10 Mar Practical Information Lifecycle Management in Microsoft 365
Overview:
As organizations increasingly embrace Microsoft Office 365 to meet their content and collaboration needs, information governance and records management professionals are challenged with applying lifecycle management policies within SharePoint Online, Teams, OneDrive for Business, Outlook, and integrated apps in a consistent and sustainable manner.
This presentation explains Office 365’s out-of-the-box records management capabilities, and describes the tools and processes needed to implement effective lifecycle management.
Learn:
- Office 365 capabilities and extensibility to support records management
- Common implementation challenges with their corresponding workarounds and solutions
Presented By Renu Hall
Renu:
Hi everyone, and thank you for joining me today for this session on practical Information Lifecycle Management in Microsoft 365. My name is Renu Hall, I am the Director of Technology Consulting at Access Sciences. And while my background is in software engineering, I have a personal passion for the user experience and usability and a lot of experience in the area of information governance.
It seems that often when it comes to lifecycle management, however, it’s a battle between usability and governance, it seems we have to sacrifice one for the sake of the other. So, I see both sides of the coin and this presentation on practical lifecycle management strives to show how to balance these two competing priorities.
So, why are we talking today about Microsoft 365 Lifecycle Management? Well, it’s becoming increasingly apparent that organizations need to apply information governance in Microsoft 365. With the pandemic last year, and so many organizations moving to 365 primarily for collaboration, taking advantage of the Teams platform, over 90% of organizations use this platform today. In addition, through those collaboration activities, information is being created and generated that needs to be protected and governed like all information assets.
It’s also becoming increasingly clear that you can’t really rely on end users to be able to classify and move content out of the 365 platform and into other systems of record without increasing your risk of things slipping through the cracks there.
And then lastly, if you don’t take action, everything created by users in Microsoft 365 lives forever by default. So, in order for content to get disposed over time, something needs to be done and action needs to be taken. Well, what and how?
That is often considered a bit of a rollercoaster ride when it comes to the IG community, because capabilities on the platform vary constantly. They’re always being modified and also they differ from one version to the other. So, we talk about the capabilities that are available on the platform today, as well as I tried to point out what’s different from one version to the other and how things are changing with the direction that Microsoft is going in.
Okay, so I tell you the slide the inconvenient truth. I think organizations often move forward with their information lifecycle management programs without actually establishing a solid information architecture. And unfortunately, it doesn’t matter what approach you take, what tool you purchase, without this, no approach is going to be successful, and everything is going to seem highly impractical.
What do we mean by information architecture? Well, that comprises essentially of these elements. You have to have a good understanding of your organization’s IT strategy and landscape. You have to know what all the systems are that are in play, so that you can guide users on the ultimate question of what goes where. You can’t have content in multiple places, the same type of content in multiple places, so you do have to provide some guidance, otherwise users will decide for themselves and the chaos that results is something that you will have to clean up afterwards.
Enterprise taxonomy is a key element of an information architecture. This is the consistent naming standards, the terms that users have developed within the organization to organize and search for their content. You develop this at the enterprise level and then you can also localize this for different functional areas, but you have to have a good understanding of the terms and vocabulary that’s used in the organization so that you can use that in order to apply logic and rules to the way you organize content.
Thirdly, lifecycle management is simply impossible without a solid information retention schedule. And you cannot implement something that’s 2,000 rows long. You need to have something that’s practical, by which I mean not more than 200 items in the retention schedule and something that can be easily implemented no matter what the system.
Oftentimes, the complexity in retention schedules can be simplified when it comes to implementing something practical if the organization is willing to make some compromises favoring usability over an exact retention for every possible record type for example. The security model is crucial to protecting information as appropriate for its risk profile. And that’s part and parcel of lifecycle management, applying those rules so that information is protected, and only those who need access or if you’re following a no harm to know model only those to which there is no risk if you expose that information will have access to that information.
And lastly, you can never underestimate the importance of change management. A solid behavior change management program needs to be thought of from the beginning in terms of communicating and building awareness for the program, but then following through with ongoing support as well as training. Many issues with your lifecycle management and programs or technology programs in general, when implemented, come down to just a lack of understanding, a lack of training, not knowing how to use the tool as designed when you roll out new systems and processes. So, you can never underestimate how important that is, although a lot of organizations do leave it behind when they’re building systems.
This conversation about information architecture, as I said, is a difficult one to have with organizations because most rollouts of SharePoint and Teams have happened in a far from well governed manner. It’s been a haphazard adoption and the resulting content is far from organized. So, it may seem that it’s impossible to corral that sprawl and disarray. But it is quite doable and we have helped dozens of organizations work through that restructuring, if you will. And that involves a partnership between IT, the IG information governance team, as well as a business to make sure that requirements meet their needs.
