This is the first of three posts that describe the main elements involved in setting up SharePoint Online to manage records.
This post focuses on the recordkeeping related elements in the Office 365 and Compliance admin portals:
- Office 365 Admin – Licences, Roles and AD Groups (including Office 365 Groups)
- Compliance Admin – Retention labels and policies (and some more options)
The second post focuses on SharePoint Online Admin centre configuration.
The third and last post focuses on SharePoint site collection provisioning and configuration to manage records.
Office 365 admin center
The main elements that impact on the management of records in Office 365 are Users (for licences), Roles and Groups, as can be seen in the screenshot.
Users – licencing and applications
Organisations that acquire Office 365 will generally have the relevant licences required (a) to set up and administer SharePoint Online, and (b) for users to use it (and OneDrive for Business).
This post assumes that organisations will have at least an E3 licence which includes SharePoint for end users, visible as an app when they log on to https://office.com, along with all other applications included in the licence, for example Exchange/Outlook, OneDrive for Business, MS Teams and so on. End users with access to these items will also be able to download and use the equivalent mobile device apps.
The three key roles that impact on the management of records in SharePoint are as follows:
Global Admin (GA)
- Are responsible for managing the entire Office 365 environment. This includes creating new Groups (Security Groups, Distribution Lists and Office 365 Groups).
- Are responsible for assigning key roles, including the SharePoint Administrator and Compliance Administrator (and other roles).
- May have responsibility for, and/or the skills and knowledge required to set up and administer SharePoint Online and create new sites for the organisation.
- May also be able to create and publish retention policies in the Compliance admin portal.
Note – Organisations that outsource the administration of Office 365 should always have at least one GA account to access the tenant if ever required. If they don’t have a log on, they should have or acquire a very good understanding of the access and privileges afforded to the outsourced company.
SharePoint Administrator (SP Admin)
The SP Admin role will usually be a ‘system’ role that is responsible for managing the SharePoint environment, including OneDrive for Business. As noted above, a GA with the right skills can also manage the SharePoint environment.
Generally speaking, SharePoint Administrators will focus on the technical and configuration aspects of SharePoint. They are not usually responsible for confirugint SharePoint to manage records, managing records, or creating and publishing retention policies. This role usually falls to either the GA or Compliance Administrator.
The Compliance Admin role is responsible, among other things, for the creation and publishing of retention labels and policies in the Compliance Admin portal. A GA can perform this role (along with all other roles) if required.
Compliance Admins will usually be responsible for disposition reviews linked with retention labels, and be involved in eDiscovery cases.
The Compliance Admin can search and view the audit logs for all activity across Office 365 and can carry out broad content searches with the ability to export the content of those searches. As this role is relatively powerful, it should be limited to key senior individuals in the organisation.
Office 365 and Security Groups
Office 365 Groups are Azure/Exchange objects just like Security Groups and Distribution Lists. Accordingly, there should be controls around their creation, including naming conventions.
As every Office 365 Group has an associated SharePoint site, organisations should consider restricting the ability for end users to create Office 365 Groups, and only allowing Global Admins and members of a Security Group to do this. Neither SharePoint Admins or Compliance Admins would normally create AD Groups.
If the ability to create Office 365 Groups is not restricted, an Office 365 Group will be created with an associated SharePoint site whenever:
- A new Team is created in MS Teams.
- A new Group is created from Outlook.
- A new Yammer Group/Community is created.
The ability to share content externally from SharePoint and OneDrive for Business is controlled from the Office 365 Admin portal. This is a global setting that can be disabled by the Global Admins if required.
It is assumed, for the purpose of this post, that that setting is enabled to allow external sharing.
Note that enabling external sharing at the global level does not enable it globally for all SharePoint sites; sites must be individually modified to allow it.
The Compliance admin portal can be accessed by the GAs and also the Compliance Admins (and some other roles). It is where retention labels and policies are created (in line with the corporate file plan/BCS) and published, and disposition reviews are undertaken, so records managers need access.
Other options in this section that relate to the management of records include the audit logs, content search and eDiscovery.
Retention policies may be applied to all the key workloads in Office 365 where records are stored:
- Exchange Online
- SharePoint Online
- OneDrive for Business
- MS Teams
- Office 365 Groups
Retention labels published as retention policies are visible to and can be applied by end-users. Generally these are more likely to be applied at the document library level rather than to individual records, or in mailboxes or OneDrive for Business.
Retention policies that are not based on labels may be applied to all, or parts of, the four workloads listed above. For example, they may be applied to all, or a sub-set of Exchange mailboxes or OneDrive for Business accounts, or SharePoint sites. Retention policies may also be applied to individual or team chats in MS Teams.
Organisations seeking to use retention policies in Office 365 should understand how these work, have a plan for their implementation, and keep track of what has been applied where.
- Retention policies for all mailboxes or all ODfB accounts may replace previous on-premise backup options for those workloads. It is unlikely that end-users will (or will want to) apply retention labels published as policies to individual emails or folders in mailboxes or OneDrive.
- SharePoint sites are likely to have either or a combination of explicit and implicit/invisible retention policies. Implicit, single period retention policies may be more suitable for entire smaller, short-lived SharePoint sites. Explicit retention policies may be more suitable for the diverse range of content on more complex and long-lasting sites. Some sites may be created and populated around the need to keep a particular type of record for a long period of time – for example, employee records.
The Office 365 audit logs are found in the Compliance admin portal. For an E3 licence, the content in the logs is stored for 90 days.
As audit logs are an important element in keeping records, organisations may need to consider ways to retain this content for a longer period.
Note – SharePoint document libraries record the name of anyone who edited a document (and also previous versions), but they don’t record the name of anyone who simply viewed it. SharePoint lists also include audit trails, making it possible to track changes in individual rows of a list.
Content searches and eDiscovery
The Compliance admin portal provides two similar options to search for content across Office 365. Both the Content Search and eDiscovery options provide the ability to establish a ‘case’ that can be run more than once.
The eDiscovery option provides the added ability to put content on Legal Hold. Advanced eDiscovery is available with a higher licence.
Click on the links below to read the next two posts:
- SharePoint Online Admin centre configuration.
- SharePoint site collection provisioning and configuration to manage records.