Veeam Backup for Microsoft 365 -- Exchange Online, SharePoint, Teams, OneDrive, and Why Microsoft Doesn't Back It Up for You

Veeam v13 Series | Component: Veeam Backup for Microsoft 365 v8 | Audience: Sysadmins, MSP Engineers

Every MSP has this conversation multiple times a year: "Why do I need to back up Microsoft 365? Microsoft handles that." They don't. Microsoft's data redundancy protects against infrastructure failure on their end. It doesn't protect against accidental deletion, ransomware, a rogue admin, retention policy gaps, or the security lapse where a user gets compromised and their mailbox gets wiped. Microsoft's own service agreement is explicit: you're responsible for your data. They make the platform available. What's in it is yours to protect.

Veeam Backup for Microsoft 365 is a separate product from VBR. It protects Exchange Online, SharePoint Online, OneDrive for Business, and Teams. Here's what you need for a production deployment: authentication, organization connection, backup job design for each service, storage considerations, and the restore workflows that actually matter when someone calls asking where their email is.

1. Why Microsoft Doesn't Back Up Your Data

Microsoft's retention policies are not backup. The standard deleted item retention in Exchange Online is 14 days for items deleted from the Deleted Items folder and 14 days for soft deleted items. After that, items are gone. SharePoint has a recycle bin with a 93-day retention but it's a recycle bin, not a point-in-time backup. It doesn't protect against ransomware that overwrites files rather than deletes them. OneDrive has version history but the version window is 30 days by default for most licenses.

Teams is the one that catches people off guard the most. Teams isn't self contained. It's an abstraction layer over Exchange Online (mailbox), SharePoint Online (files and channels), and OneDrive (chat attachments). When you back up Teams properly you're backing up the data in those underlying services plus the Teams metadata: settings, membership, channel structure, and configurations. If you only back up Exchange Online and SharePoint Online, you're missing the glue that makes Teams data usable in a restore scenario.

2. Authentication: Modern App Only vs Legacy

VBM365 supports two authentication methods for Microsoft 365 organizations. Modern app only authentication is the current standard and what you should use for all new deployments. It authenticates via a Microsoft Entra application (formerly Azure AD app registration) with a certificate rather than a user account with credentials. This is more secure and survives MFA policy changes that would break a user account based connection.

Legacy authentication using a service account is still supported but being phased out as Microsoft continues deprecating basic auth across their services. If you're on legacy authentication, plan the migration to modern app only authentication before it stops working rather than after.

Team chats backup is only supported with modern app only authentication. It requires access to Microsoft Graph Teams Export APIs, which aren't available via legacy authentication. If backing up Teams chats is a requirement, modern app only authentication is mandatory.

3. Adding a Microsoft 365 Organization

1. In the VBM365 console, click Organizations, then Add. Select Microsoft 365 as the organization type.
2. Choose Modern Authentication with application (recommended). VBM365 prompts you to create or use an existing Microsoft Entra application. Click Register to let VBM365 create the application automatically, or provide an existing application ID and certificate if you manage your own app registrations.
3. Sign in with a Global Administrator account to grant the required API permissions to the application. The specific permissions depend on which services you're backing up. VBM365 requests the minimum permissions needed for the services you select.
4. Select which services to back up: Exchange Online, SharePoint Online and OneDrive for Business, Teams, and Teams chats. You must select both Exchange Online and SharePoint Online and OneDrive for Business before Teams becomes available as a checkbox.
5. After the organization is added, VBM365 performs an initial sync to discover mailboxes, sites, and teams. This can take several minutes for large tenants.

4. Backup Job Design

What to Back Up and What Not To

Shared mailboxes and resource mailboxes (room and equipment mailboxes) don't require a VBM365 license and can be backed up at no additional cost. Include them. They contain data that matters in compliance and litigation scenarios even though they're not personal mailboxes.

Archive mailboxes count as part of the same licensed user and don't require an additional license. If a user has an online archive, the mailbox and archive are both protected under one license.

Teams: you need a license for each user who is an active team member and has a paid Teams license in Microsoft 365. You don't need to license users who only appear in Teams data as external guests.

Scope: All vs Selected Objects

For most environments, creating a backup job scoped to the entire organization rather than individual users or sites is the right design. When new users are added to Microsoft 365, they're automatically included in the next backup run without any job reconfiguration. The exception is if you have a two tier service: some users with full backup and some with a lighter tier. In that case, scope jobs to groups or organizational units rather than individual users so membership changes are reflected automatically.

5. Storage: Where Backups Live

VBM365 stores backup data in a Backup Repository. This can be a local directory on the VBM365 server, a network path, an Azure Blob storage account, or an Amazon S3 bucket. For production deployments with compliance requirements, the answer is almost always object storage: it's cheaper than local disk at the retention windows required for Microsoft 365 data, and Azure Blob or S3 with Object Lock gives you immutability.

Sizing VBM365 storage is different from sizing VBR storage. Microsoft 365 data is largely unstructured: email attachments, document files, SharePoint content. It doesn't deduplicate and compress as aggressively as VM disk images. Budget storage based on the total mailbox size plus SharePoint content plus OneDrive content across all protected users, with a multiplier for the retention window you're targeting. A 90-day retention on 1 TB of Microsoft 365 data is not 1 TB of backup storage. It's closer to 3 to 5 TB depending on change rates and attachment volumes.

6. Restore Workflows

Exchange Online Item Restore

The most common restore request. In the VBM365 console or Veeam Explorer for Microsoft Exchange, select the organization, browse to the user, find the mailbox items to restore, and choose whether to restore to the original mailbox, to a different mailbox, or export to PST. Restoring to the original location is a single operation. If the user's mailbox has been deleted, you need to restore to a different active mailbox or PST file first.

SharePoint and OneDrive Restore

Veeam Explorer for Microsoft SharePoint handles site, library, list, and item level restores. Browse to the site, navigate the content tree, and restore the version you need to the original location or a different location. For OneDrive, the Explorer shows the user's files and folders as they existed at the backup point you select. OneNote notebooks larger than 2 GB are saved as folders with individual OneNote items rather than a single notebook file.

Teams Restore

Teams messages cannot be restored directly back to Teams channels. The restore process exports Teams messages as MSG files that can be accessed through Veeam Explorer for Microsoft Exchange. Channel files and SharePoint content associated with Teams channels restore through Veeam Explorer for Microsoft SharePoint. This is a real limitation to communicate to customers before they assume a Teams restore works the same as a mailbox restore.