Ultimately, this approach also builds trust and a sustainable partnership between these three entities which is what you need in order to sustain a system at an enterprise scale such as Microsoft 365. So, what will we cover today in our agenda? We’re going to look at, as I mentioned, the current capabilities on the platform. We look at not just what it does, but what it doesn’t do, sort of limitations and challenges. I’ll go through a quick demo of what that looks like on the current platform as configured. And then we will have some questions.
Okay, so when you look at current capabilities for lifecycle management, this in essence is the way I think about that process. So, we move from defining the retention or lifecycle management rules, which is essentially the retention rules. This responsibility is typically that of the information governance team, the RIM team, records and information management team within organizations. They define the retention rules, typically within a schedule maintained within Excel for example or a retention management system.
Once you have the rules, you need to apply the rules to content within the 365 platform. And this can be an activity that either you allow end users to perform or you can make this a design time activity. So, when you’re rolling out the system, or the sites or libraries, you’re applying the retention rules to that location. Therefore, when end users drop content into those locations, it inherits the retention rules, as opposed to leaving it on them to select the retention category for content.
Finally, there’s also a system automated way, which is called auto labeling or dynamic labeling. And this is a way to apply retention rules to content based on certain classifications of information, keywords and metadata properties. So, a nice, sophisticated way of applying retention in a more granular fashion.
Once you have the rules in place, how do you go about executing retention? Well, when content comes up for disposition, when it has expired, someone needs to take action on the content. This could be the IG Team. This needs to be the IG Team within the organization, this is not an IT function. And then the other option, of course, is that you can just delete it when it comes up for expiration there is no review required.
And then finally, how do you know that lifecycle management is being executed correctly, labeling is happening, what kinds of content have been labeled? Et cetera. There are tools in the platform that can help you monitor user activities as well as compliance with these different rules. So, we’re going to look at this in two phases within this presentation, two parts.
The first one is defined and apply. The second is execute and monitor. The first part I cover in some detail in the presentation. But the second part we will switch over to the demo at that point because it’s a lot easier to show rather than to describe some of those tasks.
Okay, so at this point I would ask you to think about your Microsoft 365 solution, and what licensing or subscription you currently own on the platform. And this is, of course, a per user license. So, you may either be on an Enterprise or Government level three subscription, or you may have purchased some advanced compliance licenses. Some organizations have put in place third party IG solutions on top of the Microsoft 365 platform. And in other cases, they’ve gone one tier up to Enterprise Five or G5 Government Five subscription. And in some cases also procure third party solutions that play on top of that solution.
The final category, of course, is if you don’t know, that’s fine too. Oftentimes though folks within the information governance community need to work with IT and fully understand the capabilities and the licensing model that they have purchased because the services are different between these and in order to fully maximize or leverage the information lifecycle management capabilities you need to know what’s available with the subscription that you have and whether or not you need to upgrade or purchase something additional in terms of additional licenses.
Okay, so with that, let’s move into the define and apply phase. How do you go about creating the rules and applying the rules to content? In order to do that, first of all, you have to have a good understanding of how content is organized or where it’s stored within the 365 platform.
This image is the logical architecture for Microsoft Teams and related services as of January 2021. I like this image, even though it was built to describe how Teams is deployed. I like this image because it does address a lot of the concerns that organizations have with this new accelerated rollout of Teams that happened in 2020. And the concern that how do I manage content in Teams now? This is a whole new set of storage locations, and I’ll have to apply retention to those.
So, I think this image explains how all that ties together and let’s walk through that. So, at the very top, you’ll see this level here is the Teams application and all the functionality that it brings. So, when you have one on one chat, or group chats, or ad hoc group chats, or meetings, or call, or make calls, all of that information actually gets stored into user mailboxes of the people who are participating in these collaboration sessions within Exchange Online.
If you move to the next area, files that are shared in Teams meetings or chat, or conversations, or ad hoc conversations, those files are actually stored in the OneDrive for Business for the user who shared the files. And then thirdly, the actual Team element within the Teams application is built on top of the Office 365 group construct, and information that’s shared as part of a Team within the channel, for example, the chats are actually stored, channel messages are actually stored, within group mailboxes again, in Exchange Online. Similar information goes to Planner, which is really behind the scenes still Exchange Online. And then any files that are shared within the Team site that is provisioned as part of a Team, the content is actually stored within the Team site, which ultimately resides in SharePoint Online.
So, all that to say, the advent of Teams doesn’t bring a whole new set of problems, you’re still focused on the same locations that you had to apply information lifecycle management to before, OneDrive for Business, SharePoint Online, Exchange Online. So, if you focus on these three elements, you will make a big dent in the way you manage content across this platform.
