Microsoft 365 Retention Policies: A Practical Guide for MSPs
Data retention is a compliance nightmare for most organizations. They must keep certain information for regulatory and legal requirements, yet delete other data to reduce storage costs and minimize exposure. Meanwhile, users save everything they’ve ever received, and IT teams struggle to enforce retention without disrupting business operations.
Microsoft 365 retention policies automate this process. But their configuration is unintuitive, and mistakes can lead to compliance violations or unintended data deletion.
This guide walks MSPs through implementing effective retention policies for email, documents, and Teams conversations. By the end, you’ll understand retention strategy, configuration mechanics, and how to explain this to clients.
Why Retention Policies Matter
Compliance Requirements:
- Healthcare (HIPAA) requires 6-year retention of patient communications
- Financial services (GLBA) mandate 6-7 year retention of transaction records
- Legal firms must retain client files per ethical obligations
- GDPR requires deletion of personal data when no longer needed
- SOC 2 audits examine retention documentation
Storage and Cost:
- Average M365 mailbox contains 50,000+ emails (10-20 GB)
- Inactive data drives storage costs and backup complexity
- Retention policies automatically archive or delete old content
- Reduces eDiscovery scope and associated costs
Risk Management:
- Old data is liability in lawsuits and regulatory investigations
- Breach impact is smaller if irrelevant data has been deleted
- Ransomware attackers target long-term data for leverage
- Employee departures create stale data and security risks
Audit and eDiscovery:
- Defined retention policies support audit demonstrations
- Legal holds take precedence, allowing targeted preservation
- Automatic deletion reduces eDiscovery scope and costs
- Compliance-ready documentation eases regulatory reviews
Retention vs. Legal Hold: The Critical Distinction
Understanding the difference between retention policies and legal holds is fundamental.
Retention Policies:
- Automatically delete content after a defined period
- Apply to all users in a location (mailbox, site, Teams channel)
- Non-negotiable once configured (users can’t override)
- Used for routine data lifecycle management
Legal Holds:
- Preserve content indefinitely, overriding retention policies
- Applied to specific users or locations
- Triggered by litigation, investigation, or audit
- Content is retained but can’t be modified or deleted
Critical Rule: When a legal hold is active on a user or location, retention policies do not delete content even after the retention period expires. The legal hold takes precedence.
Core Retention Policy Concepts
Retention Period and Actions
A retention policy defines:
- What to retain: Email, documents, Teams messages, etc.
- How long: 30 days, 90 days, 7 years, indefinitely
- What happens: Delete automatically, move to archive, or apply label
The Lifecycle
- Creation: Content is created or modified (this date triggers retention period)
- Retention Period: Time elapses per policy
- Expiration: Retention period ends
- Action: Content is automatically deleted or moved to archive
- Permanent Deletion: Deleted content is permanently removed after 93 days in Recoverable Items
Deletion vs. Archiving
Retention Policies Can:
- Automatically delete content after X days (hard delete)
- Move content to archive after Y days, then delete after Z days (soft delete)
- Keep content indefinitely without deletion
- Apply retention labels for granular control
Important: Deleted content goes to the Recoverable Items folder, where it persists for 93 days before permanent deletion. This provides a safety window for recovery if deletion was unintended.
Implementing Retention Policies for Exchange Online
Email is the most common retention use case. Exchange Online retention policies are straightforward to implement.
