Create and configure retention policies

Microsoft 365 licensing guidance for security & compliance.

Use a retention policy to decide proactively whether to retain content, delete content, or both - retain and then delete the content.

A retention policy lets you do this very efficiently by assigning the same retention settings for content by location, at a site or mailbox level. If you're not sure whether to use a retention policy or a retention label, see Retention policies and retention labels.

For more information about retention policies and how retention works, see Learn about retention policies and retention labels.

Before you begin

The global admin for your organization has full permissions to create and edit retention policies. If you aren't signing in as a global admin, see Permissions required to create and manage retention policies and retention labels.

Create and configure a retention policy

Although a retention policy can support multiple locations, you can't create a single retention policy that includes all the supported locations:

  • Exchange email
  • SharePoint site
  • OneDrive accounts
  • Microsoft 365 groups
  • Skype for Business
  • Exchange public folders
  • Teams channel messages
  • Teams chats
  • Yammer community messages
  • Yammer private messages

If you select the Teams or Yammer locations when you create a retention policy, the other locations are automatically excluded. Therefore, which instructions to follow depend on whether you need to include the Teams or Yammer locations:

When you have more than one retention policy, and when you also use retention labels, see The principles of retention, or what takes precedence? to understand the outcome when multiple retention settings apply to the same content.

Retention policy for Teams locations

  1. From the Microsoft 365 compliance center, select Policies > Retention.

  2. Select New retention policy to start the Create retention policy wizard, and name your new retention policy.

  3. For the Choose locations to apply the policy page, select one or both of the locations for Teams: Teams channel message and Teams chats.

    For Teams channel messages, message from standard channels but not private channels are included. Currently, private channels aren't supported by retention policies.

    By default, all teams and all users are selected, but you can refine this by selecting the Choose and Exclude options.

  4. For Decide if you want to retain content, delete it, or both page of the wizard, specify the configuration options for retaining and deleting content.

    You can create a retention policy that just retains content without deleting, retains and then deletes after a specified period of time, or just deletes content after a specified period of time. For more information, see Settings for retaining and deleting content on this page.

  5. Complete the wizard to save your settings.

For more information about retention policies for Teams, see Retention policies in Microsoft Teams from the Teams documentation.

Additional retention policy needed to support Teams

Teams is more than just chats and channel messages. If you have teams that were created from a Microsoft 365 group (formerly Office 365 group), you should additionally configure a retention policy that includes that Microsoft 365 group by using the Microsoft 365 Groups location. This retention policy applies to content in the group's mailbox, site, and files.

If you have team sites that aren't connected to a Microsoft 365 group, you need a retention policy that includes the SharePoint sites or OneDrive accounts locations to retain and delete files in Teams:

  • Files that are shared in chat are stored in the OneDrive account of the user who shared the file.

  • Files that are uploaded to channels are stored in the SharePoint site for the team.

Tip

You can apply a retention policy to the files of just a specific team when it's not connected to a Microsoft 365 group by selecting the SharePoint site for the team, and the OneDrive accounts of users in the Team.

It's possible that a retention policy that's applied to Microsoft 365 groups, SharePoint sites, or OneDrive accounts could delete a file that's referenced in a Teams chat or channel message before those messages get deleted. In this scenario, the file still displays in the Teams message, but when users select the file, they get a "File not found" error. This behavior isn't specific to retention policies and could also happen if a user manually deletes a file from SharePoint or OneDrive.

Retention policy for Yammer locations

Note

Retention policies for Yammer are rolling out in preview. If you don't yet see the new locations for Yammer, try again in a few weeks.

To use this feature, your Yammer network must be Native Mode, not Hybrid Mode.

  1. From the Microsoft 365 compliance center, select Policies > Retention.

  2. Select New retention policy to create a new retention policy.

  3. For Decide if you want to retain content, delete it, or both page of the wizard, specify the configuration options for retaining and deleting content.

    You can create a retention policy that just retains content without deleting, retains and then deletes after a specified period of time, or just deletes content after a specified period of time. For more information, see Settings for retaining and deleting content on this page.

    Do not select Use advanced retention settings because this option isn't supported for Yammer locations.

