Microsoft Purview · Records Management

Records Management

Configure retention labels for records, file plans, and disposition reviews for formal records management programs with regulatory-grade immutability.

Scope: Organization-wide records management and file plan administration for legal/regulatory compliance

Permissions

  • Retention Labels - Create and configure retention labels that mark content as records or regulatory records
  • File Plan - Build and manage file plan with retention schedules and regulatory metadata (21 CFR Part 11, DoD 5015.2, ISO 15489)
  • File Plan Descriptors - Configure file plan descriptors: function, category, subcategory, authority, provision/citation
  • Disposition Review - Configure disposition review workflows with single or multi-stage approval
  • Regulatory Records - Manage regulatory records with immutable protection (cannot edit, delete, or remove label)
  • Record Versioning - Apply record versioning and declaration settings (locked vs unlocked records)
  • Proof of Disposal - Configure proof of disposal settings for audit trail of permanent deletion
  • Event-Based Retention - Set up event-based retention for contracts, employee lifecycle, product lifetime triggers
  • Auto-Apply Labels - Configure auto-apply retention labels based on sensitive info, keywords, trainable classifiers
  • Bulk Import/Export - Import and export file plan in bulk for retention schedule migration
  • Record Unlocking - Manage record unlocking permissions (container admin only for locked records)
  • Tenant Settings - Configure tenant-level record settings: property editing, label removal, version control
  • Regulatory Declaration - Enable or disable regulatory record declaration option organization-wide

Common use cases

  • Implementing formal records management programs compliant with DoD 5015.2, ISO 15489, MoReq2
  • Meeting FDA 21 CFR Part 11 requirements for life sciences electronic records and signatures
  • Managing retention schedules for SEC, FINRA, HIPAA, GDPR, FERPA regulatory compliance
  • Coordinating multi-stage disposition review and approval processes for critical records
  • Ensuring records are properly declared with immutable protection against tampering
  • Meeting government or industry-specific records requirements with proof of disposal
  • Implementing event-based retention for employee separations, contract expirations, product EOL
  • Using record versioning to allow controlled updates to locked records in SharePoint/OneDrive
  • Creating file plan structure with metadata for classification and retrieval
  • Migrating legacy retention schedules from external systems via bulk import

Best practices

  • Start with a comprehensive file plan before creating labels - use descriptors for organization
  • Involve legal and compliance teams early in retention schedule design
  • Use file plan metadata (function, category, authority, citation) for better governance
  • Implement multi-stage disposition review for high-value or sensitive records
  • Test disposition workflows in non-production before deploying organization-wide
  • Document retention decisions and regulatory basis in file plan descriptors
  • Train users on difference between records vs regulatory records (locked vs immutable)
  • Regularly review and update retention schedules as regulations change
  • Use event-based retention for lifecycle triggers (employee departure, contract end)
  • Enable record versioning for collaborative scenarios where updates are needed
  • Export file plan periodically for backup and audit purposes
  • Coordinate with eDiscovery team before implementing disposition to avoid hold conflicts
  • Use auto-apply labels with caution - over-declaring records increases storage costs

Security considerations

  • Records cannot be deleted before retention period expires - immutable protection
  • Regulatory records are completely immutable - cannot edit properties, delete, or remove label
  • Incorrect record declaration can lead to premature destruction or excessive retention
  • Disposition approval workflow prevents unauthorized deletion of business-critical content
  • Proof of disposal provides audit trail for compliance with retention schedules
  • Record labels cannot be removed once applied - test thoroughly before production deployment
  • Coordinate with legal before implementing disposition to avoid spoliation risks
  • Only container admins can unlock locked records - assign permissions carefully
  • Event-based retention may retain indefinitely if event never triggers - monitor orphaned records
  • File plan export may contain sensitive retention metadata - protect accordingly

Official Microsoft Learn documentation →

Open the interactive RBACMap →