The following is provided from Microsoft Security and Compliance blogs at TechCommunity:
With the introduction of Unified Retention & Retention Labels in the Security and Compliance, many customers have questions on the differences between Unified Retention, Retention Labels and MRM retention, configurable parameters and other common scenarios.
Retention or Unified Retention
Retention or Unified Retention is available in Office 365 Security and Compliance portal.
Unified retention policy in Office 365 can help you achieve all these goals. Managing content commonly requires two actions:
- Retaining content so that it can’t be permanently deleted before the end of the retention period.
- Deleting content permanently at the end of the retention period.
With a retention policy, you can:
- Decide proactively whether to retain content, delete content, or both – retain and then delete the content.
- Apply a single policy to the entire organization or just specific locations or users.
- Apply a policy to all content or just content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information.
SCC Retention provides true retention, you can use a single SCC retention policy to perform both deletion and retention and at the same time a single policy can be applied across different workloads.
For more details, refer Overview of Retention Policies
Retention Labels.
Retention Labels is available in Office 365 Security and Compliance portal.
Retention labels in Office 365 can help you take the right actions on the right content. With retention labels, you can classify data across your organization for governance, and enforce retention rules based on that classification.
With retention labels, you can:
- Enable people in your organization to apply a retention label manually to content in Outlook on the web, Outlook 2010 and later, OneDrive, SharePoint, and Office 365 groups. Users often know best what type of content they’re working with, so they can classify it and have the appropriate policy applied.
- Apply retention labels to content automatically if it matches specific conditions, such as when the content contains:
- Specific types of sensitive information.
- Specific keywords that match a query you create.
- The ability to apply retention labels to content automatically is important because:
- You don’t need to train your users on all of your classifications.
- You don’t need to rely on users to classify all content correctly.
- Users no longer need to know about data governance policies – they can instead focus on their work.
- Apply a default retention label to a document libraryin SharePoint and Office 365 group sites, so that all documents in that library get the default retention label.
- Implement records management across Office 365, including both email and documents. You can use a retention label to classify content as a record. When this happens, the label can’t be changed or removed, and the content can’t be edited or deleted.
Retention setting in Labels and Unified Retention is same. A single retention labels policy to perform both deletion and retention and at the same time a single policy can be applied across different workloads.
There are different ways to monitor the usage of Retention Labels using Data Governance Dashboard, Label Activity Explorer (Available with E5 only), Content Search, Audit log
For more details, refer Overview of Retention Labels
Messaging Records Management (MRM)
Messaging Records Management aka Retention Policy is available in Exchange on-premises as well as in Exchange online and available in Exchange Admin Center (EAC).
You can use retention policies to enforce basic message retention for an entire mailbox or for specific default folders. Although there are several strategies for deploying MRM, here are some of the most common:
- Remove all messages after a specified period.
- Move messages to archive mailboxes after a specified period.
- Remove messages based on folder location.
- Allow users to classify messages.
- Retain messages for eDiscovery purposes.
When you implement MRM policies that remove messages from mailboxes after a specified period it also retains them in the Recoverable Items folder for In-Place eDiscovery purposes, even if the messages were deleted by the user or another process.
In Exchange Server and Exchange Online, MRM is accomplished through the use of retention tags and retention policies.
- Assigning retention policy tags (RPTs) to default folders, such as the Inbox and Deleted Items.
- Applying default policy tags (DPTs) to mailboxes to manage the retention of all untagged items.
- Allowing the user to assign personal tags to custom folders and individual items.
Messaging Record Management policy itself doesn’t perform any retention You need to use a time-based In-Place Hold or Litigation Hold to preserves messages that were deleted for long period of time than the Single Item Recovery period.
In this post, we will be referring Messaging Records Management (MRM) as EAC based Retention.
For more details, refer Messaging records Management
Next, we will answer some of the frequently asked questions around Retention Policies in the SCC and EAC.
Deletion and Retention options for Retention. What do they really do?
While creating Unified Retention policy or Retention Labels, the settings below, may not be as clear for some customers. Let’s take a deeper look;
Option: “Yes, I want to retain”
This option means retain content in user’s mailbox (mail folders and Recoverable Items folder) wherever they are located for specified x days/months/years. You also get an option to retain them forever. This setting also applies to content in folders in archive mailbox and its Recoverable items folders.
Content deleted from user’s mail folders will be moved to Recoverable items folder and content which is already existing in Recoverable items folder (when policy is applied), will be retained for x days/months/years. In short retention will make sure that the content will not be purged completely from the mailbox for specified number of days/months/years
What happens to content when the retention period for emails is expired? It depends on what’ option is selected next;
“Do you want us to delete it after this time?”
If “Yes” is selected, MFA does the job of cleaning the expired contents from user’s mail folders and from the Recoverable items folders. This also includes expired content in archive mailbox and its recoverable items folders.
If “No” is selected, Managed Folder Assistant (MFA) will not clean the expired content (move to recoverable items folder) which exists in user’s mailbox folders. But the expired content in Recoverable items folder older than Single Item recovery period (14 days) will be cleaned, provided there is no other hold applied to this mailbox to retain the content longer.
