SharePoint Online and ODFB Site Deletion Policies
I was asked to recommend site deletion policies for a client's Office 365 tenant, in addition to methods of house-keeping for ODFB and Office 365 groups. My first thought was SharePoint Site Deletion Policies. as this was the method employed for SharePoint on-site. However, after completing the research, I now believe Office 365 Retention Policies are the best path forward, as these work with not only SharePoint Online, OneDrive for Business and Office 365 Groups, but also Exchange Online.
Read on to learn more:
Volume and complexity of data is increasing daily – email, documents, instant messages, and more. Effectively managing or governing this information is important because of the need to:
- · Comply proactively with industry regulations and internal policies that require content be retained for a minimum period of time – for example, the Sarbanes-Oxley Act might require retention of certain types of content for seven years.
- · Reduce risk in the event of litigation or a security breach by permanently deleting old content that is no longer required to keep.
- · Help organizations to share knowledge effectively and be more agile by ensuring that users work only with content that’s current and relevant to them.
A retention policy in Office 365 can help achieve all of these goals. Managing content commonly requires two actions:
1. Retaining content so that it can’t be permanently deleted before the end of the retention period.
2. Deleting content permanently at the end of the retention period.
A retention policy can:
· Decide proactively whether to retain content, delete content, or both – retain and then delete the content.
· Apply a single policy to the entire organization or just specific locations or users.
· Apply a policy to all content or just content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information.
Retention Policies with Content In-Place
When including a location such as a site or mailbox in a retention policy, the content remains in its original location. People can continue to work with their documents or mail as if nothing’s changed. But if they edit or delete content that’s included in the policy, a copy of the content as it existed when the policy was applied, is retained.
For sites, a copy of the original content is retained in the Preservation Hold library when users edit or delete it; for email and public folders, the copy is retained in the Recoverable Items folder. These secure locations and the retained content are not visible to most people. With a retention policy, people do not even need to know that their content is subject to the policy.
OneDrive Accounts and SharePoint Sites
A retention policy is applied at the level of a site. When including a SharePoint site or OneDrive account in a retention policy, a Preservation Hold library is created, if one doesn’t already exist. The Preservation Hold library is only visible to site collection administrators.
When content is changed, or deleted in a site with a retention policy for the first time since the policy was applied the content is copied to the Preservation Hold Library and allows for the change of the original content. New content (added after policy is applied) isn’t copied to the Preservation Hold library the first time it’s edited, only when it’s deleted. To retain all versions of a file, turn on versioning.
After a retention policy is assigned to a OneDrive account or SharePoint site, content can follow one of two paths:
- If the content is modified or deleted during the retention period, a copy of the original content as it existed when the retention policy was assigned is created in the Preservation Hold library. There, a timer job runs periodically and identifies items whose retention period has expired, and these items are permanently deleted within seven days of the end of the retention period.
- If the content is not modified or deleted during the retention period, it’s moved to the first-stage Recycle Bin at the end of the retention period. If a user deletes the content from there or empties this Recycle Bin (also known as purging), the document is moved to the second-stage Recycle Bin. A 93-day retention period spans both the first- and second-stage recycle bins. At the end of 93 days, the document is permanently deleted from wherever it resides, in either the first- or second-stage Recycle Bin.
Document Versions and Retention Policies
If a document is deleted from a site that’s being retained and document versioning is turned on for the library, all versions of the deleted document are retained.
If document versioning isn’t turned on and an item is subject to several retention policies, the version that’s retained is the one that’s current when each retention policy takes effect. For example, if version 27 of an item is the most recent when the site is retained the first time, and version 51 is the most recent when the site is retained the second time, versions 27 and 51 are retained.
Retaining content for a specific period of time
Retain content indefinitely or for a specific number of days, months, or years. Alternatively, retention policies can also simply delete old content without retaining it.
Applying a Retention Policy to an Entire Organization or Specific Locations
Easily apply a retention policy to an entire organization, entire locations, or only to specific locations or users.
One of the most powerful features of a retention policy is that by default it applies to locations across Office 365, including:
ü Exchange email
ü SharePoint sites
ü OneDrive accounts
ü Office 365 groups (applies to content in the group’s mailbox, site, files, OneNote, and Team conversations. Support for content in Planner, Yammer, and CRM is coming soon.)
ü Exchange public folders
Include or exclude an entire location, such as Exchange email or OneDrive accounts. Like an org-wide policy, if a policy applies to any combination of entire locations, there is no limit to the number of mailboxes or sites the policy can include.
Inclusions or Exclusions
Apply a retention policy to specific users, Office 365 groups, or locations.
However, note that the following limits exist for a retention policy that includes or excludes over 1,000 specific users:
- Retention policies can contain no more than 1,000 mailboxes and 100 sites.
- A Tenant can contain no more than 1,000 such retention policies.
- Retention wins over deletion. Suppose that one retention policy says to delete Exchange email after three years, but another retention policy says to retain Exchange email for five years and then delete it. Any content that reaches three years old will be deleted and hidden from the users’ view, but still retained in the Recoverable Items folder until the content reaches five years old, when it will be permanently deleted.
- The longest retention period wins. If content’s subject to multiple policies that retain content, it will be retained until the end of the longest retention period.
- Explicit inclusion wins over implicit inclusion. This means:
- If a label with retention settings is manually assigned by a user to an item, such as an Exchange email or OneDrive document, that label takes precedence over both a policy assigned at the site or mailbox level and a default label assigned by the document library. For example, if the explicit label says to retain for ten years, but the policy assigned to the site says to retain for only five years, the label takes precedence. Note that auto-apply labels are considered implicit, not explicit, because they’re applied automatically by Office 365.
- If a retention policy includes a specific location, such as a specific user’s mailbox or OneDrive for Business account, that policy takes precedence over another retention policy that applies to all users’ mailboxes or OneDrive for Business accounts but doesn’t specifically include that user’s mailbox.
SharePoint Online and OneDrive for Business
· Holds created for eDiscovery in the Security & Compliance Center (eDiscovery hold)
· Holds created in the eDiscovery Center (eDiscovery hold)
· Document deletion policies (Deletion only)
· In place records management (Retention)
· Site closure and deletion policies (Deletion only)
· Information management policies (Deletion only)
Note that if any of the eDiscovery holds have been used for the purpose of data governance, instead use a retention policy for proactive compliance. Use a hold created in the Security & Compliance Center only for eDiscovery.
Retention Policies Override Information Management Policies
In SharePoint sites, information management policies may be used to retain content. If a retention policy created in the Security and Compliance Center is applied to a site that already uses content type policies or information management policies for a list or library, those policies are ignored while the retention policy is in effect.
A single retention policy can easily apply to an entire organization and locations across Office 365, including Exchange Online, SharePoint Online, OneDrive for Business, and Office 365 groups.
There are several other features that have previously been used to retain or delete content in Office 365. These are listed below. These features will continue to work side by side with retention policies and labels created in the Security & Compliance Center. But moving forward, for data governance, best practice is to use a retention policy or labels instead of these features. A retention policy is the only feature that can both retain and delete content across Office 365.
Ü BEST PRACTICE - To retain or delete content anywhere in Office 365, best practice is to use a retention policy.
Source: Overview of retention policies