Okay, so let’s move forward with how do you apply what retention mechanisms are there and how do you apply them? There’s a lot of terms that we’re going to cover. Let’s start first of all with retention policies. Retention policy, as the icon indicates, is an umbrella policy for applying retention across many areas within the Microsoft 365 platform. But you can use that in combination with retention labels.
Retention labels allow you to apply retention at a more granular level. So, you can apply both policies and labels to the same content. I’ve left Content Type IM Policies in here because you can use that instead of retention labels only within the SharePoint space. However, this is technology that was supported in prior versions, SharePoint on-Prem for example, and Microsoft does recommend phasing that out and moving towards using the combination of policies and labels. But I will cover all three of these in the next few slides.
So, again, to summarize, you may use retention policies in addition to labels. If you use retention policies in addition to Content Type IM Policies, the IM policies will actually be ignored. How does it resolve between having multiple rules applying to content? The system will pick always retention wins over deletion rules. The longest retention period wins among competing retention policies, an explicit such as retention label wins over an implicit which is a more broad category. And then if there’s multiple deletion rules in place, the shortest deletion rule will win. Of course, litigation holds trump all of this.
If there’s a hold on content, the disposition processes are halted. And I will describe that as we move forward in more detail. I’m not going to cover holds in this presentation. But just be aware that none of this will take place when a hold is applied to content, content will not be disposed.
Okay, so let’s talk specifically about retention policies. So, we talked about the umbrella retention policies. What are the options available for applying retention using a policy? Well, they’re broad, like we mentioned. You can either retain content for a period or you can delete after a period, or you can both retain and delete.
You can trigger the retention period or deletion based on the date something was created, or the date that something was last modified. So, last modified plus three years for example, is I’ve seen a good example of a lifecycle management with broad retention policy that’s applied to content sitting in user’s OneDrive. So, it’s personal information that will be deleted after three years.
It has very broad scope, it’s available in OneDrive for Business, SharePoint Online, Exchange Online, Teams, channel messages and one on one group chats. Skype for Business, if you’re still using this, if your organization is still using this, you need to move to Teams as soon as possible. I’m not sure if this is even still supported anymore, but it is being phased out.
Retention policies are also available for Yammer. And then for Office 365 Groups, Groups are more than what you see in Teams. So, it is available to apply retention to Groups. So, how do you go about applying retention policies? Well, in the Microsoft 365 Compliance Center, the administrative compliance center, if you look at the section termed information governance, you will see the retention policies listed there and you can edit these here.
Typically, IT doesn’t like to give access to the compliance center or any part of the administrator center for that matter to anyone other than folks in the IT organization. However, information governance professionals within your organization need to partner with IT and gain access to the compliance center because there are several roles that need to be played that are more appropriate for IG professionals as opposed to IT professionals. So, you need the appropriate access to perform those functions.
Some things to note other than this high level, so for example, at OneDrive for Business, you can select a user or all users or no users. You can select a site, but nothing more granular than this level of control, you can’t specify anything within that construct. It’s all or nothing when it comes to broad retention policies.
There is no disposition review. When it comes up for deletion, it’s gone. And then be aware that once you apply a retention policy to the platform, it’ll take about a day for the policies to take effect within the locations that you’ve applied them. Finally, retention policies are not visible to end users. They’re not aware that a policy is in effect on any categories of information.
Know that retention policies are best used for long-term ongoing lifecycle management, this is not the mechanism to be used for litigation holds, that is actually performed in the compliance center again, through use of eDiscovery case management. So, this will not be the way to do something for investigation or litigation. This is more for the broad, ongoing, long-term expiration of data that is no longer of business value to the organization. So, again, it’s a summary, it’s broad retention by category of content and at the very broad level that you can specify.
So, now let’s look at Content Type IM policies. I know organizations are still using these mechanisms for applying retention and they were effective, they have been effective. We’ve used these to deploy retention within the Office 365 platform. However, as I stated earlier, Microsoft is moving to encourage organizations to move to using labels instead of Content Type IM Policies.
What could you do with these policies which is content information management policies? You have the option to retain for a period, delete after a period. It did support multi-stage retention, which was nice. We can have a first stage that performs a particular activity, then it moves to a second stage and performs some other activity.
The dates that you could trigger these activities off of was based on the creation date for the information or the date last modified. And you can also leverage any date property that’s associated with that content type. So, this is a nice way to use basically, event based triggers for example, the contract expiration date, the execution date, an employee termination date. Once that date was populated, that could be the trigger for applying a retention stage.
