‘Fools rush to implement retention without thought’ – Tony Redmond, 13 April 2017
Tony Redmond’s quote above, as well as the rest of the article in ‘Bringing Compliance to Office 365 Groups’, is as relevant today as it was in 2017.
Tony is a contributing author to the e-book ‘Office 365 for IT Pros’, essential reading for anyone doing anything with Microsoft 365. Page 921 of the May 2020 edition contains the following paragraph, which expands on the quote above and contains probably the best guidance ever required in relation to this subject:
It is sensible to write down each of the retention labels that you plan to use before creating anything. It is much easier to delay the release of a label and the training of users to use the label properly than it is to launch a label into general circulation only to discover that you later need to withdraw it. Another thing to consider is how easy it is for users to decide between different retention labels when the time comes for them to apply a label. Too many labels, misleading names, or too much choice can lead to frustration and bad decisions.
How do you go about writing down each of the retention labels as part of a plan – especially for a Microsoft 365 environment that is already in full swing?
This post provides some suggestions to help you do this.
What is your records retention and disposal status?
A good starting point is to establish the current records retention and disposal status for your organisation. Do you have a records retention schedule, also known as a disposal authority or records authority?
If you have one of these documents, review it first: a key part of the process is to ‘map’ its records retention classes to specific records across the various Microsoft 365 ‘workloads’ (e.g., Exchange, SharePoint, OneDrive, MS Teams), not just in one system (such as SharePoint).
You will need to know what and where these workloads are.
Where (and what) are the records in Microsoft 365?
If you are a records manager then there is a reasonably good chance that you have very little access to, or visibility of, all the content stored across Microsoft 365.
You may have access to one or more SharePoint sites, but unless you are a SharePoint Admin or Site Collection Admin on every site, your visibility will be very limited.
Most of the records in Microsoft 365 will be stored in Exchange, SharePoint, OneDrive for Business, or MS Teams.
- Emails created and sent by users are stored in Exchange mailboxes. There may also be public mailboxes. Unless there is a plan (or third-party app) to copy these (or some of these) emails out of Exchange (e.g., to SharePoint), most email records will probably remain in users’ mailboxes.
- Records that, in the past, would have been saved to a network file share (or EDRMS) will now be in SharePoint Online (corporate content) or OneDrive for Business (ODfB) (personal/working content).
- Chat messages in MS Teams are stored in a hidden area of the Exchange mailbox of each user who participates in the chat. Any documents shared in this chat area are stored in the OneDrive for Business of the person who shared the document.
- Channel-based Team chat messages in MS Teams are stored in a hidden area of the Exchange mailbox of the Office 365 Group linked with the Team. Any documents shared in this chat area are stored in the SharePoint site of the Office 365 Group linked with the Team.
So, fundamentally, records are stored in two primary workloads: Exchange mailboxes and SharePoint/OneDrive for Business.
What are the retention options?
There are two retention options in Microsoft 365. Both are configured in the Compliance portal of Microsoft 365. Access to this portal requires special privileges, which may not always be granted to records managers.
The two options are:
- Retention labels published as retention policies and then applied to the various workloads (Exchange email, SharePoint, OneDrive, Office 365 Groups (Exchange/SharePoint content)). These are sometimes described as ‘explicit’ policies because they are visible to end users. Organisations with an E5 licence can extend the way these labels are applied and retention managed.
- Retention policies that are applied directly to the various workloads (Exchange email, Exchange public folders, SharePoint, OneDrive, Office 365 Groups (Exchange/SharePoint content)). These are sometimes described as ‘implicit’ policies because they are not visible to end users. These policies automatically delete content at the end of a retention period, without any review possible.
Records managers will need to determine how to ‘translate’ each records retention class into one of the two options above, and how and where it will be applied in Microsoft 365.
Some of the options may also require the creation of new records retention classes – for example for the chat element in Microsoft Teams.
A suggested first model
Your IT probably already has some form of back-up regime (‘archive’) for mailboxes, used for disaster recovery and investigation purposes.
It might be worth creating two policies for mailboxes:
- All end-user mailboxes could have a single ‘implicit’ retention policy (e.g., 7 years).
- Mailboxes for specific staff (e.g., senior managers) could have a second, longer, ‘implicit’ retention policy. This policy will take over when the first one expires, but just for the mailboxes identified.
The use of retention policies in this way can replace the need for mailbox backups. No emails will ever actually be deleted while the retention policy is in place and all content can be retrieved via the Content Search option in the Compliance Portal.
Content Searches can also be used to retrieve and export emails.
OneDrive for Business
As with end-user mailboxes, OneDrive for Business accounts are generally inaccessible to records managers. To ensure that the content in those accounts is not deleted, a single implicit retention policy of, say, 7 years could be applied to all ODfB accounts. This policy will create a hidden (to the user) ‘Preservation Hold’ library on the ODfB account.
Anything ‘deleted’ by the end user during the retention period will be moved to the Preservation Hold library, which is visible to the Global Admins and SharePoint Admins from this URL – /_layouts/15/viewlsts.aspx?view=14
In addition, the OneDrive settings include the option (under ‘Storage’ in the ODfB admin portal) to retain OneDrive accounts for a period of time after they become inactive.
All content in these locations is accessible from a Content Search.
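The ‘first model’ above (one implicit policy for all mailboxes and ODfB accounts, plus a longer one for named senior managers) expressed in Security & Compliance PowerShell. This is an added example, not code from the original post; the policy and rule names, the 15-year period and the mailbox addresses are assumptions, and it assumes the ExchangeOnlineManagement module and a Compliance Admin role.

```powershell
# Added example (not from the original post). Names, the 15-year figure and
# the mailbox addresses are constructed placeholders.
Connect-IPPSSession

$sevenYears = 7 * 365   # RetentionDuration is expressed in days

# 1. One implicit policy for every user mailbox and every OneDrive account.
#    The 'Keep' action retains content for the period and never deletes it,
#    so users' own deletions only move items out of sight, not out of reach.
New-RetentionCompliancePolicy -Name "All mailboxes and OneDrive - 7 years" `
    -ExchangeLocation All -OneDriveLocation All `
    -Comment "Baseline implicit retention; intended to replace mailbox backups"
New-RetentionComplianceRule -Name "Keep 7 years" `
    -Policy "All mailboxes and OneDrive - 7 years" `
    -RetentionDuration $sevenYears `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Keep

# 2. A second, longer policy scoped to the identified senior-manager mailboxes.
#    Where more than one retention policy covers a mailbox, the longest period
#    takes precedence, so this one 'takes over' after the 7-year policy expires.
$seniorManagers = @("ceo@contoso.example", "cfo@contoso.example")  # placeholders
New-RetentionCompliancePolicy -Name "Senior managers - 15 years" `
    -ExchangeLocation $seniorManagers `
    -Comment "Extends retention for identified mailboxes only"
New-RetentionComplianceRule -Name "Keep 15 years" `
    -Policy "Senior managers - 15 years" `
    -RetentionDuration (15 * 365) `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Keep

# Check what was created and where it has been distributed before relying on it.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, ExchangeLocation, OneDriveLocation |
    Format-List
```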
SharePoint
SharePoint is likely to be the most complicated in terms of retention policies if there is a requirement to keep content for different periods of time in accordance with the retention schedules/records disposal authorities.
There are likely to be three main options in relation to SharePoint content:
- One or more implicit retention policy/ies applied to one or more sites. When applied to a SharePoint site, a ‘Preservation Hold’ library retains anything that is ‘deleted’ by end users.
- One or more explicit label-based retention policies applied to one or more sites. When applied to a SharePoint site, the option to apply it appears for each document library on the site. Once applied (manually), end users cannot delete anything and if the library is synced to File Explorer, the File Explorer view of the library will be read only.
- A combination of implicit and explicit retention policies.
The decision to apply what policy to what site will depend on your SharePoint architecture and the content stored in each site. For example:
- A SharePoint site that only stores records that map to one records retention class could have either a single implicit policy (if there is no requirement for disposal review) or a single explicit policy that is applied manually to each library.
- A SharePoint site that contains records that map to multiple retention classes, but for one business function and also ‘working papers’ could have (a) one implicit policy to cover the working papers and (b) one label-based retention policy with multiple labels – one for each class. This means, for (b), that a specific retention label can be applied to each library as required.
- SharePoint sites linked with Office 365 Groups and Teams. Depending on the content in the site, it may be possible to apply a single retention policy for all M365 Groups (which covers both the SharePoint site and the mailbox), or a similar policy created for a Group of SharePoint sites (which excludes the mailbox).
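The second bullet above (one site holding working papers plus records from several retention classes) as an added example, not the post’s own code: an implicit policy covers the site, and a label policy publishes one label per retention class so each library can be labelled as required. The site URL, label names, periods and reviewer address are constructed placeholders; it assumes the ExchangeOnlineManagement module and a Compliance Admin role.

```powershell
# Added example (not from the original post). URL, class names, periods and
# the reviewer address are constructed placeholders.
Connect-IPPSSession

$site = "https://contoso-example.sharepoint.com/sites/Finance"

# (a) One implicit policy for the whole site: working papers are kept for
#     7 years and then deleted with no review. While it applies, anything a
#     user deletes is moved to the site's hidden 'Preservation Hold' library.
New-RetentionCompliancePolicy -Name "Finance site - working papers" -SharePointLocation $site
New-RetentionComplianceRule -Name "Finance working papers - 7y then delete" `
    -Policy "Finance site - working papers" `
    -RetentionDuration (7 * 365) -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# (b) One explicit (label-based) policy publishing one label per retention
#     class. A label with a reviewer goes to disposition review at the end of
#     its period instead of being deleted automatically.
$classes = @(
    @{ Name = "FIN-01 Annual accounts - 25 years"; Years = 25; Reviewer = $null },
    @{ Name = "FIN-02 Purchase records - 7 years"; Years = 7;  Reviewer = "records@contoso.example" }
)
foreach ($c in $classes) {
    $tagParams = @{
        Name              = $c.Name
        RetentionAction   = "KeepAndDelete"
        RetentionDuration = $c.Years * 365          # days
        RetentionType     = "ModificationAgeInDays"
    }
    if ($c.Reviewer) { $tagParams.ReviewerEmail = $c.Reviewer }   # enables disposition review
    New-ComplianceTag @tagParams
}
New-RetentionCompliancePolicy -Name "Finance site - record labels" -SharePointLocation $site
foreach ($c in $classes) {
    # One rule per label makes that label available to the site's libraries;
    # a site owner still has to apply it to each library by hand.
    New-RetentionComplianceRule -Name "Publish $($c.Name)" `
        -Policy "Finance site - record labels" -PublishComplianceTag $c.Name
}
```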
MS Teams
As noted above, the chat content in MS Teams is stored in Exchange mailboxes – (a) the mailbox of each participant for one-to-one chat, and (b) the mailbox of the Office 365 Group for channel-based chat.
You may consider having a relatively short-term retention period for one-to-one chat. The retention period for the channel-based chat will depend on the subject matter and should – ideally – be the same as for the linked SharePoint site. For example:
- A Team set up for a specific business function and activity (or activities) will have channel-based chat and a linked SharePoint site. Both should be subject to the same retention period.
- A Team set up for low-level discussion about a subject that may not be covered by any retention period could be subject to a general retention policy for the chat and the SharePoint content.
Bringing it together
As noted at the beginning of the post, if you are going to use retention policies in Microsoft 365 you need a plan and you need to document it. It doesn’t matter too much if the environment is already active.
However, you will need to have discussions with your Microsoft 365 Global Admins, Compliance Admins and SharePoint Admins and know where the content is stored.
- The Global Admins can give you a list of every Office 365 Group and every Team in MS Teams (these are connected – every Team is based on an O365 Group).
- The SharePoint Admins (or Global Admins) can give you a list of every SharePoint site.
There are some potential ‘quick wins’, such as agreement with IT regarding Exchange mailboxes, OneDrive for Business accounts, and MS Teams.
The more complex requirement is to map the classes in your records retention schedules/disposal authority to content stored in SharePoint, including for standard sites (not linked with Microsoft Groups), communication sites, and sites linked to Office 365 Groups.
You can start to do this by having a list of all the sites exported from the SharePoint Admin portal. This should allow you to see how many sites exist, how much content they hold, and if they are active or not.
It is probably a good idea for the records manager to be included as a Site Collection Administrator, for example by being a member of a Security Group added to every SharePoint site. This will help the records manager gain visibility of the content of each site; however, they should be very careful about browsing the content, as everything is recorded in the audit logs.
Document and plan
The outcome of all these actions should be one or more documents that describe (a) where records are stored and (b) the retention policy and action that will apply to those records.
- For Exchange mailboxes, OneDrive for Business accounts, and MS Teams, this may be a single line for each policy.
- For SharePoint, there should be a listing of every site and the retention policy or policies that apply to that site.
- Additionally, for SharePoint sites where an explicit label-based retention policy is applied, the listing should show which libraries this has been applied to. If a disposal review option has been selected, there should be a process to ensure that the metadata of the library where the records are stored is exported and stored in a different location. The original library may then be deleted.
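One way to produce the SharePoint part of that listing (every site and the retention policies whose locations include it) as an added example rather than anything from the post. It assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules, a placeholder tenant admin URL, and that each SharePointLocation entry returned by Get-RetentionCompliancePolicy exposes the site URL in its Name property.

```powershell
# Added example (not from the original post). Tenant URL and output path are
# placeholders; the Name property on location entries is an assumption.
Connect-SPOService -Url "https://contoso-example-admin.sharepoint.com"
Connect-IPPSSession

# Both implicit policies and label-publishing policies come back from this call.
$policies = Get-RetentionCompliancePolicy -DistributionDetail

$rows = Get-SPOSite -Limit All | ForEach-Object {
    $site = $_
    $matching = foreach ($p in $policies) {
        $names = @($p.SharePointLocation) | ForEach-Object { $_.Name }
        # 'All' means the policy is tenant-wide; otherwise match on the site URL.
        if ($names -contains "All" -or $names -contains $site.Url) { $p.Name }
    }
    [PSCustomObject]@{
        Url          = $site.Url
        Template     = $site.Template                 # GROUP#0 = Office 365 Group-connected
        StorageMB    = $site.StorageUsageCurrent
        LastModified = $site.LastContentModifiedDate   # helps spot inactive sites
        Policies     = if ($matching) { $matching -join "; " } else { "NONE - decision needed" }
    }
}

# Group-connected sites may instead be covered by an M365 Groups policy, which
# is keyed on the group, not the URL, so check those rows separately.
$rows | Sort-Object Policies, Url |
    Export-Csv -Path ".\sharepoint-retention-plan.csv" -NoTypeInformation
```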
5 thoughts on “Planning for retention management in Microsoft 365”
Andrew, as per usual, an excellent post – and a great contribution for everyone trying to understand it. You touched briefly on the role of the records manager, which is one of my outstanding questions for agencies that really want to try and do this. The RM really seems to be tied quite tightly to platform administration. Is this the general IT centric approach that only really thinks about how to manage the scaffold that the information fits into, rather than the information itself – and has thus forgotten that these might be separate groups of people?
Good question Karl and thanks for the feedback. It is, I think, becoming a bit of a problem in some organisations, the yawning gap between IT and the Records Managers. I’ve been fortunate that all my jobs in the past 20 years were in IT and had a role in managing records. It’s much harder if the Records Managers are outside of IT as they are often regarded with less trust. As a result, records managers don’t get the access they need (and often don’t have the knowledge/training even if they had the access), and IT don’t know how to manage records and/or are reluctant to implement recordkeeping themselves. If I could create a graphic it would show IT on one side of a brick wall holding a new ‘records management’ toy asking how to use it, while records managers on the other side of the wall wonder why they don’t see what they need to see or manage.
Thanks so much for these posts, super helpful to have someone writing on 365 from a records management perspective. Can I ask, from your description of retention above, using it in a GDPR context would worry me – for example, if I applied a 7 year retention policy to all exchange mailboxes, that would mean that if somebody had case management emails with sensitive personal data and they needed to delete them when the case was closed – they would be hidden from view but retained and findable under a Data Subject Access Request?
Hi Lisa, thanks for the feedback. Yes, any content in a mailbox will remain there for the period of the retention policy. One thing to keep in mind is that, in the past (or perhaps even now), emails may be captured by daily (or more regular) backup processes. So copies may exist on backup tapes, even if deleted by end users. We were subject to a major inquiry from 2018 and the first thing the lawyers asked for was the mailboxes for the past 10 years of (quite a lot of) staff. This meant retrieving them from backup, which meant that ‘deleted’ emails were probably still there. The only alternative to backup or M365 retention policies – using out-of-the-box options – would be to continue using the Exchange Messaging Records Management (MRM) retention tags and policies. This would allow end users to tag emails for deletion (assuming they actually do it), but it also means that other emails could also be deleted – all without a record of this destruction being kept.