M365 Records Management Guide

There are several technologies that work together in Microsoft 365 that helps you manage the lifecycle of your data and documents. In this article, we’ll start with an overview of these and when to use which one, followed by a deep dive into records management and some very powerful features on offer.

Knowing what you have is the first step

Discovering the data you have and where there’s sensitive information that you need to protect is the first step. If it isn’t enabled, make sure to enable Office 365 audit logging in your tenant. It can take several hours until audit data starts showing up so do this ahead.

As part of what Microsoft calls “know your data” you can explore what you have stored in Exchange Online, SharePoint Online and OneDrive for Business before creating any policies or making any changes (apart from enabling auditing). In the Microsoft 365 compliance portal, click on Data classification and the Overview tab will show you the number of sensitive documents stored in any of the online locations (on-premises data will be included here in a coming update if you deploy the AIP Scanner – see below).

Overview in Data Classification

The Content explorer tab on the other hand will give you more than just overview statistics, it’ll let you dig into this data. Note that you need permissions not part of the default Global Administrator role to see this data, as well as at least one license of Office 365 E5, M365 E5 or one of the Advanced Compliance E5 / Advanced Threat Intelligence E5 add-ons. Accounts with Content Explorer List viewer can see the number of sensitive documents in each repository and individual document names but NOT their content, whereas an account that also has Content Explorer Content viewer can see the content of each document. Be very careful with assigning these permissions as these administrators are able to access sensitive data.

 

Content Explorer in Data Classification

Information Protection

Once you have some idea of the sensitivity of the documents that are stored in your tenant it’s time to apply protection to it. This is done through Sensitive Information Types (SIT) labelling and policies. Currently, Microsoft has 152 built-in different SITs that you can build policies around, covering many different types of PII from different countries in the world.

If you have in-house sensitive data types you can build your own SIT (essentially a regex with supporting keywords and information). For more complex document types you can use trainable classifiers (in preview), a machine learning model that you train to recognize a particular type of document (European Contracts for example).

Using SITs you then build policies that label the email, Office document, PDF, image or another type of document that contains one or more examples of sensitive information. You can further add headers, footers or watermarks to sensitive documents and control permissions for accessing the document, no matter how it’s shared, using built-in encryption.

To scan, label and optionally protect on-premises documents in SharePoint (2013+) and file shares you can use the Azure Information Protection (AIP) scanner.

Sensitive Information Types in M365

Usage of SITs and policies require M365 E3 or E5 licensing, auto labelling requires M365 E5, as does trainable classifiers and the AIP scanner.

Data Loss Prevention

In addition to protecting sensitive data, you probably also want to make sure it’s not shared with the wrong people accidentally. This is the job of Data Loss Prevention (DLP) which relies on the same SITs to give users warning when they’re about to share credit card numbers with an external user via email for instance. Recently (November 2020) DLP protection was extended to Windows 10 endpoints, providing a powerful option for controlling data sharing everywhere (particularly useful now that many of us are working from home).

One big “philosophical” difference between Microsoft’s Information Governance solutions and third-party solutions is that Microsoft manages data “in place”, other solutions create copies of the data in separate repositories, adding extra cost and complexity.

Need to retain data for seven years and ensure it doesn’t get deleted? Create a retention policy and even if users try to delete emails or documents, they will be available for the seven years. Need to ensure that only these three people can access this sensitive Word contract, even if they try to share it with someone else? Use Information Protection to apply permissions to the document and encrypt it – ensuring that only the right people have access to it. Need to ensure that these finalized legal contracts are retained for ten years and not tampered with – use Records Management and keep them where they’re stored, secure in the knowledge that they can’t be altered.

Retention

Sometimes you have data that isn’t sensitive and thus doesn’t fall into what you’d use Information Protection or DLP for, but you have a business or regulatory need to retain the data for a certain number of years. Both SharePoint and Exchange have built-in tech for this (a leftover from when they were on-premises server solutions) but the newer, unified approach in Office 365 lets you retain data, no matter where it’s stored.

