Purview Data Lifecycle Management:
Use Data Retention to Reduce Risk
In the past few months, I have discussed the first three foundational elements of Microsoft Purview Compliance:
- Use Purview Content Explorer searches to identify where sensitive data exists in your tenant,
- Use Purview Data Loss Prevention (DLP) policies to prevent sensitive data from being shared outside the organization, and
- Use Sensitivity Labels to identify and protect sensitive data files.
Today, I will cover the final pillar—governing your data with Purview Data Lifecycle Management, which lets you define retention policies and retention labels that enforce your organization's retention requirements.
These retention controls give you the ability to both broadly and granularly define how and/or when data should be automatically retained or deleted per organizational policy.
The Risk of Stale Data
Stale sensitive data takes up a significant amount of space in most organizations, and the file retention method of “keep everything forever” is certainly the most common. It is easy to keep enormous amounts of electronic data, and it is often far easier to justify paying for extra storage than to get people to spend time defining their true retention needs and then cleaning up the old data manually.
There is a significant (and almost hidden?) risk to this approach… What happens when there is a breach?
Stale sensitive data does not provide any real value to an organization, but it will certainly cost you if it is exfiltrated. The scope of a breach, the number of records disclosed, and the amount of reporting and remuneration owed to impacted parties are likely to be far, far larger than if only required data had been in the environment at the time of a security event. That will make the cost of cleaning house and deleting unneeded data look small in comparison, and the public relations damage may never be repaired.
Enter Purview Data Lifecycle Management…
Purview provides an elegant solution to this and can take over much of the attention and time that a manual retention process would require. Today, I will walk through a few common scenarios and features that are used to automate the retention of data in your Microsoft 365 tenant.
The example I will start with is a blanket corporate retention policy that dictates that all user OneDrive data is to be retained for 3 years for compliance purposes, but all OneDrive data will be deleted after 7 years to minimize stale data. I will develop on this scenario as we go through the exercise and show how to add more granular controls to that policy as it changes with business requirements.
Each of the steps below has configuration options that determine what the labels do and what impact users will see. Please exercise caution and apply these only in a test environment before making any changes to a production environment.
Retention Policies vs. Retention Labels and Label Policies
To set the stage, Purview has two basic ways to apply retention and deletion settings to files and email:
Retention Policies
This is a broad policy that defines basic retention settings, usually based on a location (OneDrive, a SharePoint folder, a Teams file store, etc.). Any files in that location are acted upon the same way. If a file is moved to another location, the retention or deletion settings of the original location no longer apply to that file.
Retention Labels and Label Policies
Like sensitivity labels, you can create and publish retention labels that enforce specific requirements, publish those labels to groups, and then label individual files. These labels are connected to the files themselves, regardless of location. Retention and deletion rules are enforced on that file going forward no matter where it is stored.
Because the example policy above requires all OneDrive data to be retained and then deleted across the board, we will create two new location-based Retention Policies per the screenshots below, starting with the policy to retain all OneDrive files for 3 years:
And we will create a static policy, since the requirement only applies to data in OneDrive:
Select OneDrive as the location to apply the policy to:
And then select the retention period and deletion settings:
The policy described above will prevent OneDrive items from being deleted for 3 years. After 3 years, users can delete files as they wish.
Here is a subsequent retention policy to force deletion of files after 7 years to enforce the cleanup of stale data:
Again, choose a static policy:
Select OneDrive as the location:
And select the option to force delete items past a certain age:
Now, please note the Warning Message in the summary. Files older than 7 years in OneDrive will start to be deleted. (Please do not test this on your production tenant! You could lose data!):
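The same two location-based policies can be created from Security & Compliance PowerShell instead of the portal; this is an added example, not part of the original post. It assumes the ExchangeOnlineManagement module is installed, the account holds a compliance admin role, and the policy and rule names are arbitrary choices.

```powershell
# Added example: the two OneDrive retention policies from the walkthrough,
# created with Security & Compliance PowerShell. Policy/rule names are assumed.
Connect-IPPSSession

# Policy 1: retain every OneDrive file for 3 years (1095 days, counted from creation).
# Action "Keep" blocks deletion during the period and does nothing afterwards,
# which matches "users can delete files as they wish" after 3 years.
New-RetentionCompliancePolicy -Name "OneDrive - Retain 3 Years" `
    -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "Retain 3 Years Rule" `
    -Policy "OneDrive - Retain 3 Years" `
    -RetentionDuration 1095 `
    -RetentionComplianceAction Keep `
    -ExpirationDateOption CreationAgeInDays

# Policy 2: delete OneDrive files older than 7 years (2555 days) without retaining them.
# This is the policy the warning message in the summary refers to.
# Where both policies apply to one item, retention wins over deletion, so a file
# is never removed inside its 3-year retention window.
New-RetentionCompliancePolicy -Name "OneDrive - Delete After 7 Years" `
    -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "Delete After 7 Years Rule" `
    -Policy "OneDrive - Delete After 7 Years" `
    -RetentionDuration 2555 `
    -RetentionComplianceAction Delete `
    -ExpirationDateOption CreationAgeInDays

# Verify both policies reached OneDrive: DistributionStatus should read "Success".
# It reports "Pending" while the policy is still propagating to the workload.
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object Name -like "OneDrive - *" |
    Select-Object Name, Enabled, DistributionStatus
```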
Define and Publish a Label to Override the 7-Year Deletion Policy
Let’s evolve the requirements a bit. After much outcry from the Marketing Department, management has decided to allow people to manually label certain OneDrive documents, so those files are exempt from being automatically deleted. Let’s explore how to do that, and again, you’ll notice that this process is very similar to creating and publishing sensitivity labels:
Name the label something descriptive, as the users will see this description:
Define the retention settings:
Select the retention period and click Create:
The label is now defined and ready to be published by going to the Label Policies screen and then Publish Labels by doing the following:
Within a few days, users will see this label available in Microsoft Office to manually apply to any of their files in OneDrive. This is an effective way to provide people with the option to keep certain files (photos, phone lists, and similar) beyond the 7-year policy we configured earlier to delete any unlabeled data after 7 years.
Automatically Apply A Retention Label
Let’s evolve the requirement a bit further still. The CEO has become nostalgic and asked that all photos in OneDrive be automatically retained forever. The compliance team still wants all other kinds of files to be deleted after 7 years, and the Marketing Team wants to give people the option to keep any file forever if they choose. (And they say technology is complex…. 😊)
We can accomplish this with the same “Retain this OneDrive file forever” label, but configure an auto-labeling policy to automatically apply that label to files that have gif, jpg, or png file extensions. Here is the configuration:
Name the auto-labeling policy:
Select the option to label based on file properties:
Enter the list of file types that the label should apply to. This query screen uses KQL (Kusto Query Language).
Select a static retention policy type so you can scope it to only OneDrive:
Select OneDrive as the location for this auto-label policy to apply to:
Select the same label we configured earlier, since it provides retention forever:
And then decide to either test or run the auto-label policy:
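For the label, its manual publishing policy, and the auto-apply policy for image files, here is the equivalent Security & Compliance PowerShell; this is an added example rather than the post's own configuration. It assumes Connect-IPPSSession has already run and that the policy and rule names are arbitrary choices; the label name is the one used in the text.

```powershell
# Added example: the "retain forever" label, the policy that publishes it for
# manual use, and the auto-apply policy for gif/jpg/png files. Names are assumed.

# 1. The label: keep the file indefinitely. A label's retention setting overrides
#    the 7-year deletion policy because retention always wins over deletion.
New-ComplianceTag -Name "Retain this OneDrive file forever" `
    -Comment "Exempts this file from the 7-year OneDrive cleanup" `
    -RetentionAction Keep -RetentionDuration Unlimited

# 2. Publish the label to OneDrive so users can apply it by hand from Office.
New-RetentionCompliancePolicy -Name "OneDrive - Publish Retain Forever" `
    -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "Publish Retain Forever Rule" `
    -Policy "OneDrive - Publish Retain Forever" `
    -PublishComplianceTag "Retain this OneDrive file forever"

# 3. Auto-apply the same label to image files. -ContentMatchQuery takes the same
#    KQL query string the portal's "file properties" screen accepts.
$imageQuery = "FileExtension:gif OR FileExtension:jpg OR FileExtension:png"
New-RetentionCompliancePolicy -Name "OneDrive - Auto Label Photos" `
    -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "Auto Label Photos Rule" `
    -Policy "OneDrive - Auto Label Photos" `
    -ApplyComplianceTag "Retain this OneDrive file forever" `
    -ContentMatchQuery $imageQuery

# 4. Confirm the label's settings before waiting on the auto-apply run.
Get-ComplianceTag -Identity "Retain this OneDrive file forever" |
    Select-Object Name, RetentionAction, RetentionDuration
```

Auto-apply policies evaluate existing content in the background, so labels appear on older files gradually rather than immediately after step 3.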
Next Steps: Monitor, Gather Feedback, and Refine
Once your retention policies are active and published, you can use Activity Explorer (located under the Data Classification menu) to review any retention labeling activities.
We have now seen how to set up a label, configure retention policies, publish the label so people can apply it manually, and configure Purview to automatically label data that meets specified criteria.
I used some simple examples in the exercise, but hopefully you can see how this would extend into real-world requirements. Corporate policies that dictate retention schedules are the required starting point on this journey, because they define what Purview should be configured to do. Comprehensive data retention programs require a lot of time and effort, but like most things, start small and expand as you go. Just like with sensitivity labeling: introduce this to a willing volunteer group, and closely monitor how labels are used while soliciting feedback from the people who are using them. You will need to tune and refine the labels and your approach over time.
If you want to learn more, my colleagues and I help clients with Purview and data governance planning, design, and retention programs all the time. Please reach out if you need some help!