top of page

The Ultimate Guide to Mastering Data Lifecycle Management with Microsoft Purview: Part 3



Introduction

Welcome to Part 3 of my series on data lifecycle management! If you haven’t had a chance to check out the previous parts, here they are: Part 1, Part 2.

In this section of the blog, I’ll be covering the core uses of Microsoft Purview Data Lifecycle Management, including a breakdown of its benefits and key features. We’ll explore the differences between Adaptive and Static policy scopes, discuss support for Administrative Units, and walk through the setup process for creating retention policies. Additionally, I’ll guide you on managing retention exceptions, auto-applying retention labels, updating and deleting retention labels, and locking policies.


It's worth noting that this overview only scratches the surface of data lifecycle management. Given the various limitations, considerations, and nuances involved, I might consider a separate series focused solely on these aspects in the future. Let me know if you’d be interested in a deep dive into these limitations and implementation tips!


Table of contents


Microsoft Purview Data Lifecycle Management

Microsoft Purview Data Lifecycle Management (previously known as Microsoft Information Governance) enables you to retain essential content while removing unnecessary data. This approach supports compliance, meets regulatory standards, and mitigates business risks, such as reducing your attack surface. It also saves on storage costs by eliminating stale data.


You can apply retention policies organisation-wide (e.g., all mailboxes or SharePoint sites) or to specific groups (e.g., certain departments). For individual exceptions, like legal documents needing longer retention, use retention labels that users can apply manually or automatically based on content.

Retention labels are also key for Adaptive Protection and insider risk management, where the system automatically applies the appropriate label and policy. For managing high-value records, use retention labels with Records Management, not just Data Lifecycle Management.


Adaptive and static policy scopes

Before creating a retention policy, you need to determine if you want to use an adaptive or static scope:

Adaptive scope: Requires creating one or more adaptive scopes based on dynamic queries that run daily against attributes (e.g., job title). This type automatically includes users or content that matches the criteria.

Static scope: Applies broadly to all instances or specific locations by manually selecting them. You must update it manually for changes, like new users or departments.


Below table illustrates the advantages and limitations of adaptive and static policy scopes:

 

Adaptive Scopes

Static Scopes

Advantages

Dynamic flexibility: Automatically updates based on user or content attributes, making it easier to manage policies as organisational structures change.

Powerful targeting: Tailor policies to specific groups, such as geographic regions or job titles, without maintaining separate user groups.

Fewer policies needed: Reduce complexity by applying to multiple locations (e.g., Teams, Viva Engage) within a single policy.

Supports inactive mailboxes: Allow retention settings for inactive users, which static scopes don't.

Resilience against organisational changes: Adjusts dynamically to user role changes, reducing the need for manual updates.

Simplicity: Easier to configure if you want to apply policies to all instances, or a specific few that don’t change frequently.

Support for certain locations: Some workloads, like Skype for Business and Exchange public folders, only support static scopes.

 

Limitations

Complex configuration limits: Attribute and query lengths are capped (e.g., 10,000 characters or 100 attributes per scope).

No Preservation Lock: You cannot apply Preservation Lock with adaptive scopes, which prevents policy changes.

Manual updates: Must be updated manually whenever users or locations change, which adds administrative overhead.

Limited targeting: Cannot dynamically adjust based on attributes like adaptive scopes do, requiring more maintenance.

Support for Administrative Units

Microsoft Purview Data Lifecycle Management supports the use of administrative units configured in Microsoft Entra ID. This allows you to restrict data management tasks based on organisational boundaries, making it easier to delegate responsibilities. You can assign administrative units to members of custom role groups, such as those in Microsoft Purview Records Management. This restricts administrators to managing only the users within their designated administrative units.


Both adaptive and static scopes support administrative units, but it's important to note that administrative units cannot be used for SharePoint sites or Exchange public folders since they are limited to users and groups.


Limitations

Retention labels: Currently, retention labels do not support administrative units.

Restricted administrators: While restricted administrators can create and view adaptive scopes for all units using PowerShell, they are limited in other ways, such as:

o They cannot import PST files using the network upload feature.

o They cannot manage Exchange legacy features like retention policies or journalling rules.

o They only see policies relevant to users within their assigned administrative units.

Inactive mailboxes: These cannot be included in retention policies tied to administrative units. To manage inactive mailboxes, administrators must have unrestricted access and select the "Full directory" option.


Setup process for creating retention policies

Here's a side-by-side comparison of the setup process for creating retention policies for Microsoft Teams and Copilot versus Exchange, SharePoint, OneDrive, Microsoft 365 Groups, and Skype for Business:

Retention Policy Steps

Teams and Copilot

Exchange, SharePoint, OneDrive, M365 Groups, Skype for Business

1. Sign in and Navigate to Retention Policies

Go to Microsoft Purview admin portal > Solutions > Data Lifecycle Management > Policies > Retention Policies.

Go to Microsoft Purview admin portal > Solutions > Data Lifecycle Management > Policies > Retention Policies.

2. Create a New Retention Policy

Click on "New retention policy" and name your policy.

Click on "New retention policy" and name your policy.

3. Assign Administrative Units (if applicable)

If using administrative units, select one or more to restrict the policy to specific users. If not, choose "Full directory."

