Blog Post: 2 minute read.
Today I had the opportunity to try out the new label feature in the Office 365 Security & Compliance center for classifying data. This is not to be confused with labels you can apply in Azure Information Protection (AIP) as I’ve previously blogged about (AIP Labels: Keep it Simple). The retention labels I’m discussing in this post can be applied across Exchange, OneDrive, SharePoint and Office 365 Groups and retention can be applied based on this classification.
Check out this article by Microsoft explaining this feature: Overview of Labels.
Labels are configured in the Classifications section in the Security & Compliance Center in O365. First you add labels(1) and then you publish them as policies(2). This makes them available to apply to content. Below are 4 label policies I’ve defined in my tenant to cover different content and retention scenarios:
I’m a SharePoint gal from a ways back and I’m familiar with the traditional retention options available in SharePoint so I set out to discover how this new technique worked. Microsoft’s guidance is to start using these labels rather than In place records management and Record Centers for retention and Information Management Policies for deletion so I wanted to start thinking about how labels may affect the setup of libraries, sites, and even content types in SharePoint in the future.
First off, I really like the approach Microsoft is taking with data governance and retention in general. With the proliferation of content strewn across Outlook, OneDrive, SharePoint and now Office 365 Groups, we need a way to encompass all of these services when applying governance. I’ve talked about this numerous times before both in previous blog posts as well as presentations I’ve given. The inability to manage content across all services in the new collaboration world is very concerning for Information Management (IM) teams in most organizations.
Organizations need to empower employees to reap the benefits of new collaboration tools in the digital workplace, but they can’t compromise the security, compliance and protection of corporate assets while doing it.
Ideally we want to be able to govern retention across all O365 services using one classification scheme. This is where labels come into the picture…
For example, if you want to retain any content relating to Contracts across your organization, this would include not only documents sitting in a SharePoint document library (both in and outside of an O365 Group), but also emails sent back and forth with the contract vendor. Ideally, we should be able to classify content from all places consistently (by one standard label) and have the same retention apply to all.
Traditionally I would have defined an Information Management Policy within SharePoint to apply a retention for Contracts either at a content type or document library level, however this is not an option in an O365 Group’s site and wouldn’t have applied to emails related to those contracts. (A separate policy would have had to be set up for email retention)
This can now be accomplished with the new labels feature. We would add a “Contracts” label in the Security & Compliance Center and publish a policy to include the label to the entire tenant. Once published, it will be made available for end-users to apply to their content in Outlook, SharePoint, OneDrive and even an O365 Group.
When you publish a label to a policy you can target either the entire tenant or a specific SharePoint site. Please note that this is a site collection and not a web.
Exchange public folders and Skype do not support labels.
Optionally, you can also set a default label for a document library if, for instance, you had a library containing a specific type of content with a specific retention. This could also be done in our “Contracts” example if there was a document library that housed all of an organization’s contracts. Once the default label has been set, you can optionally apply the label to existing items in the library. You do this in Library settings by selecting the ‘Apply a label to items in this library’ option. In this example, I’ve published a “Litigation” policy to retain for 10 years from the time the item was labeled.
This does have limitations if you want to store content with different retention in the same library. Options?
- don’t store content with different retention in the same library OR
- since the label is only a default, it can be changed to a different label for any document if required.
The takeaway from this is there is still work to be done to appropriately plan your environments to take advantage of the new label feature.
What does the end-user see?
All published policies will be available to the end-user and will allow them to apply a label to their content if the label has been published to that location. To apply a label, you will see it as an option in the Document Details pane when you select a document in SharePoint. All label policies published to this site collection will appear in the drop-down. In this example shown, I’ve published 2 policies: 1 for Contracts and another for Budget. In Outlook, you right-click the item, select Assign policy and select the appropriate label.
Soon, you will be able to auto-apply a label based on managed properties marked as ‘searchable’ in the SharePoint search schema. This will be very helpful for targeting specific types of content in SharePoint you want to apply a specific label to. I look forward to seeing how this functions for environments making heavy use of content types and managed properties to drive different retention.
User Education is still key!
One thing I’m realizing about applying labels is user education is key. Similar to the application of AIP labels I discuss in my recent post, it is crucial for end-users to understand their role in the compliance picture in your organization. Although there can be controls put in place to auto-apply labels and I’m confident those features will become more sophisticated over time, it is still important for end-users to understand your organization’s classification scheme and how the data they’re working with fits into it. They can help ensure it is labeled correctly to drive compliance from the ground up.
I like what I’m seeing in this new wave of features for security and compliance across the O365 services and look forward to more capabilities being introduced in the coming months.
Thanks for reading,
Hi Joanne… I do like the direction Office 365 label policies are headed but I still find the implementation is in its infancy. This issue with this approach is asking business users to become records managers; there is a lot of room for inconsistencies and errors. Department or business unit level records custodians is still a must.
I’m looking forward to the advancement of MDM tools that dive deeper into specific content and aid with correctly labeling content. Some of these tools are available today but are 3rd Party.
Hi Bob, I completely agree. It all comes down to the end-user working with the content. This is why its so important for the automated controls to help out with that. I suspect these will become more advanced over time. It has a ways to go before the Information Management teams I work with (particularly in regulated industries) are satisfied with the capabilities. I do think the approach Microsoft is taking is spot on though. (Unified across all O365 services)
Thanks for the comment!
DO you know if, when using labels to declare Records, once the Record reaches the end of it’s retention period and is subject to disposition rules,does SharePoint leave a stub?
Hi Richard, I have not tested this out to see what happens when a record reaches its disposition period. I definitely will and will update the post. Thanks, Joanne
HI Joanne, how weird. I was looking for information on o365 labels and came across your site, which was very informative. After i noticed the tweets from Brussels and thought cookies… i am based in Brussels.Then i realised you are here. Hope you enjoy(ed) the best of Brussels.
