No, Microsoft 365 does not back up your data in the traditional, restorable sense that most business owners, IT admins, and compliance officers assume. Microsoft operates under a Shared Responsibility Model that places the duty to protect, retain, and recover your actual business content on you, the customer. The platform offers short-term retention, recycle bins, and limited recovery windows, but these tools do not satisfy long-term legal, regulatory, or disaster-recovery requirements under federal laws like SEC Rule 17a-4, HIPAA 45 CFR Β§164.308, or FRCP Rule 37(e).
The core problem is a dangerous misconception. Most organizations believe that because data lives “in the cloud,” it is automatically safe, recoverable, and compliant. The governing document that contradicts this belief is the Microsoft Services Agreement, which clearly advises customers to regularly backup their content using third-party services. The immediate negative consequence is catastrophic: deleted, corrupted, ransomware-encrypted, or malicious-insider-wiped data can become permanently unrecoverable within 14 to 93 days, and courts have sanctioned companies millions of dollars for failing to preserve electronically stored information (ESI) under Zubulake v. UBS Warburg.
A sobering statistic anchors the stakes. According to a 2025 ESG Research Report commissioned across the SaaS data protection industry, 53% of organizations using Microsoft 365 have experienced data loss events, yet fewer than 1 in 3 deploy a dedicated third-party backup solution. Here is what this article will help you master:
- π The exact legal and contractual reasons Microsoft does not act as your backup provider.
- π‘οΈ How native tools like Retention Policies, Litigation Hold, and the Recycle Bin actually work β and where they fail.
- βοΈ The federal statutes and court rulings that make third-party backup a compliance necessity.
- π§° Real-world scenarios showing how data loss happens inside Exchange, SharePoint, OneDrive, and Teams.
- π¨ The top mistakes, do’s, don’ts, pros, and cons of relying on Microsoft 365 for data protection.
The Shared Responsibility Model Explained
The Shared Responsibility Model is the single most important concept in cloud data protection, and it is the reason Microsoft 365 is not a backup service. Under this model, Microsoft is responsible for the infrastructure β the physical data centers, the network, the virtualization layer, and the uptime of the services themselves. The customer, however, is responsible for the data inside those services, including its accuracy, retention, recovery, and compliance with the law.
The plain-English explanation is this. Microsoft keeps the lights on; you keep the records. Microsoft guarantees that Exchange Online, SharePoint Online, OneDrive for Business, and Teams will be available and that the servers will not burn down. Microsoft does not guarantee that if your employee deletes a folder of contracts, you will be able to get it back six months later.
The consequence of misunderstanding this model is severe. Organizations assume Microsoft will restore lost mailboxes, recover ransomware-encrypted SharePoint libraries, or reverse a malicious admin wipe. When they open a support ticket expecting a full restore, Microsoft points them to the Microsoft Services Agreement, which states customers should “regularly backup” their content. The data is simply gone.
Consider a real-world mini-scenario. Marcus, a CFO at a Dallas CPA firm, loses his entire email archive of 18,000 messages after a terminated employee deletes shared mailbox content on their way out the door. Marcus calls Microsoft support on day 45, well past the 30-day deleted items retention window described in the Exchange Online limits. The messages are unrecoverable, and Marcus now faces an IRS audit without source documentation.
A common misconception holds that because Microsoft replicates data across multiple data centers, those replicas count as backups. They do not. Replication protects against infrastructure failure, not against user error, malicious deletion, ransomware, or retention-policy errors. Replicated corruption is still corruption, replicated in real time to every mirror.
Microsoft’s Role vs. Your Role
Microsoft’s role is narrow and well-defined. The company maintains service uptime under the Microsoft 365 Service Level Agreement, which promises 99.9% availability but says nothing about data recovery after user-caused loss. Microsoft also manages physical security, patching, hypervisor integrity, and geo-redundant storage of its infrastructure layer.
Your role, on the other hand, is extensive. You must classify data, apply retention, preserve records for litigation, encrypt where appropriate, manage identity and access, train employees, and recover from user-caused incidents. The Microsoft Learn documentation on data protection spells this out in detail, and it is the customer’s job β not Microsoft’s β to build a backup strategy.
