Why M365 Retention Isn’t a Recovery Strategy

Microsoft 365 does a good job of helping organisations keep data for compliance. Retention policies, recycle bins and soft deletes are all useful features. But there’s a growing and risky assumption behind them:

Retention is often mistaken for recovery.

In real-world incidents, that assumption breaks down quickly.

Retention protects data rules – not your business

Retention in Microsoft 365 is designed to meet regulatory and legal requirements. It ensures information is kept for a defined period and prevents permanent deletion before that time.
What it does not do is guarantee that you can easily or quickly restore data after an incident.

Recovery is about answering very practical questions:

  • Can we get the data back?

  • How quickly?

  • In the state it was in before something went wrong?

Retention alone can’t reliably answer those questions.

Where retention fails in real incidents

Most data loss in Microsoft 365 doesn’t come from dramatic system failures. It comes from everyday scenarios that retention was never built to handle well.

Account Takeover

If an attacker gains access to a user account, they can delete or corrupt large volumes of data. Because those actions are legitimate from the system’s point of view, retention doesn’t always help you identify the right version to restore, or restore it cleanly.

Insider Deletion

Not all data loss is malicious. Accidental deletions by staff, or intentional removal by departing employees, are common causes of data gaps. Recycle bins have limits, and once those are exceeded, recovery becomes complex or impossible.

Sync and configuration errors

A misconfigured sync, automation, or third-party app can overwrite or delete data at scale. Retention may technically hold copies somewhere, but recovering specific mailboxes, folders, or items can be slow, manual, and incomplete.

In each case, the issue isn’t whether data exists somewhere; it’s whether you can recover it properly when you need it.

Email: the most common point of failure

Email remains the primary target for attackers and the most frequent source of data loss. Phishing attacks often lead to compromised mailboxes. Once inside, attackers can:

  • Delete emails and folders

  • Empty recycle bins

  • Alter retention-relevant content

  • Hide activity long enough for recovery windows to close

Even without an attacker, users frequently delete important emails by mistake, only realising weeks or months later. At that point, standard retention tools offer limited help.

Email is business-critical, highly active, and constantly changing, which makes it the weakest link if recovery depends on retention alone.

Recovery needs speed, clarity and control

During an incident, IT teams don’t have time for uncertainty. They need to:

  • Find the right data quickly

  • Restore it to the right place

  • Avoid disrupting live users

  • Prove what was recovered and when

Retention tools weren’t designed for this. They prioritise preservation over usability. That’s why recovery often becomes slow, manual, and risky just when pressure is highest.

What best practice says

UK guidance, including from the National Cyber Security Centre (NCSC), is clear: organisations should assume that data loss will happen and plan accordingly.

That means:

  • Preparing for account compromise, not just system failure

  • Separating backup and recovery from production systems

  • Ensuring data can be restored independently and reliably

Retention plays a role in compliance. Backup plays a role in resilience. They are not the same thing.

Retention is necessary — but not sufficient

Microsoft 365 gives you powerful tools, but they are shared-responsibility tools. Microsoft keeps the platform running. Your organisation is responsible for protecting and recovering its data.

A dedicated backup approach doesn’t replace retention. It complements it. It gives you a safety net when human error, attack, or technical failure inevitably occurs.

If your recovery plan relies solely on recycle bins and retention policies, it may work, until the day it really matters.