Lead Image © stokkete, 123RF.com

Lead Image © stokkete, 123RF.com

Retention labels in Office 365

Keeping Order

Article from ADMIN 58/2020
The Office 365 Security & Compliance Center provides a unified interface for managing policies and security settings, including retention labels, which specify how data is handled for compliance with internal policies, data protection laws, and tax legislation.

The Office 365 Security & Compliance Center (OSCC) serves up numerous functions through a uniform URL that were previously scattered throughout the Office 365 world [1]. Although OSCC works with all Office 365 plans, not all features are supported by all plans [2]. Most of the functions I will look at here are available starting in enterprise plan E3, but some of them start from E5.

Microsoft is in the process of splitting the OSCC into two centers: the Compliance Center and the Security Center, each with their own ports of entry [3] [4]. These centers offer more functions and are more clearly arranged. However, OSCC offers the most features under one roof.

Authorizations Structure

The global admin has access to all centers, but you have to grant access to other accounts first – typically for employees who are responsible for compliance or corporate security. You can assign these people the required authorizations with a high level of granularity. The OSCC link bar has a Permissions item at the top that shows the assignable roles; clicking on them lets you edit the role and add the corresponding members. It is interesting that even a global administrator is not allowed to do everything. For example, although you can start a global search with electronic discovery (eDiscovery ), you only see the result set for the search, not the content. Only members of the eDiscovery Manager role group, which is not populated by default, can read this content. You can find more information about authorizations and eDiscovery online [5].

Compliance is not a primary task for administrators, and it's conceivable that a technical employee like an admin is the wrong person for the job. Ideally, you would want to introduce the Compliance Manager role, which may or may not be someone from IT. Implementing compliance rules and perhaps even monitoring them are typical tasks for an IT administrator, but that's about it. Defining the rules typically is an interdisciplinary sectional task for a Compliance Manager, who liaises between all departments or process stakeholders with data that is subject to compliance. The Compliance Manager drafts the rules, whereas IT implements them and monitors them jointly with the Compliance Manager.

For proper administration, managing rules for an enterprise (think data hygiene) can be a full-time job. Unfortunately, many companies have given too little consideration to this task thus far, although this situation is likely to change because of legal regulations and increases in attacks. If you do not yet have a person with responsibility for compliance, you might want to start setting up an appropriate team as soon as possible.


Each information item in Office 365 can be assigned a label that is defined by an internal policy. Automatic actions are then linked to this label. A label can only contain one option at any given time (Figure 1). For example, if you have multiple policies for deleting documents or email, only one policy is applied to a document or email at any time. At the same time, the document could have a second label (e.g., Confidentiality ). At any time you can change the labels, provided you have the appropriate authorization. Labels can also be assigned automatically, and functions can examine the content of documents or email and react to them.

Figure 1: This retention label specifies that this element is kept in the enterprise for 10 years and is then automatically deleted.

OSCC also contains many functions from other services that are related to security and compliance. One example is tracking email from Exchange; others will follow, says Microsoft. Basically, the functions in the center can be roughly divided into four areas: security, data hygiene, reports/notifications, and search. These functions go hand in hand and support each other. For example, automatic deletion or archiving of elements based on a label can be both a security function and, in the area of data hygiene, ensure a lower volume of data in the system overall. Because the scope of the functions in OSCC is enormous, I will only deal with the features for automatic storage and deletion in this article.

Retention Labels and Events

A retention label relates to the life cycle of a document or email as it is created, released, changed, deleted, or archived. An email is sent or received and deleted or archived. You can react to most events and assign a corresponding label.

It is also possible to react to events within an organization – for example, when an employee leaves. When this happens, all documents the employee has created and that do not yet have a label can be tagged automatically for deletion years later. A retention label can be assigned manually or automatically. A manually assigned retention label for specific end-user content cannot be replaced by an automatically assigned label, which requires an E5 plan. As when using other functions in the OSCC, the assignment of labels requires a precise definition of the processes in an organization.

Retention labels is found under the Classification tab of OSCC. If you are familiar with SharePoint, you may already have worked with document locking (Record management ) and policies based on the life cycle of content types. However, these options are no longer available in SharePoint Online. Instead, these and other options are now available in OSCC in the form of retention labels. The process by which you make retention labels available to people who want to classify content comprises two steps: create the retention labels, then publish them to the sites you select through policies.

To create a retention label, go to Classifications | Labels in OSCC and click on the Create a label button. In the panel that appears, enter a unique and meaningful name for the new retention label. You can then also enter one description for administrators and another for users. Click Next (the list on the left is apparently only for navigation). On the next page, you can enter retention plan descriptors for a File plan . From this data, labels can be automatically applied to content. If you do not plan to do this, you can leave the fields blank.

Things start to get interesting on the Label settings page. By default, the Retention item is disabled; you might simply want to label an element without any further action. Perhaps you have a workflow that evaluates the labels once a day and then initiates its own actions. In this example, however, I want to activate retention. You have several options, and some of them have layers of submenus. The first option Retain the content lets you set a time period or ensure, among other things, that elements that have been tagged with this label can no longer be deleted permanently, although from the user's point of view, such an item is deleted. Internally, however, it will be moved to a folder that is not visible to the user (for email) or to a separate directory (SharePoint or OneDrive). Note that containers with items for retention cannot be deleted. For example, it is not possible to remove a site collection or mailbox if it contains items whose retention period has not expired.

If the Trigger a disposition review option is enabled (previously only available for SharePoint and OneDrive content), the email address you specify will receive a message before final deletion. An appropriate authority can then decide whether or not the item should be deleted. If you receive no response to the email, the item will be deleted at the end of the specified period. For this process, it is recommended that you use a service account and not a user account. This account must of course be a member of the appropriate groups. Only a service account can be assigned rules and routed in Exchange. Because even a global admin is not allowed to read what will be deleted, the service account and the corresponding employees must belong to the appropriate groups. The second option Don't retain the content. Just delete it if it's older than is simple and does exactly what it says.

The item Retain or delete the content based on is a separate item, even if it does not appear to be on the page. This section is where you specify when the time limits start to run. The first three items in this drop-down menu are clear, but the last item is rather complex. As already mentioned, you can react to an event within an organization. From the drop-down, select an event then click Choose an event type . Note that this option is not always available, the dialog will inform you accordingly. If you have not yet created an event type, click on Create new: Event type . Assign a name such as Employee left and finish the event type. Select the newly created event type and add it. What exactly this event type does is defined later in another dialog.

As a last resort, you can classify an element as a data record. Elements that are labeled in such a way can be neither deleted nor changed. However, the metadata can still be edited, which means that the classification can be changed again later, allowing the content to be deleted or changed. Once you have selected all the settings, review them and then complete the process.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>


		<div class=