
Backup & Microsoft 365: Why Retention ≠ Backup

At the center of daily operations for medical, dental, financial, and SMB teams across Middle Tennessee is Microsoft 365. Email, OneDrive files, SharePoint sites, Teams channels—you depend on them every minute of the day.

As a security-first MSP serving healthcare and compliance-driven organizations in Middle Tennessee, we see one misunderstanding all the time: the belief that Microsoft backs all of that data up for you. And the risk is real: one wrong click or misconfigured retention policy can wipe out months of critical business data with no way back.

The Myth: "Microsoft 365 Already Backs Up Everything."

Let's clear this up.

Microsoft 365 does an excellent job with:

  • Redundancy (Microsoft keeps its cloud online)
  • High availability
  • Native retention policies for compliance
  • Basic recycling bin recovery

But Microsoft is very clear: you are responsible for your data.

This is the Shared Responsibility Model, and it applies to:

  • Exchange Online (email)
  • OneDrive
  • SharePoint
  • Microsoft Teams
  • Planner / To Do
  • Archived mailboxes / terminated employee data

If a user deletes data—intentionally or accidentally—retention policies only help if they were configured in advance and the retention window hasn't expired.

This poses a major compliance challenge for healthcare practices, financial institutions, and any business required to retain records for 6+ years.

Retention vs Backup: What's the Actual Difference?

Retention holds data for a window of time:

  • 14-30 days for deleted OneDrive files
  • 93 days for SharePoint sites
  • Configurable multi-year retention (if licensed and appropriately configured)

Retention manages lifecycle—it does not create a separate, immutable backup copy.

Backup: A Separate, Independent, Recoverable Copy

A proper Microsoft 365 backup solution provides:

  • Point-in-time recovery (restores data from any date)
  • Immutable backups (cannot be overwritten by ransomware or bad actors)
  • Cross-user restore (pull data even from terminated accounts)
  • Granular recovery (single file, folder, or mailbox)
  • Long-term retention for HIPAA/PCI/FTC audits
  • Independent storage outside the Microsoft cloud

That last point is huge: if your Microsoft 365 tenant is compromised, retention won't save you—but a backup stored in an independent system will.

Why This Matters in Healthcare & Compliance

Healthcare and other regulated industries must prove:

  • Data availability
  • Data integrity
  • Recoverability
  • Retention timelines

HIPAA and NIST both emphasize encrypted backups, tested restores, and documented recovery procedures (aligned with HICP & NIST 800-66 guidance).

FTC Safeguards and PCI require the same—written policies + verified backup testing.

Retention alone cannot meet these requirements, because regulators expect:

  • Evidence of backup success logs
  • Evidence of restoration tests
  • A defined RPO/RTO
  • Written backup procedures
  • Protection from ransomware

So, if your practice or business relies only on retention, you are one bad click away from a compliance incident.

How to Set RPO & RTO for Microsoft 365

RPO (Recovery Point Objective)

How much data can you afford to lose?

Example:

If your RPO is 4 hours, your backup must take snapshots at least every 4 hours.

RTO (Recovery Time Objective)

How long can you afford to be down while recovering data?

Example:

If your RTO is 2 hours, your recovery plan must restore files or mailboxes within that timeframe.

Quarterly Test Restores: The Step Most Providers Skip

Backups only matter if you can restore them.

That's why Johnson BTS performs quarterly restore testing for compliance-heavy clients:

  • Pull random files, folders, or mailboxes
  • Restore from various dates
  • Validate integrity
  • Document results for compliance audits
  • Update the disaster recovery plan

HIPAA, NIST, and HICP all emphasize testing, not just "having a backup".

And too many businesses discover during a crisis that their backup:

  • Didn't include all users
  • Didn't run properly
  • Didn't capture SharePoint libraries
  • Was storing data unencrypted
  • Couldn't recover the needed version

Quarterly testing eliminates those surprises.
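As an added example (not the article's or Johnson BTS's own tooling), this Python script turns the RPO/RTO examples above and the quarterly restore-test evidence into a check an auditor could rerun: it computes the achieved RPO per workload from a backup-job log, treating failed jobs as non-recovery-points and flagging workloads with no usable snapshots, and compares restore-test timings against the 2-hour RTO. The log format, workload names and timestamps are constructed assumptions, not any backup product's real output.

```python
from datetime import datetime
RPO_HOURS, RTO_HOURS = 4, 2  # the article's example objectives
WORKLOADS = ("Exchange", "OneDrive", "SharePoint", "Teams")
# Constructed backup-job log (not real data): "timestamp workload status".
# Teams never appears, SharePoint ran only once, and one OneDrive job failed.
BACKUP_LOG = """\
2024-03-01T00:05:00 Exchange SUCCESS
2024-03-01T00:07:00 OneDrive SUCCESS
2024-03-01T00:09:00 SharePoint SUCCESS
2024-03-01T04:05:00 Exchange SUCCESS
2024-03-01T04:07:00 OneDrive FAILED
2024-03-01T08:05:00 Exchange SUCCESS
2024-03-01T08:07:00 OneDrive SUCCESS
"""
# Constructed restore-test records (not real data): "workload start finish".
RESTORE_TESTS = """\
Exchange 2024-03-15T09:00:00 2024-03-15T10:20:00
OneDrive 2024-03-15T11:00:00 2024-03-15T13:30:00
"""
def hours_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def achieved_rpo(log=BACKUP_LOG, workloads=WORKLOADS):
    """Max hours between consecutive SUCCESSFUL snapshots per workload (None if fewer than two)."""
    points = {w: [] for w in workloads}
    for line in log.splitlines():
        ts, workload, status = line.split()
        if status == "SUCCESS" and workload in points:  # a FAILED job is not a recovery point
            points[workload].append(ts)
    gaps = {}
    for w, stamps in points.items():
        stamps.sort()  # ISO-8601 strings sort chronologically
        deltas = [hours_between(a, b) for a, b in zip(stamps, stamps[1:])]
        gaps[w] = max(deltas) if deltas else None
    return gaps

def audit_findings(rpo_hours=RPO_HOURS, rto_hours=RTO_HOURS, log=BACKUP_LOG, tests=RESTORE_TESTS):
    """Evidence gaps an auditor would flag against the stated RPO and RTO."""
    out = []
    for w, gap in achieved_rpo(log).items():
        if gap is None:
            out.append(f"{w}: fewer than two successful snapshots in log")
        elif gap > rpo_hours:
            out.append(f"{w}: {gap:.1f}h between recovery points exceeds {rpo_hours}h RPO")
    for line in tests.splitlines():
        w, start, end = line.split()
        took = hours_between(start, end)
        if took > rto_hours:
            out.append(f"{w}: restore took {took:.1f}h, RTO is {rto_hours}h")
    return out
```

Run against real job and restore-test exports, the findings list is the kind of documented evidence the audit bullets above ask for; an empty list is the pass condition.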

Real-World Failure Scenarios We See (Retention Won't Save You)

1. Employee deletes their entire OneDrive before leaving

Retention doesn't cover everything—and often doesn't apply after 30-93 days.

2. Ransomware hits a synced OneDrive folder

Sync = ransomware spread.

Backup = clean versions to restore.

3. SharePoint admin accidentally deletes a site collection

After 93 days, it's unrecoverable without backup.

4. Global admin account compromised

Attackers often delete or corrupt retention policies.

5. Email mailbox corruption

Retention cannot restore a mailbox to a healthy point-in-time state.

6. Legal or audit requests for data from 3+ years ago

Retention is not long-term archival unless extremely custom-tailored.

These incidents are common, not rare—and retention alone does not protect you.

What a Proper Microsoft 365 Backup Solution Should Include

A complete solution includes:

  • Automatic snapshot backups (2-6 times per day)
  • Separate off-platform storage
  • Encryption at rest and in transit
  • Immutable storage (cannot be altered)
  • Support for Exchange, OneDrive, SharePoint, Teams
  • Unlimited retention or 7+ year archival
  • Granular recovery (single file to full restore)
  • Self-service or helpdesk-assisted restore options
  • Automated reporting for compliance

If your business touches healthcare, finance, or sensitive data, these features are not "nice to have"—they're required for risk reduction.

How Johnson BTS Protects Microsoft 365 Data

As a HIPAA-verified, security-first IT provider with 70+ years combined experience in healthcare & compliance-driven environments, our backup strategy includes:

  • Secure Backup Deployment - Encrypted, immutable, off-platform backups for all users and shared resources.
  • Defined RPO/RTO for Each Department - We tailor recovery objectives to clinical, administrative, financial, or executive needs.
  • Quarterly Restore Testing - Documented evidence for HIPAA, PCI, FTC, and internal audits.
  • Continuous Monitoring - Verification that backups run successfully with alerts on failures.
  • Disaster Recovery Integration - Backup aligns with your broader continuity plan so recovery is predictable—not reactive.

This aligns with the security-first, proactive model Johnson BTS is known for.

Retention Is Not Backup—And Your Business Needs Both

Microsoft 365 retention is a helpful safety net. A proper backup is your lifeline.

Ready to Protect Your Microsoft 365 Data?

If you want a clear, HIPAA-ready, audit-proof Microsoft 365 backup plan—built around your RPO/RTO needs—Johnson BTS can help.
