Microsoft now offers native backup for M365. It has a 1-year retention limit, no immutability, and lives on the same infrastructure as your production data. Here is why that matters.
IDC Leader. Independent cloud. Unlimited retention.
Built-in. 1-year retention. Same infrastructure as production.
Microsoft now offers native backup for M365, and the natural question is: do you still need a third-party tool? Yes. Microsoft's native backup has a hard 1-year retention limit, no immutability, and stores backups on the same Azure infrastructure as your production data. If a ransomware attack encrypts your tenant, your backup is on the same platform. If a compliance requirement demands 7-year email retention, native backup cannot deliver. Microsoft itself recommends third-party backup. We distribute Keepit because your backup should not live in the same house as your data.
Keepit is a pure-SaaS backup platform and 2025 IDC MarketScape Leader for SaaS Data Protection. It runs on Keepit-owned infrastructure (Equinix data centres, 7 global regions including Sydney), fully independent of Microsoft Azure. Immutability uses a proprietary Merkle tree architecture that cannot be disabled. Pricing is approximately $1.99/user/month with unlimited retention and no egress fees.
Microsoft 365 Backup is Microsoft's native backup feature included with M365 subscriptions (some tiers). It provides point-in-time restoration for Exchange, OneDrive, and SharePoint with a 10-15 minute RPO. Retention is capped at 1 year with no extension option. Backups are stored on the same Azure infrastructure as production data. There is no immutable backup capability. Overage storage is charged at $0.15/GB/month. Microsoft explicitly recommends third-party backup solutions for full data protection.
| Feature | KKeepit for Microsoft 365 | MSMicrosoft 365 Backup (Native) |
|---|---|---|
| Maximum retention | Unlimited (configurable, no cap) | 1 year (hard limit, cannot be extended) |
| RPO (backup frequency) | 3x daily (~8-hour RPO) | 10-15 minute RPO |
| Infrastructure independence | Fully independent. Keepit-owned data centres, no Azure dependency. | Same Azure infrastructure as production M365 tenant. |
| Immutability | Merkle tree (structural, cannot be disabled) | None. No immutable backup capability. |
| Additional cost | ~$1.99/user/month | Included in some M365 tiers. Overage: $0.15/GB/month. |
| SaaS apps covered | 15+ (M365, Google Workspace, Salesforce, Azure AD, Dynamics, Power Platform) | Exchange, OneDrive, SharePoint only (within M365) |
| Same-vendor risk | None. Keepit is independent of Microsoft. | High. Backup and production on same vendor, same platform. |
| Cross-SaaS protection | Yes. Salesforce, Google Workspace, Azure AD, Dynamics, more. | No. M365 only. |
| Granular restore | Item-level restore for all protected workloads | Item-level restore for Exchange, OneDrive, SharePoint |
| Microsoft recommendation | N/A | Microsoft recommends third-party backup alongside native |
| AU data sovereignty | Keepit-owned Sydney data centre (Equinix) | Azure AU regions (Microsoft-owned) |
| Egress fees | None | Not separately charged, but overage storage at $0.15/GB/month |
Highlighted cells show where one product has a clear advantage for the majority of Australian mid-market and MSP use cases. Ties are unhighlighted.
Microsoft 365 native backup retains data for a maximum of 1 year. There is no configuration option to extend this. After 12 months, your backup data is gone.
For many Australian businesses, this is a disqualifying limitation. Financial services firms typically retain email for 7 years. Legal practices retain client correspondence indefinitely. Healthcare organisations retain patient communications for decades. Government agencies follow the National Archives of Australia retention schedules, which can require 10+ years for some record classes.
Keepit offers unlimited retention. You set the retention period. There is no cap. Whether you need 1 year, 7 years, or indefinite retention, the pricing does not change.
The 1-year limit also creates a practical problem for investigations. If legal discovers a dispute involving emails from 18 months ago, native backup cannot help. If HR needs to review an employee's communications from two years prior, native backup cannot help. These scenarios are not hypothetical. Our partners encounter them regularly.
This is the core problem with native backup, and it applies to any vendor backing up their own platform.