  4. For the Choose locations page, select Let me choose specific locations. Then toggle on one or both of the locations for Yammer: Yammer community message and Yammer private messages.

    By default, all communities and users are selected, but you can refine this by specifying communities and users to be included or excluded.

    For Yammer private messages:

    • If you leave the default at All, Azure B2B guest users are not included.
    • If you select Choose user, you can apply a retention policy to external users if you know their account.
  5. Complete the wizard to save your settings.

For more information about how retention policies work for Yammer, see Learn about retention for Yammer.

Additional retention policies needed to support Yammer

Yammer is more than just community messages and private messages. To retain and delete email messages for your Yammer network, configure an additional retention policy that includes any Microsoft 365 groups that are used for Yammer, by using the Microsoft 365 Groups location.

To retain and delete files that are stored in Yammer, you need a retention policy that includes the SharePoint sites or OneDrive accounts locations:

  • Files that are shared in private messages are stored in the OneDrive account of the user who shared the file.

  • Files that are uploaded to communities are stored in the SharePoint site for the Yammer community.

It's possible that a retention policy that's applied to SharePoint sites or OneDrive accounts could delete a file that's referenced in a Yammer message before those messages get deleted. In this scenario, the file still displays in the Yammer message, but when users select the file, they get a "File not found" error. This behavior isn't specific to retention policies and could also happen if a user manually deletes a file from SharePoint or OneDrive.

Retention policy for locations other than Teams and Yammer

Use the following instructions for retention policies that apply to any of these services:

  • Exchange: Email and public folders
  • SharePoint: Sites
  • OneDrive: Accounts
  • Microsoft 365 groups
  • Skype for Business
  1. From the Microsoft 365 compliance center, select Policies > Retention.

  2. Select New retention policy to start the Create retention policy wizard, and name your new retention policy.

  3. For the Choose locations page, toggle on or off any of the locations except the locations for Teams. For each location, you can leave it at the default to apply the policy to the entire location, or specify includes and excludes.

    Information specific to locations:

  4. For Decide if you want to retain content, delete it, or both page of the wizard, specify the configuration options for retaining and deleting content.

    You can create a retention policy that just retains content without deleting, retains and then deletes after a specified period of time, or just deletes content after a specified period of time. For more information, see Settings for retaining and deleting content on this page.

  5. Complete the wizard to save your settings.

Configuration information for Exchange email and Exchange public folders

The Exchange email location supports retention for users' email, calendar, and other mailbox items, by applying retention settings at the level of a mailbox.

For detailed information about which items are included and excluded when you configure retention settings for Exchange, see What's included for retention and deletion

Note that even though a Microsoft 365 group has an Exchange mailbox, a retention policy that includes the entire Exchange email location won't include content in Microsoft 365 group mailboxes. To retain content in these mailboxes, select the Microsoft 365 Groups location.

The Exchange public folders location applies retention settings to all public folders and can't be applied at the folder or mailbox level.

Configuration information for SharePoint sites and OneDrive accounts

When you choose the SharePoint sites location, the retention policy can retain and delete documents in SharePoint communication sites, team sites that aren't connected by Microsoft 365 groups, and classic sites. Team sites connected by Microsoft 365 groups aren't supported with this option and instead, use the Microsoft 365 Groups location that applies to content in the group's mailbox, site, and files.

Although the retention policy is applied at the site level, only documents have retention settings applied to them. For detailed information about what's included and excluded when you configure retention settings for SharePoint and OneDrive, see What's included for retention and deletion.

When you specify your locations for SharePoint sites or OneDrive accounts, you don't need permissions to access the sites and no validation is done at the time you specify the URL on the Edit locations page. However, the SharePoint sites that you specify are checked that they exist at the end of the wizard. If this check fails, you see a message that validation failed for the URL you entered, and the wizard won't create the retention policy until the validation check passes. If you see this message, go back in the wizard to change the URL or remove the site from the retention policy.

To specify individual OneDrive accounts to include or exclude, the URL has the following format: https://<tenant name>-my.sharepoint.com/personal/<user_name>_<tenant name>_com

For example, for a user in the contoso tenant that has a user name of "rsimone": https://contoso-my.sharepoint.com/personal/rsimone_contoso_onmicrosoft_com

To verify the syntax for your tenant and identify URLs for users, see Get a list of all user OneDrive URLs in your organization.

