Blog post: 2 minute read
I’m working with the new Retention classification feature in O365 and was confused when I noticed there were 2 places in the Security and Compliance Center where a Retention policy could be created:
The first one is by going to the Classifications section of the Security & Compliance Center, adding a label and publishing it to a policy. I’ve previously blogged about this here: Label Retention across O365. The screenshot below shows a Contract Policy that has been published using this method. It includes one label, Contract, that has been published to a specific O365 Group. From here, you can add additional labels to this policy or set up conditions to auto-apply it.
The second way to create/publish a policy is by going to the Data governance section of the Security & Compliance Center, clicking Retention and clicking ‘Create‘. I’ve previously blogged about this here: Retention in O365. The new way. The screenshot below is what I see when I go to the Data governance…Retention section. It not only shows the ‘Joanne’s Preservation policy’ retention policy I’ve created in this Retention section but also the Contract Policy created via a label shown above. BOTH policies will show in this list regardless where it was created.
What’s the difference? Here’s what I’ve discovered…
To be clear, these are both retention policies that can be used to apply unified retention/deletion across O365 locations. Why would you want to create one over the other? I’ve found these differences:
- Policies created within the Classification section can be applied by an end-user thru selection of a label whereas policies created within the Data governance section are generally more global in nature and will not be shown as a label that an end-user can select. They will work silently in the background (Preservation hold library) fulfilling the policy retention/disposition rules in the location(s) its been published to.
- A label can only be associated with policies published from the Classification section.
- An end-user will only see retention classification labels in the SharePoint UI – they will not have any indication that a retention policy is in effect for one added via Data governance/Retention.
- Both types of policies can be published to Exchange email, SharePoint sites, OneDrive accounts, and Office 365 groups however a policy created in the Data governance section can also be published to Skype for Business and Exchange public folders.
I found this nuance a bit confusing when I first started working with the new Retention feature in O365 and wondered why there would be two ways of applying a retention policy. It comes down to whether or not you want the end-user to be able to see and apply a label on their content at a granular level or if you want to apply retention at a more global over-arching level. You can have both types of retention policies published to the same location and if that is the case, the principles of retention will determine which policy will be adhered to:
- Retention wins over deletion
- Longest retention period wins
- Explicit inclusion wins over implicit inclusion
- Shortest deletion period wins
Whether you define your retention policies via a classification label or directly thru a retention policy, it will require a lot of forethought and planning with your Information Management team to ensure you have all of your important data covered. It’s a big, messy job but a very important one.
Thanks for reading.
Are institutions trying to solve the issues about first year retention?
What do you mean by this?
The retention is implemented differently with these two approaches as well which is very confusing. The preservation library is only for global retention. Labels lead to an error when a user tries to delete a document with a label on it that has retention applied and the document stays where it is.
Agreed. It definitely has a big end-user training component to it.
Hi. I’ve been looking at these options and trying to figure out which is best for us. One significant factor seems to be the reporting. If I use a label, I can monitor events using the Label Activity Explorer. I can’t use this same mechanism to report on a policy … ?
Hi Bill, you are correct. The mechanism to report on Content covered by a retention policy would be an eDiscovery search which is completely different. There may be some PowerShell you could run to show all locations covered by a policy as well although I have not tried that.
Hi Joanne, I am trying to get my head around the best approach to applying in-place retention policies within Sharepoint Online. Am I right in thinking that Microsoft are pushing us towards use of retention labels or are they still wedded to providing both of the approaches you outline in your post? My preference is for the IG specialists to control and apply the policies as part of the configured information architecture to ensure consistency and to reduce as much as possible the IG compliance burden on users. Sorry for the ramble – any advice or thoughts will be VERY gratefully received.
Unfortunately, it’s not a simple answer. Microsoft provides both solutions (retention labels and retention policies) as techniques to be leveraged to cover off the myriad of requirements organizations have on their data. They don’t recommend one over the other – they’re just different.
There are pros and cons to each. For instance, you cannot have a disposition review on content ONLY covered by a retention policy – it needs a retention label for that. A retention policy is applied at a container level (and unless you’re using auto-apply), everything in the container will fall under the retention. A label can be removed by a user, you cannot default an entire site’s content to the same label, etc.
This is why it is a combination of the two that should be deployed. Targeted retention labels to apply to content that has a specific retention period (default the label if you can) and the retention policies to cover off content outside of that is one option.
The degree to which you use either option (retention labels/retention policies) really depends on your organization’s regulatory requirements.
The comprehensive answer to this question would involve an analysis of your IG requirements and how the Office 365 ADG features translate into it.