Someone says we don't need M365 backup because SharePoint keeps versions.

SharePoint version history is great for 'oops, I overwrote this document', not for ransomware, mass-delete, or an ex-employee deliberately wiping their workspace. Versions live in the same tenant as the original, so anything that hits the tenant hits the versions too.

Try this first

1. 1Confirm what version history can do: restore an earlier file within the same site, provided the file itself still exists. For a deleted item you have to recover from recycle bin first, then pick a version.
2. 2Test what it can't do: restore an encrypted site after ransomware, recover an accidentally deleted site collection, or mass-undelete hundreds of items in one go without a script.
3. 3The default version limit on SharePoint Online is 500 major versions per item. Ransomware that touches each file once burns one version, fine. Ransomware that touches it 500 times wipes your history.
4. 4The site-collection recycle bin keeps deleted items for 93 days. After that, gone. For longer retention you need a real backup or a retention policy with proper duration.
5. 5Document the difference between 'undo' (versions/recycle bin) and 'backup' (an independent copy outside the tenant) for your leadership. Version history is undo, not backup.
6. 6Roll out 3rd-party M365 backup (Veeam, AvePoint, Dropsuite) when you want an independent copy outside the tenant. That is backup.

None of the above fits?

Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.