To identify other holds on the mailbox, refer How to identify the type of hold placed on an Exchange Online mailbox
Option: “No just delete content that’s older than”
This option indicates delete content in user’s mailbox (users’ mail folders and Recoverable Items folder) which is older than configured x days/months/years, wherever it is located. This also includes content in folders in the archive mailbox and its Recoverable items folder.
With this option selected, expired content from user’s mail folders and Recoverable items will be deleted permanently (provided that there is no other hold configured to retain content for longer period.)
For more details refer Deleting content that’s older than a specific age
Let’s discuss some of the common scenarios.
Retain and Delete content in the entire mailbox.
If you are planning to use Unified Retention and your requirement is that the mailbox should not hold any content older than 1 year.
You can create a SCC Retention as shown below so that any data which is older than 1 year would be deleted from the user’s mail folders and Recoverable items folders.
This option makes sure than there is no content in the mailbox older than 1 year, both in users mail folder and Recoverable items folder, this also includes content in archive mailbox. The expired content is not immediately purged from the mailbox instead it is retained for some more days, it could be because other holds and because of DelayHoldApplied on the mailbox.
Retain the deleted content for a longer period.
If you are planning to use SCC Retention and your requirement is that the content from user’s mail folders older than 1 years needs to be deleted and the deleted content need to be retained for 7 years for eDiscovery or recovery.
One of the ways to achieved this is by creating two SCC Retention policies, one policy to delete email older than 1 year
Another policy to retain data for 7 years
How is the retention period specified calculated?
The retention period calculation for different types of items varies and is documented in below article.
For more details How retention age is calculated. This article applies both the EAC based retention and SCC Retention
Principles of retention.
A mailbox can have multiple Unified Retention or Retention Labels policies applied either implicitly or explicitly. At times in order to meet your compliance requirement, a given mailbox can be subjected to multiple policies, in such cases it’s important to understand which action take precedence, which is explained nicely using “Principles of retention”
For more detail on “Principles of retention” refer Overview of retention policies
Should I use the EAC based retention or SCC Retention?
It really depends on your retention requirements.
With introduction of auto-expanding archive feature, it is important that you move your old emails from primary mailbox to archive mailbox this includes emails from the user’s folders and Recoverable Items folder of primary mailbox, so that Primary mailbox doesn’t exceed the mailbox quota limits.
For auto-expanding archiving feature refer Auto-expanding archiving feature
Automate moving emails to the archive.
What if you want to automate moving emails older than 2 years from primary to archive, the only option to do this currently is using Default Policy tag or Personal tag in MRM 2.0 as these are the only retention tags which support move to archive action.
SCC Retention or even Retention Labels doesn’t provide us the same option of moving emails to archive mailbox. So, in this case EAC based retention is the only option (currently). This is probably the only advantage of using EAC based retention.
Does it mean that I can apply EAC based retention and SCC Retention to the same mailbox?
Yes, you can.
It’s important note that a given mailbox can have only one EAC based retention with multiple tags and at the same mailbox can have multiple SCC Retention policies and Retention labels policies.
I would recommend using EAC based retention to meet your archiving (mailbox) needs and SCC retention for your retention needs.
But what about emails in the Recoverable Items folder in Primary mailbox?
As Recoverable items has its own quota, in order to prevent it from being full, you can opt to archive emails from your primary mailbox’s recoverable items to archive mailbox’s recoverable items. There is a special tag called “Recoverable Items tag” in EAC based retention which only support the move to archive action can move emails from Recoverable items folder of Primary mailbox to Recoverable items folder of Archive mailbox.
So, if you are planning to use EAC based retention for archiving purpose and SCC retention to meet your retention needs, your sample policies should look as below.
With above EAC based retention policy in place, emails (as well as other items) older than 180 days in users mail folders will be moved to archive mailbox, at the same time deleted content in Recoverable items of Primary mailbox will be moved to Recoverable items of archive mailbox after 14 days.
Also, when you are planning to use SCC retention along with EAC based retention policy it is important to understand how precedence works in EAC based retention like;
- Default Policy tag (DPT) with move to Archive action always overwrites the Retention Policy tag (RPT) or the Personal tag (PT), when the age limit for retention of DPT is lower than of RPT or PT.
- Explicitly assign tag wins over an implicit tag
It’s important to plan your policies & test the policies on test mailboxes to understand the behavior.
Organizations share a common goal of having consistent approach to categorize, classify important content from its creation, retention and disposal. In achieving this goal it’s critical that administrators and Information Management teams carefully plan and test their data governance strategy.
Hope this post helps.
Big Thanks to Vikas Soundade (Support Escalation Engineer) for authoring this post and Linda Harrell (Supportability PM – Information Protection) & Bhalchandra Atre (Supportability PM – Exchange) for reviewing this post.
Related Posts
The above was provided from Microsoft Security and Compliance blogs at TechCommunity