M365 Retention Policies: Automating Data Governance and Compliance
Master Microsoft 365 retention policies to automate data governance, ensure compliance, and mitigate legal risks without relying on manual user intervention.
In a modern enterprise, data sprawl is an inevitability. Between Teams chats, SharePoint libraries, and endless OneDrive syncs, your organization is likely sitting on a mountain of digital liability.
As a security engineer, I’ve seen the same story play out too many times: a legal discovery request hits, or a compliance audit is triggered, and suddenly everyone is scrambling because data was either deleted too soon or—more commonly—kept for far too long.
A retention policy isn’t just another checkbox in Microsoft 365; it’s your primary defense against accidental data loss and legal over-exposure. It ensures that critical information is preserved for the required period and, just as importantly, that old data is purged when it no longer serves a business or legal purpose.
Stop relying on users to manage their own data. They won't. Here is how to enforce it at the tenant level.
Step 1: Access Microsoft Purview Compliance Portal
First, head over to the Microsoft Purview Compliance Portal.
You’ll need an account with Compliance Administrator or Retention Management permissions. If you’re getting "Access Denied," check your RBAC roles in the Microsoft 365 admin center first.
Step 2: Navigate to Retention Policies
In the left navigation pane, look for Data Lifecycle Management. Depending on your license and UI version, this might still be labeled as Information Governance.
Inside that menu, click on Retention Policies.
Step 3: Create a New Retention Policy
Click + New retention policy to start the wizard.
- Name: Be descriptive. Use something like
Corp-7-Year-Standard-Retention. - Description: Use this to document the "why"—e.g., "Complies with regulatory requirement XYZ for financial record keeping."
Step 4: Choose Locations
Select where this policy should apply. You can go broad or surgical:
- Exchange email: Apply to all mailboxes or specific high-risk users.
- SharePoint sites: Critical for project documentation.
- OneDrive accounts: Often the most overlooked area of data sprawl.
- Microsoft Teams: Essential for capturing chat and channel history.
Step 5: Configure Retention Settings
This is where the actual logic happens. Decide on the action Microsoft 365 should take:
Retention Options:
- Retain items for a specific period: (e.g., 7 years).
- Delete items after a specific period: Useful for "right-to-be-forgotten" scenarios.
- Retain and then delete: The gold standard for most compliance needs.
- Do nothing: Only recommended if you just want to ensure data exists but don't care about purging.
Start the clock based on:
- When the item was created (Standard for most policies).
- When it was last modified (Best for active working documents).
Step 6: Review and Submit
Double-check your logic. Applying a "Delete" policy to the wrong SharePoint site is a fast way to have a very bad Monday. Review the summary and click Submit.
Step 7: The Propagation Period
Retention policies are not instantaneous. In a large tenant, expect it to take up to 24 hours for the policy to propagate and for the "invisible" folders to start populating.
What happens to the data?
Once active, the system works in the background:
- SharePoint & OneDrive: Deleted or modified items are moved to the Preservation Hold Library.
- Exchange: Content is held in the Recoverable Items folder (sub-folder of the mailbox, invisible to users).
- Teams: Messages are preserved in a hidden compliance storage area accessible only via eDiscovery tools.
Final Thoughts
A well-designed retention policy is invisible to your end-users but invaluable to your legal team. It reduces risk, ensures compliance, and brings order to the chaos of modern collaboration. Configure it correctly once, and let the platform handle the heavy lifting of data governance.