Auditing Retention Labels in Office 365

Reading Time: 5 minutes

You’ve worked hard to set up Office 365 Retention labels in your tenant and users are busy applying them to content they’re working on… or are they? How will you know what’s going on in lists and libraries across your tenant? Unless retention labels are being automatically applied to content (requires Office 365 E5 license), the setting of retention labels all comes down to the person sitting in front of the keyboard.

This post will show some ways you can monitor Retention labels across your tenant. Your organization’s information/records management team(s) may want to proactively monitor the outputs across all of these channels.

Tip: There are several ways you can minimize the reliance on end-users having to know which retention label to apply:

  • Set default retention labels where/when you can at the list/library/folder level
  • Use the auto-apply feature to automatically set a retention label based on conditions or sensitive information types (if you have an E5 license)
  • when the capability comes to Microsoft Flow to automatically set a retention label (on roadmap), use this where/when it makes sense (set it based on another piece of metadata)
  • apply a retention policy at the site level eliminating the need for a retention label in the first place

Ways to monitor retention labels:

  1. Data Governance Dashboard
  2. Label Activity Explorer (E5 only)
  3. Content Search
  4. Audit log

Data Governance Dashboard

This is an extensive dashboard highlighting numerous aspects of Retention Labels across the Exchange, SharePoint, and OneDrive for Business workloads in your tenant. You can find this under the Data Governance menu option in the Security & Compliance Center. (Docs link: View the data governance reports)

DataGovernanceDashboardMenu

It’s comprised of 7 individual reports:

  • 1 – How labels were applied. Either manually or auto-applied.
  • 2 – the percentage of labels classified as records and non-records
  • 3 – the top 5 labels in your tenant for usage

DataGovernanceDashboard-LabelsApplied

  • 4 – who the top users are applying the labels (I’m in a tenant of one so only 1 user!)
  • 5 – graph of where labels were applied across workloads over past 90 days

DataGovernanceDashboard-TopLabels

  • 6 – identifies how many file/folder label changes there were
  • 7 –  if using disposition reviews, shows how many are pending across workloads

DataGovernanceDashboard-RiskyLabels

By clicking the Top 5 labels report, you can view the summarized details of labels across your tenant. Remember, this is over the past 90 days.

DataGovernanceDetailedReport


Label Activity Explorer

If you have an Office 365 E5 subscription, you can view a graph of the labels applied across your tenant as well as the supporting detail for each on the Label Activity Explorer. You can find this under the Data Governance menu option in the Security & Compliance Center. (Docs link: View label activity for documents)

LabelActivityExplorerMenu

There are several ways to view the data: by file and folder activity/changes, by workload, whether they were applied manually or by the system, and by user. You can export the results to a csv file for further analysis.

The top part of the explorer is a graphical representation of what was applied by label. At the time of this writing, you are only able to see 7 days of activity history.

LabelActivityDashboardGraphic

The bottom part of the explorer is the detailed labels applied across all workloads. You can click each one for more detail including a link to the document:

LabelActivityDashboardDetails


Content Search

You can use Content search to query against a retention label by searching against the ComplianceTag property across all workloads. Check out another post of mine where I show an example of using Content Search to find content tagged with a specific retention label: Where’s my Office 365 Retention Label applied? Here is an example of search results for a retention label Joanne Label 3 showing results from 4 different workloads:

ContentSearchResultsAcrossAlllocations

Once the search case is created, you can reference it by name (or ID) to automate the refresh of the results by the PowerShell cmdlet Start-ComplianceSearch. The results can be exported for further analysis. In the PowerShell window below, I have 2 search cases in my tenant and I’m refreshing the results on the one set up to return all items labeled with Joanne Label 1. I’m not aware of a PowerShell cmdlet to export the results – you would have to do this manually thru the Content Search UI once the results were updated.PowerShellComplianceSearch


Audit Log

Filter the list of activities in the Audit log to find the 2 activities relating to retention labels: Changed compliance policy label and Deleted Record Compliance policy label. Leave the site URL blank to search across all sites in your tenant or enter a URL if you want to search within a specific SharePoint site.
Audit Retention Labels

The returned audit results will display details about the file, who changed it, when it was changed, and both the source (before) and destination (after) label name in each audit log entry. You can export the results to a csv file for further analysis.