If using administrative units, select the units to restrict the policy. If not, choose "Full directory" to include SharePoint and Exchange public folders.

4. Choose Policy Type

Select either Adaptive or Static based on your needs. Ensure adaptive scopes are set up if using an adaptive policy.

Choose either Adaptive or Static policy based on your setup. Note: Adaptive policies do not support Exchange public folders or Skype for Business.

5. Select Locations

  • Adaptive Policies: Select appropriate adaptive scopes (e.g., Teams chats or Teams channel messages).

  • Static Policies: Choose from:

- Teams channel messages: Standard/shared channel chats and meetings.

- Teams chats and Copilot interactions: 1:1 chats, group chats, meetings, and Microsoft Copilot prompts/responses.

- Teams private channel messages: Private channel chats and meetings (cannot combine with other Teams locations).

  • Adaptive Policies: Select pre-created adaptive scopes and applicable locations (e.g., Exchange mailboxes, not SharePoint). * Static Policies: Toggle on/off desired locations: - Exchange mailboxes and public folders - SharePoint sites and OneDrive accounts - Microsoft 365 Group mailboxes & sites - Skype for Business - You can apply the policy to the entire location or specify includes and excludes.

6. Decide Retention Actions

Configure retention settings: - Retain indefinitely - Retain for a period, then delete - Delete after a specific period.

Configure retention settings:

- Retain

- Delete

- Retain and then delete after a specified time.

7. Complete and Save

Finalise your configuration and save the retention policy.

Finalise your settings and save the retention policy.

Known Configuration Issues

- Retention period always starts based on item creation date.

- Avoid selecting guests and non-mailbox users.

- Include call data records by selecting "Teams chats."

- Restricted admins cannot configure retention policies for SharePoint or Exchange public folders.

- Ensure the correct scope is chosen based on admin rights.

After submitting retention policies for workloads and label policies to auto-apply retention labels, allow up to 7 days for the retention settings to take effect on content.


Managing retention exceptions

Sometimes you may need to create retention labels for exceptions to your retention policies. Retention policies apply automatically to all items at the container level (e.g., SharePoint sites, user mailboxes), while retention labels apply to individual items, such as specific SharePoint documents or emails.

Before using retention labels, familiarise yourself with retention principles. Typically, retention labels extend the retention period for specific items beyond an applied policy or override automatic deletion at the end of the retention period. For example, if most SharePoint content is retained for three years, but certain contract documents must be retained for seven years, you can apply retention labels to these exceptions after assigning the general retention policy.


Auto-Applying Retention Labels

Retention labels can be automatically applied based on specific conditions, minimising the need for user intervention. This feature offers several advantages:

  • Users aren’t required to classify content, reducing reliance on them for correct classification.

  • It simplifies data governance, allowing users to focus on their tasks.

You can auto-apply labels when content lacks an existing label or contains sensitive information, keywords, or matches trainable classifiers. Additionally, labels can be applied to cloud attachments in SharePoint or OneDrive.


Auto-labeling Workflow:

  1. Create an auto-labeling retention policy.

  2. Run the policy in simulation mode and review results.

  3. Refine the policy if needed and rerun the simulation.

  4. Deploy the policy once satisfied.


Considerations for Simulation Mode:

  • Up to 30 simulation jobs can run every 12 hours.

  • Maximum of 100 item samples per mailbox.

  • Simulation results expire in seven days.


Updating and Deleting Retention Labels

Changes in configuration for auto-apply policies will be applied to both existing and new content. However, certain settings cannot be altered after creation, including the label name and retention settings (except the retention period).

To delete a retention label, ensure it meets these conditions:

  • Not included in any retention policy.

  • Not configured for event-based retention.

  • Not marking items as regulatory records.

If all conditions are met, you can delete a standard retention label even if applied to items.


Locking Policies

To prevent changes to retention policies, consider using Preservation Lock, which restricts modifications to retention policies and label policies.


Conclusion

In conclusion, Microsoft Purview Data Lifecycle Management provides powerful tools to help you retain necessary content and securely dispose of what’s no longer needed, streamlining compliance and reducing risks across your organisation. While this post offers an overview of key features and setup processes, it’s always wise to refer to Microsoft’s official documentation for the latest details on limitations, specific scenarios, and best practices. Staying informed on these can help ensure you’re implementing data lifecycle management effectively and in line with evolving compliance needs.


 




You are reading "The Ultimate Guide to Mastering Data Lifecycle Management with Microsoft Purview: Part 3"

2 Comments


Guest
Nov 08

Your post about Data Lifecycle Management is very interesting. I wanted to ask if a retention policy was created 7 days ago, but there hasn't been any effect on the emails yet, what should I check to ensure the policy is work? Because the status of policy is Enabled (Success) thank you

Like
welka2111
Nov 10
Replying to

Hey! Thanks for your feedback :) You can check if the policy has been applied using Get-Mailbox <username> | FL LitigationHoldEnabled,InPlaceHolds from Exchange Online PowerShell. Reference doc here: https://learn.microsoft.com/en-us/microsoft-365/compliance/ediscovery-identify-a-hold-on-an-exchange-online-mailbox?view=o365-worldwide

Like
bottom of page