microsoft 365 tenant as the production data, so they remain exposed if an attacker gains sufficient administrative control over that tenant, a risk that a genuinely independent backup does not share.
Version history is often assumed to close this gap on its own, but it was never designed to replace independent backup, particularly once limits are reached, content is permanently deleted, or the compromise reaches deep enough into the tenant itself.
Nigerian Compliance Context
Nigeria’s Data Protection Act 2023 requires appropriate security measures, including protection against data loss, and Microsoft’s default retention policies fall well short of that bar on their own. Financial institutions must retain records for 7 years under CBN guidelines; healthcare providers have their own retention obligations for patient records; and legal firms need client files long after a matter closes. None of these requirements is met by a 30- or 93-day window.
Organisations planning an M365 deployment are better served by understanding these limitations from the outset. Our guide to Microsoft 365 implementation in Nigeria covers what a properly scoped rollout should include.
Retention Versus Backup: What’s the Difference?
Most of the confusion about Microsoft 365 data protection stems from treating retention and backup as the same thing. They are not.
| Retention | Backup |
|---|---|
| Limited time window (30-93 days) | Long-term storage (years) |
| Stored within the same M365 tenant | Independent, separate storage |
| Policy-driven, automatic deletion | Point-in-time recovery from any date |
| Vulnerable to the same threats as the source | Immutable, protected from ransomware |
| No control over retention caps | Full control over what is kept and for how long |
Retention handles recent mistakes well: a file deleted on Monday and restored on Tuesday is retention working exactly as designed. Backup is what protects against everything retention cannot reach: data deleted months ago, files corrupted during a migration, documents needed for a legal matter years later, or a complete tenant loss following a security incident.
The distinction comes down to one question: if data is lost today and only discovered six months later, during an audit or a legal discovery request, what happens? With retention alone, that data is gone permanently. With backup, it is recoverable.
The Real Risks Nigerian Businesses Face
Ransomware That Syncs
Ransomware attacks on African businesses rose sharply over the past few years, and the mechanics of a Microsoft 365 environment make the damage worse, not better. Modern ransomware encrypts files on a local machine, and because OneDrive syncs automatically, those encrypted files upload straight to SharePoint, with the encryption then spreading into shared folders.
Version history can record successive encrypted versions of a file, gradually pushing older clean versions further back in the version history.
Microsoft’s built-in ransomware detection can automatically detect and roll back many incidents, and catching the attack within a few hours gives version history a stronger chance to help. An attack that runs slowly, overnight, or over a weekend can still fill that same version history with encrypted copies before detection kicks in. Microsoft Defender for Office 365 detects threats effectively, but detection and automatic rollback do not cover every scenario, particularly when a compromise directly targets an administrator account.
Recovery in Nigeria is complicated by ransomware incidents that coincide with power disruptions, making the response window even tighter. Our guide to ransomware protection for Nigerian businesses covers prevention in more detail.
Insider and Access Risk
Consider a Port Harcourt oil services company that terminated a senior project manager who, unknown to the company at the time, held admin-level SharePoint access. In his final week, he systematically deleted older projects, archived proposals, and reference materials.
The damage surfaced three months later, when the documentation was needed for a legal dispute, by which point the 93-day retention window had long since closed. The resulting legal case cost far more to defend without the original documentation to draw on, and the lost institutional knowledge was harder to quantify at all.
Accidental Deletion
Or consider a Lagos-based consulting firm that learned the same lesson through simple human error. An operations manager, cleaning up the SharePoint document library, deleted what she believed was an old folder. Four months later, during a routine audit, the firm discovered that the folder had contained six months of financial records, client contracts, and project documentation, and that Microsoft could not recover it; the 93-day window had already passed.
Reconstructing the records took weeks of senior staff time, on top of the awkwardness of asking clients to resend signed contracts.
These costs are consistent across incidents. Direct reconstruction typically costs ₦500,000 to ₦5 million, depending on business size, while professional recovery services charge ₦1-5 million for attempts that often fail outright. NDPA penalties add another layer: fines can reach ₦10 million or 2% of annual gross revenue, whichever is higher, for data controllers or processors of major importance, and ₦2 million or 2% of revenue for other organisations.
Reputational damage is harder to price, and in Nigeria’s tightly networked business community, it tends to spread faster than businesses expect.
What Microsoft 365 Backup Should Include
Proper backup follows the 3-2-1 rule: three copies of the data, on two different storage types, with one copy held offsite. Production data inside Microsoft 365, on its own, never satisfies this, no matter how well the retention settings are configured.
A genuine Microsoft 365 backup solution should meet four conditions.
Storage must be immutable, meaning it cannot be deleted or encrypted. If ransomware can reach the backup, it was never really a backup.
