GitBit
Sign Up

Creating and managing data retention to conform to compliance

Retention policies and retention labels are ways to keep data even after it has been deleted by the user. In short, it will keep the data for as long as the retention policy says to keep the data. It replaces backing up your file server and journaling your emails from an on-premises environment. Don't worry users can still delete documents and emails and even clear their recycle bins / empty their deleted items folder. But users will be able to restore the items still and admins can still perform content searches and retrieve the information. It will probably make more sense to simply jump in and review the settings as we see them.

What's a retention policy?

A retention policy is used to keep all the emails or documents in a particular location. That location can be virtually anything in Microsoft 365. For example, you can create a retention policy to keep all the emails in your entire environment or all the emails in a particular mailbox. No user interaction is required. A retention policy can be used to protect virtually every piece of data stored in Microsoft 365.

What locations can a retention policy protect?

Retention policies can be used to capture all the content in a certain location. For example, you can use retention policies

  • Exchange mailboxes: Retention policies can be used to protect exchange mailboxes. It can be used to retain the emails in all the mailboxes.

How to create a retention policy

1. Go to the Compliance admin center > Data lifecycle management > Retention policies. Click New retention policy.

New retention policy

2. Give your retention policy and name. For example, All files and emails. Optionally give it a description. Click Next.

Name your retention policy

3. On the Choose the type of retention policy to create​ page, click Static. Click Next.

Choose the type of retention policy to create​

4. On the next page click on the following locations: Exchange email, SharePoint sites, OneDrive accounts, Microsoft 365 Groups, Skype for Business, and Exchange public folder. Click Edit next to Skype for Business. Choose all your users. Click Done. Click Next.

Choose locations to apply the policy

5. On the Decide if you want to retain content, delete it, or both page, click Do nothing. Click Next.

Decide if you want to retain content, delete it, or both

6. Click Submit.

A few notes

First, did you notice we didn't select Teams or Yammer? That's because a retention policy that covers Yammer or Teams can't cover anything else. Go back and try to make a policy for Teams and then for Yammer.

Next, did you notice we had to manually add the users for Skype for Business? That's because there's no "cover all" for Skyper for Business. What happens if you add a new user to your tenant? You guessed it, you'll need to update the retention policy. Since Skype for Business is essentially dead anyway you may just want to simply ignore it too. It's up to you.

Did you also notice the include / exclude Edit buttons for each location where we applied the policy? By default, most locations will include all locations. But what if you need a retention policy to include only certain users? Or to exclude certain sites. Well, the include / exclude is exactly where you do it.

Another thing, take note of the time the item is retained. That means even if a user deletes the content before that time expires an admin can restore the content. But after the time expires the content will either be deleted automatically (if that's what you selected) or can be deleted and not restored.

Finally, when two conflicting policies are applied to the same content you'll need to know which one wins. Retention always takes precedence over deletion. If you have two policies one with a retain for 3 years and another for delete after 1 year the files will be retained for 3 years. Next, the longest retention policy wins. So if you have two policies one that retains for 1 year and another that remains for 3 years the policy with retains for 3 years wins.

Choose locations to apply the policy

Retention labels

Just like Information governance labels, retention labels are a powerful way to protect certain emails and documents. Just like information governance labels, there are two parts to retention labels. The labels and the policies. Let's jump in and start creating one.

1. Go to Compliance admin center > Data lifecycle management > Labels > Create a label.

Create a retention label

2. Name the label "Delete after 7 years". Set the description to "Automatically delete the content after 7 years". Click 

Name your retention label

3. Verify the retention period is set to 7 years. Set Start the retention period based on When items were last modified. Verify Delete items automatically is set. Click Next.

Define retention settings

4. Click Create label. Then click Done.

5. Click Next > Next > Next.

6. Set the Name to Delete after 7 years policy. Click Next.

Name your policy

7. Click Submit.

Skip the 24-hour delay and use your labels immediately

So you just published a retention label or maybe you made a change to a label and you need to make the label available immediately. What do you do? Have no fear, PowerShell is here!

1. Open PowerShell as an admin.

2. If you haven't connected to Exchange Online via PowerShell on this computer before perform the following: Run the following command in PowerShell: "Install-Module ExchangeOnlineManagement". If prompted to install NuGet click Y then enter. When prompted to Install from the 'PSGallery' click A then enter.

Install-Module ExchangeOnlineManagement

3. Run the following command in PowerShell: "Connect-ExchangeOnline". Enter your global admin username and click Next. Enter your password and click Sign in. If MFA is required, complete the MFA.

Connect-ExchangeOnline

4. Run the following PowerShell Command: "Get-Mailbox -ResultSize unlimited | ?{$_.Name -notlike "DiscoverySearchMailbox*"} | %{ Start-ManagedFolderAssistant $_.UserPrincipalName }"

Note: If you only need to publish the labels to one user immediately you can use "Start-ManagedFolderAssistant UPN" and replace UPN with the user's sign-in name

Start-ManagedFolderAssistant

5. Wait a couple of minutes and close and re-open your Office app.

How to apply a retention label to a document

As far as I know, you need to use the web browser. If you know how to apply a retention label to a document using the installed version of the Office suite let me know!

