
In this article

  • Retention policies and labels in Microsoft 365
  • How retention settings work with content in place
  • Retention policy vs. retention label
  • Create and apply Microsoft 365 retention labels
  • Create a Microsoft 365 retention policy
  • Preservation Lock to restrict changes
  • The principles of retention
  • Limitations of using retention policies & labels as a backup solution

Microsoft 365 Retention Policy and Retention Label: A Complete Guide

21 Jan 2022
12 min read
Anju George
This article explores how an administrator can configure Microsoft 365 retention policies and labels to automatically retain or delete data, and why they should not be used as a backup solution.


1. What are retention policies and labels in Microsoft 365?

Retention policies and labels are used to prevent permanent deletion of Microsoft 365 data such as Outlook emails, documents in SharePoint and OneDrive, or Teams messages. Retention policies and labels are a part of the Microsoft Compliance center that can be used to govern critical information. Retention policies and labels help organizations to:
  • Comply proactively with industry regulations and internal policies which require data to be retained for a minimum period
  • Reduce risk of litigation or a security breach by permanently deleting content that is no longer needed
  • Share knowledge effectively within the organization and ensure that users work only with current and relevant content

Retention settings can be configured for the following scenarios:
  • Retain-only: Retain content forever or for a specified period 

  • Delete-only: Permanently delete content after a specified period 

  • Retain and then delete: Retain the content for a specified period and then permanently delete it 

Click here to learn about subscription and licensing requirements to use retention labels and policies. 

2. How retention settings work with content in place

When you assign retention settings to content, the content remains in its original location. If someone edits or deletes this content included in the retention policy, a copy of the content is automatically retained. 
  • For SharePoint and OneDrive sites: The copy is retained in the Preservation Hold library. 

  • For Exchange mailboxes: The copy is retained in the Recoverable Items folder. 

  • For Teams and Yammer messages: The copy is retained in a hidden folder named SubstrateHolds which is a subfolder within the Exchange Recoverable Items folder. 

Pro tip

Data in the Preservation Hold Library counts against your SharePoint storage quota. The total SharePoint storage limit per organization is set at 1TB plus 10GB x number of licensed Microsoft 365 users in your tenant. If you exceed the limit, you will have to purchase additional storage priced at $200/month/TB. To save on storage costs while retaining data, you can opt for a third-party cloud backup solution, like SysCloud.

3. Microsoft 365 retention policy vs. retention label

As already mentioned, retention settings can be assigned to your content using retention policies or retention labels. An administrator can either use one of these methods or combine both.  
A retention policy is used to assign retention settings at a container (site or mailbox) level whereas a retention label is used to assign retention settings at an item (folder, email, or document) level. For example, if all emails in a mailbox need to be retained for five years, it is easier to use a retention policy on the entire mailbox than to apply the same retention label on all the emails. However, if some emails in that mailbox need to be retained for ten years and some for five, then we need to apply retention labels at the item level. 
Retention settings from retention labels travel with the content if it is moved to a different location within your Microsoft 365 tenant. On the other hand, retention policies are bound to the content containers, and apply only to the content within. In addition, retention labels have the following capabilities that retention policies do not support: 
  • Start the retention period from when the content was labeled or based on an event, in addition to the age of the content or when it was last modified 
  • Apply a default label for SharePoint documents 
  • Mark the content as a record in the label settings, and always have proof of disposition when the content is deleted at the end of its retention period 

To compare retention capabilities for retention policies and retention labels, refer to the comprehensive table provided by Microsoft. 

4. How to create and apply Microsoft 365 retention labels

4.1. How to create a retention label

Note: To create and configure retention labels, one needs to be a global administrator or a compliance administrator. 

To create a retention label, follow the steps below:

In the pop-up dialog box, type the name and description of the label you want to create.

  • Step 2: Define the retention label settings according to your needs. You can define how long the data needs to be retained, when to start the retention, and what to do once the retention period is over. Learn more about each setting.

  • Step 3: Review the details of the label and click Create label.

  • Step 4: After creating the label, you can choose to publish it immediately, set an auto-apply rule to a specific type of content, or save it and publish it later.


After creating retention labels, you need to publish them. Retention labels can be published to different locations, depending on what the retention label does. When you publish retention labels, they are included in a retention label policy that makes them available for admins and users to apply to content. 

The following diagram visualizes how retention labels, retention label policies, and publish locations are related. 

[Diagram: retention labels, retention label policies, and publish locations]
As the above diagram shows: 

A single retention label can be included in multiple retention label policies. Also, a single retention label policy can include multiple retention labels (except auto-apply retention label policies which can include only a single label). 

Retention label policies specify the locations to publish the retention labels. The same location can be included in multiple retention label policies. 

Note: Retention labels can also be created using PowerShell.

4.2. How to create a retention label policy to publish retention labels

To create a retention label policy to make the labels available in Microsoft apps, follow the steps below:

  • Step 2: In the pop-up dialog box which lists all the labels available for publishing, select the ones you want to publish.

  • Step 4: If you chose Adaptive in Step 3: Click on Add scopes and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the scope types added. Click here to learn more about adaptive scope types, available locations and attributes, and how to configure an adaptive scope. 

    If you chose Static in Step 3: Choose the locations where you want to apply the selected retention labels. 

  • Step 5: Add a name and description to the policy and review the details.

The selected retention labels will be published. For OneDrive and SharePoint locations, published labels are typically available to apply within one or two days. For Exchange and Microsoft 365 Group locations, it can take up to seven days for the published retention labels to appear for users in Outlook (the mailbox should have at least 10 MB of data). 
The following diagrams illustrate how retention labels work: 
1) Labels that need to be applied manually: 

[Diagram: manually applied retention labels]

2) Labels that are auto-applied

[Diagram: auto-applied retention labels]

When you edit a retention label or retention label policy, and the label or policy has already been applied to content, the updated settings will be automatically applied to this content as well as any newly identified content.

Note:  

  • Once a retention label or label policy is created and saved, the following settings cannot be changed: names for retention labels and their policies, the scope type (adaptive or static), the retention settings except the retention period, and the option to mark items as a record. If the retention period is based on when the items were labeled, the retention period cannot be changed either. 
  • You can only delete retention labels that are not currently included in any retention label policies, that are not configured for event-based retention, or that do not mark items as regulatory records. 
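
The label creation and publishing steps in sections 4.1 and 4.2 can also be scripted with Security & Compliance PowerShell. The script below is an added example, not part of the original article; the admin account, label names, policy name and retention periods are assumptions chosen to match the five-year and ten-year email scenario from section 3.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a global
# or compliance administrator account. All names below are hypothetical.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

# Label names, the retention action and the record option cannot be changed
# after creation, so define them once here and review before running.
$labels = @(
    @{ Name = 'Mail-Retain-5y';  Days = 1825 },
    @{ Name = 'Mail-Retain-10y'; Days = 3650 }
)

$existing = Get-ComplianceTag | Select-Object -ExpandProperty Name

foreach ($l in $labels) {
    if ($existing -contains $l.Name) {
        Write-Host "Label $($l.Name) already exists, skipping"
        continue
    }
    # "Retain and then delete", counted from the age of the item.
    New-ComplianceTag -Name $l.Name `
        -Comment "Retain for $($l.Days) days from creation, then delete" `
        -RetentionAction KeepAndDelete `
        -RetentionDuration $l.Days `
        -RetentionType CreationAgeInDays
}

# Static-scope retention label policy that publishes both labels to all
# Exchange mailboxes.
$policyName = 'Publish-Mail-Retention-Labels'
New-RetentionCompliancePolicy -Name $policyName `
    -Comment 'Publishes the 5-year and 10-year mail labels' `
    -ExchangeLocation All

# One rule per published label ties the label to the label policy.
foreach ($l in $labels) {
    New-RetentionComplianceRule -Policy $policyName -PublishComplianceTag $l.Name
}

# Check distribution; labels can take days to appear for users in Outlook.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus
```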

4.3. How to apply published retention labels

Once the retention labels are published, these can be applied in different Microsoft applications. 
1. End users, as well as administrators, can manually apply retention labels from Outlook and Outlook on the web, OneDrive, SharePoint, and Microsoft 365 Groups. 

Learn how to apply retention labels in Outlook and Outlook on the web

Learn how to apply retention labels in OneDrive and SharePoint

When you publish retention labels to Microsoft 365 Groups location, the retention labels appear in the corresponding SharePoint team site, where one can apply retention labels similar to how they are applied for SharePoint documents. 

2. Administrators can apply a default retention label to all content in a SharePoint library, folder, or document set. Learn how to do this

3. Retention labels can be automatically applied to emails by creating rules in Outlook. Learn how to do this

Note:  

  • An email or document can have only a single retention label applied to it at a time. 
  • After retention labels are applied to content, content search can be used to find all items that have a specific retention label applied. 

Even though the main purpose of retention labels is to retain or delete content, they can also be used to simply classify content without turning on any retention actions. For this, you need to choose the option “Don’t retain or delete items” while configuring retention settings for the label (Step 2 under How to create a retention label). For example, you can create and apply a retention label with no actions, and then use that label to find the content later.

A retention label can also be used as a condition in a DLP (Data Loss Prevention) policy. To learn more about how to use a retention label as a condition in a DLP policy, click here.

5. How to create a Microsoft 365 retention policy

Note: Only a global administrator or a compliance administrator can create or configure retention policies.

To create a retention policy, follow the steps below:
  • Step 1: Open the Compliance admin center and navigate to the Information governance section.

  • Step 2: Select Retention policy -> New retention policy. Enter a name and description.

  • Step 4: If you chose Adaptive in Step 3: Click on Add scopes and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the scope types added. Click here to learn more about adaptive scope types, available locations and attributes, and how to configure an adaptive scope.  

    If you chose Static in Step 3: In the Locations page, select the locations to be included in the retention policy. 

  • Step 5: Configure the retention settings according to your organization’s requirements. 

    You can choose to: 
        - Retain the content for a specific period or forever 
        - Retain for a specific period and then delete the content 
        - Delete the content after a specific period 

  • Step 6: Review the settings and click Submit. Your new retention policy will be created.

It can take up to seven days for the retention policy to be applied.  


6. Preservation Lock to restrict changes to retention policies and retention label policies

Preservation Locks can be used to restrict changes to retention policies and retention label policies. A Preservation Lock locks a retention policy or retention label policy so that no one—including a global admin—can turn off the policy, delete the policy, or make it less restrictive. Preservation Locks can be enabled only via PowerShell; enabling this feature is not available in the UI to prevent accidental configuration. Learn how to lock a retention policy or retention label policy using PowerShell
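
The retention policy from section 5 and the Preservation Lock described above, scripted with Security & Compliance PowerShell. This is an added example, not part of the original article; the admin account, policy name, mailboxes and five-year period are assumptions, and the distribution check before locking is an extra safeguard of this example rather than a Microsoft requirement.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a global
# or compliance administrator account. All names below are hypothetical.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$policyName = 'Finance-Mail-5y'

# Section 5: name the policy and choose static locations.
New-RetentionCompliancePolicy -Name $policyName `
    -Comment 'Retain finance mailboxes for 5 years, then delete' `
    -ExchangeLocation 'finance@contoso.example', 'payables@contoso.example'

# Section 5, Step 5: the retention settings live in a rule attached to the
# policy. Keep = retain only, Delete = delete only,
# KeepAndDelete = retain and then delete.
New-RetentionComplianceRule -Name "$policyName-rule" -Policy $policyName `
    -RetentionDuration 1825 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption CreationAgeInDays

function Lock-RetentionPolicy {
    # Section 6: Preservation Lock. ConfirmImpact High forces a prompt,
    # because a locked policy cannot be turned off, deleted or relaxed.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Name)

    $p = Get-RetentionCompliancePolicy -Identity $Name -DistributionDetail
    # Added safety check (assumption of this example): only lock a policy
    # that has finished distributing to its locations.
    if ($p.DistributionStatus -ne 'Success') {
        throw "Policy '$Name' is '$($p.DistributionStatus)'; not locking yet."
    }
    if ($PSCmdlet.ShouldProcess($Name, 'Enable Preservation Lock (irreversible)')) {
        Set-RetentionCompliancePolicy -Identity $Name -RestrictiveRetention $true
    }
    # RestrictiveRetention reads True once the lock is in place.
    Get-RetentionCompliancePolicy -Identity $Name |
        Format-List Name, Enabled, RestrictiveRetention
}

# Run only after the policy has been reviewed and has taken effect:
# Lock-RetentionPolicy -Name $policyName
```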

7. The principles of retention: What takes precedence

Unlike retention labels, more than one retention policy can be applied to the same content. Additionally, the same content can also be subject to a retention label. In such situations where an item can be subject to multiple retention settings that could conflict with each other, the outcome is determined by the principles of retention.  
Here is a flowchart by Microsoft that shows how retention conflicts are resolved using the principles of retention. This will help to determine which policies take precedence over the others so that administrators do not have to worry about one policy setting overwriting the others.  

[Flowchart: the principles of retention]

To learn more about how retention conflicts are resolved along with relevant examples, refer to the Microsoft documentation.

8. Limitations of using Microsoft 365 retention policies and labels as a backup solution

While the native retention settings offered by Microsoft are helpful in retaining your data for regulatory compliance, they do not serve as a backup solution. Many organizations believe that they can leverage Microsoft retention policies and retention labels to back up critical data. This is a dangerous misconception that can place a company’s data at risk. Here are the limitations associated with using retention policies and labels as an alternative to backup:
  • Retained data counts towards your Microsoft 365 storage quota. Each user has limited storage available. If you delete data to stay within the storage limit, the deleted data cannot be recovered.

  • Retention policies and legal holds are part of the Microsoft Compliance Center, which is only available in senior E3 and E5 plans that are priced higher than Microsoft (Office) 365 Business plans.

  • Retention policies and labels do not cover all the data within Microsoft 365 apps:
    - For SharePoint and OneDrive: SharePoint membership permissions, sharing and access permissions, and site themes and related settings are not retained.
    - For Exchange Online: Calendar items, tasks that do not have an end date configured, and themes and related settings are not retained.

  • A maximum of 10,000 policies can be included in a tenant. This maximum number includes the different policies for retention, and other policies for compliance such as policies for DLP, information barriers, eDiscovery holds, and sensitivity labels. Within this 10,000 policies limit, there are also limits on the maximum number of policies for retention per workload:
    - Exchange (any configuration): 1,800
    - SharePoint or OneDrive (all sites automatically included): 13
    - SharePoint or OneDrive (specific locations included or excluded): 2,600

    There are also limits on the maximum number of items per policy. Learn more 

  • Unlike third-party cloud backup tools, retention policies and retention labels lack automated recovery features. In the event of data loss, retained data can only be exported offline and needs to be restored manually. Restoring a large amount of data will require a lot of manual effort and time.

  • Data belonging to deleted user accounts is not retained, so if you need to retain data of employees who left the company, you must continue paying Microsoft for the user licenses.

9. Conclusion

Retention policies and labels provided by Microsoft are necessary for proactive regulatory compliance, to reduce the risk of litigation or security breaches, and to ensure that users work with only current and relevant content. Nevertheless, they are not designed for the purpose of backup and restore, and therefore, have serious limitations as a backup solution. Third-party cloud backup applications like SysCloud are better options to back up your Microsoft 365 data.  

SysCloud Backup for Microsoft 365 provides automated, secure cloud backup for all your Microsoft 365 apps - Exchange Online, OneDrive, People, SharePoint, Teams, OneNote, Planner, Stream, Whiteboard, Public Folders, and Archived Mailboxes. With SysCloud, administrators can easily recover from accidental deletions or ransomware attacks and identify compliance gaps in the backup archives.  
