Ten tips for records managers to monitor records in Microsoft 365

Ten tips for records managers to monitor records in Microsoft 365

With the large-scale adoption of Microsoft 365 (M365), many records managers have had to find ways to manage the records that have been (and continue to be) captured and stored across the ecosystem, including via Teams, SharePoint Online, OneDrive for Business and Exchange Online.

The M365 ecosystem is more complicated than a single server-based Electronic Document and Records Management System (EDRMS). It is composed of multiple applications contained within a single tenant. At least two of these applications, Exchange and SharePoint, and also network file shares and ‘personal’ drives, previously existed in separate servers in the on-prem world.

Note: Records managers working in organisations that are part of a multi-tenant environment may find it much harder to monitor and manage records in the M365 ecosystem as they will generally not have or be able to obtain access to the full set of options listed in this post.

1 – Be a Global Reader (or Reports Reader)

The M365 Admin Center is in some ways the ‘landing page’ for IT Global Administrators, along with Azure Active Directory. Global Admins have access to everything in the environment, just as privileged IT accounts had or have with on-prem IT environments.

M365 includes two roles that can be very useful for records managers.

  • Global Reader. Provides read-only access to most parts of all M365 admin centers as described below and is the most useful in terms of monitoring the environment. IT/Global Admins may be reluctant to grant this role, as least on a permanent basis. It can be assigned temporarily if required.
  • Reports Reader. Provides read-only access to certain parts of the M365 admin centre. This role provides access to the Reports > Usage area of the M365 admin center – see below for more info.

The Global Reader role provides access to all the following (recordkeeping related) information in the M365 admin center:

  • A list of all users and guests, including details of (NOT access to) their account, licences, mail and OneDrive.
  • A list of all Teams and Groups, including M365 Groups (with or without a Team), Distribution Lists, Mail-enabled security Groups, and Security Groups.
  • A list of roles, showing who has been assigned what role. Ideally, the organisation will have agreed on and documented separately who has been assigned to these roles.
  • The Search and Intelligence section, including (a) insights into what people are searching for (overall dashboard, query analytics, user analytics, connection analytics), (b) pre-defined answers to common questions, (c) what data sources are linked to search, and (d) customisations and configurations. Note that this section is NOT used to search for content, see below.
  • Details of various other organisational settings, including those relating to external sharing from SharePoint.
  • Reports – Usage. One of the most useful areas for records managers to access (via Global Reader or Reports Reader) – see screenshot below. This section includes a visual dashboard of usage of all the applications and allows the user to drill down to the following: (a) a list of all SharePoints sites (including those linked with Teams); (b) a list of all OneDrive accounts, which is very useful to find out how much content is stored in individual accounts (useful to get a sense of who is not storing records in SharePoint!); (c) an overview of MS Teams activity; and (d) if enabled, the Microsoft 365 Usage Analytics which provides access to more detailed Power BI reporting (requires a Power BI licence).
  • Health > Service Health and > Message Centre. The Message Centre provides details of changes coming to the M365 environment and is useful to monitor.

Note that the Global Reader role gives access to all the Admin centres listed below.

Screenshot from the Reports > Usage dashboard

2 – Become a SharePoint Administrator (assigned role)

Because a large volume of content will be stored in SharePoint Online (SPO) or OneDrive for Business (ODfB), records managers will almost always find it useful to be able to access the SharePoint admin centre, either via the Global Reader role or being assigned the SharePoint admin role.

SharePoint Admin

The SharePoint admin centre provides the details of all SPO sites and various settings.

It also provides access to the Term Store/Managed Metadata Service and Global Content Types under ‘Content services’. If you are going to manage either of these two sections (which is likely), you will need edit access, so SharePoint admin will be required UNLESS the actual SharePoint admin creates the terms and gives you edit access. Either way, records managers are likely to provide advice and input on the use and application of Content Types.

Note: Retention policies for SharePoint are NOT set in the SharePoint admin centre. See point 3.

An alternative to this role is for records managers to be Site Collection Administrators with access to every site. See point 7.

3 – Get access to the Microsoft Purview Compliance admin center

The Microsoft Purview Compliance admin center includes a range of elements that records managers will need access to, to monitor, search for and manage records. Not all the available options are listed below, only those of most relevance to records managers. To get access to this center, records managers will need to be assigned the Compliance admin role or a custom role that includes all the elements required. In most cases it will be easier to grant access to the Compliance admin role.

Note: This role can be subject to Privileged Identity Management (PIM) access controls (managed from Azure AD). These controls can be used to provide access on demand for specific periods of time.

