User Adaptive Scope and Auto-apply Retention Label Policy Walk-thru


Have you heard about Adaptive Scopes? It’s a new Microsoft Information Governance and Records Management (IG/RM) feature now in Public Preview (refer to Roadmap ID 70578). I’m really excited about this new feature because I think it addresses many of the challenging retention scenarios I see with customers looking to apply IG/RM controls at scale across their tenant.

Microsoft’s recent webinar provides walk-thru demos of the new Adaptive Scope feature for several common use-case scenarios. Check it out: mipc.eventbuilder.com/event/45703

A few key things about adaptive scopes to understand:

  • They are scopes, not policies
  • They are referenced when publishing either retention policies or retention label policies
  • There will now be 2 types of scopes:
    • Static (what we’ve had up until now)
    • Adaptive (new)
  • There are 3 types of adaptive scopes:
    • User | based on Azure AD attributes
    • Site | based on SharePoint site properties
    • Microsoft 365 Group | based on Azure AD attributes
User Adaptive scopes will help organizations apply retention controls across their environment for a select group of users in a flexible, targeted, and automated way.

Check out my Collection of posts to demonstrate how to use Adaptive Scopes to address common retention requirements I see in the field. Each post in the collection will demonstrate how to use an Adaptive Scope in a slightly different way.

This is the third post in the collection.

The Retention Requirement ask for this post:

“Automatically retain all Executives’ emails and OneDrive files for 10 years, then put thru a disposition review before deletion. The solution must accommodate users moving in and out of executive roles, including temporary assignments.”

To accomplish this, I’ll automatically apply a retention label to Executives’ emails and OneDrive files by combining two features:

  • a User Adaptive Scope (to dynamically identify Executives)
  • an auto-apply Retention Label Policy (to automatically apply a retention label to their content)

Until now, this could have been accomplished by knowing who the executives were and then including them in the retention label policy for the duration of their executive role. As you can imagine, ensuring the list of Executive users was kept up-to-date in the policy was often a burdensome task.

Enter Adaptive scopes! They eliminate this burden by dynamically scoping who the retention label will be applied to based on an Active Directory attribute, in this case an attribute to identify an executive. Taking it one step further, and combining an adaptive scope with an auto-apply retention label policy, opens up a world of possibilities to apply retention labels in a scalable, flexible, automated, and targeted way.

Here are the high-level steps to make this happen:

  1. Identify the Azure AD attribute(s) and value(s) for identifying the users you want “in scope”
  2. Create the User Adaptive Scope
  3. Create the Retention Label
  4. Create the auto-apply Retention Label Policy with the Adaptive Scope and Retention Label
  5. Wait and View the end result

Let’s dig in.


Step 1: Identify the Azure AD Attribute(s) and Value(s)

For this retention requirement, I need to target Executives only. In this tenant, I have a well-governed process for keeping the tenant’s Azure Active Directory up-to-date (do you?) and, because of this, I can rely on and leverage the Job title attribute to indicate who is in an executive role at any point in time. 

In this walk-thru, I’ll determine a user is an executive if he/she has one of these 2 executive Job titles: CEO or CFO. (In the real world, this list will likely be longer and/or may require a more complex query to identify an Executive, but you get the point)

Here’s the Azure Active Directory account list from my (small) tenant where 2 of the 5 users are in an Executive role: Joanne Klein and Susan Smith

In a larger tenant, I recommend validating your filters before building your scope. Depending on the user attributes you’re using, you can use Azure AD PowerShell (Get-AzureADUser) or Exchange Online PowerShell (Get-Recipient) to test your filter. In my example, Job Title is a filterable property on the User Object in Azure AD so I’ll use it to filter on my job title values:

Get-AzureADUser -All $true | Where-Object {$_.JobTitle -eq 'CEO' -or $_.JobTitle -eq 'CFO'}

Note: not only should you include the complete list of Job titles associated with executives, it may be a good idea to also include any temporary Executive job title assignments as well, such as CEO-Interim.

Now that I’m confident the filter is right, I’m ready to move on to the next step to create an Executive User Adaptive Scope.


Step 2: Create the User Adaptive Scope

You’ll see the Adaptive scopes tab in 2 places in the Compliance Center: within Information governance and within Records management. Two important things to know about this:

  • whichever place you create the adaptive scope, it will appear in both places once saved
  • the adaptive scopes can be used in both retention policies and retention label policies

In this post, I’ll be working in the Records management feature to build and auto-apply a retention label so I navigate to Records Management… Adaptive scopes:

 

The Adaptive scope I created is called Executive Employees.

 

Because we are scoping Executive users in our organization, this adaptive scope has a type of Users:

From the earlier step, I’m filtering on 2 Job titles: CEO and CFO. You can use either the simple query builder as I’ve done below or the Advanced query builder if your query is more advanced. 

For advanced queries, any filterable property in OPATH can be used in this query. (I have not validated all properties, however.) You can validate your query using the Get-Recipient cmdlet.

Reference: Filterable properties for the Filter parameter
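
The validation described in Steps 1 and 2 can be run as one check before the scope is saved. This is an added example, not code from the original post: it assumes Connect-AzureAD and Connect-ExchangeOnline sessions are already open, that the Azure AD Job title is exposed to OPATH as Title, and that ExternalDirectoryObjectId on the recipient matches ObjectId on the Azure AD user; the variable names are illustrative.

```powershell
# Added example (not from the original post). Assumes Connect-AzureAD and
# Connect-ExchangeOnline sessions are already open.
$execTitles = @('CEO', 'CFO')   # the two titles used in this walk-thru

# Build the OPATH query the adaptive scope would use. Single quotes inside a
# title are doubled so the filter string stays valid.
$clauses = foreach ($title in $execTitles) {
    $escaped = $title -replace "'", "''"
    "Title -eq '$escaped'"
}
$opath = $clauses -join ' -or '

# Server-side evaluation of the OPATH query (what the scope will match).
$exoMatches = @(Get-Recipient -RecipientTypeDetails UserMailbox -Filter $opath -ResultSize Unlimited)

# Directory view: every user, filtered client-side on exact job title.
$allUsers   = @(Get-AzureADUser -All $true)
$aadMatches = @($allUsers | Where-Object { $execTitles -contains $_.JobTitle })

# Join the two result sets on the directory object id (assumed to correspond).
$exoIds = @($exoMatches | ForEach-Object { [string]$_.ExternalDirectoryObjectId })
$aadIds = @($aadMatches | ForEach-Object { [string]$_.ObjectId })
$onlyInAad = @($aadMatches | Where-Object { $_.ObjectId -notin $exoIds })
$onlyInExo = @($exoMatches | Where-Object { $_.ExternalDirectoryObjectId -notin $aadIds })

# Titles that contain an executive title but are not an exact match, such as
# CEO-Interim: the exact-match query above does not pick these up.
$nearMisses = @($allUsers | Where-Object {
    $t = $_.JobTitle
    $t -and ($execTitles -notcontains $t) -and
        ($execTitles | Where-Object { $t -like "*$_*" })
})

"OPATH query : $opath"
"Matched     : $($exoMatches.Count) in Exchange Online, $($aadMatches.Count) in Azure AD"

"Executive title in Azure AD but no matching user mailbox:"
$onlyInAad | Select-Object DisplayName, UserPrincipalName, JobTitle | Format-Table -AutoSize

"Matched by the OPATH query but not by the Azure AD filter:"
$onlyInExo | Select-Object DisplayName, PrimarySmtpAddress, Title | Format-Table -AutoSize

"Near-miss job titles to review before finalizing the scope:"
$nearMisses | Select-Object DisplayName, UserPrincipalName, JobTitle | Format-Table -AutoSize
```

An empty result in all three tables means the two filters agree and no similar-looking titles were left out of the query.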

Once you save the Adaptive scope, it takes a bit of time to process before you will see the filtered users matching the Job Title query (Executives in my case). Within a day, the 2 executive users were included in the scope when I clicked the Scope details button to view the Executive Employees (image below). Please know the Adaptive scope can be used immediately when publishing a retention policy or label policy.


Step 3: Create the Retention Label

Nothing new in this step. I create a retention label called Executive set to retain for 10 years and then go thru a disposition review. Here is the final summary page:


Step 4: Create the auto-apply Retention Label Policy

Once the Executive retention label is created, I need to ensure it’s applied to all executives’ emails and OneDrive files. To do this in an automated way (we don’t want to rely on Executives to manually apply a retention label to their emails and files), I’ll leverage both the User Adaptive Scope from above and an auto-apply Retention Label policy called Executive Label Policy.

There are 3 key configuration steps in the label policy…

The first step is defining the correct condition for auto-applying the label – nothing has changed in this step. I’m using a size condition as well as a contenttype condition to catch all content across both emails and files.

Note: I did initially try size>0 on its own however in my testing, this only applied the retention label on the Executives’ emails; it did not auto-apply the label on their OneDrive files. (Perhaps I didn’t wait long enough for that to completely finish its processing). I added an additional condition of contenttype shown in the image below to ensure the OneDrive files would be included as well. As I do more testing with this condition, I’ll come back and update this post with the other options you can use to apply a retention label to everything “in scope”.

Refer to the Keyword queries and search conditions link for conditions you can use based on locations.

 

The second step is to ensure I’m referencing an Adaptive rather than a Static scope:

…and then select the Executive Employees Adaptive scope built in the earlier step. You can see that once the scope is selected, the Exchange email and OneDrive accounts locations are selected by default. This is perfect since we want to apply the retention label to Executives’ emails and OneDrive files.

The third step in the label policy configuration is selecting the label to auto-apply… in our case, the Executive retention label:

Once the retention label policy is submitted and its status changes to Enabled(Success), the actions configured by the auto-apply policy begin to apply the Executive retention label on emails and OneDrive files for the users identified in the Executive Employees adaptive scope.

Remember… auto-applying a retention label can take up to 7 days so patience is required.


Step 5: Wait and View the end result

Let’s check out Susan Smith’s (our CFO) content to see if it’s been labeled:

Susan’s mailbox items have been labeled including all Inbox items, Sent items, and Deleted items (unless there was another retention label already applied to the document). Because this is a retention label that is *only* auto-applied, the retention label will not appear in the dropdown if you were to manually apply a retention label. (Select message… select 3 dots… Assign policy)

 

 

Susan’s OneDrive files have had the Executive retention label applied (unless there was another retention label already applied to the document):


Closing thoughts…

There is tremendous value in this model to scope retention in a flexible, scalable, automated, and targeted way. Combining an auto-apply label policy with an adaptive scope is a very powerful combination.

Thanks for reading.

-JCK

3 comments

  1. Hi Joanne, thanks for these really useful posts about adaptive scopes. Do you have any advice over how to handle/prevent retrospective label assignment? For example, let’s say a person is temporarily promoted to CEO-Interim. Only the email from their time in this role should be labelled ‘Executive’. How can we ensure that this is the case, and the person’s inevitable email backlog from their previous role is not included? The only thing I can think of is to ensure that the previous email already has a label, suggesting there should be adaptive scopes set up for all job titles. Thanks!

    1. Hi Michael, great question! I have to think on this one for a bit. At first blush, I don’t have a great answer… I see where you’re going with your suggestion but I need to spend some more time thinking thru the scenario. One thought… have a separate policy for each interim position to apply the label with a date condition. You could get very specific in that way. Interim appointments aren’t using the adaptive scope feature in that case.
      -JCK

      1. Hi Joanne, thanks very much for the reply! Yes, the date condition sounds useful here, and I can see that it wouldn’t make sense to use adaptive scopes for that case.
