Microsoft Purview · Data Lifecycle Management
Retention Management
Create and manage retention policies and labels across Microsoft 365 to ensure compliance with data retention requirements.
Scope: Organization-wide retention policy and label management across all Microsoft 365 workloads
Permissions
- Retention Policies - Create and configure retention policies and retention labels
- Workload Settings - Apply retention settings to Exchange, SharePoint, OneDrive, Teams, Copilot interactions
- Auto-Labeling - Manage automatic labeling and user-published labels for manual application
- Event-Based Retention - Configure event-based retention for contract or project lifecycle triggers
- Adaptive Scopes - Configure adaptive scopes for dynamic policy targeting based on user attributes
- Label Analytics - Review retention label analytics and label application reports
- Exceptions - Manage exceptions, label overrides, and policy conflicts
- Copilot Retention - Configure retention for Microsoft 365 Copilot interactions and AI-generated content
- Disposition Review - Set up disposition review workflows for end-of-retention decisions
- Administrative Units - Manage administrative units for scoped retention policies
- Preservation Lock - Configure Preservation Lock for immutable regulatory retention
- Policy Monitoring - Monitor retention policy effectiveness and coverage
Common use cases
- Implementing regulatory retention requirements (SEC, FINRA, HIPAA, GDPR, CCPA)
- Managing corporate records retention schedules with automated enforcement
- Ensuring legal compliance for data retention and evidence preservation
- Automating lifecycle management for business documents and communications
- Retaining Microsoft 365 Copilot interactions per compliance requirements
- Managing retention for different regions using administrative units
- Implementing adaptive retention policies based on user department or location
- Configuring disposition review for end-of-retention decision workflows
Best practices
- Start with broader retention policies and refine with labels for specific exceptions
- Test retention policies with pilot groups before broad organization deployment
- Document retention schedules aligned with business, legal, and regulatory requirements
- Use Preservation Lock for regulatory compliance requirements requiring immutability
- Regularly review and update retention settings as regulations change
- Coordinate closely with legal, records management, and compliance teams
- Use adaptive scopes for dynamic content targeting based on user attributes
- Configure Copilot interaction retention carefully - balance compliance with user privacy
- Implement disposition review workflows for content requiring manual review before deletion
- Use administrative units to manage retention policies for different regions or divisions
- Monitor retention label analytics to ensure proper application and coverage
- Test event-based retention triggers thoroughly before production deployment
Security considerations
- Incorrect retention settings can result in premature data deletion and regulatory violations
- Preservation Lock cannot be disabled once applied - use with extreme caution
- Over-retention can increase storage costs and expand eDiscovery scope significantly
- Under-retention can violate regulations and destroy critical evidence
- Monitor for conflicts between retention policies and retention labels
- Adaptive scopes may inadvertently include or exclude users based on attribute changes
- Copilot interaction retention affects user privacy and AI usage transparency
- Administrative units require careful access control to prevent unauthorized changes
- Disposition review requires trusted reviewers with proper authorization
- Event-based retention triggers should be tested to avoid premature or delayed deletion
- Retention policy changes can take up to 7 days to fully propagate
Common questions
When should I assign the Retention Management role?
Assign Retention Management when you need to: Implementing regulatory retention requirements (SEC, FINRA, HIPAA, GDPR, CCPA); Managing corporate records retention schedules with automated enforcement; Ensuring legal compliance for data retention and evidence preservation; Automating lifecycle management for business documents and communications; and Retaining Microsoft 365 Copilot interactions per compliance requirements. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Retention Management role do?
The Retention Management role grants permissions including: Retention Policies - Create and configure retention policies and retention labels; Workload Settings - Apply retention settings to Exchange, SharePoint, OneDrive, Teams, Copilot interactions; Auto-Labeling - Manage automatic labeling and user-published labels for manual application; Event-Based Retention - Configure event-based retention for contract or project lifecycle triggers; Adaptive Scopes - Configure adaptive scopes for dynamic policy targeting based on user attributes; and Label Analytics - Review retention label analytics and label application reports. See the Permissions section above for the full list.
What are the security risks of the Retention Management role?
Key considerations when assigning Retention Management: Incorrect retention settings can result in premature data deletion and regulatory violations; Preservation Lock cannot be disabled once applied - use with extreme caution; Over-retention can increase storage costs and expand eDiscovery scope significantly; and Under-retention can violate regulations and destroy critical evidence. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.