
Microsoft 365 Backup for Small Business 2026 | The Backup Myth Explained


“Microsoft Backs Up My Data”: The Most Expensive Myth in Canadian SMBs

There's a widespread, expensive belief among Canadian small and mid-sized businesses that goes something like this: "Our data is in Microsoft 365. Microsoft is the largest software company in the world. Of course they back it up."

They don't. Not in the way most business owners assume. And the gap between that assumption and the reality is responsible for a meaningful share of the unrecoverable data loss incidents we see in Canadian SMBs every year, incidents that could have been prevented with backup infrastructure that costs less than a single junior employee's monthly salary.

This is the post that should be required reading for every Canadian business owner who runs on Microsoft 365. It covers what Microsoft actually does, what they explicitly don't, the six ways data gets lost in M365 every week across Canada, what proper SaaS backup looks like in 2026, and what the real cost of getting this wrong looks like.

 

The Shared Responsibility Model: What Microsoft Actually Does

Microsoft operates Microsoft 365 under a documented "shared responsibility model." This is not a marketing concept; it's an explicit contractual division of responsibilities between Microsoft and the customer, published by Microsoft and incorporated into the service agreement. Most SMBs have never read it. They should.

What Microsoft is responsible for

Microsoft is responsible for the operational continuity of the Microsoft 365 service itself. That means: physical infrastructure (data centres, servers, networking), the underlying platform (operating systems, virtualization, identity), service availability with a published uptime SLA, geographic redundancy (your data is replicated across multiple Microsoft data centres for resilience), and protection against catastrophic failures of Microsoft's infrastructure.

What Microsoft is explicitly not responsible for

Microsoft is explicitly not responsible for: protecting your data from your own users (accidental or malicious deletion), recovering data deleted beyond Microsoft's short-term retention windows, restoring data after a ransomware event affects your tenant, recovering from configuration mistakes (over-permissive sharing, retention policy errors, accidental tenant changes), or preserving data after an account is deprovisioned.

Why the model exists

Microsoft cannot meaningfully distinguish between an authorized user deleting a file deliberately and an attacker deleting that same file maliciously; both look identical at the platform layer. The shared responsibility model recognizes this: Microsoft protects you from Microsoft, and you (or your IT provider) protect you from everything else.

Microsoft documents this directly in its Services Agreement and in the dedicated shared responsibility documentation under Microsoft Trust Center. The relevant phrase appears almost verbatim across multiple places: customers are responsible for their own data, including backup. It's not hidden. It's just not advertised.

 

The Six Ways You Can Lose Microsoft 365 Data (That Microsoft Won't Recover)

Across Canadian SMB environments, six recurring patterns account for almost all of the unrecoverable data loss incidents we see. None of them are exotic. All of them are common.

1. Accidental deletion

An employee deletes a folder she thinks is obsolete. It contained a project archive that turned out to be needed three months later for a client dispute. By default, the SharePoint Recycle Bin retains items for 93 days; OneDrive holds for 30 days for deleted users. After that window, the data is gone. Microsoft will not recover it.

2. Malicious deletion

A departing employee deletes their OneDrive contents on the way out. The IT team learns about it two weeks later when a colleague asks for a file. The 30-day account-deprovisioning window is well underway. Recovery requires either a backup or a forensic reconstruction; Microsoft's standard retention does not preserve the deleted state.

3. Ransomware encrypting OneDrive and SharePoint files

Modern ransomware variants specifically target OneDrive and SharePoint sync clients on infected endpoints. Once a file is encrypted on the local sync folder, the OneDrive client dutifully syncs the encrypted version to the cloud, overwriting the clean version. Microsoft's version history can sometimes recover the unencrypted version, but only if discovered before the version retention rolls and only if the version history feature was enabled on that library.

4. Retention policy expiry

Email retention policies, when not configured deliberately, default to short windows. Default deleted-items retention in Exchange Online is 14 days. Default OneDrive deleted-user retention is 30 days. SharePoint Recycle Bin first stage is 93 days. After these windows expire, the data leaves Microsoft's systems. SMBs frequently discover this only when needed, usually months too late.

5. Account termination

When a user leaves and the license is removed, Microsoft retains the mailbox and OneDrive for 30 days as a soft-delete window, then permanently deletes the data. SMBs that need to retain ex-employee data for legal hold, IP preservation, or compliance reasons (CRA, employment claims, professional obligations) need to either pay for an unused license indefinitely or have proper backup. Most do neither and discover the loss months later.

6. Third-party app sync errors

Many SMBs have third-party tools (backup apps, migration tools, sync utilities, AI agents) connected to their tenant. A misconfigured rule in any of these can mass-delete or mass-overwrite legitimate data. The pattern shows up most often during migrations, vendor changes, or AI agent rollouts. Microsoft's logs will show exactly what happened, but Microsoft will not undo it.

These six patterns share a common feature: in each case, Microsoft's infrastructure is functioning exactly as designed. There's no Microsoft outage, no Microsoft mistake, nothing for Microsoft to fix. The data loss happened inside the customer's responsibility zone and the customer did not have backup in place.

 

The 3-2-1 Rule for SaaS Data

The classic data protection rule (3 copies of data, on 2 different media, with 1 offsite) was developed for on-premises file servers in the 1990s. It still applies in 2026, with a SaaS-specific adaptation.

3 copies

The production copy in Microsoft 365, plus two independent backups. "Independent" matters: a copy stored in the same Microsoft tenant doesn't count, because a tenant-level event (compromise, misconfiguration, policy change) affects both.

2 different storage media

The two backup copies should not both live in the same vendor's infrastructure. The production data is at Microsoft. One backup might be at a SaaS backup vendor like Veeam, Datto, AvePoint, or similar. A second copy might be in cold cloud storage (Azure Blob immutable, AWS S3 Glacier with object lock): separate vendor, separate billing, separate failure mode.

1 copy offsite (or in this case, off-tenant and immutable)

For SaaS, "offsite" no longer means physical separation; it means logical separation from the production environment. Immutable backup storage is the modern equivalent. Once written, the backup cannot be deleted or modified by anyone (including admins) for the configured retention period. This is the single most important defence against ransomware and against malicious insider deletion.

Why this matters specifically for SaaS

On-premises, you owned the disk. If your file server was destroyed, you had the disk and could attempt recovery. With SaaS, you don't own the storage layer at all. If your tenant is compromised, your account is locked, your subscription lapses, or your data exits Microsoft's retention windows, the production copy effectively ceases to exist from your perspective. There's nothing physical to recover. The only meaningful protection is an independent backup copy outside Microsoft.

 

What Proper Microsoft 365 Backup Looks Like in 2026

A modern SaaS backup posture for a Canadian SMB has six characteristics. If your current backup arrangement is missing any of them, the gap is worth closing.

Daily incremental backups

Backups should run at least daily, with incremental capture so that point-in-time restores are precise. Real-time or near-real-time backup is available from several SaaS backup vendors, particularly for high-value mailboxes.

Coverage across Exchange, OneDrive, SharePoint, and Teams

All four major workloads should be covered. Teams in particular is often missed: Teams chat history, channel messages, files within Teams, and Wikis all live in different underlying storage and need explicit backup coverage.

Long-term retention

Seven years is a sensible default for Canadian businesses, aligning with CRA record-keeping requirements (six years from end of fiscal period for most records) and with most professional and contractual retention obligations. Some industries (healthcare, legal, financial services) require longer.

Point-in-time recovery

The ability to restore a mailbox, a OneDrive, or a SharePoint site to its state on a specific date and time. Critical for ransomware recovery (restore to before encryption) and for forensic investigations (recover the state of a folder before a deletion event).

Granular item-level restore

The ability to restore a single email, single file, or single SharePoint list item without restoring the entire mailbox or library. This is what gets used 95% of the time; most recovery requests are for one specific item, not for an entire account.

Immutable backup storage

Backup data, once written, cannot be deleted or modified for the configured retention period. This protects backups from ransomware that targets the backup repository, from compromised admin credentials, and from insider threats.
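The SaaS 3-2-1 rule and the backup characteristics above can be checked automatically against an inventory of backup copies. The following is an added example, not code from GAM Tech or any backup vendor; the `BackupCopy` fields, the `assess` function, the vendor names, and both sample inventories are constructed for illustration, and the 7-year lock period and one-day freshness threshold are taken from the defaults this article recommends.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WORKLOADS = frozenset({"Exchange", "OneDrive", "SharePoint", "Teams"})

@dataclass(frozen=True)
class BackupCopy:
    name: str
    vendor: str             # operator of the storage the copy lives on
    in_prod_tenant: bool    # True if stored inside the production M365 tenant
    immutable_days: int     # write-once lock period; 0 means an admin can delete it
    last_success: datetime  # completion time of the most recent successful job
    workloads: frozenset    # workloads this copy actually captures

def assess(copies, now, retention_days=7 * 365, max_age=timedelta(days=1)):
    """Return a sorted list of gaps; an empty list means the posture passes."""
    gaps = set()
    # A copy inside the production tenant shares its failure modes, so it is not counted.
    independent = [c for c in copies if not c.in_prod_tenant]
    if len(independent) < 2:
        gaps.add("COPIES: fewer than two independent backups")
    if len({c.vendor for c in independent}) < 2:
        gaps.add("MEDIA: independent backups do not span two vendors")
    if not any(c.immutable_days >= retention_days for c in independent):
        gaps.add("IMMUTABLE: no off-tenant copy is locked for the retention period")
    for c in independent:
        missing = WORKLOADS - c.workloads
        if missing:
            gaps.add(f"COVERAGE: {c.name} lacks {', '.join(sorted(missing))}")
        if now - c.last_success > max_age:
            gaps.add(f"STALE: {c.name} last succeeded more than {max_age} ago")
    return sorted(gaps)

# Constructed sample inventories (not real tenants or vendors).
NOW = datetime(2026, 3, 2, 8, 0)
WEAK = [
    # Tenant-resident "backup": ignored by the check even though it is fresh.
    BackupCopy("retention-library", "Microsoft", True, 0, NOW, WORKLOADS),
    BackupCopy("saas-backup", "VendorA", False, 0, NOW - timedelta(days=3),
               frozenset({"Exchange", "OneDrive", "SharePoint"})),
]
STRONG = [
    BackupCopy("saas-backup", "VendorA", False, 0,
               NOW - timedelta(hours=6), WORKLOADS),
    BackupCopy("cold-archive", "VendorB", False, 7 * 365,
               NOW - timedelta(hours=20), WORKLOADS),
]

if __name__ == "__main__":
    for gap in assess(WEAK, NOW):
        print(gap)
```
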

 

What Proper Microsoft 365 Backup Costs in Canada

Microsoft 365 backup pricing in Canada in 2026 is straightforward and reasonable relative to the risk it covers.

For a typical Canadian SMB, expect to pay $4 to $8 CAD per user per month for a full-coverage M365 backup solution including Exchange, OneDrive, SharePoint, and Teams, with 7-year retention and immutable storage. For a 50-user business, that's $200 to $400 CAD per month, or $2,400 to $4,800 CAD per year.

Compare that to the cost of a single ransomware incident affecting OneDrive and SharePoint files (typical recovery: $50,000 to $250,000 CAD plus business interruption), the cost of a single CRA audit response without proper email retention (typical: $15,000 to $40,000 CAD in advisor and legal fees), or the cost of a single dispute with a departed employee where the employer cannot produce relevant communications. The economics aren't close.

Backup is one of the few security investments where the ROI math is unambiguous in favour of doing it. The reason most SMBs don't is not cost; it's the assumption that they don't need to.

 

The Real Cost of Getting This Wrong: Three Canadian Scenarios

Three composite scenarios, each based on patterns we've seen in the Canadian SMB market, illustrate where the loss actually lands.

Scenario 1: The departed engineer

A 40-person engineering firm in Edmonton. A senior engineer resigns to join a competitor. IT removes his licence per process. Six months later, a major project he led goes into a warranty dispute, and the firm needs every email and document related to that project. The licence has been removed for 6 months, well past Microsoft's 30-day retention window. The data is gone. The firm settles the warranty dispute on the worst available terms because they cannot produce the project record. Cost: settlement uplift estimated at $180,000 CAD, plus legal fees of $35,000 CAD.

Scenario 2: The OneDrive ransomware sync

A 25-person professional services firm in Toronto. An attacker deploys ransomware on a partner's laptop. The OneDrive sync client cheerfully syncs the encrypted versions of every file in the partner's OneDrive (including the partner's working folder for active client engagements) to the cloud. Microsoft's version history goes back 30 days for the standard configuration; many of the working files have not been modified in months and have rolled past their version retention. Recovery from Microsoft is partial. Without a third-party backup, the firm spends 6 weeks reconstructing client files from email archives, paper records, and client copies. Cost: $145,000 CAD in lost billable time, plus reputational damage with affected clients.

Scenario 3: The CRA audit

A 70-person Calgary distributor receives a CRA audit notice covering fiscal years 2021–2023. The audit team requests email correspondence with specific suppliers and customers from that period. The distributor's mailbox retention policy was set to 2 years to manage storage cost in 2022. The relevant emails have rolled out. The distributor's accounting team reconstructs as much as they can from invoices and bank records. The audit assessment is materially worse than it would have been with full email evidence. Cost: estimated additional assessment of $90,000 CAD plus advisor fees of $25,000 CAD.

In each scenario, a backup solution costing $2,400 to $4,800 CAD per year would have prevented the loss in full.

 

How GAM Tech Approaches Microsoft 365 Data Protection

GAM Tech provides Microsoft 365 backup and data protection as a core component of our managed IT services for Canadian businesses. Our approach reflects how we approach all data protection: assume the loss will happen, and design for recovery.

  1. Backup deployment. We deploy a third-party Microsoft 365 backup solution covering Exchange, OneDrive, SharePoint, and Teams, with daily incremental backups, 7-year retention by default (extendable for regulated industries), point-in-time recovery, granular item-level restore, and immutable backup storage hosted outside the Microsoft tenant.

  2. Configuration alignment. We configure Microsoft 365 retention policies to align with your business and regulatory requirements rather than relying on defaults, and we document the retention map for compliance reference.

  3. Recovery rehearsal. Backups that haven't been tested are theoretical. We rehearse recovery scenarios (single-item restore, full mailbox restore, ransomware rollback to a point in time) at defined intervals and produce evidence for cyber insurance and audit purposes.

  4. Ongoing monitoring. Backup jobs are monitored continuously by our 24/7 internal team. Failed jobs are addressed before they become a gap; retention drift is caught and remediated.

Microsoft 365 backup is included in our managed IT services for clients on Gold and Platinum, and available as an add-on for clients on Silver. With offices in Calgary, Edmonton, Red Deer, Vancouver, Victoria, Toronto, Ottawa, and Montréal, and a 24/7 internal Canadian team (never outsourced), GAM Tech is SOC2 certified and B-Corp certified, and operates with a 5-minute response guarantee for managed clients.

 

Frequently Asked Questions About Microsoft 365 Backup for Canadian Businesses


Does Microsoft back up my Microsoft 365 data?

Microsoft maintains the operational continuity of the Microsoft 365 service itself, including geographic redundancy across data centres, but Microsoft does not back up your business data against your own users, against ransomware, against accidental or malicious deletion, or beyond short-term retention windows. Microsoft documents this explicitly in its shared responsibility model. Customers are responsible for their own data backup.

How long does Microsoft 365 keep deleted data by default?

Default retention windows in Microsoft 365 are limited. Exchange Online deleted items: 14 days. OneDrive after a user is deleted: 30 days. SharePoint Recycle Bin first stage: 93 days. After these windows, data is permanently removed and cannot be recovered through Microsoft. These defaults are appropriate for Microsoft's purposes; they are not appropriate as a business backup strategy.

Do I need a third-party backup if I use Microsoft 365?

Yes, for any business that needs to recover from accidental deletion beyond a few weeks, malicious deletion by a departing employee, ransomware affecting OneDrive or SharePoint, retention errors, or compliance-grade data preservation. Microsoft's native retention tools were never designed as a substitute for backup, and Microsoft documents this directly.

How much does Microsoft 365 backup cost in Canada?

For a typical Canadian SMB, full-coverage Microsoft 365 backup (Exchange, OneDrive, SharePoint, Teams) with 7-year retention and immutable storage runs approximately $4 to $8 CAD per user per month. For a 50-user business, that's roughly $2,400 to $4,800 CAD per year, typically less than one major recovery event would cost.

What happens to a former employee's Microsoft 365 data when their account is deleted?

When a Microsoft 365 user account is deleted, Microsoft retains the mailbox and OneDrive contents in a soft-deleted state for 30 days. After that, the data is permanently removed from Microsoft's systems. For Canadian businesses with employment, IP, or compliance retention requirements that extend beyond 30 days, a third-party backup is the standard solution.

Will Microsoft 365 protect my data from ransomware?

Microsoft provides some ransomware protection: version history on OneDrive and SharePoint, ransomware detection alerts, and rollback assistance for OneDrive personal accounts. Business protection is partial: version history retention is limited and tenant-resident, ransomware that targets the OneDrive sync client can overwrite cloud copies, and admin-level compromise can defeat tenant-resident protections. A dedicated SaaS backup with immutable storage closes these gaps.

How long should we retain Microsoft 365 data for compliance in Canada?

Seven years is a sensible default for most Canadian SMBs, aligning with CRA record-keeping requirements (six years from end of fiscal period) and most professional, contractual, and employment retention obligations. Healthcare, legal, financial services, and some other regulated sectors may require longer retention. Confirm with your accountant and legal counsel for your specific obligations.

What is immutable backup storage and why does it matter?

Immutable backup storage is backup data that, once written, cannot be deleted or modified for the configured retention period — even by administrators with full credentials. It matters because the most common ransomware tactic in 2026 is to compromise the admin account and delete the backups before encrypting production data. Immutable storage prevents this outcome. Most modern SaaS backup solutions support immutable storage as a default option.

Do we need to back up Microsoft Teams?

Yes. Teams data lives across multiple underlying storage layers: chat history in Exchange, files in SharePoint and OneDrive, channel posts in a separate substrate. A complete Microsoft 365 backup needs explicit Teams coverage, not just Exchange and SharePoint. Backing up Teams properly preserves chat history, channel messages, and file context, which is increasingly important for collaboration-heavy businesses.

How does GAM Tech handle Microsoft 365 backup for Canadian businesses?

GAM Tech deploys third-party Microsoft 365 backup with daily incremental capture across Exchange, OneDrive, SharePoint, and Teams, with 7-year default retention, point-in-time recovery, granular item-level restore, and immutable backup storage. We rehearse recovery scenarios at defined intervals and monitor backup health continuously through our 24/7 internal Canadian team. Backup is included in managed IT services for Gold and Platinum clients and available as an add-on for Silver clients across Calgary, Edmonton, Red Deer, Vancouver, Victoria, Toronto, Ottawa, and Montréal.

 

Stop Assuming, Start Backing Up

The single most expensive belief in Canadian SMBs is that Microsoft is taking care of data backup. They aren't, and they say so. The good news: closing the gap is inexpensive, mature, and quick to deploy. The infrastructure exists, the costs are reasonable, and the protection is real.

If your business runs on Microsoft 365 and you don't have a third-party backup with 7-year retention and immutable storage, GAM Tech can deploy one within days and walk you through the configuration alignment that makes it actually useful in a recovery scenario. With offices in Calgary, Edmonton, Red Deer, Vancouver, Victoria, Toronto, Ottawa, and Montréal, and a 24/7 internal Canadian team, we support Canadian businesses anywhere in the country.

Book a 30-minute Microsoft 365 data protection conversation to find out where your tenant is exposed and what proper backup would look like for your business.