Step 1: Plan Your Retention Schedule
Before configuring, document your retention requirements by content type:
| Content Type | Retention Period | Reason |
|---|---|---|
| General business email | 3-7 years | Business need and compliance |
| Employee communications | 1-2 years | General business history |
| Spam and newsletters | 30-90 days | No business value |
| Compliance-sensitive (HR, legal) | 7+ years | Regulatory requirement |
| Customer communications | 5-10 years | Legal and audit trail |
Step 2: Configure in Microsoft 365 Admin Center
Navigate: Data Governance > Retention > New Policy
-
Name and Description:
- Name: “Exchange Online Email Retention - 7 Years”
- Description: “Retains all Exchange Online email for 7 years per business requirement”
-
Decide Locations:
- Mailboxes (Exchange Online)
- Public Folders
- Microsoft Teams
- SharePoint sites
- OneDrive accounts
- Yammer
-
Configure Retention Settings:
- Action: “Keep and then delete”
- Retain items for: 7 years
- Automatically delete items: Check box
-
Apply Filters (Optional):
- Include or exclude specific content types
- Example: Exclude Teams messages, only apply to email
-
Review and Create:
- Verify settings are correct
- Submit policy
- Policy becomes active immediately (may take 24-48 hours to apply)
Step 3: Advanced Configuration with Retention Labels
For granular control, use retention labels instead of blanket policies:
Create Labels in Data Governance > Retention > Labels:
Label 1: “Keep 3 Years”
- Retain for: 3 years
- Action: Delete
Label 2: “Keep 7 Years”
- Retain for: 7 years
- Action: Delete
Label 3: “Legal Hold - Keep Indefinitely”
- Retain for: Indefinitely
- Action: Keep
Label 4: “Delete Immediately”
- Retain for: 1 day
- Action: Delete
Publish Labels:
- Publish to all users
- Users can manually apply labels to emails
- Email defaults to policy unless user selects a label
- Provides flexibility for sensitive or important items
Step 4: Communicate Changes to Users
Users will notice automatic deletion of old emails. Prepare them:
Email Template:
Subject: Email Retention Policy Change
Starting [date], we’re implementing an email retention policy to protect data security and comply with regulatory requirements.
What this means:
- Email older than 7 years will be automatically deleted
- Emails deleted go to Recoverable Items for 93 days (can still be recovered)
- Drafts and unsent items are not affected
- You can manually apply retention labels to keep important emails longer
What you should do:
- If you have important emails older than 7 years, move them to a SharePoint library or archive folder
- Apply retention labels to compliance-sensitive or legally important items
- Contact IT with questions
Questions? Reply to this email or contact [IT Support].
Retention for SharePoint and OneDrive
Document retention in SharePoint Online and OneDrive requires different configuration.
SharePoint Retention Considerations
Files in SharePoint:
- Retention policies apply to the document location (site), not files
- All files in a site follow the same retention rule
- Files are moved to the site recycle bin upon deletion
- Users can restore from recycle bin within 93 days
Configuration Steps
- Navigate: Data Governance > Retention > New Policy
- Select Location: SharePoint sites
- Choose Sites: Specific sites or all sites
- Configure Retention:
- Retain for: 7 years (or compliance requirement)
- Action: Delete
- Optional: Apply retention labels to specific document libraries
Best Practice: Multi-Tier Retention
Implement tiered retention for different SharePoint content:
Active Library (Project Work):
- Retention: 3 years
- Purpose: Keep current and recent project files
Archive Library (Completed Projects):
- Retention: 7 years
- Purpose: Retain for compliance and historical reference
Compliance and Legal:
- Retention: 10 years
- Purpose: Regulatory and litigation requirements
Retention for Teams and Yammer
Chat retention is often overlooked but critical for compliance.
Teams Message Retention
Teams messages follow the same retention policy as the team’s site (SharePoint). Configure separately for Teams-specific needs:
- Navigate: Data Governance > Retention > New Policy
- Select Location: Microsoft Teams
- Choose Teams: Specific teams or all teams
- Configure:
- Retain for: 1-2 years for general channels
- Retain for: 7 years for compliance channels
- Action: Delete
Important: Deleted Teams messages are also sent to Recoverable Items for 93 days.
