Get started with records management

Microsoft 365 licensing guidance for security & compliance.

Ready to start managing your organization's high-value content for legal, business, or regulatory obligations by using a records management solution in Microsoft 365? Use the following guidance to get started:

  1. Understand how retention and deletion works in Microsoft 365, and identify whether you need to use retention policies to supplement retention labels that manage documents and emails at the item level: Learn about retention policies and retention labels

    If necessary, create retention policies for baseline governance of data across Microsoft 365 workloads.

  2. Understand the records management solution and how retention labels can be used to allow or block actions when documents and emails are declared records: Learn about records management

  3. Create your file plan for retention and deletion settings and actions, and when items should be marked as records by importing an existing plan if you have one, or create new retention labels: Use file plan to create and manage retention labels

  4. Publish and apply your retention labels. Retention labels are reusable building blocks that can be used in multiple policies and can be incorporated into user workflows:

Tip

If you're migrating records to Microsoft 365 and need to validate that they haven't been altered, see Validating migrated records.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Subscription and licensing requirements

A number of different subscriptions support records management and the licensing requirements for users depends on the features you use.

To see the options for licensing your users to benefit from Microsoft Purview features, see the Microsoft 365 licensing guidance for security & compliance. For records management, see the Microsoft Purview Data Lifecycle Management & Microsoft Purview Records Management section for feature-level licensing requirements.

Permissions

Members of your compliance team who are responsible for records management need permissions to the Microsoft Purview portal or the Microsoft Purview compliance portal. By default, the tenant admin (global administrator) has access to this location and can give compliance officers and other people access without giving them all the permissions of a tenant admin. To grant permissions for this limited administration, we recommend that you add users to the Records Management admin role group. This role group grants permissions for all features related to records management, which include the permissions to create and manage adaptive policy scopes, and disposition review and verification.

For a read-only role, you can create a new role group and add the View-Only Record Management role to this group.

For instructions to add users to the default roles or create your own role groups, use the following guidance, depending on the portal you're using:

These permissions are required only to create, configure, and apply retention labels that declare records, and manage disposition. The person configuring these labels doesn't require access to the content.

Support for administrative units

Records management supports administrative units that have been configured in Microsoft Entra ID:

  • You can assign administrative units to members of role groups that are used with Microsoft Purview Records Management. Edit the Records Management role group or other role groups that support administrative units. From these role groups, select individual members, and then the Assign admin units option to select administrative units from Microsoft Entra ID. These administrators are now restricted to managing just the users in those administrative units.

  • You can define the initial scope of retention policies and retention label policies when you create or edit these policies. When you select administrative units, only the users in those administrative units will be eligible for the policy.

    Important

    Don't select administrative units for a retention label policy that you want to apply to SharePoint sites. Because administrative units support only users and groups, if you configure a retention label policy to use administrative units, you won't be able to select the locations for SharePoint sites.

  • Both adaptive scopes and static scopes support administrative units.

  • Additional impact for restricted administrators

    • Policy lookup: Restricted administrators will see policies only from users within their assigned administrative units
    • Disposition review and verification: Restricted administrators will be able to add reviewers only from within their assigned administrative units, and see disposition reviews and items disposed only from users within their assigned administrative units
  • Currently, retention labels and events don't support administrative units.

  • Currently, a restricted administrator can create and view adaptive scopes for all administrative units when they use PowerShell cmdlets.

  • Currently, inactive mailboxes aren't supported in a policy when you select one or more administrative units. To include inactive mailboxes in the policy, you must be an unrestricted administrator and select Full directory.

For more information about how Microsoft Purview supports administrative units, see Administrative units.

Common scenarios

Use the following table to help you map your business requirements to the scenarios that are supported by records management.

Tip

Need to comply with a specific industry regulation? Check Regulatory requirements for data lifecycle management and records management for regulation-specific guidance.

I want to ... Documentation
Declare a record Declare records by using retention labels
Update a record Use record versioning to update records stored in SharePoint or OneDrive
Let admins and users manually apply retain and delete actions for documents and emails:
- SharePoint
- OneDrive
- Outlook and Outlook on the web
Publish retention labels and apply them in apps
Let site admins set default retain and delete actions for all content in a SharePoint library, folder, or document set Publish retention labels and apply them in apps
Let users automatically apply retain and delete actions to emails by using Outlook rules Publish retention labels and apply them in apps
Let admins apply retain and delete actions to a Microsoft Syntex model, so that these settings are automatically applied to identified files in a SharePoint library Publish retention labels and apply them in apps
Automatically apply retain and delete actions to documents and emails Apply a retention label to content automatically
Automatically retain and delete Teams meeting recordings and their accompanying transcripts Apply a retention label to content automatically
Start the retention period when an event occurs, such as:
- Employees leave the organization
- Contracts expire
- End of product lifetime
Start retention when an event occurs
Do custom actions or integrate with other solutions at the end of the retention period Customize what happens at the end of the retention period
Restrict changes to policies to help meet regulatory requirements or safeguard against rogue administrators Use Preservation Lock to restrict changes to retention policies and retention label policies
Manage the lifecycle of different document types in SharePoint Use retention labels to manage the lifecycle of documents stored in SharePoint
Apply a retention label to a file when I receive an alert that content containing personal data is being stored or remains untouched for too long Investigate and remediate alerts in Privacy Risk Management
Make sure somebody reviews and approves before content is deleted at the end of its retention period Disposition reviews
Have proof of disposition for content that is permanently deleted at the end of its retention period Disposition of records
Monitor how and where retain and delete settings are applied to items Monitoring retention labels
Programamtically create retention labels, and manage events and event type retention triggers Microsoft Graph API for records management
Programmatically apply and manage retention labels in SharePoint and OneDrive Microsoft Graph API for retention labels in SharePoint and OneDrive:
- lock and unlock records
- set retention labels
- remove retention labels
- get metadata for retention labels

End-user documentation

If you're using retention policies for baseline data governance, they typically work unobtrusively in the background without user interaction. As a result, they need little documentation for users. Retention policies for Teams inform users when their messages have been deleted with a link to Teams messages about retention policies.

In comparison, retention labels have a UI presence in Microsoft 365 apps, so make sure you provide guidance for end users and your help desk before these labels are deployed to your production network. To help users apply retention labels in SharePoint and OneDrive, and information about unlocking records for editing, see Apply retention labels to files in SharePoint or OneDrive.

However, the most effective end-user documentation will be customized guidance and instructions you provide for the retention label names and configurations you choose. See the following page and downloads that you can use to help train your users: End User Training for Retention Labels.