How to use Microsoft 365 Retention Policies and Labels


Are you struggling to stay compliant with industry regulations and company policies when it comes to managing your organization’s data? Look no further, because Microsoft 365 retention can help you stay compliant and secure. Microsoft Purview Data Lifecycle and Records Management provides powerful tools to enable you to automatically retain or delete content based on your retention schedules.

In this blog, I will walk you through the basics of setting up retention policies and labels in Microsoft 365, so you can start meeting regulatory requirements and protecting your organisation’s sensitive information.

What is data retention?

Data retention refers to the practice of preserving certain data for a designated period of time. It involves identifying, classifying, and storing data in such a way that enables organisations to meet legal and regulatory requirements, as well as internal policies. This practice helps organisations keep records of their operations and activities and to respond to legal or regulatory investigations and audits.

As a result, organisations can keep the data they need to fulfil their legal and regulatory obligations while being able to dispose of all data that is no longer required.

How does Microsoft 365 retention work?

Microsoft Purview Data Lifecycle Management offers a wide range of retention capabilities that allow organisations to manage, preserve, and dispose of their data to minimise risk and remain compliant with regulations. With Microsoft 365, you can set up retention policies that automatically delete data after a specified period, hold data in place for a certain amount of time, or both. This allows you to manage your data more effectively, comply with regulations and ensure that you are not retaining unnecessary data.

The retention setting allows you to either:

• Retain the content forever or for a specific duration to protect it from accidental or malicious deletion. For example, keep data for two years.

• Delete the content after the retention period. For example, delete Teams chat messages after 2 years or delete personally identifiable data after two years.

• Retain and then delete after a period of time. Records managers, for example, must follow a retention schedule to keep records for a specified duration and then delete them.

How do Microsoft retention settings work with content in place?

A key benefit of Microsoft 365 retention is that users continue to work on files and emails as usual because retention rules apply to the content in its current location.

In a scenario where the retention rules retain, or retain and delete content, then when a user edits or deletes content, the system automatically copies the original content to a hidden folder that is not visible to users.


When the retention period expires, and the rules are to retain only, then the system deletes the copies of the data, and the original remains in place. However, if the rules are to retain and delete, then the system deletes the original and any copies.

The retention and deletion workflows differ depending on the workload. Microsoft provides detailed guidance if you require more details.

Learn about retention for SharePoint and OneDrive – Microsoft Purview (compliance) | Microsoft Learn

Learn about retention for Exchange – Microsoft Purview (compliance) | Microsoft Learn

Learn about retention for Teams – Microsoft Purview (compliance) | Microsoft Learn

Learn about retention for Yammer – Microsoft Purview (compliance) | Microsoft Learn

What are the Microsoft 365 retention capabilities?

Microsoft Purview provides several options to support your data lifecycle and record management requirements.

Retention policies

You apply retention policies at the container location, such as mailboxes, SharePoint sites, Teams etc. and all content in the container inherits the retention settings. If you subsequently move any content to another location, then the content is subject to the retention policy in the new location. The retention policies can retain content, delete content, or retain and delete content based on the content creation date or last modified date (files only).

For example, a retention policy can be defined that automatically deletes all Team chats older than two years, or a retention policy that retains all SharePoint site content for 1 year.

With E5 licensing, Adaptive scopes can target the retention policies to specific groups of users, sites or Microsoft 365 groups based on queries such as all users in the HR department or all sites related to HR. Because the Adaptive scopes are dynamic, the rules automatically add or remove users, sites or groups from the Adaptive scope. This allows you to target retention policies to specific groups, e.g. HR users’ mailboxes or UK-based SharePoint sites.

It is possible that some locations are subject to multiple policies; for example, a user’s Teams chats are in the scope of two policies.

  1. All SharePoint sites – retain 1 year.
  2. All HR-related sites – retain 3 years.

In this scenario, the rules of retention apply. See the section below.

Retention labels

Retention labels are a way to apply retention policies to specific items, such as emails or documents. With retention labels, you can apply retention policies to individual items, such as a file or email, rather than applying the policy to an entire mailbox or site. This allows you to create multiple labels so you can be more granular in your data retention and compliance management. Retention is based on the content creation date or last modified date (files only). Additionally, with E5 licensing, retention can start on an event, for example a project end date.

You need to publish the labels to all locations, a subset of locations or Adaptive scope locations (if you have E5 licensing) before the labels are visible.

Once published, users can add retention labels to their content. Note that you can only apply one retention label to an item at any time. Additionally, with E5 licensing, you can automatically apply a default retention label to a SharePoint document library or automatically apply labels based on metadata.

Furthermore, you can use retention policies and retention labels together. For example, a user adds a retention label to an email to retain it for 10 years, while the retention policy associated with the user’s mailbox only retains data for 1 year.

Record Labels

With E5 licensing, you can use retention labels to retain your electronic records in Microsoft 365 in accordance with your records schedule before formally disposing of the records. This includes:

  • Making a record immutable
  • Automated labelling
  • Start retention based on an event, e.g. project closed.
  • Disposition management
  • Proof of disposition

Holds

Holds are also a form of retention that retains the content indefinitely. You can use holds to preserve content subject to legal or regulatory requirements. This content can be email threads, Teams messages, documents, or a broader set of content, such as all emails related to a particular case. The content is on Hold until the Hold is released or the eDiscovery case is closed.

What types of Microsoft 365 data can be retained?

The key locations support Microsoft 365 retention. However, it is important to note that some applications, such as Planner and Forms, do not support retention.

The table below shows where you can use Microsoft 365 retention policies and retention labels.

What data is in scope of Microsoft 365 Retention

What are the rules of Microsoft 365 retention?

Content can be subject to multiple retention policies and be classified with a retention label. Therefore, Microsoft has defined retention principles to determine what happens to that content.

Microsoft 365 principles of retention
Original Source Microsoft

Retention wins over deletion example

An item is subject to two retention policies

  • Retention policy 1 deletes content after 1 year.
  • Retention policy 2 retains content for 2 years.

In this scenario, the retention period in policy 2 is the longest, so the retention period is 2 years. When the retention period expires, the content is deleted as per policy 1.

Longest retention wins example

An item is subject to two retention policies and a retention label

  • Retention policy 1 retains content for 1 year.
  • Retention policy 2 retains content for 10 years.
  • Retention label retains the item for 2 years.

In this scenario, retention policy 2 has the longest retention so the retention period is 10 years.

Explicit wins over implicit for deletions example

An item is subject to

  • Retention policy 1 deletes content after 1 year
  • Retention label deletes the item after 3 years.

In this scenario, because a retention label is explicitly applied, the label rules apply. The item is deleted after 3 years.

Shortest deletion wins example

An item is subject to two retention policies

  • Retention policy 1 deletes content after 1 year
  • Retention policy 2 deletes content after 2 years.

In this scenario, the shortest deletion period wins, so the item is deleted after 1 year.

Note: eDiscovery, Litigation and In-Place Holds retain content indefinitely. They therefore win under both the "retention wins over deletion" and the "longest retention wins" principles.

I recommend using the Microsoft flowchart to understand your retention and deletion rules. See Flowchart to determine when an item is retained or deleted – Microsoft Purview (compliance)
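The four worked examples and the note on holds above can be checked mechanically. The following Python is an added example, not Microsoft's code or part of the original post: the `Setting`, `Outcome` and `resolve` names are assumptions, and it models only the principles as this page states them, not every branch of Microsoft's flowchart.

```python
import math
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class Setting:
    """One retention setting on an item (hypothetical model, not a Microsoft type)."""
    source: str                                 # "policy", "label" or "hold"
    retain_years: Optional[float] = None        # None = this setting does not retain
    delete_after_years: Optional[float] = None  # None = this setting does not delete

@dataclass(frozen=True)
class Outcome:
    retain_years: float               # math.inf while a hold applies
    delete_at_years: Optional[float]  # None = nothing deletes the item

def resolve(settings: Sequence[Setting]) -> Outcome:
    labels = [s for s in settings if s.source == "label"]
    if len(labels) > 1:
        raise ValueError("only one retention label can apply to an item")
    # Holds retain indefinitely, so they beat every retain or delete setting.
    if any(s.source == "hold" for s in settings):
        return Outcome(math.inf, None)
    # Longest retention wins, across policies and the label.
    retain = max((s.retain_years for s in settings if s.retain_years is not None), default=0)
    # Explicit wins over implicit: the label's delete period beats policy deletes.
    label_del = [s.delete_after_years for s in labels if s.delete_after_years is not None]
    policy_del = [s.delete_after_years for s in settings
                  if s.source == "policy" and s.delete_after_years is not None]
    # Shortest deletion wins among policies when no label deletes.
    delete = label_del[0] if label_del else min(policy_del, default=None)
    # Retention wins over deletion: deletion waits until retention has expired.
    return Outcome(retain, None if delete is None else max(retain, delete))

# Constructed inputs: the page's four worked examples plus a hold.
P, L = "policy", "label"
EXAMPLES = {
    "retention wins over deletion": [Setting(P, delete_after_years=1), Setting(P, retain_years=2)],
    "longest retention wins": [Setting(P, 1), Setting(P, 10), Setting(L, 2)],
    "explicit wins over implicit": [Setting(P, delete_after_years=1), Setting(L, delete_after_years=3)],
    "shortest deletion wins": [Setting(P, delete_after_years=1), Setting(P, delete_after_years=2)],
    "hold": [Setting(P, delete_after_years=1), Setting("hold")],
}

if __name__ == "__main__":
    for name, settings in EXAMPLES.items():
        print(f"{name}: {resolve(settings)}")
```

Feeding your own planned policies and labels through `resolve` before deployment shows where a short delete policy would be overridden by a longer retain setting, or where a label changes the deletion date.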

Where do I configure Microsoft 365 retention policies and labels?

You can create retention policies and retention labels in the Microsoft 365 Purview Center, via PowerShell, or via the new Microsoft Graph APIs for retention. See Use the Microsoft Graph records management API – Microsoft Graph beta | Microsoft Learn.

You need to be assigned the Records Management role to create retention policies and labels. There is also a View-Only Record Management role that allows you to view the retention configurations. For details on the roles and role groups, see Permissions in the Microsoft Purview compliance portal – Microsoft Purview (compliance) | Microsoft Learn

What licensing do I need?

The Microsoft 365 retention capabilities depend on your Microsoft 365 licensing. The Microsoft web page Microsoft 365 guidance for security & compliance – Service Descriptions | Microsoft Learn provides a detailed overview of the Microsoft Purview Data Lifecycle Management functionality and licensing.

Make sure you understand the difference between retention policies, retention labels and the principles of retention.

How do I get started with Microsoft 365 retention?

Implementing retention policies in Microsoft 365 can help organisations to improve their security and compliance posture and protect sensitive data. The implementation is a multi-step process that requires proper planning and execution. Here are the key steps for planning to implement retention in Microsoft 365:

Assess your current data management needs

Undertaking an initial assessment before implementing retention policies in Microsoft 365 is an essential step in the process, as it helps you to understand your current data retention needs.

  • Identify what data is stored where and who the business owners are.
  • Understand your organisation’s legal and regulatory requirements.
  • Analyse current data management practices.
  • Establish what data you need to keep, for how long and what data can be deleted.
  • In addition, identify the types of data that need to be preserved for legal or regulatory purposes.

Understand Microsoft Purview Data Lifecycle Management capabilities

Understand how retention and deletion work across different workloads in Microsoft 365, and the different use cases for retention policies, retention labels, records management and holds.

Based on your assessment, map your retention requirements to the appropriate technical controls to create your retention schedule.

Develop and test your retention schedule

Test your retention policies & labels to ensure that they work as intended and meet your organisation’s data retention needs.

Monitor the retention policies and labels to ensure that they are being applied correctly and that data is being retained or deleted as intended.

Consider a phased implementation of retention labels and policies

Start with the basic scenarios first, for example policies that apply to locations such as mailboxes or Teams chats.

Create retention labels and policies to retain and/or delete data.

Ensure you have checked your policies and labels against the principles of retention flow chart to confirm there are no unexpected behaviours.

Phase your deployment by targeting key departments or data locations.

Provide user adoption and training so users know how to assign the retention labels and policies to the appropriate data, such as email, SharePoint sites, or files.

Review and update your retention policies

Review your retention policies regularly to ensure they still meet your organisation’s data management needs. Update the policies as needed to reflect changes in your organisation’s data management needs or to comply with new regulations.

Summary of Microsoft 365 retention

Microsoft 365 Retention Policies and Labels are powerful tools in Microsoft 365 that can help you effectively manage your data retention to ensure that you retain only the information you need and stay compliant with regulations. Want to know more? Watch a short video on the subject of Retention Policies and Retention Labels on Empowering.Cloud.

Microsoft reference

Microsoft Purview Data Lifecycle Management 
