Categories

In this article

  • Retention policies and labels in Microsoft 365
  • How retention settings work with content in place
  • Retention policy vs. retention label
  • Create and apply Microsoft 365 retention labels
  • Create a Microsoft 365 retention policy
  • Preservation Lock to restrict changes
  • The principles of retention
  • Limitations of using retention policies & labels as a backup solution

Microsoft 365 Retention Policy and Retention Label: A Complete Guide

21 Jan 2022
12 min read

This article explores how an administrator can configure Microsoft 365 retention policies and labels to automatically retain or delete data, and why it should not be used as a backup solution.

retention policies and labels flowchart

1. What are retention policies and labels in Microsoft 365?

Retention policies and labels are used to prevent permanent deletion of Microsoft 365 data such as Outlook emails, documents in SharePoint and OneDrive, or Teams messages. Retention policies and labels are a part of the Microsoft Compliance center that can be used to govern critical information. Retention policies and labels help organizations to: 
Comply proactively with industry regulations and internal policies which require data to be retained for a minimum period 
Reduce risk of litigation or a security breach by permanently deleting content that is no longer needed 
Share knowledge effectively within the organization and ensure that users work only with current and relevant content 
Retention settings can be configured for the following scenarios: 
  • Retain-only: Retain content forever or for a specified period 

  • Delete-only: Permanently delete content after a specified period 

  • Retain and then delete: Retain the content for a specified period and then permanently delete it 

Click here to learn about subscription and licensing requirements to use retention labels and policies. 

2. How retention settings work with content in place

When you assign retention settings to content, the content remains in its original location. If someone edits or deletes this content included in the retention policy, a copy of the content is automatically retained. 
  • For SharePoint and OneDrive sites: The copy is retained in the Preservation Hold library. 

  • For Exchange mailboxes: The copy is retained in the Recoverable Items folder. 

  • For Teams and Yammer messages: The copy is retained in a hidden folder named SubstrateHolds which is a subfolder within the Exchange Recoverable Items folder. 

3. Microsoft 365 retention policy vs. retention label

As already mentioned, retention settings can be assigned to your content using retention policies or retention labels. An administrator can either use one of these methods or combine both.  
A retention policy is used to assign retention settings at a container (site or mailbox) level whereas a retention label is used to assign retention settings at an item (folder, email, or document) level. For example, if all emails in a mailbox need to be retained for five years, it is easier to use a retention policy on the entire mailbox than to apply the same retention label on all the emails. However, if some emails in that mailbox need to be retained for ten years and some for five, then we need to apply retention labels at the item level. 
Retention settings from retention labels travel with the content if it is moved to a different location within your Microsoft 365 tenant. On the other hand, retention policies are bound to the content containers, and apply only to the content within. In addition, retention labels have the following capabilities that retention policies do not support: 
  • Start the retention period from when the content was labeled or based on an event, in addition to the age of the content or when it was last modified 
  • Apply a default label for SharePoint documents 
  • Mark the content as a record in the label settings, and always have proof of disposition when the content is deleted at the end of its retention period 

To compare retention capabilities for retention policies and retention labels, refer to the comprehensive table provided by Microsoft. 

4. How to create and apply Microsoft 365 retention labels

4.1. How to create a retention label

To create a retention label, follow the steps below:

office 365 retention label-create a label
In the pop-up dialog box, type the name and description of the label you want to create.

office 365 retention label - name and description
  • Step 2: Define the retention label settings according to your needs. You can define how long the data needs to be retained, when to start the retention, and what to do once the retention period is over. Learn more about each setting.

microsoft 365 retention labels - retention settings
  • Step 3: Review the details of the label and click Create label.

office 365 retention label - review
  • Step 4: After creating the label, you can choose to publish it immediately, set an auto-apply rule to a specific type of content, or save it and publish it later.

microsoft 365 retention label - when to publish

After creating retention labels, you need to publish them. Retention labels can be published to different locations, depending on what the retention label does. When you publish retention labels, they are included in a retention label policy that makes them available for admins and users to apply to content. 

