O365 Groups Tidbit - Compliance in O365 Groups (Retention policies)
I think we can all agree that compliance in any technology is important in todays world, and I believe that with Groups this becomes very important since they are used everywhere in O365. So let’s take a quick look at Retention policies as part of your Compliance plan in O365.
NOTE: You will probably need to work with your security team and legal team as you design these policies, make sure you have the right info before designing these policies.
- Classification Labels are a method to mark content for specific treatment. They are published by administrators, and then applied to content by users or automated fashion.
- Retention policies allow you to keep or delete certain data on a specified schedule
- Locations are what you are applying the policy against.
Bringing it all together (How to configure a policy):
- Log into O365 admin portal, go to Admin centers and click on Security & Compliance
- Select Data Governance then click on Retention
- To create label click on Create, this will start a wizard to gather all data that is needed
- In the first screen of the wizard you must provide a name for your end users you can also provide if you want a description
- In the second screen you need to provide your retention policy, the default is 7 years based on Create date and no delete. You can do some really cool things if you use Advance retention settings so you should check that out.
- In the third screen you select the location that the labels will be published to and thus the content that can have policies applied. Default is to locations Exchange, SharePoint, OneDrive, and O365 Groups
- In the final screen you review the policy and then click Create this policy
Things to think about:
- It will take up to 24 hours to apply policies and publish labels once you create/modify.
- Retention policies can be modified….kinda. You can change many of the settings but you cannot change the intent of the policy, this means that while I can change how long the data is retained I cannot change how it is retained (Delete vs Keep). The reason for this is consistency which brings comfort, if an admin changes a policy from 1 day to 1 week nobody cares but go from keep content to delete and all of a sudden people are panicking and wondering were that policies was applied.
- There is a limitation on Retention policies you can have 10 Org level policies and 1,000 non-org level policies, the difference between the two is if you choose to apply the policy to all locations in your tenant (Org level) or specific locations (Non-org level).
- Use of Preservation lock should be limited! While in theory it sounds great to use, you are limited in modifications you can make and cannot disable the policy. This setting is meant for times when you are working in highly regulated environments, this setting can disrupt activities like tenant merges or even leaving O365 if that is a requirement.