Microsoft 365 native backup stores your backup data on the same Azure infrastructure as your production M365 tenant. If a ransomware attack targets your Azure tenant, your production data and your backup data are in the same blast radius. If Microsoft experiences a regional Azure outage, your production environment and your backup are both affected. If an administrative error or a compromised global admin deletes data, the backup may be subject to the same access controls.
This is why Microsoft itself recommends third-party backup. Their own documentation states that customers should use independent backup solutions for full data protection. They are not saying this as a courtesy. They are acknowledging that same-platform backup has structural limitations.
Keepit stores your backup on entirely separate infrastructure. No Azure. No Microsoft. A Keepit-owned data centre in Sydney, on hardware that Keepit operates. There is no shared authentication, no shared administrative access, and no shared failure domain between your M365 tenant and your Keepit backups.
Microsoft 365 native backup does not offer immutable storage. There is no write-once mechanism. There is no protection against a compromised administrator deleting or modifying backup data.
Keepit's Merkle tree immutability makes backup data structurally tamper-proof. Once data is written, it cannot be modified or deleted by any account, including Keepit's own administrators. This is not a configuration setting you enable. It is built into the storage architecture.
For organisations pursuing Essential Eight Maturity Level 2 or 3, the ability to demonstrate that backup data cannot be tampered with is increasingly a hard requirement. Auditors ask how immutability works, who can override it, and whether it can be disabled. With Keepit, the answers are: Merkle tree cryptographic hashing, nobody, and no. With Microsoft native backup, there is no immutability to audit.
The absence of immutability also means Microsoft native backup cannot serve as a reliable last line of defence against insider threats. A disgruntled administrator with global admin privileges could potentially access both production data and backup data through the same console.
We distribute Keepit, so we have a commercial interest here. But intellectual honesty matters, and there are scenarios where Microsoft native backup is sufficient.
If your organisation has no regulatory retention requirements beyond 1 year, if you do not need immutable backups for compliance, if your risk tolerance accepts same-vendor backup, and if your M365 environment is the only SaaS application you need to protect, native backup covers the basics at no additional cost.
Small businesses with under 50 users, minimal compliance obligations, and tight budgets may find native backup adequate for day-to-day accidental deletion recovery. The 10-15 minute RPO is actually better than Keepit's 3x daily schedule for rapid point-in-time recovery of recently changed files.
However, even in these scenarios, we would suggest the business formally documents that they have accepted the risk of same-vendor backup, 1-year retention limits, and no immutability. If that risk is accepted knowingly, native backup is a valid choice. If it is accepted unknowingly because nobody evaluated the limitations, that is a different problem.
For any Australian business with regulatory retention requirements, compliance obligations, or data that matters beyond 12 months, native backup is insufficient on its own. Microsoft agrees with this assessment.
Use Keepit as your primary backup and treat Microsoft native backup as a convenient first line of defence for quick restores of recently deleted items. The two are not mutually exclusive. Native backup gives you fast RPO for the last 12 months. Keepit gives you unlimited retention, immutability, infrastructure independence, and coverage across 15+ SaaS platforms.
We distribute Keepit because backup insurance that lives on the same platform as the thing it protects is not real insurance. Your fire insurance policy is not stored inside the building.
CRS distributes Keepit across Australia, New Zealand, and the Pacific. We will show you exactly what Microsoft native backup covers, where it stops, and what Keepit adds. If native backup is genuinely enough for your requirements, we will tell you that.
One is SaaS with vendor-independent infrastructure. The other is self-managed software you run yourself. Real pricing, real trade-offs.
Both are fully managed SaaS. One runs on Azure, the other does not. One covers 15+ SaaS apps, the other covers 4. Real pricing and honest trade-offs.
AvePoint has IRAP. Keepit has 15+ workloads. Both cover M365 and Google Workspace. The comparison is closer than most people expect.
Broader SaaS coverage with vendor independence, or the Kaseya ecosystem with deeper PSA integration? An MSP-focused comparison.
Pure SaaS backup with vendor-independent immutability, or an integrated backup-and-security bundle? What matters more for your M365 protection.
Two SaaS-native backup platforms with immutable storage. One owns its infrastructure. The other runs on AWS. That difference matters more than you think.
Broader SaaS coverage with independent immutability, or white-label simplicity with 6x daily backups? An MSP comparison for M365 backup.