You can treat records and non-records differently, apply different rules based on that category. And then you can also schedule an action to take place continuously during a stage until the next phase or the next stage is activated. Content types by the very nature are hierarchical for better or for worse, you can have a whole content type hierarchy, where you inherit properties from a parent content type. But hierarchies tend to be brittle, you want to make a change. And now you have to inadvertently change several in child content types, for example. So, it has its advantages and disadvantages, but it did support hierarchies.
Now, here’s the limiting factor, of course, the scope. It only works in SharePoint Online within the lists and libraries where you have applied the content types, and how do you apply that? That is a design time activity, where the admin who’s setting up the lists or libraries will associate a content type or multiple content types with that list or library. And that way when users drop content in there, it either inherits the default content type or they can select if there’s multiple content types to apply.
Just a note for end users, Content Type IM Policies are visible to end users. When they select the context menu, the compliance menu option on the context menu, they can see what IM policies are applied, what the stages are.
One disadvantage is that there isn’t a disposition report per se. When items come up, there isn’t a way to look at items coming up for disposition, they automatically get deleted and you can see the items after the fact but if you need a disposition report, that needs to be a custom built report and we have done those for organizations as well to bridge that gap, the need to be able to review content before it is actually disposed.
So, in summary, Content Type IM Policies are a good way to apply granular retention in SharePoint Online. If you’re on an Enterprise Three or G3, Government Three licensing, that is the best way to apply event driven retention. However, keep in mind the path forward is to move to using retention labels. And we have also converted IM policies to labels for organizations; that’s a supported migration path and that can be easily done. So, if you’re using content types, more power to you, you need content types. You can over time replace the IM policies associated with content types with retention labels.
Okay, so let’s look at labels since this is the be-all and end-all of how we apply retention at a granular level in M365. There’s of course a few more options than we saw with the previous couple of mechanisms. You can either retain for a period or you can specify forever. You can either delete after a period or retain and then delete with the option of the disposition review. So, this is now you can see items coming up for disposition. The caveat here is that unless someone takes action within the disposition review, nothing ever gets disposed. So, you have to take an action in order to start deleting content.
You can also just classify information, so not particularly taken action but labeling is used to just classify information and apply rules based on those labels. The kinds of date triggers that you have, you have created and modified date like we saw in earlier mechanisms. But you also have this third event date type, which is the date that the label was applied to the content.
And this can be used to apply event driven retention, if either the end user or a process automation populates or basically labels the content on the particular date that the event occurred. And that will then trigger event-based retention.
If you have an Enterprise Five, or G5 Government Five license, retention labels also support event types. And event types are a mechanism to trigger event-based retention, not just in one library or one site but across the platform. It’s a very powerful mechanism to remove content of different content types in different locations based on a particular event triggering, and I’ll show you that in a little bit.
You can apply labels to designate non-records, in which case you can pretty much change anything about the item except for the name, of course, which creates a new item. In the case of records, there are more restrictions on what you can edit. But you can still edit attributes. And there’s the concept of advanced versioning, wherein you can designate for records, you can lock a record and unlock a record.
And by unlocking your record, it puts a copy of that document as it was at that time into a separate location known as a preservation hold library. And then you can make changes put in a new version of the document for example. And this is a great way to manage active records. So, employee personnel files or policies where they are records but you don’t want to update them over time and add new versions. So, that advanced versioning gives you that flexibility with the records.
Regulatory records are another mechanism for organizations that have very strict regulatory requirements. And in this case, regulatory records cannot be modified or altered by anyone including the SharePoint admin. Whereas in the case of records administrators have the ability to either delete or move records that have been labeled as such. So, this really locks it down for organizations that need those controls.
Where can you apply retention labels? You can apply them in OneDrive for Business, SharePoint Online, Exchange Online and apply them to Office 365 Groups. You can specify as I mentioned, the user, the site level or the group, but with the application of… You apply labels to these different locations using a label policy. And a label policy is one of two kinds.
Either you’re using it to publish the label to each of these locations and allowing end users or your site designer to apply that label to a library or list or document. Or, as I mentioned, if you have that E5 license, you can take advantage of the auto apply capabilities of labels, wherein the policy will find all content that either meets the set of keyword match requirements or matches a set of sensitivity information requirements or matches a trainable classifier. And this is a glimpse of the artificial intelligence capabilities available in M365.
Wherein you can train a classifier, an entity, to recognize documents of a certain type based on certain characteristics of the documents, so you don’t have to specify the rules, you just show it a few samples of a certain kind and it will then recognize that type of information. And that’s basically a classifier. So, you can use a classifier in order to apply labels. So, as you can see, this is very powerful to find documents matching certain conditions and apply very specific policies to it.
