You’ve worked hard to set up Office 365 Retention labels in your tenant and users are busy applying them to content they’re working on… or are they? How will you know what’s going on in lists and libraries across your tenant? Unless retention labels are being automatically applied to content (requires Office 365 E5 license), the setting of retention labels all comes down to the person sitting in front of the keyboard.
This post will show some ways you can monitor Retention labels across your tenant. Your organization’s information/records management team(s) may want to proactively monitor the outputs across all of these channels.
Tip: There are several ways you can minimize the reliance on end-users having to know which retention label to apply:
- Set default retention labels where/when you can at the list/library/folder level
- Use the auto-apply feature to automatically set a retention label based on conditions or sensitive information types (if you have an E5 license)
- when the capability comes to Microsoft Flow to automatically set a retention label (on roadmap), use this where/when it makes sense (set it based on another piece of metadata)
- apply a retention policy at the site level eliminating the need for a retention label in the first place
Ways to monitor retention labels:
- Data Governance Dashboard
- Label Activity Explorer (E5 only)
- Content Search
- Audit log
Data Governance Dashboard
This is an extensive dashboard highlighting numerous aspects of Retention Labels across the Exchange, SharePoint, and OneDrive for Business workloads in your tenant. You can find this under the Data Governance menu option in the Security & Compliance Center. (Docs link: View the data governance reports)
It’s comprised of 7 individual reports:
- 1 – How labels were applied. Either manually or auto-applied.
- 2 – the percentage of labels classified as records and non-records
- 3 – the top 5 labels in your tenant for usage
- 4 – who the top users are applying the labels (I’m in a tenant of one so only 1 user!)
- 5 – graph of where labels were applied across workloads over past 90 days
- 6 – identifies how many file/folder label changes there were
- 7 – if using disposition reviews, shows how many are pending across workloads
By clicking the Top 5 labels report, you can view the summarized details of labels across your tenant. Remember, this is over the past 90 days.
Label Activity Explorer
If you have an Office 365 E5 subscription, you can view a graph of the labels applied across your tenant as well as the supporting detail for each on the Label Activity Explorer. You can find this under the Data Governance menu option in the Security & Compliance Center. (Docs link: View label activity for documents)
There are several ways to view the data: by file and folder activity/changes, by workload, whether they were applied manually or by the system, and by user. You can export the results to a csv file for further analysis.
The top part of the explorer is a graphical representation of what was applied by label. At the time of this writing, you are only able to see 7 days of activity history.
The bottom part of the explorer is the detailed labels applied across all workloads. You can click each one for more detail including a link to the document:
Content Search
You can use Content search to query against a retention label by searching against the ComplianceTag property across all workloads. Check out another post of mine where I show an example of using Content Search to find content tagged with a specific retention label: Where’s my Office 365 Retention Label applied? Here is an example of search results for a retention label Joanne Label 3 showing results from 4 different workloads:
Once the search case is created, you can reference it by name (or ID) to automate the refresh of the results by the PowerShell cmdlet Start-ComplianceSearch. The results can be exported for further analysis. In the PowerShell window below, I have 2 search cases in my tenant and I’m refreshing the results on the one set up to return all items labeled with Joanne Label 1. I’m not aware of a PowerShell cmdlet to export the results – you would have to do this manually thru the Content Search UI once the results were updated.
Audit Log
Filter the list of activities in the Audit log to find the 2 activities relating to retention labels: Changed compliance policy label and Deleted Record Compliance policy label. Leave the site URL blank to search across all sites in your tenant or enter a URL if you want to search within a specific SharePoint site.
The returned audit results will display details about the file, who changed it, when it was changed, and both the source (before) and destination (after) label name in each audit log entry. You can export the results to a csv file for further analysis.
My thoughts…
Once retention labels are deployed across a tenant, it will take a concerted, planned effort by the Office 365 Administrators and Information Management teams to set up and assign the appropriate permissions for the above auditing features based on the tenant subscription. Also, this will be an additional task placed on the Information Management team to not only audit, but also follow-up with any remediation required for labels being applied incorrectly.
As of the time of this writing, 2 things important to know:
- the reports only go back 90 days. If you need more, you’ll have to export the audit data to another location for longer-range auditing
- some of the auditing capabilities are only available in an Office 365 E5 subscription
Thanks for reading.
-JCK