Create and configure retention policies

Microsoft 365 licensing guidance for security & compliance.

Use a retention policy to manage the data for your organization by deciding proactively whether to retain content, delete content, or retain and then delete the content.

A retention policy lets you do this very efficiently by assigning the same retention settings at the container level to be automatically inherited by content in that container. For example, all items in SharePoint sites, all email messages in users' Exchange mailboxes, all channel messages for teams that are used with Microsoft Teams. If you're not sure whether to use a retention policy at the container level or a retention label at the item level, see Retention policies and retention labels.

For more information about retention policies and how retention works in Microsoft 365, see Learn about retention policies and retention labels.

Note

The information on this page is for compliance administrators. If you are not an administrator and want to understand how retention policies have been configured for the apps that you use, contact your help desk, IT department, or administrator. If you're seeing messages about retention policies in Teams chats and channel messages, you might find it helpful to review Teams messages about retention policies.

Before you begin

The global admin for your organization has full permissions to create and edit retention policies. If you aren't signing in as a global admin, see Permissions required to create and manage retention policies and retention labels.

Create and configure a retention policy

Although a retention policy can support multiple services that are identified as "locations" in the retention policy, you can't create a single retention policy that includes all the supported locations:

  • Exchange email
  • SharePoint site
  • OneDrive accounts
  • Microsoft 365 groups
  • Skype for Business
  • Exchange public folders
  • Teams channel messages
  • Teams chats
  • Teams private channel messages
  • Yammer community messages
  • Yammer user messages

If you select the Teams or Yammer locations when you create a retention policy, the other locations are automatically excluded. This means that the instructions to follow depend on whether you need to include the Teams or Yammer locations:

When you have more than one retention policy, and when you also use retention labels, see The principles of retention, or what takes precedence? to understand the outcome when multiple retention settings apply to the same content.

Retention policy for Teams locations

  1. From the Microsoft 365 compliance center, select Policies > Retention.

  2. Select New retention policy to start the Create retention policy configuration, and name your new retention policy.

  3. For the Choose locations to apply the policy page, select any or all of the locations for Teams:

    • Teams channel message: Messages from standard channel chats and standard channel meetings, but not from private channels that have their own policy location.
    • Teams chats: Messages from private 1:1 chats, group chats, and meeting chats.
    • Teams private channel messages: Messages from private channel chats and private channel meetings.

    By default, all teams and all users are selected, but you can refine this by selecting the Edit options to configure a retention policy for specific inclusions or exclusions. However, before you change the default, be aware of the following consequences for a retention policy that deletes messages when it's configured for includes or excludes:

    • For group chat messages and private channel messages, because a copy of messages are saved in each user's mailbox who are included in the chat, copies of messages will continue to be returned in eDiscovery results from users who weren't assigned the policy.
    • For users who weren't assigned the policy, deleted messages will be returned in their Teams search results but won't display the contents of the message as a result of the permanent deletion from the policy assigned to users.
  4. For Decide if you want to retain content, delete it, or both page, specify the configuration options for retaining and deleting content.

    You can create a retention policy that just retains content without deleting, retains and then deletes after a specified period of time, or just deletes content after a specified period of time. For more information, see Settings for retaining and deleting content on this page.

  5. Complete the configuration to save your settings.

For guidance when to use retention policies for Teams and understand the end user experience, see Manage retention policies for Microsoft Teams from the Teams documentation.

For technical details about how retention works for Teams, including what elements of messages are supported for retention and timing information with example walkthroughs, see Learn about retention for Microsoft Teams.

Known configuration issues

  • Although you can select the option to start the retention period when items were last modified, the value of When items were created is always used. For messages that are edited, a copy of the original message is saved with its original timestamp to identify when this pre-edited message was created, and the post-edited message has a newer timestamp.

  • When you select Edit for the Teams channel messages location, you might see Microsoft 365 groups that aren't also teams. Don't select these groups.

  • When you select Edit for the Teams chats location, you might see guests and non-mailbox users. Retention policies aren't designed for these users, so don't select them.

Additional retention policy needed to support Teams

Teams is more than just chats and channel messages. If you have teams that were created from a Microsoft 365 group (formerly Office 365 group), you should additionally configure a retention policy that includes that Microsoft 365 group by using the Microsoft 365 Groups location. This retention policy applies to content in the group's mailbox, site, and files.

