7 thoughts on “Managing the retention of records in Microsoft 365 with an E3 licence

  1. Interesting article Andrew and helpful for those struggling with how to manage retention on an E3 licence. One point – you state that you can auto-apply labels with an E3 licence however the licensing information from Microsoft is pretty clear that with an E3 your only options are to manually apply labels or apply a basic policy to ‘workloads, specific locations or users’. So the options of managing retention with an E3 are really pretty slim. No auto-apply, no default labels for libraries and so on, leaving just the ‘safety net’ broad policy applying to a SP site and users or admins applying labels manually. Not scalable or sustainable.

    1. Thanks Alexander. I have an E3 licence. From the Compliance admin portal > Information Governance section, when I click on the ‘Labels’ tab, and then click on any label, the option ‘Auto-apply a label’ appears. However, the options are limited to (a) Apply label to content that contains sensitive info [unlikely to be used since retention is rarely based on sensitivity], (b) Apply label to content that contains specific words or phrases, or properties [keyword searches], and (c) Apply label to content that matches a trainable classifier [only uses the out of box 6 basic classifiers with an E3 licence]. Can you let me know if you don’t see those options?

  2. Hi Andrew – in the summary of options at the end of this really interesting article, you suggest
    Auto-apply some labels to specific content stored in SPO
    In https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance
    MS write
    Microsoft 365 E5/A5/G5/E3/A3, Office 365 E5/A5/G5/E3/A3, and SharePoint Plan 2 provide the rights for a user to benefit from a basic SharePoint or OneDrive retention policy and/or to manually apply a non-record retention label to files in SharePoint or OneDrive.
    Microsoft 365 E5/A5/G5/E3/A3 and Office 365 E5/A5/G5/E3/A3 provide the rights for a user to benefit from a Teams retention policy.
    Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Information Protection and Governance E5/A5/G5, and Office 365 E5/A5 provide the rights for a user to benefit from automatically applying retention labels

    I believe Microsoft are deliberately ambiguous with the term ‘automatically’. Do you have a view on whether it matters where or by what the retention label is applied automatically? If it was applied automatically by a feature within SP, then fair enough, a premium feature has been used and additional licence payment is due, but what if an external script created the retention label using (say) the SharePoint REST API or something similar? Wouldn’t that be using SharePoint as intended, not using a premium feature within SP and, as a consequence, permissible within an E3 licence?

    1. Thanks Tim, good points. E3 licence holders have the ability to auto-apply retention labels in three ways: (a) sensitivity, (b) basic keyword search, (c) six quite limited trainable classifiers (E5 holders can create their own trainable classifiers or potentially do this by using Syntex for certain commonly occurring document types).
      The meaning of ‘manually’ apply is interesting – when you publish labels as a retention policy to a SharePoint site, the Site Collection Admin or Owner has to go to the library and ‘manually’ select a default retention label that will by default apply to all the content in the library. Anyone with Member rights can ‘manually’ remove or change the default retention label (this is the case with auto-applied labels too, unless the item is declared a record or made read-only).
      One of the biggest challenges with retention labels (which nicely map to retention classes) is applying them correctly, whether automatically or manually. The Microsoft view seems to be that there is too much content, go with the automatic approach. My preference would be to non label-based retention policies (what I call ‘safety net’ policies) and use the labels selectively for specific content that has to be kept for longer.
      Also keep in mind that disposition reviews only work with labels but there are shortcomings with the reviews (insufficient information to make a decision) and the disposal (insufficient information retain about what was destroyed).

  3. Hi again Andrew – I have a further question for you, if I may. In the first para, you write that “Some of the retention-related options previously available to E3 licences, such as disposition review, are now only available with an E5 licence”. I relayed this to one of my colleagues who challenged it, saying that disposition reviews have been solely E5 for as long as he can remember. Is there any link or resource you can direct me that would allow me to counter the challenge? Thanks

    1. Thanks Tim, I have only ever had an E3 licence (including from 2016 to 2019 working in a very large organisation as a GA) and have always been able to see the Disposition Review area in my E3 tenant (now it’s a Dev tenant). However, from September 2020, when I go to the Disposition Review area I get an error message saying I need an E5 licence. So perhaps it was always available to E3-level GAs, but it’s now been restricted to organisations with an E5 licence. In any case, the Disposition Review area (and label-based process) lacks the functionality required for it to be worth considering as a ‘records management’ option. Depending on the trigger (date created, date modified, date labelled or an event) you could end up with 1000s of documents trickling in from various libraries with no contextual metadata. This functionality is inadequate from an Australian records management point of view, and there is only basic metadata kept about the original records after they have been destroyed (the so-called ‘proof of disposition’). There is also the problem that records just vanish from document libraries after they are approved for disposal, with no record kept in that site of what was destroyed past the 90 day recycle bin. There is also the problem of records that aren’t subject to the disposition review option – they are either just retained or deleted automatically (same as for non-label based retention policies).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s