SharePoint Online and ODFB Site Deletion Policies
I was asked to recommend site deletion policies for a client's Office 365 tenant, in addition to methods of house-keeping for ODFB and Office 365 groups. My first thought was SharePoint Site Deletion Policies. as this was the method employed for SharePoint on-site. However, after completing the research, I now believe Office 365 Retention Policies are the best path forward, as these work with not only SharePoint Online, OneDrive for Business and Office 365 Groups, but also Exchange Online.
Read on to learn more:
Retention Policies
Volume and complexity of data is increasing daily – email,
documents, instant messages, and more. Effectively managing or governing this
information is important because of the need to:
- ·
Comply
proactively with industry regulations and internal policies that require content
be retained for a minimum period of time – for example, the Sarbanes-Oxley Act
might require retention of certain types of content for seven years.
- ·
Reduce
risk in the event of litigation or a security breach by permanently
deleting old content that is no longer required to keep.
- ·
Help organizations
to share knowledge effectively and be more agile by ensuring that users
work only with content that’s current and relevant to them.
A retention policy in Office 365 can help achieve all of
these goals. Managing content commonly requires two actions:
1.
Retaining
content so that it can’t be permanently deleted before the end of the retention
period.
2.
Deleting
content permanently at the end of the retention period.
A retention policy can:
·
Decide proactively whether to retain content, delete content, or both
– retain and then delete the content.
·
Apply a
single policy to the entire organization or just specific locations or
users.
·
Apply a
policy to all content or just content meeting certain conditions, such as
content containing specific keywords or specific types of sensitive
information.
Retention Policies with Content In-Place
When including a location such as a site or mailbox in a
retention policy, the content remains in its original location. People can
continue to work with their documents or mail as if nothing’s changed. But if
they edit or delete content that’s included in the policy, a copy of the
content as it existed when the policy was applied, is retained.
For sites, a copy of the original content is retained
in the Preservation Hold library
when users edit or delete it; for email and public folders, the copy is
retained in the Recoverable Items
folder. These secure locations and the retained content are not visible to most
people. With a retention policy, people do not even need to know that their
content is subject to the policy.
v Skype content is stored in Exchange,
where the policy is applied based on message type (email or conversation).
v A
retention policy applied to an Office
365 group includes both the group mailbox and site.
OneDrive Accounts and SharePoint Sites
A retention policy is applied at the level of a site. When including
a SharePoint site or OneDrive account in a retention policy, a Preservation
Hold library is created, if one doesn’t already exist. The Preservation Hold
library is only visible to site collection administrators.
When content is changed, or deleted in a site with a
retention policy for the first time since the policy was applied the content is
copied to the Preservation Hold Library and allows for the change of the
original content. New content (added
after policy is applied) isn’t copied to the Preservation Hold library the
first time it’s edited, only when it’s deleted. To retain all versions of a
file, turn on versioning.
After a retention policy is assigned to a OneDrive account
or SharePoint site, content can follow one of two paths:
- If the content is modified or deleted during the
retention period, a copy of the original content as it existed when the
retention policy was assigned is created in the Preservation Hold library.
There, a timer job runs periodically and identifies items whose retention
period has expired, and these items are permanently deleted within seven
days of the end of the retention period.
- If the content is not modified or deleted during
the retention period, it’s moved to the first-stage Recycle Bin at the
end of the retention period. If a user deletes the content from there or
empties this Recycle Bin (also known as purging), the document is moved to the second-stage
Recycle Bin. A 93-day retention period spans both the first- and second-stage
recycle bins. At the end of 93 days, the document is permanently deleted
from wherever it resides, in either the first- or second-stage Recycle Bin.
v The
Recycle Bin is not indexed and therefore searches do not find content there.
This means that an eDiscovery hold can't locate any content in the Recycle Bin to
hold it.
Document Versions and Retention Policies
If a document is deleted from a site that’s being retained
and document versioning is turned on for the library, all versions of the deleted document are retained.
If document versioning isn’t turned on and an item is
subject to several retention policies, the version that’s retained is the one
that’s current when each retention
policy takes effect. For example, if version 27 of an item is the most
recent when the site is retained the first time, and version 51 is the most
recent when the site is retained the second time, versions 27 and 51 are
retained.
