Where are the records in Microsoft 365?

Where are the records in Microsoft 365?

One of the consequences of the (relatively sudden) requirement to work from home from early 2020, was that Microsoft 365 – primarily Outlook and Teams (with ‘Files’ or SharePoint and OneDrive for Business behind the scenes) – became the de facto system to create and capture ‘unstructured’ records.

Unlike centralised electronic document and records management (EDRM) systems, into which end users were expected to copy emails or content created and stored on network drives (with varying degrees of success), the Microsoft 365 model meant leaving the records wherever they were created or captured and subjecting them to centralised controls, a paradigm shift for records that I described in this post in January 2020.

But where, exactly, are the records stored in Microsoft 365, and what are the recordkeeping implications?

An estimate of the volume of records stored in different Microsoft 365 applications

Record-creating applications

The four primary M365 applications used to create records are:

  • Outlook/Exchange Online (EXO) mailboxes
  • Microsoft Teams (MS Teams)
  • SharePoint Online (SPO)
  • OneDrive for Business (ODfB)

Other M365 applications that may create records include:

  • Planner/Tasks
  • Forms
  • Sway
  • Whiteboard

Exchange mailboxes/Teams content

Given the long history of email use, possibly between 30% and 40% of all records remain stored in ‘personal’ EXO mailboxes as emails and/or attachments. Some of these records may have been copied to an EDRMS. The exact figure will vary between organisations but many years of working with organisations and through legal ediscovery processes suggests that the figure is likely to be at least 30%.

Some emails may be copied to SPO (or even ODfB) but the default (and most common) approach is to leave them in Outlook/EXO mailboxes. This means of course that those records are inaccessible.

Unlike their on-premise server-based versions, EXO mailboxes store a much wider range of content. In addition to the default and user-created email folders visible to end-users, EXO mailboxes have a range of non-visible and non-accessible system and other folders that are used to store copies of content created by other applications.

  • Compliance copies (from the underlying Teams database) of Teams chats and private channel messages (stored in personal mailboxes) and channel messages (stored in Group mailboxes) are stored in an invisible folder ‘TeamsMessagesData’. Organisations may find that there are LOT more chats than channel messages.
  • Compliance copies of Yammer messages and community conversations, Forms created in Forms and responses to those forms, and Sways (stored in in html format) are all stored under the ‘ApplicationDataRoot’ folder.
  • Compliance copies of Planner tasks are stored in the AllToDoTasks folder.
  • Links to content stored in other folders, stored in search folders.
  • Third-party content (e.g., a company’s Facebook or Twitter content) ingested to EXO via Microsoft or third-party connectors.

(Source of above detail: Office 365 for IT Pros, March 2022 edition).

Implications for retention and disposition of records stored in EXO mailboxes

The use of EXO mailboxes to store both (visible) emails and other (invisible) content has direct implications for how these records can be managed and, eventually, subject to disposition.

  • EXO mailboxes that store both emails and Teams chats in separate areas of the same mailbox are typically regarded as ‘personal’ and off-limits for disposition review. Both emails and Teams chats are discoverable, as long as they are not deleted, via a Content Search or eDiscovery options in the Compliance admin center.
  • Retention policies must be applied separately to emails, Teams chats/channel messages and Yammer messages and conversations, all of which are stored in the same EXO mailbox. There is currently no retention coverage for any other content in the mailbox (Forms or Sways for example. Retention for Planner tasks is coming).

There are implications for the ability to restore from backups. For example, it is not possible to restore compliance copies of chat messages to Teams or Yammer conversations to Yammer.

SharePoint/OneDrive for Business (Teams ‘Files’)

SPO and ODfB are the other two locations where records (including copies of some emails) may be stored. Depending on usage (including via Teams and if network drives are no longer used), SharePoint might store as much as 40% of all records. ODfB (the replacement for ‘home’ or ‘personal’ drives) might account for as much as 15%.

The ability to create content and access ‘Files’ from Teams (chat or channels) can lead to the misunderstanding that files are ‘stored’ only in Teams. This is not correct. The Files tab points to either SPO or ODfB.

  • The chat ‘Files’ tab points to the ODfB of each participant; any files that are shared are visible to everyone in the chat. This includes the recordings of Teams meetings and, soon, Microsoft Whiteboard content.
  • The channel ‘Files’ tab points to the a folder with the same name of the general ‘Documents’ (Shared Documents) library of the SharePoint site linked with the Team. All files stored there are usually visible to all members of the Team. This includes the recordings of Teams channel meetings and the original copy of emails sent to channels (these are NOT stored in any organisational EXO mailbox).

Implications for retention and disposition of records stored in SPO sites and ODfB accounts

Retention policies may be published to all or specific SPO sites (within limits) and – unless a retention label or legal hold applies – will apply to individual items stored in libraries, without any label or tag visible.

  • Retention policies do not include the option for disposition review. Records (and other content) are either destroyed automatically or may be subject to a ‘do nothing’ action at the end of the retention period.

Retention labels, when published to SharePoint sites via label policies, apply to (and are visible when applied to) individual items stored in document libraries.

  • Some items tagged with retention labels may be subject to disposition review if the organisation has E5 licences and enables the option. Otherwise, as with retention policies, records (and other labelled content) may be destroyed automatically or subject to a ‘do nothing’ action at the end of the retention period.

Retention policies and/or labels may also be applied to ODfB accounts. As with EXO mailboxes, these accounts may be captured in backups.

Records stored in ODfB accounts will remain inaccessible to records managers and could potentially be destroyed through a disposal action without any review. However, as long as they are covered by a retention policy, the content in ODfB accounts will remain accessible to Compliance administrators through eDiscovery searches. Records managers should regularly monitor the size of ODfB accounts and provide guidance to IT or M365 admins on alternative options to access and/or manage the content stored in inactive accounts.

Final thoughts

Almost all records created or captured using Microsoft 365 applications will be stored in EXO mailboxes, SPO sites or ODfB accounts. MS Teams is an interface to these – and other – systems.

Records stored in SPO sites (including those linked with Teams) is typically accessible to records managers, whereas records stored in personal EXO mailboxes and ODfB accounts are usually inaccessible.

Records managers need to know where the records are stored in Microsoft 365, regularly monitor the size of records in those locations, and work closely with their IT colleagues to ensure that records are managed appropriately.

Feature image: Photo by Francesco Ungaro from Pexels

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s