The consequence of failing to perform your role is measured in both dollars and liability. A 2024 IBM Cost of a Data Breach Report pegged the average breach cost at $4.88 million, and SaaS-related incidents made up a growing share. A named example illustrates this. Jasmine, a SharePoint administrator at a Chicago law firm, assumed Microsoft would retain deleted site collections forever. When a junior admin deleted a client matter site, Jasmine discovered the 93-day recycle bin window had already expired because the deletion happened during a holiday freeze. The firm lost three years of privileged work product.
A common misconception is that Microsoft’s “data resiliency” features equal backup. They do not. Resiliency means Microsoft can recover from a drive failure. Backup means you can recover from your own mistake, an attack, or a compliance demand.
Why Microsoft Is Not a Backup Provider
Microsoft openly states it is not a backup provider. The Microsoft 365 Backup product page β an add-on released in 2024 β implicitly confirms this by offering paid backup as a separate service layered on top of the core suite. If the base subscription already covered backup, there would be no need for the add-on.
The plain-English reason is economic and architectural. Backup requires immutable, point-in-time, granular, air-gapped copies of data that can survive administrator compromise. Microsoft’s production environment is optimized for availability, not recoverability. Keeping a true backup of every tenant for every day would explode storage costs and slow the service.
The consequence is that customers who do not layer a third-party backup onto their tenant carry 100% of the data-loss risk. Consider Derrick, an IT director at a Miami manufacturing firm. When a ransomware strain encrypted his OneDrive-synced file shares, Derrick learned that the encrypted versions had already replicated into the cloud and aged out the Files Restore 30-day window. Without a third-party backup, Derrick paid the ransom.
A common misconception is that enterprise-tier licenses (E3, E5) include full backup. They do not. They include better retention and eDiscovery tools, but retention is not backup. Retention controls how long data is kept; backup controls whether you can restore data to a specific point in time.
Native Microsoft 365 Retention Tools
Microsoft 365 ships with several native retention and recovery tools that are often mistaken for backup. Each has a narrow purpose, a strict time limit, and a specific failure mode. Understanding each tool is the first step toward building a real data-protection plan that meets federal standards like FRCP Rule 26(b) for discoverability.
The key native tools are the Recycle Bin (first and second stage), Retention Policies in Microsoft Purview, Litigation Hold, In-Place Hold, Versioning, and Deleted Items recovery in Exchange. Each is governed by default time windows and tenant-level configurations documented in Microsoft Purview data lifecycle management.
These tools exist for a reason. They help administrators handle common, low-stakes recovery needs β an accidental email deletion, a botched document edit, a minor personnel change. They were never designed to replace enterprise backup, disaster recovery, or long-term archival obligations under laws like IRS Revenue Procedure 98-25, which governs electronic recordkeeping.
The consequence of relying solely on these tools is predictable data loss. A named scenario shows why. Priya, a compliance officer at a Boston biotech, assumed her tenant’s default retention policy protected all clinical trial documents. She discovered β during an FDA inspection β that a default 7-year policy had actually been set to 7 days by a contractor. The native tool did exactly what it was told; it just was not configured correctly.
A common misconception is that native retention equals backup plus compliance. It does not. Retention is a rule, and rules can be changed, deleted, or misconfigured by any privileged user. Backup is a copy, stored outside the production environment, that cannot be altered by the same credentials that manage the tenant.
Recycle Bin and Deleted Items
The Recycle Bin is the most familiar native tool, but it is also the most misunderstood. In SharePoint Online, deleted items move to the first-stage recycle bin for 93 days, then to the second-stage for the remainder of that 93-day pool. In OneDrive, the same 93-day rule applies. In Exchange, deleted items live for 14 days by default and can be extended to 30 days.
The plain-English explanation is that these bins are a safety net for accidents, not a backup. They give users a window to undo a mistake. Once the window closes, the data is purged from the service and is generally unrecoverable through Microsoft support.
The consequence of overreliance is illustrated by Kenji, a project manager at a Seattle architecture firm. Kenji deleted a client’s 2023 drawings folder on January 5 and only learned of the need to recover it on April 20 β 105 days later. The 93-day window had closed, and the files were gone.
A common misconception is that emptying the recycle bin deliberately still allows recovery via a support ticket. It does not. Once the second-stage bin is purged, Microsoft has no internal mechanism to restore individual user content, per the Exchange Online Service Description.
Retention Policies and Litigation Hold
Retention Policies in Microsoft Purview let administrators preserve content for a set duration, even after users delete it. Litigation Hold goes a step further, freezing all mailbox content indefinitely to comply with legal preservation duties under FRCP Rule 37(e).