The following diagram visualizes how retention labels, retention label policies, and publish locations are related. 

retention labels, labels policies, and publish locations
As the above diagram shows: 

A single retention label can be included in multiple retention label policies. Also, a single retention label policy can include multiple retention labels (except auto-apply retention label policies which can include only a single label). 

Retention label policies specify the locations to publish the retention labels. The same location can be included in multiple retention label policies. 

4.2. How to create a retention label policy to publish retention labels

To create a retention label policy to make the labels available in Microsoft apps, follow the steps below:

microsoft retention label policy - publish labels
  • Step 2: In the pop-up dialog box which lists all the labels available for publishing, select the ones you want to publish.

office 365 retention label policy - select labels

scope of microsoft retention label policy
  • Step 4: If you chose Adaptive in Step 3: Click on Add scopes and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the scope types added. Click here to learn more about adaptive scope types, available locations and attributes, and how to configure an adaptive scope. 

    If you chose Static in Step 3: Choose the locations where you want to apply the selected retention labels. 

select publish locations for retention label
  • Step 5: Add a name and description to the policy and review the details.

name and description for retention label policy

review retention label policy
The selected retention labels will be published. For OneDrive and SharePoint locations, published labels are typically available to apply within one or two days. For Exchange and Microsoft 365 Group locations, it can take up to seven days for the published retention labels to appear for users in Outlook (the mailbox should have at least 10 MB of data). 
The following diagrams illustrate how retention labels work: 
1) Labels that need to be applied manually: 

office 365 retention labels

2) Labels that are auto-applied

office 365 retention labels - auto apply
When you edit a retention label or retention label policy, and the label or policy has already been applied to content, the updated settings will be automatically applied to this content as well as any newly identified content.

4.3. How to apply published retention labels

Once the retention labels are published, these can be applied in different Microsoft applications. 
1. End users, as well as administrators, can manually apply retention labels from Outlook and Outlook on the web, OneDrive, SharePoint, and Microsoft 365 Groups. 

Learn how to apply retention labels in Outlook and Outlook on the web

Learn how to apply retention labels in OneDrive and SharePoint

When you publish retention labels to Microsoft 365 Groups location, the retention labels appear in the corresponding SharePoint team site, where one can apply retention labels similar to how they are applied for SharePoint documents. 

2. Administrators can apply a default retention label to all content in a SharePoint library, folder, or document set. Learn how to do this

3. Retention labels can be automatically applied to emails by creating rules in Outlook. Learn how to do this

Even though the main purpose of retention labels is to retain or delete content, they can also be used to simply classify content without turning on any retention actions. For this, you need to choose the option “Don’t retain or delete items” while configuring retention settings for the label (Step 2 under How to create a retention label). For example, you can create and apply a retention label with no actions, and then use that label to find the content later.

A retention label can also be used as a condition in a DLP (Data Loss Prevention) policy. To learn  more about how to use a retention label as a condition in DLP policy, click here.

5. How to create a Microsoft 365 retention policy

To create a retention policy, follow the steps below:
  • Step 1: Open the Compliance admin center and navigate to the Information governance section.

  • Step 2: Select Retention policy-> New retention policy. Enter a name and description.

create microsoft 365 retention policy

microsoft 365 retention policy - scope
  • Step 4: If you chose Adaptive in Step 3: Click on Add scopes and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the scope types added. Click here to learn more about adaptive scope types, available locations and attributes, and how to configure an adaptive scope.  

    If you chose Static in Step 3: In the Locations page, select the locations to be included in the retention policy. 

office 365 retention policy - select locations
  • Step 5: Configure the retention settings according to your organization’s requirements. 

    You can choose to: 
        - Retain the content for a specific period or forever 
        - Retain for a specific period and then delete the content 
        - Delete the content after a specific period 

office 365 retention policy - configure retention settings
  • Step 6: Review the settings and click Submit. Your new retention policy will be created.

