There are multiple capabilities within the Microsoft 365 suite that allow you to classify content. When looking at content classification, we need to look beyond SharePoint at ways we can build classifiers that work across workloads and types of content. That is what the retention and sensitivity label solutions in Microsoft 365 make possible.
When working with just SharePoint, we have the built-in solutions of content types and columns, but those are limited to content stored in SharePoint. SharePoint also has the ability to manage records, but this functionality hasn’t evolved with the rest of Microsoft 365.
Retention and sensitivity labels are not tied to just SharePoint and have newer use cases that you can take advantage of. With this new technology, there can be confusion about what each of these two solutions is and how you should be using them. In this 2-part series, I will break down the differences and provide go-forward guidance. This first post sets the stage for why we need these types of classifications and what retention labels are. In part 2, we will dive deeper into sensitivity labeling in Microsoft 365 and a crawl-walk-run approach to get started.
Setting the landscape
Data governance within your enterprise is a requirement, and whether you are already in Microsoft 365 or moving there now, it is time to start taking advantage of the solutions that are offered. If you aren’t preparing to manage data governance, you may be swept under by the tidal wave of data, security and compliance changes we as enterprises need to handle.
The statistics in this space are staggering. We are generating more data and accessing it in more locations, which increases the chance of a breach or of being compromised in other ways.
- How are you maintaining security & compliance in Microsoft 365?
- Do you know whether your highly sensitive data is protected from being easily downloaded and uploaded to other cloud services?
- Do you have record and retention requirements through corporate or regulatory policies?
- Do you feel that you could be doing better?
Data Governance in Microsoft 365 – Retention & Sensitivity
The data governance suite is built to help you answer these questions. Retention labels and sensitivity labels are core solutions within this suite. Both fall under the umbrella of classification but play two very different roles. At the top level of Microsoft 365, we now have a unified approach to data governance.
As we know, there are a lot of solutions in the Microsoft cloud, and the vision is to bring the management of security and compliance into centralized solutions and increase automation through intelligence. Emails in Exchange, documents in SharePoint and OneDrive, and chats in Teams are the primary workloads to cover in your data governance plan for sensitivity and retention labeling.
Sensitivity labeling lives within the protection policies, and retention labeling is part of the governance logical structure. We see two different teams internally owning each of these: sensitivity labels are normally owned by the security or SecOps team, while retention labels are managed by the compliance or information management team.
Why is data retention important? Keeping data longer than expected puts you at risk in discovery if there was an expectation it would be removed. If you remove data too soon, you may be non-compliant with policies or regulations.
Retention covers three concepts:
- Retain: keeping a piece of content for a period of time
- Retain & Delete: keep a piece of content and then delete it after a period of time
- Delete: force deletion of content after a period of time, but do not force retaining it.
The most common type of retention I see is email-based retention on a timed interval. For example, someone’s Inbox folder in Exchange could have a 60-day retention policy that deletes after 60 days. This doesn’t actually “retain” anything, in the sense of keeping all data for 60 days, but it will auto-delete content once 60 days have elapsed. This is the concept of a retention policy. Microsoft 365 uses both retention policies and retention labels. There is a principle of retention in Microsoft 365, which overall is that the longest retention always wins.
Retention policies are broad and apply across whole locations, such as:
- Delete all users’ OneDrive files after 7 years
- Retain all Teams chats and channels for 1 year
- Retain all files on a board member SharePoint site forever
Retention labels are specific to the content and can be manually or automatically applied such as:
- Financial contract to be retained for 7 years
- HR personnel file to be retained for 1 year after employee leaves
- Board meeting minutes to be held for 5 years
Different types of content require different types of retention to comply with internal policies or industry regulations. Contracts, tax forms, press materials, and personnel data are all examples of types of content that could require this. Retention labels in Microsoft 365 allow you to bring retention classification down to the per-content level.
There are existing features that have been used for retention-based data governance, including retention tags using MRM in Exchange, and in-place records management and information management policies (IRM) in SharePoint. Retention labels are the evolution of these technologies, and it is recommended to use the unified labels and policies where possible instead of the legacy features.
In practice, a retention label is created in a single spot and can then be applied per piece of content, like a document or email.
Retention labels can be applied:
- Manually by someone
- Automatically, based on the type of information or by default in a folder or document library (note: automation requires enhanced licensing)
Retention labels are created by administrators and deployed via policies to containers or locations such as a SharePoint or OneDrive site collection.
Once labels are available on something like a site collection, a user can use the information panel to select the retention label for a file. This can only be done through the SharePoint, OneDrive or Exchange UI or by a system/automated process, not from within the file by an end user.
Along with the more specific classification capabilities of labels, they can do two other things that a generic retention policy cannot. They can trigger a disposition review at the end of a retention period, and they can start the retention period from a different date, such as when the label was applied. This type of functionality plays into the ability of retention labels to support a records management framework.
Retention labels as records
With retention labels, you can classify content as a “Record” with a single checkbox. Be aware that this is a very powerful checkbox.
Once an item is declared as a record:
- The item can’t be permanently deleted or edited
- The label can’t be changed or removed
- Only site collection administrators in SharePoint can change a record label that was applied to a file
The record capabilities of retention labels are the evolution of the in-place records management and Records Center capabilities in SharePoint. A transition to this solution should be planned if possible. There will not be an easy button for this migration, but when you look at the longevity of records and the long-term capabilities of the cloud, it is logical to identify how this transition could occur.
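The steps described above (create a label, publish it with a policy, auto-apply it by KQL, declare a record), as an added example written in Security & Compliance PowerShell; this is not code from the original post. It assumes the ExchangeOnlineManagement module, a compliance admin role, and placeholder label names, site URL and reviewer address.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds a compliance admin role.
# Label names, the site URL and the reviewer address are placeholders.
Connect-IPPSSession

# 1. "Retain & Delete" label: keep 7 years (2555 days) counted from the date the
#    label was applied (TagAgeInDays), then route the item to a disposition
#    reviewer instead of deleting it silently (single approval level).
New-ComplianceTag -Name "Financial Contract" `
    -Comment "Contracts: retain 7 years from labeling, then review" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType TagAgeInDays `
    -ReviewerEmail "records-team@contoso.example"

# 2. Record label: once applied, the item cannot be edited or permanently deleted
#    and the label cannot be changed or removed by ordinary users.
New-ComplianceTag -Name "Board Meeting Minutes" `
    -RetentionAction Keep `
    -RetentionDuration 1825 `
    -RetentionType CreationAgeInDays `
    -IsRecordLabel $true

# 3. Publish both labels to one site so users can pick them in the information
#    panel. Allow up to a day before they appear in SharePoint.
New-RetentionCompliancePolicy -Name "Finance site labels" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/finance"
New-RetentionComplianceRule -Policy "Finance site labels" `
    -PublishComplianceTag "Financial Contract,Board Meeting Minutes"

# 4. Auto-apply the contract label by KQL match across all SharePoint sites
#    (requires the enhanced licensing mentioned above). A label a user already
#    applied manually is left in place.
New-RetentionCompliancePolicy -Name "Auto-label contracts" `
    -SharePointLocation All
New-RetentionComplianceRule -Policy "Auto-label contracts" `
    -ApplyComplianceTag "Financial Contract" `
    -ContentMatchQuery '"master services agreement" OR "statement of work"'

# Confirm the labels exist and check whether the policies have finished deploying.
Get-ComplianceTag | Select-Object Name, RetentionAction, RetentionDuration, IsRecordLabel
Get-RetentionCompliancePolicy -DistributionDetail | Select-Object Name, DistributionStatus
```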
Need to know for retention labels
- You cannot make a label required
- It can take up to a day for retention labels to appear for users on SharePoint sites
- It can take up to 7 days to appear in Exchange and the mailbox must contain at least 10 MB of data
- Auto-applied retention labels in Exchange are only applied to newly sent emails and not all items in the mailbox
- An item can only have one retention label at a time
- Users can change retention labels unless the label is a “Record”
- Auto-applied labels will not replace the manually assigned retention label
- Auto-application can occur via Keyword Query Language (KQL)
- You can apply labels via other tools such as PowerShell and Flow
- A retention policy cannot delete content that’s on hold for eDiscovery
- Moving a document with a retention label into a library with another default will not remove the old label
- Use the managed property ComplianceTag when working with search and retention labels
- Disposition review is only a single approval level; there is no complex disposition
- Retention labels can be used within a Microsoft Office 365 DLP policy
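The SharePoint side of the notes above (a default label on a library, the ComplianceTag managed property for search, and spotting items that kept an older label), as an added example in PnP PowerShell; this is not code from the original post. It assumes the PnP.PowerShell module, that the label has already been published to the site, and placeholder site URL, library and label names.

```powershell
# Added example, not from the original post. Assumes the PnP.PowerShell module is
# installed and the published label is already visible on the site (allow up to
# a day). Site URL, library name and label name are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance" -Interactive

# Make "Financial Contract" the default label for a library. New items get it
# automatically; -SyncToItems also stamps items already in the library. An item
# that already carries a different label keeps it (see the notes above).
Set-PnPLabel -List "Contracts" -Label "Financial Contract" -SyncToItems:$true

# Read back the library default to confirm it took.
Get-PnPLabel -List "Contracts" -ValuesOnly

# Per-item view: the label name lives in the hidden _ComplianceTag column, so you
# can spot files that were moved in with an older label still attached.
Get-PnPListItem -List "Contracts" -Fields "FileLeafRef", "_ComplianceTag" |
    ForEach-Object {
        [pscustomobject]@{
            File  = $_["FileLeafRef"]
            Label = $_["_ComplianceTag"]
        }
    } | Format-Table -AutoSize

# Tenant-wide view via search: ComplianceTag is the managed property to query.
Submit-PnPSearchQuery -Query 'ComplianceTag:"Financial Contract"' `
    -SelectProperties "Title", "Path", "ComplianceTag" -RelevantResults |
    Select-Object Title, Path, ComplianceTag
```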
In Part 2 of this series about labeling in Microsoft 365, we will dive into sensitivity labels and how they relate to retention labels. Then we will start breaking down some ideas on how to get started with labeling in Office 365.