Keep in mind the label policies depending on whether you published it can take up to about a day to be available for end users to consume. And if you’re using the auto apply or dynamic labels, that takes about seven days to show up and the content starts to get the labels applied to it. So, you have to be a little bit patient with that when you use the auto apply mechanism.
So, just keep in mind, the disposition review that is available when you specify retention and deletion with disposition review gives you the ability to go ahead and delete or extend the duration, so basically defer the disposition date, or even relabel it to recategorize it and follow another retention rule.
Retention labels are visible to end users. So, they can see that something has a particular label. And whether it’s a record or not, those fields are all visible to end users. So, it’s much more transparent as to what’s happening from a records perspective.
I think one of the big hurdles for organizations is dealing with a flat structure for retention labels, there’s not really a hierarchy, there’s not an inheritance. Basically, every stage that you specify for IM policy has to be a new label. So, you have to organize your file plan using very good naming standards, and I’ll show you some examples of this.
Keep in mind also the delays, the one day and seven day delays in actually applying the labels onto your content. So, again, retention label is the de facto mechanism for applying granular retention with that broad scope that we talked about in M365.
So, as a summary, that was a lot of information that we covered. So, this chart should help to put things in those big buckets so that you can apply them and retain that information. So, if you look at the first bucket here, email files that are stored in OneDrive for Business and the SharePoint sites, the collaboration sites or Team sites. How do you go about applying lifecycle management?
You can take advantage of a retention policy for each of these to have some broad application, and you can also apply retention labels. However, I would recommend using retention labels really only within the SharePoint sites and encouraging your end users to move content that is considered business records into the SharePoint sites where they can be more easily consumed by other users, rather than encouraging them to keep it within Outlook or OneDrive for Business and applying labels into those locations.
But this is again, something that your organization needs to determine, and determine based on usability and your own compliance requirements. This next batch here, Teams for one on one or group conversations, the chat messages and meeting summaries and call information, as well as if you share files within those one on one and group conversations, and the meeting recordings. You can apply lifecycle management using retention policies, so there are broad retention policies that can be applied.
Until recently meeting video recordings used to go to Stream; however, that has now been modified and it will appear in the OneDrive for Business location of the person who is doing the recording. So, again, those broad retention policies can be applied to that content.
Finally, when you talk about the Teams Team itself, the Team construct, the channel chat messages, Teams calls and Teams channel meeting summaries, as well as the shared files. These can also be again secured from a Lifecycle Management perspective using retention policies. Teams also has a concept known as the Office 365 group expiration policy, for which you need an Azure P1, it’s an advanced administrative license. But you could specify a group expiration policy for a Team if you know that it’s there for just a very short period of time, a defined period for example, the quarterly meeting or the annual potluck.
If you know you only need it for 30 days, 60 days, or 90 days, you can specify an expiration policy and everything to do with that Team will disappear after that time and the grace period which is about 30 days. So, down to Teams and shared files, as we mentioned, that’s in SharePoint. This follows the same rule as sites that are just regular collaboration sites, not sites backing Teams. You apply retention policies and then we apply retention labels based on that more granular control as needed for certain types of information.
So, the things to note for retention labels. As I mentioned, it is a flat structure. So, you have to be a little creative in how you name your labels so that end users can recognize it, but also, the administrators can figure out how this is organized because you have one structure for the entire organization.
The best way to manage the file plan is really to build out your file plan using Excel, and then just use the file import mechanism to bring that file plan into Office 365. That’s the easiest way to make any quick modifications that you need to to the file plan rather than trying to modify it through the UI.
As I mentioned earlier, if you have multi-stage policies, you will need multi-labels that get applied one after the other. So, keep that in mind when you’re building out the file plan. Any retention schedule that is overly complex will be impossible to implement. So, keep it simple. Try to consolidate as much as possible 100 to 200 big buckets if you will, that’s manageable. We have implemented those, but when it gets into the thousands it becomes quite unwieldy.
Keep in mind there is only one permission level to get access to the file plan. So, there isn’t a way to specify different labels for different departments, for example. Whoever has access can see and modify all the labels. So, you have to maintain that either as an individual or if you have a group, the group has that permission, and you’ll have to educate everyone on how to access and look for the labels that pertain to their particular functional area.
Again, as with labels, label policies also, we should name it with deliberation, apply the scope and the type of policy so that as you look at these later, you don’t get lost in the numbers. And then keep in mind also the one day to publish for labels and seven days to auto apply based on the dynamic labels or rules based application of labels.
Okay, so that’s I think, pretty much everything that you need to know about labels. Let’s move forward with how do you now execute lifecycle management? How do you dispose items? And then how do you monitor how lifecycle management is being applied across the platform? So, the main areas here to look at, I want to talk about disposition review, which is how you will execute the disposal of information. And then how do you monitor the information within the compliance center? These are functions available within the compliance center.