It can take up to seven days for the retention policy to be applied.  

microsoft 365 retention policy to take effect

6. Preservation Lock to restrict changes to retention policies and retention label policies

Preservation Locks can be used to restrict changes to retention policies and retention label policies. A Preservation Lock locks a retention policy or retention label policy so that no one—including a global admin—can turn off the policy, delete the policy, or make it less restrictive. Preservation Locks can be enabled only via PowerShell; enabling this feature is not available in the UI to prevent accidental configuration. Learn how to lock a retention policy or retention label policy using PowerShell

7. The principles of retention: What takes precedence

Unlike retention labels, more than one retention policy can be applied to the same content. Additionally, the same content can also be subject to a retention label. In such situations where an item can be subject to multiple retention settings that could conflict with each other, the outcome is determined by the principles of retention.  
Here is a flowchart by Microsoft that shows how retention conflicts are resolved using the principles of retention. This will help to determine which policies take precedence over the others so that administrators do not have to worry about one policy setting overwriting the others.  

office 365 retention policy: principles of retention

To learn more about how retention conflicts are resolved along with relevant examples, refer to the Microsoft documentation.

8. Limitations of using Microsoft 365 retention policies and labels as a backup solution

While the native retention settings offered by Microsoft are helpful in retaining your data for regulatory compliance, they do not serve as a backup solution. Many organizations believe that they can leverage Microsoft retention policies and retention labels to back up critical data. This is a dangerous misconception that can place a company’s data at risk. Here are the limitations associated with using retention policies and labels as an alternative to backup:
  • Retained data counts towards your Microsoft 365 storage quota. Each user has a limited storage available. If you delete data to stay within the storage limit, the deleted data cannot be recovered.

  • Retention policies and legal holds are part of the Microsoft Compliance Center which is only available in senior E3 and E5 plans, that are priced higher than Microsoft (Office) 365 Business plans.

  • Retention policies and labels do not cover all the data within Microsoft 365 apps: - For SharePoint and OneDrive: SharePoint membership permissions, sharing and access permissions, and site themes and related settings are not retained. - For Exchange Online: Calendar items, tasks that do not have an end date configured, and themes and related settings are not retained

  • A maximum of 10,000 policies can be included in a tenant. This maximum number includes the different policies for retention, and other policies for compliance such as policies for DLP, information barriers, eDiscovery holds, and sensitivity labels. Within this 10,000 policies limit, there are also limits on the maximum number of policies for retention per workload: 
    -Exchange (any configuration): 1,800 
    -SharePoint or OneDrive: (all sites automatically included): 13 
    -SharePoint or OneDrive (specific locations included or excluded): 2,600 

    There are also limits on the maximum number of items per policy. Learn more 

  • Unlike third-party cloud backup tools, retention policies and retention labels lack automated recovery features. In the event of data loss, retained data can only be exported offline and need to be restored manually. Restoring a large amount of data will require a lot of manual effort and time.

  • Data belonging to deleted user accounts are not retained, so if you need to retain data of employees who left the company, you must continue paying Microsoft for the user licenses.

9. Conclusion

Retention policies and labels provided by Microsoft are necessary for proactive regulatory compliance, to reduce the risk of litigation or security breaches, and to ensure that users work with only current and relevant content. Nevertheless, they are not designed for the purpose of backup and restore, and therefore, have serious limitations as a backup solution. Third-party cloud backup applications like SysCloud are better options to back up your Microsoft 365 data.  

SysCloud Backup for Microsoft 365 provides automated, secure cloud backup for all your Microsoft 365 apps - Exchange Online, OneDrive, People, SharePoint, Teams, OneNote, Planner, Stream, Whiteboard, Public Folders, and Archived Mailboxes. With SysCloud, administrators can easily recover from accidental deletions or ransomware attacks and identify compliance gaps in the backup archives.  

In this article

  • Retention policies and labels in Microsoft 365
  • How retention settings work with content in place
  • Retention policy vs. retention label
  • Create and apply Microsoft 365 retention labels
  • Create a Microsoft 365 retention policy
  • Preservation Lock to restrict changes
  • The principles of retention
  • Limitations of using retention policies & labels as a backup solution
svg

Start enjoying faster and easier backups, today

Avoid costly data retention gaps and minimize time to recovery with SysCloud's cloud backup.Start 30-Day Free Trial
Certifications
Certifications