Microsoft 365 Backup, Built for Recovery

COMPLETE MICROSOFT 365 COVERAGE
One Backup for Every Workload
- Exchange Online: Mailboxes, calendars, contacts
- OneDrive: Files, folders, version history
- SharePoint: Sites, libraries, lists
- Teams: Channels, chats, files
Microsoft Won't Recover Your Data — You Will
Microsoft secures the platform and keeps it running. Under its shared-responsibility model, protecting and recovering the data inside Microsoft 365 is the customer's job — not Microsoft's.
Microsoft is responsible for
- Service & infrastructure uptime
- Physical data-center security
- Platform-level geo-redundancy
You are responsible for
- Recovering your data after an attack
- Restoring accidentally or maliciously deleted items
- Long-term retention for compliance
- Data left behind by departing employees
- Ransomware & malware: Encrypts or destroys cloud data — including native recycle bins.
- Accidental & malicious deletion: Items vanish past short native retention windows.
- Retention gaps: Native retention is limited and not designed as a backup.
- Departing employees: Licences are reclaimed and data is purged on a schedule.
Recover Even When Backups Are the Target
Modern attacks go after your backups first. Sophos keeps recovery data immutable and air-gapped — beyond the reach of an attacker who has compromised your tenant.
- Backups stored in immutable, air-gapped storage
- Isolated from your Microsoft 365 tenant and credentials
- Clean, point-in-time restore points to recover from
Frequently asked questions
No. Microsoft 365 provides availability and some native retention tools — recycle bins, versioning, and litigation hold — but these are not designed for fast, large-scale data recovery. Recycle bins expire, versioning has limits, and litigation hold is a legal discovery mechanism, not a restore solution. Organizations that need to recover from ransomware, accidental deletion, or admin error at scale require a dedicated third-party backup solution.
If an attacker gains admin credentials, they can tamper with or delete Microsoft's native retention policies before launching the main attack — eliminating your ability to recover from within the platform. Without a dedicated, air-gapped backup, organizations are left with limited options and face days or weeks of manual recovery effort. In environments with 1,000 or more users, that manual effort alone can take 14 days without a dedicated solution.
An air-gapped backup is isolated from your live environment — in this case, your Microsoft 365 tenant — so that an attacker who compromises your tenant cannot reach or destroy the backup. This isolation is the critical protection gap that native M365 tools cannot provide: if an attacker modifies retention policies or deletes data with compromised admin credentials, an air-gapped backup remains intact and recoverable.
Immutable backup storage uses WORM (Write Once, Read Many) locking to ensure that backup data cannot be altered, encrypted, or deleted after it is written — regardless of what credentials an attacker holds. Technologies such as SLA Retention Lock and Intelligent Data Lock enforce this at the storage level, providing a reliable recovery point even after a full admin account compromise.
No. Litigation hold is designed to preserve data for legal discovery — it prevents deletion for eDiscovery purposes but is not built for fast, granular data restoration at scale. It does not protect against ransomware, cannot restore a corrupted SharePoint site, and offers no defence against an attacker with admin credentials who modifies or deletes hold policies.
All four core M365 workloads carry data loss risk: Exchange Online mailboxes (email and calendar), OneDrive (files and personal sites), SharePoint (sites, document libraries, and lists), and Microsoft Teams (channel posts, chats, and files). Each has its own recycle bin expiry and retention limits. Without dedicated backup, data loss in any of these workloads — from ransomware, accidental deletion, or misconfiguration — may be unrecoverable once native retention windows close.
Manual recovery of 1,000 users using native Microsoft 365 tools takes approximately 14 days. That estimate covers locating data across workloads, working within Microsoft's API rate limits, and reconstructing mailboxes, sites, and Teams content without bulk restore tooling. A dedicated backup solution reduces this to hours through fast search, point-in-time snapshots, and granular or bulk restore options.
With native M365 tools, a privileged insider can modify or delete retention policies, emptying the safety net. A dedicated backup solution that enforces immutability and isolates backup storage from the tenant means that even an insider with full admin access cannot alter or delete protected backup copies. The backup chain remains intact regardless of what happens inside the tenant.
At minimum, look for: air-gapped, immutable storage that survives admin credential compromise; coverage across all four M365 workloads (Exchange, OneDrive, SharePoint, Teams); granular recovery down to individual emails or files alongside bulk restore for large incidents; automated policy-driven protection that discovers new users and sites without manual scheduling; multi-geo storage for data residency requirements; and predictable, per-user licensing with storage included.
Sophos M365 Backup and Recovery isolates backups from the M365 tenant with a true air gap. WORM-locked immutability, SLA Retention Lock, and Intelligent Data Lock ensure backup data cannot be destroyed or altered — even by an attacker holding full admin credentials. MFA is enforced independently of M365 credentials, and Bring Your Own Key (BYOK) encryption with Retention Lock Quorum Authorization prevents policy tampering. This combination addresses the most critical gap in a ransomware scenario: the attacker's ability to destroy your recovery options before you know an attack has started.
Sophos Backup and Recovery for M365 covers all four core workloads: Exchange Online (mailboxes, shared mailboxes, folders, inactive users), OneDrive (files, folders, personal sites, inactive user data), SharePoint (sites, lists, document libraries, subsites), and Microsoft Teams (channel posts, chats, files, Teams structure). A single per-user license covers all four workloads with software and storage included.
Yes. Recovery ranges from a single email, file, or Teams post through to an entire OneDrive or SharePoint site. Search by keyword, email subject, event title, author, or date range, or browse point-in-time snapshots. Restore to the original user or any other user — cross-user recovery is supported across all four workloads. Granular and bulk recovery options allow IT teams to respond at the right scale for the incident.
The product supports retention policies that extend well beyond Microsoft's defaults, enabling organizations to meet GDPR, HIPAA, and other regulatory requirements. Immutable, tamper-proof copies satisfy regulatory integrity and evidentiary standards. Role-based access controls allow compliance responsibilities to be delegated without granting broad admin rights, and point-in-time recovery enables rapid response to audit and legal inquiry.
Yes. Sophos M365 Backup and Recovery maintains independent backup copies that are not subject to Microsoft's recycle bin expiry windows. Emails, files, and Teams content can be recovered instantly even after native retention periods have closed. This covers individual user errors, bulk deletions from misconfigured scripts or automation, and admin errors applying policies incorrectly.
It is accessed through an SSO integration with Sophos Central — the console used to manage Sophos Endpoint, Email, Firewall, and MDR. This provides better visibility of your security posture and of the relationship between threat detection and the recovery workflow.
Licensing is per-user, with software and storage included at a fixed, predictable cost. A single license covers all four M365 workloads — Exchange Online, OneDrive, SharePoint, and Teams. There is no separate storage tier or infrastructure to manage.
It is available as a standalone product for new and existing Sophos customers. It is a strong fit for organizations with 200 or more M365 seats, IT teams with limited staff who need automated protection without operational overhead, and any organization with compliance or long-term retention requirements their current M365 configuration cannot meet.
Make Microsoft 365 Recoverable
Get the full technical overview of Sophos Backup and Recovery for Microsoft 365 — coverage, recovery options, and deployment.