You can either look at the data classification dashboard, which monitors the application of policies, or you can search content by labels. And then you can of course, search within the audit logs for numerous end user as well as administrator activities related to lifecycle management.
At this point, in this presentation, I’m not covering eDiscovery, or case management, litigation holds. That’s somewhat more advanced functionality, but we will cover that in a future presentation. So, let’s look at disposition.
What are the main activities within disposition? As soon as an item comes up for disposition, it has expired for its retention schedule and needs to be deleted. The individuals that you mentioned or the group members that you mentioned that were responsible for disposition review will receive an email with a link to the disposition review report in the compliance center.
When they access the report, they will see all the labels and associated content that’s pending disposition, and they will select a label to take action on the individual items that pertain to that label. And they can take the action of either going ahead and deleting it or extending it or relabeling it.
Finally, the disposition certificate. There is not a disposition certificate per se in Microsoft 365. But you can generate a proof of disposition. And that is by completing the disposition activities and then exporting the results into an Excel file and then maintaining that as the record of the disposition.
Some things to note, some of the limitations or challenges with disposition review. It is a single level disposition review, you can’t have multi-stage dispositions, like some organizations have tax review, legal review and then IG. You can only have one review, one stage. Everyone in that stage will get access to that and there isn’t a second stage. If you need something more custom, obviously, you need a custom solution, the out of the box disposition review will not work for you.
The single permission level to access all labels, just like in the file plan, there’s only one permission level on the disposition process also, whoever has access to the report has access to all the labels. So, again, this is a process of educating those you trust in your group to perform this activity. But it also allows to build a partnership within the business to enable IG coordinators for example, to actually execute that disposition review once you’ve educated them. It is one label at a time, so you just select a label and then look at all the items that pertain to that label. There isn’t a multi-label review.
And finally, although you can apply disposition in bulk per label, the proof of disposition report that I talked about is generated per label and for date range. So, you could say, everything disposed between January 1 and December 31st of a particular year, for this label, export that, that’s the report for that year, and so on for each label. So, it can get a little cumbersome based on the number of labels that you have.
Okay, so with that, I’m going to switch over to the demo. Like I said, some of these things will be easy to show. And maybe that’ll help explain some of the things I showed you in the presentation. We’ll show you how to define the retention rules, apply them, execute disposition and then monitor compliance with those policies, how activities are happening and then a quick glimpse into some future capabilities that are coming down the pipe for information lifecycle management.
Okay, with that, I’m going to switch over to my demo. What you’re looking at here is the intranet site, if you will, for a fictitious company known as Siphon. Siphon is a midstream oil and gas company. Content is organized by functional area, they have multiple assets that they manage in different locations across the US. And of course, they perform projects across those assets.
So, what I want to show you is really how does lifecycle management get executed within this environment. So, the first thing I mentioned was, when you apply labels there are multiple ways to do labels. So, the easiest way if your information is separated into different libraries, is simply to apply the label as a default label on that particular location.
So, for example, within this library, the invoices library, I have applied a default label, which will apply to all items that are dropped into this library. So, if I look at the default label, I see that everything dropped in here attains the Siphon invoice label, and will be retained for one year. And you can also apply that after the fact and it will impact existing items if you choose to do that.
So, as you can see here, items in this invoices library, invoices typically they’re records on creation. Normally, when you receive an invoice, you don’t modify it, that is the record of what you receive. So, as soon as the item is dropped into this particular location, it will inherit the retention category.
So, let me just give you a quick example, I’m dropping in a sample invoice into the invoices library, you can see the item is being uploaded. That’s my sample invoice, it has immediately been declared a record, you can see that the retention label is Siphon invoice, and that the item is a record.
So, if I tried to delete this item now, you’ll notice that I cannot delete it because it’s been identified as a record. So, normally, users are not able to release the record labels. However, records administrators or site administrators could modify that if there was an error, for example, and remove the label so that it can be deleted. But that’s how you protect labels by applying that to a particular location. And that’s the simplest way to apply labels. But in normal business processes, it’s not as clean, it’s hard to separate records from non-records because they are created as a part of a business process. I’d like to show you that.
Also, the same concept can be used within Teams, as we mentioned earlier. Teams after all behind the scenes, it’s still SharePoint when it comes to how documents are stored. So, for example, this particular operations project team has two libraries. One is the files library, which is where all information that’s stored automatically gets the Siphon non-business record label applied. And then it’s provisioned through my Teams provisioning process to also have a project records library and this information, so I can switch to SharePoint to actually show you behind the scenes.
That information has the Siphon project label applied. So, as you can see, you can specify libraries that will be used by Teams. And you can apply the same labels that you applied in your regular communication sites or collaboration sites that are not associated with the Team.
