O365 Policy Options for Information Governance

Reading Time: 4 minutes

I’m currently working with organizations starting to roll out O365 Groups. While they all want to reap the benefits of collaboration in this digital workplace, organizations can’t compromise the security, compliance and protection of corporate assets while doing it. As O365 adoption specialists I believe the value-add we can bring to an organization is to help them make sense of the options available and provide guidance on which compliance features to enable at the right time in order to provide the protection they need.

With that in mind, I set out to document the options available for preservation, retention and destruction of information assets in O365 as of December 2016. I also want to identify which ones will currently work with O365 Groups and which ones are on the Roadmap. The options available span both the Security and Compliance Center and SharePoint directly.

This post will cover these features:

  • Preservation Policy
  • Deletion Policy
  • Information Management Policy
  • Group Site Classification
  • Site Policy

For each feature I’ll provide the following:

  • an example of a business request requiring you to implement the feature
  • where it’s defined
  • reference link
  • whether it works on a standard SharePoint Site
  • whether it works on a O365 Group Site and if it’s on the Roadmap

Preservation Policy

REQUEST: “Preserve content from the Sales Department mailboxes and sites for a specific customer for 2 years.”

To comply with industry regulations or internal policies, organizations want to preserve content for a certain period of time. With a preservation policy in Office 365, you can preserve content in sites, mailboxes, and public folders indefinitely or for a specific duration.

  • Defined in: Security and Compliance Center
  • Link: Overview of Preservation Policy
  • Works against SharePoint site templates: Yes
  • Works against O365 Group sites: Maybe? On First Release, I successfully added a preservation policy on a Group site. It correctly stored the changes in the Preservation Hold list, however it is still listed on the O365 Roadmap as “under development”.
o365-group-preservation-and-deletion-policy-roadmap-in-dev-and-testing
O365 Roadmap “Under Development”

Deletion Policy

REQUEST: “Delete documents from user’s OneDrive for Business if it hasn’t been modified for 5 years.”

Document deletion policies don’t replace records management or information management policies, which work best with structured data and content types. Instead, you should use document deletion policies when you need to broadly manage the automatic deletion of unstructured data such as OneDrive for Business sites and team sites.

  • Defined in: Document Deletion Policy Center
  • Link: Overview of Document Deletion Policy
  • Works against SharePoint site templates: Yes
  • Works against O365 Group sites: Maybe? On First Release, I was able to add a Deletion Policy to a Group Site, however feature is still showing on O365 Roadmap as “Under Development”
o365-group-preservation-and-deletion-policy-roadmap-in-dev-and-testing
O365 Roadmap “Under Development”

Information Management Policy

REQUEST: “Move a document to an archive location when its completion date has been reached.”

An information management policy is a set of rules for a type of content. In SharePoint Online, information management policies enable organizations to control and track things like how long content is retained or what actions users can take with that content. Information management policies can help organizations comply with legal or governmental regulations, or they can simply enforce internal business processes. Predefined policies include retention, auditing, barcodes, and labels.

  • Defined in: Site Collection/Content Type/Library/List/Folder
  • Link: Information Management Policy
  • Works against SharePoint site templates: Yes
  • Works against O365 Group sites: No, see Group Site Classification section below that will allow you to set an Information Management policy.

Group Site Classification

REQUEST: “Classify a Group as confidential to allow an information management policy to be applied to all files within its site.”

You can now apply a custom label to a SharePoint site and its associated O365 group during provisioning. This label will appear in the header of the site and group pages and serves as a reminder to users how they should use and share information on the site. In addition, you can programmatically access this site classification so you can apply additional security policies if required. In the future, we will be given the ability to link O365 information policies directly to site classification without the need for code.

  • Defined in: Group creation endpoints
  • Link: Group Site Classification Feature
  • Works against SharePoint site templates: N/A
  • Works against O365 Group sites: Coming soon – not yet in First Release
groupsiteclassificationroadmap
O365 Roadmap “Launched, but working on”

Site Policy

REQUEST: “Delete a site 1 year after its closed.”

You can use site policies to help control site proliferation. In SharePoint Online, a site policy defines the lifecycle of a site by specifying when the site will be closed and when it will be deleted.

  • Defined in: Root site of a site collection and then available in all sites under it
  • Link: Site Closure Policy
  • Works against SharePoint site templates: Yes
  • Works against O365 Group sites: No. Although the site collection feature is visible and you can activate it, it causes issues on the site when you close the site and mark as read-only (throws exception when browsing to the homepage of the site).

I’m anticipating the changes rolling out for O365 Groups in the coming months and how these features will integrate with them.

Organizations want this.

Thanks for reading.

-JCK

2 comments

  1. This is is an excellent article which helps enormously to understand what the governance policy options and limitations are in O365 and groups.
    Very helpful indeed.
    Thanks!

  2. I know this article is a bit older, but do you have any experience with retention that deletes an entire site collection? We have sites that all have a generic quality, and we want a default retention cyclus if no specific label is attached to the site or items in the site. We’re wanting to 1) check which sites haven’t been modified in a year; 2) after a check with the owner, to make the site read only voor seven years and then delete it after a final check at the end of the seven years.

    I’m wondering whether a modification to the site Policy (trigger is not closure date but “read only” date) might be possible and workable. But maybe I’m thinking zigzags when there’s a much simpler way…

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.