
Retention Policies

Configure data retention across Microsoft 365 workloads. Retention policies ensure content is kept for compliance requirements and automatically deleted when no longer needed.

Note: If a retention policy says to retain and another says to delete, content is retained. This principle ensures regulatory compliance takes precedence over cleanup operations.

Retention Policy List

| Column | Description |
|---|---|
| Policy Name | Descriptive name for the policy |
| Status | On, Off, or Pending |
| Locations | Workloads covered (Exchange, SharePoint, etc.) |
| Retention Period | How long to retain content |
| Action | What happens after retention (delete, nothing) |
| Created | When policy was created |

Creating a Retention Policy

1. Policy Name and Description

Use descriptive names that indicate purpose and scope: “7-Year Financial Records Retention” or “90-Day Email Cleanup”.

2. Choose Locations

Select which workloads to apply the policy:

  • Exchange Email — User mailboxes, shared mailboxes
  • Exchange Public Folders — Public folder content
  • SharePoint Sites — Sites, document libraries
  • OneDrive Accounts — User OneDrive files
  • Microsoft 365 Groups — Group mailbox and site
  • Teams Channel Messages — Standard and private channels
  • Teams Chats — 1:1 and group chats
  • Yammer — Community messages and files

3. Retention Settings

  • Retain items for a specific period — Keep content for X days/months/years from creation, modification, or labeling
  • Retain items forever — Never automatically delete. Use for permanent records
  • Only delete items older than — Delete content after X period. Use for cleanup policies

4. After Retention Period

  • Delete items automatically — Permanent deletion after period
  • Trigger disposition review — Manual review before deletion
  • Do nothing — Only retain, no automatic deletion

Policy Types

Static Policy

Apply to all content in selected locations. Simple to configure and manage. Use for organization-wide retention requirements.

Example: Retain all Exchange email for 7 years

Adaptive Policy (Preview)

Dynamically apply based on user or content attributes. Policy scope updates automatically as users join/leave or attributes change.

Example: Retain OneDrive for users in Finance department for 10 years

Common Scenarios

  • Regulatory Compliance (SEC 17a-4) — Retain all broker-dealer communications for 7 years with immutable storage. Use preservation lock to prevent policy modification.
  • GDPR Data Minimization — Delete personal data after processing purpose is complete. Combine with retention labels for specific data types.
  • Email Hygiene — Delete email older than 2 years to reduce mailbox sizes and storage costs. Exclude users on legal hold.
  • Teams Chat Cleanup — Delete Teams chats after 90 days. Critical for managing storage and reducing data sprawl.

Exclusions and Inclusions

Include Specific

  • Specific mailboxes or users
  • Specific SharePoint sites
  • Specific M365 Groups
  • Specific Teams

Exclude Specific

  • Executive mailboxes
  • Legal hold sites
  • Archive locations
  • Service accounts

Policy Conflicts

When multiple policies apply to the same content:

  1. Retention wins over deletion — If any policy says retain, content is kept
  2. Longest retention wins — If multiple retention periods, longest applies
  3. Explicit wins over implicit — User-specific policy beats org-wide
  4. Shortest deletion wins — For deletion-only policies, shortest period applies
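
The four rules above, worked through as an added example (not code from this product). The `Policy` fields are hypothetical, ages are counted in days since creation, and rule 3 is assumed to choose between competing delete actions.

```python
from dataclasses import dataclass
from math import inf
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    # Hypothetical model of one policy; field names are assumptions, not the product's schema.
    name: str
    retain_days: Optional[float] = None  # None = does not retain, inf = retain forever
    delete_days: Optional[float] = None  # None = never deletes
    explicit: bool = False               # True = scoped to specific users or sites

def resolve(policies: List[Policy]) -> Tuple[float, Optional[float]]:
    """Return (retain_until, delete_at) as item age in days; delete_at None = never."""
    # Rules 1 and 2: any retain setting holds the item; the longest period applies.
    retain = max((p.retain_days for p in policies if p.retain_days is not None), default=0)
    deleters = [p for p in policies if p.delete_days is not None]
    # Rule 3 (assumed to apply to delete actions): explicit scope beats org-wide.
    candidates = [p for p in deleters if p.explicit] or deleters
    if not candidates or retain == inf:
        return retain, None
    # Rule 4: shortest deletion period among the remaining delete actions.
    delete = min(p.delete_days for p in candidates)
    # Rule 1 again: deletion is deferred until retention has ended.
    return retain, max(delete, retain)

def decision(age_days: float, policies: List[Policy]) -> str:
    """What happens to an item of the given age: 'retain', 'delete' or 'keep'."""
    retain, delete = resolve(policies)
    if age_days < retain:
        return "retain"
    if delete is not None and age_days >= delete:
        return "delete"
    return "keep"  # retention is over and no policy deletes

# Constructed sample policies, named after the examples on this page.
SEVEN_YEARS = Policy("7-Year Financial Records Retention", retain_days=7 * 365)
CLEANUP_90 = Policy("90-Day Email Cleanup", delete_days=90)
USER_CLEANUP = Policy("User-scoped 2-year cleanup", delete_days=730, explicit=True)

if __name__ == "__main__":
    print(resolve([SEVEN_YEARS, CLEANUP_90]))
    print(resolve([CLEANUP_90, USER_CLEANUP]))
    print(decision(100, [SEVEN_YEARS, CLEANUP_90]))
```

Running the resolver over the policies that overlap on a location before enabling a cleanup policy shows whether the cleanup will actually delete anything or be deferred by a longer retention period.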

Preservation Lock

For regulatory requirements like SEC 17a-4:

Warning: Irreversible. Once locked, the policy cannot be disabled or deleted, the retention period cannot be shortened, and locations cannot be removed from the policy. Only Microsoft Support can remove the lock (with regulatory approval).

Monitoring and Reporting

  • Policy deployment status across locations
  • Items pending deletion
  • Items under retention hold
  • Policy sync errors
  • Disposition review queue

API Reference

  • GET /api/compliance/retention-policies — List all retention policies
  • POST /api/compliance/retention-policies — Create new retention policy
  • PUT /api/compliance/retention-policies/:id — Update retention policy
  • GET /api/compliance/retention-policies/:id/status — Get policy deployment status
  • DELETE /api/compliance/retention-policies/:id — Delete retention policy (if not locked)