Keepit vs Microsoft 365 Native Backup: Do You Need Third-Party? (2026)
Microsoft now offers native backup for M365. It has a 1-year retention limit, no immutability, and lives on the same infrastructure as your production data. Here is why that matters.
IDC Leader. Independent cloud. Unlimited retention.
Built-in. 1-year retention. Same infrastructure as production.
Microsoft now offers native backup for M365, and the natural question is: do you still need a third-party tool? Yes. Microsoft's native backup has a hard 1-year retention limit, no immutability, and stores backups on the same Azure infrastructure as your production data. If a ransomware attack encrypts your tenant, your backup is on the same platform. If a compliance requirement demands 7-year email retention, native backup cannot deliver. Microsoft itself recommends third-party backup. We distribute Keepit because your backup should not live in the same house as your data.
Keepit for Microsoft 365
Keepit is a pure-SaaS backup platform and 2025 IDC MarketScape Leader for SaaS Data Protection. It runs on Keepit-owned infrastructure (Equinix data centres, 7 global regions including Sydney), fully independent of Microsoft Azure. Immutability uses a proprietary Merkle tree architecture that cannot be disabled. Australian list pricing ranges from AUD $2.63 to $4.47/user/month (Business Essentials tier, depending on seat count and contract term) with unlimited retention and no egress fees.
Microsoft 365 Backup (Native)
Microsoft 365 Backup is Microsoft's native backup feature included with M365 subscriptions (some tiers). It provides point-in-time restoration for Exchange, OneDrive, and SharePoint with a 10-15 minute RPO. Retention is capped at 1 year with no extension option. Backups are stored on the same Azure infrastructure as production data. There is no immutable backup capability. Overage storage is charged at USD $0.15/GB/month. Microsoft explicitly recommends third-party backup solutions for full data protection.
Head-to-head comparison
| Feature | KKeepit for Microsoft 365 | MSMicrosoft 365 Backup (Native) |
|---|---|---|
| Maximum retention | Unlimited (configurable, no cap) | 1 year (hard limit, cannot be extended) |
| RPO (backup frequency) | Every 12 hours (~12-hour RPO) | 10-15 minute RPO |
| Infrastructure independence | Fully independent. Keepit-owned data centres, no Azure dependency. | Same Azure infrastructure as production M365 tenant. |
| Immutability | Merkle tree (structural, cannot be disabled) | None. No immutable backup capability. |
| Additional cost | from AUD $2.63/user/month | Included in some M365 tiers. Overage: USD $0.15/GB/month. |
| SaaS apps covered | 15+ (M365, Google Workspace, Salesforce, Azure AD, Dynamics, Power Platform) | Exchange, OneDrive, SharePoint only (within M365) |
| Same-vendor risk | None. Keepit is independent of Microsoft. | High. Backup and production on same vendor, same platform. |
| Cross-SaaS protection | Yes. Salesforce, Google Workspace, Azure AD, Dynamics, more. | No. M365 only. |
| Granular restore | Item-level restore for all protected workloads | Item-level restore for Exchange, OneDrive, SharePoint |
| Microsoft recommendation | N/A | Microsoft recommends third-party backup alongside native |
| AU data sovereignty | Keepit-owned Sydney data centre (Equinix) | Azure AU regions (Microsoft-owned) |
| Egress fees | None | Not separately charged, but overage storage at USD $0.15/GB/month |
Highlighted cells show where one product has a clear advantage for the majority of Australian mid-market and MSP use cases. Ties are unhighlighted.
The 1-year retention wall
Microsoft 365 native backup retains data for a maximum of 1 year. There is no configuration option to extend this. After 12 months, your backup data is gone.
For many Australian businesses, this is a disqualifying limitation. Financial services firms typically retain email for 7 years. Legal practices retain client correspondence indefinitely. Healthcare organisations retain patient communications for decades. Government agencies follow the National Archives of Australia retention schedules, which can require 10+ years for some record classes.
Keepit offers unlimited retention. You set the retention period. There is no cap. Whether you need 1 year, 7 years, or indefinite retention, the pricing does not change.