Creating a retention label with a disposition review

There are both retention labels and retention policies and you can use them together for slightly different use cases. This is unlike Information Protection policies where you create the labels first and then the label policy is what makes them available for users to use.

Retention labels (but not Retention policies) can also optionally be used to label content as records for Records management. If an individual document has different and conflicting retention labels/policies applied to it there’s a workflow to determine how long it’ll be retained and when it’ll be deleted.

Records Management in M365

Now that you’ve seen the basics for identifying, protecting and managing the data you have in your business – let’s turn to records management. This is used to adhere to legal, regulatory and business needs to manage certain types of documents differently. It can be done manually by applying a retention label or based on the content using SITs, keywords or content types. You can control the retention period based on when the document was created, last modified or (unique to records) based on a particular event taking place, such as an employee leaving the company, a contract expiring or a particular product reaching a stage in its lifecycle. This makes it possible to build workflows around governing the retention of documents.

There are three types of restrictions that can be applied using records (plus the fourth, ordinary retention labels), Record – locked, Record – unlocked and Regulatory record. The last one is new, based on feedback from customers, and lets you lock/prevent any changes not only to the document content but also to its metadata, stops you moving the document to another location AND blocks the ability to change or remove the label. This is important where businesses have strict regulations to follow and must prove that documents are immutable once declared records. The locked/unlocked record types differ in whether they allow changes to the content or not.

If your business could benefit from Regulatory records be aware that you need to enable the feature for it to show up in the UI. Also be aware that if you do declare a document as a Regulatory record and you later want to remove the label you have to contact support – there’s no other way to do it (which is the point, to show auditors that the record really is immutable).

Records management has another feature – File plan. This is a structure similar to traditional (paper-based) records management and lets you add the business function/department, category (and optional subcategories), authority type and provision/citation to the plan.

Defining file plan descriptors for a label

Once created, File plans can be exported as CSV files and edited in Excel as well as imported back into M365 which comes in handy if you’re migrating from a legacy system or you need to import a large number of labels in one go. It’s also useful as you sit down with business stakeholders to figure out what documents should be treated as records and design the workflow around them.

This workflow can involve users declaring a record manually, which will work for small amounts of documents or as mentioned above, when a particular event happens. You can also attach retention labels automatically to documents, based on SITs, keywords or searchable properties of the documents, or trainable classifiers. Be aware that auto-apply retention labels can take up to seven days to apply.

To complete the lifecycle of your records you need to plan for the disposition of them at the end of their useful life. As we’ve seen, records management in M365 is intimately connected to retention labels which by definition configures how long different types of data should be kept.

Once time’s up you can have the information automatically deleted, just left where it is or trigger a disposition review. This last one requires the users who are going to perform it the Disposition Management role (not part of the Global Administrator role by default) and auditing has to be enabled. There’s also a Records Management role which doesn’t include the Disposition Management role today, but this role is changing in mid-December 2020 to now include the Disposition Management role overall.

Disposition reviews cover content in Exchange online mailboxes, SharePoint sites, OneDrive accounts and Microsoft 365 groups (Teams). Reviewers will receive an email notification on weekly basis and then use the Disposition tab in the Compliance Center to review the content, and either permanently delete it, extend the retention period or apply a different retention label.

Disposition options (courtesy of Microsoft)

Note that you can only define individual user accounts or mail-enabled security groups as reviewers and I recommend the latter because if you have a seven-year retention period you can’t guarantee that the people who were given the task that long ago are still around (although you can, of course, update the retention label with new reviewers as time goes on).

The licensing required to be able to declare records manually or automatically are M365 E5, E5 Compliance, E5 Information Protection and Governance, O365 E5, E5 Advanced Compliance.

Conclusion

Microsoft is improving the overall governance of information in Microsoft 365 and adding new features regularly to provide a holistic solution built into the platform. Managing records “in-place” is a good approach – are there documents in your business that you need this type of control over? If so – try out Records management to see if it fulfils your business OneDrive and regulatory requirements.