In this blog post we review SharePoint online backup options, including built-in Office 365 capabilities, Compliance retention policies and third-party tools.
SharePoint Built-in Capabilities
A SharePoint site (=SharePoint instance) can include native Microsoft data types (SharePoint lists docx, xlsx, pptx etc) as well as external data types.
The default data protection settings for native data types depend on where they are stored (Document libraries, Page libraries etc) and includes versioning as well as post-deletion retention.
When the versioning is enabled for native files, SharePoint retains file versions every time a file is modified or uploaded. When the max number of retained versions is reached, the oldest version is overwritten.
The built-in data protection for non-native file types includes post-deletion retention, but no versioning.
|Data Type||Versioning||Post-deletion retention|
|Document libraries||500 versions retained by default; can be increased to maximum 50,000 versions||93 days in first stage recycle bin + second stage recycle bin|
|Page libraries||No versioning by default; can be increased to maximum 50,000 versions|
|Power Apps data files||No versioning by default, can be enabled only for some apps|
|All non-native files||No versioning is available|
(settings, branding, views)
SharePoint site owners can configure versioning for most data locations (see instructions in the next section).
The post-deletion retention settings cannot be changed, with all data types (native as well as external) retained for 93 days after they are first deleted.
SharePoint supports versioning for native O365 formats; all deleted data (native & external formats) retained for 93 days
Let's look at the versioning settings for different SharePoint data locations/types (post deletion retention is the same 93 days for all data):
Document libraries (also called Files in Microsoft UI) typically store most of the SharePoint site data. One site can include multiple Document libraries which are essentially the site’s top level directories that contain files and sub-directories.
By default, site Document libraries are configured to keep the last 500 document versions (the limit can be increased to 50,000 at maximum).
Page libraries are site directories – similarly to Document libraries – that contain aspx page files. SharePoint interprets the files stored in Page libraries as web pages and enables to access & interact with them online.
The versioning is disabled by default, but can be enabled.
SharePoint lists are simple databases that can store data tables. They can be linked to Excel files, used in Power Apps (see below) or used as stand-alone data sources.
Similarly to Page libraries, the versioning can be enabled for Lists by site owners.
Power Apps data
Most Power Apps, when added to a site, store their data in Document libraries and Lists. However, some Power Apps create custom data locations (Surveys app creates a Survey data location, Pictures app creates a Pictures library).
Versioning can be enabled for most Power Apps data, except for Surveys and Shared mailboxes.
SharePoint sites can include subsites (=full-fledged sites within a SharePoint site).
Data within subsites follows a similar retention & versioning cadence as documents, lists and pages in the “parent” site (versioning can be configured for most data types, deleted items stay in trash bin for 93 days).
Site settings, Groups & linked data
SharePoint sites have MS Groups linked to them when a new site is created by default. A Group is a record in Azure Active directory that allows a group of O365 users to access resources & services.
When an entire site/subsite is deleted, it goes to the Second stage recycle bin (skipping the First stage recycle bin). It stays there for 93 days and can only be restored by the site administrators.
Built-in Recovery as A Backup Option
As discussed above, SharePoint versioning (for native Microsoft files) together with 93 days post-delection retention constitute the built-in SharePoint data protection capabilities.
Versioning is available in all Office 365 plans and is embedded in the native Office interface which makes it easy to use. Site owners can configure detailed settings, such as the number of retained versions (limited to 50,000) and the content approval workflow.
On the flip side, versions are only available for native data formats, and they can be deleted by SharePoint users (intentionally or unintentionally), leading to data loss. File versions can also be lost to ransomware and other kinds of cyber attacks.
Each retained file version consumes your storage quota, so if the versioning is configured to keep 1,000 last versions then the storage consumption will go up 1,000 times for native files (there are no increments, each file version is a “full” snapshot of a file).
How to configure versioning
- Go to library/list settings
- Set the number of versions you’d like to retain.
The retention period for deleted items is always set to 93 days and cannot be configured.
Why/Should I Backup Sharepoint Online
Despite the built-in Microsoft Office 365 retention and versioning capabilities 80%+ organizations use a backup and restore SharePoint online data.
Backup solutions duplicate some of the native Office 365 data protection features, they require administration and often come at a significant additional cost. So why do organizations use backup tools in addition to Office 365 versioning & retention? There are 5 main reasons.
Extend retention peroid
Data deleted from SharePoint data is retained in MS 365 for 93 days, this default period cannot be decreased or increased.