Back to my question, I know its not its purpose but is it possible to use labelling as a form of meta-tagging?
I loved Brussels! I enjoyed Sunday touring around and I’m in Haarlem right now – also a beautiful place.
To your question… since a retention label will be added as a piece of metadata to a library when you publish a label policy to a site collection, you can show it in views, group by it, filter by it, etc. I’m not sure if you could leverage it in a workflow, etc – I haven’t tried that.
Hope that answers your question.
Today I am in Rotterdam.. not following you honest 😁.
Thanks for the response and yes you shared question. I am just trying to find an easier way for my users to use metadata when we migrate.
Do you know how soon Microsoft will be supporting search properties for automating classification labels? There seems to be no information about this on Microsoft roadmaps 🙁
Not specifically for SharePoint searchable properties yet, but… there are two features at play that may help with this:
1. Just released in preview mode, you can associate a SharePoint metadata property to a list/library and then set an AIP classification on that. (I’ve recently blogged about this, however it does have limitations I’ve documented at the end of my post)
2. In addition to this, it was announced at Ignite (coming early 2018 I believe) that you will be able to have a combined AIP and Retention label in one.
The combination of the above two will get us a bit closer to setting a classification based on a property in SharePoint.
Hope that helps.
Do you know if it’s possible to apply a default label to all documents and data tenant-wide unless a specific label is chosen by the end-user? We’ve been contracted by another Government partner to administrate their Office 365 tenancy, and have to implement the UK’s Government Security Classifications, which requires all data to be OFFICIAL or higher.
Rather than applying a label, you can use an over-arching retention policy (still defined in the Security & Compliance Center) for your sites. It is a way of defining retention at a higher level rather than at a document level. You can apply this to all sites, groups, mailboxes, etc. In addition, you can still apply a label at the document/library level as well if there is a requirement to do so and then there is a set of rules that are evaluated to determine which retention rule applies (MSFT has documented the precedence rules are, let me know if you can’t find the rules).
Hope that helps,
It appears that the application of a retention policy is a point in time activity and would not automatically apply to day-forward content where the policy would automatically apply to new content created within a site, group, mailbox, etc. Is there a way of applying the retention policy to a sites by default, as in site templates, or is it an activity based application (do it once, do it again later to catch new content, etc.)?
Perhaps I don’t understand your question. Once a retention policy has been published to a site collection, it will apply to both existing content as well as any net-new content added to it. Has that not been your experience?
Hi Joanne, any news from Microsoft about classification labels supporting search properties? I heard this capability would be available Q1 2018 – but I haven’t seen any announcements or mention in the Roadmap.
I haven’t seen anything yet. I will be keeping an eye out for that one.
I am interested as to how labels can be applied to a user’s emails and attachments, either automatically or manually. I spoke to a user this morning who has retain both the email trail and any attachments for both regulatory and contractual reasons. I thought I would start with labels in a single user mailbox before reviewing MS Teams & channel email addresses + flows.
Thank-you for writing this – it was very helpful. Is it possible to force users to select a label when they save a document to Sharepoint? Thanks!
No, it’s not. Other than setting a default for a library or folder, you cannot force a label.
Sorry I am a bit late to the party on this one!
I really like the O365 labels. I wanted to investigate the point that differing policies can be assigned to SharePoint Site Collections.
Makes sense that HR labels are not in the Finance Site Collection to assist usability.
However when I sat with IT to set this up we were only able to apply our first policy to all of SharePoint. I think I might have missed something.
Hi Matthew, if you deselect the box to publish to all locations, you should get an option to select specific SharePoint sites. You should have the option to be as granular as you want on the site collections included.
Hard to be any more helpful than that without seeing what you’re seeing.
Hope that helped.
What’s is the difference between data governance retention and classification-label-retention in security compliance
Hi Shubu, Data Governance retention is for defining policies not associated with a label (although you will ALSO see any label policies in their as well) Both retain content, it’s just how you want to apply your retention – users are unaware there is a retention policy in effect. I’ve recorded a video (on the right nav of my blog) that explains it a bit better.
Great post Joanne. Our Tenant Admin and Compliance Administrator tried to publish a retention label in a label policy which applies to a specific SharePoint site. They were unable to publish it and when we asked Microsoft, they said that the person needs “Full Control” in the SharePoint site in order to publish the label. Have you noticed the same behavior? It is a problem for us because it means we will need to add the Tenant Admin and Compliance Administrator to the Owner group of each site. They are already Site Collection Administrators in our sites but it seems it’s not enough…
Hi Isabelle, I’m not aware of this requirement. I’m going to test and get back to you. It may turn into a post as well.:)
Thanks for your informative blog Joanne.
We have just published Retention Labels to all Office Groups in our organisation but we would like to set a default label on selected groups.
Can this be done using a PowerShell / PNP script? as asking the Office Group owners to set it themselves is not ideal.
Yes, you can use Set-PnPLabel targeting the document libraries in the Groups you want to set it for. Link: https://docs.microsoft.com/en-us/powershell/module/sharepoint-pnp/set-pnplabel?view=sharepoint-ps
Hi Joanne. Your blog has been very helpful as we start down the path of retention and compliance! Apologies ahead of time for all the questions.Does an error occur if someone tries to delete a SharePoint site that has a retention policy assigned to it? What if the site has been unused for 5 years and the site only has a 3 year retention? Does it allow for deletion at that point even though there’s still a retention policy applied? Does an error occur if you try to delete a SharePoint site that has one or more files in it that are labeled for retention?
I’ll be adding your questions (great questions by the way) to another blog post for more visibility. Not sure when this will happen though – hopefully soon!