February 11, 2019

Why Office 365 Retention Policies Could Be Putting Your Business at Risk

Microsoft’s Office 365 subscription service offers organisations a range of benefits. From access to the latest Office productivity tools such as Word and Excel to the high availability and global reach of its cloud-based email, collaboration, and messaging services, the business benefits are unmistakable.

Office 365 also offers enterprises data security in the cloud. It ticks all the compliance boxes for a vast range of international regulatory standards.

However, when it comes to protecting your data, the retention policies on Exchange Online may be putting your business at risk.

Office 365 Retention Policies

Retention policies on Office 365 give organisations the ability to retain and delete content using a predefined configuration. The problem with these policies is that managing them is extremely complex. Office 365 comes with twelve preset retention settings. These range from a policy that allows a user to delete content in one week to another that stores it indefinitely.

Complicating things further, the default setting for all content is to move it to an archive after two years. Users can also tag items as personal and transfer them to an archive after 12 months, five years or never.

All these options not only increase the complexity of managing data on Office 365, but they also increase organisational risk. As users have the default ability to tag items for deletion, you could end up losing data your business needs.

Securing Data on Office 365 is a Shared Responsibility

Office 365 is Software as a Service (SaaS). As it aligns with the SaaS cloud service model, there are specific parts of the service that fall under Microsoft’s responsibility and particular components that the subscriber needs to manage.

With SaaS, the service provider is responsible for managing the entire solution stack. Everything from maintaining the physical infrastructure to ensuring the availability and security of the application is their responsibility. However, as the subscriber is responsible for controlling access to the service, the data the subscriber stores on the platform is also the subscriber's responsibility.

Retention Policies are not Backups

As subscribers are responsible for managing and securing their data on Office 365, ensuring they implement the appropriate measures to protect their information is vital. While retention policies offer some data protection services, they are not data backups. Microsoft’s responsibility is to ensure the availability and integrity of the data stored on Office 365.

However, availability and integrity are not a backup. A backup is an offline, independent copy of your data that can be restored if the source system or service is unavailable. Office 365 ensures availability by replicating your live data to multiple instances across their global data center. This data protection strategy means any change in your data is then replicated across your Office 365 environment.

As Microsoft explicitly states that a point-in-time restoration is out of scope for Office 365, there are a few scenarios where this policy can result in you losing valuable business data.

Accidental or deliberate deletion, retention policy gaps, and security threats can all result in irrecoverable data loss on Office 365. If a user deletes data, it can result in a loss of critical information. The default Office 365 retention policy for deleted items is only 14 days. If the data is not recovered from the user’s subfolder before that period expires, it is permanently deleted by Microsoft. Retention policy gaps are another risk that could result in irrecoverable data loss.

Office 365 retention policies are complicated. Although they do offer some protection, the possibility of data loss due to a gap in your retention policies is a reality. Security threats could also result in an organisation losing data on Office 365. Internal threats such as a user deliberately deleting data and external threats such as ransomware could all result in irrecoverable data loss.

Backing Up Your Data on Office 365 is Your Responsibility

Protecting your data on Office 365 is your responsibility. As there are a few scenarios where Microsoft data protection technologies do not ensure the recoverability of your data, you need to implement a proper backup solution for the critical information you store on Office 365.

Not only is this a compliance requirement, but a proper backup solution will help you recover vital data should it ever be lost by deletion, retention policy gaps, or a security incident.

Probax Backup for Office 365

Probax Backup for Office 365 is a cloud-to-cloud backup as a service offering which provides a simple, automated and secure backup solution for Microsoft Office 365. With Probax Backup for Office 365, organisations can:

  • Enhance protection of Office 365 data from accidental deletion, threats and retention policy gaps;
  • Quickly restore individual Office 365 items and files with industry-leading recovery flexibility; and
  • Meet legal, compliance, and data sovereignty requirements with efficient eDiscovery of Office 365 backup archives and your choice of AWS storage location (USA, Canada and Australia).

Probax Backup for Office 365 is available on a monthly subscription, with the option to back up Exchange only, OneDrive & SharePoint only, or all three for a discounted bundled rate. For a limited time, Probax is offering new and existing partners 50% off Probax Backup for Office 365 until June 30. This offer must be claimed by February 14 and terms and conditions apply. For more information, visit our promotion page (US Partners / Australian Partners).

For more information, please refer to our media release (USA / AUSTRALIA) or products page.