
Microsoft Purview Records Management has become a critical priority for organizations adopting AI tools like Microsoft 365 Copilot. Because Copilot surfaces everything a user can access, including redundant, obsolete, and trivial (ROT) data, weak governance now directly translates into productivity loss, compliance risks, and potential legal exposure.
In a recent episode of All Things M365 Compliance, I joined Ryan John Murphy and Susan Lamb, Principal Data Governance SME at Infotechtion and former global records management lead at Shell, to explore how Microsoft Purview has evolved and what practical steps organizations must take to clean up their data estate.
🧭 The Evolution of Records Management in Microsoft 365
Microsoft 365 has evolved significantly from its early days of basic records management. Today, it provides a comprehensive suite of capabilities—including retention labels, policies, auto-classification, and adaptive scopes. However, with more functionality comes greater complexity for organizations.
“Ten or twelve years ago, it was very basic records management. Today, M365 offers a rich range of tools, from record labels to retention policies, so businesses can retain valuable information and delete what they don’t need.”
— Susan Lamb
Organizations often struggle to choose the right tool for the job. Retention policies are popular because they apply across workloads, but retention labels offer more granular control at the file level.
“Most people gravitate to retention policies because they’re workload-wide. But when you’ve got file-level requirements, retention labels give you much more control.”
— Ryan John Murphy
⚠️ Why AI and Copilot Make Governance Urgent
AI doesn’t create new risks; it exposes existing ones. Because Copilot surfaces everything users already have access to, unmanaged ROT will directly reduce the quality and trustworthiness of AI outputs.

“Many customers migrated everything to the cloud without deleting ROT. Now Copilot surfaces this outdated information, and leaders are asking why their AI results don’t make sense.”
— Nikki Chapple
“AI is rubbish in, rubbish out.”
— Susan Lamb
To ensure trustworthy AI results, organizations must clean and govern their data now, not later.
🔍 Retention, Preservation, and Disposition – What’s the Difference?
Understanding the lifecycle of records is key to defensible governance in Microsoft Purview records management:

- Retention (labels or policies): Define how long records are kept, whether they are automatically deleted, or require review at the end of the period.
- Preservation (litigation/eDiscovery holds): Protect data in place for legal or regulatory purposes, ensuring immutability.
- Disposition: Provide a defensible, auditable process for permanently deleting records once obligations are met.
“You wouldn’t put everything on preservation hold just to keep it. Retention and preservation are different, but they work together for defensible disposition.”
— Susan Lamb
“Too many customers use eDiscovery holds as a blanket solution. That’s not governance, it’s a storage problem waiting to happen.”
— Ryan John Murphy
🌍 Simplifying Global Records Schedules
Global organizations often face thousands of retention requirements. At Shell, Susan led an initiative that reduced more than 5,000 retention categories down to just 180 grouped record types, dramatically simplifying governance.
“Simplicity is key. You don’t need every country’s laws mapped into Purview. Focus on big bucket schedules, adaptive scopes, and provisioning processes that show only relevant record labels to the right sites.”
— Susan Lamb
“When you provision a new Team or SharePoint site, capture metadata about its purpose, i.e. HR, Finance, Projects, and then apply adaptive scopes to show only the relevant record labels. That keeps governance practical for users.”
— Nikki Chapple
🗑️ Best Practices for Disposition Reviews
Disposition reviews often stall because users default to keeping everything. Susan shared a pragmatic approach:
“Out of 180 record types, only about 10 required disposition review. The rest had definite retention periods. If your review process isn’t working, you’re basically keeping it indefinitely.”
The key principle: disposition review should be the exception, not the default. Most content can and should be governed by definite retention rules.
✅ Top Tips for Records Management in Microsoft Purview
Here are seven practical steps to strengthen your governance program:
1️⃣ Eliminate ROT early
Clean up redundant, obsolete, and trivial data now—don’t wait for Copilot to surface it.
2️⃣ Use “big bucket” retention schedules
Simplify thousands of rules into a manageable set of record types.
3️⃣ Leverage adaptive scopes
Automatically target labels using metadata such as HR, Finance, or Project.
4️⃣ Differentiate retention and preservation
Retention governs lifecycle; preservation protects legal or regulatory interests.
5️⃣ Automate classification
Use Purview auto-labelling with sensitive info types or trainable classifiers to reduce user burden.
6️⃣ Streamline disposition reviews
Reserve reviews for exceptional cases; rely on definite retention rules elsewhere.
7️⃣ Engage the right stakeholders
Records management is a business decision. Involve Legal, Compliance, and business leaders—not just IT.
❓ FAQ: Microsoft Purview Records Management
Which Microsoft 365 license do I need for Records Management?
Core retention policies and labels are included in Microsoft 365 E3. Advanced features, such as event-based retention, disposition review, proof of disposition, adaptive scopes, and auto-labelling, require Microsoft 365 E5 or the Microsoft 365 E5 Compliance add-on.
What’s the difference between retention labels and retention policies?
Retention policies apply at the workload level (e.g., all mailboxes in Exchange, all sites in SharePoint). Retention labels apply at the item level (e.g., an individual document or email), providing more granular control.
How is preservation hold different from retention?
Preservation holds protect data for legal reasons. Retention ensures business records are kept for the right duration.
Do I really need disposition reviews?
Not always. Use them only when data requires validation before deletion.
How does Gen AI, such as Copilot, impact records management?
Copilot doesn’t override permissions, but it does surface everything a user has access to. That means poorly governed, outdated, or ROT content will show up in results, reducing AI quality and trust.
Who should own records management in Microsoft 365?
Not just IT. It requires Legal, Compliance, Data Protection Officers, and business leaders.
📌 Key Takeaways
- Data quality underpins AI: Clean data ensures Copilot delivers trustworthy results.
- Simplify: Use “big bucket” retention schedules and make governance practical for users.
- Retention ≠ Preservation: Apply the right mechanism for the right scenario.
- Disposition reviews = exception: Default to definite retention rules.
- Cross-functional ownership: Records management is a strategic business decision, not just an IT responsibility.
“This is not owned by IT. Records management in Purview is a strategic business decision that requires stakeholders from across the organization.”
— Nikki Chapple
🎥 Want Real-World Insights on Records Management?
👉 Watch the All Things M365 Compliance episode with Susan Lamb, Ryan John Murphy and Nikki Chapple.