The plain-English explanation is that these are preservation tools. They keep data available for eDiscovery and compliance, but they do not produce point-in-time, restorable copies the way a real backup does. They also cannot undo data corruption β if a file is encrypted by ransomware, the encrypted version is what gets preserved.
The consequence of confusing preservation with backup is legal exposure. In Coleman (Parent) Holdings, Inc. v. Morgan Stanley, the court sanctioned Morgan Stanley $1.45 billion (later reversed on other grounds) in part due to ESI preservation failures β a cautionary tale summarized by the Federal Judicial Center. Consider Alicia, a general counsel who placed a litigation hold on a custodian’s mailbox but did not back up SharePoint files. When ransomware hit, the preserved mailbox survived, but the SharePoint evidence did not.
A common misconception is that Litigation Hold blocks admin-level deletion. It does block user deletion and certain admin actions, but a determined global admin with sufficient privilege can still purge data, as documented in Microsoft’s admin role reference.
Versioning and Point-in-Time Recovery
SharePoint and OneDrive offer versioning, which keeps prior versions of a file. OneDrive Files Restore allows a user to roll back their entire library to any point in the previous 30 days.
The plain-English explanation is that versioning is great for undoing edits and Files Restore is useful for ransomware recovery β if the attack is detected within 30 days. Teams, however, has no native versioning for chat, and Teams channel files stored in SharePoint inherit that library’s version limits.
The consequence is inconsistent coverage. TomΓ‘s, a marketing director at an Atlanta agency, relied on Files Restore after a ransomware incident. He discovered the attack on day 32, one day past the window. All rollback was lost. The CISA ransomware guide warns explicitly that 30-day windows are insufficient for modern threats that dwell for months.
A common misconception is that Teams conversations are covered by SharePoint versioning. They are not. Teams chat messages live in a hidden Exchange mailbox location and follow Teams retention policies, which default to permanent but can be changed tenant-wide with a single click.
Federal Laws That Demand Real Backup
Federal law in the United States imposes data-retention duties that go far beyond Microsoft’s native capabilities. These laws do not name a specific technology, but they require outcomes β restorability, immutability, auditability, and retention periods β that only a true backup system can deliver consistently.
Key federal frameworks include SEC Rule 17a-4 for broker-dealers, FINRA Rule 4511 for member firms, HIPAA 45 CFR Β§164.316 for protected health information, the Sarbanes-Oxley Act Section 802 for public company records, and FRCP Rules 26 and 37(e) for litigation preservation.
The plain-English explanation is that these laws require you to prove you still have the data, produce it on demand, and preserve it in a form that has not been tampered with. Microsoft 365’s native tools can help, but they cannot guarantee compliance, especially if an administrator is compromised or a retention policy is misconfigured.
The consequence of non-compliance is steep. HIPAA civil penalties can reach $2,067,813 per violation category per year under the HHS Enforcement page. FINRA has fined broker-dealers hundreds of millions of dollars for recordkeeping failures, including a $125 million collective settlement documented by FINRA News. Imagine Rebecca, a privacy officer at a regional hospital, facing an Office for Civil Rights audit after a ransomware event destroyed six months of ePHI. Without a backup, she cannot demonstrate the required “contingency plan” under HIPAA.
A common misconception is that Microsoft’s own compliance certifications (SOC 2, ISO 27001, HIPAA BAA) transfer to the customer. They do not. Certification of Microsoft’s practices does not certify your configuration. The HIPAA Business Associate Agreement makes clear that the covered entity retains responsibility for its data.
HIPAA and Healthcare Data
HIPAA’s Security Rule requires covered entities to implement a contingency plan that includes data backup, disaster recovery, and emergency mode operations. The rule is prescriptive about outcomes and agnostic about tools, but the HHS Security Rule Guidance explicitly references “retrievable exact copies of electronic protected health information.”
The consequence of violating HIPAA’s backup requirement is a penalty under 45 CFR Β§160.404. The 2017 Presence Health settlement and similar actions show that OCR treats availability failures as seriously as confidentiality breaches.
Consider Dr. Okonkwo, a small-practice owner who stored all patient notes in OneDrive. A ransomware attack encrypted the notes, and Files Restore had aged out. Without a third-party backup, Dr. Okonkwo faced both patient-care risk and a mandatory breach notification under the HHS Breach Notification Rule.
