Microsoft 365, information governance & retention

In our discussions with our customers, one of the most common questions that arise is “Do I need to back up my Office 365 data?”.

While this blog is not written to answer that question, my next post might attempt to, one of the key services in the Microsoft 365 platform to reduce or remove the requirement for a 3rd party back solution is retention.

Information Governance

According to the Microsoft documentation:

Information Governance helps organizations manage their risk through discovering, classifying, labelling, and governing their data. Information Governance lets organizations meet business and regulatory requirements as well as reduce their attack surface by providing retention and deletion capabilities across their Microsoft 365 and third-party data.

In clearer English, retention allows us to tag our content to ensure that critical data is secured from deletion for a specified period of time, and/or deleted automatically based on a rule we can define. We often discuss retention as (part of) an alternative to a backup solution though the approach is different, i.e., ensuring that our critical data cannot be deleted, as opposed to being able to recover it when it has been.

Retention configuration and administration is part of the Compliance Administration Centre and is located within the Information Governance section of the 365 Administration Portal. Like much of the Security and Compliance area of 365, this has been under considerable development over the last couple of years. Considering the fact that retention is two separate tools, probably developed independently by two distinct teams in Microsoft, it can mean that the configuration can seem a little confusing at first. The two tools have almost the same options in terms of the retention settings available but are applied to content in a different way and behave differently when handling the lifecycle of documents.

The two tools, both now configured in the same section of the Administration Centre, are called Retention Policies and Retention Labels. The key features of each are:

Retention Policies

• Can be published to most areas of 365 such as Exchange, SharePoint, OneDrive, 365 groups, Skype for Business, Teams and Yammer. (Though not all at the same time, publishing to Teams excludes any other option).
• A policy defines a retention setting and a set of locations. While a location may have multiple policies in effect, only one can take effect, so we need to know the principles of retention to understand the end result.
• Once published to a location, the policy is transparent to users and is applied automatically, no user interaction is required.
• Can retain (prevent deletion) or delete content based on creation or editing dates.
• Retained content that is deleted by users appears to be removed but is in fact moved to a separate location from which it cannot be removed until released by the policy.
• Recovering specific items, especially when large quantities have been deleted, can be complex.

Retention Labels

• Multiple labels can be defined, each with an individual configuration of retention which has a few more options than a retention policy.
• Labels can be grouped together and published to some areas of 365, currently, only Exchange, SharePoint, OneDrive and 365 groups are possible. Publishing labels, essentially applying a set of labels to a set of locations creates a Label Policy, not to be confused with a Retention Policy.
• Any location can have many labels published to it.
• Users can choose labels manually and apply them to content in the location where they are published, however for a compliant information governance process to work, labels should be applied automatically.
• Content protected by a label cannot be deleted, users attempting this will receive a pop-up message informing them that the content is protected by a label.
• Users can manually change labels or remove them unless the label is designated as protected, in which case only a more secure label can be applied, not a less secure one.

Over the last couple of years, the focus of the Microsoft development teams has been primarily on the Unified Labelling system, of which retention labels are a key component. We can also see that many components of Retention Policy management have the older legacy user interface. While it is almost certain that retention policies will be updated further, it is likely that the newer Unified Labelling systems are the future with regard to information governance.

Principals of Retention

If a situation arises where content is subjected to two different rules, the principles of retention determine the outcome. These are tested in order until a result can be applied.

1. Retention wins over deletion.
2. The longest retention period wins.
3. Explicit wins over implicit for deletions (a label applied to a document will win over a policy applied to a site).
4. The shortest deletion period wins.

License Requirements

All Office and Microsoft 365 SKUs include components of both retention services, though there are major differences in the potential application, particularly with labels. The following list is not exhaustive but covers the major features and license requirements for each.

For the full list of license options see the Microsoft documentation here.

A3

• Automatically apply labels for sensitive information types.
• Automatically apply labels for keywords.
• Automatically apply labels for content type.
• Automatically apply labels for metadata values.
• Start the retention period based on a custom event, for example, commence a 5-year retention of a board members mailbox after they leave the organisation.
• Declare an item as a record, which in effects make the item immutable for the entire retention period.
• Allow disposition reviews of items when their retention period ends.

SharePoint Syntex Add-On SKU

• Automatically apply labels based on AI trained classifiers.

This recently released service is clearly an indication of the future of data classification. For more details see the Microsoft documentation here.

Note: The Microsoft documentation clearly states that these features require an A3 license. Blogs and presentations often discuss this discrepancy, yet they appear to be fully available in an A1 subscription. Whether this fact will continue in the future is unknown.

Information Governance can only succeed if the process is automated, and the truth is, asking users to remember to label their content appropriately is not reliable enough. Historically, labelling automatically would only work well in a well architected document management system as structured data was an essential prerequisite. The arrival of AI and machine learning with trainable classifiers will almost certainly allow retention-based Information Governance to identify content no matter where it is and how it is tagged with metadata, therefore simplifying the process for administrators.

Recommendations

For organisations looking at implementing Information Governance using retention in Microsoft 365, our recommendations and key points are:

1. Define your information governance policy. It might seem obvious, but still comes up in consultancy sessions. You cannot implement a policy if you have not defined what it is first.
2. Keep it simple. A policy with 100s of permutations is going to be unworkable.
3. Start small. Target the most important content first.
4. Structure your data. Automation is effective and getting better all the time, but even the best implementation is going to struggle if all your data is effectively thrown into a large bucket.
5. Increasing regulation is making Information Governance ever more essential. It cannot be avoided for ever, and it is going to cost money, either through uplifting license costs or resource for implementation and management.
6. It is going to affect users, while automation and technology can minimise that, as always, we need to remember that this is also a people management problem. Training and transparency are key.