We had a client reach out recently with a problem that sounds simple but turned into a real headache. Someone had accidentally deleted a large batch of files from a shared SharePoint document library. Nobody noticed for over a month. By the time someone went looking for those files, they had been sitting in the recycle bin for 29 days and counting.
The good news: this client is on our cybersecurity plan, which includes independent offsite backups of their entire Microsoft 365 environment. We restored everything in about 15 minutes. But if they hadn't had those backups, this story would have ended very differently.
Microsoft 365 Does Not Back Up Your Data
This is the single biggest misconception we encounter with business owners using Microsoft 365. People assume that because their data lives "in the cloud," it's automatically protected. It's not.
Microsoft's own service agreement says it plainly: "We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services." That's Microsoft telling you, in writing, that protecting your data is your responsibility.
Microsoft 365 provides retention, not backup. There's an important difference. Retention means your data sticks around for a while after it's deleted. Backup means you have an independent copy that you can restore at any point, regardless of what happens in the original environment.
Key distinction: Retention gives you a limited window to undo mistakes. Backup gives you a permanent safety net. Microsoft provides the first. You need to provide the second.
The SharePoint Recycle Bin Problem
SharePoint has a two-stage recycle bin system, and it's designed more for quick "oops I deleted the wrong file" moments than for real data recovery. Here's how it works:
Stage 1: The User Recycle Bin (Days 1-30)
When someone deletes files from SharePoint, they go to the site recycle bin. During this window, things work reasonably well. You can select multiple files, restore entire folders, and the folder structure comes back intact. If you catch a deletion within the first few weeks, it's manageable.
Stage 2: The Second-Stage Recycle Bin (Days 30-93)
After approximately 30 days, files automatically move from the user recycle bin to the second-stage recycle bin (sometimes called the site collection recycle bin). This is where the problems start.
In the second-stage recycle bin:
- No bulk restore. You cannot select all files and restore them at once. Each file must be restored individually.
- No folder structure. Files lose their original folder hierarchy. Everything is a flat list of individual files.
- No search that actually helps. If you have 900 files to restore, you're scrolling, clicking, restoring, one at a time.
After 93 days total, the files are permanently deleted. No recycle bin, no recovery, no phone call to Microsoft that will get them back.
What Happened to Our Client
Someone on the team had accidentally deleted a folder containing close to 1,000 files. It wasn't malicious, it wasn't a cyberattack. It was a simple mistake that went unnoticed for over a month because nobody happened to need those particular files right away.
By the time the deletion was discovered, those files had already moved to the second-stage recycle bin. If we had needed to recover them through Microsoft's built-in tools, someone would have been sitting at a computer clicking "restore" on individual files, one by one, with no way to rebuild the original folder structure automatically. For nearly 1,000 files.
That's not a 15-minute fix. That's potentially days of manual work, assuming you even know which files you need and where they originally belonged.
What actually happened: Because this client had independent offsite backups running daily, we pulled up the backup from the day before the deletion, selected the folder, and restored it. Original structure, all files, done in minutes.
Why This Matters More Than You Think
This wasn't a ransomware attack. It wasn't a disgruntled employee. It was an accident. And accidents like this happen more often than you'd expect:
- An employee drags a folder into another folder without realizing it, effectively "hiding" or overwriting files
- Someone cleans up what they think is old project data, not realizing other teams still need it
- A sync conflict between OneDrive and SharePoint silently removes files
- An automated workflow or integration misfires and deletes content
The common thread in all of these scenarios is that nobody notices right away. By the time someone goes looking for the files, the easy recovery window has closed.
What Microsoft 365 Backup Actually Looks Like
A proper Microsoft 365 backup solution runs independently from Microsoft. It takes daily snapshots of your SharePoint sites, OneDrive accounts, Exchange mailboxes, and Teams data. If something goes wrong, whether it's accidental deletion, ransomware, or a rogue admin, you can roll back to any point in time.
Here's what you should expect from a real backup solution:
- Independent storage. Backups live outside of Microsoft 365, so a compromise in your tenant doesn't affect your backups.
- Point-in-time restore. Pick any date and restore to that exact state, not just "whatever's in the recycle bin."
- Granular recovery. Restore a single file, a folder, an entire mailbox, or a full SharePoint site.
- Folder structure preserved. When you restore, everything goes back where it belonged.
- Unlimited retention. Your backups don't expire after 93 days. You can go back months or years.
The Question to Ask Your IT Provider
If you're working with a managed IT provider or MSP, ask them this question: "If someone accidentally deleted an entire SharePoint folder a month ago and we just found out, how would you restore it?"
If the answer involves the words "recycle bin" or "we'd have to do it one file at a time," that should concern you. If the answer involves the words "we'd restore from backup," you're in good shape.
If your organization manages its own IT, the question is even simpler: do you have an independent backup of your Microsoft 365 data? Not retention policies. Not litigation hold. An actual, independent backup that you could restore from if Microsoft's built-in tools fail you.
Bottom line: If your MSP isn't running independent backups of your Microsoft 365 data, you're one accidental deletion away from a very bad day. The recycle bin is not a backup strategy.
Frequently Asked Questions
Does Microsoft 365 back up my data?
No. Microsoft 365 provides limited retention, not true backup. SharePoint and OneDrive files in the recycle bin are permanently deleted after 93 days, and Microsoft's own service agreement recommends that you maintain independent backups of your data.
How long do deleted SharePoint files stay in the recycle bin?
Deleted SharePoint files stay recoverable for 93 days total. However, after approximately 30 days, they move from the user recycle bin to the second-stage recycle bin, where you lose the ability to bulk-restore or preserve folder structure.
Can I bulk restore deleted SharePoint files after 30 days?
No. Once files move to the second-stage recycle bin, you can only restore them one at a time. There is no option to select all, restore by folder, or rebuild the original directory structure. For large deletions, this turns a simple recovery into days of manual work.