So, this is, again, a simple way to separate records and non-records. But what happens in the case of coexistence, when you have records and non-records in the same library at the same time? It’s a little harder then to separate these out and you have to either ask end users to apply labels or you to come up with something a little bit smarter. And as I mentioned, a couple of mechanisms. One is the auto apply capability or dynamic labels. And this is available if you have the Enterprise Five or Government Five licensing.
But if you have just an E3 license, that solution is still possible to build that solution using Power Automate, just a workflow to trigger the application of metadata or the application of retention labels, all the APIs are fully exposed. And you can still implement it even if you don’t have an E5 license. But let me show you what that looks like.
So, client contracts. This is a concept that most people are very familiar with, you can simply apply one label to a contract because the contract goes through many stages. There are in progress contracts, there are contracts that are considered executed and then there are contracts that expire and you want to have different labels, depending on the stage that the contract is in. How do you do this without asking end users to also be familiar with the retention requirements?
Well, in this particular case, this solution has been built using an E3 subscription and a Power Automate solution. But the exact same thing can be done using dynamic labels. So, let me show you how this works. The end user is simply asked to change the contract status. And this is a business, it’s a familiar business task. I move it from an in progress contract to executed. And I expect that the stage, not only does the state change, it moves to executed.
So, in this particular case, there was no difference between retention for in progress and executed. But if I were to take an executed contract, and now move that into an expired stage, I would want the retention to change from an active in-force contract to one that expired, which means basically, I want the item just to be retained for the period that’s required and then disposed.
So, as you can see, it’s sitting in the expired stage. And within a few seconds, you saw that the contract retention label went from Siphon contract to expired contract. This again, behind the scenes is a Power Automate solution. And that can be applied to different libraries to keep this from burdening end users with retention requirements, they just have to focus on the business need.
Power Automate is good at library level, it’s good for example, across projects where you have a template, and you can reapply that template to different libraries. But Power Automate, if you’re trying to do this across the enterprise at scale, you really want to move to an E5 license so you can take advantage of dynamic labeling.
So, just as an example here, similar example to what I showed you with contracts, if you look at the project’s application. So, let’s go back to my projects portal. You’ll see for example, in the project list, if I were to set the status of my project, so you can see I’ve got project statuses in planning, initiated, execution and closed state. Anytime I take a project and move it from executed, which is typically what project managers do, they convert that from an executed stage to a closed stage.
What I want at this point, so I can specify today’s date. Again, a very familiar activity for project managers specify the project date and not apply the label but really just apply the stage. So, let me find that attribute again. Here we go. I move from executed to closed. And you will see that so with that trigger, now the dynamic labeling capabilities in the platform will go into the application, find all documents that have been tagged with the Kankakee project, so I’m going to navigate into the Kankakee project. I think this is the one.
And you’ll see that I’ve got a template based organization, every project has a pretty much the same libraries in there. There’s the construction library, engineering and project management. And all items in here have the asset associated with the Kankakee asset name, as well as the project ID. And all of these items will over time, like I said, it takes a few days for this to push through will be identified and all of them set to a common label. For example, you could say project close documents. So, they have the same retention apply to them, keep it for 10 years and dispose.
So, that’s a really neat capability that you can take advantage of with dynamic labeling. And then with that, let me take you over to the compliance center. So, this is a bit of the behind the scenes. So, you saw how things look from an end user perspective, let’s look at what it looks like for the records management group. Okay, let me try to log in again.
And sometimes it acts up, it takes a few seconds. So, hopefully this will come up here quickly. So, the compliance manager dashboard gives you a high level overview not just of retention requirements, lifecycle management, but also your security, your risk profile and there’s many actions that you can take.
In this particular case, I’m going to go to the records management dashboard, because we’re focusing on items specific to file plans, retention and disposition. Here is my File plan. So, you can see on the dashboard quickly shows you the pending dispositions, and any labeling activity that’s happened over the last few days. So, I’m going to look at the File plan, which is how you organize labels.
So, remember, I mentioned that you want to name your labels and take advantage of the organizing structures that are available, such as the group function, category and subcategory. Otherwise, it’s easy to get lost within your labeling. And the file plans can be a couple of hundred lines long. So, take advantage of departmental naming and then be sure to name it in such a manner that if you’re expecting end users to apply, they know what they’re selecting.
But also, from your perspective, you fully describe what the label does, because it’s really hard to go back in and dig in and find out those so be deliberate when you name and organize your content, because this is how you would manage it. And I showed you the import and export I mentioned those, that’s how you would import an Excel file to create a file plan and export to make any modifications and reimport. So, that’s the labeling policies.
