Records Management & Retention
Why organisations must keep data (and when they must delete it). Retention policies for broad rules, retention labels for specific items, and records management for legal-grade control.
Why does retention matter?
Think of your organisation’s data like paperwork in a filing cabinet.
Some papers you must keep for years — tax records, contracts, patient files. Throw them away too early and you break the law.
Other papers you should delete on schedule — old resumes, expired meeting notes. Keep them forever and you create a mountain of risk. If someone sues you, every document you kept is now discoverable.
Retention is the rulebook that says: keep this, delete that, and here is exactly when.
Nadia, the Compliance Officer at MedGuard Health, faces this daily. Healthcare regulations require patient records to be kept for at least 7 years. Privacy laws require deleting personal data once it is no longer needed. Getting either one wrong means fines, lawsuits, or both.
Retention policies: broad rules for entire locations
A retention policy is a wide net. You apply it to an entire location — all Exchange email, all SharePoint sites, all Teams chats — and it affects everything in that location.
What a retention policy does
| Setting | What happens |
|---|---|
| Retain only | Content is kept for the specified period. Nothing is deleted automatically. |
| Delete only | Content is deleted after the specified period. Nothing is preserved before that. |
| Retain then delete | Content is kept for the specified period, then automatically deleted when it expires. |
Where retention policies apply
Retention policies can target these Microsoft 365 locations:
- Exchange email — user mailboxes and shared mailboxes
- SharePoint sites — documents and list items
- OneDrive accounts — user files
- Teams channel messages — posts in standard and shared channels
- Teams chats — private messages and group chats
- Viva Engage (Yammer) — community messages and user messages
How Nadia uses retention policies at MedGuard Health
Nadia creates three retention policies:
- All email — retain 7 years then delete: Every mailbox across MedGuard keeps email for 7 years. After that, email is automatically purged.
- Teams chats — retain 3 years then delete: Clinical teams discuss patients in Teams. Those chats must be preserved for 3 years for audit purposes.
- SharePoint HR site — retain 5 years then delete: Employee records on the HR SharePoint site are kept for 5 years after the employee leaves.
Nadia did not need to tag individual items. The policies apply to everything in those locations automatically.
Retention labels: item-level precision
If retention policies are a wide net, retention labels are a sniper scope. You apply them to individual items — a specific document, a single email — to classify exactly how that item should be handled.
What makes labels different from policies
- Labels are applied to individual items (one document, one email)
- Users can apply labels manually, or labels can be applied automatically
- Labels can mark content as a record or a regulatory record
- A regulatory record is immutable — nobody can edit or delete it, not even an admin
Auto-apply labels
Instead of relying on users to label every document, Nadia can auto-apply labels based on:
| Method | How it works | Example |
|---|---|---|
| Sensitive information types (SITs) | Detects patterns like tax numbers, medical IDs | Auto-label any document containing patient health IDs |
| Keywords or queries | Matches specific words or KQL queries | Label any email containing “clinical trial” |
| Trainable classifiers | Machine learning models trained on content patterns | Detect and label documents that look like medical consent forms |
Exam tip: policies vs labels — know the difference
The exam loves asking when to use a policy versus a label. The rule is simple:
- Broad requirement across a location? Use a retention policy. Example: “Keep all email for 7 years.”
- Specific requirement for certain items? Use a retention label. Example: “This contract must be kept for 10 years.”
- Need to mark something as immutable? Only a retention label can do that (records and regulatory records).
Retention label policies: getting labels to users
Creating a label is not enough. You need a retention label policy to make it available:
| Method | How it works |
|---|---|
| Publish labels | Makes labels available for users to apply manually in Outlook, SharePoint, and OneDrive. Users choose the right label for each item. |
| Auto-apply labels | Automatically applies labels to content that matches conditions (SITs, keywords, or trainable classifiers). No user action required. |
Conflict resolution: retention wins
What happens when a retention policy says “delete after 3 years” but a retention label says “keep for 7 years”?
The most conservative action wins. In Microsoft Purview:
- Retention always wins over deletion. If any rule says keep, the content is kept.
- Longer retention wins over shorter retention. If one rule says 3 years and another says 7, the content is kept for 7.
- Explicit deletion wins over implicit deletion. A delete action that was explicitly applied to an item takes priority over the implicit handling of content that has no retention rule of its own.
This is a critical exam concept. The principle protects organisations from accidentally deleting content that is still legally required.
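The three principles above can be checked mechanically. The following Python is an added example, not Microsoft code and not a Purview API: it resolves the effective outcome for one item covered by several rules, using Nadia's three location-wide policies as constructed sample data. The `Rule`, `Outcome` and `MEDGUARD_POLICIES` names are illustrative; the tie-break among deletion rules of the same kind (shortest period applies) is an assumption beyond what the page states.

```python
"""Effective retention outcome when several rules cover one item.

Added example, not Microsoft code: it implements the conflict-resolution
principles stated on the page. Rule objects, the constructed MedGuard
location policies and the sample labels are illustrative, not Purview API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "retain", "delete", or "retain_then_delete"
    years: int       # retention or deletion period, in years
    explicit: bool   # True for a label applied to the item, False for a location policy


@dataclass(frozen=True)
class Outcome:
    retain_years: int            # guaranteed keep period (0 = no retention applies)
    delete_after: Optional[int]  # years after which it is auto-deleted, None = never


def resolve(rules: List[Rule]) -> Outcome:
    retaining = [r for r in rules if r.action in ("retain", "retain_then_delete")]
    deleting = [r for r in rules if r.action in ("delete", "retain_then_delete")]
    # Longer retention wins over shorter retention.
    retain_years = max((r.years for r in retaining), default=0)
    if not deleting:
        return Outcome(retain_years, None)        # retain-only rules: never auto-deleted
    # Explicit deletion (a label on the item) wins over implicit deletion (a location
    # policy); among rules of the same kind the shortest period applies (assumption).
    explicit = [r for r in deleting if r.explicit]
    delete_years = min(r.years for r in (explicit or deleting))
    # Retention wins over deletion: nothing is deleted while any rule still retains it.
    return Outcome(retain_years, max(delete_years, retain_years))


# Constructed from Nadia's three location-wide "retain then delete" policies.
MEDGUARD_POLICIES: Dict[str, Rule] = {
    "exchange": Rule("All email - 7 years", "retain_then_delete", 7, explicit=False),
    "teams_chats": Rule("Teams chats - 3 years", "retain_then_delete", 3, explicit=False),
    "sharepoint_hr": Rule("HR site - 5 years", "retain_then_delete", 5, explicit=False),
}


def resolve_item(location: str, labels: List[Rule] = ()) -> Outcome:
    """Combine the policy for the item's location with any labels on the item."""
    rules = list(labels)
    if location in MEDGUARD_POLICIES:
        rules.append(MEDGUARD_POLICIES[location])
    return resolve(rules)


if __name__ == "__main__":
    # Exam scenario: policy deletes chats after 3 years, label retains the thread 7 years.
    hold = Rule("Litigation - 7 years", "retain", 7, explicit=True)
    print(resolve_item("teams_chats", [hold]))  # Outcome(retain_years=7, delete_after=7)
```

Run the module directly to see the Teams-chat scenario: the 7-year label wins, and the policy's delete action only fires once that retention has expired.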
Retention policies vs retention labels
| Feature | Retention Policies | Retention Labels |
|---|---|---|
| Scope | Broad — applied to entire locations (all Exchange, all SharePoint) | Specific — applied to individual items (one document, one email) |
| Applied by | Admins configure, system enforces automatically | Admins publish, users or auto-apply rules apply to items |
| Can mark as record | No | Yes — record or regulatory record (immutable) |
| Granularity | Location level (all email in a mailbox) | Item level (this specific contract) |
| User involvement | None — users do not see or interact with the policy | Users can manually select and apply labels |
| Best for | Organisation-wide baseline retention rules | Specific compliance requirements on individual items |
Records management: legal-grade control
Records management goes beyond simple retention. When Nadia declares a document as a record, she is saying: “This item has legal or regulatory significance. It must follow strict lifecycle rules.”
What records management adds
| Capability | What it means |
|---|---|
| Declare records | Mark items as records. Records cannot be deleted until the retention period expires. |
| Regulatory records | The strictest level. Once labelled, the item cannot be edited, deleted, or relabelled — even by admins. |
| Disposition review | When a record reaches the end of its retention period, a reviewer must approve its deletion before it is permanently removed. |
| Proof of disposal | Auditable evidence that content was reviewed and deleted according to policy. |
Disposition review: the approval step
When a record expires, it does not just disappear. A disposition review places the item in a queue where a designated reviewer (like Nadia) decides:
- Approve disposal — the record is permanently deleted
- Extend retention — keep it longer
- Relabel — apply a different retention label
Scenario: MedGuard’s patient consent forms
Dr. Torres, MedGuard’s CMO, says patient consent forms must be kept for 10 years after the last treatment date. At the end of the 10 years, someone must review each form before deletion.
Nadia’s setup:
- Creates a retention label called “Patient Consent — 10 Year” with a 10-year retention period
- Marks the label as a regulatory record (no one can tamper with signed consent forms)
- Enables disposition review so her compliance team reviews forms before deletion
- Auto-applies the label to all documents in the “Patient Consents” SharePoint library
Result: Consent forms are locked down, kept for exactly 10 years, and reviewed before permanent deletion. Full audit trail.
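To make the lifecycle concrete, here is an added Python model of this scenario and of the disposition-review step described above. It is not Microsoft Purview code: the `Label`, `Item` and `Disposition` classes, the sample consent form, the dates and the reviewer name are all constructed for illustration. It shows the regulatory-record lock refusing an admin edit and a manual delete, the expired item landing in the review queue rather than vanishing, and the approve/extend/relabel decisions each leaving an audit entry.

```python
"""Lifecycle of a regulatory record with disposition review.

Added example, not Microsoft Purview code: it models the consent-form
scenario described above. Class names, the sample form, the dates and the
reviewer identity are all constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


class RecordLocked(Exception):
    """Raised when anyone, admins included, tries to alter a regulatory record."""


def add_years(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year + n)
    except ValueError:                       # 29 Feb in a non-leap target year
        return d.replace(year=d.year + n, day=28)


@dataclass(frozen=True)
class Label:
    name: str
    retention_years: int
    regulatory: bool          # regulatory record: immutable until disposed
    disposition_review: bool  # expiry queues the item for a reviewer instead of auto-deleting


@dataclass(eq=False)          # identity equality, so a mutated item is still found in a list
class Item:
    path: str
    content: str
    label: Optional[Label] = None
    retention_until: Optional[date] = None
    deleted: bool = False

    def apply_label(self, label: Label, today: date) -> None:
        self.label = label
        self.retention_until = add_years(today, label.retention_years)

    def edit(self, new_content: str, actor: str) -> None:
        if self.label and self.label.regulatory:
            raise RecordLocked(f"{actor} cannot edit regulatory record {self.path}")
        self.content = new_content

    def delete(self, actor: str) -> None:
        # Manual deletion is refused for regulatory records; disposition is the only exit.
        if self.label and self.label.regulatory:
            raise RecordLocked(f"{actor} cannot delete regulatory record {self.path}")
        self.deleted = True


@dataclass
class Disposition:
    pending: List[Item] = field(default_factory=list)
    audit: List[Tuple[date, str, str]] = field(default_factory=list)  # proof of disposal

    def sweep(self, items: List[Item], today: date) -> None:
        """Route expired items to review when review is enabled, else auto-delete them."""
        for item in items:
            if item.deleted or item.label is None or today < item.retention_until:
                continue
            if item.label.disposition_review:
                if item not in self.pending:
                    self.pending.append(item)
            else:
                item.deleted = True
                self.audit.append((today, item.path, "auto-deleted at expiry"))

    def decide(self, item: Item, decision: str, reviewer: str, today: date,
               extra_years: int = 0, new_label: Optional[Label] = None) -> None:
        if item not in self.pending:
            raise ValueError(f"{item.path} is not awaiting disposition")
        if decision == "approve":
            item.deleted = True                  # the sanctioned path past the record lock
        elif decision == "extend":
            item.retention_until = add_years(item.retention_until, extra_years)
        elif decision == "relabel":
            item.apply_label(new_label, today)
        else:
            raise ValueError(f"unknown decision {decision!r}")
        self.pending.remove(item)
        self.audit.append((today, item.path, f"{decision} by {reviewer}"))


def run_scenario() -> dict:
    """Constructed walk-through: label in 2015, blocked edit, review at the 2025 expiry."""
    consent = Label("Patient Consent - 10 Year", 10, regulatory=True, disposition_review=True)
    form = Item("Patient Consents/consent-0001.pdf", "signed")
    form.apply_label(consent, date(2015, 3, 1))
    queue = Disposition()
    try:
        form.edit("tampered", actor="it-admin")
        edit_blocked = False
    except RecordLocked:
        edit_blocked = True
    queue.sweep([form], date(2020, 1, 1))        # inside the 10 years: nothing happens
    pending_early = len(queue.pending)
    queue.sweep([form], date(2025, 3, 1))        # expiry: queued for review, not deleted
    pending_at_expiry, deleted_before_review = len(queue.pending), form.deleted
    queue.decide(form, "approve", "nadia", date(2025, 3, 4))
    return {"edit_blocked": edit_blocked, "pending_early": pending_early,
            "pending_at_expiry": pending_at_expiry,
            "deleted_before_review": deleted_before_review,
            "deleted": form.deleted, "audit": queue.audit}
```

Calling `run_scenario()` returns the observable facts of the page's result line: the admin edit is refused, the form is untouched until the 10 years are up, it waits for a reviewer at expiry, and the approval that finally deletes it is recorded in the audit list. The `audit` list is the model's stand-in for Purview's proof of disposal.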
🎬 Video walkthrough
🎬 Video coming soon
Records Management & Retention — SC-900 Module 5
Knowledge check
MedGuard Health needs to keep ALL email across the organisation for 7 years for regulatory compliance. They do not need to classify individual emails. What should Nadia configure?
Dr. Torres requires that signed patient consent forms cannot be edited or deleted by anyone — including IT administrators — for 10 years. Which feature should Nadia use?
A retention policy says 'delete Teams chats after 3 years.' A retention label on a specific chat thread says 'retain for 7 years.' What happens to that chat thread?