Volume 03 · Cloud · 6 min read · 1,467 words

Microsoft 365 backup that actually restores: Veeam vs Dropsuite vs Datto, tested on a real tenant

Microsoft’s native retention is not a backup. Head-to-head restore test of Veeam, Dropsuite, and Datto on a 62-user tenant — RPO, RTO, cost per seat, and which one to pick for which client.

Rami Friedman
Sr. Security Engineer · Kootechnikel Solutions
Published April 22, 2026
Quick answer

Microsoft’s built-in retention is not a backup — it expires, it doesn’t protect against malicious deletion by an admin, and it can’t restore at scale. Of the three major third-party options we tested, Dropsuite wins on price and ease, Veeam wins on granular restore and long-retention, Datto wins if you’re already on their BCDR stack. Tested RTO for a full mailbox restore: Dropsuite 18 min, Veeam 24 min, Datto 31 min.

You'll learn

  • Why Microsoft’s native retention is not a backup, and what that actually breaks.
  • Measured restore times for Exchange, SharePoint, and OneDrive across three M365 backup products.
  • Which product wins for which client profile, and the switch-from-nothing path.

Why this matters

The backup conversation in M365 is cluttered with marketing — every vendor explains why Microsoft’s native retention is insufficient without quantifying what that costs you. Here’s what actually happens in the absence of a real third-party backup:

  • A terminated employee’s mailbox holds evidence relevant to an HR matter. Native retention kept it for 30 days; the HR process took 60. Evidence is gone.
  • A malicious insider deletes 800 files in SharePoint. They hit the version history first, then empty the Recycle Bin, then force a purge. Native has no protection against an authorized admin doing this.
  • Ransomware touches OneDrive via a synced endpoint. Versioning helps for small sets but at scale the restore UI is so slow it’s unusable for 10,000+ files.

Native retention is a convenience feature. It is not a recovery mechanism. Every SOC 2 auditor agrees; every insurance carrier’s control questionnaire asks about third-party M365 backup separately; every incident-response engagement we’ve run in the last two years has hinged on whether the client had one.

The question isn’t whether you need M365 backup. It’s which one.

Test environment

62-user M365 Business Premium tenant. Mix of Exchange Online (62 mailboxes, 480GB total), SharePoint (14 sites, 2.1TB), and OneDrive (62 users, 180GB total). Retention requirements: 7 years for email, 5 years for SharePoint, 3 years for OneDrive.

Test scenarios:

  1. Single-item restore — one email from 9 months ago.
  2. Full mailbox restore — one user’s entire mailbox to a new account.
  3. Site-level SharePoint restore — one site from 60 days ago to a new location.
  4. Bulk OneDrive restore — one user’s full OneDrive to a recovery location.
  5. Malicious-deletion scenario — admin force-purges 100 files; restore from immutable backup.

All three products were deployed in parallel for 30 days before testing, so they had real backup sets to restore from (not fresh-install artifacts).

The three contenders

Dropsuite — the pragmatic choice

Pricing (2026): ~$2.50/user/month for Email Backup, ~$2/user/month for OneDrive/SharePoint. So ~$4.50/user/month all-in for a typical profile.

Pros:

  • Cleanest admin UI of the three. Finding a specific email in a 300k-message mailbox takes three clicks.
  • Search across all backed-up data in one query — useful for e-discovery.
  • Instant granular restore (single email, single file) with no staging.
  • Built-in legal hold and audit logging.
  • Predictable flat per-user pricing.

Cons:

  • Retention caps at 10 years per subscription; you can extend but it’s negotiated.
  • Limited integration with on-premises infrastructure if you have hybrid workloads.
  • No integrated BCDR for non-M365 data — you’d still need something else for endpoints and line-of-business apps.

RTO observed:

  • Single email: < 1 minute (the fastest of the three).
  • Full mailbox to new user: 18 minutes.
  • SharePoint site restore: 34 minutes.
  • Bulk OneDrive restore: 22 minutes.
  • Malicious deletion (100 files): < 1 minute.

Veeam Backup for Microsoft 365 — the granular power tool

Pricing (2026): Licensed per-user via distributor, typically $3.50-5/user/month depending on volume and retention. Backup target storage is extra — S3 / Azure Blob / on-prem object storage. Budget another $0.50-2/user/month for storage at realistic retention.

Pros:

  • The deepest control over restore granularity. Calendar items, tasks, individual contact fields — anything in Exchange, SharePoint, OneDrive, and Teams.
  • Object-locked immutable storage (on S3 / B2 / Azure) with WORM — protection against admin-initiated deletion and ransomware.
  • On-prem backup target possible for orgs with data-residency requirements that extend beyond cloud.
  • Strong hybrid-workload story — the same Veeam console also backs up your vSphere and physical servers.
  • Mature ecosystem: integrations with every major SIEM, monitoring, and BCDR platform.

Cons:

  • Setup is meaningfully more complex than Dropsuite. Allow 1-2 engineer-days to deploy, vs ~2 hours for Dropsuite.
  • Storage cost is unbundled — good for cost optimization but adds a procurement step.
  • The UI is functional, not delightful. Restore wizards have more steps.
  • Licensing is perpetual + maintenance, not pure subscription — CFOs sometimes prefer subscription.

RTO observed:

  • Single email: 3 minutes (slower because of the restore wizard).
  • Full mailbox to new user: 24 minutes.
  • SharePoint site restore: 41 minutes (limited by restore API throttling, which all three hit).
  • Bulk OneDrive restore: 28 minutes.
  • Malicious deletion (100 files): 4 minutes (select items + destination + wait).

Where Veeam wins decisively: a restore target of "a specific calendar item from a specific mailbox on a specific date" takes under 2 minutes in Veeam. Dropsuite handles it; Datto makes it painful.

Datto SaaS Protection — the BCDR stack play

Pricing (2026): Typically bundled with Datto BCDR — ~$3/user/month standalone, $2/user/month if you’re already on Datto endpoint or Datto SIRIS.

Pros:

  • Best-in-class if you’re already a Datto shop. One vendor, one console, one support contract.
  • Strong phishing-recovery story — "restore this user’s mailbox to 30 minutes before the breach" works as advertised.
  • Competitive restore speed on single-item recovery.
  • Unlimited retention on the higher SKU.

Cons:

  • Restore UX for SharePoint and OneDrive is slower than competitors — shows its origin in email-first design.
  • If you’re not on Datto BCDR for endpoints/servers, you’re paying for platform you don’t use.
  • Reporting and compliance evidence output is less polished than Dropsuite or Veeam.
  • Some M365 Teams chat scenarios restore as transcripts rather than interactive threads.

RTO observed:

  • Single email: 2 minutes.
  • Full mailbox to new user: 31 minutes.
  • SharePoint site restore: 52 minutes (noticeably slower than competitors).
  • Bulk OneDrive restore: 38 minutes.
  • Malicious deletion (100 files): 3 minutes.

Other products we considered but excluded

  • Barracuda Cloud-to-Cloud Backup: similar positioning to Dropsuite, marginally cheaper, but the restore UI is dated and search is weaker. Use if you’re already a Barracuda email-security customer.
  • AvePoint Cloud Backup: very deep feature set, strong SharePoint controls, but the price premium doesn’t justify the extra capability for most SMB clients.
  • SkyKick: good product, common in the channel, but cost has crept up and the value-gap vs Dropsuite has narrowed.

The decision tree

  • "We’re a 40-150 person services firm, no on-prem, no strong existing backup vendor." → Dropsuite. Cheapest, fastest, easiest admin.
  • "We need 7+ year retention with object-lock immutability and we already run Veeam for servers." → Veeam. The operational integration is worth it.
  • "We’re already on Datto BCDR for endpoints and appliances." → Datto SaaS Protection. One throat to choke, bundled pricing.
  • "We have 500+ users, complex SharePoint governance, multi-geo tenants." → Veeam or AvePoint. Evaluate both.

How we switch a client from native-only to third-party

  1. Week 1 — procure licenses, deploy agent / auth the tenant. Initial backup starts. For Dropsuite / Datto this is near-instant; for Veeam there’s a setup step for the backup target.
  2. Week 2 — validate first full backup cycle. Review storage utilization forecast.
  3. Week 3 — run a test restore for each data type (mailbox, SharePoint, OneDrive). Document the runbook.
  4. Week 4 — publish the runbook, train the help-desk, set monitoring alerts, document in your compliance platform.

A full-tenant first backup on a 62-user tenant takes 36-72 hours depending on total volume. Plan capacity with that in mind.

The mistakes we see most often

  1. "Microsoft backs up M365" — no, Microsoft provides infrastructure availability. Your data retention + recovery is your responsibility per the shared-responsibility model. Microsoft’s own documentation says this explicitly.

  2. Deploying and not restoring — a backup you’ve never restored from is an assumption, not a backup. Quarterly restore tests are cheap insurance and required by most compliance frameworks.

  3. Ignoring Teams chat history — M365 Teams messages are part of the retention picture; not every product handles them well. Verify this before purchase if Teams is a primary collaboration tool.

  4. Under-estimating SharePoint restore time — even the fastest products hit Microsoft’s Graph API throttling on large sites. If your SharePoint is 5TB+, plan for multi-hour restore windows and design your RTO accordingly.

  5. Skipping the immutability layer — any product that can be deleted by a compromised admin account isn’t a real ransomware control. Veeam’s object-lock, Dropsuite’s legal hold, Datto’s immutable tier — pick one, configure it, evidence it.
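
One way to evidence the object-lock control from item 5, as an added example (not Kootechnikel's or any vendor's code): it assumes an S3 backup target and takes dicts shaped like boto3's `get_object_lock_configuration`, `get_bucket_versioning` and `head_object` responses. The bucket data, object keys and the `min_days_left` threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def audit_object_lock(bucket_cfg, versioning, objects, now, min_days_left=30):
    """Return findings for a sample of backup objects; [] means the sample passed.

    min_days_left is a hypothetical runbook threshold, not a vendor setting.
    """
    findings = []
    lock = bucket_cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("bucket: Object Lock is not enabled")
    if versioning.get("Status") != "Enabled":
        findings.append("bucket: versioning is not enabled (Object Lock requires it)")
    for key, head in objects.items():
        mode = head.get("ObjectLockMode")
        until = head.get("ObjectLockRetainUntilDate")
        if mode is None or until is None:
            findings.append(f"{key}: no retention set, deletable at any time")
            continue
        if mode != "COMPLIANCE":
            # GOVERNANCE retention can be lifted by any principal holding
            # s3:BypassGovernanceRetention, so a compromised admin defeats it.
            findings.append(f"{key}: {mode} mode can be bypassed by a privileged principal")
        if until - now < timedelta(days=min_days_left):
            findings.append(f"{key}: lock ends {until:%Y-%m-%d}, under {min_days_left} days left")
    return findings


# Constructed sample data (not taken from any real tenant or bucket).
NOW = datetime(2026, 4, 22, tzinfo=timezone.utc)
BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
VERSIONING = {"Status": "Enabled"}
OBJECTS = {
    "sample/obj-1": {"ObjectLockMode": "COMPLIANCE",
                     "ObjectLockRetainUntilDate": NOW + timedelta(days=90)},
    "sample/obj-2": {"ObjectLockMode": "GOVERNANCE",
                     "ObjectLockRetainUntilDate": NOW + timedelta(days=90)},
    "sample/obj-3": {"ObjectLockMode": "COMPLIANCE",
                     "ObjectLockRetainUntilDate": NOW + timedelta(days=3)},
    "sample/obj-4": {},  # written without any lock
}

if __name__ == "__main__":
    for finding in audit_object_lock(BUCKET, VERSIONING, OBJECTS, NOW):
        print(finding)
```

Run it against a sample of recently written backup objects and file the empty findings list with the quarterly restore-test record.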

If you want help with this

Picking, deploying, and validating M365 backup is standard work for us. We do it as a 4-week project or as part of broader managed-IT engagements. The free IT health check includes a backup-coverage review — we’ll tell you exactly what’s protected, what isn’t, and the cost delta to close the gap.

Further reading

  • Volume 1: MFA rollout. Backup protects against breach; MFA reduces the probability you need it.
  • Volume 7: Shadow AI & Copilot data residency. Where backup meets AI: what happens to data you’ve given Copilot?
  • Cloud & Backup services — the managed-IT service that runs this end-to-end.