The 1-year limit also creates a practical problem for investigations. If legal discovers a dispute involving emails from 18 months ago, native backup cannot help. If HR needs to review an employee's communications from two years prior, native backup cannot help. These scenarios are not hypothetical. Our partners encounter them regularly.
Same-vendor risk: your backup lives with your data
This is the core problem with native backup, and it applies to any vendor backing up their own platform.
Microsoft 365 native backup stores your backup data on the same Azure infrastructure as your production M365 tenant. If a ransomware attack targets your Azure tenant, your production data and your backup data are in the same blast radius. If Microsoft experiences a regional Azure outage, your production environment and your backup are both affected. If an administrative error or a compromised global admin deletes data, the backup may be subject to the same access controls.
This is why Microsoft itself recommends third-party backup. Their own documentation states that customers should use independent backup solutions for full data protection. They are not saying this as a courtesy. They are acknowledging that same-platform backup has structural limitations.
Keepit stores your backup on entirely separate infrastructure. No Azure. No Microsoft. A Keepit-owned data centre in Sydney, on hardware that Keepit operates. There is no shared authentication, no shared administrative access, and no shared failure domain between your M365 tenant and your Keepit backups.
No immutability means no ransomware insurance
Microsoft 365 native backup does not offer immutable storage. There is no write-once mechanism. There is no protection against a compromised administrator deleting or modifying backup data.
Keepit's Merkle tree immutability makes backup data structurally tamper-proof. Once data is written, it cannot be modified or deleted by any account, including Keepit's own administrators. This is not a configuration setting you enable. It is built into the storage architecture.
For organisations pursuing Essential Eight Maturity Level 2 or 3, the ability to demonstrate that backup data cannot be tampered with is increasingly a hard requirement. Auditors ask how immutability works, who can override it, and whether it can be disabled. With Keepit, the answers are: Merkle tree cryptographic hashing, nobody, and no. With Microsoft native backup, there is no immutability to audit.
The absence of immutability also means Microsoft native backup cannot serve as a reliable last line of defence against insider threats. A disgruntled administrator with global admin privileges could potentially access both production data and backup data through the same console.
When native backup is enough
We distribute Keepit, so we have a commercial interest here. But intellectual honesty matters, and there are scenarios where Microsoft native backup is sufficient.
If your organisation has no regulatory retention requirements beyond 1 year, if you do not need immutable backups for compliance, if your risk tolerance accepts same-vendor backup, and if your M365 environment is the only SaaS application you need to protect, native backup covers the basics at no additional cost.
Small businesses with under 50 users, minimal compliance obligations, and tight budgets may find native backup adequate for day-to-day accidental deletion recovery. The 10-15 minute RPO is actually better than Keepit's 12-hourly schedule for rapid point-in-time recovery of recently changed files.
However, even in these scenarios, we would suggest the business formally documents that they have accepted the risk of same-vendor backup, 1-year retention limits, and no immutability. If that risk is accepted knowingly, native backup is a valid choice. If it is accepted unknowingly because nobody evaluated the limitations, that is a different problem.
Our recommendation
For any Australian business with regulatory retention requirements, compliance obligations, or data that matters beyond 12 months, native backup is insufficient on its own. Microsoft agrees with this assessment.
Use Keepit as your primary backup and treat Microsoft native backup as a convenient first line of defence for quick restores of recently deleted items. The two are not mutually exclusive. Native backup gives you fast RPO for the last 12 months. Keepit gives you unlimited retention, immutability, infrastructure independence, and coverage across 16+ SaaS platforms.
We distribute Keepit because backup insurance that lives on the same platform as the thing it protects is not real insurance. Your fire insurance policy is not stored inside the building.
See also: Keepit vs Veeam for M365 | Keepit vs Druva
Frequently asked questions
Yes. Microsoft's own documentation recommends that customers use independent third-party backup solutions for full M365 data protection. This is an explicit acknowledgment of the limitations of native backup, particularly around retention, immutability, and same-platform risk.