Retaining content for a specific period of time
Retain content indefinitely or for a specific number of
days, months, or years. Alternatively, retention policies can also simply
delete old content without retaining it.
v The
duration for how long content is retained is calculated from the age of the content, not from
when the retention policy is applied.
v Choose
whether the age is based on when the content was created or (for
OneDrive and SharePoint) when it was last modified.
Applying a Retention Policy to an Entire Organization or Specific Locations
Easily apply a retention policy to an entire organization,
entire locations, or only to specific locations or users.
Org-wide policy
One of the most powerful features of a retention policy is
that by default it applies to locations across Office 365, including:
ü
Exchange email
ü
SharePoint sites
ü
OneDrive accounts
ü
Office 365 groups (applies to content in the
group’s mailbox, site, files, OneNote, and Team conversations. Support for
content in Planner, Yammer, and CRM is coming soon.)
ü
Exchange public folders
v There
is no limit to the number of mailboxes or sites the policy can include.
v For
Exchange, any new mailbox created after the policy is applied will
automatically inherit the policy.
v Limit
of 10 org-wide policies and entire-location policies combined per tenant.
Entire Locations
Include or exclude an entire location, such as Exchange
email or OneDrive accounts. Like an org-wide policy, if a policy applies to any
combination of entire locations, there is no limit to the number of mailboxes
or sites the policy can include.
v Limit
of 10 org-wide policies and entire-location policies combined per tenant.
Inclusions or Exclusions
Apply a retention policy to specific users, Office 365
groups, or locations.
However, note that the following limits exist for a
retention policy that includes or excludes over 1,000 specific users:
- Retention policies can contain no more than
1,000 mailboxes and 100 sites.
- A Tenant can contain no more than 1,000 such
retention policies.
- Retention
wins over deletion. Suppose that one retention policy says to delete
Exchange email after three years, but another retention policy says to retain
Exchange email for five years and then delete it. Any content that reaches
three years old will be deleted and hidden from the users’ view, but still
retained in the Recoverable Items folder until the content reaches five years
old, when it will be permanently deleted.
- The
longest retention period wins. If content’s subject to multiple policies
that retain content, it will be retained until the end of the longest retention
period.
- Explicit
inclusion wins over implicit inclusion. This means:
- The shortest deletion period wins. Similarly, if content’s subject to multiple policies that delete content (with no retention), it will be deleted at the end of the shortest retention period.
- If a label with retention settings is manually assigned by a user to an item, such as an Exchange email or OneDrive document, that label takes precedence over both a policy assigned at the site or mailbox level and a default label assigned by the document library. For example, if the explicit label says to retain for ten years, but the policy assigned to the site says to retain for only five years, the label takes precedence. Note that auto-apply labels are considered implicit, not explicit, because they’re applied automatically by Office 365.
- If a retention policy includes a specific location, such as a specific user’s mailbox or OneDrive for Business account, that policy takes precedence over another retention policy that applies to all users’ mailboxes or OneDrive for Business accounts but doesn’t specifically include that user’s mailbox.
SharePoint Online and OneDrive for Business
Note that if any of the eDiscovery holds have been used for
the purpose of data governance, instead use a retention policy for proactive
compliance. Use a hold created in the Security & Compliance Center only for
eDiscovery.
Retention Policies Override Information Management Policies
In SharePoint sites,
information
management policies may be used to retain content. If a retention policy
created in the Security and Compliance Center is applied to a site that already
uses content type policies or information management policies for a list or
library, those policies are ignored while the retention policy is in effect.
Summary
A single retention policy can easily apply to an entire
organization and locations across Office 365, including Exchange Online,
SharePoint Online, OneDrive for Business, and Office 365 groups.
There are several other features that have previously been
used to retain or delete content in Office 365. These are listed below. These
features will continue to work side by side with retention policies and labels
created in the Security & Compliance Center. But moving forward, for data
governance, best practice is to use a retention policy or labels instead of these
features. A retention policy is the only feature that can both retain and
delete content across Office 365.
Ü BEST PRACTICE - To retain or delete content
anywhere in Office 365, best practice is to use a retention policy.