If you have team sites that aren't connected to a Microsoft 365 group, you need a retention policy that includes the SharePoint sites or OneDrive accounts locations to retain and delete files in Teams:

  • Files that are shared in chat are stored in the OneDrive account of the user who shared the file.

  • Files that are uploaded to channels are stored in the SharePoint site for the team.

Tip

You can apply a retention policy to the files of just a specific team when it's not connected to a Microsoft 365 group by selecting the SharePoint site for the team, and the OneDrive accounts of users in the Team.

It's possible that a retention policy that's applied to Microsoft 365 groups, SharePoint sites, or OneDrive accounts could delete a file that's referenced in a Teams chat or channel message before those messages get deleted. In this scenario, the file still displays in the Teams message, but when users select the file, they get a "File not found" error. This behavior isn't specific to retention policies and could also happen if a user manually deletes a file from SharePoint or OneDrive.

Retention policy for Yammer locations

Note

Retention policies for Yammer are in preview and currently do not inform users when messages are deleted as a result of a retention policy.

To use this feature, your Yammer network must be Native Mode, not Hybrid Mode.

  1. From the Microsoft 365 compliance center, select Policies > Retention.

  2. Select New retention policy to create a new retention policy.

  3. For the Choose locations to apply the policy page, toggle on one or both of the locations for Yammer: Yammer community message and Yammer user messages.

    Important

    Although you can create a retention policy for just Yammer user messages, a retention policy for this location can delete community messages from the Yammer app for all community members.

    If you choose this option and the retention policy will be configured to delete user messages, make sure you understand this implication. For more information, see How retention works with Yammer.

    By default, all communities and users are selected, but you can refine this by specifying communities and users to be included or excluded.

    For Yammer user messages:

    • If you leave the default at All, Azure B2B guest users are not included.
    • If you select Edit for the Included column, you can apply a retention policy to external users if you know their account.
  4. For Decide if you want to retain content, delete it, or both page, specify the configuration options for retaining and deleting content.

    You can create a retention policy that just retains content without deleting, retains and then deletes after a specified period of time, or just deletes content after a specified period of time. For more information, see Settings for retaining and deleting content on this page.

  5. Complete the configuration to save your settings.

For more information about how retention policies work for Yammer, see Learn about retention for Yammer.

Additional retention policies needed to support Yammer

Yammer is more than just community messages and private messages. To retain and delete email messages for your Yammer network, configure an additional retention policy that includes any Microsoft 365 groups that are used for Yammer, by using the Microsoft 365 Groups location.

To retain and delete files that are stored in Yammer, you need a retention policy that includes the SharePoint sites or OneDrive accounts locations:

  • Files that are shared in private messages are stored in the OneDrive account of the user who shared the file.

  • Files that are uploaded to communities are stored in the SharePoint site for the Yammer community.

It's possible that a retention policy that's applied to SharePoint sites or OneDrive accounts could delete a file that's referenced in a Yammer message before those messages get deleted. In this scenario, the file still displays in the Yammer message, but when users select the file, they get a "File not found" error. This behavior isn't specific to retention policies and could also happen if a user manually deletes a file from SharePoint or OneDrive.

Retention policy for locations other than Teams and Yammer

Use the following instructions for retention policies that apply to any of these services:

  • Exchange: Email and public folders
  • SharePoint: Sites
  • OneDrive: Accounts
  • Microsoft 365 groups
  • Skype for Business
  1. From the Microsoft 365 compliance center, select Policies > Retention.

  2. Select New retention policy to start the Create retention policy configuration, and name your new retention policy.

  3. For the Choose locations to apply the policy page, toggle on or off any of the locations except the locations for Teams. For each location, you can leave it at the default to apply the policy to the entire location, or specify includes and excludes.

    Information specific to locations:

  4. For Decide if you want to retain content, delete it, or both page, specify the configuration options for retaining and deleting content.

    You can create a retention policy that just retains content without deleting, retains and then deletes after a specified period of time, or just deletes content after a specified period of time. For more information, see Settings for retaining and deleting content on this page.

  5. Complete the configuration to save your settings.

Configuration information for Exchange email and Exchange public folders

The Exchange email location supports retention for users' email, calendar, and other mailbox items, by applying retention settings at the level of a mailbox. Shared mailboxes are also supported.