Recovery must be point-in-time, restoring data from any date rather than only the most recent version, and the backup must be independent of the source, living in a separate system so that a compromised M365 tenant cannot expose it. It also needs to support long-term retention, since many Nigerian businesses need seven years of financial records, employment files, and contracts held well beyond what M365’s native policies allow.
A few common practices get mistaken for backup, but none of them qualifies. OneDrive syncing to a local PC is not a backup, since ransomware reaches both copies at once. SharePoint version history alone is not backup, for the reasons already covered, and monthly PST exports are not backup either; they are manual, incomplete, and difficult to restore at any scale.
Nigerian infrastructure adds its own requirements on top of these. A backup solution needs to handle interrupted connections gracefully during power cuts, and restore times need to account for limited bandwidth. Naira-denominated pricing removes the exchange-rate uncertainty that comes with dollar-billed alternatives.
Proper document management systems build backup and retention policy together from the start, rather than treating them as separate concerns to bolt on later. The same 3-2-1 logic applies just as directly to website backups.
Choosing and Implementing a Microsoft 365 Backup Solution
Requirements scale predictably with organisation size, but the underlying need for independent backup does not disappear at the small end. A business of five to twenty users still depends heavily on cloud data and should budget for a lightweight cloud-to-cloud backup service alongside properly configured retention policies rather than relying on retention alone. The cost is typically modest compared with the impact of losing even one month of records.
A business with 20 to 100 users generally needs professional backup as a baseline rather than an option: automated daily coverage across Exchange, SharePoint, OneDrive, and Teams; department-specific retention rules; and quarterly recovery drills to confirm the backups still work.
Enterprises above a hundred users need a defined recovery time and recovery point objective, a hybrid approach spanning on-premises and cloud storage, and coordination across multiple offices and limited-bandwidth locations, integrated with a broader disaster recovery plan.
Implementation follows a consistent sequence regardless of size: selecting a solution against clear criteria (automated versus manual, full-tenant versus selective, restore granularity, and Nigerian support availability), configuring it with proper role separation between who can restore data and who can delete backups, and then maintaining it through monthly reporting reviews, quarterly restore tests, and annual compliance checks.
The most common failure point is not the technology but the follow-through: backups configured once and never tested again.
For a detailed comparison of specific vendors, pricing models, and how to evaluate them against Nigerian business requirements, our guide to choosing Microsoft 365 backup solutions covers that evaluation directly. Organisations still deciding whether to manage this internally or bring in outside expertise may also find our guide on when to hire IT support in Nigeria useful.
The Cost of Doing Nothing
The reconstruction, recovery, and NDPA figures above are not one-off numbers; they hold consistently across incidents like these, and reputational damage on top of them resists a clean number entirely.
Most Microsoft 365 backup platforms charge per protected user each month, with the exact rate shaped by retention period, storage model, and feature set. That structure makes recovery capability a more useful comparison point across vendors than headline subscription price alone.
The underlying arithmetic holds regardless of vendor. For most Nigerian SMEs, a year of backup costs less than a single month of senior staff time spent reconstructing lost data, and if backup prevents even one major loss event every three to five years, it pays for itself several times over. A single ₦2 million reconstruction bill could otherwise have funded years of backup service.
The value extends beyond the direct cost comparison, too. Backup gives an organisation confidence going into a compliance audit, cuts recovery time from weeks to hours, and reassures clients and investors that data is being managed professionally, a detail that carries particular weight during due diligence.
Very small businesses with minimal critical data and strong manual processes might reasonably defer backup for a period. But most organisations underestimate how dependent they already are on their data until the moment they lose some of it.
How to Audit Current Microsoft 365 Protection
A short internal audit is usually enough to reveal where the real gaps sit. It helps to confirm whether Exchange retention settings are documented, whether a restore has ever actually been tested rather than assumed to work, whether Teams chats are covered by anything beyond the default 30-day window, and whether SharePoint permissions get reviewed on a regular schedule.
Whether a mailbox from six months ago could realistically be recovered today is another good test.
Whether any backup copy exists outside Microsoft 365 itself is the question that usually matters most. Most organisations that run through this exercise find at least one gap they did not know existed.
Next Steps
From there, a realistic risk assessment helps clarify the stakes, such as what losing three months of email would mean operationally, or how ransomware encrypting SharePoint would be handled in practice. Getting this right usually benefits from expert input, ideally from a partner who understands both Nigerian regulatory requirements and the practical realities of local infrastructure.
The question is rarely whether backup matters. It is a matter of when data loss happens, not if, and whether backup is already in place when it does.
Need help implementing proper Microsoft 365 backup for a Nigerian business? PlanetWeb Solutions provides backup assessment, implementation, and ongoing management aligned with NDPA requirements. Speak to our team or explore our IT consulting services and managed support services.





