Backup And Recovery

Microsoft 365 Backup And Recovery Buyers’ Guide 2025

How to choose the right Microsoft 365 backup and recovery solution.

Last updated on Jan 03, 2025
Caitlin Harris Written by Caitlin Harris
Tom King Profile Technical review by Tom King
Microsoft 365 Backup And Recovery Buyers’ Guide

State of the market: Microsoft 365 backup and recovery solutions create a secure, point-in-time copy of the data stored in your MS365 apps. This allows you to easily recover data lost due to human error, technical issues, natural disaster, and cyberattacks like ransomware.

  • The data backup and recovery market was valued at USD 13.57 billion in 2023, and is expected to grow at a CAGR of 13.3% to reach a value of USD 25.23 billion in 2028.
  • Growth is being driven by an increase in ransomware attacks against SaaS applications and the need to achieve compliance with regulatory data protection standards.
  • As of February 2024, Microsoft’s 365 suite holds the second-largest share in the global office suite technology market.
  • Microsoft offers its own cloud backup service, but this isn’t included in Microsoft 365 subscriptions. Within MS365, your data is only natively backed up for an average of 30-90 days.
  • This leaves over a million organizations using MS365 apps vulnerable to permanent data loss—whether accidental or malicious.

Why Trust Us: We’ve researched, demoed, and tested several dozen leading cloud backup and recovery solutions, spoken to organizations of all sizes about their Microsoft 365 backup challenges and the features that are most useful to them, and interviewed executives from leading providers in the backup and recovery space.

You can find our product reviews, interviews, and Top 10 guides to the best backup and recovery products on the market in our Backup And Recovery Hub.

Our Recommendations: Before we jump in, here are our top tips on how to choose the right M365 backup solution to address your business need: 

  • For enterprises: Choose a solution that can handle terabytes (or even petabytes) of data and that allows you to scale up your storage on demand.
  • For SMBs: Look for per-user pricing to help keep costs down and an intuitive interface that’s easy to navigate. You may also wish to consider a managed backup solution, where the provider will take care of creating and restoring backups for you.
  • For compliance-focused organizations: Make sure the solution can help you achieve compliance with any federal or industry data protection standards relevant to your business. Look for long-term, flexible retention periods and encrypted and tamper-proof backup storage, and make sure the provider has data centers in the location you’re required to store your backups.
  • For security-focussed organizations: Follow the 3-1-2 rule (create at least three copies of your data, store them in at least two different types of media, and keep at least one copy off-site) and look for a solution that offers encryption, immutable backups, and role-based access controls.
  • For everyone: Choose a reputable, well-known vendor with lots of experience in the backup space and positive user reviews. This will reduce the risk of the vendor going out of business, meaning your data will be secure and available for a long time.

How M365 Backup And Recovery Works: MS backup and recovery solutions are typically deployed as a SaaS platform or an on-prem solution. Once deployed, they connect to your organization’s Microsoft 365 environment via Microsoft API to pull copies of your data. Typically, they do this via either continuous replication or scheduled replication:

  • Continuous replication involves copying your data to a secondary location in real-time as users make changes within your environment. This gives you the most up-to-date copy of your data and is the most common type of M365 backup.
  • Scheduled replication requires you to decide how often you want the solution to create backups, e.g., daily or weekly. While this is cost effective, you run the risk of permanently losing any data that’s created between a data loss incident your most recent backup.

Once your backup solution has created copies of your data, it writes those copies out to a secure, secondary location—this can be either in the cloud or on-prem, depending on the solution’s offering.

  • Cloud storage is particularly effective for M365 backups as you can use Microsoft’s API to deploy cloud-to-cloud backups quickly and easily, and you don’t have to worry about running out of storage space or maintaining backup servers. However, cloud storage can be costly.
  • On-prem storage (e.g., hard drives, disks, or physical servers) is secured by your firewall and enables low-latency recovery as you don’t need an internet connection to recover data. However, you need to hire staff to create, maintain, and manage the backup server, and this type of storage is vulnerable to natural disasters.
  • Hybrid storage (one copy on-prem and another in the cloud) is typically considered the most secure as no single point of failure can destroy all of your backups. 

Once created and stored, you can use your backups to recover data. The best solutions give you lots of flexibility when it comes to choosing what data you want to recover (i.e., from individual file restores to full tenant restores) and to which location you’d like to recover it (i.e., the original location or a new one).

Benefits Of M365 Backup And Recovery: There are three main use cases for M365 backup and recovery tools:

  1. A M365 backup solution can safeguard your company against permanent data loss. 
    • 20% of SaaS data loss is caused by accidental deletion. With a M365 backup tool, you can easily restore individual files and emails that have been misplaced or accidentally deleted.
    • Natural disasters are responsible for 5% of business downtime. If your business stores data on-prem and is hit by a flood, fire, hurricane, or other disaster, a M365 backup tool can help you recover that data and make sure your users can still access it during periods of extended downtime.
    • 80% of organizations have been hit by at least one ransomware attack in the last 12 months and, in 93% of attacks, the threat actors attempt to compromise their victim’s backups. With a M365 backup tool, you can create immutable, tamper-proof backups that can’t be compromised by a cybercriminal, and with which you can safely recover from a ransomware attack.
  2. Backing up your M365 data can help you prove compliance with data protection standards.
    • HIPAA, GBLA, SOX, and NIST CSF explicitly require you to backup data. You can read more about these requirements here.
  3. Implementing a third-party backup and recovery tool can save valuable IT resource.
    • By this point, we’ve established that you need backups of your M365 data.
    • Because Microsoft doesn’t back up data within M365 natively, you’re responsible for creating backups of your own data. Doing this manually can be time-consuming, complex, and costly—especially if you handle lots of data or need to build your own backup servers.
    • With a third-party M365 backup solution, your provider can help you recover your data in the event it’s lost or damaged, and if you choose a cloud storage option, you don’t need to build or maintain a server and you only pay for the storage you need.

