Auditing Retention Labels in Office 365

You’ve worked hard to set up Office 365 Retention labels in your tenant and users are busy applying them to content they’re working on… or are they? How will you know what’s going on in lists and libraries across your tenant? Unless retention labels are being automatically applied to content (requires Office 365 E5 license), the setting of retention labels all comes down to the person sitting in front of the keyboard.

This post will show some ways you can monitor Retention labels across your tenant. Your organization’s information/records management team(s) may want to proactively monitor the outputs across all of these channels.

Tip: There are several ways you can minimize the reliance on end-users having to know which retention label to apply:

  • Set default retention labels where/when you can at the list/library/folder level
  • Use the auto-apply feature to automatically set a retention label based on conditions or sensitive information types (if you have an E5 license)
  • When the capability comes to Microsoft Flow to automatically set a retention label (on roadmap), use this where/when it makes sense (set it based on another piece of metadata)
  • Apply a retention policy at the site level, eliminating the need for a retention label in the first place

Ways to monitor retention labels:

  1. Data Governance Dashboard
  2. Label Activity Explorer (E5 only)
  3. Content Search
  4. Audit log

Data Governance Dashboard

This is an extensive dashboard highlighting numerous aspects of Retention Labels across the Exchange, SharePoint, and OneDrive for Business workloads in your tenant. You can find this under the Data Governance menu option in the Security & Compliance Center. (Docs link: View the data governance reports)

It comprises 7 individual reports:

  • 1 – How labels were applied: either manually or auto-applied
  • 2 – The percentage of labels classified as records and non-records
  • 3 – The top 5 labels in your tenant by usage

  • 4 – Who the top users applying the labels are (I’m in a tenant of one so only 1 user!)
  • 5 – A graph of where labels were applied across workloads over the past 90 days

  • 6 – How many file/folder label changes there were
  • 7 – If using disposition reviews, how many are pending across workloads

By clicking the Top 5 labels report, you can view the summarized details of labels across your tenant. Remember, this is over the past 90 days.


Label Activity Explorer

If you have an Office 365 E5 subscription, you can view a graph of the labels applied across your tenant as well as the supporting detail for each on the Label Activity Explorer. You can find this under the Data Governance menu option in the Security & Compliance Center. (Docs link: View label activity for documents)

There are several ways to view the data: by file and folder activity/changes, by workload, whether they were applied manually or by the system, and by user. You can export the results to a csv file for further analysis.

The top part of the explorer is a graphical representation of what was applied by label. At the time of this writing, you are only able to see 7 days of activity history.

The bottom part of the explorer is the detailed labels applied across all workloads. You can click each one for more detail including a link to the document:


Content Search

You can use Content search to query against a retention label by searching against the ComplianceTag property across all workloads. Check out another post of mine where I show an example of using Content Search to find content tagged with a specific retention label: Where’s my Office 365 Retention Label applied? Here is an example of search results for a retention label Joanne Label 3 showing results from 4 different workloads:

Once the search case is created, you can reference it by name (or ID) to automate the refresh of the results by the PowerShell cmdlet Start-ComplianceSearch. The results can be exported for further analysis. In the PowerShell window below, I have 2 search cases in my tenant and I’m refreshing the results on the one set up to return all items labeled with Joanne Label 1. I’m not aware of a PowerShell cmdlet to export the results – you would have to do this manually thru the Content Search UI once the results were updated.
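The refresh described above as a script. This is an added example, not code from the original post; it assumes a session already connected to Security & Compliance Center PowerShell, and the search name is hypothetical. It creates the search on first run from the ComplianceTag query, re-runs it, waits for completion, and reports the item count.

```powershell
# Added example. Assumes an existing Security & Compliance Center PowerShell
# session. $searchName is a hypothetical name; the label is the one used above.
$searchName = 'Retention audit - Joanne Label 1'
$labelName  = 'Joanne Label 1'

# Look the search up by name; create it on the first run.
$search = Get-ComplianceSearch | Where-Object Name -eq $searchName
if (-not $search) {
    # ComplianceTag is the property that holds the retention label name.
    New-ComplianceSearch -Name $searchName `
        -ContentMatchQuery "ComplianceTag:`"$labelName`"" `
        -ExchangeLocation All -SharePointLocation All | Out-Null
}

# Re-run the search so the results reflect current labelling.
Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes, with an upper bound so a stuck job
# does not hang a scheduled task forever.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

if ($search.Status -ne 'Completed') {
    throw "Search '$searchName' did not complete in time (status: $($search.Status))."
}

# Item count for the label; record it on each run to track adoption over time.
$search | Select-Object Name, Status, Items, ContentMatchQuery
```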


Audit Log

Filter the list of activities in the Audit log to find the 2 activities relating to retention labels: Changed compliance policy label and Deleted Record Compliance policy label. Leave the site URL blank to search across all sites in your tenant or enter a URL if you want to search within a specific SharePoint site.

The returned audit results will display details about the file, who changed it, when it was changed, and both the source (before) and destination (after) label name in each audit log entry. You can export the results to a csv file for further analysis.
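One way to work through such an export, as an added example that is not part of the original post. The sample rows are constructed, and the column names, the operation name and the `SourceLabel` / `DestinationLabel` properties inside `AuditData` are assumptions to check against your own CSV. It classifies each entry as a label being applied, replaced or removed, and lists the ones that need follow-up.

```powershell
# Constructed sample in the assumed shape of an audit log CSV export:
# AuditData is a JSON string carrying the before/after label names.
$export = @'
CreationDate,UserIds,Operations,AuditData
2019-03-04T14:02:11Z,user1@tenant.example,ComplianceSettingChanged,"{""ObjectId"":""https://tenant.example/sites/hr/Docs/policy.docx"",""SourceLabel"":"""",""DestinationLabel"":""Joanne Label 1""}"
2019-03-05T09:40:52Z,user2@tenant.example,ComplianceSettingChanged,"{""ObjectId"":""https://tenant.example/sites/hr/Docs/policy.docx"",""SourceLabel"":""Joanne Label 1"",""DestinationLabel"":""Joanne Label 3""}"
2019-03-06T16:15:03Z,user2@tenant.example,ComplianceSettingChanged,"{""ObjectId"":""https://tenant.example/sites/fin/Docs/budget.xlsx"",""SourceLabel"":""Joanne Label 3"",""DestinationLabel"":""""}"
'@

function Get-LabelChange {
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        $d = $Row.AuditData | ConvertFrom-Json
        # Skip rows that carry no label information at all (other activities).
        if (-not $d.SourceLabel -and -not $d.DestinationLabel) { return }

        $kind = if (-not $d.SourceLabel) { 'Applied' } elseif (-not $d.DestinationLabel) { 'Removed' } else { 'Replaced' }

        [pscustomobject]@{
            When   = $Row.CreationDate
            User   = $Row.UserIds
            Change = $kind
            From   = $d.SourceLabel
            To     = $d.DestinationLabel
            File   = $d.ObjectId
        }
    }
}

$changes = $export | ConvertFrom-Csv | Get-LabelChange

# Entries for the records team to review: a label was removed or swapped.
$changes | Where-Object Change -ne 'Applied' |
    Format-Table When, User, Change, From, To, File -AutoSize

# How often each user made each kind of change.
$changes | Group-Object User, Change | Select-Object Count, Name
```

To run it against a real export, replace the here-string with `Import-Csv` on the downloaded file.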


My thoughts…

Once retention labels are deployed across a tenant, it will take a concerted, planned effort by the Office 365 Administrators and Information Management teams to set up and assign the appropriate permissions for the above auditing features based on the tenant subscription. This will also be an additional task for the Information Management team, who will need not only to audit but also to follow up on any remediation required for labels being applied incorrectly.

As of the time of this writing, there are 2 important things to know:

  • the reports only go back 90 days. If you need more, you’ll have to export the audit data to another location for longer-range auditing
  • some of the auditing capabilities are only available in an Office 365 E5 subscription

Thanks for reading.

-JCK

4 comments

  1. Please can you clarify, if a label is applied based on the ‘default’ label on a library or folder whether this is shown on the dashboard, explorer, etc. and, if so, whether this is shown as automatic or manual or something else. I’m struggling to see labels applied in this way. Thanks

    1. Hi Keith,
      I’ve tested this and as far as I can see if you’ve defaulted a library (or folder) with a label and then upload documents into it, they will NOT appear on the label activity explorer. It appears that the manual ones and any that have been auto-applied (by configuring the auto-apply capability) will appear. The same appears to hold true for the data governance dashboard. This is not extensive testing however – just what I’ve observed thru my own tenant. You may want to go back to Microsoft for a definitive answer on this one.

      -JCK

  2. You make the point that E5 licenses are needed for auto application of labels and for use of the label explorer –
    We are planning a mix of E3 and E5 licenses – skewed more to E3 as our baseline. We are hearing that we may be able to use an uplift license of “Advanced Data Governance” to get access to these more advanced features / capabilities atop the E3 licenses. Have you heard anything like this?

    1. I don’t know what the license is called but yes, you can purchase a separate add-on license for advanced DG capabilities without going full-on E5. Contact your MSFT TAM for exact details for your org though.
      -JCK
