Microsoft 365 – Records Management vs. Information Governance
Intelogy’s Rob Bath explains
I’m sure some of you will have seen Microsoft’s announcement1 last week that their Records Management solution has been released for general availability so I thought it would be worth putting together an overview of how this compares to some of the other retention capabilities within Microsoft 365.
I’ve previously blogged about the (then ‘work in progress’) Records Management solution last summer. If you missed it, take a look here.
Microsoft has been investing a lot of effort over the past 12 months into porting functionality from their legacy ‘Office 365 Security and Compliance Center’ into the new, separate ‘Microsoft 365 Security Center’ and ‘Microsoft 365 Compliance Center’. As part of this process, existing records management and retention features have been moved across and have found new homes within the new Compliance Center.
As the dust beings to settle, we are starting to see how functionality will be structured within the Compliance Center. Last week’s announcement of the launch of the Records Management Solution sees Microsoft separating their Information Governance features from their Records Management features, both of which are now provided as two distinct, if partially overlapping, tools.
So, let’s take a closer look at the new features and what can be found within these two solutions:
The Information Governance area grants access to the following tools:
What is a Retention Label?
Retention Labels are one of the data governance features that you can find within the Microsoft 365 Compliance Center. They are used to make sure that the documents and emails that your organisation need to keep hold of cannot be deleted, while at the same time getting rid of much of the low value (junk) content that is clogging up your storage.
If your organisation isn’t already using Retention Labels you’re missing out – why not get in touch with Intelogy today to find out how we can help you?
This tool provides the ability to create and maintain Retention Labels which can be used to classify content across Exchange email, Office 365 groups, OneDrive and SharePoint. Users cannot delete content that has been tagged with a retention label until the end of the retention period, at which point the items are either automatically deleted, or subject to a disposition review.
Users with premium licences (Office 365 E5/A5; Office 365 Advanced Compliance; Microsoft 365 E3/A3/E5/A5; Microsoft 365 compliance or Microsoft 365 Information Protection and Governance) can also take advantage of the ability to automatically apply retention labels to content
- Label Polices
It’s best to think of Label Policies as a way to associate different parts of Microsoft 365 with a collection of Retention Labels. Effectively, with Label Polices you can group together a sub-set of your labels, allowing you to only expose classifications in relevant areas of your tenancy.
I find Import a rather unusual tool to find within the Information Governance area. Functionally this tool allows you to import Outlook .PST files into Microsoft 365. The thinking behind this seems to be to empower Information Management professionals to import email archives, so that these files can be subject to the benefits provided by some of Microsoft 365’s other Compliance features, including eDiscovery, holds, retention and data subject requests.
Retention Policies can be found within the Retention section of Information Governance. Retention Polices allow you to apply a broad-brush blanket single retention period to all of the content stored in entire sites or inboxes. Invisible to users, Retention Policies ensure deleted content is retained for the duration of the retention period.
When the retention period ends, Retention Policies allow you to choose to automatically delete the content, but unlike Retention Labels, Retention Policies do not allow you to route content for disposition review.
‘Archive’ provides the ability to enable or disable archive mailboxes for specific users. When enabled, the given users will receive an Archive folder in Outlook, providing them with additional space for storing their mail. The Archive tool can be used in conjunction with Exchange retention policies (not to be confused with the Microsoft 365 Compliance Center’s Retention Policies mentioned above), which can be used to move older content into the archive folders.
While I can see some synergies, both the Archive and the Import tools feel a little lost in the Information Governance area. Perhaps it’s just me, but I feel these are functions that will often be more useful to an IT team than to people working in Compliance or Governance.
Given that both Retention Labels and Retention Policies can both be found within the Information Governance area, what exactly can be found within the new Records Management solution?
- File Plan
The File Plan area provides an alternative location for creating Retention Labels. That’s right, you can create Retention Labels in two separate locations in the Microsoft 365 Compliance Center. However, it’s important to note that there are a couple of key functional differences.
Firstly, the File Plan tool allows you to download your Retention Labels into a csv, edit them and reimport them. I can see this tool being quite useful when managing large file plans, but be warned, it might prove a little tricky to make sure you get the formatting accurate before you will be able to successfully upload your labels.
Secondly, the File Plan tool provides you with the ability to categorise your Retention Labels with ‘File Plan Descriptors’. These seem to provide the ability to tag and sort your labels, which I can see being quite useful if you have hundreds of labels to maintain. However, File Plan Descriptors do feel like they are still work in progress, for example, I can’t yet see how you can remove any of the out of the box descriptors that are provided by Microsoft (if anyone has found a way, please get in touch to let me know!)
Finally, and far more importantly, Retention Labels created in the Records Management solution can be used to make content immutable. You see, when creating Retention Labels in the Records Management solution you have access to an additional check box that is not available when creating Retention Labels via the Information Governance area:
Hang on, haven’t we seen this before?
