Managing email records in M365
Updated: Sep 6, 2020
Some emails may be records that should be captured and retained, and Microsoft recommends that you use retention policies and retention labels instead of the old Retention tags and retention policies, also known as messaging records management (MRM).
Below, I summarize how to manage email records in Microsoft 365 (M365), based on Microsoft resources and our experience implementing this at large regulated companies.
The key to excellent records management is automated records management. We at Infotechtion help organizations design automation strategies for information governance based on process, content, job role, history, etc. The last resort is to ask users to manually identify, capture, and classify emails as records.
The new Microsoft Records Management can now be used to manage email records. By using retention labels to declare records, you can implement a single, consistent records-management strategy across your Microsoft 365 environment. In Exchange, an item labeled as a record is immutable until its final deletion. When an Exchange item is labeled as a record, four things happen:
The item can't be permanently deleted.
The item can't be edited.
The label can't be changed.
The label can't be removed.
You can also apply a retention label to a folder. If a folder is labeled as a record, and you move an item into the folder, the item is labeled as a record. If you move the item out of the folder, the item remains labeled as a record.
After retention labels are assigned to content, either by users or auto-applied, you can use content search in the Compliance Center to find all content that's classified with a specific retention label.
In Exchange Online, when a retention policy is applied to a user's mailbox, all of the user's content will be retained based on the criteria of the policy. Retention policies can ensure that an organization retains electronic communications, but those policies can be modified. By placing a Preservation Lock on a retention policy, an organization ensures that the policy cannot be modified.
To help you plan the management of email records, see the following:
If you want to set retain and delete actions for Exchange or Microsoft 365 Groups: Create and configure retention policies
If you want to allow admins and users to manually apply a set of retain and delete actions for documents and emails: Create retention labels and apply them in apps
If you want to let users automatically apply a retention label to emails by using Outlook rules: Create retention labels and apply them in apps
If you want to automatically apply a set of retain and delete actions to documents and emails: Apply a retention label to content automatically
Create and configure retention policies
Use a retention policy to decide proactively whether to retain content, delete content or both - retain and then delete the content.
The Exchange email location supports retention for users' email, calendar, and other mailbox items by applying retention settings at the level of a mailbox. The following mail items are included: mail messages (including drafts) with any attachments, tasks and calendar items when they have an end date, and notes. Contacts, and any tasks and calendar items that don't have an end date, are not included. Other items stored in a mailbox, such as Skype and Teams saved messages, aren't included with this location since these items have their own retention locations.
Even though a Microsoft 365 group has an Exchange mailbox, a retention policy that includes the entire Exchange email location won't include content in Microsoft 365 group mailboxes. To retain or delete content for a Microsoft 365 group (formerly Office 365 group), select the Office 365 groups location. A retention policy applied to a Microsoft 365 group includes both the group mailbox and site.
Auto-apply policies based on rules
In Outlook, you can create rules to apply a retention label. For example, you can create a rule that applies a specific retention label to all messages sent to or from a specific distribution group.
In Exchange, auto-apply retention labels are applied only to messages newly sent (data in transit), not to all items currently in the mailbox (data at rest).
Auto-apply policies based on keywords, searchable properties, or sensitive information types
You can apply a retention policy only to content that meets specific conditions, and then take retention actions on just that content. You can refine your query by using search operators like AND, OR, and NOT. Support for adding searchable properties (for example, subject:) is coming soon.
You can also apply a retention policy only to content that contains specific types of sensitive information. For example, you can choose to apply unique retention requirements only to content that contains personal information, such as taxpayer-identification numbers, social security numbers, or passport numbers.
Advanced retention for sensitive information doesn't apply to Exchange public folders since these don't support sensitive information types. Also, auto-apply retention labels for sensitive information types and trainable classifiers apply to all mailboxes; you can't select specific mailboxes.
Auto-apply policies based on trainable classifiers
You can use built-in trainable classifiers or create your own based on the sample items. A classifier learns how to identify a type of content by looking at hundreds of examples of the content you're interested in classifying. You start by feeding it examples that are definitely in the category. Once it processes those, you test it by giving it a mix of both matching and non-matching examples. The classifier then makes predictions as to whether any given item falls into the category you're building. You then confirm its results, sorting out the positives, negatives, false positives, and false negatives to help increase the accuracy of its predictions. When you publish the trained classifier, it sorts through items in locations like Exchange and classifies the content.
The built-in classifiers include Resumes, SourceCode, Targeted Harassment, Profanity, and Threat.
Apply a retention policy to an entire organization or specific locations
One of the most powerful features of a retention policy is that it can apply to locations across Microsoft 365, including:
Microsoft 365 groups
Exchange public folders
You can also apply a retention policy to specific users or specific Microsoft 365 groups.
Other important features of an org-wide retention policy include:
There is no limit to the number of mailboxes or sites the policy can include.
For Exchange, any new mailbox created after the policy is applied will automatically inherit the policy.
Create retention labels and apply them in apps
For locations where you cannot automate the management of email records in M365, you can rely on users manually applying retention labels for records management. You can also apply retention labels to folders, in which case all items in the folder automatically get the same retention label, except for items that have had a retention label applied explicitly to them.
This is how this looks for users when using the Outlook desktop client:
This is how this looks for users when using Outlook on the web:
As with Outlook on the web, you can also apply retention labels to folders.
When you publish retention labels to Microsoft 365 groups (formerly Office 365 groups), the retention labels appear in both the group site and group mailbox in Outlook on the web. The experience of applying a retention label to content is identical to that for email and documents.
To retain content for a Microsoft 365 group, use the Office 365 groups location. Even though a Microsoft 365 group has an Exchange mailbox, a retention policy that includes the entire Exchange location won't include content in Microsoft 365 group mailboxes.
Use Preservation Lock to comply with regulatory requirements
Some organizations might need to comply with rules defined by regulatory bodies such as the Securities and Exchange Commission (SEC) Rule 17a-4, which requires that after a retention policy is turned on, it cannot be turned off or made less restrictive. Preservation Lock ensures your organization can meet such regulatory requirements because it locks a retention policy so that no one—including the administrator—can turn off the policy, delete the policy, or make it less restrictive.
When a retention policy is locked:
No one can turn it off
Locations can be added but not removed
Content subject to the policy can't be modified or deleted during the retention period
You can extend a retention period but not decrease it
In summary, a locked retention policy can be increased or extended, but it can't be reduced or turned off.
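The following Security & Compliance PowerShell sketch is an added example, not taken from the original article or from Infotechtion's tooling. It creates a retention policy that covers both Exchange mailboxes and Microsoft 365 group mailboxes, applies Preservation Lock, and then lists policies that are still unlocked. The policy and rule names, the admin account and the 2555-day period are placeholder assumptions.

```powershell
# Added example. Names, the admin UPN and the retention period are placeholders.
# Requires the ExchangeOnlineManagement module and a compliance administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$policyName = 'Email Records - 7 Years'   # placeholder policy name

# The Exchange location alone does not cover Microsoft 365 group mailboxes,
# so the groups location is added explicitly.
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -ModernGroupLocation All `
    -Comment 'Retain mailbox and group content as records'

# Retain content for 2555 days (about seven years).
New-RetentionComplianceRule -Name "$policyName - Rule" `
    -Policy $policyName `
    -RetentionDuration 2555 `
    -RetentionComplianceAction Keep

# Review scope and settings BEFORE locking. Once locked, locations cannot be
# removed and the retention period cannot be shortened.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, ExchangeLocation, ModernGroupLocation, RestrictiveRetention

# Apply Preservation Lock. The cmdlet asks for confirmation; the lock cannot
# be turned off afterwards, not even by an administrator.
Set-RetentionCompliancePolicy -Identity $policyName -RestrictiveRetention $true

# Verify that the lock is in place.
$locked = Get-RetentionCompliancePolicy -Identity $policyName
if (-not $locked.RestrictiveRetention) {
    Write-Warning "Preservation Lock is NOT set on '$policyName'."
}

# Audit: list every retention policy that is not locked and can therefore
# still be disabled, deleted or weakened by an administrator.
Get-RetentionCompliancePolicy |
    ForEach-Object { Get-RetentionCompliancePolicy -Identity $_.Name -DistributionDetail } |
    Where-Object { -not $_.RestrictiveRetention } |
    Select-Object Name, Enabled, ExchangeLocation, ModernGroupLocation
```

Because the lock is permanent, validate the policy scope and duration in a test tenant before running the `Set-RetentionCompliancePolicy` step in production.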
Feel free to contact us if you want to run a proof-of-concept for managing email records in M365, or if you need help with the automation of the entire configuration and deployment process for managing emails as records. A proof-of-concept will help you test the value of Office 365 Compliance features.
Screenshots are courtesy of Microsoft.