by Joanne C KleinBlog Post: 3 minute read

Based on the recent numbers shared during the SharePoint Virtual Summit in May 2017, the amount of data inside O365 is growing at a staggering rate (300% increase in the amount of content stored in SharePoint in the past year). For those heavily regulated organizations, Information Management teams within them are looking at these numbers with growing concern. Although it can seem like a daunting task to implement retention and protection for content across all O365 services, there is a measured approach you can take to start you down the path to success.

Remember… starting is way better than standing still. 🙂

The following is my measured approach to get started. Each organization will differ according to their own regulatory and compliance requirements; however, I believe they will all primarily follow the same steps.

The typical teams involved in the process:

  • Information Management (IM) Team – this team is responsible for defining the retention schedule and classification. The retention schedule typically include security, retention and handling controls (can it be shared externally, when should it be destroyed, can it be destroyed?).
  • Information Technology (IT) Team – this is the team that is responsible for understanding and configuring the Security & Compliance features in O365.
  • Change Management (CM) Team – this team communicates the change to the organization based on the impact to the end-user. They provide the business value and “What’s in it for me” answers.

Continue reading “O365 Data Governance and Retention: A Measured Approach”


O365 Data Governance and Retention: A Measured Approach

2 Places for Office 365 Retention PoliciesBlog post: 2 minute read

I’m working with the new Retention classification feature in O365 and was confused when I noticed there were 2 places in the Security and Compliance Center where a Retention policy could be created:

ClassificationSectionThe first one is by going to the Classifications section of the Security & Compliance Center, adding a label and publishing it to a policy. I’ve previously blogged about this here: Label Retention across O365. The screenshot below shows a Contract Policy that has been published using this method. It includes one label, Contract, that has been published to a specific O365 Group. From here, you can add additional labels to this policy or set up conditions to auto-apply it.


DataGovernanceSectionThe second way to create/publish a policy is by going to the Data governance section of the Security & Compliance Center, clicking Retention and clicking ‘Create‘. I’ve previously blogged about this here: Retention in O365. The new way. The screenshot below is what I see when I go to the Data governance…Retention section. It not only shows the ‘Joanne’s Preservation policy’ retention policy I’ve created in this Retention section but also the Contract Policy created via a label shown above. BOTH policies will show in this list regardless where it was created.

What’s the difference? Here’s what I’ve discovered…

Continue reading “O365 Retention Policies… labels optional”

O365 Retention Policies… labels optional

Where does the search title come from- (11)Blog post: 1 minute read.

I’m spending some time learning about the new unified Retention policies in Office 365. I really like the unified approach for retention and deletion policies as it is a “one-stop shop” to encompass all services across O365 including:

  • Exchange email
  • SharePoint sites
  • OneDrive accounts
  • Office 365 groups
  • Skype for Business
  • Exchange public folders

Over the past few years I’ve learned a lot about the Information Management discipline and how the new O365 collaboration services are disrupting their world in a big way. Information Management teams will need to translate their organization’s retention schedule into the capabilities of the Retention Labels/Policies feature in the Security & Compliance center in Office 365. Depending on the regulatory requirements of an organization, this task will range in complexity. Continue reading “Office 365: Certificate of Destruction”

Office 365: Certificate of Destruction

Where does the search title come from- (9)Blog post: 3 minute read.
[Update August 2017] Do Not Track Preview feature added to end of post**

Azure Information Protection(AIP) is a cloud-based solution that helps protect an organization’s documents and emails. AIP provides protection for your data in 3 main ways:

  • Classification and Labeling
    • allows you to classify data at time of creation/modification and stores a label embedded directly as metadata in files and email headers as clear text. This allows other services (Data Loss Prevention for example) to read the classification and take further action. Due to the fact the label is in clear text and stored with the document, it remains protected regardless of its location. Refer to my recent blog post: AIP Labels: Keep it Simple (or KISS).
  • Protection and Use Rights
    • optionally protects data by persistent encryption and allows only authorized users to access. This ensures data is protected at all times regardless of where its stored or with whom its shared. The protection technology uses Azure Rights Management (Azure RMS) in the cloud and Active Directory Azure Rights Management (AD RMS) on-premises.
  • Tracking and reporting
    • provides the ability for users to track their documents and revoke access if they suspect risky behaviours.

This blog post will address the last bullet above – document tracking. Continue reading “Tracking documents with Azure Information Protection”

Tracking documents with Azure Information Protection

Preservation Policies in O365 (3)Blog post: 3 minute read.

Retention. It’s not the most exciting topic in the world of Office 365, but it is a very important one. It’s the feature that ensures your organization is keeping things for as long as you should and, just as important, disposing of things as soon as you should. My current focus within Office 365 is to understand the new Retention features and how they work across the O365 collaboration services.

Retention OptionRetention policies are administered from the Security and Compliance Center in O365 within the Data governance section. Whether the policy has been defined via a published label (Label Retention across O365) or by creating one directly within this Retention section, they will all appear on this page. A Retention policy can include content from not only Exchange mailboxes, public folders, Skype conversations, SharePoint sites and OneDrive for Business content but also Office 365 Group mail and files. A retention policy is the only feature that can both retain and delete content across Office 365. As content is spread across these services, this is your “one-stop shop” for retention. A very good thing.

Here is the official Microsoft link describing what a retention policy is and when you might want to have one: Overview of retention policies.

Follow along for a quick walk-thru of adding a retention policy for an O365 Group’s site and the ‘magic’ behind the scenes. Continue reading “Retention in O365. The new way.”

Retention in O365. The new way.

AIP and Retention Labels: What’s the diff?

by Joanne C KleinBlog post: 2 minute read.

Are you suffering from label confusion in Office 365? Well I sure was. I set out to understand what all these labels were being used for and what the relationship, if any, was between them. In this post, I’ll use real-world examples to illustrate the differences between the two types of labels.

AIP Labels

Azure Information Protection (AIP) labels are used to apply a sensitivity setting to documents across Office 365. They are defined in the Azure Information service of the Azure portal. (Read my post on how to get started with AIP labels) When applied, it appears as a sensitivity setting in the UI ribbon (in the Office client) and is stored in clear text as a property in the document backstage in ‘Advanced Properties’. The label can be manually set by an end-user, can be recommended to an end-user based on document/email content or it can be automatically based on document/email content (based on an appropriate O365 license). Continue reading “AIP and Retention Labels: What’s the diff?”