eDiscovery and Retention in Office 365

Reading Time: 3 minutes

This post will demonstrate how to use a retention policy defined in the Office 365 Security and Compliance Center’s Data Governance section to ensure you remain compliant with your organization’s regulatory requirements. I’ll demonstrate this by showing how content covered by the policy, even if deleted by an end-user, is discoverable in an eDiscovery request.

Setup Retention Policy

Retention Policy

For this fictitious example, imagine our organization requires us to keep all event-related material for 1 year before it’s deleted. (Maybe not a realistic example, but simple enough to demonstrate how this works) To do this, we need to create a retention policy in the Data governance section of the Security and Compliance Center. The important thing to know about a retention policy defined here is an end-user will still be able to add/change/delete content on the site while the policy is in effect. However, all of those changes are being tracked in a hidden location.

The location? The Preservation Hold library.

To carry on with our example, we define the retention policy with a retention period of 1 year and publish it (apply it) to our Events SharePoint Group. (image)

End-user works with content

An end-user creates a new document in the Events Group titled ‘SharePoint Conference 2018 notes.docx‘ and makes several edits. The end-user experience is no different than it would be working in a site with no policy applied. During this time, no content is added to the Preservation Hold library. The image below is the version history of the document capturing all changes:



Now, the end-user decides to delete the above document. There is nothing in the retention policy preventing them from doing this and the document is deleted.



Preservation Hold Library

Immediately upon deletion, the following entries are written to the Preservation Hold library. (If the library didn’t exist prior to this, it would be automatically provisioned)


Important thing to notice: each version of the document is written as a separate document in this library. This is a critical detail particularly if this document becomes part of an eDiscovery case in Office 365.

eDiscovery Search results

To demonstrate how eDiscovery works with the Preservation Hold library, let’s continue our example and imagine there was a litigation case where we were required to return all documents in our tenant for anything relating to “SharePoint Conference 2018”. To do this, we would create an eDiscovery case and enter that phrase as the Search query keyword. Lo and behold, all 6 results from the Preservation Hold library are returned:



Wrap it up

If you are required to retain certain information in your tenant for a specified period of time, a retention policy is a feature you can use to do this. It allows the end-user to continue working in their site while still retaining the information for regulatory reasons. These types of policies are invisible to the end-user and can be used in tandem with retention label policies which are controlled and visible by an end-user as a label. Together they apply different types of retention across all Office 365 workloads.

Thanks for reading.


Credit: Photo by Jeroen den Otter on Unsplash

One comment

  1. Always a pleasure to read something written by someone who knows the subject matter so well that they can explain themselves intelligibly. Thank you

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.