An in-depth review of records management in Microsoft 365
Historically, records management was never easy with SharePoint Server on-premises. The built-in functionality was difficult to understand and use for daily compliance needs.
Microsoft has certainly come a long way with their long-awaited arrival of Microsoft 365 (M365) Records Management.
This year, Microsoft overhauled records management in M365, which centrally manages retention in SharePoint Online, Exchange, OneDrive, and M365 groups. It’s time to assess the strengths and weaknesses of Microsoft 365, and if it’s up for the task of records management.
The interface
At first glance, the interface for managing your file plan is in-line with modern philosophies of SharePoint. That is, it follows the model of a flat hierarchy, and tagging items with metadata.
A flat structure is provided for a file plan. Each record category is created as a Retention Label, which is then tagged with information about it. This tagging enables grouping and sorting by function/department, category, and subcategory:
In order to experience the full features of M365 records management, you need an E5 license, which allows you to:
declare documents as records;
apply event triggered retention;
use trainable classifiers to automatically apply retention and;
provide proof of disposition after the disposition of the document.
Conversely, with an E3 license:
You can still |
But, you cannot |
Create retention labels |
Use these labels to declare documents as records to avoid deletion and modification |
Use automatic pattern matching to auto apply labels |
Use trainable classifier to detect a type of content and auto apply labels |
Use single staged time driven retention |
Use event triggered retention to perform case management |
Process documents through disposition |
Get a proof of disposition |
Let’s dive deeper into M365 Records Management’s capabilities!
1. Migrate and manage retention requirements with a file plan
M365 Records Management allows you to create one (1) file plan per tenant in a flat hierarchy, with the option to upload your current file plan by using their template in CSV format and upload tool.
If you are a large corporation with multiple file plans for each company, you can get creative with assigning the Function/Department and Reference ID to each retention label, or perhaps each company already has a separate M365 tenant with its own file plan.
For organizations that follow a large file plan with hundreds of nested categories you might be surprised to find you only end up with a handful of retention labels in M365. By using a flat hierarchy, only the bottom level record categories that content is actually classified against are created, helping record managers focus on the record categories that matters.
2. Establish retention and deletion policies within the record label
The retention label (or record label) defines the record category for each type of content, along with its retention schedule. You can create labels within the M365 environment that are not specifically for retention purposes, but once you turn on “Retention”, it allows you to define retention and disposition periods based on time or event.
Example scenarios you can create with M365 retention labels:
Keep for 7 years after created date, and then review for disposition
Keep for 7 years after an event, such as a contract expired, then review for disposition (E5 license only)
Declare as a record and keep permanently
Convenience/transitory documents automatically deleted after 2 years without review
As you can see, each retention label can only have one (1) single stage retention period. In our experience, most organizations require multi-staged retention that is triggered based on a change in document status, such as from Open to Closed, or Active to Expired.
This can be achieved in M365 RM by using event-driven retention (see #4 below) as long as you have E5 licensing. If your organization has E3 licenses, you can still create multiple stages of retention by creating multiple retention labels to represent each stage. For example, creating an Open Events label and a Closed Events label, or an Active Contracts and an Expired Contracts label. You can then apply the Open or Active label when the item is first created, and then switch the label automatically with Power Automate to Closed Events or Expired Contracts when the metadata status changes. Stay tuned for a follow up blogpost on this!
3. Label Content as a record (E5 only)
This feature creates and publishes retention labels that mark content as a record, which allows:
Immutable items, which means that it can't be modified or deleted; however, metadata about the document can still be modified
Additional activities about the item are logged
Proof of disposition when they are deleted at the end of their retention period
Note that once a retention label has been assigned to classify content as a record, that retention label cannot be edited or deleted after it has been created.
4. Trigger event-based retention (E5 only)
This is another feature only available to E5 licenses, where retention is calculated based on when a specific type of event occurs.
This capability is similar to case management, where we manage the lifecycle of documents saved in different sites and libraries, as long as they are tagged with the same Asset ID.