Configuration information for Microsoft 365 Groups

To retain or delete content for a Microsoft 365 group (formerly Office 365 group), use the Microsoft 365 Groups location. Even though a Microsoft 365 group has an Exchange mailbox, a retention policy that includes the entire Exchange email location won't include content in Microsoft 365 group mailboxes. In addition, although the Exchange email location initially allows you to specify a group mailbox to be included or excluded, when you try to save the retention policy, you receive an error that "RemoteGroupMailbox" is not a valid selection for the Exchange location.

A retention policy applied to a Microsoft 365 group includes the group mailbox and SharePoint teams site. Files stored in the SharePoint teams site are covered with this location, but not Teams chats or Teams channel messages that have their own retention policy locations.

Configuration information for Skype for Business

Unlike Exchange email, you can't toggle the status of the Skype location on to automatically include all users, but when you turn on that location, you must then manually choose the users whose conversations you want to retain:

Choose Skype location for retention policies

When you select Choose user, you can quickly include all users by selecting the Select all box. However, it's important to understand that each user counts as a specific inclusion in the policy. So if you include 1,000 users by selecting the Select all box, it's the same as if you manually selected 1,000 users to include, which is the maximum supported for Skype for Business.

Be aware that Conversation History, a folder in Outlook, is a feature that has nothing to do with Skype archiving. Conversation History can be turned off by the end user, but archiving for Skype is done by storing a copy of Skype conversations in a hidden folder that is inaccessible to the user but available to eDiscovery.

Settings for retaining and deleting content

By choosing the settings for retaining and deleting content in your retention policy, your retention policy will have one of the following configurations for a specified period of time:

  • Retain-only

    For this configuration, choose Retain items for a specific period and At end of the retention period: Do nothing. Or, select Retain items forever.

  • Retain and then delete

    For this configuration, choose Retain items for a specific period and At end of the retention period: Delete items automatically.

  • Delete-only

    For this configuration, choose Only delete items when they reach a certain age.

Retaining content for a specific period of time

When you configure a retention policy, you choose to retain items for a specific number of days, months, or years. Or alternatively, retain the items forever.

When you configure a retention policy, you can choose to retain content indefinitely or for a specific number of days, months, or years. The retention period is calculated from the age of the content, not from when the retention policy is applied.

For the start of the retention period, you can also choose when the content was created or, supported only for files and the SharePoint, OneDrive, and Microsoft 365 Groups, when the content was last modified.

Examples:

  • SharePoint: If you want to retain items in a site collection for seven years after this content is last modified, and a document in that site collection hasn't been modified in six years, the document will be retained for only another year if it's not modified. If the document is edited again, the age of the document is calculated from the new last modified date, and it will be retained for another seven years.

  • Exchange: If you want to retain items in a mailbox for seven years, and a message was sent six years ago, the message will be retained for only one year. For Exchange items, the age is based on the date received for incoming email, or the date sent for outgoing email. Retaining items based on when it was last modified applies only to site content in OneDrive and SharePoint.

At the end of the retention period, you choose whether you want the content to be permanently deleted:

Retention settings page

Deleting content that's older than a specific age

A retention policy can both retain and then delete items, or delete old items without retaining them.

In both cases, if your retention policy deletes items, it's important to understand that the time period specified for a retention policy is calculated from the time when the item was created or modified, and not the time since the policy was assigned.

So before you assign a retention policy for the first time, and especially when that policy deletes items, first consider the age of the existing content and how the policy may impact that content. You might also want to communicate the new policy to your users before assigning it, to give them time to assess the possible impact.

A policy that applies to entire locations

When you choose locations, with the exception of Skype for Business, the default setting is All when the status of the location is On.

When a retention policy applies to any combination of entire locations, there is no limit to the number of recipients, sites, accounts, groups, etc., that the policy can include.

For example, if a policy includes all Exchange email and all SharePoint sites, all sites and recipients will be included, no matter how many. And for Exchange, any new mailbox created after the policy is applied will automatically inherit the policy.

