For those who don’t know me, one of my areas of focus in the Office 365 Security and Compliance Center is Data Protection.
The Office 365 compliance feature I’ll discuss in this post is the Preservation Policy. A Preservation policy is a type of Retention policy and can be applied to standard Exchange mailboxes, SharePoint sites, OneDrive for Business sites as well as Office 365 Group mail and files.
What’s a use case for a Preservation policy? If an organization has a Legal Department, for litigation and compliance reasons this feature could be deployed to preserve all activity from their site collection for 2 years after last modification (including all mailbox, SharePoint Online, Office 365 Group, and OneDrive for Business content).
DISCLAIMER: My walk-thru below covers only a SharePoint Online example.
I recommend downloading Microsoft’s recent white paper titled ‘Modernizing Enterprise Content Management with Microsoft Content Services’ to learn about Microsoft’s approach to what was traditionally referred to as Enterprise Content Management (ECM). ECM has undergone a drastic evolution in recent years to what will now be called Content Services. The four pillars of Content Services are: Harvest, Create, Coordinate and Protect.
Preservation Policies are part of the ‘Protect’ pillar.
#1 – Setting it up
Preservation policies are administered from the Security and Compliance Center in O365 via the Retention link under the Data governance section. A preservation policy is a type of retention policy.
Here is the official Microsoft link describing what a preservation policy is and when you might want to have one: Overview of preservation policies.
To comply with industry regulations or internal policies, organizations want to preserve content for a certain period of time. With a preservation policy in Office 365, you can preserve content in sites, mailboxes, and public folders indefinitely or for a specific duration.
Whether you’re applying the policy to a standard SharePoint Site Collection or a SharePoint Site Collection that is part of an O365 Group, the setup steps are the same. At a high level, here are the steps:
- Navigate to your Security and Compliance Center. (https://protection.office.com)
- Under Data Governance … Retention … click New(+).
- Enter a policy name and description.
- Select how long you would like to retain the content and optionally if it should be deleted when the retention period has been reached. This can be based on when it was created or last modified.
- Optionally, you can choose to use advanced retention settings. This will allow you to configure some conditions to limit the preservation policy to specific content. As of the time of this writing, you can use sensitive information types or a keyword query to detect content containing specific words or phrases. Please refer to this post to do this – Keyword queries and search conditions for content search (KQL relies on the search index). Note: at the time of writing, you cannot use a SharePoint content type in the query.
- Choose the locations you want the preservation to happen in: Exchange email mailboxes, Office 365 Groups, OneDrive and/or SharePoint documents.
- Include/exclude each mailbox and SharePoint site as required. Note: for SharePoint, you must provide the Site Collection URL and not a web URL.
- Optionally turn on preservation lock. This locks the policy, preventing it from being turned off. This is what gives O365 the SEC 1784 compliance certification!
- The policy will take up to 1 day to be deployed to all locations you have identified. Note: while the preservation policy is being deployed to all content sources, the status will be ‘Pending’. Preservation will not start until the status is ‘On’.
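The same setup can be scripted with Security & Compliance Center PowerShell. The following is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a compliance admin role, and that the policy name, site collection URL and 2-year (730-day) duration are placeholders you replace. The cmdlet names and parameters are the documented retention cmdlets, but the exact DistributionStatus values reported are an assumption to verify in your tenant.

```powershell
# Added example (not from the original post): create a SharePoint preservation
# (retention) policy with Security & Compliance Center PowerShell.
# Assumes: ExchangeOnlineManagement module installed, compliance admin account.
# All names, URLs and durations below are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.onmicrosoft.com"   # placeholder account

$policyName = "Legal-Preserve-2Y"                                # placeholder policy name
$siteUrl    = "https://contoso.sharepoint.com/sites/legal"       # site collection URL, not a web URL

# 1. Create the policy scoped to the SharePoint site collection.
New-RetentionCompliancePolicy -Name $policyName `
    -Comment "Preserve Legal site collection content for 2 years after last modification" `
    -SharePointLocation $siteUrl `
    -Enabled $true

# 2. Add the rule: keep for 730 days measured from last modification, then delete.
#    Use -RetentionComplianceAction Keep instead if content should never be deleted.
New-RetentionComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -RetentionDuration 730 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# Optional (advanced retention settings): restrict the rule to content matching a
# KQL query. Uncomment and adjust the query; content types cannot be used here.
# New-RetentionComplianceRule -Name "$policyName-Rule" -Policy $policyName `
#     -RetentionDuration 730 -ExpirationDateOption ModificationAgeInDays `
#     -RetentionComplianceAction KeepAndDelete `
#     -ContentMatchQuery 'contract OR "settlement agreement"'

# 3. Optional and irreversible: preservation lock. Once set, the policy cannot be
#    disabled and locations cannot be removed, so keep this commented until the
#    policy has been reviewed.
# Set-RetentionCompliancePolicy -Identity $policyName -RestrictiveRetention $true

# 4. Check deployment: the post notes preservation does not start while the policy
#    is still 'Pending'. Assumption: DistributionStatus moves from Pending to Success.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, RestrictiveRetention
```

Run step 4 again the next day if the status is still pending; the policy should not be relied on for a litigation hold until the distribution has completed for every location it covers.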
Once preservation policies are added, you can view them in the Data governance section of the Security & Compliance Center within the Retention section. They will be listed in-line with retention policies created via a Retention label.
An important thing to know about a preservation policy is that the end user working with the content has no idea the policy is in effect from a content editing perspective. They can continue to add/edit/delete content as they normally would, all the while the preservation policy is working silently in the background ensuring the content is being preserved in another location.
When I edit a document in a site with a preservation policy, it will allow me to edit the document, but adds an item into a special list created on the site called the Preservation Hold Library (/sites/yoursitename/PreservationHoldLibrary). It creates the list in the site (or subsite) you are making the change in and it only creates the list when it is required (i.e. the first time a change is made and an item needs to be inserted into the list, it will create the list if it doesn’t already exist). You must be a site collection administrator to see this list.
Here is the metadata on a Preservation Hold Library (I’ve highlighted the ones that are key to the preservation policy):
#2 – Policy is deployed… now what?
Any content added to the site after the preservation policy was put into effect will be preserved after deletion. Changes on new content aren’t copied to the Preservation Hold Library the first time it’s edited, only when it’s deleted (unless you have versioning turned on).
For example, on my O365 group I uploaded a document (my resume in the screenshot below) after the policy was deployed. I made 2 separate edits (saved each time) and then deleted the document. Only after I deleted the document did these 3 items get added to the Preservation Hold library on the site.
If an item exists at the time the policy was put into effect, the first time you make a change to the document it will insert an item into the Preservation Hold Library list. Subsequent edits on the document will not insert an additional item into the list, however if the document is ever deleted, all versions of the document will be inserted into the list as separate items.
For example, if this is the version history on a document at the time of deletion:
… when the document is first edited, a snapshot of the document and its metadata as it existed prior to the change is inserted as an item in the Preservation Hold Library list (the item identified as 12 minutes ago in the diagram below). Once the document is deleted, all previous versions are inserted as items into the Preservation Hold Library list:
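To confirm what the policy has actually captured (for example, that every version of a deleted document was inserted as a separate item, as described above), a site collection administrator can read the Preservation Hold Library with PnP PowerShell. This is an added example, not code from the original post; it assumes the PnP.PowerShell module is installed, that the site URL is a placeholder, and that the library is titled "Preservation Hold Library" (the URL given in the post is /PreservationHoldLibrary). Only standard file columns are read, since the policy-specific columns in the post’s screenshot are not reproduced here.

```powershell
# Added example (not from the original post): list what a preservation policy has
# retained in a web's Preservation Hold Library using PnP PowerShell.
# Assumes: PnP.PowerShell installed; signed-in account is a site collection admin
# (otherwise the library is not visible). Site URL is a placeholder.

Import-Module PnP.PowerShell
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/legal" -Interactive

# The library is created on demand, so its absence simply means nothing has been
# retained on this web yet (no edit or deletion of covered content has occurred).
$phl = Get-PnPList -Identity "Preservation Hold Library" -ErrorAction SilentlyContinue
if (-not $phl) {
    Write-Host "No Preservation Hold Library on this web yet: nothing has been retained."
    return
}

# Read every retained item. Standard columns are enough to see which source
# document each copy came from and when that copy was last modified.
$retained = Get-PnPListItem -List $phl -PageSize 500 | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.FieldValues["FileLeafRef"]
        Modified = $_.FieldValues["Modified"]
        Editor   = $_.FieldValues["Editor"].LookupValue
        SizeKB   = [math]::Round([double]$_.FieldValues["File_x0020_Size"] / 1KB, 1)
    }
}

# Newest copies first.
$retained | Sort-Object Modified -Descending | Format-Table -AutoSize

# A deleted document with version history shows up as several items with the same
# name; grouping makes that visible and gives a quick retention audit count.
$retained | Group-Object Name |
    Select-Object @{n = "Document"; e = { $_.Name }}, @{n = "RetainedCopies"; e = { $_.Count }} |
    Sort-Object RetainedCopies -Descending | Format-Table -AutoSize
```

Run this against the web where the change was made, not only the root site, because the post notes the library is created in whichever site or subsite the edited content lives in.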
#3 – Site Collection Lock
Once a preservation policy has been placed on a standard SharePoint site collection, you will see a lock icon next to the URL in the Site Collection list in the SharePoint Online Admin Center. This indicates the site cannot be deleted as it has a policy applied to it (shown below). For SharePoint sites provisioned with an Office 365 Group, you cannot see these sites listed below however the new SharePoint Admin Center (currently in preview) may show them – I will update this post once I test that out.
#4 – Removing a Preservation Hold
Content in the Preservation Hold Library list will be removed when one of three things happens:
- A policy administrator has changed the rules for what’s covered by the policy and the content no longer complies.
- The policy has been disabled.
- The policy end date has been reached and you have configured content to be deleted after it has (for example, retaining for 2 years and the 2 years have elapsed).
If you’ve configured the policy to delete content after the preservation period, the retained content is not deleted immediately – this is done by a timer process.
#5 – Legacy features
If you had a legacy preservation policy defined, it will continue to preserve the content in the Preservation Hold Library as described in an Office support article:
What happened to legacy preservation policies?
If you were using a preservation policy, that policy has been automatically converted to a retention policy that uses only the retain action – the policy won’t delete content. The preservation policy will continue to work and preserve your content without requiring any changes from you. You can find these policies on the Retention page in the Security & Compliance Center. You can edit a preservation policy to change the retention period, but you can’t make other changes, such as adding or removing locations.
The preservation policy is part of the Protect pillar of Microsoft’s Content Services. It is clear Microsoft is serious about Data Governance across their entire suite of Office 365 services including Exchange, OneDrive for Business and SharePoint (including content in Group files and conversations); however, the capabilities need to become more robust, as the needs of organizations are wide and varied when it comes to compliance regulations.
Thanks for reading.
This is EXCELLENT detailed information and VERY Timely for us at NGC. Thank you so much for drilling into this. We are looking hard at rolling out Teams (Groups) and it would be so wonderful and deeply appreciated if you did something just along these lines – but applied specifically to the GROUPS selection. We find the governance and preservation (and conversely deletion) of the Teams content in things like 1 to 1 chats, conversation channels and the like very confusing right now! I suspect others may have similar concerns too… Thanks for sharing and hoping to hear more from you!
Excellent read! I never heard of this Preservation Hold Library but this article gives enough information.
Once a retention policy is created and published to a site, is there no need to apply that policy to the document libraries? Will the policy automatically apply to sites it’s published to?
Once a Retention policy is published to a site, it automatically covers all libraries on the site. Changes/deletions will go into the preservation hold library. This differs from a Label policy where once it’s published to a site, its labels are available to be used on any document in any document library. If you want a default label, you have to explicitly set it at a library level though.
Hope that helps!
If preservation lock is applied across all mail, then how does a financial institution handle the right to be forgotten clause within GDPR, as nothing can be deleted from the mail?
The technical answer is those two requirements are at odds with each other and can’t work together. Unless the preservation lock is for a regulatory requirement stronger than GDPR, then you shouldn’t do it as it will prevent deletion. This is more a regulatory/legal question than a technical question so reach out to them.
Hi Joanne, in your blog you have mentioned there is a 2 year wait period before a file can be deleted, does this include from preservation library folder? When I have tried to delete them, it says I do not have the permission. I have an office account from university and I don’t have access to the computers from the original campus anymore. Many thanks.
Hi Joanne, I have recently discovered a preservation library folder in my Office account given by my university. I can’t seem to delete any of my text files that is located in the preservation library folder and I don’t have access to the original computers at the campus location anymore. Is there a way to delete my files and to prevent any future files saved into the library folder? Thanks.