A while ago I wrote an article:
Recently, Tony Redmond wrote this article on a similar topic:
That then lead to the following debate:
I’ve also seen people quote the following from Microsoft:
which contains the following clause:
“We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”
However, it is important to note at the top of that document:
“These terms (“Terms“) cover the use of those Microsoft consumer products, websites, and services listed at the end of these Terms here (#serviceslist) (the “Services“).”
Note hyperlink to “services” that agreement actually covers. That leads to the following URL:
and when you look through that list there are no M365/O365 commercial services listed:
Thus, that Microsoft Services Agreement doesn’t apply when talking about data retention in Microsoft 365 commercial products.
In fact, the following slide was taken from a recent Microsoft Ignite 2020 presentation:
Here’s the time stamped video it came from – https://youtu.be/zBHXVGrxBqM?t=1971 (Protecting Exchange Online Mailboxes As A Secure Vault)
I will also highlight the following article:
“The minimum value is 30 days and the maximum value is 3650 days (ten years).”
As my original article states and Tony Redmond reinforces, the importance is to understand what M365 does out of the box with data retention and how that can and ‘should’ be configured to reduce risk. After which, third party products can be added to supplement what Microsoft 365 does. As I say, more backups are good but at some point they fail to significantly reduce risk for the investment made in them. That point is up to the individual business to determine.
It is important to have the correct information when it comes to data retention and recovery in Microsoft 365, and if you don’t appreciate what can be done with Microsoft 365 out of box then I’d encourage you to go and take a closer look, because it does a pretty good job in my opinion.