
Microsoft 365 Retention Policies Protect Valuable Data

Published on Jun 1, 2021

Microsoft 365 end users work with substantial amounts of content on a daily basis. Due to legal and regulatory obligations, information may need to be preserved for a specific amount of time, or may need to be deleted after a specific time period. Microsoft retention policies provide the features needed to efficiently retain or delete information across SharePoint, Exchange, and Teams.

Reasons for Protecting Information

There are several reasons why administrators must ensure their company’s information can be easily restored.

  1. Compliance with industry and internal policies. For example, the Sarbanes-Oxley Act outlines standards for financial document record-keeping.
  2. Reduce the effects of a security breach. Set retention policies to permanently delete sensitive data at regular intervals to prevent it from falling into the wrong hands.
  3. Legal requirements. Legal holds are initiated upon notice from legal counsel and suspend normal disposition and processing of records in response to audits, litigation, or investigations.

Retention Policy Options

There are two options available to configure retention policies for content in Microsoft 365. The Retain Content option prevents permanent deletion and keeps the content available to locate via eDiscovery. Delete Content, however, permanently deletes the information in the environment.

The two options can be combined to produce other outcomes. Retain-only retains the content forever or for a specified length of time. Delete-only permanently deletes the content or deletes it after a specified period of time. Lastly, Retain and then Delete retains the content for a specified time period and then permanently deletes it.

These options give administrators the flexibility to decide which data to save or delete, whether to apply a single policy to a single type of data or to the entire organization, and whether to apply a policy to selected data based on keywords or type.

How to Use Retention Policy Options

Retention policies can be set in Exchange and Exchange public folders, SharePoint, OneDrive accounts, Microsoft 365 Groups, Skype for Business, Teams channel messages and chat, and Yammer community and private messages.

There are two types of retention policies. Label policies publish retention labels that users apply to content. Retention policies themselves apply to all items in their locations, such as Exchange, SharePoint, and Teams. A single retention label can be included in more than one retention label policy.

A label can be published to individually selected locations or to all locations. Where the label is published determines where it can be applied. For example, if the label is published to admins and end users, the policy can be applied to Exchange, SharePoint, OneDrive, and Microsoft 365 Groups. Other retention label policies and conditions can be found here.

Other considerations for applying retention labeling are as follows:

  • A single retention label is applied manually to an email or document by the end user or admin. They can also change or remove existing labels.
  • An existing label is not automatically removed or replaced by another label unless applied as a default.

Auto-Applied Label Policies

In the instance that multiple auto-applied label policies can apply a retention label, the label for the oldest auto-apply policy will be applied.

Apply the retention policies in the following ways:

  1. Allow users to apply their own retention labels to their content in Outlook, OneDrive, SharePoint and 365 Groups, since they are most familiar with the content.
  2. Configure retention labels to be applied to content automatically to match specific conditions such as types of information, keywords, and pattern matches.
  3. Begin the retention period either when an event occurs, such as an employee leaving or a contract expiring, or when the content is created, such as sending an email.
  4. Configure default retention values for entire libraries and folders so that all items stored in them inherit the label.

Recommended and regulatory periods can vary widely, which is where retention policies come in handy. The following are some examples of time-sensitive content for which retention labels can be used effectively.

  • Retaining IRS tax forms and communications for the regulatory period of seven years.
  • The permanent deletion of any outdated press materials.
  • Retaining competitive research and subsequently deleting this information at pre-determined intervals.
  • Ensuring work visa information is never deleted or edited.

Retention Labels

Any of the above examples can have retention labels applied at the item level, i.e., document or email.

Microsoft’s records management solution supports retention labels for emails and documents within 365. As a result, items can be marked for retention as a record. This ensures that the content remaining in 365 as a record meets regulatory-level criteria. Of note, retention labels will no longer apply if the content is migrated outside of Microsoft 365. Additionally, a limit of 10K policies applies per tenant, which includes the policies that apply the labels as well as the retention policies themselves.

The Microsoft 365 compliance center shows how and where retention labels are used in the tenant. Select Data classification and then Overview. Additional details can be viewed by using the content explorer and activity explorer. Content search can be used to find items with a specific retention label after the label has been applied to the content. Simply choose the retention label condition and enter the complete retention label name or part of the name with a wildcard.

A comprehensive table to view and compare all capabilities for retention policies and labels can be reviewed here.

Retention Label Order Flow

If multiple retention settings are applied to the same item, it is important to know their order of precedence. For example, if one item is marked with a delete-only policy and also with a retain-and-then-delete policy, the result is two delete actions that could conflict. By following the flow of retention and deletion for a single item, this conflict can be avoided.

Retention Wins Over Deletion

Suppose an email message is covered by an Exchange retention policy that deletes items after three years, and it also has a label configured to retain it for five years. In this case, the retention label takes precedence and the email is deleted at the end of the five-year period.

The Longest Retention Period Wins

If content is subject to multiple retention periods, it is retained using the setting with the longest period. For example, if a SharePoint retention policy holds all documents for five years, but a second policy for specific sites holds them for ten years, documents on those sites follow the ten-year retention policy.

Explicit Wins Over Implicit

The retention label applied to an individual item provides explicit retention, giving it priority over a retention policy’s delete action. Therefore, a document assigned two retention policies, for five and ten years, with a retention label of seven years, will follow the label’s explicit policy and delete after seven years.

The Shortest Deletion Period Wins

When a document has two retention policies, one for seven years and the other for ten years, the document will be deleted at seven years since that is the shorter of the two periods. However, items under eDiscovery holds cannot be deleted by any retention policy or label, since this falls under the first principle of retention.

To prevent users and administrators from turning off, deleting, or making policies less restrictive on material that follows regulatory guidelines, a preservation lock can be applied when the policy is created. Without this lock, policies can be deleted at any time. The items are retained for 30 days to prevent accidental data loss. The original status can be re-enabled within the 30-day period to resume the policy without affecting the data.
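
The four precedence rules above, worked as an added Python example (not code from the original article or from Microsoft). It is a simplified model: periods are whole years counted from the same start date, `Setting` and `resolve` are hypothetical names, and the policies in the "explicit wins over implicit" case are assumed to carry delete actions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Setting:
    """One retention setting on an item (hypothetical model, not a Microsoft API)."""
    source: str                          # "policy" (implicit) or "label" (explicit)
    retain_years: Optional[int] = None   # retain action, None if absent
    delete_years: Optional[int] = None   # delete action, None if absent


def resolve(settings: Iterable[Setting], ediscovery_hold: bool = False) -> dict:
    """Return the effective retain and delete periods, in years, for one item."""
    settings = list(settings)
    for s in settings:
        if s.source not in ("policy", "label"):
            raise ValueError(f"unknown source: {s.source!r}")
    if sum(s.source == "label" for s in settings) > 1:
        raise ValueError("an item carries at most one retention label")

    # The longest retention period wins, whichever setting it comes from.
    retain = max((s.retain_years for s in settings
                  if s.retain_years is not None), default=None)

    # Explicit wins over implicit: a label's delete action beats policy deletes.
    label_delete = [s.delete_years for s in settings
                    if s.source == "label" and s.delete_years is not None]
    policy_delete = [s.delete_years for s in settings
                     if s.source == "policy" and s.delete_years is not None]
    if label_delete:
        delete = label_delete[0]
    else:
        # The shortest deletion period wins among the remaining policies.
        delete = min(policy_delete, default=None)

    # Retention wins over deletion: a hold blocks deletion entirely, and a
    # retain period postpones any earlier delete until retention has ended.
    if ediscovery_hold:
        delete = None
    elif delete is not None and retain is not None:
        delete = max(delete, retain)
    return {"retain_years": retain, "delete_years": delete, "held": ediscovery_hold}
```

Running the article's own scenarios through `resolve` gives deletion at five, none (retain ten), seven, and seven years respectively, and no deletion for any item under hold.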

Conclusion

Microsoft 365 retention policies are an effective tool for protecting sensitive data from deletion. While they are not a replacement for a true backup and recovery solution, the policies can provide peace of mind that individual documents, files, and emails will be retained for the amount of time specified.

If you are looking for Microsoft 365 experts to help meet compliance requirements in your Microsoft 365 and Azure Environments, contact us to schedule a free consultation.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.
