Compliance Management Part 2 : Retention Policies with Data Classification
Published Aug 13 2018 02:37 PM 4,874 Views

Classifying your Data

Office 365 Labels can be used to classify documents and emails by declaring them a record and assigning retention and deletion policies.  Labels are configured in the Classification section of the Security and Compliance Center.  


There are two steps to creating labels.  The first step is to create the label, giving it a Name, Description and retention settings.  The second step is to publish the label as a policy and applying it to users and groups, making it available to be applied to the content.  


Retention vs. Deletion

Retention: There are some considerations to be made when setting up a retention policy.  Do you want to automatically delete content when the retention period is up or should you set up a disposition review process or should you just leave the content, knowing that it was maintained for the required length of time?  If you choose to set up a disposition process you will need to specify the individuals or distribution email address for those that need to be notified of items to review.  Learn more about disposition reviews.


Deletion: When it comes to deleting content, its really simple.  Specify the number of days, months or years from the date the content was created or modified and the content will be deleted.  No review process is made available for this configuration.   


Label Retention SettingsLabel Retention Settings



Labels can be published to the following locations, however, I would expect this list to grow as Products are added to the O365 Suite: Exchange Email, SharePoint Sites, OneDrive accounts and Office 365 Groups.  Each location can be configured granularly to include or exclude specific recipients, sites, accounts or groups. This is extremely helpful when testing a label/policy before making it available across the organization.  


Publish Label: Choose locationsPublish Label: Choose locations


Data Governance: Retention

Another option to setup Retention outside of Labels and Label Policies is to configure retention policies within the Data Governance area in the Security and Compliance Center.   You will notice from the screenshot below that there are a few additional locations made available.   This is due to the nature of the content that does not allow for labels to be applied.   Such as Team chats or channel messages.  

Policies for Teams cannot be combined with any other locations.  It's also worth noting that Teams chats have a minimum deletion setting of 30 days.  If you try to set any shorter you will receive the following message.  "At this time, creating a policy to delete Teams content that's less than 30 days old is not supported. If you want this policy to apply to Teams content, specify a retention period that's equal to or more than 30 days."


There are also two advanced options under the Settings for retention:

  1. Detect content that contains specific words or phrases
    • Choosing this option allows you to enter the set of words or phrases along with the standard retention options.
  2. Detect content that contains sensitive information
    • Choosing this option will take you to a page where you can select the type of sensitive information (like we configured in the DLP policy) to apply the retention rule along with the standard retention options.  Like the DLP policy in the previous blog, this sensitive information rule can be configured for accuracy to minimize false positives.  


Data Governance: Retention SettingsData Governance: Retention Settings


Check out the Complete Overview of Retention Policies and Applying Retention Policies to Mailboxes in Exchange for more details.


Version history
Last update:
‎Jul 12 2019 01:49 PM
Updated by: