User Adaptive Scope and Auto-apply Retention Label Policy Walk-thru


Have you heard about Adaptive Scopes? It’s a new Microsoft Information Governance and Records Management (IG/RM) feature now in Public Preview (refer to Roadmap ID 70578). I’m really excited about this new feature because I think it addresses many of the challenging retention scenarios I see with customers looking to apply IG/RM controls at scale across their tenant.

Microsoft’s recent webinar provides walk-thru demos of the new Adaptive Scope feature for several common use-case scenarios. Check it out: mipc.eventbuilder.com/event/45703

A few key things about adaptive scopes to understand:

  • They are scopes, not policies
  • They are referenced when publishing either retention policies or retention label policies
  • There will now be 2 types of scopes:
    • Static (what we’ve had up until now)
    • Adaptive (new)
  • There are 3 types of adaptive scopes:
    • User | based on Azure AD attributes
    • Site | based on SharePoint site properties
    • Microsoft 365 Group | based on Azure AD attributes
User Adaptive scopes will help organizations apply retention controls across their environment for a select group of users in a flexible, targeted, and automated way.

Check out my Collection of posts to demonstrate how to use Adaptive Scopes to address common retention requirements I see in the field. Each post in the collection will demonstrate how to use an Adaptive Scope in a slightly different way.

This is the third post in the collection.

The Retention Requirement ask for this post:

“Automatically retain all Executives’ emails and OneDrive files for 10 years, then put thru a disposition review before deletion. The solution must accommodate users moving in and out of executive roles, including temporary assignments.”

To accomplish this, I’ll automatically apply a retention label to Executives’ emails and OneDrive files by combining two features:

  • a User Adaptive Scope (to dynamically identify Executives)
  • an auto-apply Retention Label Policy (to automatically apply a retention label to their content)

Until now, this could have been accomplished by knowing who the executives were and then including them in the retention label policy for the duration of their executive role. As you can imagine, ensuring the list of Executive users was kept up-to-date in the policy was often a burdensome task.

Enter Adaptive scopes! They eliminate this burden by dynamically scoping who the retention label will be applied to based on an Active Directory attribute, in this case an attribute to identify an executive. Taking it one step further, and combining an adaptive scope with an auto-apply retention label policy, opens up a world of possibilities to apply retention labels in a scalable, flexible, automated, and targeted way.

Here are the high-level steps to make this happen:

  1. Identify the Azure AD attribute(s) and value(s) for identifying the users you want “in scope”
  2. Create the User Adaptive Scope
  3. Create the Retention Label
  4. Create the auto-apply Retention Label Policy with the Adaptive Scope and Retention Label
  5. Wait and View the end result

Let’s dig in.


Step 1: Identify the Azure AD Attribute(s) and Value(s)

For this retention requirement, I need to target Executives only. In this tenant, I have a well-governed process for keeping the tenant’s Azure Active Directory up-to-date (do you?) and, because of this, I can rely on and leverage the Job title attribute to indicate who is in an executive role at any point in time. 

In this walk-thru, I’ll determine a user is an executive if he/she has one of these 2 executive Job titles: CEO or CFO. (In the real world, this list will likely be longer and/or may require a more complex query to identify an Executive, but you get the point.)

Here’s the Azure Active Directory account list from my (small) tenant where 2 of the 5 users are in an Executive role: Joanne Klein and Susan Smith

In a larger tenant, I recommend validating your filters before building your scope. Depending on the user attributes you’re using, you can use Azure AD PowerShell (Get-AzureADUser) or Exchange Online PowerShell (Get-Recipient) to test your filter. In my example, Job Title is a filterable property on the User Object in Azure AD so I’ll use it to filter on my job title values:

Get-AzureADUser -All $true | Where-Object { $_.JobTitle -eq 'CEO' -or $_.JobTitle -eq 'CFO' }

Note: not only should you include the complete list of Job titles associated with executives, it may be a good idea to also include any temporary Executive job title assignments as well, such as CEO-Interim.

Now that I’m confident the filter is right, I’m ready to move on to the next step to create an Executive User Adaptive Scope.
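Here is an added example (not code from the original post) that validates the same job-title filter against both directories the post mentions, so that a user with a stale title in one of them surfaces before the scope is relied on. It assumes the AzureAD and ExchangeOnlineManagement modules are installed, that Connect-AzureAD and Connect-ExchangeOnline have already been run, and that the Exchange filterable property for job title is Title (taken from the filterable-properties reference linked below).

```powershell
# Added example, not from the original post: validate the Executive job-title filter
# in Azure AD and in Exchange Online before building the User Adaptive Scope.
# Assumes Connect-AzureAD and Connect-ExchangeOnline have already been run.

# Job titles that should put a user in scope, including temporary assignments.
$executiveTitles = @('CEO', 'CFO', 'CEO-Interim', 'CFO-Interim')

# Azure AD view. -All $true is required; without it only the first 100 users are returned.
$aadMatches = Get-AzureADUser -All $true |
    Where-Object { $_.JobTitle -in $executiveTitles } |
    Select-Object DisplayName, UserPrincipalName, Mail, JobTitle

# Exchange Online view, using the same OPATH syntax the advanced query builder accepts.
# 'Title' is assumed to be the Exchange filterable property matching the Azure AD job title.
$opath = ($executiveTitles | ForEach-Object { "Title -eq '$_'" }) -join ' -or '
$exoMatches = Get-Recipient -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Filter $opath |
    Select-Object DisplayName, PrimarySmtpAddress, Title

Write-Host "OPATH filter: $opath"
Write-Host "Azure AD matches: $($aadMatches.Count)   Exchange Online matches: $($exoMatches.Count)"

# Compare on e-mail address; anyone present on one side only needs a look before the
# scope goes live (no mailbox, or a job title updated in one directory but not the other).
$exoMail = $exoMatches | ForEach-Object { "$($_.PrimarySmtpAddress)" }
$aadMail = $aadMatches | ForEach-Object { "$($_.Mail)" }
$onlyInAad = $aadMatches | Where-Object { "$($_.Mail)" -notin $exoMail }
$onlyInExo = $exoMatches | Where-Object { "$($_.PrimarySmtpAddress)" -notin $aadMail }
if ($onlyInAad) { Write-Warning 'Matched in Azure AD only:'; $onlyInAad | Format-Table -AutoSize }
if ($onlyInExo) { Write-Warning 'Matched in Exchange Online only:'; $onlyInExo | Format-Table -AutoSize }
```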


Step 2: Create the User Adaptive Scope

You’ll see the Adaptive scopes tab in 2 places in the Compliance Center: within Information governance and within Records management. Two important things to know about this:

  • whichever place you create the adaptive scope, it will appear in both places once saved
  • the adaptive scopes can be used in both retention policies and retention label policies

In this post, I’ll be working in the Records management feature to build and auto-apply a retention label so I navigate to Records Management… Adaptive scopes:


The Adaptive scope I created is called Executive Employees.


Because we are scoping Executive users in our organization, this adaptive scope has a type of Users:

From the earlier step, I’m filtering on 2 Job titles: CEO and CFO. You can use either the simple query builder as I’ve done below or the Advanced query builder if your query is more advanced. 

For advanced queries, any filterable property in OPATH can be used in this query. (I have not validated all properties however). You can validate your query using the Get-Recipient cmdlet.

Reference: Filterable properties for the Filter parameter

Once you save the Adaptive scope, it takes a bit of time to process before you will see the filtered users matching the Job Title query (Executives in my case). Within a day, the 2 executive users were included in the scope when I clicked the Scope details button to view the Executive Employees (image below). Please know the Adaptive scope can be used immediately when publishing a retention policy or label policy.


Step 3: Create the Retention Label

Nothing new in this step. I create a retention label called Executive set to retain for 10 years and then go thru a disposition review. Here is the final summary page:


Step 4: Create the auto-apply Retention Label Policy

Once the Executive retention label is created, I need to ensure it’s applied to all executives’ emails and OneDrive files. To do this in an automated way (we don’t want to rely on Executives to manually apply a retention label to their emails and files), I’ll leverage both the User Adaptive Scope from above and an auto-apply Retention Label policy called Executive Label Policy.

There are 3 key configuration steps in the label policy…

The first step is defining the correct condition for auto-applying the label – nothing has changed in this step. I’m using a size condition as well as a contenttype condition to catch all content across both emails and files.

Note: I did initially try size>0 on its own however in my testing, this only applied the retention label on the Executives’ emails; it did not auto-apply the label on their OneDrive files. (Perhaps I didn’t wait long enough for that to completely finish its processing). I added an additional condition of contenttype shown in the image below to ensure the OneDrive files would be included as well. As I do more testing with this condition, I’ll come back and update this post with the other options you can use to apply a retention label to everything “in scope”.

Refer to the Keyword queries and search conditions link for conditions you can use based on locations.


The second step is to ensure I’m referencing an Adaptive rather than a Static scope:

…and then select the Executive Employees Adaptive scope built in the earlier step. You can see that once the scope is selected, the Exchange email and OneDrive accounts locations are selected by default. This is perfect since we want to apply the retention label to Executives’ emails and OneDrive files.

The third step in the label policy configuration is selecting the label to auto-apply… in our case, the Executive retention label:

Once the retention label policy is submitted and its status changes to Enabled(Success), the actions configured by the auto-apply policy begin to apply the Executive retention label on emails and OneDrive files for the users identified in the Executive Employees adaptive scope.

Remember… auto-applying a retention label can take up to 7 days so patience is required.


Step 5: Wait and View the end result

Let’s check out Susan Smith’s (our CFO) content to see if it’s been labeled:

Susan’s mailbox items have been labeled including all Inbox items, Sent items, and Deleted items (unless there was another retention label already applied to the document). Because this is a retention label that is *only* auto-applied, the retention label will not appear in the dropdown if you were to manually apply a retention label. (Select message… select 3 dots… Assign policy)



Susan’s OneDrive files have had the Executive retention label applied (unless there was another retention label already applied to the document):


Closing thoughts…

There is tremendous value in this model to scope retention in a flexible, scalable, automated, and targeted way. Combining an auto-apply label policy with an adaptive scope is a very powerful combination.

Thanks for reading.

-JCK

8 comments

  1. Hi Joanne, thanks for these really useful posts about adaptive scopes. Do you have any advice over how to handle/prevent retrospective label assignment? For example, let’s say a person is temporarily promoted to CEO-Interim. Only the email from their time in this role should be labelled ‘Executive’. How can we ensure that this is the case, and the person’s inevitable email backlog from their previous role is not included? The only thing I can think of is to ensure that the previous email already has a label, suggesting there should be adaptive scopes set up for all job titles. Thanks!

    1. Hi Michael, great question! I have to think on this one for a bit. At first blush, I don’t have a great answer… I see where you’re going with your suggestion but I need to spend some more time thinking thru the scenario. One thought… have a separate policy for each interim position to apply the label with a date condition. You could get very specific in that way. Interim appointments aren’t using the adaptive scope feature in that case.
      -JCK

      1. Hi Joanne, thanks very much for the reply! Yes, the date condition sounds useful here, and I can see that it wouldn’t make sense to use adaptive scopes for that case.

  2. Hi Joanne. We’re investigating the use of adaptive scopes for auto-applying labels to users in different roles as you laid out. However, Microsoft’s documentation (https://docs.microsoft.com/en-us/microsoft-365/compliance/identify-a-hold-on-an-exchange-online-mailbox?view=o365-worldwide#identifying-mailboxes-on-hold-because-a-retention-label-has-been-applied-to-a-folder-or-item) says the following:

    Whenever a user applies a retention label that’s configured to retain content or retain and then delete content to any folder or item in their mailbox, the ComplianceTagHoldApplied mailbox property is set to True. When this happens, the mailbox is considered to be on hold, as if it was placed on Litigation Hold or assigned to a Microsoft 365 retention policy. When the ComplianceTagHoldApplied property is set to True, the following things may occur:
    – If the mailbox or the user’s user account is deleted, the mailbox becomes an inactive mailbox.
    – You aren’t able to disable the mailbox (either the primary mailbox or the archive mailbox, if it’s enabled).
    – Items in the mailbox may be retained longer than expected. This is because the mailbox is on hold and therefore no items are permanently deleted (purged).

    It’s the 3rd bullet that concerns us, since it appears to state that as long as there are any items labeled to be retained, say, 10 years, no items with a shorter retention can be purged. We’re planning to test this, but I wondered if you already had seen anything that would confirm or refute Microsoft’s documentation. Thanks!

    1. Our Microsoft POC clarified that, although all items – whether they have a label or not – will go to the Purges folder in the Recoverable Items folder once purged from Deletions and will remain there for the ‘RetainDeletedItemsFor’ value of days (default of 14 days; can be modified up to 30 days). Then the labeled items are moved to the DiscoveryHolds folder to wait out the rest of their retention time and the non-labeled items are, in fact, purged.

      I believe they will be clarifying their documentation accordingly.

      1. Thanks for the reply Peter. Apologize for my tardy response – I was at a conference. I have also confirmed this behavior with the product group. Really appreciate you verifying this.
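The hold behaviour discussed in this thread can be observed directly from Exchange Online. The following is an added example (not from the original post or from Microsoft’s documentation) that lists mailboxes flagged as held because of a retention label, together with the RetainDeletedItemsFor window mentioned above; it assumes Connect-ExchangeOnline has already been run, and the two executive addresses at the end are constructed sample values.

```powershell
# Added example, not from the original post: find mailboxes Exchange Online treats as
# "on hold" because a retain / retain-then-delete label landed on at least one item.
# Assumes Connect-ExchangeOnline has already been run.

# ComplianceTagHoldApplied is a filterable mailbox property, so filter server-side.
$labelHeldMailboxes = Get-Mailbox -ResultSize Unlimited `
    -Filter "ComplianceTagHoldApplied -eq 'True'" |
    Select-Object DisplayName, PrimarySmtpAddress,
                  ComplianceTagHoldApplied,
                  LitigationHoldEnabled,
                  RetainDeletedItemsFor,          # how long purged items stay in Recoverable Items
                  @{ Name = 'InPlaceHolds'; Expression = { $_.InPlaceHolds -join ', ' } }

$labelHeldMailboxes | Format-Table -AutoSize

# Executives expected to be label-held once the auto-apply policy has run (constructed sample
# addresses). A mailbox not yet flagged may simply be waiting on the policy, which can take
# up to 7 days, so re-run this later before concluding the label policy is not working.
$expected = @('susan.smith@contoso.example', 'joanne.klein@contoso.example')
$flagged  = $labelHeldMailboxes | ForEach-Object { "$($_.PrimarySmtpAddress)" }
$missing  = $expected | Where-Object { $_ -notin $flagged }
if ($missing) { Write-Warning "Not yet flagged as label-held: $($missing -join ', ')" }
```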

  3. Thanks a lot Erica for coming back to me

    To be more specific, I have a quick question on this topic, we are looking to use Adaptive Scopes for OneDrive Retention so that they can increase the retention period for selected users based on their AD properties such as role or department.

    Would this work for leavers when their AD account is deleted? I can’t see any documentation which makes it clear if it would continue to apply the longer retention period (applied by the adaptive scope targeting AD properties) or default back to the company-wide retention period?

    1. Hi Remon,
      If the retention policy is applied to the user’s OneDrive via an Adaptive scope and their content is being retained before they leave, when the user leaves the organization, “any files that are subject to a retention policy or has a retention label will remain subject to the retention settings for the duration of the retention period specified in the policy or label.”
      Link: https://learn.microsoft.com/en-us/microsoft-365/compliance/retention-policies-sharepoint?view=o365-worldwide#when-a-user-leaves-the-organization
      -Joanne