A common misconception is that signing Microsoft’s BAA is enough. It is not. The BAA obligates Microsoft to protect PHI under its direct control; it does not obligate Microsoft to back up your OneDrive.
SEC 17a-4 and Financial Records
Broker-dealers must preserve business records under SEC Rule 17a-4 for set periods, with electronic records kept in a non-rewriteable, non-erasable (WORM) format or equivalent, per the 2022 amendments. FINRA Rule 4511 extends similar duties to all member firms.
The consequence of violating 17a-4 is direct regulatory action. In 2022 and 2023, the SEC levied over $2 billion in fines against major banks for off-channel communications and recordkeeping failures, as reported by the SEC Press Releases page. Microsoft 365 alone cannot produce WORM-compliant records without an add-on or third-party solution that layers immutability on top.
Consider Angela, a compliance officer at a New York broker-dealer. She relied on Purview retention policies but discovered during an SEC exam that a policy change had shortened retention from 7 years to 3. Without an immutable third-party archive, Angela could not reconstruct the deleted records.
A common misconception is that Microsoft 365’s preservation features are automatically WORM. They are not by default. You must enable specific Preservation Lock features, and even then many firms choose third-party archiving vendors for defensible compliance.
FRCP and eDiscovery Duties
The Federal Rules of Civil Procedure Rule 37(e) imposes sanctions when a party “failed to take reasonable steps to preserve” electronically stored information. Rule 26 governs what must be produced in discovery. Together, they make data preservation a legal duty, not an IT preference.
The consequence of spoliation is severe. In Zubulake v. UBS Warburg, the court issued an adverse inference instruction that ultimately led to a $29.2 million verdict, as recounted by Cornell Law. In Pension Committee v. Banc of America Securities, Judge Scheindlin imposed sanctions for negligent preservation.
Consider Marcus again, now defending his CPA firm in a malpractice suit. Because the firm relied only on native retention, a key email chain had been purged. The opposing party moved for sanctions under Rule 37(e)(2), and the court issued an adverse inference that doomed the defense.
A common misconception is that a litigation hold protects future data. It protects data that exists at the moment the hold is placed. Data already purged before the hold cannot be un-deleted, a point emphasized in the Sedona Conference Commentary on Legal Holds.
Three Common Data Loss Scenarios
Every Microsoft 365 data-loss event follows one of three patterns. Mapping your exposure to these patterns is the fastest way to size your backup needs and match them to federal obligations.
Scenario 1: Accidental Deletion
| What Happens | What It Costs You |
|---|---|
| A user drags a SharePoint folder to the recycle bin and then empties it to “clean up space.” | The 93-day second-stage bin counts down silently; by day 94, the folder is unrecoverable via Microsoft support. |
| An administrator removes a departing employee’s mailbox to save licensing fees. | The mailbox is purged after 30 days unless a Litigation Hold was set before deletion, per Exchange Online rules. |
| A project manager deletes a Teams channel believing the project is closed. | Channel files, tabs, and chat history disappear; recovery depends on tenant-level Teams retention. |
Scenario 2: Malicious Insider or Ransomware
| Attack Vector | Resulting Damage |
|---|---|
| A terminated employee mass-deletes shared-drive content before their access revokes. | OneDrive Files Restore offers 30 days of rollback, but only if detected; shared SharePoint sites require admin-level recovery attempts. |
| A ransomware strain encrypts locally synced OneDrive files, replicating encryption to the cloud. | Encrypted versions propagate; versioning helps only if each file has sufficient historical versions retained. |
| A compromised global admin purges mailboxes using PowerShell commands. | Without third-party backup, purged items bypass Litigation Hold protections in certain configurations. |
Scenario 3: Retention Policy Misconfiguration
| Configuration Error | Business Consequence |
|---|---|
| A default “delete after 1 year” policy is applied tenant-wide instead of a department-specific 7-year rule. | Millions of records silently purge on a rolling basis; violations of SEC 17a-4 or HIPAA may go undetected for years. |
| A Purview retention label is removed by a well-intentioned admin cleaning up “unused” labels. | All items previously held by that label lose preservation, and deletions that were blocked now succeed. |
| A Teams retention policy is shortened from “forever” to “30 days” during a storage audit. | Three years of internal communications evaporate within 30 days, eliminating discoverable chat history. |
Mistakes to Avoid
Even skilled IT teams fall into predictable traps when they assume Microsoft 365 is a backup service. Each mistake below carries a direct, measurable consequence, and most appear in real incident post-mortems documented in the CISA Incident Response library.
