
Agile Insider Blog


Microsoft 365 Retention Policies Protect Valuable Data

Microsoft 365 end users work with substantial amounts of content on a daily basis. Due to legal and regulatory obligations, information may need to be preserved for a specific amount of time, or may need to be deleted after a specific time period. Microsoft retention policies provide the features needed to efficiently retain or delete information across SharePoint, Exchange, and Teams.

Reasons for Protecting Information

There are several reasons why administrators must ensure their company’s information can be easily restored.

  1. Compliance with industry and internal policies. For example, the Sarbanes-Oxley Act outlines standards for financial document record-keeping.
  2. Reduce the effects of a security breach. Set retention policies to permanently delete sensitive data at regular intervals to prevent it from falling into the wrong hands.
  3. Legal requirements. Legal holds are initiated upon notice from legal counsel and suspend normal disposition and processing of records in response to audits, litigation, or investigations.

Retention Policy Options

There are two options available to configure retention policies for content in Microsoft 365. The Retain Content option prevents permanent deletion and keeps the content available to locate via eDiscovery. Delete Content, however, permanently deletes the information in the environment.

The two options can be combined for other outcomes. Retain-only retains the content forever or for a specified length of time. Delete-only permanently deletes the content, or deletes it after a specified period of time. Lastly, Retain and then Delete retains the content for a specified time period and then permanently deletes it.

These options give administrators the flexibility to decide which data to save or delete, whether to apply a single policy to a single type of data or to the entire organization, and whether to apply a policy to selected data based on keywords or type.

How to Use Retention Policy Options

Retention policies can be set in Exchange and Exchange public folders, SharePoint, OneDrive accounts, Microsoft 365 Groups, Skype for Business, Teams channel messages and chat, and Yammer community and private messages.

There are two types of retention policies. Label policies publish retention labels that users apply to content. The retention policies themselves apply to all items in their locations, such as Exchange, SharePoint, Teams, etc. A single retention label can be included in more than one retention label policy.

A label can be published to individually selected locations or to all locations. Where the label is published determines where it can be applied. For example, if the label is published to admins and end-users, the policy can be applied to Exchange, SharePoint, OneDrive, and Microsoft 365 Groups. Other retention label policies and conditions can be found here.

Other considerations for applying retention labeling are as follows:

  • A single retention label can be applied manually to an email or document by the end-user or admin. They can also change or remove existing labels.
  • An existing label is not automatically removed or replaced by another label unless applied as a default.

Auto-Applied Label Policies

When multiple auto-applied label policies could apply a retention label to the same item, the label for the oldest auto-apply policy is applied.

Apply the retention policies in the following ways:

  1. Allow users to apply their own retention labels to their content in Outlook, OneDrive, SharePoint and 365 Groups, since they are most familiar with the content.
  2. Configure retention labels to be applied to content automatically to match specific conditions such as types of information, keywords, and pattern matches.
  3. Begin the retention period either when an event occurs, such as an employee leaving or a contract expiring, or when the content is created, such as when an email is sent.
  4. Configure default retention values for entire libraries and folders so that all items stored in them inherit the label.

Recommended and regulatory periods can vary widely, which is where retention policies come in handy. The following are some examples of time-sensitive content for which retention labels can be used effectively.

  • Retaining IRS tax forms and communications for the regulatory period of seven years.
  • The permanent deletion of any outdated press materials.
  • Retaining competitive research and subsequently deleting this information at pre-determined intervals.
  • Ensuring work visa information is never deleted or edited.

Retention Labels

Any of the above examples can have retention labels applied at the item level, i.e., document or email.

Microsoft’s records management solution supports retention labels for emails and documents within 365. As a result, items can be marked for retention as a record. This ensures that the content remaining in 365 as a record meets regulatory-level criteria. Of note, retention labels will no longer apply if the content is migrated outside of Microsoft 365. Additionally, a limit of 10K policies applies per tenant, which includes the policies that apply the labels as well as the retention policies themselves.

The Microsoft 365 compliance center shows how and where retention labels are used in the tenant. Select Data classification and then Overview. Additional details can be viewed by using the content explorer and activity explorer. Content search can be used to find items with a specific retention label after the label has been applied to the content. Simply choose the retention label condition and enter the complete retention label name or part of the name with a wildcard.

A comprehensive table to view and compare all capabilities for retention policies and labels can be reviewed here.

Retention Label Order Flow

If multiple retention settings will be applied to the same item, it is important to know their order of precedence. For example, if you mark one item with a policy for delete-only and another for retain and then delete, this results in two delete actions that could conflict. By following the flow of retention and deletion for a single item, this conflict can be avoided.

Retention Wins Over Deletion

Consider an item such as an email message that is covered by an Exchange retention policy that deletes items after three years and that also has a label configured to retain it for five years. In this case, the retention label takes precedence and the email is deleted at the end of the five-year period.

The Longest Retention Period Wins

If content is configured with multiple retention periods, it is retained using the setting with the longest period. For example, if SharePoint has a retention policy configured to hold all documents for five years, but a second policy for specific sites holds them for ten years, the content follows the ten-year retention policy.

Explicit Wins Over Implicit

The retention label applied to an individual item provides explicit retention, giving it priority over a retention policy’s delete action. Therefore, a document assigned two retention policies, for five and ten years, with a retention label of seven years, will follow the label’s explicit policy and delete after seven years.

The Shortest Deletion Period Wins

When a document has two retention policies, one for seven years and the other for ten years, the document will be deleted at seven years since that is the shorter of the two periods. However, items under eDiscovery holds cannot be deleted by any retention policy or label, since this falls under the first principle of retention.
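The four principles above, applied to the article's own examples, as an added Python sketch that is not part of the original article and is not a Microsoft API. Assumptions: all periods are whole years counted from the same start date, the `Setting` and `Outcome` names are hypothetical, and the five-, ten- and seven-year settings in the explicit-versus-implicit case are treated as delete actions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Setting:
    source: str                         # "label" (explicit) or "policy" (implicit)
    retain_years: Optional[int] = None  # retain action, if any
    delete_years: Optional[int] = None  # delete action, if any

@dataclass(frozen=True)
class Outcome:
    retained_for: Optional[int]   # years the item is kept; None = no retention
    deleted_after: Optional[int]  # years until deletion; None = never deleted

def resolve(settings, ediscovery_hold=False):
    """Apply the four precedence principles to one item's settings."""
    # Principle 2: the longest retention period wins.
    retains = [s.retain_years for s in settings if s.retain_years is not None]
    retained_for = max(retains) if retains else None

    # Principle 3: a label's delete action (explicit) beats policy deletes.
    label_deletes = [s.delete_years for s in settings
                     if s.source == "label" and s.delete_years is not None]
    policy_deletes = [s.delete_years for s in settings
                      if s.source == "policy" and s.delete_years is not None]
    if label_deletes:
        delete_at = label_deletes[0]     # assumption: one label per item
    elif policy_deletes:
        delete_at = min(policy_deletes)  # Principle 4: shortest deletion wins
    else:
        delete_at = None

    # Principle 1: retention wins over deletion, so a delete action waits
    # until retention has ended. An eDiscovery hold blocks deletion entirely.
    if ediscovery_hold:
        delete_at = None
    elif delete_at is not None and retained_for is not None:
        delete_at = max(delete_at, retained_for)
    return Outcome(retained_for, delete_at)

if __name__ == "__main__":
    # Constructed input mirroring the "Retention Wins Over Deletion" example.
    email = [Setting("policy", delete_years=3), Setting("label", retain_years=5)]
    print(resolve(email))
```

Running the same function with `ediscovery_hold=True` shows why a hold overrides every delete action: `deleted_after` stays `None` regardless of which policies or labels are present.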

To prevent users and administrators from turning off, deleting, or making policies less restrictive on material that follows regulatory guidelines, a preservation lock can be applied when the policy is created. Without this lock, policies can be deleted at any time. The items are retained for 30 days to prevent accidental data loss. The original status can be re-enabled within the 30-day period to resume the policy without affecting the data.

Conclusion

Microsoft 365 retention policies are an effective tool for protecting sensitive data from deletion. While they are not a replacement for a true backup and recovery solution, the policies can provide peace of mind that individual documents, files, and emails will be retained for the amount of time specified.

If you are looking for Microsoft 365 experts to help meet compliance requirements in your Microsoft 365 and Azure Environments, contact us to schedule a free consultation.