A policy with specific inclusions or exclusions

Only if you use the optional configuration to scope your retention settings to specific users, specific Microsoft 365 groups, or specific sites, there are some limits per policy to be aware of:

  • Maximum numbers for a retention policy:
    • 1,000 mailboxes (user mailboxes or group mailboxes)
    • 1,000 Microsoft 365 groups
    • 1,000 users for Teams private chats
    • 100 sites (OneDrive or SharePoint)

These limitations are per policy, so if you need to use specific inclusions or exclusions that result in going over these numbers, you can create additional retention policies that have the same retention settings. See the next section for some example scenarios and solutions that use multiple retention policies for this reason. Multiple retention policies result in higher administrative overheads, so always challenge whether you really need inclusions and exclusions. Remember that the default configuration that applies to the entire location doesn't have any limitations, and this configuration choice might be a better solution than creating and maintaining multiple policies.

Tip

If do you need to create and maintain multiple retention policies for this scenario, consider using PowerShell for more efficient configuration.

There is also a maximum number of policies that are supported for a tenant: 10,000. However, for Exchange Online, the maximum number is 1,800. The maximum number includes retention policies, retention label policies, and auto-apply retention policies.

To use the optional configuration to scope your retention settings, make sure the Status of that location is On, and then use the links to include or exclude specific users, Microsoft 365 groups, or sites.

Warning

If you configure includes and then remove the last one, the configuration reverts to All for the location. Make sure this is the configuration that you intend before you save the policy.

For example, if you specify one SharePoint site to include in your retention policy that's configured to delete data, and then remove the single site, by default all SharePoint sites will then be subject to the retention policy that permanently deletes data. The same applies to includes for Exchange recipients, OneDrive accounts, Teams chat users etc.

In this scenario, toggle the location off if you don't want the All setting for the location to be subject to the retention policy. Alternatively, specify excludes to be exempt from the policy.

Examples of using inclusions and exclusions

The following examples provide some design solutions for when you can't specify just the location for a retention policy, and must take into account the limitations documented in the previous section.

Exchange example:

  • Requirement: In an organization that has over 40,000 user mailboxes, most users must have their email retained for 7 years but a subset of identified users (425) must have their email retained for only 5 years.

  • Solution: Create one retention policy for Exchange email with a retention period of 7 years and exclude the subset of users. Then create a second retention policy for Exchange email with a retention period of 5 years and include the subset of users.

    In both cases, the number included and excluded is below the maximum number of specified mailboxes for a single policy, and the subset of users must be explicitly excluded from the first policy because it has a longer retention period than the second policy. If the subset of users required a longer retention policy, you wouldn't need to exclude them from the first policy.

    With this solution, if anybody new joins the organization, their mailbox is automatically included in the first policy for 7 years and there is no impact to the maximum numbers supported. However, new users that require the 5 year retention period add to the include and exclude numbers, and this limit would be reached at 1,000.

SharePoint example:

  • Requirement: An organization has several thousand SharePoint sites but only 2,000 sites require a retention period of 10 years, and 8,000 sites require a retention period of 4 years.

  • Solution: Create 20 retention policies for SharePoint with a retention period of 10 years that includes 100 specific sites, and create 80 retention policies for SharePoint with a retention period of 4 years that includes 100 specific sites.

    Because you don't need to retain all SharePoint sites, you must create retention policies that specify the specific sites. Because a retention policy doesn't support more than 100 specified sites, you must create multiple policies for the two retention periods. These retention policies have the maximum number of included sites, so the next new site that needs retaining would require a new retention policy, irrespective of the retention period.

Updating retention policies

Some settings can't be changed after a retention policy is created and saved, which include:

  • The retention policy name and the retention settings except the retention period and when to start the retention period.

If you edit a retention policy and items are already subject to the original settings in your retention policy, your updated settings will be automatically applied to these items in addition to items that are newly identified.

Usually this update is fairly quick but can take several days. When the policy replication across your Microsoft 365 locations is complete, you'll see the status of the retention policy in the Microsoft 365 compliance center change from On (Pending) to On (Success).

Locking the policy to prevent changes

If you need to ensure that no one can turn off the policy, delete the policy, or make it less restrictive, see Use Preservation Lock to restrict changes to retention policies and retention label policies.