

Learn about records management

Microsoft 365 licensing guidance for security & compliance

A records management system, also known as records and information management, is a solution for organizations to manage regulatory, legal, and business-critical records. Records management for Microsoft Purview helps you achieve your organization's legal obligations, provides the ability to demonstrate compliance with regulations, and increases efficiency with regular disposition of items that are no longer required to be retained, no longer of value, or no longer required for business purposes.

Use the following capabilities to support your records management solution for Microsoft 365 data:

  • Label items as a record. Create and configure retention labels to mark items as a record that can then be applied by users or automatically applied by identifying sensitive information, keywords, or content types.

  • Migrate and manage your retention requirements with file plan. By using a file plan, you can bring in an existing retention plan to Microsoft 365, or build a new one for enhanced management capabilities.

  • Configure retention and deletion settings with retention labels. Configure retention labels with the retention periods and actions based on various factors that include the date last modified or created.

  • Start different retention periods when an event occurs with event-based retention.

  • Review and validate disposition with disposition reviews and proof of records deletion.

  • Export information about all disposed items with the export option.

  • Set specific permissions for records manager functions in your organization to have the right access.

Using these capabilities, you can incorporate your organization's retention schedules and requirements into a records management solution that manages retention, records declaration, and disposition, to support the full lifecycle of your content.

In addition to the online documentation, you might find it useful to download a deck with FAQs from a records management webinar. The recording of the actual webinar is no longer available.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Records

When an item is declared a record by using a retention label:

  • Restrictions are placed on the item in terms of what actions are allowed or blocked.

  • Additional activities about the item are logged.

  • You have proof of disposition when the item is deleted at the end of its retention period.

You use retention labels to mark items as a record, or a regulatory record. The difference between these two is explained in the next section. You can either publish those labels so that users and administrators can manually apply them to items, or for labels that mark items as a record, you can auto-apply those labels.

By using retention labels to declare records, you can implement a single and consistent strategy for managing records across your Microsoft 365 environment.

Compare restrictions for what actions are allowed or blocked

Use the following table to identify what restrictions are placed on items as a result of applying a standard retention label, and retention labels that mark items as a record or regulatory record.

A standard retention label has retention settings and actions but doesn't mark items as a record or a regulatory record.

Note

For completeness, the table includes columns for a locked and unlocked record, which is applicable to SharePoint and OneDrive, but not Exchange. The ability to lock and unlock a record uses record versioning that isn't supported for Exchange items. So for all Exchange items that are marked as a record, the behavior maps to the Record - locked column, and the Record - unlocked column is not relevant.

| Action | Retention label | Record - locked | Record - unlocked | Regulatory record |
|---|---|---|---|---|
| Edit contents | Allowed | Blocked | Allowed | Blocked |
| Edit properties, including rename | Allowed | Allowed ¹ | Allowed | Blocked |
| Delete | Allowed ² | Blocked | Blocked | Blocked |
| Copy | Allowed | Allowed | Allowed | Allowed |
| Move within container ³ | Allowed | Allowed | Allowed | Allowed |
| Move across containers ³ | Allowed | Allowed if never unlocked | Blocked | Blocked |
| Open/Read | Allowed | Allowed | Allowed | Allowed |
| Change label | Allowed | Allowed - container admin only | Blocked | Blocked |
| Remove label | Allowed | Allowed - container admin only | Blocked | Blocked |

Footnotes:

1 Editing properties for a locked record is allowed by default but can be blocked by a tenant setting in the Microsoft Purview portal or the Microsoft Purview compliance portal. Depending on the portal you use:

2 Deleting labeled items in SharePoint and OneDrive can be blocked as a tenant setting in the Microsoft Purview portal or the Microsoft Purview compliance portal. Depending on the portal you use:

When you apply a standard retention label to a list item that has a document attachment, that document doesn't inherit the retention settings and can be deleted from the list item. In comparison, if that retention label marked items as a record or regulatory record, the document attachment would inherit the retention settings and couldn't be deleted.

3 Containers include SharePoint sites, OneDrive accounts, and Exchange mailboxes.

Important

The most important difference for a regulatory record is that after it is applied to content, nobody, not even a global administrator, can remove the label.

Retention labels configured for regulatory records also have the following admin restrictions:

  • The retention period can't be made shorter after the label is saved, only extended.
  • These labels aren't supported by auto-labeling policies, and must be applied by using retention label policies.

In addition, a regulatory label can't be applied to a document that's checked out in SharePoint.

Because of the restrictions and irreversible actions, make sure you really do need to use regulatory records before you select this option for your retention labels. To help prevent accidental configuration, this option is not available by default but must first be enabled by using PowerShell. Instructions are included in Declare records by using retention labels.

Validating migrated records

If you're migrating files to SharePoint or OneDrive and your organization needs to manage these items as records, you might need to validate that the files haven't been altered and retain their immutability status. For example, you're using a migration solution and need to meet the chain of custody requirements. Typical file properties and methods often used for this type of validation, such as file size or file hash, might not be sufficient because SharePoint automatically updates the metadata for a file when it's uploaded.

Instead, to validate your migrated files, you can use the value of the vti_writevalidationtoken property, which is a base64-encoded XOR hash of the file before it is modified by SharePoint. Use the following steps:

  1. Generate the XOR hash of the original file by using the QuickXorHash algorithm. For more information, see the QuickXorHash Algorithm code snippet.

  2. Base64-encode the XOR hash. For more information, see the Base64Encode method documentation.

  3. After the file is migrated, retrieve the value of the vti_writevalidationtoken property from the uploaded file.

  4. Compare the value generated in step 2 with the value retrieved in step 3. These two values should match. If they do, you've validated that the file hasn't changed.
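The four steps above as an added Python example (not Microsoft's code): it reimplements QuickXorHash as a 160-bit rotate-and-XOR with the file length folded into the last 8 bytes, base64-encodes it, and compares it with a token you supply. The function names `expected_token`, `file_chunks` and `validate_migrated` are hypothetical, the sample data is constructed, and retrieving vti_writevalidationtoken from the uploaded file (step 3) is assumed to happen elsewhere.

```python
import base64

WIDTH_BITS = 160   # QuickXorHash state width in bits
SHIFT = 11         # each input byte lands 11 bits further along
MASK = (1 << WIDTH_BITS) - 1


def quickxorhash(chunks):
    """Return the 20-byte QuickXorHash of an iterable of bytes chunks."""
    state, length = 0, 0
    for chunk in chunks:
        for b in chunk:
            pos = (length * SHIFT) % WIDTH_BITS
            # XOR the byte in at bit `pos`, wrapping past bit 159 to bit 0.
            state ^= ((b << pos) | (b >> (WIDTH_BITS - pos))) & MASK
            length += 1
    digest = bytearray(state.to_bytes(WIDTH_BITS // 8, "little"))
    # Fold the total length (64-bit little-endian) into the last 8 bytes.
    for i, lb in enumerate((length % 2**64).to_bytes(8, "little")):
        digest[12 + i] ^= lb
    return bytes(digest)


def expected_token(chunks):
    """Steps 1-2: QuickXorHash of the original file, then base64."""
    return base64.b64encode(quickxorhash(chunks)).decode("ascii")


def file_chunks(path, size=1 << 20):
    """Stream a file so large records are not read into memory at once."""
    with open(path, "rb") as fh:
        while block := fh.read(size):
            yield block


def validate_migrated(chunks, retrieved_token):
    """Step 4: compare the pre-migration token with the retrieved one."""
    expected = expected_token(chunks)
    return expected == retrieved_token.strip(), expected


if __name__ == "__main__":
    original = b"Constructed sample record body\n" * 40   # constructed input
    token = expected_token([original])                     # steps 1-2
    # `token` stands in for the value read from vti_writevalidationtoken.
    print(validate_migrated([original], token))                   # match
    print(validate_migrated([original[:-1] + b"X"], token))       # altered file
```

QuickXorHash is a non-cryptographic checksum, so a match shows the uploaded bytes equal the source bytes but gives no protection against a deliberately crafted collision. Record the computed token with the migration log before upload so the comparison does not depend on re-reading the source later.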

Configuration guidance

See Get started with records management. This article has information about subscriptions, permissions, and links to end-to-end configuration guidance for records management scenarios.