Fixing your retention policies: How do we get started?
Written by Connor Dean | Modern Workplace Specialist
Identifying if your policies are a problem
Many organisations disregard their retention policies, typically implementing policies that target too broad a scope and likely retain everything for longer than necessary.
This needs to be fixed! The issues likely won't be seen straight away: some occur within a few months, while others take years to reveal themselves.
If you have any policy that retains information indefinitely and is also scoped to a full category, then you have a problem.
The biggest issue, and the first you will see, is with Exchange: emails build up quickly over time, and the retained items are hidden from view for a normal user (only complicated PowerShell can uncover the truth; even the Exchange Admin Centre doesn't help you out much).
Where do I find my policies?
Ensure you have valid permissions for the actions we will perform.
Ideally you would be a Purview administrator, and within Purview it is recommended that you have the Compliance Administrator role group assigned.
Start by logging into https://purview.microsoft.com.
Under your Solutions tab, select Data Lifecycle Management and you're then greeted with a new area.
As you can see, I have a Demo - Retain Everything policy to show how most orgs retain their data. It's configured to keep all Exchange, SharePoint, OneDrive and MS365 Group mailboxes & Sites indefinitely.
Ideally, we should have these separated!
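The same check can be made from Security & Compliance PowerShell. This is an added example, not part of the original article: it flags any policy that is scoped to a whole workload and has a rule with no end date. The helper name `Test-BroadIndefinitePolicy` and the sample objects are constructed, and it assumes tenant-wide locations appear as entries whose `Name` is `All`.

```powershell
# Added example: flags retention policies scoped to a whole workload ("All")
# whose rule keeps content with no end date.
function Test-BroadIndefinitePolicy {
    param(
        [Parameter(Mandatory)] $Policy,  # one object from Get-RetentionCompliancePolicy -DistributionDetail
        $Rules = @()                     # output of Get-RetentionComplianceRule -Policy <that policy>
    )
    $locationProps = 'ExchangeLocation', 'SharePointLocation', 'OneDriveLocation', 'ModernGroupLocation'
    # Workloads where the policy targets everything rather than named mailboxes or sites
    $broad = foreach ($prop in $locationProps) {
        if (@($Policy.$prop | ForEach-Object { $_.Name }) -contains 'All') { $prop }
    }
    # Rules that retain forever (string comparison is case-insensitive)
    $indefinite = @($Rules | Where-Object { "$($_.RetentionDuration)" -eq 'Unlimited' })
    [pscustomobject]@{
        Policy          = $Policy.Name
        BroadWorkloads  = @($broad)
        IndefiniteRules = @($indefinite | ForEach-Object { $_.Name })
        NeedsSplitting  = (@($broad).Count -gt 0 -and $indefinite.Count -gt 0)
    }
}

# Constructed sample objects shaped like the cmdlet output (assumption: location entries expose .Name)
$all = [pscustomobject]@{ Name = 'All' }
$demoPolicy = [pscustomobject]@{
    Name = 'Demo - Retain Everything'
    ExchangeLocation = @($all); SharePointLocation = @($all)
    OneDriveLocation = @($all); ModernGroupLocation = @($all)
}
$demoRule = [pscustomobject]@{ Name = 'Demo rule'; RetentionDuration = 'Unlimited'; RetentionComplianceAction = 'Keep' }
$testPolicy = [pscustomobject]@{
    Name = 'Test - 7 day mailbox'    # constructed name
    ExchangeLocation = @([pscustomobject]@{ Name = 'test.mailbox@contoso.example' })
}
$testRule = [pscustomobject]@{ Name = 'Test rule'; RetentionDuration = 7; RetentionComplianceAction = 'KeepAndDelete' }

Test-BroadIndefinitePolicy -Policy $demoPolicy -Rules $demoRule
Test-BroadIndefinitePolicy -Policy $testPolicy -Rules $testRule

# Against a live tenant (needs the ExchangeOnlineManagement module and the role group above):
# Connect-IPPSSession
# Get-RetentionCompliancePolicy -DistributionDetail | ForEach-Object {
#     Test-BroadIndefinitePolicy -Policy $_ -Rules (Get-RetentionComplianceRule -Policy $_.Name)
# }
```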
Creating new individual policies
Creating new policies is easy; I will demonstrate a new Exchange policy below. As mentioned, Exchange should ideally not be keeping items indefinitely, but if you're in a transitional period, maintaining the existing settings lets you test separately.
Start by clicking New Policy, then provide a Name and Description.
Then, choose your retention type. It's likely for now you will stick with Static.
Next, choose your retention settings. In this case I would select only Exchange Mailboxes; we can then add some exclusions so that you can create a testing policy on the side.
With Exchange selected, choose Edit under Excluded. This will typically show only user mailboxes; however, you can also search for Shared Mailboxes, which we shall do. All that is needed is to tick the mailbox to select it and click Done.
Before we finish the policy, configure your retention. Ideally, mimic your old policy for now so that we can test with a separate policy later.
Finally, submit the policy and you're done!
What about testing with another policy?
Similar to our previous policy, create a new one. However, when you reach the point of scoping to your desired resource, ensure that you set Included to be your desired mailbox and leave the rest.
Then configure your new retention for testing. In my case I want to retain only for 7 days (bear in mind this is a test mailbox; on a production mailbox I'd recommend looking at a longer period).
If you're removing items then a disclaimer is shown.
Allow yourself some time to test the policies, see what cleans up and monitor impact. It may be wise to conduct a review of the data, such as setting a tag or an alert rather than deleting immediately so you can verify what would be impacted.
If you need to understand the rules of retention, and how Microsoft decides what takes precedence then the below image is very useful.
In summary
This quickly goes through separating out policies, some recommendations in how to handle testing and some details around what to look out for.
A deeper dive into policies, scoping and testing will likely be published in the future.

