Retention in SharePoint Online: The WHAT

Reading Time: 9 minutes

[Updated October 25, 2020] Included announcements from Ignite 2020 | What’s new in Microsoft Information Governance and Records Management:

  • Regulatory Record label.  Currently in Public Preview.
  • Microsoft Teams Meeting recordings (if stored in SP, ODfB)
  • Yammer Community/Private messages

There are many things to consider when applying retention to your SharePoint Online content, and each decision you make will have follow-on effects to be aware of. I’m writing 4 posts to highlight 4 key questions to answer when configuring Office 365 retention and will identify some pros and cons of decisions surrounding each:

This post is the second in the series, Retention in SharePoint Online: The Where, What, How, and When, and answers the all-important “WHAT” question:


I think the image below sums up the retention scenario across Microsoft 365. Knowing you need it is only scratching the surface (which is partly what this blog post series is addressing)…

Iceberg image


Let’s answer “The WHAT”…

You know you need to apply retention, however now you need to decide what type of retention to apply. At the end of the day, ALL types apply retention, however they accomplish it in very different ways. The decision you make on the type of retention feature to leverage has an impact on several things and can matter a great deal as you’ll soon see. I’ll cover 5 options I’ve seen used in the field. As an organization, you will likely use every one of these techniques across your tenant to cover off your complete retention requirements:

 


Retention Policy

An end-user is not aware a retention policy is in effect when they’re collaborating and working with their content. Preserved content is held in a special hidden library on a SharePoint site called the Preservation Hold Library (PHL) only visible to site collection administrators (including Office 365 Group owners). This library is discoverable by an eDiscovery search, a Data Subject Request search, a Content Search from the Compliance Center, and a SharePoint search from a site collection administrator of the site it’s in.

It’s a mechanism used to ensure you’re compliant in retaining content for as long as you should and/or deleting content as soon as you should.

A Retention Policy can do 4 things:

  • retain content forever
  • retain content for a period of time
  • retain for a period of time and then automatically delete
  • delete content automatically after a period of time

The “period of time” referenced above can be based on either:

  • since the document was created
  • since the document was last modified

Important to understand… a retention policy applies to the content within the container, not the container itself. For example, if you had a retention policy configured to delete documents 5 years after the last modified date, the documents would automatically be deleted after 5 years, however the folder they may have existed in, the library they’re a part of, and the site they’re housed within do NOT get deleted. In this example, the folder, library, and site are the “containers” and would remain after the retention period has been reached.

Retention Policies can be published to all, individual, or selected:

  • SharePoint sites (Communication sites, Team sites not backed by a Group, Classic sites)
  • Office 365 Groups (Team sites backed by a Group)
  • Microsoft Team Chats
  • Microsoft Team Channel conversations (Standard Channels only for now)
  • Microsoft Teams meeting recordings **Ignite 2020 announcement
  • OneDrive for Business sites
  • Exchange mailboxes
  • Yammer (Community messages and Private messages) **Ignite 2020 announcement

What this means is a lot of planning needs to go into which of the above workloads you will want to publish your retention policies to.

You should consider using a retention policy if:

  • you have regulatory and/or business requirements to ensure all/some content in a container is retained for a specific period of time/deleted after a period of time
  • you do not have a requirement to review content prior to deletion
  • you want to curb the “keep everything forever” mindset
  • you want to apply a “catch-all” retention for anything that doesn’t have a more granular retention requirement
  • you want to apply retention without the end-user’s involvement or knowledge
  • you need to retain/delete Microsoft Teams chats and/or Teams channel conversations (currently retention labels cannot do this) for a specific period of time. You can publish different policies to Teams chats versus Teams channel conversations.

Retention Labels (Regular, Record, Regulatory Record)

Many things are common across regular, record, and regulatory record retention labels. To shorten the post, I’ll indicate what is common to all types of labels with a ALL prefix, specify what is unique to regular retention labels with a REGULAR ONLY prefix, what is unique to record retention labels with a RECORD ONLY prefix, and what is unique to regulatory record retention labels with a REGULATORY ONLY prefix.

Link: Compare restrictions for what actions are allowed or blocked. This option is currently in Public Preview and currently can only be enabled via PowerShell:

Here’s a link to a Sway where I summarize the capabilities across the 3 types of Retention Labels (for the best viewing experience, expand the Sway to full-screen):

ALL: A retention label is visible to an end-user on their files thru the SharePoint and Teams UI. The Retention label column can be added to any SharePoint list/library view.

Retention label library view

ALL: When a retention label is applied, you won’t see this change reflected in a document’s version history, however the retention label applied will show in the Compliance details for a document, the action will be audited in the Office 365 audit log, and will be visible in the Label activity explorer:

Retention Label name in Compliance DetailsLabel Activity ExplorerCompliance Tag in Audit log

ALL: A Retention Label can do one of these 5 things:

  • retain content forever
  • retain content for a period of time
  • retain for a period of time and then automatically delete
  • retain for a period of time and then go thru a disposition review for further action
  • ensure content is deleted automatically after a period of time

ALL: The “period of time” referenced above can be based on different things… more things than a retention policy:

  • since the document was created (age of the document)
  • since the document was last modified
  • since the document was labeled
  • since an event happened

ALL: Retention labels can be published to all, individual or selected:

  • Exchange email (shows under Assign Policy… with the complete list under More Retention Policies – see image)
  • SharePoint sites (shows in the details pane under Apply retention label heading)
  • OneDrive accounts (shows in the details pane under Apply retention label heading)
  • Office 365 Groups (applies to the Exchange Group mailbox and the SharePoint site)
  • Microsoft Teams meeting recordings (if stored in SP, ODfB) **Announced at Ignite 2020

This slideshow requires JavaScript.