1. Open OneDrive in the browser. Click the checkbox next to the file name. Click the I in the top right corner. Scroll down until you see Apply label and click the dropdown. Click Delete after 7 years.

Apply a retention label to a document

How to apply a retention label to an email

You can apply retention labels to emails in Outlook! Let's take a look.

1. Right-click the email you want to protect. Click Assign Policy > Delete after 7 years.

Apply retention label to email

Litigation Hold for mailboxes

Another way to retain email in a mailbox is using a litigation hold. The litigation hold will retain everything in the mailbox (including items deleted and modified). The litigation hold also retains the archive mailbox.

What licenses are required for litigation hold?

Exchange Online Plan 2 license is required to put a mailbox on litigation hold (or any license that contains the Exchange Online Plan 2 feature). You can also use an Exchange Online Archiving license to place a mailbox on litigation hold. Finally, Office 365 A1 licenses also contain the litigation hold license requirements.

How to place a mailbox on litigation hold

1. Open Exchange Online admin center. Click the display name of the user you want to enable litigation hold for. Go to Others > Manage litigation hold.

Manage litigation hold

2. Click the switch to On. Set the hold duration (if required) and click Save.

Setup litigation hold settings

How to find data across your entire Microsoft 365 tenant

So now that we are retaining everything, how do we find it? What if legal tells us they need all the emails with the word test in the body, how do we find it? There are two locations: content search and eDiscovery. Content search is for quick searches across your tenant. For example, if someone says they can't find an email and need it. Then you can use a content search. eDiscovery searches give you a bit more control. For example, you can set retention on eDiscovery results. Maybe you have a lawsuit with Contoso and need to retain any emails that talk about Contoso. We can do that with an eDiscovery case. Or maybe you need to give someone explicit access to the emails that discuss Contoso. We can do that with an eDiscovery case.

How to create an eDiscovery case

Go to Microsoft Purview admin center > eDiscovery > Standard. Click Create a case. Give the case a name and click Save. Then click on the Name of your new case.

Create an eDiscovery case

How to set up a hold

A hold is like a retention policy but it only keeps the data that matches certain criteria. In the example below we will create a hold for all emails that contain the word Test.

2. Click Hold > Create.

Create an eDiscovery hold

3. Name the hold New Hold. Click Next. Click the Exchange mailboxes to On. Click Choose users, groups, or teams. Click the checkbox next to Name. Click Done. Click Next.

Select the locations

Select the locations
4. Put the word Test in the keywords textbox. Click Next.

Keywords

5. Click Submit > Done.

Create a search

Now that we've created a hold that will keep all the emails that contain the word Test in them we can now move along to create a search. A search allows you to view and export content from Microsoft 365.

1. Click Searches > New search. Name the search New Search. Click Next.

New search

2. Click the Locations on hold radio box. Click Next.

Set the location to Locations on hold

3. Set the Keywords to Test. Click Next.

Set the search criteria

4. Click Submit > Done.

How to review the eDiscovery search

Now that we've created a hold and a search let's take a look at our results. Before we can preview the results we need to grant ourselves the preview permission.

How to grant yourself preview permissions

1. Go to Microsoft Purview admin center > Permissions > Microsoft Purview solutions roles. Click Create. Set the name to Preview results. Click Next. Click Choose roles > Add. Click the Preview checkbox. Click Add.

Choose roles

2. Click Done > Next > Choose members > Add. Select yourself from the list. Click Add.

Add members to new role

3. Click Done > Next > Create role group.

You may need to log out of the browser > close the browser > re-open the browser > Re-login to the admin center.

How to preview the results

1. Go to eDiscovery > Standard. Click the case you created earlier. Click Searches then click the search you created earlier. Click Review sample.

Preview the search results

Grant someone permission to the eDiscovery search

Now that we've created the eDiscovery hold and search let's grant someone access to the eDiscovery case. Once the other person has the access they'll be able to view and manage the eDiscovery case themselves. First, we need to assign the user the eDiscovery Manager role. Then we need to grant the user the permissions in the case.

1. Go to Microsoft Purview admin center > Permissions > Microsoft Purview solutions roles > eDiscovery Manager. Click Edit next to eDiscovery Manager.

Add members to eDiscovery Manager role

2. Click Choose eDisvoery Manager > Add. Click the member you want to grant permissions to. Click Add. Click Done > Save.

Select members to eDiscovery Manager role

3. Go to eDiscovery > Standard > Settings. Click Select (under Access & permissions). Click Add (under manage members). Click the person you want to add. Click Add > Exit.

Add permissions to the eDiscovery case

Alerting to compliance searches

Lastly, we are on to alerting. Since a search gives your admins the ability to view any emails or content in your organization you may want to set up alerts. That way you'll receive an email every time a search is started.

1. Go to Microsoft Purview admin center > Policies > Alert policies.

Open alert policies

2. Click New alert policy. Set the name to eDiscovery search started. Set the severity to Medium. Set the Category to Information governance. Click Next.

Create a new alert

3. Click the Activity is drop-down and enter eDiscovery search. Click An eDiscovery search was started or exported. Click Next.

Set the alert activity

4. on the "Decide if you want to notify people when this alert is triggered" page click Next. Click Finish.

Did you like the site?