Records management with Microsoft Purview – Part 2: Getting started & requirements

In my previous blog post I gave a little background information about record management and retention. In this blog post we will focus on getting started with records management using Microsoft Purview.

One solution is to use retention labels to mark items as records. This not only helps you implement a consistent strategy for managing records across your Microsoft 365 environment but also ensures that the item is treated according to the retention label policy.

Retention labels can be manually applied by users or administrators, or auto-applied to items marked as a record. When a retention label is applied to an item, it restricts certain actions that can be taken on the item and logs additional activities about the item. This helps you keep track of who has access to the item and what actions are taken on it.

By using retention labels to declare records, you can also ensure that you have proof of disposition when the item is deleted at the end of its retention period. This is especially important when it comes to regulatory records.

Implementing a single and consistent strategy for managing records across your Microsoft 365 environment is crucial for effective records management. By using retention labels, you can achieve this goal and ensure that your organization is compliant with legal and regulatory requirements.

In the end you will start using retention labels to mark items as a record, or a regulatory record. However there are some limitations and restrictions when using either of the two. A link to the limitations of either record can be found here: https://learn.microsoft.com/en-us/microsoft-365/compliance/records-management?view=o365-worldwide#compare-restrictions-for-what-actions-are-allowed-or-blocked

The most important difference for a regulatory record is that after it is applied to content, nobody, not even a global administrator, can remove the label.

Prepare & getting started

To get started with records management and retention within Microsoft Purview, you so have some requirements that should be met. These are listed below.

Licenses
You will need the appropriate licenses to make sure you are able to use the services you require. Now not all retention and record requirements are equal. So it is always good to have a look at the list of options you would require and then match that to the licenses and their available options. A full list of licenses and their features can be found here: https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-data-lifecycle-management–microsoft-purview-records-management

Permissions
When it comes to managing records and maintaining compliance, it’s important to ensure that the right people have access to the right tools and resources. In the case of Microsoft Purview, members of your compliance team who are responsible for records management need permissions to the compliance portal.

By default, the tenant admin (global administrator) has access to this location and can grant access to compliance officers and other team members without giving them all the permissions of a tenant admin. To grant limited administration permissions, we recommend adding users to the Records Management admin role group. This grants permissions for all features related to records management, including disposition review and verification.

For a read-only role, you can create a new role group and add the View-Only Record Management role to this group. This role is ideal for users who need to view information related to records management but do not need to make changes or updates to the system.

It’s important to note that these permissions are required only for creating, configuring, and applying retention labels that declare records, as well as managing disposition. The person configuring these labels doesn’t require access to the content itself.

Granting the right permissions to your compliance team is crucial for effective records management and maintaining compliance with legal and regulatory requirements. By following these recommendations for Microsoft Purview, you can ensure that your team has the access they need to manage records while maintaining security and control over your organization’s data.

Powershelll

By default, the retention label option to mark content as a regulatory record is not displayed in the retention label wizard. To enable this option, you can run a PowerShell command after connecting to the Office 365 Security & Compliance PowerShell( https://learn.microsoft.com/en-us/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell). The command is:

Set-RegulatoryComplianceUI -Enabled $true

This setting takes effect immediately, and you will now see the option to mark content as a regulatory record in the retention label wizard.

If you decide later on that you no longer want to see this option, you can hide it again by running the same cmdlet but with the false value:

Set-RegulatoryComplianceUI -Enabled $false

Once you have enabled the option to mark content as a regulatory record, you can create a retention label from the Records Management solution in the Microsoft Purview compliance portal. This label can now be used to mark items as records or regulatory records, and can be applied to SharePoint or OneDrive documents and Exchange emails as needed.

By using retention labels to declare records and regulatory records, you can implement a consistent strategy for managing records across your Microsoft 365 environment. With the added option to mark content as a regulatory record, you can ensure that you are meeting all necessary compliance requirements.

Auditing
Retention and records management are crucial for organizations to manage their data efficiently, comply with regulations, and reduce legal risks. However, it’s also important to have an audit logging and monitoring system in place to ensure that the data is being managed and retained as required.

Fortunately, Microsoft provides default audit logging and monitoring capabilities to help organizations keep track of actions related to retention and records management. Here are a few actions that are audited:

  • Enabling the regulatory record option for retention labels in the Retention policy: This action can be found in the retention label activities section of the audit log. It helps organizations track when the regulatory record option was enabled for retention labels.
  • Changed retention label for a file (SharePoint items): This audit event is found in the File and page activities section and is for retention labels that mark items as records, regulatory records, or that are standard retention labels. It helps organizations track when a retention label was applied or changed for a file.
  • Labeled message as a record (Exchange items): This audit event is found in the Exchange mailbox activities section and is for retention labels that mark items as records or regulatory records. It helps organizations track when a retention label was applied to an email message.

Having an audit logging and monitoring system in place is critical for effective retention and records management. It provides organizations with a clear understanding of how their data is being managed and helps identify any areas for improvement. With Microsoft’s default audit logging and monitoring capabilities, organizations can rest assured that their retention and records management activities are being tracked and recorded accurately.

What’s next?


Now that you are al prepared and ready to go, we can start working on some examples and use cases to get your first retention labels in place.

Please note that this blog is part of a series on Records management using the Microsoft Purview platform.