When you apply the retention settings to All recipients, any inactive mailboxes are included. However, if you change this default and configure specific inclusions or exclusions, inactive mailboxes aren't supported and retention settings won't be applied or excluded for those mailboxes.

Additionally, resource mailboxes and Microsoft 365 group mailboxes are not supported for the All recipients default, or for specific inclusions or exclusions. For Microsoft 365 group mailboxes, select the Microsoft 365 Groups location instead.

If you do choose recipients to include or exclude, you can select distribution groups and email-enabled security groups. Behind the scenes, these groups are automatically expanded at the time of configuration to select the mailboxes of the users in the group. If the membership of those groups later change, an existing retention policy isn't automatically updated.

For detailed information about which mailbox items are included and excluded when you configure retention settings for Exchange, see What's included for retention and deletion.

The Exchange public folders location applies retention settings to all public folders and can't be applied at the folder or mailbox level.

Configuration information for SharePoint sites and OneDrive accounts

When you choose the SharePoint sites location, the retention policy can retain and delete documents in SharePoint communication sites, team sites that aren't connected by Microsoft 365 groups, and classic sites. Team sites connected by Microsoft 365 groups aren't supported with this option and instead, use the Microsoft 365 Groups location that applies to content in the group's mailbox, site, and files.

Although the retention policy is applied at the site level, only documents have retention settings applied to them. For detailed information about what's included and excluded when you configure retention settings for SharePoint and OneDrive, see What's included for retention and deletion.

When you specify your locations for SharePoint sites or OneDrive accounts, you don't need permissions to access the sites and no validation is done at the time you specify the URL on the Edit locations page. However, the SharePoint sites that you specify are checked that they exist at the end of the configuration. If this check fails, you see a message that validation failed for the URL you entered, and the configuration process won't create the retention policy until the validation check passes. If you see this message, go back in the configuration to change the URL or remove the site from the retention policy.

To specify individual OneDrive accounts to include or exclude, see Get a list of all user OneDrive URLs in your organization.

Note

When you specify individual OneDrive accounts to include or exclude, be aware that unless OneDrive accounts are pre-provisioned, the URL isn't created until a user accesses their OneDrive for the first time.

Also, the OneDrive URL will automatically change if there is a change in the user's UPN. For example, a name-changing event such as marriage. Or a domain name change to support an organization's rename or business restructuring. If the UPN changes, you will need to update the OneDrive URLs you specify here.

Configuration information for Microsoft 365 Groups

To retain or delete content for a Microsoft 365 group (formerly Office 365 group), use the Microsoft 365 Groups location. Even though a Microsoft 365 group has an Exchange mailbox, a retention policy that includes the entire Exchange email location won't include content in Microsoft 365 group mailboxes. Although the Exchange email location initially allows you to specify a group mailbox to be included or excluded, when you try to save the retention policy, you'll see an error that "RemoteGroupMailbox" is not a valid selection for the Exchange location.

By default, a retention policy applied to a Microsoft 365 group includes the group mailbox and SharePoint teams site. Files stored in the SharePoint teams site are covered with this location, but not Teams chats or Teams channel messages that have their own retention policy locations.

To change the default because you want the retention policy to apply to either just the Microsoft 365 mailboxes, or just the connected SharePoint teams sites, use the Set-RetentionCompliancePolicy PowerShell cmdlet with the Applications parameter with one of the following values:

  • Group:Exchange for just Microsoft 365 mailboxes that are connected to the group.
  • Group:SharePoint for just SharePoint sites that are connected to the group.

To return to the default value of both the mailbox and SharePoint site for the selected Microsoft 365 groups, specify Group:Exchange,SharePoint.

Configuration information for Skype for Business

Unlike other locations, you can't toggle the status of the Skype location on to automatically include all users. Instead, when you turn on that location, you must then select the Edit option to manually choose the users whose conversations you want to retain:

Edit Skype location for retention policies.

After you select this Edit option, in the Skype for Business pane you can quickly include all users by selecting the hidden box before the Name column. However, it's important to understand that each user counts as a specific inclusion in the policy. So if you include 1,000 users by selecting this box, it's the same as if you manually selected 1,000 users to include, which is the maximum supported for Skype for Business.