REGULAR AND RECORD: anyone with contribute permissions or above will be able to continue to edit the metadata without removing the regular or record retention label (or unlocking the record if it was a record retention label). These changes will be included in version history as if there wasn’t a retention label.

REGULATORY ONLY: once the label has been applied, neither the file contents nor the metadata can be changed, even by a site collection administrator or a global administrator.

REGULAR ONLY: Any user with at least the contribute permission level will be able to set, change, and remove a regular retention label from a document in a library.  There is no way of stopping this. This is why it’s important for end-users in your organization to understand the meaning and importance of retention labels for their content – they’re the front-line who will be seeing them and having the opportunity to change them.

RECORD ONLY: in the record label definition in Microsoft 365 Compliance Center, once the toggle to classify content as as a record for a label is selected and the retention label definition is saved, you CANNOT… I repeat… you CANNOT delete the retention label. You’ve been warned. 🙂

Retention label record

RECORD ONLY: when the record retention label is applied to content, an additional field opens up for the item/document called Record status allowing the end-user to unlock and lock a record.

Record status locked

RECORD AND REGULATORY: once a record label is applied to content in a library, an additional column can be added to views called Item is a record to indicate if a document has had a record label applied to it. You will also see a lock icon beside the filename. (image)

Lock icon

RECORD ONLY: a document declared a record cannot be deleted without first removing the record retention label.

RECORD ONLY: a Site Collection Administrator (including Office 365 Group owners) can remove a record retention label from a document, however a Group member does not have the permission to do so.

RECORD ONLY: by locking and unlocking the record, changes can continue to be made to the document content while preserving all versions of the record in a special folder called Records in a library on the site called Preservation Hold Library automatically provisioned for you. You will also see a new major version in version history each time it’s unlocked.

RECORD ONLY: anyone with contribute permission or above will be able to lock the document once it’s been unlocked by toggling the Record status to Locked.

This slideshow requires JavaScript.

REGULATORY ONLY: Once a regulatory record label has been defined, you CANNOT shorten the retention period, you can only extend it.

REGULATORY ONLY: A regulatory record label cannot be applied using auto-labeling policies. It can only be applied using a retention label policy.

REGULAR AND RECORD: You should consider a retention label (record or regular) if:

  • you require a disposition review before a document can be deleted
  • you require numerous retention options for content within 1 library (you can publish multiple retention labels, including regular and retention, to a site and then use them across all libraries on a site)
  • you want to apply different default retention to different libraries in the same site
  • you want the ability to apply default retention to all content within a specific folder
  • you want to allow an end-user with at least contribute permission level to change the retention label
  • you’ve trained end-users working with the content on what the retention labels mean 

RECORD ONLY: You should consider a record retention label over a regular retention label if:

  • you need to ensure there is a record stored for each time you change a document’s content for either regulatory or business requirements
  • you need to ensure the record is immutable (can’t be changed nor deleted)
  • you want to protect a document from being changed unless there is explicit action to do so (by unlocking the record) and this action is audit-able
  • you’ve trained the administrators of the site to know how to properly handle the records on their site

REGULATORY ONLY: You should consider a regulatory record retention label over a record retention label if:

  • you need to ensure the record is immutable (can’t be changed nor deleted) once the label is applied (even by an administrator)
  • you need to ensure the record can’t be moved to another location outside of the container (SharePoint site or OneDrive site) it currently lives in
  • you’ve trained information workers of the site to know how to properly handle regulatory records and they understand the behavior of the content once applied

A Combination

Many times you will need to use a combination of the above options to satisfy your complete retention requirements. Examples I’ve seen:

  1. Apply a retention policy to all OneDrive for Business sites to delete content 10 years past last modified date. Also publish a retention label to all OneDrives to keep forever/longer allowing end-users to manually apply the label to select content they don’t want deleted after 10 years. You must train end-users to understand this process. This technique has the benefit of controlling the content hoarders in your organization and encouraging staff to move content with long-term business value out of their OneDrive site and into a business team SharePoint site.
  2. Apply a retention policy to the Contract site to delete all content 5 years after contract expiry date. Also publish a retention label for contract exceptions to apply to individual contract documents you may want to retain for longer periods. Train contract administrators to know how and when to do this.
  3. Publish multiple retention labels to your collaboration sites (can include both regular and record retention labels) to cover off the type of content stored there. This allows you to default libraries/folders to specific retention labels as well as allows end-users to manually set (or automate the setting of) any retention label published to the site on any piece of content on the site as required.

You can have multiple retention policies published to the same location. You can also have multiple retention labels published to the same site as retention policies are published to. Because of this, the principles of retention are required to determine which retention/deletion duration will apply to any one piece of content:

PRECEDENCE

Reference: The Principles of Retention, or what takes precedence?


Thanks for sticking with me. I hope you found this helpful and I’d love to know if you have any other considerations you’ve come across when making the decision around WHAT type of retention feature to use to retain your content in Office 365.

So far in this series, I’ve covered where to store your retained content and what type of retention to apply once you put it there. In the next post, Retention in SharePoint Online: The “HOW”, I’ll answer all of the ways you can apply a retention policy/label to your content… there’s a lot of them!

-JCK

5 comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.