Records Management

Manage the complete lifecycle of your organization’s records from creation through final disposition. Declare records, apply retention schedules, and maintain compliance with regulatory requirements for record keeping.

Note: Full records management features require Microsoft 365 E5 or E5 Compliance. Basic retention is available with E3.

Records Lifecycle

  1. Create — Content created in Microsoft 365
  2. Classify — Apply retention label to content
  3. Declare — Mark content as a record
  4. Retain — Hold for required retention period
  5. Dispose — Review and delete when retention expires

Record Types

Record

Content declared as a record cannot be modified or deleted by users. Only admins can unlock it, and all changes are versioned.

  • Locked from editing
  • Deletion blocked
  • Version history preserved
  • Can be unlocked by admin

Regulatory Record

Strictest protection for regulatory compliance. Even admins cannot unlock or delete the content until the retention period expires.

  • Immutable — no modifications
  • Cannot be unlocked
  • Label cannot be removed
  • For SEC 17a-4, FINRA compliance

Retention Triggers

  • When Created — Retention period starts when content is created. Common for transactional records like purchase orders.
  • When Last Modified — Retention starts on the last modification date. Use for documents that are updated over time, like policies.
  • When Labeled — Retention starts when the label is applied. Useful for manual classification scenarios.
  • Event-Based — Retention starts when an event occurs (e.g., contract expires, employee leaves). Requires an event trigger.

Disposition Review

When the retention period ends, items can be reviewed before final disposition:

  • Pending — Awaiting review
  • Approved — Ready for deletion
  • Extended — Retention extended

Review Process

  1. Items enter disposition review queue
  2. Reviewers examine items and decide action
  3. Approved items are permanently deleted
  4. Extended items get new retention period
  5. Proof of disposition is recorded

Common Scenarios

  • Financial Records (SOX) — Retain financial statements, audit reports, and supporting documents for 7 years. Use a regulatory record for immutability.
  • Employee Records — Retain personnel files for the duration of employment plus 7 years. Use an event-based trigger on the termination date.
  • Contracts — Retain for the contract duration plus 6 years. Use an event-based trigger on contract expiration.
  • Healthcare Records (HIPAA) — Retain patient records for 6 years from creation or last effective date. Use regulatory records for audit compliance.
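
The retention triggers and scenarios above reduce to one date calculation per item. The Python sketch below is an added example, not code from this product. The `Item` fields and function names are hypothetical, and two behaviours are assumptions of the model: an event-based label with no recorded event never expires, and a Feb 29 start date rolls back to Feb 28 in a non-leap year.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

class Trigger(Enum):  # the four retention triggers listed on this page
    CREATED = "when_created"
    LAST_MODIFIED = "when_last_modified"
    LABELED = "when_labeled"
    EVENT = "event_based"

@dataclass
class Item:  # hypothetical record metadata, not a product schema
    created: date
    modified: date
    labeled: date
    event_date: Optional[date] = None  # e.g. termination or contract expiry

def add_years(d: date, years: int) -> date:
    # Assumption: Feb 29 maps to Feb 28 when the target year is not a leap year.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_end(item: Item, trigger: Trigger, years: int) -> Optional[date]:
    # Returns the expiry date, or None when the retention clock has not started.
    start = {
        Trigger.CREATED: item.created,
        Trigger.LAST_MODIFIED: item.modified,
        Trigger.LABELED: item.labeled,
        Trigger.EVENT: item.event_date,
    }[trigger]
    return None if start is None else add_years(start, years)

def ready_for_disposition(item: Item, trigger: Trigger, years: int, today: date) -> bool:
    # Assumption: an event-based label with no event keeps the item indefinitely.
    end = retention_end(item, trigger, years)
    return end is not None and today >= end

if __name__ == "__main__":
    # Constructed sample: personnel file, employee terminated on a leap day.
    hr = Item(date(2015, 3, 2), date(2019, 6, 1), date(2015, 3, 9), date(2024, 2, 29))
    print(retention_end(hr, Trigger.EVENT, 7), retention_end(hr, Trigger.CREATED, 7))
```

Running the same item through `Trigger.CREATED` and `Trigger.EVENT` shows how far the disposal date moves when a personnel file is labeled with the wrong trigger.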

Reports

  • Label Activity — Track which labels are applied, by whom, and where. Identify classification gaps.
  • Disposition — Items pending review, approved, extended. Volume over time. Reviewer workload.
  • Records Declared — How many items declared as records. Breakdown by location and label.
  • Policy Matches — Items matching auto-labeling policies. Review for accuracy.

Best Practices

  • Create a file plan first — Map your records requirements before implementing in Microsoft 365
  • Use auto-labeling where possible — Reduce manual effort with auto-labeling based on content or location
  • Enable disposition review — Human review before deletion provides defensibility
  • Document regulatory citations — Link retention requirements to specific regulations for audit

API Reference

  • GET /api/compliance/records-management/file-plan — Get file plan structure
  • GET /api/compliance/records-management/labels — List retention labels
  • GET /api/compliance/records-management/disposition — Get items pending disposition
  • POST /api/compliance/records-management/events — Trigger retention event
  • GET /api/compliance/records-management/reports — Get records management reports