Event banner
Event details
109 Comments
- Can you elaborate on how deletion policies work for objects other than files in a SPO site? According to the documentation a policy that deletes after x-years would be applicable to all objects, however experience shows, that it only really works for files. Other objects like list items seem to be not really affected by the policy.
Brendon LeeMicrosoft
Hey Sebastian! The documentation at this location explains this pretty well: https://docs.microsoft.com/en-us/microsoft-365/compliance/retention-policies-sharepoint?view=o365-worldwide#whats-included-for-retention-and-deletion Basically, list items (except those in system lists) can have labels applied to them, but are not affected by retention (container-based) policies.- Thanks Brendon, one quick follow up to this. How about SharePoint pages (.aspx files) under Site Pages. Would they be included in a retention policy?
- When labelled content is approved for deletion at the end of its retention period, are there ways of limiting the 93 days it spends in SharePoint Online's first- and second-stage recycle bins? For public organizations responsive to FOI requests, any content approved for disposition should ideally be destroyed promptly, or at least remain retrievable through eDiscovery while it awaits deletion. As I understand, the recycle bins cannot be searched using Core or Advanced eDiscovery.
- Brendon LeeHey Lian, Once the item is in the first or second stage recycle bins, you can purge them manually. You may be able to programmatically do this as well with PnP or SharePoint CSOM APIs. I would also recommend submitting a Design Change Request (DCR) through support to suggest that items are permanently deleted following a disposition review process.
- Can you please explain how the expiration status and date for an item with a retention label can be shown in a view for the library in SharePoint. i.e. is there a column that can be added to a view? Or is there a property that can be made searchable? Scenarios where this would be useful are users wanting to create views to see what content it due to be disposed soon. The information is visible if you click into the compliance details for an individual item. Or a custom search query to find all items due for expiration across multiple sites. This is different from using disposition review, which is likely to only be given to a limited number of users.
- Brendon LeeHey Dave! There's currently no out of the box way to do this. However, you could likely create a custom script or process to calculate the dates and then populate in a custom column. Other ways you could achive your use case would be to use one of the new features we have coming out soon: - https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=88827 This feature will allow you to apply a second label, which could give the user an indication that the item is ready to be deleted. - https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=88816 This feature could allow you to be able to configure a flow to email the user to warn that the item is nearing the end of it's retention period.
- I recently attended an M365 event organized by a non-MS group and we started the event with a discussion on Licences and what features are available to users/admins. May I suggest we start the AMA with this type of discussion to provide context (i.e. availability of MIG and RM) for businesses (small, medium, large) and users. I was made aware during the previous event that the type of License to acquire depends on usage and role (i.e. a Company can have a mix of Standard and E? type of licenses).
- EricaToelle
Hi! Thanks for the question. The functionality you can use depends on the license you own, rather than the size of the organization. You can find licensing information here:
- Information governance: Microsoft 365 guidance for security & compliance - Service Descriptions | Microsoft Docs
- Records management: Microsoft 365 guidance for security & compliance - Service Descriptions | Microsoft Docs
- isn't it also a security risk in share point to follow many websites because of your own tracking and telemetry of this data ?
- EricaToelleHi Volker - here is a link to our privacy policy for how Microsoft 365 tracks and handles data: https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/privacy-security-and-transparency
- is also not important if special electronic form transmission at authorities with contact form or DE-mail is sufficient.
- To address broader Government compliance needs for content marked as a record, we need to improve the ability to report on records. How can we get better access the record metadata?
- I agree with Alicja that stronger reporting is much needed. We've shared our requirements with our MS contact and I think he submitted some 'insight' tickets on our behalf so looking forward to seeing some improvements. We are a bit jelous of the reporting of MS Priva, it would be wonderful to have similar features for records management.
- EricaToelleThanks, Paloma - sending you a PM to get more information.
- EricaToelleHi Alicja! We are looking into how to the metadata stored for disposition purposes, and especially how to address Australia requirements. Additionally, we are releasing Graph APIs throughout 2022 so you can extend and customize our solutions. I'll follow up with you privately to make sure we capture your requirements. Thanks!
- Can sensitivity labels be used to trigger a MFA workflow, so that if a file is stored on a USB or mobile phone, that the document prompts for MFA (not a password) prior to opening? Can this be done using a partial categorisation of all organisational data (e.g. only labels manually classified as "Sensitive" trigger this workflow)?
- Roberto_YglesiasWe're not covering any MIP questions on this AMA but you can post on this link for that topic: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/bd-p/SecurityandCompliance
- I'm not sure how sensitivity labels will work with Security software (like Norton) which in my case triggers a Scan (device) popup message each time I insert my USB which I believe can be set to auto scan.
- I have created some sensitivity tags, but I am unsure how to tie a MFA triggers to content labelled with particular sensitivity tags (like always prompt for MFA before opening). I was looking for some help documentation on it, but could not find any. I think this feature was announced in one of the Microsoft conferences, but I cannot seem to find a tutorial or Microsoft documentation on how to implement it.
sepisatiWhy in the M365 E5 Compliance Product Terms (see: https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/EAEAS#ServiceSpecificTerms) the License prerequisite is O365 E3 + EMS E3, but the prerequisite for E5 Information & Governance/ E5 eDiscovery & audit/ E5 Insider Risk Manager is O365 E1 + EMS? Is there any technical reason why we need Office365 E3 for E5 Compliance to work that doesn't apply to the other licenses above mentioned?- EricaToelleHi Serena, I recommend this page for licensing information. https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance My understanding is that the pre-requisite for Microsoft 365 Compliance is Microsoft 365 E3 or Office 365 E3 + EMS E3. The pre-requisite for the stand-alone SKUs is access to SharePoint, OneDrive, and Exchange. Specifically, E5 IP&G also requires AIP P1 or EMS E3.
- Any insights into best practices when performing IP content scan jobs in Azure? Also, I see that Log Analytics for storing AIP audit logs are being deprecated. Is the data discovery preview going to be the future resource for hosting those runs?
- EricaToelle
Hi Kevin - we are not going to cover Information Protection/AIP in this AMA. I want to be sure you question gets answered, so I recommend posting it here: Security, Compliance, and Identity - Microsoft Tech Community
- Thanks Erica, moving question over to that channel. Any chance there's technical documentation (preferably an infographic) that delineates IG/IG features and IP? Thought information protection was a nested attribute of governance but that doesn't seem to be the case. Cheers
- How do you use recommend using labels in a government environment? For instance we have a finance branch in every department and a corporate finance department. We have to manage their finance records separately in order to maintain context and respond to litigation and Access to Information requests efficiently and accurately. We also need to we have unique disposition notices that the program area can review and approve. Thoughts?
- Roberto_YglesiasThere's already some great suggestions on this thread but a couple of other suggestions would be: - Create separate labels for each department so you can ensure you have flexibility for the future. - Use adaptive policy scopes to scope the labels publishing & auto-classification to the appropriate locations per department.
- You likely need a person whose job it is to review disposition notices on files and coordinate with the file owners and take action to dispose of those records when appropriate.
- From my experience, we implemented a parent-child relationship style of labelling for a specific department. Take Engineering which has specific disciplines (e.g. Civil, Mechanical, etc.). So Engineering-Corporate would be the parent and the disciplines would be the children. Taking the concept of Content Type Hub or Data Dictionary, we ID'd labels or metadata that would be "common" to all of Engineering (i.e. Corporate, regardless of discipline). Then specific labels are ID'd for each discipline. Later, other considerations may come into play in terms of policies, procedures, change control, constraints and scope of implementation. Identification is a good but time-consuming initial step.