- Assuming geo-redundancy equals backup. The outcome is unrecoverable data after user-caused deletion, because replication copies deletions too.
- Treating the Recycle Bin as long-term storage. The outcome is a 93-day cliff after which the data is purged without warning.
- Skipping a BAA review for healthcare data. The outcome is HIPAA violations when the BAA’s actual scope is narrower than assumed.
- Confusing Litigation Hold with backup. The outcome is preserved corruption β ransomware-encrypted files are held in their encrypted state.
- Leaving retention policy changes unlogged. The outcome is silent data loss when a shortened policy purges records before anyone notices.
- Granting too many global admin roles. The outcome is a single compromised credential capable of purging tenant-wide data, per Microsoft security baseline.
- Ignoring Teams chat retention. The outcome is loss of business-critical decisions made in chat, which often never appear in email.
- Relying on OneDrive Files Restore beyond 30 days. The outcome is missed recovery windows when attacks dwell longer than a month.
- Forgetting SharePoint site collection deletion protections. The outcome is entire sites being recoverable for only 93 days before permanent loss.
- Failing to test restores. The outcome is a backup system that appears to work until the day you actually need it under pressure.
Do’s and Don’ts of Microsoft 365 Data Protection
Do’s
- Do deploy a dedicated third-party backup solution, because Microsoft’s own Services Agreement recommends it.
- Do test restores every quarter, because untested backups have a high failure rate under real incident pressure.
- Do document your retention policies in writing, because written policies satisfy the “reasonable steps” requirement under FRCP Rule 37(e).
- Do apply Preservation Lock to compliance-critical policies, because it prevents even admins from shortening retention.
- Do monitor admin activity with Microsoft Purview Audit, because early detection of rogue admin behavior limits damage.
Don’ts
- Don’t assume your license tier includes backup, because even E5 does not offer true point-in-time restore.
- Don’t skip backing up Teams, because chat and channel files are often the primary record of business decisions.
- Don’t rely on a single admin account, because MFA-bypass attacks target privileged identities.
- Don’t store backups in the same tenant, because an attacker who owns the tenant owns the backups.
- Don’t confuse OneDrive sync with backup, because sync propagates deletions and encryption in real time.
Pros and Cons of Native Microsoft 365 Protection
Pros
- Easy to enable with no extra licensing cost for basic retention and recycle bins.
- Integrated directly with Microsoft Purview for unified compliance management.
- Includes Litigation Hold for eDiscovery support in regulated industries.
- Provides point-in-time rollback for OneDrive via Files Restore within 30 days.
- Supports immutable WORM via Preservation Lock when configured.
Cons
- Does not offer true point-in-time backup of entire tenants with granular restore.
- Recycle bin windows are short and unforgiving, especially in Exchange and SharePoint.
- Admin-level compromise can bypass many preservation protections.
- Teams chat coverage is inconsistent and policy-driven rather than copy-driven.
- Misconfiguration of retention can silently destroy years of records.
Building a Defensible Backup Strategy
A defensible strategy starts with classifying data by regulatory regime. Identify which content falls under HIPAA, SEC 17a-4, FINRA 4511, SOX, GLBA, FERPA, or general FRCP duties. The NIST SP 800-209 guidelines provide a clear framework for storage security that maps to backup planning.
The plain-English approach is three-fold. First, keep Microsoft’s native tools for short-term recovery and accidental deletion. Second, add a third-party backup like Veeam Backup for Microsoft 365, AvePoint Cloud Backup, Druva, or Barracuda Cloud-to-Cloud Backup for point-in-time, immutable copies. Third, consider Microsoft’s own Microsoft 365 Backup add-on for near-native integration.
The consequence of skipping any layer is predictable failure. Consider Lauren, a director of IT at a multi-state credit union. She deployed a third-party backup but never tested restores. When a ransomware attack hit, the backup turned out to have been failing silently for three months. Lauren’s institution faced GLBA Safeguards Rule scrutiny under 16 CFR Β§314.
A common misconception is that any third-party backup meets all compliance needs. It does not. You must match the backup’s retention, immutability, and chain-of-custody features to the specific statute you are covering. A Sedona Conference framework or auditor’s checklist is the right tool for that mapping.
