We’re excited to announce that Protection Unit Offboarding (aka backup deletion) is now available! This feature empowers organizations to manage their backup data with greater precision, compliance, and control.
Why does this matter?
It’s been a popular request from customers and ISV partners to delete specific SharePoint sites or OneDrive accounts, particularly in scenarios involving compliance, cost management, and operational agility. Up until now, Microsoft 365 Backup only supported product-level offboarding—meaning you could discontinue the service or switch providers, but not delete backups at the individual SharePoint site, Exchange mailbox, or OneDrive account level. This posed challenges for customers needing to do the following:
- Meet regulatory requirements for deleting personally identifiable information (PII) when users leave.
- Correct accidental data inclusion due to automation or manual errors.
- Adapt to changing business policies, such as discontinuing Exchange backups while retaining SharePoint.
- Purge backups when transferring to a new provider.
- Manage licenses and costs by removing unnecessary protection units.
What’s available in Protection Unit Offboarding (aka backup deletion)?
Here’s a quick summary of what’s available in this new feature:
- Targeted deletion: Delete backups at the protection unit or policy level, reducing storage costs and supporting compliance.
- Error prevention: Avoid accidental retention of data from automation or manual mistakes.
- Business agility: Easily adapt backup configurations as your needs evolve.
Admin overview
Admins can initiate backup deletion for single or multiple protection units using Microsoft Graph APIs or PowerShell Cmdlets—enabling end-to-end automation and seamless integration into existing workflows.
Guardrails for security and compliance
- Grace periods: All purge requests have a grace period (typically 30–90 days) for review or cancellation.
- Notifications: System-generated alerts keep admins informed at every stage.
- Role-Based Access Control (RBAC): Only authorized admins can initiate offboarding.
- Audit events: Every action is logged for compliance and traceability.
How to offboard a site, mailbox, or OneDrive
Here’s a quick step-by-step guide to using this backup capability:
- Identify the protection unit:
Use Microsoft Graph API or PowerShell to find the correct protection unit ID. - Remove from policy:
Unassign the unit from any backup policy to set its state to unprotected. - Initiate offboarding:
Use the offboard API or PowerShell cmdlet to start the process. Notifications will be sent. - Monitor grace period:
Review or cancel the request if needed. All actions are logged. - Confirm deletion:
After the grace period, the unit and backups are permanently deleted. Attempting to access deleted data will confirm successful offboarding.
For detailed technical steps and troubleshooting, refer to Protection Unit Level Offboarding page and Protection Unit Level Offboarding Microsoft Graph APIs page on Microsoft Learn.
What’s next?
This feature is now generally available for all Microsoft 365 Backup customers. Haven’t set up Microsoft 365 Backup yet? Get started today!
Future enhancements will include partial purges, bulk actions by department or region, exclusion lists, and improved notifications. Stay tuned!
- Diksha Upadhyay
Diksha is a Senior Product Manager on the Microsoft 365 Backup team
Microsoft