MS-900 | Chapter 52 of 104 | Objective 4.2

Microsoft 365 Backup and Veeam Options

This chapter covers Microsoft 365's native data protection capabilities and how third-party backup solutions like Veeam fill critical gaps for organizations that require granular, long-term, and independent backups. While Microsoft 365 provides built-in retention, recycle bins, and eDiscovery, these are not backups in the traditional sense — they cannot protect against all data loss scenarios. For the MS-900 exam, approximately 5-10% of questions touch on data protection, retention, and backup options, often testing your ability to distinguish between Microsoft's native capabilities and third-party solutions like Veeam. Understanding these distinctions is essential for recommending the right data protection strategy for an organization.

Updated May 31, 2026

The Library Card Catalog for Digital Books

Imagine a public library with thousands of books, but no card catalog. Patrons borrow books, but there is no record of who has which book, when it was borrowed, or if it was returned damaged. If a book is lost, the library has no way to recover it or even know it's missing. This is the default state of Microsoft 365 — Microsoft provides high availability and redundancy, but no user-accessible backup. Now imagine the library implements a card catalog system that records every checkout, tracks book condition, and stores a second copy of every book in a secure vault. When a patron loses a book, the librarian can retrieve the vault copy and restore it to the shelf. This is Veeam Backup for Microsoft 365. Veeam acts as the librarian, pulling daily snapshots of every book (email, OneDrive files, SharePoint sites, Teams conversations) and storing them in a separate location (on-premises or cloud). If a user deletes an important email or a document is corrupted, the administrator can browse Veeam's catalog, select the item from a specific date, and restore it — without involving Microsoft's retention policies or eDiscovery. The key mechanistic parallel: Veeam's backup job is like the librarian's daily inventory check, comparing the current state of each book against the vault copy and updating the vault with any changes. The restore process is like retrieving the vault copy and placing it back on the shelf exactly as it was at the time of the last backup.

How It Actually Works

What Is Microsoft 365 Backup and Why Does It Exist?

Microsoft 365 is a Software-as-a-Service (SaaS) platform where Microsoft is responsible for the infrastructure, uptime, and disaster recovery of the service itself. This means Microsoft ensures that Exchange Online, SharePoint Online, OneDrive for Business, and Teams are highly available and that data is replicated across multiple datacenters. However, Microsoft does not provide a traditional backup service that allows you to restore data from any point in time independently. The shared responsibility model in SaaS places data protection and recoverability on the customer. Microsoft 365 includes several native data protection features:

- Recycle Bin (for SharePoint and OneDrive) — retains deleted items for 93 days.
- Retention policies (via Microsoft Purview) — preserve data for compliance or legal hold.
- eDiscovery — search and export content for legal purposes.
- Litigation Hold — preserve all mailbox content indefinitely.
- Version history — restore previous versions of documents (up to 500 versions in SharePoint).

These features are designed for compliance and accidental deletion recovery, not for full-blown backup and disaster recovery. They cannot protect against:

Malicious insider deletion (user deletes data and empties recycle bin).

Ransomware that encrypts or deletes data across the tenant.

Data loss due to synchronization errors or third-party app corruption.

Retention policy gaps (e.g., data not covered by any policy).

Permanent data loss after the 93-day recycle bin window expires.

Third-party backup solutions like Veeam Backup for Microsoft 365 fill this gap by creating independent, off-site copies of your Microsoft 365 data that you control. Veeam pulls data via Microsoft Graph API and stores it in your own storage (on-premises, Azure Blob, AWS S3, etc.). This gives you the ability to restore individual items, mailboxes, sites, or entire Teams from any point in time that a backup was taken.

How Veeam Backup for Microsoft 365 Works Internally

Veeam Backup for Microsoft 365 (VB365) is a software solution that runs on-premises or in Azure VMs. It connects to your Microsoft 365 tenant using a service account with appropriate permissions (Global Admin or specific admin roles like Exchange Admin, SharePoint Admin, etc.). The backup process consists of several phases:

1. Discovery: Veeam enumerates all Microsoft 365 objects — users, mailboxes, SharePoint sites, OneDrive accounts, Teams, and Groups. This is done via Microsoft Graph API calls.

2. Backup Job Configuration: An administrator creates backup jobs specifying what to back up (e.g., all Exchange mailboxes, specific SharePoint sites) and where to store the backup (repository).

3. Initial Full Backup: The first backup of each object is a full backup — Veeam downloads all data from Microsoft 365. For a mailbox, this includes all emails, calendar items, contacts, tasks, and folders. For SharePoint, it includes all document libraries, lists, pages, and metadata.

4. Incremental Backups: Subsequent backups are incremental — only changes since the last successful backup are downloaded. Veeam uses change tracking mechanisms like Microsoft Graph delta queries to identify what has changed. This reduces bandwidth and storage.

5. Storage Optimization: Veeam compresses and deduplicates data before writing to the repository. Compression ratios vary but average 2:1 to 3:1 for email data.

6. Restore: When a restore is needed, the administrator uses the Veeam console to browse the backup, select the item(s), and restore them back to the original location or to an alternate location. Veeam supports granular restore (single email, file, folder, or entire mailbox/site).
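
How the incremental phase can follow Microsoft Graph delta links, and why an item deleted in the tenant stays recoverable from an earlier restore point. This is an added example, not part of the original chapter and not Veeam's code; the responses in PAGES are constructed and all function names are hypothetical.

```python
# Constructed Graph-style delta responses for one mailbox folder (not real tenant data).
PAGES = {
    "delta?initial": {
        "value": [{"id": "m1", "subject": "Q1 forecast"},
                  {"id": "m2", "subject": "Contract draft"}],
        "@odata.nextLink": "delta?page=2",
    },
    "delta?page=2": {
        "value": [{"id": "m3", "subject": "Payroll export"}],
        "@odata.deltaLink": "delta?token=A",
    },
    "delta?token=A": {  # what changed since the full backup
        "value": [{"id": "m2", "subject": "Contract draft v2"},
                  {"id": "m3", "@removed": {"reason": "deleted"}},
                  {"id": "m4", "subject": "New invoice"}],
        "@odata.deltaLink": "delta?token=B",
    },
}


def run_delta_sync(fetch, url):
    """Follow @odata.nextLink pages until an @odata.deltaLink ends the round."""
    changes, seen = [], set()
    while True:
        if url in seen:
            raise RuntimeError("paging loop at " + url)
        seen.add(url)
        page = fetch(url)
        changes.extend(page.get("value", []))
        if "@odata.nextLink" in page:
            url = page["@odata.nextLink"]
        elif "@odata.deltaLink" in page:
            return changes, page["@odata.deltaLink"]
        else:
            raise ValueError("response has neither nextLink nor deltaLink")


def next_restore_point(previous, changes):
    """Build a new snapshot from the previous one plus the delta changes."""
    snapshot = dict(previous)
    for item in changes:
        if "@removed" in item:      # tombstone: gone from the tenant
            snapshot.pop(item["id"], None)
        else:                       # new or modified item
            snapshot[item["id"]] = item
    return snapshot


def backup_cycle(fetch, restore_points, url):
    """Run one backup; append a restore point; return (items fetched, next link)."""
    changes, delta_link = run_delta_sync(fetch, url)
    previous = restore_points[-1] if restore_points else {}
    restore_points.append(next_restore_point(previous, changes))
    return len(changes), delta_link


def restore_item(restore_points, item_id):
    """Return the newest backed-up copy of an item, searching older points too."""
    for snapshot in reversed(restore_points):
        if item_id in snapshot:
            return snapshot[item_id]
    return None


if __name__ == "__main__":
    points = []
    fetched, link = backup_cycle(PAGES.__getitem__, points, "delta?initial")
    print("full backup fetched", fetched, "items")
    fetched, link = backup_cycle(PAGES.__getitem__, points, link)
    print("incremental fetched", fetched, "items; next link:", link)
    print("m3 in latest point:", "m3" in points[-1])
    print("m3 restored from history:", restore_item(points, "m3"))
```
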

Key Components, Defaults, and Timers

Backup Repository: The target storage for backup files. Default location is a local folder on the Veeam server, but you can use network shares, Azure Blob, Amazon S3, or S3-compatible object storage.

Backup Proxy: The component that retrieves data from Microsoft 365 and sends it to the repository. Default: installed on the Veeam server. You can add additional proxies for load balancing.

Backup Job Schedule: Default is daily at a specified time. You can set multiple runs per day (e.g., every 4 hours) for critical data.

Retention Policy: How long to keep backups. Default: 14 days for daily backups, 4 weeks for weekly, 12 months for monthly. You can customize these.

Backup Window: The time window during which backup jobs can run. Default: any time.

Throttling: Veeam respects Microsoft Graph API throttling limits. By default, it uses a 10-minute window for requests and can be configured to back off when throttled.

Concurrent Tasks: Default number of concurrent tasks per proxy is 5. You can increase this based on resources.

Bandwidth Throttling: Optional setting to limit network usage (e.g., 50 Mbps).
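
The retention values above decide whether a restore point older than an intrusion still exists when the intrusion is finally noticed. This added example (not Veeam's algorithm; the keep-newest-per-week and per-month semantics, the dates and the function names are assumptions) prunes constructed daily restore points and finds the newest one that predates a compromise date.

```python
from collections import defaultdict
from datetime import date, timedelta


def restore_points_kept(today, points, daily=14, weekly=4, monthly=12):
    """Return the restore points that survive one retention pass.

    Assumed semantics: keep every point from the last `daily` days, plus the
    newest point in each of the last `weekly` ISO weeks and `monthly` months.
    """
    points = [p for p in points if p <= today]
    kept = {p for p in points if (today - p).days < daily}

    by_week, by_month = defaultdict(list), defaultdict(list)
    for p in points:
        iso = p.isocalendar()
        by_week[(iso[0], iso[1])].append(p)
        by_month[(p.year, p.month)].append(p)

    for groups, count in ((by_week, weekly), (by_month, monthly)):
        for key in sorted(groups, reverse=True)[:count]:
            kept.add(max(groups[key]))
    return sorted(kept)


def newest_clean_point(kept, compromised_on):
    """Newest surviving restore point taken before the compromise, or None."""
    clean = [p for p in kept if p < compromised_on]
    return max(clean) if clean else None


def constructed_daily_points(today, days):
    """Constructed sample data: one restore point per day, ending today."""
    return [today - timedelta(days=n) for n in range(days)]


if __name__ == "__main__":
    today = date(2026, 5, 31)
    points = constructed_daily_points(today, 400)
    compromised_on = date(2026, 5, 5)   # constructed: noticed 26 days later

    for label, args in (("14d/4w/12m", (14, 4, 12)), ("7d only", (7, 0, 0))):
        kept = restore_points_kept(today, points, *args)
        clean = newest_clean_point(kept, compromised_on)
        print(label, len(kept), "points kept; newest clean point:", clean)
```

With the defaults the only clean copy is the month-end point, so everything changed between it and the compromise is lost; with 7 daily points and nothing else there is no clean copy at all.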

Configuration and Verification Commands

Veeam Backup for Microsoft 365 is GUI-based, but you can use PowerShell for automation. Common tasks:

- Install Veeam Backup for Microsoft 365: Download from the Veeam website and run setup.
- Add Microsoft 365 Organization: In Veeam console, go to Backup Infrastructure > Microsoft 365 > Add Organization. Provide tenant ID, application ID, and client secret from an Azure AD app registration.
- Create Backup Job: In Veeam console, go to Backup Jobs > Add. Select objects (Exchange, SharePoint, OneDrive, Teams), set schedule, retention, and repository.
- Start Backup Job: Right-click job > Start.
- Check Job Status: In Veeam console, monitor job progress. Use PowerShell:

    $job = Get-VBOJob -Name "Exchange Mailbox Backup"
    Get-VBOJobSession -Job $job -Last

- Restore Items: In Veeam console, select backup > Restore. Choose item(s) and destination.

Interaction with Related Technologies

Microsoft Graph API: Veeam uses Graph API to access Microsoft 365 data. Graph API has rate limits: 10,000 requests per 10 minutes per application per tenant. Veeam manages this with throttling logic.

Azure AD Application Registration: Veeam requires an app registration with delegated permissions (e.g., Mail.Read, Sites.Read.All, User.Read.All). The app must have admin consent.

Microsoft 365 Retention Policies: Veeam backups are independent of Microsoft's retention. Even if Microsoft deletes data due to a retention policy, Veeam retains its copy until the Veeam retention period expires.

Azure Blob Storage: Often used as a backup repository for long-term retention. Veeam supports Azure Blob hot, cool, and archive tiers.

What the Exam Tests

MS-900 focuses on understanding the shared responsibility model and the limitations of native Microsoft 365 data protection. You need to know:

That Microsoft 365 does NOT include traditional backup; it includes recycle bins (93 days), retention policies, and eDiscovery.

That third-party backup solutions like Veeam are needed for independent, long-term, and granular recoverability.

That Veeam stores data in customer-controlled repositories (on-premises or cloud).

Common scenarios where native protection fails (ransomware, malicious deletion, retention gaps).

That Microsoft's Service Level Agreement (SLA) covers service availability, not data recoverability.

You will NOT be tested on Veeam-specific configuration details or PowerShell commands. The exam expects you to recognize the need for third-party backup and the capabilities they provide.

Walk-Through

1. Install Veeam Backup Software

Download the Veeam Backup for Microsoft 365 installer from the Veeam website. Run the setup on a Windows Server VM (on-premises or in Azure). The installer installs the Veeam console, backup proxy, and management services. You must have .NET Framework 4.7.2+ and PowerShell 5.0+. During installation, you specify the service account that will run the Veeam services. This account needs local admin rights on the server. After installation, launch the Veeam console and connect to the local server.

2. Register Azure AD Application

In the Azure portal, create an App Registration under Azure Active Directory. Set the redirect URI to `https://localhost` (for Veeam console). Under API permissions, add Microsoft Graph delegated permissions: Mail.Read, Mail.ReadWrite, MailboxSettings.Read, MailboxSettings.ReadWrite, Calendars.Read, Calendars.ReadWrite, Contacts.Read, Contacts.ReadWrite, Tasks.Read, Tasks.ReadWrite, Sites.Read.All, Sites.ReadWrite.All, User.Read.All, Group.Read.All, Group.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, and offline_access. Grant admin consent for the organization. Create a client secret and note the Application (client) ID and tenant ID. This app allows Veeam to authenticate and access Microsoft 365 data.

3. Add Microsoft 365 Organization

In the Veeam console, go to Backup Infrastructure > Microsoft 365 > Add Organization. Provide the tenant ID, application ID, and client secret from the Azure AD app. Veeam will authenticate and discover all Microsoft 365 objects (users, groups, sites). You can also specify a proxy server if needed. Veeam will show the number of mailboxes, OneDrive accounts, SharePoint sites, and Teams discovered. This step establishes the connection between Veeam and your tenant.

4. Create Backup Job for Exchange

In the Veeam console, click Backup Job > Microsoft 365 > Exchange. Name the job (e.g., 'Exchange Mailbox Backup'). Under Objects, select which mailboxes to back up (all, specific users, or distribution groups). Under Storage, select the backup repository (default is local folder on Veeam server). Under Schedule, set frequency: daily at 10 PM. Under Retention, set days: 14, weeks: 4, months: 12. Under Advanced, enable 'Backup item-level data' for granular restore. Click OK to save the job. This job will now run according to schedule.

5. Run Initial Full Backup

Right-click the newly created job and select 'Start'. Veeam will start the initial full backup. For each mailbox, Veeam calls Microsoft Graph API to download all mailbox data (emails, calendar, contacts, tasks). This can take hours for large mailboxes. Monitor progress in the Veeam console under 'Running Jobs'. After completion, the job status will show 'Success'. The backup repository will contain a .vbk file (full backup) for each mailbox. Subsequent runs will be incremental (.vib files). You can verify backup integrity by browsing the restore points.

What This Looks Like on the Job

In a typical enterprise deployment, Veeam Backup for Microsoft 365 is used to protect thousands of mailboxes and terabytes of SharePoint data. For example, a multinational corporation with 10,000 employees uses Veeam to back up all Exchange Online mailboxes, OneDrive for Business accounts, and SharePoint Online sites. They have a Veeam server running on-premises with 16 vCPUs and 64 GB RAM, backed by a NAS repository with 50 TB of usable storage. Backup jobs are scheduled daily at 8 PM local time, with incremental backups every 4 hours for critical executive mailboxes. Retention is set to 30 days daily, 12 weeks weekly, and 12 months monthly. The organization also replicates backups to Azure Blob Storage (cool tier) for off-site disaster recovery.

A common problem they faced was a ransomware attack that encrypted all OneDrive files. Native Microsoft 365 recycle bin could restore files deleted within 93 days, but the ransomware had also corrupted version history. With Veeam, they were able to restore all OneDrive accounts to a point-in-time before the attack, recovering 99% of data.

Another scenario: a user accidentally deleted a SharePoint site collection that contained critical project documents. The site was beyond the 93-day recycle bin window. Veeam allowed the administrator to restore the entire site collection from a backup taken 60 days prior, then merge it with the current state.

Performance considerations: Veeam proxies can be scaled out by adding additional proxy servers to handle large volumes. Throttling from Microsoft Graph API can slow backups; Veeam automatically adjusts request rates. Bandwidth usage can be capped to avoid saturating internet links.

Misconfiguration examples: using a single proxy for 10,000 mailboxes causes backups to take too long and exceed the backup window. Not using Azure Blob for off-site storage leaves the organization vulnerable if the on-premises repository is destroyed. Setting retention too short (e.g., 7 days) may not cover compliance requirements.

The key lesson: always test restores periodically to ensure backups are valid.

How MS-900 Actually Tests This

MS-900 objective 4.2 (Describe data protection and backup solutions) focuses on understanding the shared responsibility model and the limitations of Microsoft 365 native data protection. The exam tests your ability to identify when a third-party backup solution is necessary. Key exam points:

1. Microsoft 365 native data protection features: Recycle Bin (93 days for SharePoint/OneDrive, 30 days for Exchange), Retention Policies (via Microsoft Purview), eDiscovery, Litigation Hold. These are NOT backups — they are compliance and accidental deletion recovery tools.

2. Third-party backup solutions: Veeam, Commvault, AvePoint, etc. They provide independent, off-site, long-term, and granular recoverability. Veeam is the most commonly referenced in MS-900 materials.

3. Shared responsibility: Microsoft is responsible for service availability (99.9% SLA for Exchange Online), but customers are responsible for their data. The exam often presents scenarios where data is lost due to user error, ransomware, or retention policy gaps, and asks which solution is appropriate.

4. Common wrong answers:

- Selecting 'Microsoft 365 Backup' as a built-in service — there is no such service. Microsoft does offer 'Microsoft 365 Backup' as a preview (announced 2023), but it is not the same as native features. The exam may reference this as a new option, but traditional third-party backup is still the standard.
- Confusing retention policies with backups. Retention policies preserve data for compliance but do not allow point-in-time recovery.
- Thinking that the Recycle Bin is sufficient for all data loss scenarios. It is limited to 93 days and does not protect against data corruption or malicious deletion that empties the bin.

5. Edge cases: What if a user leaves the organization and their OneDrive is deleted? Native retention policies can preserve it for a period, but a backup provides indefinite retention. What if a Teams channel is deleted? Native recycle bin for Teams is limited (21 days for deleted channels). Veeam can restore the entire team.

6. Elimination technique: If the question asks for 'independent, off-site, long-term backup', the answer is always a third-party solution. If the question asks for 'compliance or accidental deletion within 93 days', native features may suffice.

Key Takeaways

Microsoft 365 does not include a traditional backup service; native features are for compliance and accidental deletion within limited timeframes.

Third-party backup solutions like Veeam provide independent, off-site, long-term, and granular recoverability.

The shared responsibility model makes customers responsible for protecting their data in SaaS environments.

Veeam Backup for Microsoft 365 uses Microsoft Graph API to access and download data, storing it in customer-controlled repositories.

Veeam supports incremental backups after the initial full backup, reducing bandwidth and storage usage.

Default retention in Veeam is 14 days daily, 4 weeks weekly, 12 months monthly — customizable.

Common wrong answer on MS-900: confusing retention policies or recycle bin with actual backup.

Microsoft's SLA covers service availability, not data recoverability.

Veeam can restore individual items (email, file) or entire mailboxes/sites from any backup point.

For the exam, know that third-party backup is needed for ransomware protection, long-term retention, and independent recovery.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Native Microsoft 365 Data Protection

Recycle Bin retains deleted items for up to 93 days (SharePoint/OneDrive) or 30 days (Exchange).

Retention policies preserve data for compliance but do not allow point-in-time restore.

eDiscovery can search and export data but is not a backup mechanism.

No off-site, customer-controlled copy of data.

Cannot recover data after the recycle bin period expires or if data is corrupted.

Veeam Backup for Microsoft 365

Retains data for as long as configured (e.g., years) independent of Microsoft 365.

Allows granular restore from any backup point (specific email, file, folder, mailbox, site).

Stores data in customer-controlled repository (on-premises or cloud).

Protects against ransomware, malicious deletion, and data corruption.

Supports long-term retention and off-site disaster recovery.

Watch Out for These

Mistake

Microsoft 365 includes a built-in backup feature that can restore any data from any point in time.

Correct

Microsoft 365 does not include a traditional backup service. Native features like Recycle Bin (93 days), retention policies, and eDiscovery serve compliance and accidental deletion recovery, but they are not backups. You cannot restore data from an arbitrary point in time beyond retention limits, and you cannot recover data if it is purged from the recycle bin or if retention policies are misconfigured.

Mistake

Microsoft's SLA guarantees data recoverability.

Correct

Microsoft's Service Level Agreement (SLA) covers service availability (uptime), not data recoverability. For example, Exchange Online has a 99.9% uptime SLA. If Microsoft experiences an outage, they guarantee the service will be restored, but they do not guarantee that your data will be recoverable if you accidentally delete it or if a ransomware attack occurs.

Mistake

Retention policies in Microsoft Purview are equivalent to backups.

Correct

Retention policies preserve data for a specified period for compliance or legal hold. They do not provide point-in-time recovery. For example, a retention policy can keep all emails for 7 years, but if a user deletes an email today, it remains in a hidden folder until the retention period expires. However, you cannot restore the email to its original location as of a specific date. Backups allow you to restore data as it existed at the time of the backup.

Mistake

Veeam Backup for Microsoft 365 stores data inside Microsoft 365.

Correct

Veeam stores backup data in a customer-controlled repository, which can be on-premises (local disk, NAS) or cloud-based (Azure Blob, AWS S3). The data is independent of Microsoft 365. This ensures that if the Microsoft 365 tenant is compromised or data is deleted, the backup remains intact.

Mistake

Third-party backups are unnecessary because Microsoft 365 has a 93-day recycle bin.

Correct

The 93-day recycle bin only protects against accidental deletion of items that have not been permanently deleted (emptied from recycle bin). It does not protect against ransomware, data corruption, or malicious deletion where the user empties the recycle bin. Also, some data types (like Teams channel messages) have shorter recycle bin periods (21 days). Third-party backups provide longer retention and independent recovery.

Frequently Asked Questions

Does Microsoft 365 have a built-in backup feature?

No, Microsoft 365 does not have a built-in backup feature that allows you to restore data from arbitrary points in time. It includes Recycle Bin (93 days for SharePoint/OneDrive, 30 days for Exchange), retention policies, and eDiscovery, but these are not backups. For true backup with independent, long-term retention, you need a third-party solution like Veeam.

What is the difference between a retention policy and a backup?

A retention policy preserves data for a set period for compliance or legal hold. It does not allow you to restore data as it existed at a specific point in time. A backup creates a point-in-time copy that you can restore from. For example, a retention policy might keep all emails for 7 years, but if a user accidentally deletes an email, you can recover it only if it is still in the retention hold (hidden folder). A backup lets you restore the mailbox as it was yesterday, even if the email was permanently deleted.

How does Veeam Backup for Microsoft 365 connect to Microsoft 365?

Veeam uses an Azure AD application registration with delegated permissions to access Microsoft 365 data via the Microsoft Graph API. The app is granted permissions like Mail.Read, Sites.Read.All, and User.Read.All. Veeam authenticates using the application ID and client secret. This connection allows Veeam to enumerate and download mailboxes, SharePoint sites, OneDrive accounts, and Teams data.

Can Veeam restore individual emails or files?

Yes, Veeam supports granular restore. You can restore a single email, calendar item, contact, OneDrive file, SharePoint document, or entire folder. You can also restore an entire mailbox or site collection. The restore can be to the original location or an alternate location.

What happens if a user deletes data and empties the recycle bin in Microsoft 365?

If the recycle bin is emptied, the data is permanently deleted from Microsoft 365 after a short period (default 93 days for SharePoint/OneDrive, but if emptied, it may be gone sooner). Native features cannot recover it. With Veeam, you can restore the data from the last backup before the deletion, as long as the backup is within your retention period.

Is Veeam Backup for Microsoft 365 a cloud service or on-premises?

Veeam Backup for Microsoft 365 is software that you install on-premises or on a VM in a cloud (e.g., Azure). It runs as a Windows service and connects to your Microsoft 365 tenant. The backup data is stored in a repository that you control (local disk, NAS, Azure Blob, AWS S3). Veeam also offers a cloud-based service called Veeam Backup for Microsoft 365 Cloud Edition, but the traditional deployment is self-managed.

What are the default retention settings in Veeam Backup for Microsoft 365?

Default retention is 14 days for daily backups, 4 weeks for weekly backups, and 12 months for monthly backups. You can customize these values. The retention policy determines how long backup files are kept before being automatically deleted.
