For MSPs managing dozens of customer tenants, the increased speed and sophistication of attacks create a specific operational problem. Microsoft 365's built-in recycle bin and version history were never designed to serve as ransomware recovery tools. They were built for accidental deletion. In our view, an immutable backup isolated from the production environment and protected against access by attackers is the only defensible answer. This article explains why that architecture matters and why the gap between Microsoft's native tooling and purpose-built M365 backup is wider than most MSPs realize.
AI Is Changing the Ransomware Threat for SMBs
Traditional ransomware relied on broad, opportunistic campaigns. Phishing emails were sent in bulk, and attackers waited to see which credentials arrived. AI has permanently changed that model in three concrete ways, and this shift makes recovery infrastructure more important than detection as a primary control.
- First, AI tools now generate highly targeted phishing content that passes basic awareness training. Employee names, roles, and communication patterns are synthesized from publicly available data to construct messages that look genuinely internal. The barrier to a convincing spear-phishing attack is now near zero.
- Second, polymorphic payloads rewrite their own code between deployments. Security vendors that rely primarily on known-bad signatures are increasingly blind to first-encounter variants, and AI accelerates the emergence of new variants.
- Third, AI-orchestrated attacks now run encryption at machine speed. Once a session token is compromised, attackers automate bulk file access and encryption across a Microsoft 365 tenant faster than any human-driven response. The Anthropic Claude Mythos Preview release in April 2026, a model that demonstrated autonomous network takeover capabilities, confirmed the direction of travel. As the UK AI Security Institute noted, SMBs are disproportionately exposed because they lack the defensive depth of large enterprises. That is precisely the customer base MSPs serve.
For SMBs, the practical consequence is that incident response time is no longer a reliable primary control. What can be restored, from where, and how quickly is the question that now determines outcomes.
Why Microsoft 365's 93-Day Recycle Bin Is Not a Backup
Microsoft 365 provides a first-stage recycle bin that lasts 30 days and a second-stage recycle bin that lasts 93 days under a specific configuration. This is often mistaken for backup coverage. CyberSentriq's position is direct: it is not. Three limitations make this clear.
Retention is not the same as recoverability. Recycle bin data lives inside the same Microsoft 365 tenant it came from. If an attacker compromises a global admin account, which ransomware campaigns routinely target first, they can purge the recycle bin contents permanently. An attacker with sufficient permissions can eliminate the recovery option before an incident is even detected. The 93-day window has hard edges. Any item deleted before that window opens is unrecoverable through native tools. For compliance-driven customers in finance, healthcare, or legal services, a 93-day limit conflicts directly with regulatory retention requirements that often extend to 7 years.
Versioning does not cover all scenarios. SharePoint Online and OneDrive maintain version history, but that history is tied to the file surviving deletion. If a file is deleted, not just overwritten, the version history goes with it. A ransomware variant that overwrites file content in place may leave versions intact but make all of them unreadable. Microsoft's own shared responsibility guidance is explicit: Microsoft guarantees service availability, not the recovery of customer data. Protecting Microsoft 365 data remains the responsibility of the customer and, by extension, their MSP.
The launch of Microsoft 365 Backup as a native offering in early 2026 validated the importance of the backup market. However, it also highlighted several inherent limitations, including:
- Maximum retention period of 1 year
- Immutability confined to Microsoft's Azure environment
- Backup data resides within the same cloud infrastructure as the production Microsoft 365 tenant.
By contrast, independent backup solutions can provide longer retention periods, stricter and more flexible immutability policies, and the ability to store backup data in isolated environments, thereby strengthening resilience against ransomware, accidental deletion, and platform-wide incidents. These architectural constraints are a fundamental limitation, not a complete data protection strategy.
Immutable, Isolated Microsoft 365 Backup: The Last Line of Defense
Immutable backup means data that cannot be modified, overwritten, or deleted for a defined retention period, regardless of the permissions held by any account, including administrators. When combined with production isolation, backup storage hosted outside the Microsoft 365 tenant, and protection with separate credentials, it becomes the sole recovery path that attackers cannot reach. CyberSentriq's M365 backup architecture is built on four components that we consider non-negotiable for genuine ransomware protection.
