Creating and managing data retention to conform to compliance

Retention policies and retention labels are ways to keep data even after it has been deleted by the user. In short, the data is kept for as long as the retention policy says to keep it. It replaces backing up your file server and journaling your emails from an on-premises environment. Don't worry, users can still delete documents and emails and even clear their recycle bins or empty their deleted items folder. But users will still be able to restore the items, and admins can still perform content searches and retrieve the information. It will probably make more sense to simply jump in and review the settings as we see them.

What's a retention policy?

A retention policy is used to keep all the emails or documents in a particular location. That location can be virtually anything in Microsoft 365. For example, you can create a retention policy to keep all the emails in your entire environment or all the emails in a particular mailbox. No user interaction is required. A retention policy can be used to protect virtually every piece of data stored in Microsoft 365.

What locations can a retention policy protect?

Retention policies can be used to capture all the content in a certain location. For example, you can use retention policies

  • Exchange mailboxes: Retention policies can be used to protect Exchange mailboxes, retaining the emails in all the mailboxes.

How to create a retention policy

1. Go to the Compliance admin center > Data lifecycle management > Retention policies. Click New retention policy.

New retention policy

2. Give your retention policy a name. For example, All files and emails. Optionally give it a description. Click Next.

Name your retention policy

3. On the Choose the type of retention policy to create page, click Static. Click Next.

Choose the type of retention policy to create

4. On the next page click on the following locations: Exchange email, SharePoint sites, OneDrive accounts, Microsoft 365 Groups, Skype for Business, Exchange public folder. Click Edit next to Skype for Business. Choose all your users. Click Done. Click Next.

Choose locations to apply the policy

5. On the Decide if you want to retain content, delete it, or both page, click Do nothing. Click Next.

Decide if you want to retain content, delete it, or both

6. Click Submit.
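
The same policy expressed in Security & Compliance PowerShell, so it can be reviewed and re-run. This is an added example, not part of the original walkthrough. The 2555-day period, the rule name, the comment text and the Skype user addresses are assumptions or constructed placeholders, because the steps above do not state them.

```powershell
# Added example, not from the original article.
# Needs the ExchangeOnlineManagement module and a compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                     # interactive sign-in to Security & Compliance PowerShell

$policyName = 'All files and emails'    # name used in step 2
$ruleName   = "$policyName rule"        # assumption: any unique rule name works
$retainDays = 2555                      # assumption (about 7 years); the article gives no period
# Constructed placeholders: Skype for Business has no "All", so users are listed one by one.
$skypeUsers = @('user1@contoso.example', 'user2@contoso.example')

# Create the policy only if it is missing, so the script is safe to re-run.
$policy = Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) {
    # Teams and Yammer are left out on purpose: they need their own policies.
    New-RetentionCompliancePolicy -Name $policyName `
        -Comment 'Retain mail and files tenant-wide' `
        -ExchangeLocation All `
        -SharePointLocation All `
        -OneDriveLocation All `
        -ModernGroupLocation All `
        -PublicFolderLocation All `
        -SkypeLocation $skypeUsers | Out-Null
}

# The rule holds the retention settings. 'Keep' retains the content and takes
# no action when the period ends, which matches "Do nothing" in step 5.
$rule = Get-RetentionComplianceRule -Policy $policyName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-RetentionComplianceRule -Name $ruleName -Policy $policyName `
        -RetentionDuration $retainDays `
        -RetentionComplianceAction Keep | Out-Null
}

# Read the policy back: confirm it is enabled, which locations it covers,
# and whether distribution to the workloads has finished.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation,
                SharePointLocation, OneDriveLocation, ModernGroupLocation, SkypeLocation
```

When new users are added to the tenant, `Set-RetentionCompliancePolicy -AddSkypeLocation` extends the Skype for Business scope without recreating the policy.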

A few notes

First, did you notice we didn't select Teams or Yammer? That's because a retention policy that covers Yammer or Teams can't cover anything else. Go back and try to make a policy for Teams and then for Yammer.

Next, did you notice we had to manually add the users for Skype for Business? That's because there's no "cover all" for Skype for Business. What happens if you add a new user to your tenant? You guessed it, you'll need to update the retention policy. Since Skype for Business is essentially dead anyway, you may just want to ignore it. It's up to you.

Did you also notice the include / exclude Edit buttons for each location where we applied the policy? By default, most locations will include all locations. But what if you need a retention policy to include only certain users, or to exclude certain sites? Well, the include / exclude is exactly where you do it.

Another thing: take note of the time the item is retained. That means even if a user deletes the content before that time expires, an admin can restore the content. But after the time expires, the content will either be deleted automatically (if that's what you selected) or can be deleted and not restored.

Finally, when two conflicting policies are applied to the same content, you'll need to know which one wins. Retention always takes precedence over deletion. If you have two policies, one that retains for 3 years and another that deletes after 1 year, the files will be retained for 3 years. Next, the longest retention policy wins. So if you have two policies, one that retains for 1 year and another that retains for 3 years, the policy that retains for 3 years wins.


Retention labels

Just like information governance labels, retention labels are a powerful way to protect certain emails and documents. And just like information governance labels, there are two parts to retention labels: the labels and the policies. Let's jump in and start creating one.

1. Go to Compliance admin center > Data lifecycle management > Labels > Create a label.

Create a retention label

2. Name the label "Delete after 7 years". Set the description to "Automatically delete the content after 7 years". Click 

Name your retention label

3. Verify the retention period is set to 7 years. Set Start the retention period based on When items were last modified. Verify Delete items automatically is set. Click Next.

Define retention settings

4. Click Create label. Then click Done.

5. Click Next > Next > Next.

6. Set the Name to Delete after 7 years policy. Click Next.

Name your policy

7. Click Submit.
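
The label and its publishing policy can also be created from Security & Compliance PowerShell. This is an added example, not part of the original walkthrough. Publishing to all Exchange, SharePoint, OneDrive and Microsoft 365 Groups locations is an assumption standing in for the defaults accepted by the three Next clicks in step 5.

```powershell
# Added example, not from the original article.
# Needs the ExchangeOnlineManagement module and a compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$labelName  = 'Delete after 7 years'           # step 2
$policyName = 'Delete after 7 years policy'    # step 6
$days       = 7 * 365                          # the cmdlets take the period in days

# 1. The label itself. A 7-year retention period followed by automatic deletion
#    is 'KeepAndDelete'; the clock starts from the last-modified date (step 3).
if (-not (Get-ComplianceTag -Identity $labelName -ErrorAction SilentlyContinue)) {
    New-ComplianceTag -Name $labelName `
        -Comment 'Automatically delete the content after 7 years' `
        -RetentionAction KeepAndDelete `
        -RetentionDuration $days `
        -RetentionType ModificationAgeInDays | Out-Null
}

# 2. The label policy that publishes the label so users can apply it.
#    Assumption: all locations, mirroring the wizard defaults.
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $policyName `
        -ExchangeLocation All `
        -SharePointLocation All `
        -OneDriveLocation All `
        -ModernGroupLocation All | Out-Null

    # A rule with -PublishComplianceTag is what ties the label to the policy.
    New-RetentionComplianceRule -Policy $policyName `
        -PublishComplianceTag $labelName | Out-Null
}

# 3. Read both objects back and check the settings before relying on them:
#    a label that deletes content is worth verifying twice.
Get-ComplianceTag -Identity $labelName |
    Format-List Name, RetentionAction, RetentionDuration, RetentionType
Get-RetentionCompliancePolicy -Identity $policyName |
    Format-List Name, Enabled, DistributionStatus
```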

Skip the 24-hour delay and use your labels immediately

So you just published a retention label or maybe you made a change to a label and you need to make the label available immediately. What do you do? Have no fear, PowerShell is here!

1. Open PowerShell as an admin.

2. If you haven't connected to Exchange Online via PowerShell on this computer before, run the following command in PowerShell: "Install-Module ExchangeOnlineManagement". If prompted to install NuGet, press Y then Enter. When prompted to install from 'PSGallery', press A then Enter.

Install-Module ExchangeOnlineManagement

3. Run the following command in PowerShell: "Connect-ExchangeOnline". Enter your global admin username and click Next. Enter your password and click Sign in. If MFA is required, complete the MFA.

Connect-ExchangeOnline

4. Run the following PowerShell command:

    Get-Mailbox -ResultSize unlimited | ?{$_.Name -notlike "DiscoverySearchMailbox*"} | %{ Start-ManagedFolderAssistant $_.UserPrincipalName }

Note: If you only need to publish the labels to one user immediately, you can use "Start-ManagedFolderAssistant UPN" and replace UPN with the user's sign-in name.

Start-ManagedFolderAssistant

5. Wait a couple of minutes and close and re-open your Office app.

How to apply a retention label to a document

As far as I know, you need to use the web browser. If you know how to apply a retention label to a document using the installed version of the Office suite let me know!

1. Open OneDrive in the browser. Click the checkbox next to the file name. Click the I in the top right corner. Scroll down until you see Apply label and click the dropdown. Click Delete after 7 years.

Apply a retention label to a document

How to apply a retention label to an email

You can apply retention labels to emails in Outlook! Let's take a look.

1. Right-click the email you want to protect. Click Assign Policy > Delete after 7 years.

Apply retention label to email