Microsoft Purview · Records Management
Records Management
Configure retention labels for records, file plans, and disposition reviews for formal records management programs with regulatory-grade immutability.
Scope: Organization-wide records management and file plan administration for legal/regulatory compliance
Permissions
- Retention Labels - Create and configure retention labels that mark content as records or regulatory records
- File Plan - Build and manage file plan with retention schedules and regulatory metadata (21 CFR Part 11, DoD 5015.2, ISO 15489)
- File Plan Descriptors - Configure file plan descriptors: function, category, subcategory, authority, provision/citation
- Disposition Review - Configure disposition review workflows with single or multi-stage approval
- Regulatory Records - Manage regulatory records with immutable protection (cannot edit, delete, or remove label)
- Record Versioning - Apply record versioning and declaration settings (locked vs unlocked records)
- Proof of Disposal - Configure proof of disposal settings for audit trail of permanent deletion
- Event-Based Retention - Set up event-based retention for contracts, employee lifecycle, product lifetime triggers
- Auto-Apply Labels - Configure auto-apply retention labels based on sensitive info, keywords, trainable classifiers
- Bulk Import/Export - Import and export file plan in bulk for retention schedule migration
- Record Unlocking - Manage record unlocking permissions (container admin only for locked records)
- Tenant Settings - Configure tenant-level record settings: property editing, label removal, version control
- Regulatory Declaration - Enable or disable regulatory record declaration option organization-wide
Common use cases
- Implementing formal records management programs compliant with DoD 5015.2, ISO 15489, MoReq2
- Meeting FDA 21 CFR Part 11 requirements for life sciences electronic records and signatures
- Managing retention schedules for SEC, FINRA, HIPAA, GDPR, FERPA regulatory compliance
- Coordinating multi-stage disposition review and approval processes for critical records
- Ensuring records are properly declared with immutable protection against tampering
- Meeting government or industry-specific records requirements with proof of disposal
- Implementing event-based retention for employee separations, contract expirations, product EOL
- Using record versioning to allow controlled updates to locked records in SharePoint/OneDrive
- Creating file plan structure with metadata for classification and retrieval
- Migrating legacy retention schedules from external systems via bulk import
Best practices
- Start with a comprehensive file plan before creating labels - use descriptors for organization
- Involve legal and compliance teams early in retention schedule design
- Use file plan metadata (function, category, authority, citation) for better governance
- Implement multi-stage disposition review for high-value or sensitive records
- Test disposition workflows in non-production before deploying organization-wide
- Document retention decisions and regulatory basis in file plan descriptors
- Train users on difference between records vs regulatory records (locked vs immutable)
- Regularly review and update retention schedules as regulations change
- Use event-based retention for lifecycle triggers (employee departure, contract end)
- Enable record versioning for collaborative scenarios where updates are needed
- Export file plan periodically for backup and audit purposes
- Coordinate with eDiscovery team before implementing disposition to avoid hold conflicts
- Use auto-apply labels with caution - over-declaring records increases storage costs
Security considerations
- Records cannot be deleted before retention period expires - immutable protection
- Regulatory records are completely immutable - cannot edit properties, delete, or remove label
- Incorrect record declaration can lead to premature destruction or excessive retention
- Disposition approval workflow prevents unauthorized deletion of business-critical content
- Proof of disposal provides audit trail for compliance with retention schedules
- Record labels cannot be removed once applied - test thoroughly before production deployment
- Coordinate with legal before implementing disposition to avoid spoliation risks
- Only container admins can unlock locked records - assign permissions carefully
- Event-based retention may retain indefinitely if event never triggers - monitor orphaned records
- File plan export may contain sensitive retention metadata - protect accordingly
Common questions
When should I assign the Records Management role?
Assign Records Management when you need to: Implementing formal records management programs compliant with DoD 5015.2, ISO 15489, MoReq2; Meeting FDA 21 CFR Part 11 requirements for life sciences electronic records and signatures; Managing retention schedules for SEC, FINRA, HIPAA, GDPR, FERPA regulatory compliance; Coordinating multi-stage disposition review and approval processes for critical records; and Ensuring records are properly declared with immutable protection against tampering. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Records Management role do?
The Records Management role grants permissions including: Retention Labels - Create and configure retention labels that mark content as records or regulatory records; File Plan - Build and manage file plan with retention schedules and regulatory metadata (21 CFR Part 11, DoD 5015.2, ISO 15489); File Plan Descriptors - Configure file plan descriptors: function, category, subcategory, authority, provision/citation; Disposition Review - Configure disposition review workflows with single or multi-stage approval; Regulatory Records - Manage regulatory records with immutable protection (cannot edit, delete, or remove label); and Record Versioning - Apply record versioning and declaration settings (locked vs unlocked records). See the Permissions section above for the full list.
What are the security risks of the Records Management role?
Key considerations when assigning Records Management: Records cannot be deleted before retention period expires - immutable protection; Regulatory records are completely immutable - cannot edit properties, delete, or remove label; Incorrect record declaration can lead to premature destruction or excessive retention; and Disposition approval workflow prevents unauthorized deletion of business-critical content. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.