Microsoft released its ‘Records Management’ solution for Microsoft 365 during 2020. The solution is only accessible to organisations with an E5 licence (or an E5 Security and Compliance licence).
Some of the retention-related options previously available to E3 licences, such as disposition review, are now only available with an E5 licence. However, for cost and other reasons, many organisations have decided to stay with E3 and asked if it is still possible to manage the retention of records.
According to its licensing guidance, ‘Microsoft 365 licensing guidance for security and compliance’, E3/A3 (and E5/A5) licences provide the following ‘information governance’ capability:
- A basic organization-wide or location-wide Exchange mailbox retention policy and/or to manually apply a non-record retention labeling to mailbox data.
- A basic SharePoint or OneDrive retention policy and/or to manually apply a non-record retention label to files in SharePoint or OneDrive.
- A Teams retention policy.
This post describes how the retention of records could be managed with an E3 licence and recommends that organisations intending to deploy Microsoft’s retention policies (whether E3 or E5) develop a plan for their deployment based on a detailed understanding of the following:
- What records exist and where they are stored across the main Microsoft 365 workloads – Exchange Online (EXO) mailboxes, SharePoint Online (SPO) sites, Microsoft Teams (MS Teams), and OneDrive for Business (ODfB) accounts.
- What retention is required, including for EXO mailboxes and personal/ODfB accounts for which retention was previously ‘managed’ through backups, and MS Teams chats.
- What type of retention policy will apply to what workloads.
- How will disposition be managed (including of original storage locations, not just the records), and what evidence of destruction is required?
- How will any limitations and shortcomings be addressed to minimise legal risk?
Where are the records?
A good starting point with retention planning is to establish where the records that will be subject to retention policies are stored.
Most records are created and stored in one of the primary four workloads – Exchange Online (EXO) mailboxes, SharePoint Online (SPO) sites, Microsoft Teams (MS Teams), and OneDrive for Business (ODfB) accounts.
While SharePoint sites (including Teams-based sites and Teams channels) may be used to logically ‘group’ records (e.g., in a team site, a document library, or a channel), this is not the case for EXO mailboxes, ODfB accounts, MS Teams 1:1 or private channel chats (a compliance copy of these chats is stored in the personal EXO mailboxes of participants in the chat).
EXO mailboxes and ODfB accounts usually contain a range of records on different subjects, with different retention requirements. Personal chat messages could be about any subject.
For most of the past three decades, the requirement to keep specific emails or other records meant that end-users had to copy those records to another system, including an EDRMS or even SharePoint, or print and place them on a file. The ability to find old records depended more often than not on the ability to recover them from back-up tapes, a process ironically often referred to as ‘archiving’.
Action: Organisations should establish a list of where records are stored in Microsoft 365 and how retention (including via backups) is currently managed.
What retention is required?
The next step in the process is to establish how long these records need to be kept.
Most of the time this will be based on an organisational records retention policy or schedule. These policies or schedules describe groups of records and how long they must be retained – for example, financial records generally must be retained for seven years. Specific types of financial records may require shorter or longer retention.
This model generally works well when records have been stored in logical groups (e.g., a whole SPO site/Team, or document library), but is more difficult to apply to individual records stored with other records in personal EXO mailboxes, ODfB accounts, SPO sites, or MS Teams chats. If records with longer retention requirements in these locations are not stored elsewhere, or cannot be specifically identified, all the records may have to be kept for the longest retention period.
The start of retention is usually based on a trigger action. Typically these are based on (a) date created, (b) date modified, or (c) date of last action. However, they may also be based on less specific events, for example: (a) 7 years after a contract has expired, (b) 25 years after an employee leaves, (c) when a child turns 21. These less specific events need special attention.
Action: Organisations should ‘map’ retention requirements to the locations where the records are stored. This process will likely involve a discussion regarding the replacement (or supplementation) of email backups with retention policies, and may end up looking something like the following:
| Workload | Retention |
| --- | --- |
| EXO mailboxes of senior managers | 25 years |
| EXO mailboxes of all other employees | 7 years |
| MS Teams 1:1 chats of senior managers | 25 years |
| MS Teams 1:1 chats of all other employees | 7 years |
| MS Teams private channel chats | As per retention policies |
| ODfB accounts of senior managers | 10 years |
| ODfB accounts of all other employees | 7 years |
| SPO sites that are not subject to more specific policies | 7 years |
| Microsoft 365 Groups (includes mailbox and SPO site) | As per retention policies |
| SPO sites with specific retention requirements, per site or library | As per retention policies |
What are the retention options with an E3 licence?
The three main options available with an E3 licence – labels, label policies, and retention policies – are all set from the Compliance admin portal under the ‘Information Governance’ section.

The table below summarises the options:
| Type of policy | Can be used for |
| --- | --- |
| ‘Implicit’, ‘safety net’ retention policies. These policies: (a) work in the back end and cannot be changed by an end-user; (b) create a preservation hold library in SPO sites and ODfB accounts, and hold deleted emails in a hidden EXO mailbox folder; (c) provide an alternative to back-ups, although all content retained in this way counts against the overall storage quota; (d) do not retain a record of what was destroyed. | EXO, SPO, MS Teams, ODfB |
| ‘Explicit’ label-based retention policies. Labels must be published to the required workloads before they become visible. Records cannot be deleted once a label has been applied, but end-users can change or remove the label and then delete the record. Label-based policies do not retain a record of what was destroyed. | EXO, SPO, ODfB |
| ‘Explicit’ label-based retention policies that are auto-applied based on three limited options (see below). Records cannot be deleted once a label has been applied. These policies do not retain a record of what was destroyed. | EXO, SPO, ODfB |
The three auto-apply options are as follows:
- Apply label to content that contains sensitive information. Unlikely to be used as retention is never based on sensitivity.
- Apply label to content that contains specific words or phrases, or properties. Possibly useful. Recommend that organisations do a Content Search first to see what records may exist.
- Apply label to content that matches a trainable classifier. E3 licences provide six out of the box, limited classification options including ‘profanity’. These are unlikely to be of any value.
Mapping the E3 options
Given the options available, the following is a suggested mapping of records, retention and policy options:
| Workload | Retention | Retention policy |
| --- | --- | --- |
| EXO mailboxes of senior managers | 25 years | Retention policy, plus possibly labels auto-applied to specific records |
| EXO mailboxes of all other employees | 7 years | Retention policy, plus possibly labels auto-applied to specific records |
| MS Teams 1:1 chats of senior managers | 25 years | Retention policy |
| MS Teams 1:1 chats of all other employees | 7 years | Retention policy |
| MS Teams private channel chats | As per retention policies | Retention policy |
| ODfB accounts of senior managers | 10 years | Retention policy, plus possibly labels auto-applied to specific records |
| ODfB accounts of all other employees | 7 years | Retention policy, plus possibly labels auto-applied to specific records |
| SPO sites that are not subject to more specific policies | 7 years | Retention policy |
| Microsoft 365 Groups (includes mailbox and SPO site) | As per retention policies | Retention policy |
| SPO sites with specific retention requirements, per site or library | As per retention policies | Retention policy (safety net) plus label-based retention policy for specific records |
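The mapping above can be turned into actual policies with Security & Compliance PowerShell rather than clicking through the Compliance admin portal. The following is an added example, not code from the original post: it creates the ‘safety net’ policies for EXO mailboxes, ODfB accounts, MS Teams 1:1 chats and general SPO sites, plus one keyword auto-applied label for records that must outlive the safety nets. The policy and label names, the group SeniorManagers-Retention, the user and OneDrive URL lists and the keyword query are placeholders assumed here; the private channel and Microsoft 365 Groups rows are left out because the table gives them no fixed period.

```powershell
# Added example, not from the original post. Creates the 'safety net' policies
# in the mapping table with Security & Compliance PowerShell (module
# ExchangeOnlineManagement). Names, the group and user placeholders and the
# keyword query are assumptions; replace them before use.

Connect-IPPSSession   # authenticate to the Compliance endpoint

# Placeholders (assumed, not from the post):
$SeniorMailGroup = 'SeniorManagers-Retention'               # mail-enabled group
$SeniorUsers     = @('jane@contoso.example', 'raj@contoso.example')
$SeniorOneDrives = @('https://contoso-my.sharepoint.com/personal/jane_contoso_example')

# Retention is counted from last modification here; a schedule may instead
# count from creation (CreationAgeInDays).
$Trigger = 'ModificationAgeInDays'

# The portal stores periods in days; 7 years = 2555, 10 = 3650, 25 = 9125.
function Get-RetentionDays { param([int]$Years) 365 * $Years }

# One policy plus one keep-then-delete rule. The location hashtable is
# splatted, so each call can target a different workload.
function New-SafetyNetPolicy {
    param([string]$Name, [int]$Years, [hashtable]$Location)
    New-RetentionCompliancePolicy -Name $Name @Location | Out-Null
    New-RetentionComplianceRule -Name "$Name-Rule" -Policy $Name `
        -RetentionDuration (Get-RetentionDays $Years) `
        -RetentionComplianceAction KeepAndDelete `
        -ExpirationDateOption $Trigger | Out-Null
}

# EXO: tenant-wide 7 years, plus 25 years scoped to senior managers. Where both
# apply to a mailbox, the longer retention wins. Scoped policies count against
# the 1,000-mailbox limit discussed below; 'All' does not.
New-SafetyNetPolicy -Name 'EXO-All-7y'     -Years 7  -Location @{ ExchangeLocation = 'All' }
New-SafetyNetPolicy -Name 'EXO-Senior-25y' -Years 25 -Location @{ ExchangeLocation = $SeniorMailGroup }

# ODfB: scoped accounts are addressed by OneDrive URL (100-site limit applies).
New-SafetyNetPolicy -Name 'ODfB-All-7y'     -Years 7  -Location @{ OneDriveLocation = 'All' }
New-SafetyNetPolicy -Name 'ODfB-Senior-10y' -Years 10 -Location @{ OneDriveLocation = $SeniorOneDrives }

# Teams chats sit in their own policies: Teams locations cannot be combined
# with other workloads in a single policy.
New-SafetyNetPolicy -Name 'Teams-Chat-All-7y'     -Years 7  -Location @{ TeamsChatLocation = 'All' }
New-SafetyNetPolicy -Name 'Teams-Chat-Senior-25y' -Years 25 -Location @{ TeamsChatLocation = $SeniorUsers }

# SPO sites not covered by anything more specific.
New-SafetyNetPolicy -Name 'SPO-All-7y' -Years 7 -Location @{ SharePointLocation = 'All' }

# 'Explicit' label for specific records, auto-applied by keyword (the second
# of the three E3 auto-apply options). Its period is longer than every safety
# net above, as the post recommends. Label name and query are placeholders.
New-ComplianceTag -Name 'Contract-25y' -RetentionAction KeepAndDelete `
    -RetentionDuration (Get-RetentionDays 25) -RetentionType $Trigger | Out-Null
New-RetentionCompliancePolicy -Name 'AutoApply-Contract-25y' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All | Out-Null
New-RetentionComplianceRule -Name 'AutoApply-Contract-25y-Rule' -Policy 'AutoApply-Contract-25y' `
    -ApplyComplianceTag 'Contract-25y' -ContentMatchQuery 'contract AND signed' | Out-Null

# Check what was created and whether distribution to the workloads has completed.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus | Format-Table -AutoSize
```

Run the keyword auto-apply only after a Content Search has confirmed which records the query actually matches, since a broad query will label far more than intended and the label cannot be shortened afterwards without end-user involvement.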
Policy limits
Organisations planning to deploy retention policies should be aware of the limits on custom policies, as described on this Microsoft page, ‘Create and configure retention policies‘. There are no limits on policies that apply to an entire workload (e.g., all EXO mailboxes).
- 1,000 mailboxes
- 1,000 Microsoft 365 groups
- 1,000 users for Teams private chats
- 100 sites (OneDrive or SharePoint)
The page above notes also that ‘There is also a maximum number of policies that are supported for a tenant: 10,000. However, for Exchange Online, the maximum number is 1,800. The maximum number includes retention policies, retention label policies, and auto-apply retention policies.’
How will disposition be managed?
Microsoft 365 retention policies retain records for a specified period and usually then delete the records automatically. No record is retained of what was deleted. Even with an E5 licence, only limited metadata is retained and only on those records subject to disposition review.
Organisations deploying retention policies with an E3 licence need to understand the potential risks associated with being unable to provide evidence of what was destroyed.
There are at least two ways to approach this point, but in all cases the approach and options must be legally defensible:
- Ensure that organisational policies clearly indicate what records will be destroyed without any record being kept. For example, with certain exceptions, most emails, Teams chats, SPO sites and the content of ODfB accounts will only be kept for 7 years and then destroyed.
- Establish a process to ensure that a record is kept of specific records that have been destroyed. For example, the metadata of records, due for disposal and stored in document libraries in specific SPO sites, will be captured (and stored separately) before the records are destroyed, and then the document library will be deleted. This is a labour-intensive process and may only be used on some sites.
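The second approach above, capturing the metadata of records due for disposal before the library is deleted, is straightforward to script. The following is an added example and not part of the original post: the library items are a constructed sample (in practice they would come from an export of the document library's metadata), the 7-year period counted from last modification and the approver's address are assumptions, and the register is written as a CSV that must be stored somewhere other than the site being deleted.

```powershell
# Added example, not from the original post. Builds a 'record of destruction'
# for items due for disposal before a document library is deleted. The items
# below are constructed sample metadata; the retention trigger (last modified)
# and the approver address are assumptions.

$RetentionYears = 7
$AsOf           = Get-Date '2021-01-15'     # date of the disposal decision

# Constructed sample: metadata of a hypothetical library /sites/Finance/Invoices.
$Items = @(
    [pscustomobject]@{ Name='Invoice-2013-001.pdf'; Path='/sites/Finance/Invoices'; Created='2013-02-01'; Modified='2013-03-10'; Label='Financial-7y' },
    [pscustomobject]@{ Name='Invoice-2013-042.pdf'; Path='/sites/Finance/Invoices'; Created='2013-11-15'; Modified='2013-12-01'; Label='Financial-7y' },
    [pscustomobject]@{ Name='Invoice-2014-017.pdf'; Path='/sites/Finance/Invoices'; Created='2014-05-20'; Modified='2014-06-01'; Label='Financial-7y' },
    [pscustomobject]@{ Name='Audit-2015.docx';      Path='/sites/Finance/Invoices'; Created='2015-07-04'; Modified='2016-01-12'; Label='Financial-7y' }
)

# An item is due once the retention period counted from the trigger date has
# passed. Items not yet due are left in place.
function Get-ItemsDueForDisposal {
    param([object[]]$Items, [int]$Years, [datetime]$AsOf)
    $Items | Where-Object { ([datetime]$_.Modified).AddYears($Years) -le $AsOf }
}

# Capture the metadata that disappears with the records, stamped with who
# approved the disposal and when, and append it to a register kept elsewhere.
function Write-DispositionRegister {
    param([object[]]$Due, [string]$RegisterPath, [string]$ApprovedBy, [datetime]$ApprovedOn)
    $Due | Select-Object Name, Path, Created, Modified, Label,
        @{ n = 'DisposalApprovedBy'; e = { $ApprovedBy } },
        @{ n = 'DisposalApprovedOn'; e = { $ApprovedOn.ToString('yyyy-MM-dd') } } |
        Export-Csv -Path $RegisterPath -NoTypeInformation -Append
}

$Due = Get-ItemsDueForDisposal -Items $Items -Years $RetentionYears -AsOf $AsOf
$Due | ForEach-Object { "Due for disposal: $($_.Name) (modified $($_.Modified))" }

# Register first; the library is only deleted once this file exists and the
# approval has been recorded in it.
$Register = Join-Path $env:TEMP 'disposition-register.csv'
Write-DispositionRegister -Due $Due -RegisterPath $Register `
    -ApprovedBy 'records.manager@contoso.example' -ApprovedOn $AsOf
Import-Csv $Register | Format-Table -AutoSize
```

With the sample dates, only the two 2013 invoices are due on 2021-01-15; the 2014 invoice falls due in June 2021 and the audit document in 2023. The register row, not the site recycle bin, becomes the evidence of what was destroyed, which is why it should be held outside the site.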
Addressing E3 licence limitations and shortcomings
The limitations of E3 licence retention policies (and also E5 licences from an evidentiary point of view) should not put organisations off using the out of the box options or cause them to acquire third-party products.
The retention options available in Microsoft 365 now provide functionality that assists recordkeeping compliance, for example the ability to apply ‘back end, safety net’ retention policies to EXO mailboxes, MS Teams chats, ODfB accounts and whole SPO sites. Coupled with the ability to locate all records, including ‘deleted’ records via Content Search, this should be a boon to records managers and also to IT (saving the latter from having to recover records from backup tapes).
On the other hand, deploying the options can be complex and requires good planning and governance documentation. The lack of good governance can lead to the inadvertent loss of records as KPMG found in August 2020 (‘IT blunder permanently erases 145,000 users’ personal chats in KPMG’s MS Teams deployment‘).
Once retention policies have been deployed, the next most complex task may be the disposition approval and destruction process for those records for which a formal disposition review and approval process is required, including the requirement to establish a list of records to be destroyed.
As noted above, even the E5 licence options for disposition review and ‘proof of disposition’ are inadequate in terms of the metadata that is presented and retained. Until Microsoft provides the ability to record the metadata of every record that is due for disposal and/or destroyed, based on ANY type of retention policy, this process will continue to be a manual task for records managers.
Organisations may consider acquiring a limited number of E5 Security and Compliance licences to gain access to the E5 ‘Records Management’ capability and its other options, including File Plan, auto-classification options, and Disposition Review. However, aside from these options (and the ability to auto-apply labels more broadly), they may not add much more capability to the options already available with an E3 licence.
Summarising the options
Based on the above details, organisations with E3 licences might do the following:
- Create several ‘safety net’ retention policies for EXO mailboxes, ODfB accounts, MS Teams chats and general SPO sites. EXO/ODfB retention policies may be (a) based on current back-up periods and (b) be split into ‘senior’ and all other employees. They may also create policies for Microsoft 365 Groups which will cover the Group’s EXO mailbox and SPO site. Some of these policies may map to existing retention classes in the records retention schedules, but others such as the EXO, ODfB and MS Teams policies may need to be added.
- Create label-based retention policies for content stored in specific SPO sites where more granular retention policies are required per library. However, keep in mind these can be changed or removed by end-users with add/edit access. Generally it is not recommended to apply label-based policies to EXO or ODfB unless end-users will apply these accurately and consistently.
- Auto-apply some labels to specific content stored in SPO, EXO and ODfB (having identified that these records exist first via a Content Search). These labels should have a retention period that is longer than the safety net policy or any other label-based policy.
- Establish a ‘manual’ disposition review process for records that are subject to label-based retention policies.
References:
Microsoft 365 licensing guidance for security and compliance
Interesting article Andrew and helpful for those struggling with how to manage retention on an E3 licence. One point – you state that you can auto-apply labels with an E3 licence however the licensing information from Microsoft is pretty clear that with an E3 your only options are to manually apply labels or apply a basic policy to ‘workloads, specific locations or users’. So the options of managing retention with an E3 are really pretty slim. No auto-apply, no default labels for libraries and so on, leaving just the ‘safety net’ broad policy applying to a SP site and users or admins applying labels manually. Not scalable or sustainable.
Thanks Alexander. I have an E3 licence. From the Compliance admin portal > Information Governance section, when I click on the ‘Labels’ tab, and then click on any label, the option ‘Auto-apply a label’ appears. However, the options are limited to (a) Apply label to content that contains sensitive info [unlikely to be used since retention is rarely based on sensitivity], (b) Apply label to content that contains specific words or phrases, or properties [keyword searches], and (c) Apply label to content that matches a trainable classifier [only uses the out of box 6 basic classifiers with an E3 licence]. Can you let me know if you don’t see those options?
Hi Andrew – in the summary of options at the end of this really interesting article, you suggest
Auto-apply some labels to specific content stored in SPO
In https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance
MS write
Microsoft 365 E5/A5/G5/E3/A3, Office 365 E5/A5/G5/E3/A3, and SharePoint Plan 2 provide the rights for a user to benefit from a basic SharePoint or OneDrive retention policy and/or to manually apply a non-record retention label to files in SharePoint or OneDrive.
Microsoft 365 E5/A5/G5/E3/A3 and Office 365 E5/A5/G5/E3/A3 provide the rights for a user to benefit from a Teams retention policy.
Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Information Protection and Governance E5/A5/G5, and Office 365 E5/A5 provide the rights for a user to benefit from automatically applying retention labels
I believe Microsoft are deliberately ambiguous with the term ‘automatically’. Do you have a view on whether it matters where or by what the retention label is applied automatically? If it was applied automatically by a feature within SP, then fair enough, a premium feature has been used and additional licence payment is due, but what if an external script created the retention label using (say) the SharePoint REST API or something similar? Wouldn’t that be using SharePoint as intended, not using a premium feature within SP and, as a consequence, permissible within an E3 licence?
Thanks Tim, good points. E3 licence holders have the ability to auto-apply retention labels in three ways: (a) sensitivity, (b) basic keyword search, (c) six quite limited trainable classifiers (E5 holders can create their own trainable classifiers or potentially do this by using Syntex for certain commonly occurring document types).
The meaning of ‘manually’ apply is interesting – when you publish labels as a retention policy to a SharePoint site, the Site Collection Admin or Owner has to go to the library and ‘manually’ select a default retention label that will by default apply to all the content in the library. Anyone with Member rights can ‘manually’ remove or change the default retention label (this is the case with auto-applied labels too, unless the item is declared a record or made read-only).
One of the biggest challenges with retention labels (which nicely map to retention classes) is applying them correctly, whether automatically or manually. The Microsoft view seems to be that there is too much content, go with the automatic approach. My preference would be to use non label-based retention policies (what I call ‘safety net’ policies) and use the labels selectively for specific content that has to be kept for longer.
Also keep in mind that disposition reviews only work with labels, but there are shortcomings with the reviews (insufficient information to make a decision) and the disposal (insufficient information retained about what was destroyed).
Hi again Andrew – I have a further question for you, if I may. In the first para, you write that “Some of the retention-related options previously available to E3 licences, such as disposition review, are now only available with an E5 licence”. I relayed this to one of my colleagues who challenged it, saying that disposition reviews have been solely E5 for as long as he can remember. Is there any link or resource you can direct me that would allow me to counter the challenge? Thanks
Thanks Tim, I have only ever had an E3 licence (including from 2016 to 2019 working in a very large organisation as a GA) and have always been able to see the Disposition Review area in my E3 tenant (now it’s a Dev tenant). However, from September 2020, when I go to the Disposition Review area I get an error message saying I need an E5 licence. So perhaps it was always available to E3-level GAs, but it’s now been restricted to organisations with an E5 licence. In any case, the Disposition Review area (and label-based process) lacks the functionality required for it to be worth considering as a ‘records management’ option. Depending on the trigger (date created, date modified, date labelled or an event) you could end up with 1000s of documents trickling in from various libraries with no contextual metadata. This functionality is inadequate from an Australian records management point of view, and there is only basic metadata kept about the original records after they have been destroyed (the so-called ‘proof of disposition’). There is also the problem that records just vanish from document libraries after they are approved for disposal, with no record kept in that site of what was destroyed past the 90 day recycle bin. There is also the problem of records that aren’t subject to the disposition review option – they are either just retained or deleted automatically (same as for non-label based retention policies).