Be aware that Conversation History, a folder in Outlook, is a feature that has nothing to do with Skype archiving. Conversation History can be turned off by the end user, but archiving for Skype is done by storing a copy of Skype conversations in a hidden folder that is inaccessible to the user but available to eDiscovery.

Settings for retaining and deleting content

By choosing the settings for retaining and deleting content in your retention policy, your retention policy will have one of the following configurations for a specified period of time:

  • Retain-only

    For this configuration, choose Retain items for a specific period and At end of the retention period: Do nothing. Or, select Retain items forever.

  • Retain and then delete

    For this configuration, choose Retain items for a specific period and At end of the retention period: Delete items automatically.

  • Delete-only

    For this configuration, choose Only delete items when they reach a certain age.

Retaining content for a specific period of time

When you configure a retention policy, you choose to retain items for a specific number of days, months, or years. Or alternatively, retain the items forever.

When you configure a retention policy, you can choose to retain content indefinitely or for a specific number of days, months, or years. The retention period is calculated from the age of the content, not from when the retention policy is applied.

For the start of the retention period, you can also choose when the content was created or, supported only for files and the SharePoint, OneDrive, and Microsoft 365 Groups, when the content was last modified.

Examples:

  • SharePoint: If you want to retain items in a site collection for seven years after this content is last modified, and a document in that site collection hasn't been modified in six years, the document will be retained for only another year if it's not modified. If the document is edited again, the age of the document is calculated from the new last modified date, and it will be retained for another seven years.

  • Exchange: If you want to retain items in a mailbox for seven years, and a message was sent six years ago, the message will be retained for only one year. For Exchange items, the age is based on the date received for incoming email, or the date sent for outgoing email. Retaining items based on when it was last modified applies only to site content in OneDrive and SharePoint.

At the end of the retention period, you choose whether you want the content to be permanently deleted:

Retention settings page.

Deleting content that's older than a specific age

A retention policy can both retain and then delete items, or delete old items without retaining them.

In both cases, if your retention policy deletes items, it's important to understand that the time period specified for a retention policy is calculated from the time when the item was created or modified, and not the time since the policy was assigned.

So before you assign a retention policy for the first time, and especially when that policy deletes items, first consider the age of the existing content and how the policy may impact that content. You might also want to communicate the new policy to your users before assigning it, to give them time to assess the possible impact.

A policy that applies to entire locations

When you choose locations, with the exception of Skype for Business, the default setting is All when the status of the location is On.

When a retention policy applies to any combination of entire locations, there is no limit to the number of recipients, sites, accounts, groups, etc., that the policy can include.

For example, if a policy includes all Exchange email and all SharePoint sites, all sites and recipients will be included, no matter how many. And for Exchange, any new mailbox created after the policy is applied will automatically inherit the policy.

A policy with specific inclusions or exclusions

Be aware that if you use the optional configuration to scope your retention settings to specific users, specific Microsoft 365 groups, or specific sites, there are some limits per policy to be aware of. For more information, see Limits for retention policies and retention label policies.

To use the optional configuration to scope your retention settings, make sure the Status of that location is On, and then use the links to include or exclude specific users, Microsoft 365 groups, or sites.

Warning

If you configure includes and then remove the last one, the configuration reverts to All for the location. Make sure this is the configuration that you intend before you save the policy.

For example, if you specify one SharePoint site to include in your retention policy that's configured to delete data, and then remove the single site, by default all SharePoint sites will then be subject to the retention policy that permanently deletes data. The same applies to includes for Exchange recipients, OneDrive accounts, Teams chat users etc.

In this scenario, toggle the location off if you don't want the All setting for the location to be subject to the retention policy. Alternatively, specify excludes to be exempt from the policy.

Updating retention policies

Some settings can't be changed after a retention policy is created and saved, which include:

  • The retention policy name and the retention settings except the retention period and when to start the retention period.

If you edit a retention policy and items are already subject to the original settings in your retention policy, your updated settings will be automatically applied to these items in addition to items that are newly identified.

Usually this update is fairly quick but can take several days. When the policy replication across your Microsoft 365 locations is complete, you'll see the status of the retention policy in the Microsoft 365 compliance center change from On (Pending) to On (Success).

Locking the policy to prevent changes

If you need to ensure that no one can turn off the policy, delete the policy, or make it less restrictive, see Use Preservation Lock to restrict changes to retention policies and retention label policies.