These are the, as I mentioned two ways to apply labels. One is using dynamic labeling, pushing out labels and applying them to information that meets specific criteria or publishing them to location so that either the site designer at design time can apply them to the libraries or end users may select the information and apply them. And this again, it applies not just in SharePoint, but also OneDrive, as well as Exchange within Outlook.
So, those are the policies I talked about event. This is that across the board event trigger. So, for example, when I close that Kankakee project, let’s see today’s date March 4th, 8:53 p.m. Yep, so this is the event that was triggered by my closing the Kankakee project. An event was triggered behind the scenes using Power Automate, and that will now go across all the content that’s associated with that particular project and apply the retention label so that information will be disposed over period when it is no longer business value.
Let’s look at the disposition review. So, this is pretty much the dashboard that records managers will focus on. The disposition review, as I mentioned, comes up one label at a time and you can see the items that are available or pending disposition, click on the little icon to bring up all the documents that are available for disposition. Clicking on one of them brings up, I don’t have a viewer for this particular drawing type. So, you can see that I can see the details about the document that need to be disposed and I can either approve disposal, relabel or as I mentioned earlier, extend by a period.
So, that’s how I take action on documents and yes, you can apply them in bulk per label. And once they’re disposed, they show up on the disposed items report. And from here, that’s that export that you can then do to have a proof of record that these items were disposed on a particular day. So, that is disposition review, the two items that I that you see here.
Let’s look at monitoring now, we talked about monitoring for activities associated with lifecycle management. The Content search capability allows you to find items and you can actually refine your search based on a particular compliance tag. So, I can say find me all items on my platform that have been labeled with the HR compliance tag, and I can see that there’s four items labeled. And you can export the results, export that content for further investigation if you will.
So, that was content search, and then finally, you can look at the audit log search. So, the audit log is a way to trace all activities that end users or administrators may perform over a certain duration for example for all users. So, for example I was looking for the last week for items that users may have taken action on. So, it always shows you the IP address that they impacted from or the performance actions from the user and specific labeling activities that they performed.
So, this is again, very powerful functionality. By default, audit retention keeps this data up to 90 days for E3 users and guest users, and up to a year by default for E5 users. So, be aware that you’ll have to run these reports and export them. Otherwise, they will disappear from the audit log.
Finally, I’ll end with the data classification dashboard. This is your big picture of how labels are being applied across the organization, you can see the different types of activities. You can drill down to see the activity explorer, who performed what activities related to labeling. And then there’s also the content explorer that shows you how content has been labeled over time.
So, here’s the different activities, you can specify what kind of activities you want to look at, who performed the activity across the different locations where you’re expecting in the SharePoint or if you’ve applied labels in other locations, what other locations you may be interested in.
So, these are the different monitoring capabilities that are available to monitor compliance with your information lifecycle management and labeling activities within the platform. With that, I’m going to switch back to close out with the presentation.
So, in this demo, hopefully you have seen with the presentation and the demo, you’ve got a good understanding of the capabilities on the Microsoft 365 platform as it relates to lifecycle management, and you have a glimpse of things that may be on the roadmap or the direction that Microsoft is going in, as well as you have a knowledge of some of the challenges that you might face in implementing this and what the workarounds might be.
If you want to find out more about these capabilities, lifecycle management, please go to the Access Sciences website, take advantage of the podcasts, blogs, case studies and webinars that are visible out there. And I’ve also provided some references to information that was used to create this presentation if you wanted to take a deeper dive into records management, information governance, all the specifics of retention.
And that is all that I wanted to share today. I do have one last thing that I have on the demo, that is just again, a glimpse of what is coming. So, for example, you might have heard about SharePoint Syntex. It’s a mechanism to building some artificial intelligence capabilities to define models to recognize information. So, the holy grail of information classification is that you take this burden completely off of end users. And the system automatically recognizes documents and can apply labels.
So, just an example of that. This is a model built by the Access Sciences technology team. If you look at we have a library set up that uses the Syntex model. So, a label can be applied based on it recognizing the documents. So, for example, I have various versions of my resume. Regardless of the format, it was able to recognize the document on dropping it in and apply the resume label and I’ve dropped in a few documents that have some of the markings of resumes, but don’t really have any resume content. And as you can see, the retention label was withheld, it recognized that the item was not a resume.
So, there’s a lot of neat capabilities coming along with Syntex that we’ve also been experimenting with. And we’re very excited about how that can help with the whole classification and lifecycle management that is such a burden for folks in Information Governance community, and those trying to manage the risk profile or footprint for their organization’s information assets.
So, with that, I leave you with just my personal contact information. If you have any further questions, please don’t hesitate to reach out. Thank you and I hope you enjoyed this presentation.