Retention and AIP Protected Documents

Leave a comment

This is a follow up to my previous post (Which Office 365 Retention Policy Should You Use?).

Before I jump in, I want to provide additional information on documents stored in my SharePoint site.

I configured Azure Information Protection labels and published them. Note that All Employees sub-label of Restricted label is configured with protection. I created several documents, applied these labels manually and automatically, and uploaded them to SharePoint.

AIP Labels2

After applying retention policies to these documents (my previous post), one thing I noticed after the retention policies automatically applied to these documents, two of my documents classified as ‘Restricted All Employees‘ have no policies applied to them.  I waited additional days thinking that I was just too impatient.  After several days, still nothing.

AIP RMS Enabled

I have always known that AIP protected documents are not viewable in Office Web Apps, but I couldn’t understand why retention policies were not able to apply to these documents.

After researching more on this behavior, I’ve learned that SharePoint is not able to index AIP protected documents.  Because of this there are no metadata available for the retention policies to query on these documents.

I hope this helps explaining why O365 retention and SharePoint don’t always give you the expected results.

Advertisements

Which Office 365 Retention Policy Should You Use?

1 Comment

As I started to work on applying retention policies to documents stored in SharePoint using Office 365 Security & Compliance Center, I was confused why the retention policies were not working as I had hoped.

My objective was to have retention policies automatically applied to documents stored in SharePoint without needing the end-user to select the correct retention policy. I created several labels and policies under Classifications, configured one of them to detect content that contains specific words or phrases, and set them to auto-apply to my SharePoint site.  It gave me a warning that it may take up to seven (7) days for the label to apply.

ClassificationsLabels2

I waited for seven days, but nothing showed up in my SharePoint site.

After a bit of digging I found that label policies created under Classifications only appear for users to manually select from SharePoint.

SharePointLabelPolicies2

Since this did not meet my objective, I deleted these label policies from O365 Security & Compliance Center.

After more research and testing, I found that in order to achieve my objective, I had to create the retention policies under Data Governance.

DataGovernanceRetention

Again, I had to wait.  But this time it only took one day for the policies to auto-apply.

AutoApplyRetentionPolicies

In summary, if you want users to manually select retention policy, use Label Policies under Classifications.  If you want an automated method, use Retention under Data Governance.  I hope this helps others who have tried to make sense of which retention policy method to use.