Microsoft 365 Retention Policies: A Practical Guide for MSPs

April 06, 2026 | 9 min read


Data retention is a compliance nightmare for most organizations. They must keep certain information for regulatory and legal requirements, yet delete other data to reduce storage costs and minimize exposure. Meanwhile, users save everything they’ve ever received, and IT teams struggle to enforce retention without disrupting business operations.

Microsoft 365 retention policies automate this process. But their configuration is unintuitive, and mistakes can lead to compliance violations or unintended data deletion.

This guide walks MSPs through implementing effective retention policies for email, documents, and Teams conversations. By the end, you’ll understand retention strategy, configuration mechanics, and how to explain this to clients.

Why Retention Policies Matter

Compliance Requirements:

  • Healthcare (HIPAA) requires 6-year retention of patient communications
  • Financial services (GLBA) mandate 6-7 year retention of transaction records
  • Legal firms must retain client files per ethical obligations
  • GDPR requires deletion of personal data when no longer needed
  • SOC 2 audits examine retention documentation

Storage and Cost:

  • Average M365 mailbox contains 50,000+ emails (10-20 GB)
  • Inactive data drives storage costs and backup complexity
  • Retention policies automatically archive or delete old content
  • Reduces eDiscovery scope and associated costs

Risk Management:

  • Old data is a liability in lawsuits and regulatory investigations
  • Breach impact is smaller if irrelevant data has been deleted
  • Ransomware attackers target long-term data for leverage
  • Employee departures create stale data and security risks

Audit and eDiscovery:

  • Defined retention policies support audit demonstrations
  • Legal holds take precedence, allowing targeted preservation
  • Automatic deletion reduces eDiscovery scope and costs
  • Compliance-ready documentation eases regulatory reviews

Retention vs. Legal Hold: The Critical Distinction

Understanding the difference between retention policies and legal holds is fundamental.

Retention Policies:

  • Automatically delete content after a defined period
  • Apply to all users in a location (mailbox, site, Teams channel)
  • Non-negotiable once configured (users can’t override)
  • Used for routine data lifecycle management

Legal Holds:

  • Preserve content indefinitely, overriding retention policies
  • Applied to specific users or locations
  • Triggered by litigation, investigation, or audit
  • Content is retained but can’t be modified or deleted

Critical Rule: When a legal hold is active on a user or location, retention policies do not delete content even after the retention period expires. The legal hold takes precedence.

Core Retention Policy Concepts

Retention Period and Actions

A retention policy defines:

  1. What to retain: Email, documents, Teams messages, etc.
  2. How long: 30 days, 90 days, 7 years, indefinitely
  3. What happens: Delete automatically, move to archive, or apply label

The Lifecycle

  1. Creation: Content is created or modified (this date triggers retention period)
  2. Retention Period: Time elapses per policy
  3. Expiration: Retention period ends
  4. Action: Content is automatically deleted or moved to archive
  5. Permanent Deletion: Deleted content is permanently removed after 93 days in Recoverable Items

Deletion vs. Archiving

Retention Policies Can:

  • Automatically delete content after X days (hard delete)
  • Move content to archive after Y days, then delete after Z days (soft delete)
  • Keep content indefinitely without deletion
  • Apply retention labels for granular control

Important: Deleted content goes to the Recoverable Items folder, where it persists for 93 days before permanent deletion. This provides a safety window for recovery if deletion was unintended.

Implementing Retention Policies for Exchange Online

Email is the most common retention use case. Exchange Online retention policies are straightforward to implement.

Step 1: Plan Your Retention Schedule

Before configuring, document your retention requirements by content type:

Content Type                     | Retention Period | Reason
---------------------------------|------------------|------------------------------
General business email           | 3-7 years        | Business need and compliance
Employee communications          | 1-2 years        | General business history
Spam and newsletters             | 30-90 days       | No business value
Compliance-sensitive (HR, legal) | 7+ years         | Regulatory requirement
Customer communications          | 5-10 years       | Legal and audit trail

Step 2: Configure in Microsoft 365 Admin Center

Navigate: Data Governance > Retention > New Policy

  1. Name and Description:

    • Name: “Exchange Online Email Retention - 7 Years”
    • Description: “Retains all Exchange Online email for 7 years per business requirement”
  2. Choose Locations:

    • Mailboxes (Exchange Online)
    • Public Folders
    • Microsoft Teams
    • SharePoint sites
    • OneDrive accounts
    • Yammer
  3. Configure Retention Settings:

    • Action: “Keep and then delete”
    • Retain items for: 7 years
    • Automatically delete items: select the check box
  4. Apply Filters (Optional):

    • Include or exclude specific content types
    • Example: Exclude Teams messages, only apply to email
  5. Review and Create:

    • Verify settings are correct
    • Submit policy
    • The policy is created immediately, but it may take 24-48 hours to apply to all locations
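The Step 2 policy, created with Security & Compliance PowerShell instead of the admin center. This is an added example, not from the original post; it assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a compliance admin role. The policy name and description are the ones used in Step 2; the rule name is an assumption.

```powershell
# Added example: build the Step 2 policy ("Exchange Online Email Retention - 7 Years")
# with Security & Compliance PowerShell. Assumes the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # prompts for a compliance admin sign-in

$policyName = "Exchange Online Email Retention - 7 Years"
$sevenYearsInDays = 7 * 365   # 2555 days, the value the admin center uses for "7 years"

# 1. Policy = name, description and locations. Exchange mailboxes only, so the
#    "exclude Teams messages" filter from step 4 is unnecessary: Teams, SharePoint,
#    OneDrive and Yammer are simply not selected.
New-RetentionCompliancePolicy -Name $policyName `
    -Comment "Retains all Exchange Online email for 7 years per business requirement" `
    -ExchangeLocation All

# 2. Rule = retention settings. KeepAndDelete is "Keep and then delete";
#    ModificationAgeInDays starts the clock at the item's last-modified date,
#    matching the Lifecycle section (creation or modification triggers retention).
New-RetentionComplianceRule -Name "$policyName - Rule" `
    -Policy $policyName `
    -RetentionDuration $sevenYearsInDays `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# 3. Review: confirm the rule settings and watch distribution. DistributionStatus
#    stays "Pending" until propagation finishes, which is the 24-48 hour window above.
Get-RetentionComplianceRule -Policy $policyName |
    Select-Object Name, RetentionDuration, RetentionComplianceAction, ExpirationDateOption
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```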

Step 3: Advanced Configuration with Retention Labels

For granular control, use retention labels instead of blanket policies:

Create Labels in Data Governance > Retention > Labels:

Label 1: “Keep 3 Years”

  • Retain for: 3 years
  • Action: Delete

Label 2: “Keep 7 Years”

  • Retain for: 7 years
  • Action: Delete

Label 3: “Legal Hold - Keep Indefinitely”

  • Retain for: Indefinitely
  • Action: Keep

Label 4: “Delete Immediately”

  • Retain for: 1 day
  • Action: Delete

Publish Labels:

  • Publish to all users
  • Users can manually apply labels to emails
  • Email follows the retention policy unless a user applies a label
  • Provides flexibility for sensitive or important items
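The four Step 3 labels created and published from PowerShell, as an added example (not the post's own code). It assumes the ExchangeOnlineManagement module; the label names and settings are those listed above, while the names of the publishing policies are assumptions.

```powershell
# Added example: create the Step 3 labels and publish them to all mailboxes.
# Assumes the ExchangeOnlineManagement module; publishing policy names are assumed.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Label settings copied from Step 3. Durations are days; "Unlimited" means keep forever.
$labels = @(
    @{ Name = "Keep 3 Years";                   Duration = 3 * 365;     Action = "Delete" },
    @{ Name = "Keep 7 Years";                   Duration = 7 * 365;     Action = "Delete" },
    @{ Name = "Legal Hold - Keep Indefinitely"; Duration = "Unlimited"; Action = "Keep"   },
    @{ Name = "Delete Immediately";             Duration = 1;           Action = "Delete" }
)

foreach ($l in $labels) {
    # Label names are unique per tenant; skip ones that already exist instead of failing.
    if (Get-ComplianceTag -Identity $l.Name -ErrorAction SilentlyContinue) { continue }
    New-ComplianceTag -Name $l.Name `
        -RetentionAction $l.Action `
        -RetentionDuration $l.Duration `
        -RetentionType ModificationAgeInDays `
        -Comment "MSP retention schedule label"
}

# Publish: a label policy is a retention policy whose rule publishes a label instead of
# setting a duration. One policy per label keeps each one independently removable.
foreach ($l in $labels) {
    $policyName = "Publish label - $($l.Name)"
    New-RetentionCompliancePolicy -Name $policyName -ExchangeLocation All `
        -Comment "Makes the '$($l.Name)' label available in Outlook"
    New-RetentionComplianceRule -Name "$policyName - Rule" -Policy $policyName `
        -PublishComplianceTag $l.Name
}

# Users see the labels once distribution finishes; email with no label keeps following
# the blanket retention policy.
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.Name -like "Publish label - *" } |
    Select-Object Name, DistributionStatus
```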

Step 4: Communicate Changes to Users

Users will notice automatic deletion of old emails. Prepare them:

Email Template:

Subject: Email Retention Policy Change

Starting [date], we’re implementing an email retention policy to protect data security and comply with regulatory requirements.

What this means:

  • Email older than 7 years will be automatically deleted
  • Deleted emails go to Recoverable Items for 93 days and can still be recovered
  • Drafts and unsent items are not affected
  • You can manually apply retention labels to keep important emails longer

What you should do:

  • If you have important emails older than 7 years, move them to a SharePoint library or archive folder
  • Apply retention labels to compliance-sensitive or legally important items
  • Contact IT with questions

Questions? Reply to this email or contact [IT Support].

Retention for SharePoint and OneDrive

Document retention in SharePoint Online and OneDrive requires different configuration.

SharePoint Retention Considerations

Files in SharePoint:

  • Retention policies apply to the document location (site), not to individual files
  • All files in a site follow the same retention rule
  • Files are moved to the site recycle bin upon deletion
  • Users can restore from recycle bin within 93 days

Configuration Steps

  1. Navigate: Data Governance > Retention > New Policy
  2. Select Location: SharePoint sites
  3. Choose Sites: Specific sites or all sites
  4. Configure Retention:
    • Retain for: 7 years (or compliance requirement)
    • Action: Delete
  5. Optional: Apply retention labels to specific document libraries

Best Practice: Multi-Tier Retention

Implement tiered retention for different SharePoint content:

Active Library (Project Work):

  • Retention: 3 years
  • Purpose: Keep current and recent project files

Archive Library (Completed Projects):

  • Retention: 7 years
  • Purpose: Retain for compliance and historical reference

Compliance and Legal:

  • Retention: 10 years
  • Purpose: Regulatory and litigation requirements

Retention for Teams and Yammer

Chat retention is often overlooked but critical for compliance.

Teams Message Retention

Teams messages follow the same retention policy as the team’s site (SharePoint). Configure separately for Teams-specific needs:

  1. Navigate: Data Governance > Retention > New Policy
  2. Select Location: Microsoft Teams
  3. Choose Teams: Specific teams or all teams
  4. Configure:
    • Retain for: 1-2 years for general channels
    • Retain for: 7 years for compliance channels
    • Action: Delete

Important: Deleted Teams messages are also sent to Recoverable Items for 93 days.

Yammer Message Retention

The process is similar for Yammer communities:

  1. Navigate: Data Governance > Retention > New Policy
  2. Select Location: Yammer
  3. Configure: Retention period per business need
  4. Note: Yammer retention is separate from email/SharePoint

Common Retention Mistakes to Avoid

Mistake 1: One-Size-Fits-All Retention

Applying the same retention period to all content ignores compliance nuances.

Fix: Create separate policies for:

  • General business email (3-5 years)
  • Compliance-sensitive content (7+ years)
  • Transient content like newsletters (90 days)

Mistake 2: Not Planning for Legal Holds

Implementing retention without legal hold procedures creates litigation risk.

Fix: Document how legal holds will be applied when litigation occurs:

  • Identify who manages legal holds (Legal, Compliance)
  • Create process for applying holds to relevant mailboxes
  • Train on legal hold compliance and scope

Mistake 3: Insufficient Recycle Bin Management

Users rely on recycle bins to recover accidentally deleted emails.

Fix:

  • Configure recycle bin retention to 93 days (maximum)
  • Document recovery process for users
  • Create IT procedure for bulk recovery if needed

Mistake 4: Missing Compliance-Sensitive Content

Failing to identify and protect regulatory content creates audit failures.

Fix:

  • Work with Compliance/Legal to identify content requirements
  • Create longer retention periods for sensitive categories
  • Document retention requirements for audit readiness

Mistake 5: Poor User Communication

Surprising users with automatic deletion of old emails creates complaints.

Fix:

  • Announce retention policies 30 days before implementation
  • Provide clear examples of what will be deleted
  • Offer retention labels for exceptions
  • Create FAQ and knowledge base articles

Retention Labels and Manual Controls

For organizations needing flexibility, retention labels allow users to control retention:

Create Label Choices:

  • “Keep 1 Year” (general business email)
  • “Keep 3 Years” (project-related)
  • “Keep 7 Years” (compliance-sensitive)
  • “Archive (Never Delete)” (important items)

User Experience:

  • Users right-click email/document
  • Select “Apply Retention Label”
  • Choose appropriate label
  • Item is retained per label rule

Benefits:

  • Users control retention of important items
  • Reduces exceptions and manual requests
  • Balances compliance with user needs
  • Creates audit trail of retention decisions

Testing and Rollout

Never deploy retention policies without testing:

Test Phase (Week 1-2)

  1. Small User Group: Enable policy for 10-20 test users
  2. Monitor: Check if policy applies correctly
  3. Verify Deletion: Confirm items are deleted per schedule (may take 24-48 hours)
  4. Collect Feedback: Ask test users about user experience

Rollout Phase (Week 3-8)

  1. Staged Deployment:

    • Week 3: 25% of users
    • Week 4: 50% of users
    • Week 5: 75% of users
    • Week 6: 100% of users
  2. Monitor Compliance:

    • Track policy application via audit logs
    • Monitor support tickets for issues
    • Verify deletion is occurring
  3. Communicate Throughout:

    • Remind users in week 1
    • Provide FAQ in week 3
    • Brief management in week 2
    • Plan optional training sessions

Monitoring and Optimization

After deployment, monitor and refine:

Monthly Review:

  • Check how many items are being deleted
  • Verify policy is applying to all users
  • Monitor Recoverable Items size
  • Track user questions and complaints

Quarterly Adjustment:

  • Analyze deletion patterns
  • Adjust retention periods if needed
  • Add exceptions or legal holds if required
  • Review compliance audit results

Annual Audit:

  • Validate retention meets current compliance requirements
  • Document policy changes for compliance file
  • Review legal hold procedures
  • Plan for upcoming requirement changes
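A monthly health check covering the points above (policy distribution, legal holds, Recoverable Items growth), as an added PowerShell example rather than anything from the original post. It assumes the ExchangeOnlineManagement module and an account that can run both Exchange Online and Security & Compliance cmdlets; the policy name is the one from Step 2.

```powershell
# Added example: a monthly retention health check, not from the original post.
# Assumes the ExchangeOnlineManagement module and an account allowed to run both
# Exchange Online and Security & Compliance cmdlets. Policy name is from Step 2.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
Connect-IPPSSession

$policyName = "Exchange Online Email Retention - 7 Years"

# 1. Verify the policy is enabled and fully distributed. Anything other than
#    "Success" means some mailboxes are not yet covered (the 24-48 hour window).
$policy = Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail
"{0}: Enabled={1} Distribution={2}" -f $policy.Name, $policy.Enabled, $policy.DistributionStatus

# 2. List mailboxes under a legal hold. Retention never deletes from these, so each
#    one should be on the Legal/Compliance hold register rather than a surprise.
$held = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled -or $_.InPlaceHolds.Count -gt 0 } |
    Select-Object DisplayName, LitigationHoldEnabled, LitigationHoldDate,
                  @{ n = "InPlaceHolds"; e = { $_.InPlaceHolds.Count } }
"Mailboxes on hold: $(@($held).Count)"
$held | Format-Table -AutoSize

# 3. Watch Recoverable Items. Soft-deleted mail sits in its Deletions folder before
#    permanent removal, so a growing folder shows deletions are happening; a flat
#    one after the retention period has passed means the policy is not applying.
function ConvertTo-Bytes([string]$sizeText) {
    # FolderSize renders as "1.5 GB (1,610,612,736 bytes)"; pull the raw byte count.
    [int64]($sizeText.Split("(")[1].Split(" ")[0].Replace(",", ""))
}
$deletions = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $upn = $_.UserPrincipalName
    Get-MailboxFolderStatistics -Identity $upn -FolderScope RecoverableItems |
        Where-Object { $_.FolderPath -eq "/Deletions" } |
        Select-Object @{ n = "Mailbox"; e = { $upn } }, ItemsInFolder,
                      @{ n = "Bytes"; e = { ConvertTo-Bytes $_.FolderSize.ToString() } }
}
$deletions | Sort-Object Bytes -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

Run it on the same day each month and keep the output with the compliance file, so the quarterly and annual reviews have a trend to compare against.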

Ready to Master Retention for Your Clients?

Retention policies are often the missing piece in client security and compliance programs. Most organizations have no formal retention policy, creating compliance risk and storage bloat.

By implementing effective retention policies for your clients, you:

  • Reduce their storage costs and backup complexity
  • Improve compliance readiness for audits
  • Minimize data breach exposure
  • Create audit evidence of information governance
  • Differentiate your MSP through compliance expertise

Ready to assess your Microsoft 365 security posture? Run a free security assessment at 365 Security Assessment to ensure your retention policies are configured correctly and supporting your compliance program.
