This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through:
Create your Records Management Policy
Test your Records Management Policy
It is presumed that you already have a Sensitive Information Type that you want to use in your Records Management policy. For the purposes of this document, I will use a copy of the U.S. Social Security Number (SSN) called “U.S. SSN – Numbers Only” that I created in Part 1 of this blog series.
This document does not cover any other aspect of Microsoft E5 Compliance, including:
Sensitive Information Types
Exact Data Matches
Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
Microsoft Cloud App Security (MCAS)
Advanced eDiscovery (AeD)
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).
If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance-relevant information, as time allows.
If you send data outside of the company, you want to be sure only the assigned Recipient can open and see the data.
There are no additional definitions relevant to this blog.
Governance Label vs Sensitive Label
Governance Label – This label will track the retention policy of a file or email.
Sensitive Label – This label will track who can access the file or email and whether or not it is encrypted.
Information Governance vs Records Management
Information Governance – provides the ability to do records (file/email) retention at a location level (mailbox/SharePoint Site/OneDrive).
Records Management – allows for more granular records (file/email) retention both at a location level and a manual level.
If you are having issues seeing your label, please refer to the following taken from the appendix link related to creating retention labels and applying them in applications.
“If you publish retention labels to SharePoint or OneDrive, those labels typically appear for end users to select within 1 day. However, allow up to 7 days.
If you publish retention labels to Exchange, it can take up to 7 days for those retention labels to appear for end users, and the mailbox must contain at least 10 MB of data.”
I will be testing with a Word file named “1-MB-Test-SSN-1-MIG”. This stands for 1MB file with SSN information for Microsoft Records Management (retention) testing.
You will need a test user with test files in OneDrive.
Create and Publish a Label
Go to Records Management – File plan
Click the plus sign and Create a label
Name and Description – I will give my label and its description the same value, “1-Day-manual-delete”. When you have a name and description you like, click Next.
Define file plan descriptors for this label – Because we are creating this label to attach to official organization records, this section will allow you to choose an existing department, category, sub category, authority type, and provision/citation. You can also create your own titles for each of these fields. Please note that you are not required to enter information into any of these fields, but doing so will help your records management. Click Next when you are ready.
Define Retention Settings – I will change my retention from the default of 7 years to Custom of 1 day. Under the section labeled Duration Period, select Mark Items as Records. Go to the section marked At the end of the Retention Period and select Do Nothing. Leave everything else at the default and click Next.
Review what you have configured. Click Create Label when you are satisfied. Then click Done.
This will then take you into the Create retention label wizard. On the first screen, you already have a label, so accept the default and click Next.
You will now need to choose the label you want to publish. This will populate with the label you just created. Click Next.
Now you can select the locations to which this label applies. I will select “Let me choose specific locations”. Then I will deselect SharePoint sites and Microsoft 365 Group. For email, I am only going to select the mailboxes of my test users (admin and Pradeep). I only have one OneDrive account, so I will accept the default for OneDrive. When you are ready, click Next.
Give the policy a name and description. I will give it the same name as the label “1-Day-Manual-Record-Delete”. When you have what you want, click Next.
Review your Policy, and if you have what you want, click Submit. Then click Done.
Note: it will take up to 1 day for labels to be available to end users.
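The same label and publishing policy can also be created from Security & Compliance PowerShell, which makes the settings repeatable and easy to review. This is an added example, not part of the original walkthrough: the admin account, mailbox addresses and OneDrive URL are placeholders, and the retention basis (CreationAgeInDays) is an assumption because the walkthrough does not state which one is used.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a compliance admin role.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account

$labelName  = '1-Day-manual-delete'          # label name used in the walkthrough
$policyName = '1-Day-Manual-Record-Delete'   # policy name used in the walkthrough

# Placeholder test locations: replace with your own test mailboxes and OneDrive URL.
$testMailboxes = 'admin@contoso.example', 'pradeep@contoso.example'
$testOneDrive  = 'https://contoso-my.sharepoint.com/personal/testuser_contoso_example'

# Retention label: retain for 1 day, mark items as records, do nothing afterwards.
$label = @{
    Name              = $labelName
    Comment           = $labelName
    IsRecordLabel     = $true
    RetentionAction   = 'Keep'               # retain only, no deletion at end of period
    RetentionDuration = 1                    # days
    RetentionType     = 'CreationAgeInDays'  # assumption: period counted from creation date
}
New-ComplianceTag @label

# Label policy scoped to the test mailboxes and the test OneDrive only
# (no SharePoint sites, no Microsoft 365 Groups).
$policy = @{
    Name             = $policyName
    Comment          = $policyName
    ExchangeLocation = $testMailboxes
    OneDriveLocation = $testOneDrive
}
New-RetentionCompliancePolicy @policy

# Publish the label through the policy.
New-RetentionComplianceRule -Policy $policyName -PublishComplianceTag $labelName

# Verify what was created and check distribution before testing.
Get-ComplianceTag -Identity $labelName |
    Format-List Name, IsRecordLabel, RetentionAction, RetentionDuration, RetentionType
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, DistributionStatus, ExchangeLocation, OneDriveLocation
```

If the label does not appear for the test user yet, rerun the last command and check the distribution status before troubleshooting further.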
Testing Records Management Policy
I will be performing our testing against a file in OneDrive. Open your test user’s OneDrive and select a file. In the upper-right corner, choose the Open the details pane icon.
Browse down to Apply label and select your retention label.
Your email or file is now locked for one day. If you try to delete your file, you will receive a message similar to the following:
You have now completed your base-line testing of Records Management and Retention. If you wish to do more with your testing, feel free to do so, or contact your Microsoft Account Manager to find assistance.
You can now proceed to the next part of this blog.
Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.