How Long Does OneDrive for Business Keep Deleted Files? (w/Examples) + FAQs

OneDrive for Business keeps deleted files for a total of 93 days by default across two stages of the Recycle Bin, and then the files are permanently purged unless a retention policy, litigation hold, or the Preservation Hold Library has already captured them in the background. The clock starts the moment a user deletes a file, and it does not reset when the item moves from the first-stage Recycle Bin to the second-stage Site Collection Recycle Bin. After day 93, recovery through normal admin tools ends, and only backups, retention policies, or eDiscovery holds can pull the file back.

The problem here is that most users assume “the cloud” means forever, and most small businesses never check their Microsoft 365 retention defaults until a file is already gone. Microsoft’s own OneDrive service description controls the Recycle Bin timers, while Microsoft Purview retention policies control legal holds. When a user leaves the company, a separate 30-day clock begins on the entire OneDrive, and that clock is controlled by the OneDrive account retention setting in the admin center.

According to Microsoft’s 2025 Digital Defense Report, more than 600 million identity attacks happen every day, and ransomware events often trigger mass file deletions inside OneDrive, which means the 93-day window becomes the last line of defense for millions of businesses every year.

Here is what you will learn in this guide:

  • 🗑️ How the two-stage Recycle Bin works and exactly when the 93-day clock starts and stops
  • ⏳ What happens to a departing employee’s OneDrive and how to extend the default 30-day retention
  • ⚖️ How HIPAA, SOX, FINRA 17a-4, and FRCP Rule 37(e) change the answer for regulated industries
  • 🛡️ How Preservation Hold Library, retention policies, and eDiscovery holds keep files past 93 days
  • 🧠 The most common mistakes admins make, and how to avoid losing files you legally must keep

The 93-Day Rule: How OneDrive for Business Retention Actually Works

OneDrive for Business uses a two-stage Recycle Bin, and the total retention for a deleted file is 93 days from the moment of the first delete. The first-stage Recycle Bin is the one the end user sees inside their own OneDrive. The second-stage Recycle Bin, also called the Site Collection Recycle Bin, is the one a SharePoint or OneDrive admin sees. Microsoft documents this behavior in the SharePoint Recycle Bin article, and it applies to every commercial, education, and government plan.

When a user deletes a file in OneDrive, the file moves to the first-stage Recycle Bin. It stays there for up to 93 days. If the user empties the Recycle Bin, the file moves to the second-stage bin for the remainder of the 93 days. The clock does not reset. That means a file emptied on day 80 has only 13 days left in the second-stage bin before it is purged. This is the single most common misunderstanding, and it causes real data loss when admins assume they get a fresh 93 days after a user empties the bin.

The second-stage Recycle Bin has a size quota equal to 200% of the site’s storage quota, per the SharePoint limits documentation. If the bin fills up, the oldest items are purged first, even if they have not hit day 93 yet. Large restore operations and mass deletions can push items out of the bin early, which is a trap for ransomware recovery plans.
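The shared clock and the oldest-first quota purge described above, modelled as an added Python example (not from the original article and not Microsoft code). The item names, sizes, dates and the 1000 MB site quota are constructed, and the eviction loop is a simplified model of the behaviour exactly as this article states it.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

RECYCLE_WINDOW_DAYS = 93          # total across both stages, as stated in the article
SECOND_STAGE_QUOTA_PERCENT = 200  # second-stage quota = 200% of the site storage quota
MB = 1024 ** 2


@dataclass(frozen=True)
class DeletedItem:
    name: str
    size_bytes: int
    deleted_on: date                   # first delete: the only event that starts the clock
    emptied_on: Optional[date] = None  # user emptied the first-stage bin (clock unchanged)


def purge_date(item: DeletedItem) -> date:
    """Day 93 of the window; after this date neither bin holds the item."""
    return item.deleted_on + timedelta(days=RECYCLE_WINDOW_DAYS)


def days_remaining(item: DeletedItem, today: date) -> int:
    """Days left on the single shared clock, whichever bin holds the item."""
    return max(0, (purge_date(item) - today).days)


def bin_state(item: DeletedItem, today: date) -> str:
    """Where a restore request would find the item on a given date."""
    if today > purge_date(item):
        return "purged"
    if item.emptied_on is not None and today >= item.emptied_on:
        return "second-stage"
    return "first-stage"


def evict_for_quota(items: List[DeletedItem], site_quota_bytes: int
                    ) -> Tuple[List[DeletedItem], List[DeletedItem]]:
    """Return (kept, purged_early): drop oldest deletions until the bin fits its quota."""
    limit = site_quota_bytes * SECOND_STAGE_QUOTA_PERCENT // 100
    kept = sorted(items, key=lambda i: i.deleted_on)   # oldest deletion first
    purged_early: List[DeletedItem] = []
    total = sum(i.size_bytes for i in kept)
    while kept and total > limit:
        victim = kept.pop(0)
        total -= victim.size_bytes
        purged_early.append(victim)
    return kept, purged_early


def early_purge_report(items: List[DeletedItem], site_quota_bytes: int,
                       today: date) -> List[Tuple[str, int]]:
    """(name, days the item still had on its clock) for everything the quota pushed out."""
    _, purged_early = evict_for_quota(items, site_quota_bytes)
    return [(i.name, days_remaining(i, today)) for i in purged_early]


# Constructed sample: two ordinary deletions, then a mass delete on 2025-03-01.
SAMPLE_SITE_QUOTA = 1000 * MB
SAMPLE_BIN = [
    DeletedItem("contract-draft.docx", 400 * MB, date(2025, 1, 10)),
    DeletedItem("budget.xlsx", 300 * MB, date(2025, 2, 1)),
    DeletedItem("share-a.zip", 600 * MB, date(2025, 3, 1)),
    DeletedItem("share-b.zip", 600 * MB, date(2025, 3, 1)),
    DeletedItem("share-c.zip", 600 * MB, date(2025, 3, 1)),
]

if __name__ == "__main__":
    for name, lost_days in early_purge_report(SAMPLE_BIN, SAMPLE_SITE_QUOTA, date(2025, 3, 1)):
        print(f"{name}: purged early with {lost_days} days still on the clock")
```

Running it against a realistic export of delete events shows which older items a mass delete would push out first, which is the list to restore before anything else.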

First-Stage Recycle Bin (User-Level)

The first-stage Recycle Bin lives inside the user’s own OneDrive and is reachable from the left navigation of the OneDrive web interface. The user can restore any item with two clicks, and the action writes an entry to the unified audit log in Microsoft Purview. The plain-English rule is simple: users get 93 days to click “Restore” before the file is gone from their view.

The consequence of ignoring this bin is permanent loss of the file from the user’s self-service recovery path. A common real-world example involves Maria, a paralegal who deletes a contract draft on April 1, empties her Recycle Bin on April 10 to “clean up,” and then needs the file back on July 5. The file is already purged because day 93 was July 3. The common misconception is that emptying the first-stage bin only hides the file; in reality, it moves the file to the second-stage bin but does not extend the timer.

Second-Stage Recycle Bin (Site Collection Admin Level)

The second-stage Recycle Bin is reached by a SharePoint admin through the SharePoint admin center or by the user through the “second-stage recycle bin” link at the bottom of the first-stage view. It holds items for the remainder of the original 93-day window. Admins can restore items on behalf of users, which matters when a user has already left the company or cannot access the tenant.

Once the 93-day ceiling has passed, the loss cannot be undone through the Recycle Bin itself, and the only remaining recovery paths are the Preservation Hold Library, retention policies, or third-party backup. A mini-scenario: David, an IT admin, gets a ticket on day 95 to restore a deleted folder. The folder is gone from both bins. David has to pivot to eDiscovery to see if a retention policy caught the file in the Preservation Hold Library. The common misconception is that Microsoft keeps a “hidden copy” forever; it does not, unless a retention policy or hold exists.

Version History Inside the 93 Days

OneDrive keeps up to 500 versions of every file by default, per the SharePoint versioning documentation. Versions live with the file, not in the Recycle Bin. If the parent file is deleted, the versions go with it into the Recycle Bin and are restored together when the file is restored. If the 93-day window closes, the versions are lost along with the file.

The consequence of misunderstanding versioning is that admins sometimes assume version history is a backup; it is not. Priya, a finance manager, overwrites a spreadsheet 501 times in a week, which pushes the original formulas out of the version stack. The common misconception is that 500 versions equals unlimited history; in reality, the oldest versions are trimmed once the cap is hit.

What Happens When an Employee Leaves

When a Microsoft 365 user account is deleted, the user’s OneDrive enters a separate retention window that is distinct from the 93-day Recycle Bin. The default is 30 days, per the OneDrive retention and deletion article. Admins can extend this window up to 3650 days (10 years) through the SharePoint admin center or PowerShell. After the window ends, the entire OneDrive site, including every file and every Recycle Bin entry, is permanently deleted.

During the retention window, the departed user’s manager receives automatic access to the OneDrive if one is set in Microsoft Entra ID, per the access delegation rules. Admins can also grant access manually to any user. This is the window when legal, HR, and IT should export or transfer files. The consequence of missing the window is total loss of every file the employee owned, which often includes irreplaceable business records, client communications, and intellectual property.

A real-world example: Jamal resigns on March 1, and HR deletes his account on March 5 without telling IT. The 30-day clock starts on March 5 and ends on April 4. On April 10, legal asks for Jamal’s files for a contract dispute. Unless a retention policy or hold covered the files, they are gone forever. The common misconception is that a disabled account equals a deleted account; it does not. Disabling preserves the OneDrive indefinitely, while deletion starts the 30-day timer.

Extending the Default 30 Days

The SharePoint admin center “More features” page lets a global admin set the OneDrive retention to any value between 1 and 3650 days. The setting is tenant-wide, not per-user. Changes apply only to accounts deleted after the change, so setting 365 days today does not rescue a OneDrive that was deleted yesterday.

The consequence of leaving the default at 30 days is that most businesses lose departed-employee data before the business even realizes it mattered. Elena, a compliance officer at a broker-dealer, learns this the hard way when a FINRA Rule 17a-4 request lands 45 days after a trader’s account deletion. The common misconception is that Microsoft’s default is the “compliant” setting; for regulated industries, it almost never is.

Preservation Hold Library After Offboarding

If a retention policy covers the user’s OneDrive, deleted files move to the hidden Preservation Hold Library inside the site before the 93-day purge. The library is documented in Microsoft Purview retention. It preserves files for the duration of the retention policy, even if the user account and the OneDrive site are deleted, because the retention policy blocks the site from being purged until the policy expires or is released.

The consequence is powerful protection, but only if the policy was in place before the deletion. Ben, a health-plan administrator subject to HIPAA’s six-year retention rule, sets a six-year retention policy across all OneDrive sites, which means every deleted file hits Preservation Hold for the full six years. The common misconception is that Preservation Hold is visible to users; it is hidden, and only eDiscovery searches in Purview can retrieve items from it.
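The offboarding rules above (no timer while an account is only disabled, a 30-day default after deletion, a tenant setting that applies only to later deletions, and a hold that must predate the deletion) worked through as an added Python example that is not from the original article or from Microsoft. The account names, dates, the `SettingChange` history and the 14-day warning threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DEFAULT_RETENTION_DAYS = 30     # default after account deletion, per the article
MIN_DAYS, MAX_DAYS = 1, 3650    # range the tenant-wide setting accepts, per the article


@dataclass(frozen=True)
class SettingChange:
    changed_on: date
    days: int

    def __post_init__(self):
        if not MIN_DAYS <= self.days <= MAX_DAYS:
            raise ValueError(f"retention must be {MIN_DAYS}-{MAX_DAYS} days, got {self.days}")


@dataclass(frozen=True)
class Account:
    upn: str
    deleted_on: Optional[date] = None  # None = active or merely disabled: no timer runs
    held_since: Optional[date] = None  # start of a retention policy or eDiscovery hold


def retention_at(history: List[SettingChange], deleted_on: date) -> int:
    """Tenant setting in force on the deletion date; later changes do not rescue the site.

    Assumption: date granularity, a change made on the deletion day counts as in force.
    """
    days = DEFAULT_RETENTION_DAYS
    for change in sorted(history, key=lambda c: c.changed_on):
        if change.changed_on <= deleted_on:
            days = change.days
    return days


def onedrive_status(acct: Account, history: List[SettingChange],
                    today: date) -> Tuple[str, Optional[date]]:
    """Return (status, purge_deadline) for one user's OneDrive on a given date."""
    if acct.deleted_on is None:
        return "no-timer", None
    # Protection counts only if it was in place before the account was deleted.
    if acct.held_since is not None and acct.held_since <= acct.deleted_on:
        return "held", None
    deadline = acct.deleted_on + timedelta(days=retention_at(history, acct.deleted_on))
    return ("in-window" if today <= deadline else "purged"), deadline


def at_risk(accounts: List[Account], history: List[SettingChange],
            today: date, warn_days: int = 14) -> List[Tuple[str, int]]:
    """(upn, days_left) for unprotected OneDrives purged within warn_days, most urgent first."""
    rows = []
    for acct in accounts:
        status, deadline = onedrive_status(acct, history, today)
        if status == "in-window" and (deadline - today).days <= warn_days:
            rows.append((acct.upn, (deadline - today).days))
    return sorted(rows, key=lambda r: r[1])


# Constructed sample: the tenant raised retention to 365 days on 2025-03-20.
SAMPLE_HISTORY = [SettingChange(date(2025, 3, 20), 365)]
SAMPLE_ACCOUNTS = [
    Account("a@example.com", deleted_on=date(2025, 3, 5)),    # deleted before the change
    Account("b@example.com", deleted_on=date(2025, 3, 25)),   # deleted after the change
    Account("c@example.com"),                                 # disabled only
    Account("d@example.com", deleted_on=date(2025, 3, 10), held_since=date(2025, 1, 10)),
    Account("e@example.com", deleted_on=date(2025, 3, 15)),   # deleted before the change
]

if __name__ == "__main__":
    for upn, left in at_risk(SAMPLE_ACCOUNTS, SAMPLE_HISTORY, date(2025, 4, 1)):
        print(f"{upn}: OneDrive purged in {left} days, export or place a hold now")
```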

Retention Policies and Legal Holds Under Microsoft Purview

Microsoft Purview retention policies override the 93-day Recycle Bin rule for any file covered by the policy. A retention policy can be set to “retain only,” “delete only,” or “retain and then delete.” When a user deletes a file covered by a “retain” policy, a copy is silently written to the Preservation Hold Library, and the copy stays there for the full retention period. This is how regulated businesses satisfy record-keeping laws without relying on users.

eDiscovery holds work the same way but are triggered by litigation. When a custodian is placed on hold, every file in their OneDrive is preserved, including future deletes, until the hold is released. The consequence of releasing a hold early is potential spoliation sanctions under Federal Rule of Civil Procedure 37(e), which permits adverse-inference jury instructions, monetary sanctions, and case-dispositive orders when electronically stored information is lost.

A named example: Sarah, general counsel at a manufacturer, places three custodians on eDiscovery hold on January 10 during a patent dispute. One custodian leaves the company on February 1, and HR deletes his account on February 5. Because the hold blocks the deletion, the OneDrive remains intact in Preservation Hold, and Sarah can search it through Purview eDiscovery for years. The common misconception is that holds expire automatically; they do not, and forgetting to release them can keep data forever and balloon storage costs.

Retention Policy Priority and Conflicts

When multiple policies apply, Microsoft follows the principles of retention in this order: retention wins over deletion, the longest retention period wins, explicit inclusion wins over implicit, and deletion by the shortest period loses. The practical effect is that a one-year “delete” policy cannot override a seven-year “retain” policy on the same file.

The consequence of not understanding the priority is surprise over-retention, which creates CCPA/CPRA “data minimization” risk under California law. Liam, a privacy officer, assumes a one-year deletion policy is working, but a conflicting seven-year retention policy is silently overriding it. The common misconception is that the most recent policy wins; in reality, the strictest retention rule wins every time.

eDiscovery Hold vs. Retention Policy

The two tools look similar but serve different purposes. A retention policy is proactive and covers a class of data, while an eDiscovery hold is reactive and covers specific custodians for specific matters. Both write to the Preservation Hold Library, and both block the 93-day purge. Only Purview Premium eDiscovery supports custodial hold notifications, which matter for FRCP Rule 26 obligations.

The consequence of using the wrong tool is either over-preservation, which inflates storage costs, or under-preservation, which creates sanction risk. Nina, a litigation paralegal, uses a retention policy instead of a custodial hold and cannot produce a defensible chain-of-custody report. The common misconception is that retention policies satisfy litigation hold duties; they often do not, because they do not pin specific custodians.

Three Most Common OneDrive Deletion Scenarios

Below are three scenario tables based on the most frequent real-world deletion events inside OneDrive for Business.

Scenario 1: Accidental User Delete

| User Action | OneDrive Result |
| --- | --- |
| User deletes a file from OneDrive web or synced folder | File moves to first-stage Recycle Bin, 93-day timer begins |
| User empties first-stage Recycle Bin on day 20 | File moves to second-stage bin with 73 days remaining |
| Admin restores from second-stage bin on day 80 | File returns to original location with version history intact |
| No one acts by day 94 | File is permanently purged unless a retention policy caught it |

Scenario 2: Offboarded Employee

| HR/IT Action | OneDrive Result |
| --- | --- |
| HR disables the account but does not delete it | OneDrive is preserved indefinitely, no retention timer running |
| Admin deletes the account on day 10 after disable | 30-day OneDrive retention clock starts on the deletion date |
| Manager in Entra ID accesses OneDrive during retention | Manager can download or transfer files before the site is purged |
| Retention policy of 7 years is active | Every file is preserved in Preservation Hold Library for 7 years |

Scenario 3: Ransomware Mass Delete

| Attack Action | OneDrive Result |
| --- | --- |
| Ransomware encrypts and deletes 50,000 files | All files go to first-stage Recycle Bin with 93-day timer |
| Recycle Bin quota (200% of site storage) is exceeded | Oldest items are purged early to make room for new deletes |
| Admin uses OneDrive Files Restore to roll back 30 days | Entire OneDrive rolls back to a point-in-time within 30 days |
| No rollback within 30 days and no backup | Recovery depends on retention policies and Preservation Hold |

Plan-by-Plan Retention Differences

Microsoft’s retention rules are mostly identical across commercial plans, but there are a few important differences. The Microsoft 365 service descriptions are the controlling documents. Regulated and government clouds follow the same 93-day and 30-day defaults but have different eDiscovery licensing entitlements.

| Plan | Recycle Bin | Offboarded Retention | Retention Policies |
| --- | --- | --- | --- |
| Business Basic/Standard | 93 days | 30 days default, up to 3650 | Basic Purview retention included |
| Business Premium | 93 days | 30 days default, up to 3650 | Includes Purview eDiscovery Standard |
| Enterprise E3 | 93 days | 30 days default, up to 3650 | Includes eDiscovery Standard and retention |
| Enterprise E5 | 93 days | 30 days default, up to 3650 | Includes Purview eDiscovery Premium |
| Frontline F1/F3 | 93 days | 30 days default, up to 3650 | Limited retention, no custodial holds |
| Education A1/A3/A5 | 93 days | 30 days default, up to 3650 | A5 adds eDiscovery Premium |
| GCC / GCC High / DoD | 93 days | 30 days default, up to 3650 | Purview availability varies by cloud |

The consequence of choosing a plan without eDiscovery Premium is that custodial hold notifications, advanced indexing, and legal review workflows are not available, which can create FRCP Rule 26(f) preservation gaps. Tom, a CIO at a 300-person law firm on Business Premium, learns this during a commercial dispute and has to bolt on eDiscovery Premium mid-matter at a higher per-user price. The common misconception is that every “enterprise” plan includes the same eDiscovery tooling; only E5 and A5 include the Premium tier.

U.S. Legal and Regulatory Overlay

Federal law sets the floor for record retention, and state law often goes further. OneDrive defaults alone do not satisfy most regulated-industry obligations, which is why retention policies exist. The key federal frameworks every admin should know include HIPAA, SOX, GLBA, FINRA, and the Federal Rules of Civil Procedure.

HIPAA and Health Information

The HIPAA Privacy Rule requires covered entities to keep certain records for six years from creation or last effective date. OneDrive’s 93-day default will never satisfy that rule on its own. A Purview retention policy set for six years solves the gap by routing every deletion to Preservation Hold.

The consequence of non-compliance is tiered HIPAA penalties reaching $2,134,831 per violation per year under the 2024 HHS adjustments. Dr. Chen, a practice owner, relies on the Recycle Bin and loses patient communication logs on day 100. The common misconception is that HIPAA covers only medical records; it covers a broad set of communications and business records tied to PHI.

SOX and Public Company Records

Sarbanes-Oxley Section 802 requires retention of audit records for seven years, and knowing destruction is a federal crime punishable by up to 20 years in prison. A seven-year OneDrive retention policy covering finance, audit, and executive OneDrives is the typical control.

The consequence of a gap is criminal exposure, SEC sanctions, and restatement risk. Ava, a CFO, sets an overbroad deletion policy that purges audit workpapers at year three. The common misconception is that SOX only applies to formal filings; it reaches every workpaper and communication supporting the audit.

GLBA, FINRA, and Financial Services

FINRA Rule 17a-4, aligned with SEC Rule 17a-4, generally requires broker-dealer records to be kept for three to six years in non-erasable, non-rewritable form, which Microsoft supports through Purview’s “Preservation Lock.” GLBA’s Safeguards Rule adds data-security expectations on top.

The consequence of failure includes FINRA fines that regularly exceed $1 million for books-and-records violations. Marco, a registered rep, deletes chat logs that fall under 17a-4, and his firm pays a seven-figure fine. The common misconception is that 17a-4 only applies to email; it covers all electronic business communications, including OneDrive files.

FRCP Rule 37(e) and Spoliation

FRCP Rule 37(e) governs sanctions for lost electronically stored information. Courts can impose adverse-inference instructions, monetary sanctions, or case-ending orders when a party fails to preserve ESI it had a duty to keep. The leading case interpreting the 2015 amendments is Klipsch Group v. ePRO E-Commerce, where the Second Circuit affirmed $2.7 million in sanctions.

The consequence of letting OneDrive default retention destroy relevant files after a litigation hold has attached is severe. Rachel, outside counsel, forgets to issue a Purview hold and the 93-day clock destroys key emails and files. The common misconception is that deletion has to be intentional; under Rule 37(e)(1), even negligent loss can trigger curative measures.

State Privacy Laws

California’s CCPA/CPRA and New York’s SHIELD Act add deletion duties on top of retention rules. Consumers can request deletion of personal information, and businesses must honor requests unless an exception applies. Over-retention in Preservation Hold Library can violate these rights if no exception is documented.

The consequence of over-retention under CPRA includes civil penalties up to $7,500 per intentional violation. Kendra, a privacy counsel, balances litigation holds against deletion rights with a documented legal-basis matrix. The common misconception is that retention always wins; state privacy law can force deletion unless a specific exception, like active litigation, applies.

Recovery Tools Beyond the Recycle Bin

When files are gone from both Recycle Bins, four tools remain for recovery. Each has limits, licensing needs, and gotchas. None of them is a replacement for a proper backup strategy, because Microsoft’s Shared Responsibility Model places data recovery squarely on the customer.

OneDrive Files Restore

OneDrive Files Restore lets a user roll their entire OneDrive back to any point in the last 30 days. It is the best tool for ransomware recovery because it reverses mass-delete and mass-encrypt events. It does not work for individual files older than 30 days, and it does not work after an account is deleted.

The consequence of ignoring Files Restore during a ransomware event is hours of manual file-by-file work and often permanent loss. Omar, an MSP engineer, uses Files Restore to roll back 20,000 encrypted files in minutes. The common misconception is that Files Restore is a backup; it only covers 30 days and lives inside the same tenant that just got attacked.

Microsoft Purview eDiscovery

Purview eDiscovery searches Preservation Hold Library and live OneDrive content together. It finds files that users cannot see through the Recycle Bin because they have already been caught by a retention policy or hold. It requires a license with eDiscovery entitlements and a compliance admin role.

The consequence of not using eDiscovery when Recycle Bins are empty is that admins miss files that are actually still there, just hidden. Ingrid, a compliance admin, recovers a contract from Preservation Hold 18 months after deletion. The common misconception is that eDiscovery is only for lawyers; it is a recovery tool any compliance admin can use.

Third-Party Backup

Third-party SaaS backups, such as those listed in Microsoft’s AppSource backup category, store OneDrive data outside the tenant. They protect against tenant-level disasters, malicious admin activity, and retention policy failures. The NIST SP 800-171 Rev. 3 control CP-9 contemplates independent backup copies for controlled unclassified information.

The consequence of relying only on native tools is that a compromised admin account can empty Recycle Bins and release holds, destroying every native recovery path. Grace, a CISO, layers a third-party backup with 7-year retention on top of native controls. The common misconception is that Microsoft backs up customer data for recovery; the service description states Microsoft only backs up for disaster recovery of the platform.

Microsoft Support Escalation

Microsoft Support cannot restore files that are permanently purged from the Recycle Bin after day 93 unless a retention policy caught them. The Microsoft service health and support docs are clear on the limit. There is no hidden lever.

The consequence of expecting Microsoft to “just restore it” is wasted hours on a ticket that ends with “the file is not recoverable.” Raj, a helpdesk lead, learns to set this expectation with users from day one. The common misconception is that a support ticket overrides retention timers; it does not.

Mistakes to Avoid

  • Leaving the offboarded-user retention at the 30-day default in a regulated industry, which almost always violates HIPAA, SOX, or FINRA timelines.
  • Assuming emptying the first-stage Recycle Bin gives a fresh 93 days in the second-stage bin, when it actually shares the same clock.
  • Leaving accounts disabled forever instead of deleting them, which silently inflates storage costs and creates unused license bills.
  • Relying on OneDrive versioning as a backup, when the 500-version cap and deletion-with-file rules make it unreliable.
  • Forgetting to place a litigation hold when a duty to preserve attaches, which triggers FRCP Rule 37(e) sanctions risk.
  • Releasing an eDiscovery hold before confirming all matters are closed, which can destroy responsive ESI and expose counsel to malpractice claims.
  • Ignoring the second-stage Recycle Bin size quota, which silently purges older items during ransomware or mass-delete events.
  • Using a one-size-fits-all retention policy across an entire tenant, which over-retains sensitive personal data and violates CPRA data minimization.
  • Granting Recycle Bin access to users in roles that should have no delete rights, which destroys audit chain-of-custody.
  • Skipping a third-party backup and assuming Microsoft is responsible for customer-data recovery, which the Shared Responsibility Model rejects.
  • Setting retention policies without documenting the legal basis, which fails GDPR Article 30 and CPRA record-of-processing expectations even for U.S. entities with EU or California data.

Do’s and Don’ts for OneDrive Retention

Do’s

  • Do set a tenant-wide offboarded-user retention of at least 1 year, per the OneDrive retention settings, because the 30-day default rarely matches HR or legal needs.
  • Do build a Purview retention-policy matrix by data class, because mixing finance, HR, and general data in one policy over-retains personal data and under-retains audit records.
  • Do document the legal basis for every retention policy, because FTC Safeguards Rule and CPRA both demand a written record.
  • Do test Files Restore quarterly on a pilot OneDrive, because an untested recovery plan fails under ransomware pressure.
  • Do layer third-party backup for crown-jewel OneDrives, because tenant-level attacks can defeat every native recovery path.
  • Do use Purview Preservation Lock on policies that must not be weakened, because it satisfies SEC 17a-4(f) non-rewritable requirements.

Don’ts

  • Don’t rely on the Recycle Bin as a retention strategy, because 93 days never satisfies a regulated retention schedule.
  • Don’t delete a departing employee’s account before HR, legal, and IT sign off, because the 30-day clock is the last chance to export their work product.
  • Don’t grant global-admin to anyone who also handles deletions, because a single compromised account can empty every bin and release every hold.
  • Don’t ignore the audit log, because Purview Audit captures delete events that support post-incident recovery.
  • Don’t forget to map retention policies to specific data classifiers, because mismatched scope leads to over-retention and privacy-law exposure.
  • Don’t rely on support to undo a day-94 deletion, because the service description does not promise recovery beyond the Recycle Bin.

Pros and Cons of OneDrive’s Native Retention

Pros

  • Included at no extra cost in every commercial plan, per the service description, which keeps budget predictable.
  • Integrates natively with Purview, Entra ID, and SharePoint, which reduces tooling sprawl.
  • Two-stage Recycle Bin gives both users and admins self-service recovery inside a 93-day window.
  • Preservation Hold Library silently protects files without user action when a retention policy is in place.
  • Files Restore provides fast ransomware rollback for up to 30 days across an entire OneDrive.
  • Audit logging through Purview ties delete events to users, devices, and timestamps for forensic review.

Cons

  • 93-day ceiling is too short for almost every regulated industry, which forces extra policy work.
  • 30-day offboarded default causes unexpected data loss when HR and IT are not aligned on timing.
  • Retention policy complexity creates conflicts and silent over-retention risks that violate state privacy laws.
  • No native backup outside the tenant, which leaves the customer exposed under the Shared Responsibility Model.
  • eDiscovery Premium requires E5 or A5, which puts the best recovery tools behind a higher-priced SKU.
  • User education gap is real, because most end users believe “the cloud” means infinite history.

Key Entities to Know

The OneDrive retention ecosystem involves several interlocking actors, and understanding each role helps avoid data loss. Microsoft designs the rules, tenants configure them, and regulators enforce the outcomes.

  • Microsoft Corporation — Publishes the OneDrive service description that controls Recycle Bin defaults and account deletion timers for every tenant.
  • Microsoft Purview — Hosts retention policies, eDiscovery, audit logging, and Preservation Lock features that override default 93-day behavior.
  • SharePoint Online — Provides the storage substrate and site-collection Recycle Bin that hold OneDrive data.
  • Microsoft Entra ID — Manages user accounts, the “manager” delegation for offboarded OneDrives, and role-based access for admins.
  • U.S. Department of Health and Human Services — Enforces HIPAA retention rules through the Office for Civil Rights.
  • Securities and Exchange Commission — Enforces SEC Rule 17a-4 record retention for broker-dealers.
  • FINRA — Enforces parallel Rule 4511 requirements for member firms.
  • Federal Trade Commission — Enforces the Safeguards Rule under GLBA and general consumer-protection authority.
  • California Privacy Protection Agency — Enforces CPRA deletion and data-minimization duties.
  • Federal courts — Apply FRCP Rule 37(e) when ESI is lost, including OneDrive files destroyed by the 93-day clock.

Forms and Processes Inside the Admin Experience

The key administrative process is “Manage user profiles” inside the SharePoint admin center, which controls OneDrive retention after account deletion. Admins open the SharePoint admin center, navigate to “More features,” choose “User profiles,” and then “My Site Settings.” The “Days to retain personal sites” field accepts any value from 1 to 3650. The setting applies to every future deletion across the tenant.

A second key process is creating retention policies in the Purview portal. The admin chooses OneDrive as the location, selects either all users or specific users, sets the retention period, and picks “retain,” “retain and delete,” or “delete only.” The admin can add Preservation Lock if the policy must be immutable. The consequence of mis-scoping the policy is silent over-retention or silent gaps.

A third process is placing an eDiscovery hold inside a Purview eDiscovery case. The compliance admin creates a case, adds custodians, selects OneDrive locations, and applies the hold. The hold silently routes deletes to Preservation Hold Library until the case is closed. The consequence of leaving a hold open after a matter closes is indefinite over-retention and rising storage bills.

Key Court Rulings and Agency Actions

Federal courts and U.S. agencies have shaped how OneDrive retention interacts with legal duties. Klipsch Group v. ePRO E-Commerce affirmed millions in sanctions for ESI spoliation and remains the leading Second Circuit case on Rule 37(e). Zubulake v. UBS Warburg established the baseline duty to preserve ESI and the reasonableness standard still cited today. Pension Committee v. Banc of America Securities described gross negligence standards that pre-date the 2015 amendments but continue to inform practice.

On the agency side, FINRA has brought repeated 17a-4 enforcement actions against broker-dealers for failure to preserve electronic communications. The SEC’s 2022 off-channel communications sweep produced more than $1.1 billion in fines, much of it tied to deleted messages and files. OCR regularly publishes HIPAA resolution agreements that include record-retention failures.

The consequence for OneDrive admins is that failure to align retention with these regimes is not merely a technical mistake; it is a liability event. Priscilla, an in-house counsel, reads these cases annually and updates retention playbooks based on new guidance. The common misconception is that cloud storage shifts these duties to Microsoft; the duty stays with the business.

State-Level Nuances to Watch

State laws increasingly affect OneDrive retention, especially where personal data is stored. New York’s SHIELD Act requires reasonable security and disposal of private information. Illinois’s BIPA imposes retention limits on biometric identifiers with statutory damages of $1,000 to $5,000 per violation.

The Texas Data Privacy and Security Act and Virginia’s CDPA both give consumers deletion rights and impose minimization duties. Massachusetts 201 CMR 17 mandates written information security programs that cover retention.

The consequence of ignoring state law is penalty exposure that can exceed federal fines in aggregate. Wes, a multi-state retailer’s compliance lead, maps retention policies to each state’s strictest rule, including BIPA’s three-year cap on biometric retention. The common misconception is that the strictest federal rule sets the ceiling; several state laws go further, and preemption is rare in privacy.

FAQs

Does OneDrive for Business keep deleted files forever?

No. OneDrive for Business keeps deleted files for a total of 93 days across first-stage and second-stage Recycle Bins, then permanently purges them unless a retention policy or legal hold intervenes.

Can an admin extend the 93-day Recycle Bin window?

No. Microsoft does not allow tenants to extend the 93-day Recycle Bin timer; longer retention requires a Microsoft Purview retention policy or an eDiscovery hold to preserve files past day 93.

Does emptying the first-stage Recycle Bin reset the clock?

No. Emptying the first-stage bin moves the file to the second-stage Site Collection Recycle Bin but keeps the same 93-day timer that started at the original delete.

Is OneDrive version history a backup of my files?

No. Version history is capped at 500 versions per file and is lost if the file is permanently deleted, so it should not be treated as a backup solution.

Are OneDrive files preserved when an employee is offboarded?

Yes. When an account is deleted, the OneDrive is preserved for 30 days by default and can be extended to 3,650 days through the SharePoint admin center’s user-profile settings.

Does a retention policy override the 93-day Recycle Bin limit?

Yes. A Microsoft Purview retention policy routes deleted files to the hidden Preservation Hold Library for the full retention period, bypassing the 93-day Recycle Bin timer entirely.

Does Microsoft back up OneDrive data for customer recovery?

No. Microsoft backs up only for platform disaster recovery, and the Shared Responsibility Model places customer-data recovery on the tenant, which is why third-party backups are widely used.

Can Microsoft Support restore a file deleted more than 93 days ago?

No. Microsoft Support cannot recover files past day 93 unless a retention policy, eDiscovery hold, or third-party backup captured them before the Recycle Bin purge.

Is the default 30-day offboarding retention HIPAA-compliant?

No. HIPAA requires six-year retention of many records, so the 30-day OneDrive offboarding default must be paired with a Purview retention policy to stay compliant.

Can an eDiscovery hold preserve a departed user’s OneDrive?

Yes. An eDiscovery hold placed before account deletion preserves the entire OneDrive in Preservation Hold Library until the hold is released, even past the normal 30-day window.

Does OneDrive Files Restore work for single files?

Yes. Files Restore rolls an entire OneDrive back to any point in the last 30 days, and admins can selectively restore changes, making it useful for both mass and targeted recovery.

Can a ransomware attack defeat the Recycle Bin?

Yes. Mass deletions that exceed the Recycle Bin size quota cause early purging of older items, which is why Files Restore and third-party backups are essential ransomware defenses.

Is deleting OneDrive files after a litigation hold a crime?

Yes. Under SOX Section 1519, knowing destruction of records relevant to a federal matter is a felony, and FRCP Rule 37(e) allows sanctions for negligent loss tied to litigation.

Do state privacy laws force deletion of OneDrive files?

Yes. Laws like CCPA/CPRA and Virginia CDPA require honoring consumer deletion requests unless a specific legal exception, such as active litigation, documented compliance need, or contract obligation, applies.