  • Data lifecycle management > Microsoft 365. This section provides access to the following: (a) retention policy creation and management; (b) retention labels and label policy creation and management; (c) adaptive scope creation (subject to licencing); (d) policy lookup.
  • Data lifecycle management > Exchange (legacy). This section provides access to the legacy Messaging Retention Management (MRM) elements that were previously accessed via the Exchange admin center.
  • Records management (E5 licence required). This section provides access to the following: (a) Overview; (b) File plan creation and management (file-plan linked retention labels); (c) label policies, which also shows ‘manual’ labels created in the data lifecycle management section; (d) adaptive scope creation; (e) policy lookup; (f) event creation and management (used in retention policies and labels); and (g) disposition management (used to manage the disposition outcome relating to certain retention labels).
  • Information protection. This section is used to create information sensitivity labels and publish them. It also includes the ability to look up where these labels have been applied.
  • Audit. This section provides access to the Unified Audit Logs, for a very wide range of activities that are logged through the M365 environment – not just records. Records managers may need to spend some time working out how to use these logs and what needs to be captured for recordkeeping purposes. See point 4.
  • Content Search (and eDiscovery – a separate section but which uses the same search). Probably one of the most powerful search tools available for records managers and anyone else who needs to search ‘everything’ in any EXO mailbox, Teams chat/post, SharePoint site or ODfB account as long as it still exists – even if it has been deleted but it remains subject to a retention hold. Content found via this option can be exported or put on hold (eDiscovery). See point 5.
  • Data classification (E5 licence – see screenshot below). Again, one of the most useful sections in M365, this section includes a dashboard and a range of other options described below.
  • Alerts, Policies and Reports. View any alerts or reports and create policies.
  • Data Loss Prevention (DLP). It is arguable whether this section is more for Information Security managers or records managers, but either way, the section provides the ability to create powerful DLP policies.
Data classification section

Other useful sections

Other sections that may be useful to records managers in the Compliance admin center are: (a) Information barriers; (b) Inside risk management; (c) Privacy risk management; and (d) Subject rights requests.

4 – Learn to find out ‘who did what’ (audit logs)

The unified audit logs in M365 provide access to core and sometimes critical recordkeeping related information. The details in these logs are captured separately from the original records to which they relate.

  • Records in SharePoint have a 500-version (revision) history that shows who modified the document and when, and sometimes changes to metadata (depending on the configuration). If the (SharePoint viewers) site feature is enabled, it is also possible to see who viewed an item stored in a library. In most cases, this information will provide sufficient ‘audit’ information for those records.

If there is a requirement to obtain more information about other activity in SharePoint, including ‘everything’ that happened across the site for any given period, this can only be obtained from the unified audit logs, and only for the period of time allowed with the licence: (a) 3 months with an E3 licence, and (b) 12 months with an E5 licence. Both options provide the ability to create a retention policy to keep the logs for longer but retaining them in this way may not be the best way to retain that information long-term.

Records managers might consider exporting the full set of audit detail for specific sites on a regular basis (monthly or quarterly) and then saving that information in a separate library on the actual sites. This is the only way ‘out of the box’ to keep audit information with the records to which they relate.

See this Microsoft page ‘Search the Audit log in the compliance portal‘ for more details about how to use the logs and what information can be found and exported.

5 – Learn how to search for (almost) anything

A key requirement for all records managers is to ensure all records are managed appropriately, including to ensure that any disposal is authorised.

In addition to SharePoint sites, records are very likely to be created, captured or stored in personal or M365 Group Exchange mailboxes (including Teams chats/posts in hidden folders), and personal ODfB accounts. All of these last locations are generally inaccessible to records managers and cannot be searched using normal search capability. This is where Content Search becomes incredibly useful.

The content search functionality is not a single one-off search. It requires the user to develop a search ‘case’ that includes:

  • A name and description
  • A selection of places to search: (a) all or selected Exchange mailboxes (includes Teams chats/posts), (b) all or selected SharePoint sites (includes OneDrives), and (c) Exchange public folders.
  • Search conditions using either: (a) Condition card builder with keywords, or (b) Keyword Query Language (KQL) builder. Conditions may include: Date, Sender/Author, Size, Subject/Title, Retention label, Message kind, Type, Received, Recipients, Sender, Subject, To, Author, Title, Created, Last modified, File Type.

Every time a content search ‘case’ is created and run, the Global Admins are alerted and the activity is recorded in the audit logs. It is not possible to do such a search and not be noticed (unless you are the only Global Admin and no-one looks at the audit logs.

The power of the content search capability is the ability to find any item in any of the locations listed above, even when the item has been deleted, as long as (a) it is within the period before final deletion (e.g., 93 days for ODfB or SPO), or (b) remains subject to a retention policy. Additionally, a report on the results AND the full set of records found can be exported as required.

When linked with eDiscovery, records may also be subject to legal hold in addition to any retention policy that may apply.

6 – Use built-in Machine Learning and Artificial Intelligence (E5 licence)

Records managers in organisations that have extensive volumes of content stored in M365 may find that content searches won’t always find the information they need (although those searches are very good). This is where the power of Machine Learning (ML) and Artificial Intelligence (AI) comes in, via the Data Classification area in the Compliance admin center – helping to find content that doesn’t necessarily match search terms but is very similar to other records, and may be hidden away in personal Exchange mailboxes or ODfB accounts.

The Data Classification section includes a dashboard and then several tabbed sections as follows.

