Section 9 – Manage data retention in Microsoft 365 workloads

First of all, if you don’t have E5, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs.

Governing Your Data with Microsoft

Keep what’s important, delete the rest:

  • Data Lifecycle Management (DLM): Organize, store, and classify data to keep what you need and delete what you don’t.
  • Records Management: Automate retention for legal and business-critical records, ensuring their immutability.

Key benefits:

  • Simplified administration: Manage data consistently across Microsoft 365 and beyond with centralized policies.
  • Automated efficiency: Reduce manual effort with organization-wide, self-acting governance policies.
  • Flexible control: Customize retention with triggers (e.g., employee departure) and assign reviewers for end-of-retention decisions.

Create and apply retention policies for SharePoint and OneDrive

| Feature | Supported Content | Unsupported Content | Notes |
|---|---|---|---|
| Retention Policy | All files in document libraries (including automatically created ones) | List items (except for system lists) | Applicable to active and archived SharePoint sites. Does not apply to organizing structures (libraries, lists, folders). Requires indexed SharePoint sites for application. Excluding items from search results doesn’t affect retention settings. |
| Retention Label | All files in document libraries (including automatically created ones) | List items (except for system lists) | Applicable to active and archived SharePoint sites. Can exclude specific libraries using queries with auto-apply policies. Does not apply to organizing structures (libraries, lists, folders). Requires indexed SharePoint sites for application. Excluding items from search results doesn’t affect retention settings. |
| Retention Label (Only) | All files at the root level (not in a folder) | | Applicable to active and archived SharePoint sites. Can exclude specific libraries using queries with auto-apply policies. Does not apply to organizing structures (libraries, lists, folders). Requires indexed SharePoint sites for application. Excluding items from search results doesn’t affect retention settings. |

Additional Notes on Retention Label Behavior with Document Attachments:

| Label Type | Attachment Inheritance |
|---|---|
| Standard | No inheritance, can be labeled separately |
| Record | Inherits settings if not already labeled |

Preservation Hold Library in SharePoint and OneDrive

Purpose:

  • Stores copies of files for compliance reasons when:
    • Retention policy or label is applied.
    • User modifies or deletes a file subject to retention.
  • Not intended for user interaction (editing, deleting, moving).
  • Accessed through compliance tools (eDiscovery).

Functionality:

  • Copies original content upon:
    • User modifying a file subject to retention (policy or record label).
    • User deleting any file subject to retention.
  • Periodically deletes content from the library:
    • After 30 days in the library.
    • If content is:
      • Older than configured retention period.
      • Not awaiting legal review.
  • Applies to:
    • Existing content when retention settings are applied.
    • New content added to a site with a retention policy.
    • All versions of a file (if versioning is enabled).

User Interactions:

  • Users cannot delete:
    • Library, list, folder, or site subject to retention.
    • Labeled item unless:
      • Records management setting allows deletion (configurable).
      • Item is unlocked (for record labels marking items as records).

Content Paths:

  • Retain and Delete:
    • Modified content: Preserved in PHL and original location (until deletion by timer job).
    • Deleted content: Preserved in PHL only.
  • Retain Only:
    • Modified/deleted content: Preserved in PHL (original location not affected).
  • Delete Only:
    • Content deleted from original location and not preserved in PHL.

Retain and delete time frame

To ensure better data protection and avoid accidental data loss, content from the Preservation Hold library will no longer be permanently deleted directly. Instead, all content previously subject to permanent deletion will now be sent to the second-stage Recycle Bin, providing an additional opportunity for recovery if needed.

See here for the guidance on creating Retention policies

And here for M365 Copilot

Content Retention When Users Leave the Organization

SharePoint:

  • No impact: Content created by a departing user remains accessible due to SharePoint’s collaborative nature, unlike personal storage like OneDrive or mailboxes.

OneDrive:

  • Retention settings apply: Files with assigned retention policies or labels remain subject to those settings even after the user leaves.
  • Continued access and discovery: During the retention period, these files retain:
    • Sharing permissions: Existing access for other users remains unchanged.
    • Searchability: Content remains discoverable through tools like Content Search and eDiscovery.
  • Deletion after retention: Upon reaching the designated period, if the settings include deletion:
    • Content moves to Recycle Bin: Files are not permanently deleted but moved to the Site Collection Recycle Bin.
    • Limited access: Only admins can access the Recycle Bin for potential recovery.

Copilot:

  • Mailbox deletion: If a user’s Microsoft 365 account is deleted, their Copilot messages subject to retention are stored in an inactive mailbox.
  • Retention policy: These messages remain subject to the same retention policy applied before the mailbox was inactivated.
  • eDiscovery access: The contents of the inactive mailbox, including Copilot messages, are still discoverable through eDiscovery searches.

Create and apply retention policies for Microsoft 365 groups

Microsoft 365 Groups: Key Points

  • Purpose: Foundational service for collaborative work across Microsoft 365.
  • Function: Provides shared resources (e.g., mailbox, calendar, document library) to a group of users.
  • Permission management: Automatic, based on group membership.
  • Group creation: Limited to global admins, user admins, and group admins in the Microsoft 365 admin center.
  • Delegated admins: Cannot create or manage groups.

You can open the Retention policies from https://purview.microsoft.com/datalifecyclemanagement/retention


Impact of Deleting a Microsoft 365 Group with Retention Policy

Scenario:

  • A Microsoft 365 group has a retention policy (static or adaptive) applied.
  • The group is then deleted from Microsoft Entra ID.

Consequences:

  • SharePoint site:
    • Preserved: Remains active and managed by the retention policy (Microsoft 365 Group mailboxes & sites location).
    • Access: Existing user access remains unchanged. New permissions require SharePoint management.
    • Exclusion from policy: Currently not possible due to deleted group reference.
    • Policy release: Contact Microsoft Support (e.g., via Microsoft 365 Admin Center) to release the policy from the site if needed.
  • Group mailbox:
    • Becomes inactive: Retains functionality but cannot receive new emails.
    • Retention: Remains subject to the applied retention policy (similar to SharePoint site).
    • Reference: See “Inactive mailboxes in Exchange Online” for more information.

Create and apply retention policies for Teams

Teams message data is stored in the following mailboxes, listed by their RecipientTypeDetails attribute:

  • UserMailbox: These mailboxes store message data for Teams private channels and cloud-based Teams users.
  • MailUser: These mailboxes store message data for on-premises Teams users.
  • GroupMailbox: These mailboxes store message data for Teams standard channels.
  • SubstrateGroup: These mailboxes store message data for Teams shared channels.

Retained with Teams Retention Policies:

  • Text content of messages (chats, channels, private channels)
  • Video clips
  • Embedded images
  • Tables
  • Hypertext links
  • Links to other Teams messages and files
  • Card content
  • Participant names (chats and private channels)
  • Team name and message title (channel messages, if provided)
  • Call data records (system-generated meeting/call metadata)
  • Some control messages (same types as Microsoft Teams Export APIs)

Not Retained with Teams Retention Policies:

  • Code snippets
  • Recorded voice memos (Teams mobile client)
  • Thumbnails
  • Announcement images
  • Reactions (emoticons)
  • Emails used with Teams
  • Files used with Teams (separate retention policies apply)
  • Teams meeting recordings and transcripts from user chats (separate user OneDrive policy needed)

Teams Message Retention Summary

Edited/Deleted Messages:

  • Copied/Moved to SubstrateHolds folder during retention period.
  • Deleted messages not immediately moved (wait up to 21 days).
  • Permanently deleted after retention period and next timer job (1-7 days).

Non-Deleted & Edited Messages:

  • Moved to SubstrateHolds folder after retention period expires (1-7 days delay).
  • Permanently deleted from SubstrateHolds after at least 1 day and next timer job (1-7 days).

Create and apply retention policies for Viva Engage (Yammer)

What’s Retained and What’s Not

Retained with Viva Engage Retention Policies:

  • Text content of messages (user messages, community messages, storyline posts)
  • Hypertext links
  • Links to other Viva Engage messages

Not Retained with Viva Engage Retention Policies:

  • Reactions (emoticons)
  • Files used with Viva Engage (separate retention policies apply)

Viva Engage Retention and eDiscovery

Searchable Messages:

  • Messages remain searchable by eDiscovery tools until permanently deleted from the SubstrateHolds folder.

Deletion Communication:

  • Upon retention expiry, messages are moved to SubstrateHolds and marked for deletion in both the Viva Engage service and client app.
  • Short delays might occur due to communication or caching, causing users to see messages they shouldn’t.

Inter-Organizational Retention:

  • When a message is deleted due to one user’s retention policy, it disappears for all conversation participants, even if they have:
    • Longer or no retention policies assigned.
  • For such users, copies of the message:
    • Remain in their mailboxes.
    • Stay searchable by eDiscovery.
    • Are deleted by another relevant retention policy.


Viva Engage: Users and Retention

Default Policy:

  • Applies to internal users within your organization, not external users.

Applying to External Users:

  • Manually specify their accounts using the “Edit” option for included users.

Azure B2B Guest Users:

  • Currently not supported.

User Leaving the Organization:

  • Their Viva Engage messages subject to retention are stored in an inactive mailbox.
  • Messages remain subject to the applied retention policy.
  • Content is discoverable through eDiscovery.

User Files:

  • Refer to the equivalent section for SharePoint and OneDrive.

Important Note

Selecting Users for Retention Policy:

  • When choosing users for the “Viva Engage user messages” location using the “Edit” option, you might see guests and non-mailbox users.
  • Do not select these users as retention policies are not designed for them and will not function correctly.

Create and apply retention policies for Exchange Online

What can be retained in Exchange using retention policies

Supported:

  • Mail messages: received, drafts, and sent (including attachments)
  • Tasks: with an end date
  • Notes

Partially Supported:

  • Calendar items:
    • Supported for retention policies (with end date)
    • Not supported for retention labels

Unsupported:

  • Contacts
  • Tasks and calendar items: without an end date
  • Other mailbox items: Skype and Teams messages (use their own retention policies)

Additional Notes:

  • Mailboxes need at least 10 MB of data for retention settings to apply.
  • Retention labels can only be published to mailboxes that meet the size requirement.

Deleted and Expired Items in Exchange Mailboxes

When an item is:

  • Modified or permanently deleted: (SHIFT+DELETE or Deleted Items)
    • It’s moved (copied for edits) to the Recoverable Items folder.
    • A timer job periodically checks this folder and permanently deletes expired items within 14-30 days (configurable).
  • Not modified or deleted during its retention period:
    • The same timer job periodically checks all mailbox folders.
    • Expired items are permanently deleted within 14-30 days (configurable) after the retention period ends.

Note: The default retention period for the Recoverable Items folder is 14 days, but it can be extended up to 30 days.

User Leaves Organization and Mailbox Retention

Scenario:

  • A user departs.
  • Their mailbox has a retention policy applied.
  • User’s Microsoft 365 account is deleted.

Outcome:

  • Mailbox becomes inactive.
  • Content remains subject to the existing retention policy.
  • Content remains discoverable through eDiscovery.

Important Note:

  • Inactive mailboxes are not automatically deleted even after data is permanently deleted or the retention period expires.
  • An Exchange admin must manually delete the inactive mailbox when retention settings no longer apply.

Apply mailbox holds in Exchange Online

Mailbox Retention Hold: Pause, But Don’t Stop

Placing a mailbox on retention hold does not delete emails, but it pauses the automatic deletion based on retention policies. This is useful for temporary situations like user vacations.

During hold:

  • Users can still access and modify their mailbox.
  • Deleted items exceeding the retention period disappear from search results.

For legal holds and permanent preservation, use:

  • Litigation Hold: Preserves all mailbox content.

Remember, retention hold is temporary, and emails will be deleted after the hold is lifted and the retention period expires.

Comparing In-Place Hold and Litigation Hold in Exchange

In-Place Hold:

  • Granular control: Allows precise hold based on specified criteria (queries).
  • Multiple holds: Enables placing multiple, independent holds on a mailbox.

Litigation Hold:

  • All-encompassing hold: Places the entire mailbox content on hold.
  • Optional duration: Allows setting a hold period for items based on their creation/receipt date.

Concurrent Holds:

  • Combined hold: If both holds are applied simultaneously without a duration for Litigation Hold, items are held indefinitely or until holds are removed.
  • Removing Litigation Hold: When Litigation Hold is removed but In-Place Holds remain, items matching the In-Place Hold criteria are held for their specified duration.

In essence, In-Place Hold offers greater flexibility for targeted holds, while Litigation Hold serves for encompassing legal holds. When used together, their behavior depends on the configured duration for Litigation Hold.
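
The hold states described above can be read back from each mailbox. The following read-only audit is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module and an account that can run Get-Mailbox.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: read-only report of the hold state of every mailbox.
Connect-ExchangeOnline -ShowBanner:$false

function Get-MailboxHoldReport {
    param(
        # Also return inactive mailboxes (account deleted, content still retained).
        [switch]$IncludeInactive
    )
    $params = @{ ResultSize = 'Unlimited' }
    if ($IncludeInactive) { $params.IncludeInactiveMailbox = $true }

    Get-Mailbox @params | ForEach-Object {
        [pscustomobject]@{
            Mailbox              = $_.PrimarySmtpAddress
            Type                 = $_.RecipientTypeDetails
            Inactive             = $_.IsInactiveMailbox
            # Retention hold only pauses automatic deletion; it is not a legal hold.
            RetentionHold        = $_.RetentionHoldEnabled
            RetentionHoldEnds    = $_.EndDateForRetentionHold
            # Litigation Hold places the entire mailbox content on hold.
            LitigationHold       = $_.LitigationHoldEnabled
            # 'Unlimited' means items are held until the hold is removed.
            LitigationDuration   = $_.LitigationHoldDuration
            # Holds applied to this mailbox are listed here by GUID.
            InPlaceHoldCount     = @($_.InPlaceHolds).Count
            DeletedItemRetention = $_.RetainDeletedItemsFor
        }
    }
}

$report = Get-MailboxHoldReport -IncludeInactive

# Retention hold is on, but no Litigation Hold or mailbox-level hold is listed:
# deletion is paused here, and resumes as soon as the hold is lifted.
$report |
    Where-Object { $_.RetentionHold -and -not $_.LitigationHold -and $_.InPlaceHoldCount -eq 0 } |
    Format-Table Mailbox, RetentionHoldEnds, DeletedItemRetention -AutoSize

# Litigation Hold without a duration: content is held indefinitely.
$report |
    Where-Object { $_.LitigationHold -and "$($_.LitigationDuration)" -eq 'Unlimited' } |
    Format-Table Mailbox, Type, Inactive -AutoSize

# Inactive mailboxes, which an Exchange admin has to remove manually
# once retention settings no longer apply.
$report | Where-Object Inactive | Format-Table Mailbox, LitigationHold, InPlaceHoldCount -AutoSize
```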

Placing a mailbox on In-Place Hold

And how to disable In-place Hold

Implement Exchange Online archiving policies

Default MRM Policy tags

What is it?

  • A pre-defined policy named “Default MRM Policy” that manages email lifecycles.
  • Automatically applied to:
    • New users in Exchange Online.
    • Mailboxes with newly created archives in on-premises environments.

Is it customizable?

  • Yes, you can change the policy applied to a user at any time.

| Name | Type | Retention age (days) | Retention action |
|---|---|---|---|
| Default 2 years move to archive | Default Policy Tag (DPT) | 730 | Move to Archive |
| Recoverable Items 14 days move to archive | Recoverable Items folder | 14 | Move to Archive |
| Personal 1 year move to archive | Personal tag | 365 | Move to Archive |
| Personal 5 year move to archive | Personal tag | 1,825 | Move to Archive |
| Personal never move to archive | Personal tag | Not applicable | Move to Archive |
| 1 Week Delete | Personal tag | 7 | Delete and Allow Recovery |
| 1 Month Delete | Personal tag | 30 | Delete and Allow Recovery |
| 6 Month Delete | Personal tag | 180 | Delete and Allow Recovery |
| 1 Year Delete | Personal tag | 365 | Delete and Allow Recovery |
| 5 Year Delete | Personal tag | 1,825 | Delete and Allow Recovery |
| Never Delete | Personal tag | Not applicable | Delete and Allow Recovery |

Manage Email Lifecycle in Exchange Online

  • Retention tags: Define how long to keep emails (e.g., delete after 7 years).
  • Retention policy: Group tags to apply specific retention settings to users.
  • Apply policy: Assign the policy to user mailboxes to enforce retention rules.

How to create policies

And to apply the policies
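
The three steps above (tags, policy, apply) in Exchange Online PowerShell. This is an added example, not from the original post; the tag names, policy name and mailbox address are hypothetical placeholders, and the ages mirror two rows of the default tag table.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example; every name below is a hypothetical placeholder.
Connect-ExchangeOnline -ShowBanner:$false

$policyName = 'Example - Archive 2y and Delete 1y'
$mailbox    = 'user@example.com'

# 1. Retention tags: one default policy tag (Type All) and one personal tag.
$tags = @(
    @{ Name = 'Example Default 2 years move to archive'
       Type = 'All'; AgeLimitForRetention = 730; RetentionAction = 'MoveToArchive' },
    @{ Name = 'Example Personal 1 year delete'
       Type = 'Personal'; AgeLimitForRetention = 365; RetentionAction = 'DeleteAndAllowRecovery' }
)
foreach ($t in $tags) {
    # Create the tag only if it does not exist yet, so the script can be re-run.
    if (-not (Get-RetentionPolicyTag -Identity $t.Name -ErrorAction SilentlyContinue)) {
        New-RetentionPolicyTag @t -RetentionEnabled $true | Out-Null
    }
}

# 2. Retention policy: groups the tags.
$tagNames = $tags | ForEach-Object { $_.Name }
if (-not (Get-RetentionPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicy -Name $policyName -RetentionPolicyTagLinks $tagNames | Out-Null
}

# 3. Apply the policy to the mailbox.
$mbx = Get-Mailbox -Identity $mailbox
if ($mbx.ArchiveStatus -ne 'Active') {
    # MoveToArchive tags have nothing to move items into without an archive mailbox.
    Write-Warning "$mailbox has no active archive; the move-to-archive tag will not act."
}
if ($mbx.RetentionHoldEnabled) {
    # A mailbox on retention hold is not processed until the hold is lifted.
    Write-Warning "$mailbox is on retention hold; tags will not be enforced yet."
}
Set-Mailbox -Identity $mailbox -RetentionPolicy $policyName

# Ask the Managed Folder Assistant to process the mailbox now
# instead of waiting for its next cycle.
Start-ManagedFolderAssistant -Identity $mailbox

# Verify the assignment and the tags linked to the policy.
Get-Mailbox -Identity $mailbox | Select-Object PrimarySmtpAddress, RetentionPolicy
Get-RetentionPolicy -Identity $policyName | Select-Object -ExpandProperty RetentionPolicyTagLinks
```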

Configure preservation locks for retention policies and retention label policies

Currently, adaptive policy scopes don’t support Preservation Lock.

Securing Your Retention Policies

What it does:

  • Locks a retention policy or label, preventing any changes to its settings.
  • Applies to all users, including global admins.

Use cases:

  • Regulatory compliance: Ensures policies meet legal requirements and cannot be accidentally modified.
  • Rogue administrator protection: Secures policies from unauthorized alterations.

Locked policy limitations:

  • Cannot be disabled or deleted.
  • Locations (retention tags associated with the policy) can only be added, not removed.
  • Retention period can only be extended, not decreased.

How to enable?
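
Preservation Lock is set from Security & Compliance PowerShell through the RestrictiveRetention parameter. The script below is an added example, not from the original post; the policy name is a placeholder, and nothing is changed unless `$applyLock` is set to `$true`.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example; '<name of policy>' is a placeholder to replace.
$policyName = '<name of policy>'
$applyLock  = $false   # the lock cannot be turned off again, so it is opt-in

Connect-IPPSSession

# Audit first: which retention policies and label policies are already locked?
Get-RetentionCompliancePolicy |
    Sort-Object Name |
    Select-Object Name, Enabled, RestrictiveRetention |
    Format-Table -AutoSize

$policy = Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction Stop

if ($policy.RestrictiveRetention) {
    Write-Output "'$($policy.Name)' is already locked."
}
elseif (-not $applyLock) {
    Write-Output "'$($policy.Name)' is NOT locked. Set `$applyLock = `$true to lock it."
}
else {
    # After this call the policy cannot be disabled or deleted, locations can
    # only be added, and the retention period can only be extended.
    # Policies that use adaptive scopes do not support Preservation Lock.
    Set-RetentionCompliancePolicy -Identity $policyName -RestrictiveRetention $true

    # Read the setting back to confirm the lock took effect.
    Get-RetentionCompliancePolicy -Identity $policyName |
        Format-List Name, Enabled, RestrictiveRetention
}
```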

Recover retained content in Microsoft 365

SharePoint and OneDrive Deleted Items Retention

Standard Retention:

  • 93 days: Deleted items remain in the site Recycle Bin and the site collection Recycle Bin combined.

Exceptions:

  • Site collection storage quota exceeded: Oldest items are purged automatically.
  • Manual deletion by administrator: Items are permanently deleted.

Additional Notes:

  • Storage usage: Recycle Bin storage counts towards site collection storage quota and list view threshold.
  • Backups: SharePoint Online retains backups for 14 days after deletion.

Recovery options:

  • Within 93 days: Use Recycle Bins.
  • Within 14 days of final deletion: Contact Microsoft Support for backup restore.

Undelete a Team (M365 group) in Microsoft Teams

Restore the Associated Microsoft 365 Group:

Deleted Teams are linked to Microsoft 365 groups. Restoring the group brings back the corresponding Team, including:

  • Tabs
  • Standard channels
  • Private channels and their site collections

Timeframe for Restoration:

By default, deleted Microsoft 365 groups are soft-deleted, meaning they remain recoverable for 30 days.


Recovering Deleted Items in Exchange Online

Recovering Deleted Emails:

  • Admins: Use Single Item Recovery to restore messages purged by users or retention policies, as long as the deleted item retention period hasn’t expired.
  • Users: Recover non-purged items within the deleted item retention period. See:
    • Recover deleted items in Outlook for Windows
    • Recover deleted email messages in Outlook on the web

Retention Period:

  • Default: 14 days (adjustable up to 30 days)
  • Learn more: Change how long permanently deleted items are kept for an Exchange Online mailbox

Advanced Recovery:

  • Admins: Use In-Place eDiscovery to find and export deleted items to a PST file for users to restore. 
  • Standard M365 native data recovery allows restoration within 93 days of deletion.
  • Retention policies do not prevent permanent deletion after the designated retention period.

Closure

Flowchart to determine when an item will be retained or permanently deleted

  • Difference between Retention policy and a label
  • How PHL works in SharePoint and OneDrive
  • M365 Groups
    • Purpose: Foundational service for collaborative work across Microsoft 365.
    • Function: Provides shared resources (e.g., mailbox, calendar, document library) to a group of users.
    • Permission management: Automatic, based on group membership.
    • Group creation: Limited to global admins, user admins, and group admins in the Microsoft 365 admin center.
    • Delegated admins: Cannot create or manage groups.
  • Teams retention Policies work with:
    • Text content of messages (chats, channels, private channels)
    • Video clips
    • Embedded images
    • Tables
    • Hypertext links
    • Links to other Teams messages and files
    • Card content
    • Participant names (chats and private channels)
    • Team name and message title (channel messages, if provided)
    • Call data records (system-generated meeting/call metadata)
    • Some control messages (same types as Microsoft Teams Export APIs)
  • But not with:
    • Code snippets
    • Recorded voice memos (Teams mobile client)
    • Thumbnails
    • Announcement images
    • Reactions (emoticons)
    • Emails used with Teams
    • Files used with Teams (separate retention policies apply)
    • Teams meeting recordings and transcripts from user chats (separate user OneDrive policy needed)
  • Viva Engage retention works with:
    • Text content of messages (user messages, community messages, storyline posts)
    • Hypertext links
    • Links to other Viva Engage messages
  • But not with these
    • Reactions (emoticons)
    • Files used with Viva Engage (separate retention policies apply)
  • Support for EXO
    • Mail messages: received, drafts, and sent (including attachments)
    • Tasks: with an end date
    • Notes
  • And what is partially supported:
    • Calendar items
      • Supported for retention policies (with end date)
      • Not supported for retention labels
  • What is Unsupported
    • Contacts
    • Tasks and calendar items: without an end date
    • Other mailbox items: Skype and Teams messages (use their own retention policies)
  • Difference between In-Place Hold and Litigation Hold in Exchange
  • What are Default MRM Policy tags and how they are defined?

Currently, adaptive policy scopes don’t support Preservation Lock.

Phuuh, that was a long one! I tried a little bit different format this time, hopefully it worked for you all!

Link to main post

Author: Harri Jaakkonen