My thoughts…

Once retention labels are deployed across a tenant, it will take a concerted, planned effort by the Office 365 Administrators and Information Management teams to set up and assign the appropriate permissions for the above auditing features based on the tenant subscription. Also, this will be an additional task placed on the Information Management team to not only audit, but also follow-up with any remediation required for labels being applied incorrectly.

As of the time of this writing, 2 things important to know:

  • the reports only go back 90 days. If you need more, you’ll have to export the audit data to another location for longer-range auditing
  • some of the auditing capabilities are only available in an Office 365 E5 subscription

Thanks for reading.

-JCK

12 comments

  1. Please can you clarify, if a label is applied based on the ‘default’ label on a library or folder whether this is shown on the dashboard, explorer, etc. and, if so, whether this is shown as automatic or manual or something else. I’m struggling to see labels applied in this way. Thanks

    1. Hi Keith,
      I’ve tested this and as far as I can see if you’ve defaulted a library (or folder) with a label and then upload documents into it, they will NOT appear on the label activity explorer. It appears that the manual ones and any that have been auto-applied (by configuring the auto-apply capability) will appear. The same appears to hold true for the data governance dashboard. This is not extensive testing however – just what I’ve observed thru my own tenant. You may want to go back to Microsoft for a definitive answer on this one.

      -JCK

  2. You make the point that E5 licenses are needed for auto application of labels and for use of the label explorer –
    We are planning a mix of E3 and E5 licenses – skewed more to E3 as our baseline. We are hearing that we may be able to use an uplift license of “Advanced Data Governance” to get access to these more advanced features / capabilities atop the E3 licenses. Have you heard anything like this?

    1. I don’t know what the license is called but yes, you can purchase a separate add-on license for advanced DG capabilities without going full-on E5. Contact your MSFT TAM for exact details for your org though.
      -JCK

  3. Nice article. I’ve been trying to work out the license model to understand implication of E1 vrs E3 around retention but the messaging seems mixed. Most stuff I’ve seen says for advanced retention based on classifications needs E5 but to create and manually apply labels I can’t see if its E1 or E3.

    From this first MS article I take it to read E1 is fine for manual policies https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center

    These articles seems to suggest you need E3 https://www.avepoint.com/blog/office-365/office-365-labels/ https://products.office.com/en-gb/business/compare-more-office-365-for-business-plans

    1. Hi Raymond, I don’t profess to be a license expert. This question is best asked to Microsoft directly.
      -JCK

  4. Have you managed to gather info about your question ? I have a very similar question as I have a mix of licences and Microsoft is very bad in documenting its capabilities per licences.
    Let´s assume an employee X is assigned Office365 E3 – supports labelling
    and employee Y is assigned Office365 E1/F1, etc – Does not support labeling
    What happends if X has assigned strictly confidential label for a document that Y wants to access ?

  5. Let´s assume an employee X is assigned a licence that supports labelling
    and employee Y is assigned a licence that does not support labeling
    What happends if X has assigned strictly confidential label for a document that Y wants to access ?

    1. Hi,
      I’d recommend you ask Microsoft this question. I’ve never run into this situation and I don’t know.
      -JCK

  6. Hi Joanne,

    Is there a way to prevent a contributor from changing a label on folder / document?
    Also if a folder or a document has a label applied, what happens if someone removes the label and deletes the content? Will it be moved to the preservation hold?

    Regards,
    Ramana

    1. Hi Ramana, unless a retention label marks the document a record, there is no way to prevent a contributor from changing or removing a label.

      It will only go to a preservation hold library if you have either an electronic hold or a retention policy (different than a label policy) published to that site.A retention label published to a site (this is called a label policy) does not create a preservation hold library. In this case, it would go to the first-stage recycle bin.
      JCK

  7. Thanks for the clarification Joanne.
    I had another doubt, when we setup a retention policy and if we want this restricted to certain site collections, is there any limits around the number of site collection that a policy can be applied to? Like if I wanted to apply a policy to around 2000+ site collections and NOT the whole tenant would that be possible or are there are limits / boundary conditions that would prevent me from doing so

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.