Trainable classifiers

This section contains a range of built-in trainable classifiers created by Microsoft. As can be seen from the names, these types of classifiers look to identify digital objects that are similar to if not the same as others – for example, agreements, bank statements and so on. New classifiers can be created and trained as required.

Some of the default trainable classifiers that can be used

Sensitive info types

This section also contains a range of built-in sensitive information types created by Microsoft. An example of a sensitive information type could be a health record or personal and sensitive information (PSI). This information can sometimes be stored accidentally or deliberately in inappropriate and/or non-secure locations such as personal Exchange mailboxes (e.g., as attachments to emails), ODfB accounts and even SharePoint sites. New sensitive information types can be created from this section.

Some of the many sensitive info types. Many of the types below this list are country-specific

Exact Data Matches

There is by default nothing in the EDM area of this section except the following description: ‘Exact data match (EDM) classifiers use exact values from your org’s data to detect matches instead of generic patterns. They can then be included in several compliance solutions to classify and protect sensitive data.’

The following self-explanatory detail appears when ‘Create EDM classifier’ is selected.

Content Explorer

All of the above, and more, comes together in the Content Explorer section. This section allows records managers to leverage the ML and AI capability of M365 to find and identify content stored across the M365 environment based on the various classifications including both retention labels and sensitivity labels.

A section of Content Explorer showing matches against a Sensitive Info Type.

As indicated in the screenshot above, the Content Explorer section allows records managers to review what type of content may be stored across the four main workloads – Exchange, OneDrive, SharePoint and Teams. The left-hand navigation groups matching content by each of the classifications and shows how many items match in each workload.

Note: Both trainable classifiers and sensitive info types use ML and AI to identify matching information. These matches may not always be accurate but may become more so as more and more content is stored in the system.

On the right hand-side, the authorised user (e.g., the records manager) can double-click on each folder to drill down to individual mailboxes, OneDrives, SharePoint sites and Teams. Items that match the classifier can be reviewed, regardless of the permissions that have been applied (as with Content Search also).

7 – Become a SharePoint site collection administrator

Point 2 above suggested that records managers might become SharePoint admins. The alternative (and perhaps better option) for records managers who don’t want to administer SharePoint is to be added to every SharePoint site as a Site Collection Administrator. This is best achieved by adding a single Security Group to each site; the Security Group may be named accordingly (e.g., ‘SG_SiteCollectionAdmins’) and include both SharePoint admins and records managers.

Site collection admin access will give records managers access to every site. This can be denied if required on a site-by-site basis.

Aside from being able to access anything on the site, site collection admins can also access the Preservation Hold library and view the Site usage analytics that include what content on the site has been shared externally. They can check on retention and apply retention labels (in addition to any ‘back end’ retention policies that may already be applied).

Site collection admin access also allows records managers to work closely with SharePoint admins to determine what to do with disused or ownerless sites.

8 – Really understand how Microsoft 365 Groups work and their connection with Teams

Microsoft 365 Groups were introduced in 2016. Despite this, there is often a poor level of knowledge and understanding about these Groups work, and how they connect with Teams.

Very simply:

  • Every M365 Group has an Exchange mailbox AND a SharePoint site. This can obviate the need copy emails to SharePoint as the Group’s email and SharePoint site are inexorably linked (and would be subject to the same retention policy).
  • Every Team (with channels, not the chat area) is based on an M365 Group. The membership of the Team (Owners/Members) is the same as the M365 Group.
  • Access to the M365 Group SharePoint site (the ‘Files’ tab) is restricted to the Group/Teams Owners and Members. If access to the SharePoint site members is changed, this act changes the membership of the Group/Team. They are not different things.
  • Compliance copies of the Teams standard channel messages are saved to a hidden folder in the M365 Group mailbox. (Compliance copies of Teams private channel messages on the other hand are saved to a hidden folder in the personal Exchange mailbox of the members of the private channel).
  • The Teams calendaring capability comes from the M365 Group mailbox calendar.
  • When a Teams meeting is scheduled in a Teams channel and recorded, the recording is saved to the M365 Group SharePoint site’s Documents library, in the folder linked to the channel.
  • M365 Group mailboxes are visible in Outlook UNLESS the Team was created first. M365 Group mailboxes can replace Shared Mailboxes and also Distribution Lists.

Records managers may find it useful to learn exactly how Microsoft 365 Groups work and their relationship with Security Groups, Distribution Lists, mail-enabled Security Groups – and also Shared Mailboxes.

9 – Consider learning some PowerShell

Subject to the level of access provided, records managers might find it useful to learn PowerShell as this can provide access to information that isn’t always easy to access otherwise. Certain actions in SharePoint can only be performed via PowerShell; for example, ‘force’ deleting a deleted site (that is not subject to a retention policy).

Using PowerShell requires various components to be installed on the user’s computer as well as the relevant access and/or role. Some suggested Microsoft links to learn more are listed below:

10 – Learn more about Microsoft 365

Microsoft provides a range of learning material to learn more about Microsoft 365. Click the link to start your journey.


One thought on “Ten tips for records managers to monitor records in Microsoft 365

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s