Use Preservation Lock to restrict changes to retention policies and retention label policies

Microsoft 365 licensing guidance for security & compliance.

Important

Currently, adaptive policy scopes don't support Preservation Lock.

Preservation Lock locks a retention policy or retention label policy so that no one—including a global admin—can turn off the policy, delete the policy, or make it less restrictive. This configuration might be needed for regulatory requirements and can help safeguard against rogue administrators.

When a retention policy is locked:

  • No one can disable the policy or delete it
  • Locations can be added but not removed
  • You can extend the retention period but not decrease it

When a retention label policy is locked:

  • No one can disable the policy or delete it
  • Locations can be added but not removed
  • Labels can be added but not removed

In summary, a locked policy can be increased or extended, but it can't be reduced or turned off.

Important

Before you lock a retention policy or retention label policy, it's critical that you understand the impact and confirm whether it's required for your organization. For example, it might be needed to meet regulatory requirements. Administrators won't be able to disable or delete these policies after the preservation lock is applied.

Configure Preservation Lock after you've created a retention policy, or a retention label policy that you publish or auto-apply.

Note

Locking a label policy doesn't prevent an administrator from reducing the retention period in a label that is included in the locked policy. That requirement, with other restrictions, can be met when you configure a label to mark items as a regulatory record.

How to lock a retention policy or retention label policy

You must use PowerShell if you need to use Preservation Lock. Because administrators can't disable or delete a policy for retention after this lock is applied, enabling this feature is not available in the UI to safeguard against accidental configuration.

All policies for retention and with any configuration support Preservation Lock.

  1. Connect to Security & Compliance Center PowerShell.

  2. Find the name of the policy that you want to lock by running Get-RetentionCompliancePolicy. For example:

    List of retention policies in PowerShell.

  3. To place a Preservation Lock on your policy, run the Set-RetentionCompliancePolicy cmdlet with the name of the policy, and the RestrictiveRetention parameter set to true:

    Set-RetentionCompliancePolicy -Identity "<Name of Policy>" –RestrictiveRetention $true
    

    For example:

    RestrictiveRetention parameter in PowerShell.

    When prompted, read and acknowledge the restrictions that come with this configuration by entering Y:

    Prompt to confirm that you want to lock a retention policy in PowerShell.

A Preservation Lock is now placed on the policy. To confirm, run Get-RetentionCompliancePolicy again, but specify the policy name and display the policy parameters:

Get-RetentionCompliancePolicy -Identity "<Name of Policy>" |Fl

You should see RestrictiveRetention is set to True. For example:

Locked policy with all parameters shown in PowerShell.

See also

Resources to help you meet regulatory requirements for information governance and records management