Using Microsoft 365 Retention Policies as Backup

Backup vendors promote the idea that Microsoft (Office) 365 compliance retention policies and other native tools are not viable backup options and organizations need third-party services to back up their Microsoft 365 data. Afi is a developer of Microsoft 365 backup service, but we do not share this view.

We believe that Microsoft Compliance Retention Policies are a powerful tool that has many advantages over third-party M365 backup services. They provide continuous data backup, unlimited data retention and provide 99.99% uptime (we’ll later discuss the argument about getting backup from the same vendor the provides the underlying service).

In this blog post we’ll discuss the main capabilities of Microsoft 365 retention policies, pros, cons and the cost of using compliance retention for Microsoft 365 backup. Check our other article if you want to learn more about native Microsoft 365 data recovery tools for SharePoint or for Teams data.

Around 4% of organizations rely on Microsoft compliance retention policies to backup their Microsoft 365 data. This data is based on a survey of 102 of Microsoft 365 users conducted by Afi in Dec 2020 (the users don’t include Afi customers), showing results that are in line with with other similar surveys by Gartner1 and IDC2.

The survey also shows that the standard Microsoft 365 data protection capabilities is the primary backup tool for 44% of customers, meaning that organizations are 10x+ times more likely to rely on standard recovery than on compliance retention policies.

The main reason for the low adoption of retention policies is not the lack of features. Coupled with the standard M365 data protection the compliance retention obviously provide far more complete protection than the standard recovery tools alone.

The compliance retention policies are simply unavailable for most M365 customers. They are only included in the most senior E3 and E5 Microsoft 365 plans that account for 16% of Microsoft 365 seats in customer accounts. And even the organizations that have E3 and E5 licenses may not have them for all users (using cheaper plans for non-office, non-exec or frontline workers).

If you use a Microsoft 365 business plan ($12.5-$20 depending on the plan) and want to upgrade to E3/E5, your price will increase by $7.5/month/user or more. See section 4 for more details on retention policies’ cost.

You can enable retention for most Microsoft 365 applications and their data types. Once a retention policy is on, it makes sure that the existing items (at the moment when the retention policy is created) and all new data remain in Microsoft 365 for a prescribed period of time.

If users or admins delete data, the retention policy will remove it from Microsoft 365 applications, but the items will still be accessible & searchable using Compliance eDiscovery and in the Preservation library.

Exchange Online

The retention policies preserve all email messages, including unsent drafts, messages moved to the trash bin, messages stored in the Archived folder as well as in the in-place archive.

Exchange data can be exported in a PST file or a set of individual messages using the eDiscovery admin interface. Administrators with eDiscovery permissions can also access deleted messages in Recoverable Items Exchanage folder.

Although Microsoft recommends enabling a separate retention policy to capture Teams data, the policy we enabled for Exchange mailboxes also captured a system folder TeamsMessagesData with all Teams channel and individual messages that the Exchange users sent (though not the messages they received).

SharePoint Online and OneDrive

Compliance retention helps retain files and list items and their versions. The versions are retained only if the versioning is enabled for the library/OneDrive.

The items can be exported offline in their original folder structure. If there is more than one version of a file (list), all of them will be exported (old versions will have "_vX" added to them where X is the version number).

How Standard Versioning Works With Retention

Retention policies are often described to retain all document/item versions created, but this is not 100% correct.

The retention policies rely on the standard SharePoint & OneDrive versioning mechanism to retain versions. Retention policies retain versions only if the standard versioning is enabled. By default, the versioning is turned on for Document Libraries and OneDrives and the number of retained versions is set to 500. No versions are retained for other data types (lists, web pages, etc) by default.

The standard versioning is available in all Microsoft 365 plans, but when it is used without the retention policies it is significantly limited by the fact that users can accidentally or intentionally delete file versions. When you enable the compliance retention you overcome this limitation as Microsoft 365 will not allow to delete versions while a relevant retention policy is on for the data (see Deletion flow for details on what happens to versions if you delete an entire file).

You can disable or enable versioning for each document library and list (one by one) when you create it or later. The settings allow to retain up to 50,000 versions for documents and lists. Admins can also disable versioning entirely (this is the default setting for lists).

Retained data and versions do count towards your Microsoft 365 storage quota making it an important component of cost of using compliance retention as a backup option.

In our experience the additional storage consumption associated is most relevant for SharePoint and OneDrive data:

• OneDrive for Business storage is in theory unlimited in E3/E5 subscription plans. Once your users exceed 1TB you can request Microsoft support to increase/remove the limit. However, you cannot increase the limit for all users at once and instead have to address each user’s limit each time he/she reaches it in stages, following the Microsoft process which takes time if you have many users
• The total SharePoint limit (pooled across all SharePoint sites in your Microsoft 365 tenant) is set at 1TB + 10GB x number of M365 users in your tenant. Whenever you exceed the limit, you need delete data or purchase additional storage priced at $200/month/TB (when paid annually), or $250/month/TB (when paid monthly).

Storage limits are less relevant for Exchange online because E3/E5 plans include unlimited auto-expanding archiving and for Teams because most of Teams data is stored on SharePoint sites and user OneDrives.

How Much additional storage Retention generates in 1 year

Let's estimate the average storage requirements for using retention policies as a backup with 1 year history.

• In the example below the domain has 1,000 users and 6TB of data across all SharePoints (6 GB of SharePoint storage per user is the global average across all our customers)
• 1-year versioning is estimated to add +90% to the total storage (the assumptions related to the change rate and avg. number of versions per year are based on those metrics amount Afi customers)
• Retained deleted data will add 10% of storage
• As a result, the total storage will grow from 6TB to 12TB due to 1-year retention & versioning, slightly exceeding Microsoft 365 licensing limit (11TB).

Neglecting the small storage overage, 1-year retention only additional cost the user licenses upgrade. The incremental cost will depend on your current plan. If you have Business Premium licenses ($20/user/month), then the incremental cost to upgrage to E3 ($32/user/month) will be $12/user/month.

The cost of retention policies as backup?

Most organizations require 3+ years retention for backups. If you extend the retention policies period to 3 years, then the additional storage in example above will grow to approx. 24TB (using the same assumptions):

• the 24TB total storage will exceed Microsoft licensing limit by 13TB
• to accommodate the overage you can to purchase storage capacity
• Microsoft offers additional storage in chunks of 1TB priced at $200/month
• the total cost of additional storage will thus be $2,600/month (=$200*13TB)
• this translates into $2/user/month (based on 1,000 users in our example).

If you combine the $2/user/month in storage costs with the incremental price of E3 licenses ($12/user or more), then the total cost of using retention policies is $14/user/month. This is significantly more expensive than the price of third-party backup solutions (typically $1.5-5/user/month, depending on solution).

At the same time, if you already have Microsoft 365 E3 licenses then the incremental $2/user/month cost of storage is very close to the cost of a third party backup solution.

You can enable retention policies for the users that have E3/E5 licenses using the following steps:

1. Go to http://compliance.microsoft.com/ -> Policies -> Retention
2. Create a new policy and select the type of resources (or individual SharePoints/users/Teams that you’d like to apply it to

It may take up to a few hours for the policy to take effect. Once it is applied, the data will follow the retention cadence you specified in the policy and you can use the eDiscovery module to export it offline. If you need to recover data back to Microsoft 365, you will have to first download it offline and then upload it manually to the SharePoint/Exchange/OneDrive resources.

Check Microsoft documentation for detailed steps on how to enable and customize compliance retention policies.

All product names are trademarks or registered trademarks of their respective holders; use of them does not imply any affiliation with or endorsement by them.