Retention policies are applied to content or data to make sure we do not delete it before a specified date. For example, a contract might need to be kept for seven years to comply with a regulation. We would first need to identify the document as a contract, and then apply the contract retention policy, which would ensure we keep the contract for seven years.
Generally, content or data is retained to comply with federal, state, or local laws. This requirement is often called a regulatory requirement. Content or data might also be retained for operational purposes because the organization determines there is value in keeping some content. Another reason for retention is for historical purposes. Some examples of historical value are historical evidence, memorialization, and research.
The other way that people use retention policies is to get rid of content or data. There is a risk with keeping data around past its useful lifetime. Retention policies can help to ensure we delete content promptly.
Office 365 ADG retention policies can help with both keeping and deleting content and data.
What is Advanced Data Governance?
There are three components of Advanced Data Governance (ADG): Labels, Retention, and Supervision. We first covered these components in our Using Advanced Data Governance Labels in Office 365 article, but here’s the definition for each component to refresh your memory.
Labels classify your information for governance purposes. Some examples would be labels for contract, employee review, or other types of information. A retention policy can also be associated with labels.
Retention policies ensure that you do not delete content prematurely. Once content has reached the end of its retention period, the policy can delete the content, start an approval process for deletion, or do nothing.
Supervisions allow you to set policies that monitor email and 3rd party communications in your organization. You can specify people to review these communications.
There are two ways to retain content in Office 365: Label-based retention and retention policies. In this article, we are going to focus on ADG Retention Policies in Office 365. We have other articles focused on the basics of Office 365 labels and how Office 365 labels work in the real world, which covers label-based retention.
Who Has Access to Create Retention Policies?
Those that have specific permissions can create retention policies. You create them in the tenant admin area of Office 365, which is the area for performing administrative functions that will affect your entire organization. Within Office 365 tenant admin there is a portal called the Security and Compliance Center (SCC).
Your overall tenant admin will have access to the Security and Compliance Center by default. They can then grant permissions to people who only need access to the SCC. The permissions role needed is called the Organization Management role group.
Members of the Organization Management role group can also add additional members to the SCC.
How Do You Create an Office 365 Retention Policy?
There are three steps to create an Office 365 retention policy.
- Create the policy name and description.
- Configure the retention settings to define how long you would like to retain the content, and when you want to delete it.
- Choose the Office 365 locations where you will deploy the retention policy.
To create a retention policy, go to the Security and Compliance Center. Click on Data Governance, and then Retention. Next, select Labels from the box at the top. When you create a label, there are some fields you will need to complete.
On the first screen, you are required to choose a name for your policy. Optionally you can add a description, which will be seen by administrators.
Next, you will need to choose the settings for the retention policy. Here are the options available:
- Choose whether you want to retain content or delete it if it is older than a specified amount of time.
- If you choose to retain content, you can specify the duration of the retention period in days, months, or years. The other option is to retain content forever.
- The retention period can be triggered based on when the content was created or when it was last modified.
- After the end of the retention period is reached, you can choose to delete content automatically or you can choose to do nothing. The process used to delete content depends on the location of the content. We will go into these specifics in the next article in this series. If you choose not to delete content automatically, all content will be left in place, and you will need to delete it manually.
- If you choose to just delete the content, you can specify the age of the content to be deleted in days, months, or years. We can trigger the date from when the content was created or when it was last modified.
- For example, you could choose to delete all content if it was created over ten years ago. However, once a deletion policy is applied it will delete the content without any additional warnings.
- This option doesn’t prevent content from being deleted. If users delete the content manually no additional copies of the content will be retained.
- The last option is around advanced retention settings. Advanced settings allow you to apply a retention policy based on specific words or phrases, or for sensitive information. We will dive deeper into these options in the next section. Note that at the time of publishing, advanced settings do not work for Microsoft Teams chats or conversations.
Finally, you will need to set the location where the policy will be applied. You have two options:
- Apply policy only to content in Exchange email, public folders, Office 365 groups, OneDrive, and SharePoint documents. This retention policy is called an org-wide policy.
- Choose from specific Office 365 locations. This choice will apply the retention policy to content in the specified location. The only exception is for Skype. In this case, you need to also select up to 1,000 specific users where the policy will apply.
Please keep in mind that there is a limit of 10 org-wide and location-specific retention policies per tenant (organization). If you need to create additional policies try using the include / exclude, specific words and phrases, or sensitive information methods below.
You can also include or exclude users, sites, accounts, or groups from a retention policy. Some additional limits apply in this case.
- For Exchange Email, you cannot include or exclude more than 1,000 mailboxes per retention policy.
- For SharePoint, you cannot include or exclude more than 100 sites.
- In OneDrive, you can include or exclude up to 1,000 accounts.
- For Groups, you can include or exclude up to 100 groups.
Also, note that there is a limit of 1,000 retention policies that have included or excluded criteria per tenant (organization).
Apply Office 365 Retention Based on Specific Words or Phrases
Instead of applying a retention policy based on an entire location, you can apply it to content that contains specific words or phrases. This method uses the Office 365 search index to find the content.
To do this, type in the word or phrase you would like to use to identify content for the retention policy. You can also use search operators, such as AND, OR, or NOT to further refine the search. Any content matching your criteria will have the retention policy applied.
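The three steps described above, plus a keyword condition, can also be scripted with Security & Compliance PowerShell. The following is an added example, not part of the original article: it checks the include lists against the per-policy limits listed earlier before creating a policy and its rule. The policy name, mailboxes, site URL and keyword query are constructed placeholders, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example. All names, addresses and URLs are constructed placeholders.

# Per-policy include/exclude limits as listed in the article.
$Limits = @{ Exchange = 1000; SharePoint = 100; OneDrive = 1000; Groups = 100 }

function Test-RetentionScope {
    param([hashtable]$Scope)
    foreach ($loc in $Scope.Keys) {
        if (-not $Limits.ContainsKey($loc)) { throw "Unknown location '$loc'" }
        $count = @($Scope[$loc]).Count
        if ($count -gt $Limits[$loc]) {
            throw "$loc scope has $count entries; the limit is $($Limits[$loc])"
        }
    }
    return $true
}

# Locations this policy should cover (step 3 in the article).
$targets = @{
    Exchange   = @('legal@contoso.example', 'contracts@contoso.example')
    SharePoint = @('https://contoso.example/sites/contracts')
}
Test-RetentionScope -Scope $targets | Out-Null   # fail before touching the tenant

# Interactive sign-in to Security & Compliance PowerShell.
Connect-IPPSSession

# Steps 1 and 3: name, description (visible to administrators) and locations.
$policy = @{
    Name               = 'Contracts - 7 years'
    Comment            = 'Retain contracts for seven years, then delete'
    ExchangeLocation   = $targets.Exchange
    SharePointLocation = $targets.SharePoint
}
New-RetentionCompliancePolicy @policy

# Step 2: retention settings, attached to the policy as a rule.
$rule = @{
    Name                      = 'Contracts - 7 years rule'
    Policy                    = $policy.Name
    RetentionDuration         = 2555                # days, about seven years
    RetentionComplianceAction = 'KeepAndDelete'     # 'Keep' = retain only, 'Delete' = delete only
    ExpirationDateOption      = 'CreationAgeInDays' # or 'ModificationAgeInDays'
    ContentMatchQuery         = 'contract AND (signed OR executed)'
}
New-RetentionComplianceRule @rule
```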
Apply Office 365 Retention Based on Sensitive Information
The other option for applying retention is to use Data Loss Prevention (DLP) policies to identify sensitive content. This method allows you to automatically apply a retention policy using sensitive information types such as US social security numbers, bank account numbers, and health records.
DLP policies come as a pre-defined template from Microsoft that uses a data pattern to determine sensitive information, or you can create your own template. For example, a US social security number is in the following format: ###-##-####.
The DLP policy looks for that format, and if it finds the pattern, the retention policy will be applied. There are also settings to set the sensitivity of data identification.
Please note that advanced retention based on a sensitive information type doesn’t work for Skype or Exchange public folders. For Exchange emails, it only works for messages that are sent or received after you have activated the policy, not to content that is in a user’s mailbox.
How Specific Office 365 Apps Apply Retention and Deletion
Now that we've reviewed how retention and deletion policies are applied in Office 365 generally, our next article will focus on some of the exceptions and nuances that exist in specific apps, such as SharePoint, Microsoft Teams, and Exchange. Stay tuned for our next installment!