Posted in Compliance, Electronic records, Exchange Online, Governance, Information Management, Products and applications, Records management, Retention and disposal

Records retention in Exchange Online

Retention labels created in the Classification section of the Office 365 (O365) Security & Compliance admin centre, and published through a label policy, can be applied to content in Exchange Online (EXO) mailboxes.

In practice it may not be possible to apply more than one Office 365 retention policy to EXO mailboxes. Unless the mailbox is dedicated to a specific subject (for example, ‘Customer Complaints’), or is a dedicated Office 365 Group mailbox:

  • Emails generally contain content about multiple subjects.
  • The way content is categorised in mailboxes, including through the use of rules and/or folders, varies between users.
  • The retention and disposal of records relies largely on the ability to assign retention policies to categories or groups of records, not individual records.
  • Organisational policies may require all user emails to be kept (‘archived’) for a period of time after they leave the organisation.

Unless emails are moved to a different storage location such as SharePoint, it may be necessary to continue to apply a single, but shorter, O365 retention policy to mailboxes.

Exchange Messaging Records Management (MRM) policies

Until Office 365 retention policies appeared as an option, MRM policies applied in EXO were likely based on an organisational business requirement to keep the mailboxes (and other content) of departed users for potential legal or compliance reasons.

MRM policies in EXO are found under the ‘Compliance Management’ section of the EXO admin portal.


When this section is opened, the following message may appear:


The default MRM policy (‘Default MRM Policy’) is made up of the following retention tags. These may be modified, or additional retention tags created, as required:

  • Default 2 year move to archive (the default policy tag, applied to every item that has no other tag)
  • Recoverable Items 14 days move to archive
  • Junk Email (deleted after 30 days)
  • 1 Week Delete, 1 Month Delete, 6 Month Delete and 1 Year Delete (personal tags users can assign)
  • Never Delete (personal tag)
  • Personal 1 year move to archive, Personal 5 year move to archive and Personal never move to archive (personal tags)

If the Exchange administrator has not changed the default MRM policy, it is applied automatically to every mailbox. Because it contains personal tags, users can use the ‘Assign Policy’ option in Outlook on folders and emails to decide how long they should be kept.

Emails that are deleted before a backup is made may not be retained: once a deleted item has passed the mailbox’s deleted item retention period (14 days by default in EXO, extendable to 30), it is gone unless a retention policy or hold preserves it.

Some organisations may decide to retain all emails and the mailboxes of departed users ‘forever’. They can do this by removing all the options except ‘Never Delete’.
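The following is an added example, not code from the original post, showing the MRM side of this in Exchange Online PowerShell: list what the default policy actually does, find the tags that delete, and build a policy that keeps only ‘Never Delete’ for a test mailbox. It assumes an Exchange Online PowerShell session is already open (for example via Connect-ExchangeOnline); the policy and mailbox names are illustrative.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# PowerShell session is already connected. Policy and mailbox names are
# illustrative.

# 1. Show the tags linked to the Default MRM Policy and what each one does.
$default = Get-RetentionPolicy -Identity 'Default MRM Policy'
$default.RetentionPolicyTagLinks |
    ForEach-Object { Get-RetentionPolicyTag -Identity "$_" } |
    Select-Object Name, Type, RetentionEnabled, AgeLimitForRetention, RetentionAction |
    Format-Table -AutoSize

# 2. Which of those tags actually delete content? These are the ones a
#    'keep everything' organisation would want to remove from its policy.
$deleting = $default.RetentionPolicyTagLinks |
    ForEach-Object { Get-RetentionPolicyTag -Identity "$_" } |
    Where-Object { $_.RetentionEnabled -and $_.RetentionAction -like '*Delete*' }
$deleting | Select-Object Name, Type, AgeLimitForRetention

# 3. Build a separate policy that links only the built-in 'Never Delete'
#    personal tag, leave the default policy untouched, and assign the new
#    policy to one test mailbox before rolling it out more widely.
$neverDelete = Get-RetentionPolicyTag -Identity 'Never Delete'
New-RetentionPolicy -Name 'Keep Forever (test)' -RetentionPolicyTagLinks $neverDelete.Name
Set-Mailbox -Identity 'test.user@contoso.example' -RetentionPolicy 'Keep Forever (test)'

# 4. MRM is enforced by the Managed Folder Assistant on its own schedule;
#    force a run so the effect can be checked now rather than days later.
Start-ManagedFolderAssistant -Identity 'test.user@contoso.example'

# 5. Confirm which policy the mailbox now carries.
Get-Mailbox -Identity 'test.user@contoso.example' | Select-Object DisplayName, RetentionPolicy
```

Step 2 is the check worth keeping: a policy can look harmless by name while still carrying a default policy tag that moves or deletes after a fixed age.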

How O365 Retention Policies are applied to Exchange

Retention labels created in Office 365 can be used to manage the retention of emails, including (to some degree) emails that have content that meets certain pre-defined conditions.

Retention labels are created in the Office 365 Security and Compliance admin portal under the ‘Classifications’ section. This section has three options:

  • Labels. This section is used to create both ‘Sensitivity’ and ‘Retention’ labels. There is also an ‘Auto-apply’ option in the Retention section.
  • Label policies. This section partially duplicates the previous one (except the ‘Create’ option) and lists the labels that have been published.
  • Sensitive info types.

Auto-apply, as its name suggests, auto-applies an existing label based on certain conditions. The conditions are as follows:

  • Apply label to content that contains sensitive info. The sensitive info types are pre-defined options for (a) Financial data (e.g., credit card numbers), (b) Medical and Health (e.g., predefined health records) and (c) Privacy (e.g., personal and sensitive information). There is also the option to create a Custom setting.
  • Apply label to content that contains specific words or phrases, or properties. This option works by looking for specific words or phrases.

New labels must be published before they appear or apply anywhere in Office 365.

During the publish process, policies must specify where (in the ‘Locations’ section) the policy is to be applied.

The default option is ‘All locations. Includes content in Exchange email, Office 365 groups, OneDrive and SharePoint documents.’ Alternatively, the policy may be set to specific locations including

  • The Exchange mailboxes of all or specific recipients, or excluding specific recipients.
  • All or specific SharePoint sites, or excluding specific sites.
  • All or specific OneDrive accounts, or excluding specific accounts.
  • All or specific Office 365 Groups, or excluding specific groups.

Note that the Office 365 Groups location covers the group mailbox and the group’s SharePoint site (which is where a Team’s files live). Teams channel messages and Teams chats are separate locations in a retention policy and must be selected on their own.
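The same create, publish and auto-apply steps described above, done in Security & Compliance Center PowerShell, as an added example that is not part of the original post. It assumes a Connect-IPPSSession session; the label, policy and recipient names, the keyword query and the sensitive info type choice are illustrative.

```powershell
# Added example (not from the original post). Assumes a Security & Compliance
# Center PowerShell session (Connect-IPPSSession). Names, query and the
# excluded mailbox are illustrative.

# 1. Create the label: keep for 7 years from creation, then delete.
#    RetentionDuration is in days; 7 years is expressed here as 2555 days.
New-ComplianceTag -Name 'Company records - 7 years' `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType CreationAgeInDays `
    -Comment 'Added example: keep 7 years from creation, then delete'

# 2. Publish it. A label policy is scoped to locations; here Exchange only,
#    excluding one mailbox that has its own rules. Until this exists the label
#    is invisible to users.
New-RetentionCompliancePolicy -Name 'Publish - Company records (Exchange)' `
    -ExchangeLocation All `
    -ExchangeLocationException 'complaints@contoso.example'
New-RetentionComplianceRule -Name 'Publish rule - Company records' `
    -Policy 'Publish - Company records (Exchange)' `
    -PublishComplianceTag 'Company records - 7 years'

# 3a. Auto-apply on 'specific words or phrases': a KQL query over Exchange.
New-RetentionCompliancePolicy -Name 'Auto-apply (keywords) - Company records' `
    -ExchangeLocation All
New-RetentionComplianceRule -Name 'Auto-apply rule (keywords)' `
    -Policy 'Auto-apply (keywords) - Company records' `
    -ApplyComplianceTag 'Company records - 7 years' `
    -ContentMatchQuery 'subject:"board minutes" OR "contract number"'

# 3b. Auto-apply on 'sensitive info': a built-in sensitive information type.
New-RetentionCompliancePolicy -Name 'Auto-apply (sensitive info) - Company records' `
    -ExchangeLocation All
New-RetentionComplianceRule -Name 'Auto-apply rule (sensitive info)' `
    -Policy 'Auto-apply (sensitive info) - Company records' `
    -ApplyComplianceTag 'Company records - 7 years' `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' })

# 4. Check what now exists: where each policy is scoped and whether each rule
#    publishes or auto-applies a label.
Get-RetentionCompliancePolicy |
    Select-Object Name, Enabled, ExchangeLocation, ExchangeLocationException
Get-RetentionComplianceRule |
    Select-Object Name, PublishComplianceTag, ApplyComplianceTag, ContentMatchQuery
```

Auto-apply policies take time to evaluate existing content, so the check in step 4 confirms the configuration, not that any email has been labelled yet.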

Mixing MRM and O365 retention policies – maybe not a good idea

If the default MRM policy is left in place, any O365 retention label that is published to EXO will also appear in the list of retention tags under the default MRM policy, as can be seen in the screenshot below, which shows three options in addition to the original MRM tags: ‘Temporary records – 7 days’, ‘Financial Records’, and ‘Company records – 7 years’. If nothing else is changed in the environment, users can apply these labels to folders and emails just as they would an MRM tag.


If the organisation has decided to remove all retention tags except ‘Never Delete’ and a new O365 retention policy is applied to EXO, the ‘Never Delete’ option will prevail and the O365 policy will not work.

Accordingly, careful consideration needs to be given to the creation of O365 retention policies that may be applied to EXO records.

Should user mailboxes be kept ‘forever’?

Many IT departments keep user mailboxes of departed staff (and most other content on the network) for a long time, usually on backups, ‘just in case’ they may be required for legal or compliance requirements, including investigations into misconduct.

Recent personal experience with subpoenas for mailboxes of departed staff indicates that 10 years is likely to be the maximum retention requirement for these types of records. There may be a case to keep certain individual mailboxes for much longer, which the O365 policy allows for.


What happens when emails reach the end of their O365 retention policy period?

O365 retention policies define how long records are to be retained before they are either deleted or ready for review (via the Records Management – Dispositions section of the O365 Security and Compliance admin portal).

The following options define what happens when retention is enabled:

  • Retain the content (a) for a specific period (n days/months/years) or (b) forever. Option (b) is the same as the MRM policy ‘Never Delete’.
    • Action to be taken at the end of the period (except ‘forever’): (a) Delete the content automatically, (b) Trigger a disposition review (i.e., notify specific people), or (c) Do nothing, leave the content as is.
  • Don’t retain the content, just delete it if it’s older than n days/months/years.
  • Retain or delete the content based on: (a) When it was created, (b) When it was last modified, (c) When the label was applied, (d) based on an event.

The three actions above define the options for records managers:

  • Allow the emails to be deleted automatically. This is possibly the easiest and most efficient option but it will result in the deletion of any emails when they reach the end of the retention period – if they are kept in Exchange. Importantly, if a specific period of time (e.g., 7 years) is set for email retention, this could start to delete the emails of users who are still with the organisation after that period expires. This fact may affect the retention period that is set. 
  • Trigger a disposition review – see below. This option would be onerous to implement; it would take a lot of effort to review the individual emails of a departed user as part of a disposition review. It would, however, allow for selective review by using the ‘filter’ option in the Dispositions area.
  • Do nothing. This option may be useful for specific types of records, but not emails.
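As an added example (not code from the original post), the end-of-period options above expressed as New-ComplianceTag parameters, followed by the check the ‘Allow the emails to be deleted automatically’ warning calls for: which labels end in deletion, and which of those reach every Exchange mailbox. It assumes a Connect-IPPSSession session; label names and the reviewer address are illustrative, and the comparison of a rule’s Policy value against the policy GUID is an assumption about how Get-RetentionComplianceRule reports it.

```powershell
# Added example (not from the original post). Assumes a Security & Compliance
# Center PowerShell session (Connect-IPPSSession). Names and addresses are
# illustrative; durations are in days.

# (a) Retain for a period, then delete automatically.
New-ComplianceTag -Name 'Temporary records - 7 days' -RetentionAction KeepAndDelete `
    -RetentionDuration 7 -RetentionType CreationAgeInDays

# (b) Retain for a period, then trigger a disposition review. ReviewerEmail is
#     what turns a plain 'Keep' into a review; reviewers are notified at expiry.
New-ComplianceTag -Name 'Financial records - review' -RetentionAction Keep `
    -RetentionDuration 2555 -RetentionType ModificationAgeInDays `
    -ReviewerEmail 'records@contoso.example'

# (c) Retain forever, the equivalent of the MRM 'Never Delete' tag.
New-ComplianceTag -Name 'Retain forever' -RetentionAction Keep -RetentionDuration Unlimited

# (d) Do not retain; just delete anything older than the period.
New-ComplianceTag -Name 'Delete after 1 year' -RetentionAction Delete `
    -RetentionDuration 365 -RetentionType CreationAgeInDays

# Classify an existing label by what happens when its period ends.
function Get-EndOfPeriodAction($tag) {
    $forever = "$($tag.RetentionDuration)" -eq 'Unlimited'
    if     ($tag.RetentionAction -eq 'Keep' -and $forever)           { 'Retain forever' }
    elseif ($tag.RetentionAction -eq 'Keep' -and $tag.ReviewerEmail) { 'Disposition review' }
    elseif ($tag.RetentionAction -eq 'Keep')                         { 'Do nothing' }
    else                                                             { 'Delete automatically' }
}

$tags = Get-ComplianceTag
$tags | Select-Object Name, RetentionDuration, RetentionType,
    @{ n = 'AtEndOfPeriod'; e = { Get-EndOfPeriodAction $_ } } |
    Format-Table -AutoSize

# Policies scoped to every Exchange mailbox (ExchangeLocation contains 'All').
$allMailboxPolicies = Get-RetentionCompliancePolicy |
    Where-Object { @($_.ExchangeLocation | ForEach-Object { "$_" }) -contains 'All' }

# Warn about any deleting label that such a policy publishes or auto-applies:
# once an item of a current employee reaches the age limit, it will be removed.
foreach ($rule in Get-RetentionComplianceRule) {
    # Assumption: Rule.Policy holds the parent policy's GUID.
    $policy = $allMailboxPolicies | Where-Object { "$($_.Guid)" -eq "$($rule.Policy)" }
    if (-not $policy) { continue }
    $labelNames = "$($rule.PublishComplianceTag)$($rule.ApplyComplianceTag)"
    foreach ($tag in $tags | Where-Object { $labelNames -like "*$($_.Name)*" }) {
        if ((Get-EndOfPeriodAction $tag) -eq 'Delete automatically') {
            Write-Warning ("Label '{0}' deletes after {1} days and reaches every Exchange mailbox via policy '{2}'" -f
                $tag.Name, $tag.RetentionDuration, $policy.Name)
        }
    }
}
```

Run the check before publishing a deleting label tenant-wide; the warning list is exactly the set of labels for which the ‘still with the organisation’ problem described above can occur.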

Disposition Reviews

Emails that are subject to a disposition review will appear in the Records Management – Dispositions section of the O365 Security and Compliance centre. Note that the ‘Type’ must be changed from ‘Documents’ to ‘Emails’ to see the emails that are due for disposal. As noted above, while it is possible to filter by user to review the emails, this process could be quite onerous.



The nature of email makes it almost impossible to categorise them into categories that map to different retention and disposal policies.

Most mailboxes will be subject to a single retention policy.

Office 365 retention policies can and probably should replace the default EXO MRM policies that govern the retention of emails.

Retaining emails in the mailboxes they are stored in ‘forever’ is not a practical retention model. 10 years is a reasonable maximum period, but exceptions may be required.

If O365 retention policies replace EXO MRM policies, records managers need to specify (a) how long emails need to be kept for and (b) whether they can simply be deleted when they reach the end of the retention period or need to be reviewed before deletion.


‘Overview of Retention Policies’ (accessed 9 August 2019)

‘Set up an archive and deletion policy for mailboxes in your Office 365 organization’ (accessed 6 August 2019)

Posted in Electronic records, Exchange Online, Governance, Information Management, Office 365, Office 365 Groups, Products and applications, Records management, Retention and disposal, SharePoint Online

Office 365 admin and Security and Compliance portals – records management options and settings

If you plan, or want to understand how, to manage records ‘out of the box’ in the Office 365 ecosystem including in SharePoint Online, Exchange Online and MS Teams, you will need to know the available options and settings. These would normally be set by the Office 365 Global Admins (GAs) or, in some cases, devolved to Customised Administrators. GAs have access to all parts of the Office 365 environment including SharePoint Online, Exchange, OneDrive and Microsoft Teams.

See the next post for a list of the options and settings available in SharePoint Online to manage records.

Note, the description below is for a typical E3 licenced level organisation. E5 licences provide additional capability some of which is referenced below with a comment.

Office 365 admin portal options and settings

The options and settings in the Office 365 admin portal required to manage records are listed below.

Customised administrator

In addition to the GAs, the Office 365 admin portal is where customised administrators are set up. Typically these admins will have logons that are different from their normal user logon and will not need the full range of licence options. The SharePoint Admin role is a customised administrator.

Records managers could potentially be SharePoint Admins if they are suitably skilled. Otherwise, at the very least they should be Site Collection Administrators and work closely with the SharePoint Admins to ensure that SharePoint Online (SPO) is configured correctly.

Office 365 Groups

Records managers need to understand how Office 365 Groups work.

Most people know that Distribution Lists (DL) are used to send emails to multiple people. However, DLs cannot be used to control access to IT resources; this is achieved by using Security Groups (SG). SGs, on the other hand, are not email enabled.

Office 365 (O365) Groups are ‘kind of’ a mix of DL and SG functionality in that they can be used to control access to certain resources in Office 365 (including SPO) AND they can be used to contact all members of the Group.

But O365 Groups are much more. They are in many respects central to Office 365.

  • Every new O365 Group creates a SharePoint site (this is not optional).
  • If the creation of O365 Groups is not controlled, every new Team in MS Teams creates an O365 Group that in turn creates a SPO site.
  • If you use Yammer, every new Yammer group also creates an O365 Group that creates a SPO site.
  • Again, if not controlled, any user can create a new O365 Group from Outlook.

In short, you need to either allow their creation and expect to see multiple uncontrolled SPO sites, or control their creation. There is no middle path.

Additionally, if the creation of O365 Groups is not controlled, the Owners of the new O365 Group (usually the person who created it and anyone else they invite) will become the Site Collection Administrators, locking the SharePoint Admins out of the site. They will need to call on the O365 GAs to give them access to the site.
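Controlling group creation, as the section above recommends, is done through a tenant-wide Azure AD directory setting rather than in any of the individual admin portals. The following is an added example, not code from the original post; it uses the AzureADPreview module’s directory-settings cmdlets, and the name of the security group allowed to create groups is illustrative.

```powershell
# Added example (not from the original post). Requires the AzureADPreview
# module (Get-/New-/Set-AzureADDirectorySetting). The security group name is
# illustrative; create it first and put your approved 'group creators' in it.
Connect-AzureAD

$allowed = Get-AzureADGroup -SearchString 'Group Creators' | Select-Object -First 1
if (-not $allowed) { throw "Create the 'Group Creators' security group before running this" }

# A tenant has at most one 'Group.Unified' settings object. Create it from the
# template if it does not exist yet, then read it back so it has an Id.
$setting = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
    $new      = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $new | Out-Null
    $setting  = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
}

# Turn off creation for everyone except members of the allowed group. This
# covers Teams, Yammer, Outlook and Planner, since all of them create a
# Group.Unified object behind the scenes.
$setting['EnableGroupCreation']         = 'False'
$setting['GroupCreationAllowedGroupId'] = $allowed.ObjectId
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Check: the two values that matter, read back from the directory.
(Get-AzureADDirectorySetting -Id $setting.Id).Values |
    Where-Object { $_.Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId' }
```

Global Admins are not affected by this setting and can always create groups; the check at the end is what to re-run after any change to confirm the restriction is still in place.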

External Sharing for SharePoint and O365 Groups

Although it relates more to security, external sharing is an option and setting that may require input from the information or records management area. External sharing is initially enabled in the O365 Admin portal in the Settings – Services and Add-ins section.


Note, even if this setting is enabled, SPO sites don’t have this enabled by default. The setting is controlled from the SharePoint Admin portal.

External access for Office 365 Groups is set in the following setting:


Office 365 Security and Compliance admin portal options and settings

The options and settings in the Office 365 Security and Compliance admin portal required to manage records are listed below.

Permissions – Roles – Records Management (and others)

The Security and Compliance admin centre includes several roles in the ‘Permissions’ section that may be required by records and/or information management staff, especially to establish records retention schedules, manage dispositions, check audit logs and manage eDiscovery cases and legal holds.

Classification – Labels (Records Retention labels)

Records retention policies in O365 are set in the O365 Security and Compliance Portal in the Classifications section. These retention policies may be applied across SPO, Exchange Online and Teams.

Some thought needs to go into this including potentially grouping policies that have the same retention requirement (e.g., 7 years), or using the File Plan (see below) and other options now available to group them. This requires records management input.


Classification policies used for records retention can be applied across the whole O365 environment, not just SPO, depending on the locations chosen when they are published. However, your IT department may want to implement different rules for Exchange (e.g., using the default MRM policy to keep all emails ‘forever’) or OneDrive (e.g., a 7 year retention for everyone’s content after they leave).

Records Management – Dispositions

The O365 Security and Compliance Centre includes a ‘Records Management’ section that has three options: File Plan, Events, Dispositions. Records Managers should have access to these areas; this is achieved by them having the ‘Records Management Role’ in the ‘Permissions’ section.

The ‘File Plan’ section displays a list of retention policies (labels) with any details added to the ‘File Plan’ section (shown above), thereby providing the records manager with a view of all labels and any added details, for example by numbering, citation and so on.

The ‘Events’ section shows any events that have been defined for use in retention policies.

The Dispositions section has two parts. The first is a basic dashboard that shows all retention policies and the number of records covered by each:


The second appears when the records manager clicks on any of the policies: it displays the records due for disposal and provides the various options for disposal. Records that have already been disposed of are shown on a separate tab.



The search section has two options: Content search and Audit log search. Access to both is controlled by role; where records managers do not hold those roles, they will need to request searches from the GAs.


The eDiscovery section is where eDiscovery cases are established. A case combines content searches with holds (legal holds): content placed on hold cannot be deleted, including by retention policies, until the hold is released and the case closed.

eDiscovery cases may include searches across all of Office 365 (Exchange email, O365 Group email, Teams messages, To-Do, Sway, Forms, SPO, OneDrive, O365 Group SPO sites, Teams sites, Exchange public folders) or selected parts only. They may also be used to search the mailboxes of specific individuals or selected SPO sites.
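An added example, not code from the original post, of creating a case and a hold in Security & Compliance Center PowerShell and then checking what the hold covers. It assumes a Connect-IPPSSession session; the case name, custodian mailbox, site URL and query are illustrative.

```powershell
# Added example (not from the original post). Assumes a Security & Compliance
# Center PowerShell session (Connect-IPPSSession). Case name, custodian,
# site and query are illustrative.

$case = New-ComplianceCase -Name 'HR matter 2019-08 (example)' -Description 'Added example case'

# A hold policy inside the case, scoped to the custodians rather than the whole
# tenant. A departed user's mailbox must still exist (or be an inactive
# mailbox) for it to be held.
New-CaseHoldPolicy -Name 'HR matter 2019-08 hold' -Case $case.Name `
    -ExchangeLocation 'departed.user@contoso.example' `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/HR'

# The hold is not active until it has a rule. With -ContentMatchQuery only
# matching items are held; omit it to hold everything in the locations above.
New-CaseHoldRule -Name 'HR matter 2019-08 hold rule' -Policy 'HR matter 2019-08 hold' `
    -ContentMatchQuery 'subject:"grievance" OR participants:hr@contoso.example'

# Checks a records manager would want: what is on hold, and whether the hold
# has actually been distributed to the locations (DistributionStatus).
Get-CaseHoldPolicy -Case $case.Name -DistributionDetail |
    Select-Object Name, Enabled, ExchangeLocation, SharePointLocation, DistributionStatus

# Releasing the hold. From this point retention labels and MRM apply again,
# and anything past its period becomes eligible for deletion.
# Remove-CaseHoldPolicy -Identity 'HR matter 2019-08 hold'
# Set-ComplianceCase -Identity $case.Name -Status Closed
```

Closing a case without first reviewing which holds it carried is how content that was only being kept by the hold disappears; the DistributionStatus check is also the first thing to look at when a hold appears not to be working.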


All of the above (and all other settings) should form part of a governance document that details the O365 environment. Settings should only be changed with agreement of everyone in a governance team.

Posted in Compliance, Exchange Online, Office 365, Office 365 Groups, Products and applications, Records management, Retention and disposal

Managing the retention and disposal of emails in Office 365

In a recent blog post, James Lappin provided a good overview of the direction that Microsoft have gone with retention and disposal in Office 365.

A key point with almost anything to do with SharePoint Online (that differentiates it from on-premise) is that SharePoint Online (and its ‘personal’ end-user service, OneDrive for Business) is just one element of the Office 365 ecosystem. That is, you can no longer really regard SharePoint as a standalone service that can be managed independently of the other services you may or may not decide to use.

For example:

  • Office 365 Groups (which are an Exchange object, similar to Distribution Lists and Security Groups) all have an associated SharePoint site. O365 Groups are in many ways at the ‘heart’ of the Office 365 security/permission model. You cannot create an O365 Group without a SharePoint site.
  • Teams in Microsoft Teams (yes, the duplication of wording is unfortunate) create an Office 365 Group (which in turn creates a SharePoint site). Alternatively, you can create an Office 365 Group (with a SharePoint site) and link that Group to the new Team. So, Teams in Microsoft Teams have their own Team site.
  • If you enable the ‘Create Site’ option in the end-user SharePoint portal, and the user selects ‘Team site’, this creates an Office 365 Group also.
  • If you allow anyone to create an Office 365 Group, then any new Yammer group creates an Office 365 Group and – yes, you got it right – a SharePoint site.
  • Retention policies for Exchange and SharePoint are set as ‘classification policies’ in the Office 365 Security and Compliance admin portal. This, by the way, is also where you set the new sensitivity (information protection) labels that have only recently appeared. Retention and sensitivity are both a type of label.

It can be quite overwhelming at first, but the key point is that you cannot regard SharePoint as an isolated application any more. However, most IT shops are pretty ‘hardened’ to the idea that the Exchange ‘box’ (the server) and the SharePoint box are managed by different teams, and one challenge in the new Office 365 world may be to convince the Exchange admins that they should be friends with the SharePoint admins AND the records team.

Backing up as a retention option

It is important to understand that IT departments often regard ‘backing up’ as a form of retention (or ‘archiving’). Your IT department will almost always have a back-up regime for its on-premises servers.

However, you cannot (easily, cost efficiently) back up SharePoint Online or Exchange Online like you could back up your on-premises environments, but there are many vendors in the market who will offer you a solution to this.

Most IT shops consider back ups to be an archive from which they can retrieve content, a kind of alternative records retention regime. This factor may impact on any decisions that may need to be made with retention policies applied to both Exchange Online and SharePoint Online.

The problem with applying retention and disposal policies to email

It almost goes without saying that, while retention policies can be applied to Exchange Online, typically (a) the content is structured (in multiple folders) differently by every person and (b) the content is mixed together so no retention policy can normally apply to all emails in a single folder.

It is why, generally speaking, we ask users to copy emails into SharePoint (or other EDRM) containers or aggregations (document libraries, files), to keep the content in context.

But in most cases the content (the emails) still remains in Exchange too.

Challenges when applying retention and disposal actions to emails

There are several challenges for the application of records retention and disposal policies in Exchange/Outlook.

  • Do you have a blanket approach to all email, disallowing the deletion of any email for say 7 years?
  • Or do you apply a much shorter retention policy to all emails (say 12 months or less)? (Cue – ‘but what if I want to get my email back after 5 years’ from a user with a labyrinthine email folder structure)
  • Do you rely on users to copy emails to SharePoint or other EDRM containers where they will be stored in context?

The core problem with email is that it’s personal to each user. While it may be good to be able to apply a retention policy to emails, my sense is that anything that is optional will almost always fail to be taken up.

Having a single retention policy (e.g., 7 years) applied to the email accounts of departed users may be a good option (similar to the same policy applied to the OneDrive accounts of departed users).

Another newish option is to use the new Microsoft Flow options to automatically move emails and/or attachments to SharePoint document libraries.

Every organisation is likely to be different and all options need to be considered, understood and then applied – along with the question: ‘Do we (really) need to back this up’?

Posted in Compliance, Data Loss Prevention - DLP, Exchange Online, Governance, Information Classification, Information Management, Information Security, Legal, Office 365, OneDrive for Business, Products and applications, Security, SharePoint Online, Training and education

SharePoint Online and OneDrive for Business – Preventing external sharing of data

A recent (September 2017) article suggested that OneDrive for Business (ODfB) (and by extension SharePoint Online (SPO); ODfB is a SharePoint-based service), a key application in Office 365 was a potential source of data leaks and/or target for hacking attacks.

I don’t disagree that, if not configured correctly, any online document management system – not just ODfB/SPO – could be the source of leaks or the target of external attacks. Especially if these systems, and the security controls that can protect the data in them, are not properly configured, governed, administered, and monitored.

But, I would ask, what controls do most organisations have in place now for documents stored in file shares and personal file folders, not to mention USB sticks, and the ability to send document via Bluetooth to mobile devices or upload corporate data to third-party document storage systems? Probably not many, because users have no other way to access the data out of the office.

As we will see, the controls available in Office 365 are likely to be more than sufficient to allow users to access to their documents out of the office, while at the same time reducing (if not eliminating) the sharing of documents with unauthorised users.

How to stop or minimise sharing from OneDrive for Business and SharePoint Online

There is one simple way to prevent the sharing of data stored in SPO and ODfB with external people – don’t allow it.

There are several ways to control what can be shared, each allowing the user a bit more capability. All these options should be based on business requirements and information security risk assessments, and Office 365 configured accordingly.

In this article I will start with no sharing allowed, and then show how the controls can be reduced as necessary.

External sharing – on or off

This is the primary setting, found in the main Office 365 Admin centre under Settings > Services & add-ins > Sites. If you turn this off, no-one can share anything stored in SPO or ODfB.

The option is shown below:


If you do allow sharing, you need to decide (as shown above) if sharing will be with:

  • Only existing external users
  • New and existing external users [Recommended]
  • Anyone, including anonymous users

The second option is recommended because it doesn’t restrict the ability to share with new users. The last option is unlikely to be used in most organisations and comes with some risks.

The next place to set these options is in the SPO and ODfB Admin centres.

OneDrive admin center

If the previous option is enabled, the following options are available for ODfB. Note that BOTH SharePoint and OneDrive are included here because the latter is a part of the SharePoint environment.

  • Let users share SharePoint content with external users: ON or OFF.
    • NOTE: If this option is turned OFF, all the following options disappear.
  • If sharing with external users is enabled, the following three options are offered:
    • Only existing external users
    • New and existing external users [Recommended]
    • Anyone, including anonymous users
  • Let users share OneDrive content with external users: ON or OFF
    • This setting must be at least as restrictive as the SharePoint setting.
  • If sharing with external users is enabled, the following three options are offered
    • Only existing external users
    • New and existing external users [Recommended]
    • Anyone, including anonymous users

If sharing is allowed, there are three sharing link options:

  • Direct – only people who already have permission [Recommended]
  • Internal – only people in the organisation
  • Anonymous access – anyone with the link

You can limit external sharing by domain, by allowing or blocking sharing with people on selected domains.

External users have two options:

  • External users must accept sharing invitations using the same account that the invitations were sent to [Recommended]
  • Let external users share items they don’t own. [This should normally be disabled]

A final ‘Share recipients’ checkbox allows owners to see who viewed their files.

SharePoint admin center

The SPO admin center (to be upgraded in late 2017) has two options for sharing.

The first option is under the ‘sharing’ section which currently has the following options:

Sharing outside your organization

Control how users share content with people outside your organization.

  • Don’t allow sharing outside your organization
  • Allow sharing only with the external users that already exist in your organization’s directory
  • Allow users to invite and share with authenticated external users [Recommended]
  • Allow sharing to authenticated external users and using anonymous access links

Who can share outside your organization

  • [Checkbox] Let only users in selected security groups share with authenticated external users

Default link type

Choose the type of link that is created by default when users get links.

  • Direct – only people who have permission [Recommended, same as above]
  • Internal – people in the organization only
  • Anonymous Access – anyone with the link

Default link permission

Choose the default permission that is selected when users share. This applies to anonymous access, internal and direct links.

  • View [Recommended]
  • Edit

Additional settings (Checkboxes)

  • Limit external sharing using domains (applies to all future sharing invitations). Separate multiple domains with spaces.
  • Prevent external users from sharing files, folders, and sites that they don’t own [Recommended]
  • External users must accept sharing invitations using the same account that the invitations were sent to [Recommended]

Notifications (Checkboxes)

E-mail OneDrive for Business owners when

  • Other users invite additional external users to shared files [Recommended]
  • External users accept invitations to access files [Recommended]
  • An anonymous access link is created or changed [Recommended]

Sharing via the Site Collections option

In addition to the options above, sharing options for each SharePoint site are set in the ‘site collections’ section as follows. Note that the default is ‘no sharing allowed’. A conscious decision must be taken to allow sharing, and what type of sharing.


When a site collection name is checked, the following options are displayed.

Sharing outside your company

Control how users invite people outside your organisation to access content

  • Don’t allow sharing outside your organisation (default)
  • Allow sharing only with the external users that already exist in your organization’s directory
  • Allow external users who accept sharing invitations and sign in as authenticated users
  • Allow sharing with all external users, and by using anonymous access links

If anonymous access is not permitted (setting above), a message in red is displayed:

Anonymous access links aren’t allowed in your organization

SharePoint Sharing option

The SharePoint Admin Centre has an additional ‘Sharing’ section with the same settings as shown above for ODfB. It is expected that these multiple options will be merged in the new SharePoint Admin Centre due for release in late 2017.
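All of the tenant-level and site-collection settings walked through above (and the external sharing switch mentioned in the admin portal post earlier on this page) can be set and, more importantly, audited from the SharePoint Online Management Shell. The following is an added example, not code from the original post: it applies the [Recommended] choices as a tenant baseline, locks one site down, and then lists the sites and guest accounts a reviewer would want to look at. The tenant URL, domain list and site URL are illustrative.

```powershell
# Added example (not from the original post). Requires the SharePoint Online
# Management Shell. Tenant admin URL, domains and site URL are illustrative.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Tenant-wide baseline matching the [Recommended] options above.
# SharingCapability: Disabled | ExistingExternalUserSharingOnly |
#   ExternalUserSharingOnly (authenticated external users) |
#   ExternalUserAndGuestSharing (also anonymous links)
Set-SPOTenant `
    -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Direct `
    -DefaultLinkPermission View `
    -PreventExternalUsersFromResharing $true `
    -RequireAcceptingAccountMatchInvitedAccount $true `
    -NotifyOwnersWhenItemsReshared $true `
    -NotifyOwnersWhenInvitationsAccepted $true `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList 'partner.example law-firm.example'

# Per site: a site can be more restrictive than the tenant but never more
# permissive. Turn sharing off entirely for a sensitive site.
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/BoardPapers' -SharingCapability Disabled

# Check 1: every site where external sharing is not disabled, with its owner,
# as a review list for the records/security team.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability, Owner |
    Sort-Object SharingCapability, Url |
    Format-Table -AutoSize

# Check 2: guest accounts already in the directory. 'Only existing external
# users' still allows sharing with every one of these, so the list should be
# reviewed and stale accounts removed (Remove-SPOExternalUser).
Get-SPOExternalUser -PageSize 50 |
    Select-Object DisplayName, Email, AcceptedAs, WhenCreated, InvitedBy

# Check 3: confirm the tenant values actually applied.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    PreventExternalUsersFromResharing, RequireAcceptingAccountMatchInvitedAccount,
    SharingDomainRestrictionMode, SharingAllowedDomainList
```

Get-SPOExternalUser pages 50 at a time; use -Position to walk larger tenants. Check 1 is the one to schedule, since site owners can loosen a site’s setting up to the tenant ceiling without any admin involvement.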

Additional security controls

In addition to all the above settings, there are a range of additional controls available:

  • All user activities related to SPO and ODfB, including who accessed, viewed, edited, deleted, or shared files is accessible in the audit logs.
  • SPO and ODfB content may be picked up by Data Loss Prevention (DLP) policies and users prevented from sending them externally. This is of course subject to the DLP policies being able to identify the content correctly.
  • SPO and ODfB content may be subject to records retention policies set by preservation policies. These may impact on the ability to send documents externally.
  • SPO and ODfB content may be subject to an eDiscovery case.
  • Administrators can be notified when users perform specific activities in both SPO and ODfB.
  • Sharing (and access to the documents once shared) may be subject to security controls enforced through Microsoft Information Protection.

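The first and fifth points above (audit logs, and notifying administrators of specific activities) are only useful if someone actually queries the log for sharing events. The following is an added example, not code from the original post, that pulls the last week of SharePoint and OneDrive sharing operations from the unified audit log and flags those aimed at guest accounts or anonymous links. It assumes an Exchange Online PowerShell session (where Search-UnifiedAuditLog lives) and that auditing is enabled for the tenant; the date window is illustrative, and the AuditData field names used are those of the SharePoint sharing audit schema.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# PowerShell session and that unified audit logging is enabled. The 7-day
# window is illustrative.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Operations that create or exercise a sharing path beyond the original
# permission set. AuditData on each record is a JSON string.
$ops = 'SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated',
       'AnonymousLinkUsed', 'SecureLinkCreated', 'AddedToSecureLink'

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointSharingOperation -Operations $ops `
    -ResultSize 5000 -SessionCommand ReturnLargeSet |
    ForEach-Object { $_.AuditData | ConvertFrom-Json }

# External exposure: anything involving an anonymous link, or whose target is a
# guest account (TargetUserOrGroupType = 'Guest' in the sharing audit schema).
$external = $events | Where-Object {
    $_.Operation -like 'AnonymousLink*' -or $_.TargetUserOrGroupType -eq 'Guest'
}

# Detail view: who shared what, from which site, with whom.
$external |
    Select-Object CreationTime, Operation, UserId, SiteUrl, ObjectId, TargetUserOrGroupName |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize

# Summary per sharer, useful as a weekly review list and for spotting a single
# account that suddenly starts sharing large amounts of content.
$external | Group-Object UserId | Sort-Object Count -Descending |
    Select-Object Count, Name
```

For tenants that produce more than 5,000 sharing events in the window, add -SessionId and loop until Search-UnifiedAuditLog returns nothing; and note that audit records can lag the activity by some hours, so a daily query should overlap the previous one.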

In summary, the settings above allow an organisation to strongly control what can be shared. If sharing is allowed, certain additional controls determine whether the sharing is for internal users or for users external to the organisation. If the latter is chosen, there are further controls on what external users can do. Audit controls and policies may also control how users can share information externally.

The key takeaway is that organisations should ensure that the sharing options available in Office 365 are based on the organisation’s business requirements and security risk framework.