Well yes, Retention Labels have had this function for several years now. This isn’t a new capability that’s been added, it’s actually a capability that has been removed from the Information Governance area.
In fact, the only scenario I can think of where making content immutable when it is labelled is using default Retention Labels on an archive. This would mean that content moved into a specific location could be automatically converted into a record as soon as it enters the library. This, however, feels to me a bit like the old legacy EDRM systems, where files needed to be moved into a separate system for archival – something that sounds great on paper, but tends to rely heavily on having staff who are well-versed in information management.
In my experience, most organisations want to be able to label content when it is created, then trigger immutability later (perhaps based on an event or a date) – something that is only possible with Retention Labels if immutability is applied to content at a later time via PowerShell (and not via the ‘Use label to classify content as a “Record”’ checkbox).
- Label Polices
As far as I can tell, Label Polices are functionally identical in both the Records Management and Information Governance areas. Irrespective of where they are created, Label Policies are used to associate groups of labels with specific sites and inboxes.
Event-driven retention is a great way of setting up a trigger for the start of retention periods. Requiring one of the premium licences (Office 365 E5/A5; Office 365 Advanced Compliance; Microsoft 365 E3/A3/E5/A5; Microsoft 365 compliance or Microsoft 365 Information Protection and Governance), events allow you to start retention periods when things change in your organisation. For example, you could have an event that fires when a project closes, which automatically starts retention on all content that has been associated with the given project.
As you can probably imagine, event-driven retention takes a bit of leg-work to set up – planning for the events really needs to be central to the architecture of your content’s structure and classification – however, the outcome can be lead to really compliant solutions that dispose of content in alignment with regulation/legislation.
[I’m now wondering why I’ve not yet put together a detailed blog covering how useful this could be – expect one over the next week or so!]
Providing the location for undertaking disposition reviews, this area is an essential component of most records management solutions that use Retention Labels. The Disposition tab provides a summary of how many items are currently awaiting disposition review for each Retention Label. Selecting a given Retention Label provides two reports:
- Pending Dispositions – which details items that have currently passed the end of their retention periods and is currently awaiting review
- Disposed items – which previously listed items that have been approved for deletion, but which hadn’t yet been actually deleted. However, Microsoft’s updated documentation2 states that “Items that are shown in the Disposed Items tab for record labels are kept for up to 7 years after the item was disposed”. If I’m reading this right then it’s really exciting as Microsoft is finally providing a step towards proof of disposition within Microsoft 365.
By far the most significant aspect of the new Records Management solution for me is the step towards providing proof of disposition. This was certainly the single largest gap in the Microsoft 365 retention story, and I can’t wait to get my hands on this new feature. This was the number one question I’ve been asked pretty much every time I’ve presented to the Information Management community – so I’m delighted to now have a great answer to provide.
With regards to the overall architecture of the Information Governance and Records Management solution, I have to admit I’m still a little bit confused by the way that functionality has been separated. I see Records Management as part of Information Compliance, so personally feel both should be stored in a single part of the Microsoft 365 Compliance Center.
Everything in the Records Management area fits well together providing a tidy retention solution. However, the Information Governance area seems a little disjointed, providing a combination of both retention features mixed together with some largely unrelated Exchange import/archival capabilities. I’m equally confused by why Retention Policies are now the only part of the Microsoft 365 retention picture that are not located within the Records Management solution.
In their FAQ’s, Microsoft explains the differences between the two solutions as follows: “While our Information Governance solution focuses on providing a simple way to keep the data you want and delete what you don’t, the Records Management solution is geared towards meeting the record-keeping requirements of your business policies and external regulations. This will be the only location where you can create record labels or take advantage of some of our more advanced processes such as disposition review”.
Certainly, all of Microsoft’s ongoing investment into records management within Microsoft 365 will continue to enhance the features provided within the Compliance Center. While Microsoft hasn’t yet announced that they will disable legacy approaches to records management (e.g In Place and Record Centers), it would certainly be worth any organisations still relying on these features to start to plan for adopting Retention Labels and Policies.
Intelogy boasts some of the foremost authorities in delivering exceptional Microsoft 365 information governance solutions. One of a handful of organisations to have been selected by Microsoft as providing ‘preferred’ Content Services, Intelogy can ensure that you get the most out of Microsoft 365’s Compliance and Security features.
Need help or looking for guidance – don’t hesitate to get in touch!
1. Announcing general availability of Records Management, Roberto Yglesias, Microsoft, https://techcommunity.microsoft.com/t5/security-privacy-and-compliance/announcing-general-availability-of-records-management/bc-p/1352293#M1447, sourced 30/04/2020.
2. Disposition of records, Microsoft Docs., https://docs.microsoft.com/en-gb/microsoft-365/compliance/disposition?view=o365-worldwide#how-long-until-disposed-content-is-permanently-deleted, sourced 05/05/2020.