Yammer Message Retention
Similar process for Yammer communities:
- Navigate: Data Governance > Retention > New Policy
- Select Location: Yammer
- Configure: Retention period per business need
- Note: Yammer retention is separate from email/SharePoint
Common Retention Mistakes to Avoid
Mistake 1: One-Size-Fits-All Retention
Applying the same retention period to all content ignores compliance nuances.
Fix: Create separate policies for:
- General business email (3-5 years)
- Compliance-sensitive content (7+ years)
- Transient content like newsletters (90 days)
Mistake 2: Not Planning for Legal Holds
Implementing retention without legal hold procedures creates litigation risk.
Fix: Document how legal holds will be applied when litigation occurs:
- Identify who manages legal holds (Legal, Compliance)
- Create process for applying holds to relevant mailboxes
- Train on legal hold compliance and scope
Mistake 3: Insufficient Recycle Bin Management
Users rely on recycle bins to recover accidentally deleted emails.
Fix:
- Configure recycle bin retention to 93 days (maximum)
- Document recovery process for users
- Create IT procedure for bulk recovery if needed
Mistake 4: Missing Compliance-Sensitive Content
Failing to identify and protect regulatory content creates audit failures.
Fix:
- Work with Compliance/Legal to identify content requirements
- Create longer retention periods for sensitive categories
- Document retention requirements for audit readiness
Mistake 5: Poor User Communication
Surprising users with automatic deletion of old emails creates complaints.
Fix:
- Announce retention policies 30 days before implementation
- Provide clear examples of what will be deleted
- Offer retention labels for exceptions
- Create FAQ and knowledge base articles
Retention Labels and Manual Controls
For organizations needing flexibility, retention labels allow users to control retention:
Create Label Choices:
- “Keep 1 Year” (general business email)
- “Keep 3 Years” (project-related)
- “Keep 7 Years” (compliance-sensitive)
- “Archive (Never Delete)” (important items)
User Experience:
- Users right-click email/document
- Select “Apply Retention Label”
- Choose appropriate label
- Item is retained per label rule
Benefits:
- Users control retention of important items
- Reduces exceptions and manual requests
- Balances compliance with user needs
- Creates audit trail of retention decisions
Testing and Rollout
Never deploy retention policies without testing:
Test Phase (Week 1-2)
- Small User Group: Enable policy for 10-20 test users
- Monitor: Check if policy applies correctly
- Verify Deletion: Confirm items are deleted per schedule (may take 24-48 hours)
- Collect Feedback: Ask test users about user experience
Rollout Phase (Week 3-8)
-
Staged Deployment:
- Week 3: 25% of users
- Week 4: 50% of users
- Week 5: 75% of users
- Week 6: 100% of users
-
Monitor Compliance:
- Track policy application via audit logs
- Monitor support tickets for issues
- Verify deletion is occurring
-
Communicate Throughout:
- Remind users in week 1
- Provide FAQ in week 3
- Brief management in week 2
- Plan optional training sessions
Monitoring and Optimization
After deployment, monitor and refine:
Monthly Review:
- Check how many items are being deleted
- Verify policy is applying to all users
- Monitor Recoverable Items size
- Track user questions and complaints
Quarterly Adjustment:
- Analyze deletion patterns
- Adjust retention periods if needed
- Add exceptions or legal holds if required
- Review compliance audit results
Annual Audit:
- Validate retention meets current compliance requirements
- Document policy changes for compliance file
- Review legal hold procedures
- Plan for upcoming requirement changes
Ready to Master Retention for Your Clients?
Retention policies are often the missing piece in client security and compliance programs. Most organizations have no formal retention policy, creating compliance risk and storage bloat.
By implementing effective retention policies for your clients, you:
- Reduce their storage costs and backup complexity
- Improve compliance readiness for audits
- Minimize data breach exposure
- Create audit evidence of information governance
- Differentiate your MSP through compliance expertise
Ready to assess your Microsoft 365 security posture? Run a free security assessment at 365 Security Assessment to ensure your retention policies are configured correctly and supporting your compliance program.