Principles of Retention in Microsoft 365

In Microsoft 365, there are 4 principles of retention to determine the retention and/or deletion outcome for a piece of content. For anyone implementing an overall information governance and records management program across Microsoft 365, it’s imperative to have an authoritative understanding of these principles.

The principles and the outcome they determine will guarantee you’re deleting content when you say you are and retaining content for as long as you’re required to meet your business, legal, and regulatory requirements.

This is important.

Over the past ~6 weeks, I’ve shared 6 scenarios to test your knowledge of the principles in an anonymous, fun compliance challenge. I had a great response from the community (Thank you!!) and a wide array of answers and follow-up questions. This demonstrated to me the need for more clarity around the principles, which I hope I can provide.

To prove this is not smoke and mirrors, I’ve validated each of my answers by setting up a Scenario Hub in a demo tenant with the 6 scenarios configured in separate Modern Communication sites (and Exchange mailboxes where they were involved):

Testing retention in Microsoft 365 can take days, weeks, or sometimes months to validate results. If you’re running tests of your own, my recommendation is to have a detailed plan before you start and then execute them in isolation to provide confidence in your results.

I’m now ready to start sharing the answers for the 6 scenarios. For all answers, I’ll use the diagram below to identify which Principle of Retention LEVEL determines the retention/deletion outcome for each piece of content:

A few things to keep in mind while using the Principles of Retention diagram:

3 Steps to take for EACH piece of content in the location…

Step 1: Create a list of all retention policies published to the location you’re evaluating (Exchange mailbox, SharePoint site, OneDrive account, Microsoft 365 Group, Teams chats/channel messages, Yammer messages) as well as any retention label that may be applied to the item in the location. At the time of this writing (July 2021), retention labels cannot be used across all locations where a retention policy can be.

Example list for SharePoint site 1:

  • Retention Policy A set to retain for 2 years then delete and published to SharePoint site 1
  • Retention Policy B set to delete after 4 years and published to SharePoint site 1
  • Retention Label A set to retain for 7 years then delete and published to SharePoint site 1, applied to a document

Step 2: Start at LEVEL 1 of the Principles of Retention. Compare the list items from Step 1 against each other using LEVEL 1’s principle. If there’s a “winner” at that LEVEL, the comparisons stop. If there’s a tie, proceed to LEVEL 2’s principle and compare only the tied items. Continue this pattern, proceeding to the next level until a “winner” is determined.

Step 3: Once you have a “winner”, it determines the retention and/or deletion outcome for the item.

Deletion Policy or Retention Policy?

If you’re getting started with retention features in Microsoft 365, note the naming: whether a retention policy or retention label is configured to retain forever, only retain for a period of time, only delete after a period of time, or retain and then delete, it’s called a retention policy or retention label in the Microsoft 365 Compliance Center and NOT a deletion policy or deletion label.

I say this to highlight the point that even if it’s called a “Retention” policy, it may only be configured to delete something without having any kind of retention component.


Below are links to the original scenario questions and my “official” answers:

Thanks for joining in my fun Compliance challenge!

-JCK