Microsoft released its ‘Records Management’ solution for Microsoft 365 during 2020. The solution is only accessible to organisations with an E5 licence (or an E5 Security and Compliance licence).
Some of the retention-related options previously available to E3 licences, such as disposition review, are now only available with an E5 licence. However, for cost and other reasons, many organisations have decided to stay with E3 and asked if it is still possible to manage the retention of records.
According to its licensing guidance, ‘Microsoft 365 licence guidance for security and compliance’, E3/A3 (and E5/A5) licences provide the following ‘information governance’ capability:
- A basic organization-wide or location-wide Exchange mailbox retention policy and/or to manually apply a non-record retention labeling to mailbox data.
- A basic SharePoint or OneDrive retention policy and/or to manually apply a non-record retention label to files in SharePoint or OneDrive.
- A Teams retention policy.
This post describes how the retention of records could be managed with an E3 licence and recommends that organisations intending to deploy Microsoft’s retention policies (whether E3 or E5) develop a plan for their deployment based on a detailed understanding of the following:
- What records exist and where they are stored across the main Microsoft 365 workloads – Exchange Online (EXO) mailboxes, SharePoint Online (SPO) sites, Microsoft Teams (MS Teams), and OneDrive for Business (ODfB) accounts.
- What retention is required, including for EXO mailboxes and personal/ODfB accounts for which retention was previously ‘managed’ through backups, and MS Teams chats.
- What type of retention policy will apply to what workloads.
- How will disposition be managed (including of original storage locations, not just the records), and what evidence of destruction is required?
- How will any limitations and shortcomings be addressed to minimise legal risk?
Where are the records?
A good starting point with retention planning is to establish where the records that will be subject to retention policies are stored.
Most records are created and stored in one of the primary four workloads – Exchange Online (EXO) mailboxes, SharePoint Online (SPO) sites, Microsoft Teams (MS Teams), and OneDrive for Business (ODfB) accounts.
While SharePoint sites (including Teams-based sites and Teams channels) may be used to logically ‘group’ records (e.g., in a team site, a document library, or a channel), this is not the case for EXO mailboxes, ODfB accounts, and MS Teams 1:1 or private channel chats (a compliance copy of these chats is stored in the personal EXO mailboxes of the chat participants).
EXO mailboxes and ODfB accounts usually contain a range of records on different subjects, with different retention requirements. Personal chat messages could be about any subject.
For most of the past three decades, the requirement to keep specific emails or other records meant that end-users had to copy those records to another system, including an EDRMS or even SharePoint, or print and place them on a file. The ability to find old records depended more often than not on the ability to recover them from backup tapes, a process ironically often referred to as ‘archiving’.
Action: Organisations should establish a list of where records are stored in Microsoft 365 and how retention (including via backups) is currently managed.
What retention is required?
The next step in the process is to establish how long these records need to be kept.
Most of the time this will be based on an organisational records retention policy or schedule. These policies or schedules describe groups of records and how long they must be retained – for example, financial records generally must be retained for seven years. Specific types of financial records may require shorter or longer retention.
This model generally works well when records have been stored in logical groups (e.g., a whole SPO site/Team, or document library), but is more difficult to apply to individual records stored alongside other records in personal EXO mailboxes, ODfB accounts, SPO sites, or MS Teams chats. If records with longer retention requirements in these locations are not stored elsewhere, or cannot be specifically identified, all the records may have to be kept for the longest retention period.
The start of retention is usually based on a trigger action. Typically these are based on (a) date created, (b) date modified, or (c) date of last action. However, they may also be based on less specific events, for example: (a) 7 years after a contract has expired, (b) 25 years after an employee leaves, (c) when a child turns 21. These less specific events need special attention.
Action: Organisations should ‘map’ retention requirements to the locations where the records are stored. This process will likely involve a discussion regarding the replacement (or supplementation) of email backups with retention policies, and may end up looking something like the following:
| Records / location | Retention |
|---|---|
| EXO mailboxes of senior managers | 25 years |
| EXO mailboxes of all other employees | 7 years |
| MS Teams 1:1 chats of senior managers | 25 years |
| MS Teams 1:1 chats of all other employees | 7 years |
| MS Teams private channel chats | As per retention policies |
| ODfB accounts of senior managers | 10 years |
| ODfB accounts of all other employees | 7 years |
| SPO sites that are not subject to more specific policies | 7 years |
| Microsoft 365 Groups (includes mailbox and SPO site) | As per retention policies |
| SPO sites with specific retention requirements, per site or library | As per retention policies |
What are the retention options with an E3 licence?
The three main options available with an E3 licence – labels, label policies, and retention policies – are all set from the Compliance admin portal under the ‘Information Governance’ section.
The table below summarises the options:
| Type of policy | Can be used for |
|---|---|
| ‘Implicit’, ‘safety net’ retention policies. These policies: (a) work in the back end and cannot be changed by an end-user; (b) create a preservation hold library in SPO sites and ODfB accounts, and hold deleted emails in a hidden EXO mailbox folder; (c) provide an alternative to back-ups, although it should be kept in mind that all content retained in this way contributes to the overall storage quota; (d) do not retain a record of what was destroyed. | EXO, SPO, MS Teams, ODfB |
| ‘Explicit’ label-based retention policies. Labels must be published to the required workloads before they become visible. Records cannot be deleted once a label has been applied, but end-users can change or remove the label and then delete the record. Label-based policies do not retain a record of what was destroyed. | EXO, SPO, ODfB |
| ‘Explicit’ label-based retention policies that are auto-applied based on three limited options (see below). Records cannot be deleted once a label has been applied. These policies do not retain a record of what was destroyed. | EXO, SPO, ODfB |
The three auto-apply options are as follows:
- Apply label to content that contains sensitive information. Unlikely to be used as retention is never based on sensitivity.
- Apply label to content that contains specific words or phrases, or properties. Possibly useful. Recommend that organisations do a Content Search first to see what records may exist.
- Apply label to content that matches a trainable classifier. E3 licences provide six limited out-of-the-box classification options, including ‘profanity’. These are unlikely to be of any value.
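The label-based options above (an explicit label, a label policy that publishes it to a workload, and an auto-apply policy using the ‘specific words or phrases’ option) can all be scripted from Security & Compliance PowerShell. The following is an added example, not code from the original post or from Microsoft; the label name, site URL, admin account and KQL query are placeholders chosen for illustration, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not from the original post): an explicit retention label, published to
# one SPO site for manual use and also auto-applied by a content query.
# Label name, site URL, admin UPN and query are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # Security & Compliance PowerShell

$labelName = "Contracts-10y"                                     # placeholder
$siteUrl   = "https://contoso.sharepoint.com/sites/Contracts"    # placeholder

# 1. Create the (non-record) label: keep 10 years from creation, then delete.
#    RetentionDuration is in days; 3650 is how the portal counts 10 years.
New-ComplianceTag -Name $labelName `
    -Comment "Contract files: retain 10 years from creation, then delete" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 3650 `
    -RetentionType CreationAgeInDays

# 2. Publish the label to one site so end-users can apply it manually.
#    A label policy is a retention policy whose rule publishes the label.
#    As the post notes, users with edit access can still change or remove a published label.
New-RetentionCompliancePolicy -Name "Publish $labelName" -SharePointLocation $siteUrl -Enabled $true
New-RetentionComplianceRule -Name "Publish $labelName rule" -Policy "Publish $labelName" `
    -PublishComplianceTag $labelName

# 3. Auto-apply the same label to content matching specific words or phrases (a KQL query).
#    Run a Content Search with the same query first to see what the policy would catch.
$query = '"master services agreement" OR "statement of work"'   # placeholder query
New-RetentionCompliancePolicy -Name "AutoApply $labelName" `
    -SharePointLocation $siteUrl -ExchangeLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "AutoApply $labelName rule" -Policy "AutoApply $labelName" `
    -ApplyComplianceTag $labelName -ContentMatchQuery $query

# 4. Verify what was created and whether the policies have been distributed.
Get-ComplianceTag -Identity $labelName |
    Select-Object Name, RetentionAction, RetentionDuration, RetentionType
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.Name -like "*$labelName*" } |
    Select-Object Name, Enabled, DistributionStatus
```

The auto-apply policy is deliberately given a retention period longer than the safety-net period so that labelled records are not deleted earlier by the broader policy, which matches the ordering recommended later in the post.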
Mapping the E3 options
Given the options available, the following is a suggested mapping of records, retention and policy options:
| Records / location | Retention | E3 policy option |
|---|---|---|
| EXO mailboxes of senior managers | 25 years | Retention policy, plus possibly labels auto-applied to specific records |
| EXO mailboxes of all other employees | 7 years | Retention policy, plus possibly labels auto-applied to specific records |
| MS Teams 1:1 chats of senior managers | 25 years | Retention policy |
| MS Teams 1:1 chats of all other employees | 7 years | Retention policy |
| MS Teams private channel chats | As per retention policies | Retention policy |
| ODfB accounts of senior managers | 10 years | Retention policy, plus possibly labels auto-applied to specific records |
| ODfB accounts of all other employees | 7 years | Retention policy, plus possibly labels auto-applied to specific records |
| SPO sites that are not subject to more specific policies | 7 years | Retention policy |
| Microsoft 365 Groups (includes mailbox and SPO site) | As per retention policies | Retention policy |
| SPO sites with specific retention requirements, per site or library | As per retention policies | Retention policy (safety net) plus label-based retention policy for specific records |
Organisations planning to deploy retention policies should be aware of the limits on custom policies described on the Microsoft page ‘Create and configure retention policies’. Policies that apply to an entire workload (e.g., all EXO mailboxes) have no such limits; a policy that specifies individual locations is limited to:
- 1,000 mailboxes
- 1,000 Microsoft 365 groups
- 1,000 users for Teams private chats
- 100 sites (OneDrive or SharePoint)
The page also notes that ‘There is also a maximum number of policies that are supported for a tenant: 10,000. However, for Exchange Online, the maximum number is 1,800. The maximum number includes retention policies, retention label policies, and auto-apply retention policies.’
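The ‘safety net’ half of the mapping above, together with a check against the location and policy limits just quoted, can be scripted in Security & Compliance PowerShell. This is an added example, not code from the original post or from Microsoft; the senior manager addresses and admin account are placeholders, and it assumes the ExchangeOnlineManagement module is installed. Where two retention policies cover the same mailbox, Microsoft 365 retains for the longer period, which is what lets an org-wide 7-year policy and a scoped 25-year policy coexist.

```powershell
# Added example (not from the original post): the 'safety net' retention policies from the
# mapping table, plus a check against the per-policy location limits and tenant policy
# counts quoted from Microsoft's page. Mailbox addresses and admin UPN are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"

$sevenYears      = 2555   # days, as Microsoft counts 7 years
$twentyFiveYears = 9125   # days, 25 years
$seniorManagers  = @("ceo@contoso.example", "cfo@contoso.example")   # placeholder list

# Helper: one policy plus its single retention rule. $Locations is splatted into
# New-RetentionCompliancePolicy (e.g. @{ ExchangeLocation = "All" }).
function New-SafetyNetPolicy {
    param(
        [string]$Name,
        [int]$Days,
        [hashtable]$Locations,
        [string]$ExpireFrom = "ModificationAgeInDays"   # "" = omit (Teams counts from message creation)
    )
    New-RetentionCompliancePolicy -Name $Name -Enabled $true @Locations | Out-Null
    $rule = @{
        Name                      = "$Name rule"
        Policy                    = $Name
        RetentionComplianceAction = "KeepAndDelete"
        RetentionDuration         = $Days
    }
    if ($ExpireFrom) { $rule.ExpirationDateOption = $ExpireFrom }
    New-RetentionComplianceRule @rule | Out-Null
}

# EXO: org-wide 7 years, plus 25 years scoped to senior managers (longest retention wins).
New-SafetyNetPolicy -Name "EXO all staff 7y"        -Days $sevenYears      -Locations @{ ExchangeLocation = "All" }
New-SafetyNetPolicy -Name "EXO senior managers 25y" -Days $twentyFiveYears -Locations @{ ExchangeLocation = $seniorManagers }
# ODfB accounts, general SPO sites, and Microsoft 365 Groups (group mailbox + site).
New-SafetyNetPolicy -Name "ODfB all staff 7y" -Days $sevenYears -Locations @{ OneDriveLocation = "All" }
New-SafetyNetPolicy -Name "SPO general 7y"    -Days $sevenYears -Locations @{ SharePointLocation = "All" }
New-SafetyNetPolicy -Name "M365 Groups 7y"    -Days $sevenYears -Locations @{ ModernGroupLocation = "All" }
# Teams chats must be a separate policy; Teams locations cannot share a policy with other workloads.
New-SafetyNetPolicy -Name "Teams chats 7y" -Days $sevenYears -Locations @{ TeamsChatLocation = "All" } -ExpireFrom ""

# Check scoped policies against the limits on the page: 1,000 mailboxes, 1,000 groups, 100 sites.
# An org-wide "All" location is a single entry, so only enumerated locations can exceed a limit.
$limits = @{ ExchangeLocation = 1000; ModernGroupLocation = 1000; SharePointLocation = 100; OneDriveLocation = 100 }
$policies = Get-RetentionCompliancePolicy -DistributionDetail
foreach ($p in $policies) {
    foreach ($loc in $limits.Keys) {
        $count = @($p.$loc).Count
        if ($count -gt $limits[$loc]) {
            Write-Warning ("{0}: {1} lists {2} locations, above the {3} limit" -f $p.Name, $loc, $count, $limits[$loc])
        }
    }
}
$policies | Select-Object Name, Enabled, DistributionStatus
# Tenant-wide counts against the 10,000 (all) and 1,800 (Exchange) maximums quoted above.
$exoCount = @($policies | Where-Object { @($_.ExchangeLocation).Count -gt 0 }).Count
"Policies: {0} of 10,000; with an Exchange location: {1} of 1,800" -f $policies.Count, $exoCount
```

The ODfB split between senior managers (10 years) and other employees would follow the same pattern as the EXO pair, with OneDrive site URLs in place of mailbox addresses.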
How will disposition be managed?
Microsoft 365 retention policies retain records for a specified period and usually then delete the records automatically. No record is retained of what was deleted. Even with an E5 licence, only limited metadata is retained and only on those records subject to disposition review.
Organisations deploying retention policies with an E3 licence need to understand the potential risks associated with being unable to provide evidence of what was destroyed.
There are at least two ways to approach this point, but in all cases the approach and options must be legally defensible:
- Ensure that organisational policies clearly indicate what records will be destroyed without any record being kept. For example, with certain exceptions, most emails, Teams chats, SPO sites and the content of ODfB accounts will only be kept for 7 years and then destroyed.
- Establish a process to ensure that a record is kept of specific records that have been destroyed. For example, the metadata of records, due for disposal and stored in document libraries in specific SPO sites, will be captured (and stored separately) before the records are destroyed, and then the document library will be deleted. This is a labour-intensive process and may only be used on some sites.
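The second approach, capturing the metadata of a document library's records before the library is destroyed, can be partly automated with PnP PowerShell. The following is an added example, not the original post's or Microsoft's code; the site URL, library name and output folder are placeholders, it assumes the PnP.PowerShell module is installed, and it assumes the output folder is a location outside the site being destroyed that will itself be retained.

```powershell
# Added example (not from the original post): capture a disposal record of a library's
# items, and a hash of that record, before the library is deleted. Placeholders: site URL,
# library name and output folder (which must be retained separately from the site).
Import-Module PnP.PowerShell
$siteUrl = "https://contoso.sharepoint.com/sites/Contracts"   # placeholder
$library = "Documents"                                         # placeholder
$outDir  = "C:\RecordsDisposal"                                # placeholder, retained separately
Connect-PnPOnline -Url $siteUrl -Interactive

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$csv   = Join-Path $outDir "disposal-$stamp.csv"

# Pull every item with the metadata worth keeping as evidence of what existed.
# _ComplianceTag holds the retention label name and is empty on unlabelled items.
$fields = "FileLeafRef", "FileRef", "Created", "Modified", "Author", "Editor", "_ComplianceTag"
$items  = Get-PnPListItem -List $library -PageSize 500 -Fields $fields
$records = foreach ($i in $items) {
    [pscustomobject]@{
        Site        = $siteUrl
        Library     = $library
        ItemId      = $i.Id
        Name        = $i["FileLeafRef"]
        Path        = $i["FileRef"]
        Created     = $i["Created"]
        Modified    = $i["Modified"]
        CreatedBy   = $i["Author"].LookupValue
        ModifiedBy  = $i["Editor"].LookupValue
        Label       = $i["_ComplianceTag"]
        CapturedUtc = (Get-Date).ToUniversalTime().ToString("o")
    }
}
$records | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# Hash the export so it can later be shown that the disposal list was not altered after capture.
$hash = Get-FileHash -Path $csv -Algorithm SHA256
"$($hash.Hash)  $(Split-Path $csv -Leaf)" | Out-File -FilePath "$csv.sha256" -Encoding ascii
"Captured {0} items from {1}/{2}; SHA-256 {3}" -f @($records).Count, $siteUrl, $library, $hash.Hash

# Deleting the library is a separate, approved step taken only once the disposal record is
# stored outside the site, for example: Remove-PnPList -Identity $library -Recycle
```

Keeping the CSV and its hash file together in the separate store gives a records manager both the list of what was destroyed and a way to show the list is unchanged, which is the evidence the safety-net and label policies do not produce on their own.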
Addressing E3 licence limitations and shortcomings
The limitations of E3 licence retention policies (and also E5 licences from an evidentiary point of view) should not put organisations off using the out of the box options or cause them to acquire third-party products.
The retention options available in Microsoft 365 now provide functionality that assists recordkeeping compliance, for example the ability to apply ‘back end, safety net’ retention policies to EXO mailboxes, MS Teams chats, ODfB accounts and whole SPO sites. Coupled with the ability to locate all records, including ‘deleted’ records via Content Search, this should be a boon to records managers and also to IT (saving the latter from having to recover records from backup tapes).
On the other hand, deploying the options can be complex and requires good planning and governance documentation. The lack of good governance can lead to the inadvertent loss of records as KPMG found in August 2020 (‘IT blunder permanently erases 145,000 users’ personal chats in KPMG’s MS Teams deployment‘).
Once retention policies have been deployed, the next most complex task may be the disposition approval and destruction process for those records for which a formal disposition review and approval process is required, including the requirement to establish a list of records to be destroyed.
As noted above, even the E5 licence options for disposition review and ‘proof of disposition’ are inadequate in terms of the metadata that is presented and retained. Until Microsoft provides the ability to record the metadata of every record that is due for disposal and/or destroyed, based on ANY type of retention policy, this process will continue to be a manual task for records managers.
Organisations may consider acquiring a limited number of E5 Security and Compliance licences to gain access to the E5 ‘Records Management’ capability and its other options, including File Plan, auto-classification options, and Disposition Review. However, aside from these options (and the ability to auto-apply labels more broadly), E5 may not add much more capability to the options already available with an E3 licence.
Summarising the options
Based on the above details, organisations with E3 licences might do the following:
- Create several ‘safety net’ retention policies for EXO mailboxes, ODfB accounts, MS Teams chats and general SPO sites. EXO/ODfB retention policies may be (a) based on current back-up periods and (b) split into ‘senior’ and all other employees. They may also create policies for Microsoft 365 Groups, which will cover the Group’s EXO mailbox and SPO site. Some of these policies may map to existing retention classes in the records retention schedules, but others, such as the EXO, ODfB and MS Teams policies, may need to be added.
- Create label-based retention policies for content stored in specific SPO sites where more granular retention policies are required per library. However, keep in mind these can be changed or removed by end-users with add/edit access. Generally it is not recommended to apply label-based policies to EXO or ODfB unless end-users will apply these accurately and consistently.
- Auto-apply some labels to specific content stored in SPO, EXO and ODfB (having identified that these records exist first via a Content Search). These labels should have a retention period that is longer than the safety net policy or any other label-based policy.
- Establish a ‘manual’ disposition review process for records that are subject to label-based retention policies.