Yet the standard retention period is often inadequate. The average time for data loss detection 140-314 days (the time between the data loss/breach event and its discovery) – indicating that the 93 days retention is not sufficient to recover the data.
Ransomware can and does affect data stored in Office 365 SharePoint online.
When a user laptop is infected by a ransomware it typically encrypts files on the user’s local machine and the changes are synchronized to SharePoint online sites via mapped drives.
Ransomware can affect all or only some the SharePoint online data, with the files that could not longer be opened, or containing encrypted data when they are opened.
Some of the strategies specifically for cloud:
- Encryption malware that specifically targets SharePoint online and other cloud data sources will typically perform multiple overwrites in an attempt to exceed the default limit on the number of retained versions
- E.g. if a Document library retention is set to 500 versions (default setting) and a ransomware encrypts/modifies each file 500 times, the Office 365 will no longer have the original (non-encrypted) version of the files
- Encrypt only a subset of files to pass retention limits unnoticed.
How backup options
There are two main alternatives to the built-in SharePoint data protection options.
Compliance policies are a part of Microsoft Compliance Center portal, which is available in E3 and higher Office 365 plans. They enable unlimited retention of items deleted or modified SharePoint items, which can then be exported offline (there are no restore capabilities back to Office 365).
There are 30+ Office 365 backup solutions and most of them provide SharePoint backup with different degrees of flexibility & accuracy. Most vendors enable automated backups, restore back to SharePoint sites and unlimited retention. The solutions differ in their support of SharePoint data types (many tools skip unsupported file formats, including lists or web pages).
Using Compliance Retention for SharePoint Backup
Office 365 Compliance Center enables to configure retention policies that will keep versions of SharePoint items for all or specified sites.
Once the compliance retention policies are configured, they retain all newly uploaded and modified items (the retention does not occur when an item is deleted, but when it is created or edited).
Administrators can search the retained data and download it. with no option to automatically restore data back to SharePoint online. The compliance retention policies only retain files and pages, without the directory structure.
Pros and Cons
The compliances retention capabilities are included in the E3 and more senior plans. However they may be hard to use as a permanent SharePoint backup and recovery option.
The search and export operations sometimes take hours and sometimes days to complete. It took us approx. 8 hours to run a content search for a single SharePoint site, as the search either returned no results or completed with an error.
Once the search operation executed successfully and returned results, it took us a few hours to download them (each export attempt took approx. 1 hour and more often finished with an error than not).
How to Enable Compliance Retention & Use them to Recover
To configure retention and recover lost items:
- Go to http://compliance.microsoft.com/ -> Policies -> Retention
- Create a policy and select the SharePoint sites you’d like to apply it to (make sure you paste Site URLs, not their names)
It may take up to 30 minutes for the policy to take effect. After it is succesfully applied all files uploaded to SharePoint sites (or new versions created) will be retained by the policy.
To recover the retained items administrators need to use the Office 365 search & export capabilities. The items can be downloaded offline in zip folders (with the directory structure preserved).
Check our other blog post about Microsoft Compliance retention policies to learn more.
Third-party Backup Tools
AvePoint provides one of the most complete SharePoint backup options compared to other players. It enables backup and restore of pages and OneNote notebooks (most other solutions can backup these data types, but cannot restore them correctly back to SharePoint).
AvePoint also support Classic site pages, workflows and site permissions. At the same time, it does not have the offline export capabilities and has slower performance & reliability compared to other solutions.
|Classic Site Pages|
|Restore to another site|
To learn more about AvePoint and other Office 365 backup tools check our other blog post.
SharePoint online backup with Afi
Afi Office 365 backup provides full support for SharePoint sites backup. Most significant differences from legacy solutions include:
- the only solution providing full backup and recovery of Classic site pages
- the only metada backup permissions, created by create date
- non-destructive as well as in-place restore restore
- groups navigation
- Lists web pages best support
- Admin permission settings and self-service recovery portal
To backup all or selected SharePoint sites in Afi:
- Head to Protection Management screen the sites you want to protect. Use Sites subgroup if you want to select all sites in your domain
- Assign a protection level to SharePoint sites. Enable the auto-protection option if you want to automatically backup all newly created SharePoint sites.
In addition to protecting existing SharePoint sites administrators can configure Afi to auto-protect all newly created SharePoint sites (standalone, as well as Team/Group sites).
In case an entire SharePoint site is deleted from Office 365, its backup will remain in Afi and will be available for search, preview, download and restore to another site.
All product names are trademarks or registered trademarks of their respective holders; use of them does not imply any affiliation with or endorsement by them.