Common M365 Backup And Recovery Challenges: There are a few common challenges that you might come across when implementing a M365 backup solution. Here’s what they are and how to overcome them:

  1. API limitations: To backup and restore M365 data, your Microsoft API needs to ingest and output data. Microsoft limits the number of API calls that you can make daily per user account, which means that a) restoring data can be a slow process and b) you can’t provide accurate Recovery Time Objectives (RTOs). We recommend creating a separate storage site for business critical files, so that you can restore them as required without API limitations.
  2. Data storage security: Backups stored on-prem are vulnerable to physical data loss (i.e., natural disasters, accidental hardware damage). Backups stored in the cloud are reliant on the security of the cloud storage provider. To ensure no single point of failure can destroy all your backups, we recommend choosing a reliable data center (e.g., Azure, AWS, or Google Cloud) and following the “3-2-1” rule.
  3. High storage costs: Data storage costs vary between backup providers but they’re typically quite high. For example, AWS S3 is charged at USD 21-23 /TB/month. For companies with lots of data, this can quickly add up. We recommend looking for a solution with “per user” pricing, which is a monthly or annual cost based on how many active users your company has.
  4. M365 coverage: Not all backup providers cover all M365 applications. Make sure you choose a solution that covers all the apps your organization is currently using—this information should be readily available on their website.

Best M365 Backup And Recovery Providers: Our team of cybersecurity analysts and researchers has put together a shortlist of the best providers of backup and recovery solutions for Microsoft 365, as well as adjacent lists covering similar topics:    

Features Checklist: When comparing M365 backup and recovery solutions, Expert Insights recommends looking for the following features:

  1. Automated backups: Look for a solution that creates backups automatically. We recommend continuous backups for M365 apps, but if this isn’t possible, you should schedule backups at least daily.
  2. Secure backup storage: Your data should be encrypted in transit and at rest, and your backups should be immutable. Some solutions also offer built-in malware scanning.
  3. Granular recovery options: You should be able to carry out full restores or individual files restores on demand, export files in their original formats or as a PTS, EML, or ZIP file, and restore files to a location of your choice. Restores should be of the same quality as the original copy (this is particularly important for images).
  4. Search functionality: Look for strong filtering, tagging, and keyword search capabilities that will help you search your backup database for the data you want to restore.
  5. Data retention: If you work in an industry such as healthcare or finance that requires data to be stored for a certain period, you should look for a solution that a) offers long-term retention and b) allows you to set multiple retention periods. 
  6. Access controls: With role-based access controls, you can enable end users to restore their own files and mailboxes, while admins can restore anything. This will help reduce helpdesk tickets.
  7. Notifications: The solution should notify you if a backup is successful or has failed.
  8. Scalability: You should be able to easily increase your storage to accommodate your organization’s growth.
  9. Compliance: Make sure the solution is compliant with any federal or industry data protection standards relevant to your business. Specifically, look at retention periods, data sovereignty, and encryption.

Future Trends: As the backup and recovery market grows, we expect to see three key evolutions.

First, we expect more vendors to move to SaaS products, rather than on-prem, self-hosted products.

  • M365 is cloud-based, and it’s easier to set up cloud-to-cloud backups than on-prem backups.
  • One example of this is Veeam, a backup provider that previously dominated in the on-prem space but have recently launched a cloud-hosted product. 

Second, we expect ransomware protection features to be included in cloud backup products as standard.

  • These include immutable/tamper-proof backups, malware detection, and fast recovery options in the event of a ransomware attack.
  • As part of this, we may see more automation on the recovery side:
    • “Organizations will prioritize automated cyber recovery solutions to speed up incident response and reduce human error. Automated workflows will guide recovery processes, restoring critical systems and applications in a structured, prioritized manner to minimize downtime and financial losses.” – Andy Kerr, Acronis

Finally, we expect to see more backup providers embracing a zero-trust architecture within their solutions.

  • The zero trust principle states that no entity—human or machine—should be trusted with network access by default.
  • Within the backup space, this will mean verifying every data access request to ensure only legitimate users can access the backup repository, thereby protecting backups from compromised user accounts.

Further Reading: You can find all of our articles on M365 backup and recovery in our Backup And Recovery Hub.

Want to jump right in? Here are a few articles we think you’ll enjoy: 

Caitlin Harris
LinkedIn Email

Deputy Head Of Content

Caitlin Harris is Deputy Head of Content at Expert Insights. Caitlin is an experienced writer and journalist, with years of experience producing award-winning technical training materials and journalistic content. Caitlin holds a First Class BA in English Literature and German, and provides our content team with strategic editorial guidance as well as carrying out detailed research to create articles that are accurate, engaging and relevant. Caitlin co-hosts the Expert Insights Podcast, where she interviews world-leading B2B tech experts.
Tom King Profile Tom King
Email

Cybersecurity Analyst

Tom King is an Information Security Engineer. He holds a First-Class Honours Degree in Cybersecurity from Sheffield Hallam University. Tom works with Expert Insights product testing team, where he conducts independent technical reviews of cybersecurity solutions and services across a range of software categories, including email security, identity and access management, and network protection.