Need backup that is actually independent of Microsoft?
CRS distributes Keepit across Australia, New Zealand, and the Pacific. We will show you exactly what Microsoft native backup covers, where it stops, and what Keepit adds. If native backup is genuinely enough for your requirements, we will tell you that.
Related comparisons
Keepit vs Veeam for Microsoft 365 Backup (2026)
One is SaaS with vendor-independent infrastructure. The other is self-managed software you run yourself. Real pricing, real trade-offs.
Keepit vs Veeam Data Cloud for Microsoft 365 Backup (2026)
Both are fully managed SaaS. One runs on Azure, the other does not. One covers 16+ SaaS apps, the other covers 4. Real pricing and honest trade-offs.
Keepit vs AvePoint Cloud Backup for Australian Organisations (2026)
AvePoint has IRAP. Keepit has 16+ workloads. Both cover M365 and Google Workspace. The comparison is closer than most people expect.
Keepit vs Datto SaaS Protection for MSPs (2026)
Broader SaaS coverage with vendor independence, or the Kaseya ecosystem with deeper PSA integration? An MSP-focused comparison.
Keepit vs Acronis Cyber Protect Cloud for M365 Backup (2026)
Pure SaaS backup with vendor-independent immutability, or an integrated backup-and-security bundle? What matters more for your M365 protection.
Keepit vs Druva for Microsoft 365 Backup (2026)
Two SaaS-native backup platforms with immutable storage. One owns its infrastructure. The other runs on AWS. That difference matters more than you think.
Keepit vs SkyKick Cloud Backup for MSPs (2026)
Broader SaaS coverage with independent immutability, or white-label simplicity with 6x daily backups? An MSP comparison for M365 backup.
Gladinet CentreStack vs Microsoft SharePoint: Cloud Enablement vs Full Migration (2026)
Cloud-enable the file server you already have, or migrate to SharePoint. Which path fits your customer.
Keepit vs Arcserve SaaS Backup: The OEM Relationship You Should Know About (2026)
Arcserve SaaS Backup is a Keepit OEM. Here's why the rebranded version loses on API, workloads, channel, and AU support.
Proxmox VE vs Microsoft Hyper-V: Hypervisor Strategy After 2025 (2026)
Microsoft has deprecated standalone Hyper-V Server and is pushing Azure Stack HCI. Where Proxmox picks up the slack.
UFSConnect vs OneDrive for Business: Keep Your File Server or Migrate? (2026)
Cloud-enable the file server you already have, or migrate everything to OneDrive. What IT actually loses in the switch.
Keepit vs Barracuda Cloud-to-Cloud Backup: M365 Backup Compared (2026)
Hourly backups and bundled security, or 16+ SaaS workloads with structural immutability? A practical comparison for MSPs and IT teams protecting Microsoft 365.
Keepit vs Rewind for Jira Cloud Backup (2026)
Two SaaS backup platforms that cover Jira Cloud, but with fundamentally different infrastructure models and pricing approaches.
Keepit vs Rewind for Confluence Cloud Backup (2026)
Comparing two approaches to protecting your Confluence knowledge base: independent immutable cloud versus Marketplace-native backup.
Keepit vs GitProtect for GitHub Backup (2026)
Two backup platforms that protect GitHub repositories and metadata, with different infrastructure models, coverage depth, and pricing.
Keepit vs GitProtect for Azure DevOps Backup (2026)
Two platforms that back up Azure DevOps, the workload Microsoft explicitly says it will not recover for you.
Keepit vs Acsense for Okta Backup (2026)
A multi-workload SaaS backup platform versus a dedicated Okta resilience specialist. Different tools for different problems.
Keepit vs Zendesk Native Backup: Why Zendesk Exports Are Not Enough (2026)
Zendesk provides data exports and a 30-day recycle bin. Here is why that is not a backup strategy, and what Keepit adds.
Guardz vs Microsoft Defender for Business: When AV-Only Is Not Enough (Australia 2026)
Bundled AV versus real managed detection and response across identity, endpoint and email.