-
Production isolation.
CyberSentriq stores backup data entirely on Microsoft Azure. This is not a feature differentiation; it is an architectural principle. A backup that shares infrastructure with the system it protects is not a true backup; it is a redundant copy on the same plane of failure. When a tenant is compromised or when a Microsoft Azure regional event occurs, a backup stored off-cloud remains completely unaffected.
-
Write-once immutability.
Once a backup snapshot is written, it cannot be changed. Ransomware that successfully accesses backup storage cannot encrypt or overwrite historical snapshots. This is the control that makes recovery reliable rather than hopeful.
-
Encryption and access controls.
CyberSentriq encrypts backup data at rest and in transit. Role-based access control and MFA govern who can initiate restores, reducing the blast radius of any single compromised credential.
-
Unlimited retention.
Unlike Microsoft's one-year native retention ceiling, CyberSentriq retains backup data for as long as the policy requires to meet compliance obligations across regulated sectors, without workarounds or additional licensing. For financial services, healthcare, and legal customers, this is not an optional upgrade. It is a baseline requirement. For MSPs, this architecture also has a commercial dimension. It converts a reactive incident response conversation into a proactive resilience service that can be positioned at every customer onboarding. MSPs that include immutable M365 backup as standard reduce the likelihood that a live ransomware incident becomes a customer retention event.
Fast Recovery. No Disruption
Backups completed every day. Powering automated backups at scale, trusted where downtime isn’t an option.
Microsoft recycle bins retain data for 93 days; we ensure indefinite recovery with unlimited retention.
M365 & Entra ID seats protected daily
Zero Downtime. Users access files instantly while restores run in the background, reducing downtime from hours to seconds.
Granular vs Bulk Recovery During a Live Incident
Recovery speed matters as much as recovery coverage. Two modes of restore apply in ransomware scenarios, and CyberSentriq's view is that MSPs need both available from the same platform. Granular restore allows recovery of individual items from a single email, a specific file version, or one SharePoint library without touching the broader environment. This is the right approach when the scope of impact is contained or when an investigation is still determining exactly what was affected. Restoring a single mailbox folder while broader containment work continues avoids overwriting clean data with a bulk restore.
Bulk restore replaces large datasets from a known-good backup snapshot. This is appropriate when encryption is widespread, and the fastest path back to operation is a full tenant restore to a point in time before the attack. The critical requirement is that the recovery point is clean, which is only verifiable when backup data is held in isolated, immutable storage separate from the compromised environment.
The distinction matters operationally. MSPs managing multiple customer tenants during a concurrent incident cannot afford a recovery process that requires hours of manual triage before a single file is restored. CyberSentriq's platform supports both granular and bulk restores within a unified multi-tenant interface, reducing resolution time and the number of people required to manage recovery at scale.
Protecting Identity: Why Entra ID Backup Matters as Much as Data
Most ransomware recovery plans are built around data: email, files, and SharePoint. Identity is consistently the part that gets missed, and it is also what ransomware attackers target first. CyberSentriq considers Entra ID backup a required component of any complete Microsoft 365 backup deployment, not an optional add-on.
Microsoft Entra ID holds the keys to the Microsoft 365 environment:
- Conditional Access Policies govern authentication.
- App registrations define what third-party tools can access.
- Privileged role assignments determine who can do what.
When attackers compromise a Microsoft 365 tenant, they frequently:
- Modify Entra ID configurations before encrypting data.
- Turn off security controls.
- Escalate their privileges.
- Create hidden persistence that survives a data restore.
Microsoft does not provide a native off-cloud Entra ID backup. In early 2026, Microsoft introduced a native Entra ID backup preview in the Microsoft Entra admin center, but it does not resolve the structural problem. Microsoft stores Entra backup data inside Azure, on the same infrastructure as the live tenant. A tenant-level ransomware incident places both production identity data and the native backup in the same blast radius simultaneously.
The scope limitations at launch are also significant, including:
- Restore granularity.
- Retention window.
- Cross-tenant recovery.
These are all more constrained than with purpose-built solutions.
