Using Security & Compliance Center to manage retention policies
Today I want to discuss retention policies, which can be administered via the Security & Compliance admin center in Microsoft 365 / Office 365. Retention policies exist to protect and/or purge (delete) certain types of information. Some organizations have very strict archive and retention requirements: they must keep data for a set period because a legal or compliance body, or their own corporate policy, says so. For example, in some industries it is necessary to keep certain sets of information for at least 5, 7 or 10 years. So even if a user deletes something from their inbox, for example, we want to be able to retain that information and search for it later, using eDiscovery.
Other organizations have retention policies that say anything older than a certain time frame should not be kept at all.
When working with the Security & Compliance Center in general, I would recommend Office 365 E3 or Microsoft 365 Business subscriptions, both of which are priced at $20.00/user/month at the time of this writing; both contain a very similar and robust set of security and compliance management features.
Let’s take a look.
Find the Security & Compliance link under Admin centers from the left menu.
Under Data governance, pick Retention.
Simply choose Create. You will start by giving it a name and proceeding. By way of example only, we will build a policy that retains content for 5 years from the date it was last modified, and then deletes it thereafter. Keep in mind that your own situation could be completely different.
Now you can begin to build your new policy. Notice, for example, that you can set it up to retain content, to retain and then delete it, or to require no specific retention period at all and simply delete content older than a certain time frame. Be sure you understand your own organization’s requirements before implementing your options.
Next you can choose specific locations to which this policy applies–notice that it can be configured across all the services within Office 365.
However, it should be noted, at the time of this writing, it is not possible to create a policy that will ALSO apply to content in Teams. For whatever reason, when you select Teams channels and chats, it will automatically deselect all other locations for you. Therefore, it may be necessary to build Teams-specific policies alongside your other services (at least for now).
Finally, review the policy settings one more time before you Create this policy.
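The same 5-year retain-then-delete policy, built with Security & Compliance PowerShell instead of the admin center, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession) and an account holding a compliance admin role; the policy and rule names are placeholders, and the Teams-only policy mirrors the caveat above that Teams locations cannot share a policy with the other services.

```powershell
# Added example, not from the original post. Names below are placeholders.
Connect-IPPSSession   # signs in to Security & Compliance PowerShell

# A policy holds the locations; a rule holds what to do with the content.
$policyName = 'Retain5Y-ThenDelete'
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ModernGroupLocation All `
    -Enabled $true

# 5 years = 1825 days, counted from the date the item was last modified.
# KeepAndDelete retains for the whole duration and deletes only afterwards.
New-RetentionComplianceRule -Name "$policyName-Rule" `
    -Policy $policyName `
    -RetentionDuration 1825 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# Teams channel messages and chats need their own policy (see above). Teams
# retention is measured from when the message was created, so no
# ExpirationDateOption is given here.
$teamsPolicy = 'Retain5Y-ThenDelete-Teams'
New-RetentionCompliancePolicy -Name $teamsPolicy `
    -TeamsChannelLocation All `
    -TeamsChatLocation All `
    -Enabled $true
New-RetentionComplianceRule -Name "$teamsPolicy-Rule" `
    -Policy $teamsPolicy `
    -RetentionDuration 1825 `
    -RetentionComplianceAction KeepAndDelete

# Review step: read the settings back and confirm the rule says what you meant
# before relying on it. DistributionStatus shows whether the policy has been
# pushed out to the selected locations yet.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation
Get-RetentionComplianceRule -Policy $policyName |
    Format-List Name, RetentionDuration, ExpirationDateOption, RetentionComplianceAction
```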
This is a very basic example, but it should demonstrate what is possible, and show how easy it is becoming to manage what might otherwise be a nightmare across such a large array of applications and data locations. So you might ask: what happens if two policies conflict with one another? Let’s say you have one policy that protects data for 5 years, and another one that says to delete data after two years. Remember: preservation always wins in these cases, so the data would be kept for 5 years because it is protected. After that time frame passes, it would be deleted, even if the five-year policy did not include instructions to delete the information after that period. Why? Because of the two-year deletion policy: the data is, after all, still older than two years.
Best of luck navigating your own archiving and retention requirements–figuring out what exactly is required for your business, as well as what is possible, is often the hardest part–but implementing it is now a breeze.
Comments (8)
Hello Alex. As always, well done article. Have a few questions for you.
What you are describing above – is it the same as Compliance Management – Retention and Retention Tags capability? I created a Retention Policy and edited some Tags here, but when I check out what you mention in the Security and Compliance option, these policies do not show up. If they are not the same, which one then do we/should we use, or do we need both? It’s a bit confusing.
Second question is, with the Retention Policy in place, I have it running on several users to In-Place Archive any emails from a mailbox that are two years or older. It seems to do some of it, but I notice on the accounts that I still see emails older than two years still in the mailbox. I’ve made sure the policy is enabled on the mailboxes with In-Place Archive on, and I ran the manual command to run ManagedFolderAssistant in PS. Same result. Archives some old emails, but certainly does not pick up all of them.
All email is on cloud, but environment is hybrid 2013 server between Ex2008 and cloud using AD Connect for account and password syncs. The on prem Ex2008 is all but unused at this point and will be retired soon. The Exchange Online plans are Plan 2, so In Place archiving should be working.
Any thoughts are appreciated.
Many thx
DG
You know, I personally like using the security and compliance center because I can apply these policies across all software/services in Office 365, and manage them centrally. If you just want to manage Exchange online with some tags and policies, then that can still be done in the EAC for now. If you have specific rules for Exchange to move certain items into archive or deleted folder clear-out for example, then you can get more granular in the EAC using tags. But for retention & deletion across all the 365 data–this can’t be beat for its simplicity. Sorry it took me some time to get to these–I see you submitted this comment a couple of times while waiting for my reply. I have not had the same issue that you describe with the two year tag not working.
Hi Alex thank you very much for article.
Is it possible to use retention policy in security and compliance to retain and delete the emails, and EAC to archive the older emails to archive mailbox (two policy each from EAC and SAC).
Because in security and compliance, we don’t have option to archive the older emails to archive mailbox.
Thanks.
I agree–I would love to see them add this option to the Security & Compliance center, but right now that is still the EAC. So yes, that is correct–you can create some in SAC for retention/deletion and the others in EAC for now. Maybe they will migrate this to SAC someday also–we’ll keep watching.
Thank You Alex, for your quick and very useful comment.
Can you please also mention the way to check the retention policy on the mailbox?
When i check, it shows only the retention policy, that is applied from EAC to move to archive mailbox and few personal tags, but nothing about the retention policy created in SAC to retain the email for 7 years and do nothing.
Thank You.
I believe the place to see what is applied where is just in the SAC center, under the retention policies. When you select a policy to edit it, you can see the locations it is applied to, and it allows you to pick specific recipients or just apply to all mailboxes. I do not believe there is visibility from EAC on this.
I have found some interesting things with retention policies in S&C.
– For Exchange, the mailboxes never need to have had a license. For example, you might migrate a mailbox from Exchange on-prem, never assign an Exchange Online license, and the policy will apply.
– There is no way to verify that a mailbox has a policy applied (that I have found, and a call to Microsoft confirmed this). The only surefire way is to delete the AD account (in a federated environment). If there is no retention policy the mailbox will be soft deleted. If there is a retention policy it will turn into an Inactive mailbox (e.g. Get-Mailbox -IncludeInactiveMailbox “Joe User” | fl *inactive*).
Once a mailbox is inactive, you know that the policy has applied and that the data will be retained. But it seems pretty risky, someone could remove your policy and suddenly all your inactive mailboxes disappear. Yes you can put on a retention lock but that is a one way ticket. I think a separate retention policy with e.g. 1 year which is locked is a good idea, and then another for your actual requirement e.g. 6 years.
I agree with this. I have also thought that it would be nice to have a policy where we had the option to lock it “for a period of time.” Whether it was just an honest admin mistake or a nefarious attack–if I were targeting an organization and I discovered they were using retention policies the first thing I would do after gaining admin and before initiating some damage for ransom or whatever, would be to remove the policy. But if there were a year lock on that, chances are the compromise would be discovered before the lock ended.
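The two-policy arrangement suggested in the comments above (a locked 1-year safety net beside an unlocked 6-year policy carrying the real requirement), plus the checks for where a policy has been distributed and which mailboxes have become inactive, as an added example that is neither the commenter’s nor the post author’s code. It assumes the ExchangeOnlineManagement module, a compliance admin role for the Security & Compliance cmdlets and an Exchange admin role for Get-Mailbox; the policy names are placeholders.

```powershell
# Added example, not from the original post or comments. Names are placeholders.
Connect-IPPSSession   # Security & Compliance PowerShell

# 1) Short retain-only safety net (365 days, Keep = never delete). This is the
#    policy that will be locked.
New-RetentionCompliancePolicy -Name 'SafetyNet-1Y' -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name 'SafetyNet-1Y-Rule' -Policy 'SafetyNet-1Y' `
    -RetentionDuration 365 -RetentionComplianceAction Keep

# 2) The actual requirement (6 years = 2190 days), left unlocked so it can
#    still be adjusted when the requirement changes.
New-RetentionCompliancePolicy -Name 'Requirement-6Y' -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name 'Requirement-6Y-Rule' -Policy 'Requirement-6Y' `
    -RetentionDuration 2190 -RetentionComplianceAction Keep

# 3) Lock the safety net. Preservation Lock is irreversible: once set, nobody,
#    admins included, can disable, delete, or loosen the policy, only extend it.
#    Read the rule back first so you lock exactly what you intended.
Get-RetentionComplianceRule -Policy 'SafetyNet-1Y' |
    Format-List Name, RetentionDuration, RetentionComplianceAction
Set-RetentionCompliancePolicy -Identity 'SafetyNet-1Y' -RestrictiveRetention $true -Confirm

# 4) Confirm the lock took and see where each policy has been pushed. This is
#    the policy-side view; it lists configured locations and distribution
#    status, not a per-mailbox confirmation.
Get-RetentionCompliancePolicy -DistributionDetail |
    Format-Table Name, Enabled, RestrictiveRetention, DistributionStatus

# 5) A mailbox whose account was removed while a retention policy covered it
#    becomes an inactive mailbox instead of being purged. Listing them is the
#    after-the-fact check described in the comment above.
Connect-ExchangeOnline   # Get-Mailbox lives in the Exchange Online session
Get-Mailbox -InactiveMailboxOnly |
    Format-Table DisplayName, WhenSoftDeleted, InPlaceHolds
```

InPlaceHolds lists the hold identifiers applied to the mailbox, which includes retention policies, so an inactive mailbox with an empty InPlaceHolds is worth investigating.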