The 3-2-1 Rule Applied to SaaS
The classic 3-2-1 backup rule β three copies, on two different media, with one off-site β still applies to SaaS. For Microsoft 365, this means one copy in the production tenant, one copy in a third-party SaaS backup, and one copy exported or stored in a separate cloud region or provider.
The consequence of ignoring 3-2-1 is single-point-of-failure risk. If your only copy is in the Microsoft tenant, any tenant-level incident β from account compromise to billing dispute β can cut off access. The CISA Zero Trust Maturity Model explicitly calls for assume-breach planning that 3-2-1 supports.
Consider Ravi, a startup CTO who backed up his Microsoft 365 tenant to the same Azure subscription that hosted his production workloads. When a billing dispute froze the subscription, both production data and backup data were inaccessible simultaneously. Ravi’s company lost two weeks of operations.
A common misconception is that exporting to PST files counts as backup. It does not scale, does not preserve metadata consistently, and fails eDiscovery tests, per the Federal Rules of Evidence 901 authentication standards.
Choosing the Right Vendor
Vendor selection should map to your regulatory profile. Healthcare organizations need BAA-signed vendors with HIPAA-compliant storage. Broker-dealers need WORM-capable archives that meet 17a-4(f). Law firms need chain-of-custody documentation for ESI production.
The consequence of a poor vendor choice is usually discovered too late, during a restore or an audit. A 2025 Gartner Magic Quadrant for SaaS Backup evaluates vendors on recovery speed, granularity, and compliance. Picking a low-cost vendor without these features can save dollars today and cost millions tomorrow.
Consider Denise, a compliance manager at a Philadelphia hedge fund. She picked a consumer-grade backup for her Microsoft 365 tenant because it was cheap. During an SEC examination, the backup could not produce the WORM-compliant records required under 17a-4(f), and her firm faced sanctions.
A common misconception is that all vendors restore at the same speed. They do not. Some vendors quote “full tenant restore” times of days rather than hours, which can violate RTO commitments in HIPAA contingency plans.
FAQs
Does Microsoft 365 back up my data automatically?
No. Microsoft operates under a Shared Responsibility Model that places backup duties on the customer. The service provides short-term retention and replication, but not restorable point-in-time backup of user content.
Is Litigation Hold the same as backup?
No. Litigation Hold preserves data for legal purposes but does not produce point-in-time restorable copies. Encrypted or corrupted data stays encrypted or corrupted, even under a hold.
Can I recover a deleted SharePoint site after 93 days?
No. The SharePoint second-stage recycle bin retains deleted site content for 93 days total. After expiration, Microsoft support cannot restore the site for you.
Does Microsoft 365 Backup (the add-on) replace third-party tools?
No. The add-on covers Exchange, SharePoint, and OneDrive with fast native restores, but many organizations still layer third-party solutions for cross-tenant, cross-cloud, and long-term archival needs.
Is OneDrive Files Restore enough for ransomware recovery?
No. Files Restore offers 30 days of rollback, but many ransomware campaigns dwell for longer before triggering. Post-30-day attacks cannot be rolled back using this tool alone.
Does HIPAA require me to back up Microsoft 365 data?
Yes. HIPAA’s Security Rule requires a contingency plan with retrievable exact copies of ePHI. Native Microsoft 365 tools alone rarely satisfy this standard without added backup.
Are Microsoft’s replicated data centers considered backup?
No. Replication protects against infrastructure failure, not user error or malicious deletion. Replicated data reflects deletions and encryption in real time.
Can a global admin bypass Litigation Hold?
Yes. In certain configurations and with sufficient privilege, admin actions can remove holds or purge data. Preservation Lock and strict role management limit this risk.
Does Teams chat get backed up by default?
No. Teams chat follows tenant-level retention policies, which can be changed or shortened. True backup of Teams chats requires a third-party solution in most cases.
Is exporting to PST a valid long-term backup?
No. PST files do not scale, lose metadata, and fail chain-of-custody tests. They are not suitable for regulated industries under SEC 17a-4 or FINRA 4511.
Does Microsoft’s BAA cover backup failures?
No. The BAA governs Microsoft’s handling of PHI within its infrastructure. Customer-side backup duties under HIPAA remain the covered entity’s responsibility.
Are E5 licenses enough for SEC 17a-4 compliance?
No. E5 includes advanced retention and Preservation Lock, but many broker-dealers still require a dedicated WORM-compliant archive for defensible 17a-4(f) compliance.