For example, when an employee leaves the organization, all the files associated to the employee can have retention started and disposition reached at the same time. This can happen whether they are saved in their Personnel file, Training site, or Complaints library, as long as the documents are tagged with the employee’s Asset ID.
The event trigger itself (employee leaving the organization) can be set manually by the records manager in the Compliance Centre, or automatically through REST API via Power Automate flows by integrating with your HR Management System.
5. Use label policies to publish labels
Once retention labels are created, just like content types created in a Content Type Hub, they need to be published through a Label Policy to be available in M365.
You can either publish retention labels to end-users, and have them apply labels manually to documents, which we don’t recommend, or have the label automatically applied to specific content with automatic pattern matching. Note that it may take up to seven days (!) for labels to automatically apply to content after you first publish the label through a policy.
Automatic pattern matching includes:
Keywords or metadata values, for example, Content Type is equal to “Invoice”. Note that SharePoint search only indexes the first 2 million characters of each file (approx. 700 pages single spaced) for keyword matching
Using previously identified patterns of sensitive information like social security, credit card or bank account numbers (Sensitive information type entity definitions)
Recognizing an item because it's a variation on a template (document finger printing)
Using the presence of exact strings (exact data match)
Furthermore, you can also specify where to publish these labels within the M365 environment.
6. Trainable Classifiers (E5 Only)
Another way to automatically apply Retention Labels in M365 is to use Trainable Classifiers.
A classifier learns how to identify a type of content by looking at hundreds of examples of the content you're interested in classifying. You start by feeding it examples that are definitely in the category. Once it processes those, you test it by giving it a mix of both matching and non-matching examples. The classifier then makes predictions as to whether any given item falls into the category you're building. You confirm its results, sorting out the positives, negatives, false positives, and false negatives to help increase the accuracy of its predictions.
When you choose the option for a trainable classifier, you select one of the built-in classifiers, or build your own custom classifier for invoices, contracts, etc. The built-in classifiers include:
Resumes
Source Code
Targeted Harassment
Profanity
Threat
Learn how to protect and manage the audit trail to meet regulatory compliance with Gravity MOAT.
7. Review and validate disposition with disposition reviews and proof of records deletion
When a document is ready for disposition, there are three (3) actions available:
Dispose – to permanently delete the item
Extend – to extend the retention period of the document
Tag – to apply a different retention label
You can bulk apply these three (3) actions or apply them individually to each document.
Unfortunately, there are no customization available to apply any other action than the three (3) mentioned above, thus you cannot design multiple levels of approval within the M365 records management system. However, you are able to export the documents in a CSV format to send to Directors and Managers to get a chance to review prior to the record managers disposing the documents.
8. Export information about all disposed items with the export option
Right after disposition, you can export the disposition information into a CSV file. However, information about the disposition is kept only with an E5 license. The information about the disposition is kept for up to seven (7) years after the item was disposed, with a limit of one (1) million items per record for that period.
The disposition information is exported without any metadata information, which is a good thing if the metadata contained sensitive information about the document.
Other things to note
Microsoft 365 Records Management only manages content that resides within your M365 tenant. However, you can import or archive third-party data from social media platforms, instant messaging platforms, and document collaboration platforms to be used with M365 Record Management.
In SharePoint Online, there is the ability to set default retention label in a library instead of using Column default value
Non-record Labels can be re-categorized manually, by PowerShell, or through a Power Automate flows
There is no physical records management in M365
Audit trail is available for one (1) year with an E5 license, and only 90 days with an E3 license
Summary
Microsoft has done a great job with its first offering of Records Management. However, it does require your organization to have E5 licenses to experience and take advantage of its full features.
On the other hand, if you already have or are thinking about getting E5, not only do you get access to all the features in Records Management, you also have access to Sensitivity Labels, Data Loss Prevention, Information Rights Management, and the full suite of Power Platform that integrates and compliments Records Management, which will help to keep you compliant within the M365 environment.
Get advice on the best information and records management tools and workflow for your organization and learn how to keep audit trails to stay compliant.