For MSPs managing multiple customer tenants, there is no unified recovery console; each tenant is managed separately. CyberSentriq's Entra ID backup captures the full scope of identity configuration, Conditional Access policies, app registrations, service principals, role assignments, and user attributes, and stores it off-cloud in the same isolated, immutable environment as Microsoft 365 data. Multiple daily backups, full change history between snapshots, and object-level point-in-time restore give MSPs a defensible, complete recovery capability that Microsoft's native tooling does not match.
The Hidden Risk: Identity Loss After Ransomware Recovery
Even when data backup is in place, identity loss after a ransomware incident creates a failure scenario that most MSPs encounter unprepared. CyberSentriq's incident response experience consistently surfaces this as the most common gap in an otherwise solid recovery plan. The sequence plays out like this. Ransomware hits. Data is encrypted. The MSP initiates recovery from an immutable backup. Files and emails are restored. The customer expects to be operational. But Conditional Access policies that the attacker has deleted or modified are not present. MFA configurations are broken. App integrations that relied on service principals return authentication errors. Users can access the environment but cannot authenticate into the tools they depend on.
This is not a data problem. It is an identity problem, and a data-only backup cannot solve it.
Identity change detection addresses this directly. CyberSentriq compares the current Entra ID tenant state against a prior backup snapshot to identify exactly which configurations changed during the attack window, distinguishing attacker modifications from legitimate administrative changes. MSPs can then restore only the affected identity objects, Conditional Access policies, role assignments, and app registrations without rolling back the entire tenant state. This reduces recovery time, avoids overwriting legitimate post-incident changes, and closes the authentication gap that leaves customers unable to operate even after a successful data restore.
Including Entra ID backup in every Microsoft 365 backup deployment is the operational answer to the most common ransomware recovery failure. It is not a premium service tier; it is the complete recovery story that customers need and the service differentiation that MSPs can position at onboarding.
Complete Microsoft 365 recovery starts with immutable backup and ends with identity recovery. Make both part of every deployment to deliver the resilience your customers expect and the service differentiation your MSP needs.
Get in touch to see how CyberSentriq delivers complete Microsoft 365 recovery.
Ready to get Started
AI-Driven Ransomware FAQs
Standard backup copies data to a secondary location but typically allows an administrator to modify or delete that data. Immutable backup uses write-once storage that cannot be altered or deleted during the defined retention period by anyone, including the backup platform's own admin accounts. This prevents ransomware actors who gain administrative access from destroying the recovery point. It is also the control that separates compliant, audit-ready backup from basic data copying.
AI compresses the attack timeline from days to hours. Targeted phishing, polymorphic payloads that bypass signature detection, and machine-speed encryption mean an attacker who compromises a session token can automate bulk encryption before standard monitoring tools generate an actionable alert. The April 2026 Claude Mythos Preview release demonstrated autonomous system compromise capabilities that confirm the direction of travel. Recovery readiness, what can be restored and from where, is now the primary defensible control, not detection speed.
The recycle bin is accessible within the Microsoft 365 tenant. An attacker with global admin permissions can permanently purge recycle bin contents, eliminating the recovery path before the incident is detected. Immutable backup stored outside the tenant is not accessible to tenant-level credentials, which is why production isolation is the key architectural requirement, not retention duration alone. Microsoft's newer native M365 Backup product improves on the recycle bin. Still, it introduces its own limitations: one-year maximum retention, no immutable storage, and backup data stored on Azure inside the same infrastructure as the live tenant.
Identity change detection compares the current state of a Microsoft Entra ID tenant against a prior backup snapshot to identify what changed during an attack window. This allows MSPs to restore only the configurations modified or deleted by the attacker, Conditional Access policies, role assignments, and app registrations without rolling back the entire tenant state. It reduces recovery time and avoids overwriting legitimate administrative changes that occurred before or after the incident.
It closes the most common gap in ransomware recovery. An MSP that restores Microsoft 365 data but cannot restore identity configuration leaves the customer unable to authenticate into their recovered environment. That customer is still down even after a technically successful data restore. Adding Entra ID backup to every Microsoft 365 deployment means both data and identity are recoverable from the same isolated, immutable snapshot. That is the complete recovery service customers need, and the commercial differentiator MSPs can demonstrate at onboarding, before an incident forces the conversation.