Collaboration workloadsSecurity and complianceIntermediate39 min read

What Is Retention policy? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

A retention policy tells your computer systems how long to keep files, emails, or records. It helps prevent clutter and ensures you don't delete something too early. Many companies use these policies to follow laws and save storage space. Think of it like a set of rules for how long you keep old paperwork before shredding it.

Common Commands & Configuration

New-RetentionCompliancePolicy -Name "Finance 7 Year Policy" -ExchangeLocation FinanceDept@contoso.com -SharePointLocation https://contoso.sharepoint.com/sites/Finance

Creates a new retention policy in Exchange Online PowerShell targeting the Finance department's mailbox and SharePoint site. Used when deploying a compliance policy for a specific business unit with long-term data retention requirements.

This cmdlet appears in MS-102 and SC-900 labs. Tests the ability to scope a retention policy to specific locations rather than the entire tenant. Candidates must remember that -ExchangeLocation accepts email addresses, not display names.

Set-RetentionCompliancePolicy -Identity "Finance 7 Year Policy" -AddExchangeLocation "user@contoso.com" -RemoveExchangeLocation "olduser@contoso.com"

Modifies an existing retention policy to add or remove specific mailboxes. Useful when users move between departments or leave the organization. This incremental change avoids recreating the entire policy.

Exam questions often require modifying a policy without impacting other members. The -AddExchangeLocation and -RemoveExchangeLocation parameters are tested to ensure incremental updates are possible.

New-RetentionComplianceRule -Name "Delete After 3 Years" -Policy "Finance 7 Year Policy" -RetentionDuration 1095 -RetentionRetentionAction Delete

Creates a retention rule within the existing policy that permanently deletes items after 1095 days (3 years). This is the rule that defines the actual retention period and disposal action.

The RetentionDuration parameter expects days, not months or years. The RetentionRetentionAction can be Delete, Keep, or KeepAndDelete. This distinction is a common exam trick in SC-900.

Get-RetentionCompliancePolicy -Identity "Finance 7 Year Policy" | Format-List Name, ExchangeLocation, SharePointLocation, Mode

Displays detailed information about a specific retention policy, including which locations are covered and the current mode (Enforce, Audit, or PendingDeletion). Used for auditing and troubleshooting policy application.

The Mode property is critical: 'Enforce' means the policy is active, 'Audit' means it only logs without enforcement. The CISSP exam tests this as a control implementation concept.

Search-Mailbox -Identity user@contoso.com -SearchQuery 'subject:"Quarterly Report"' -TargetMailbox admin@contoso.com -TargetFolder "DiscoverySearch" -LogLevel Full

Searches a specific mailbox for items matching a query and copies results to an admin mailbox. This is used during eDiscovery investigations after retention policies have preserved the data.

This cmdlet is deprecated in newer Exchange versions, but still tested in older exam scenarios. Candidates should know that modern eDiscovery uses the Compliance center instead.

Set-Mailbox -Identity user@contoso.com -LitigationHoldEnabled $true -LitigationHoldDuration 365

Enables litigation hold on a user mailbox for 365 days, overriding any retention policy deletion actions. This ensures all mailbox content is preserved for legal purposes.

A frequent exam scenario: a user leaves the company but must have their mailbox preserved for a court case. The LitigationHoldDuration overrides shorter retention policies.

Start-ManagedFolderAssistant -Identity user@contoso.com

Triggers the Managed Folder Assistant to process retention policies immediately for a specific mailbox. Normally runs every 7 days, but this command forces an immediate evaluation for troubleshooting.

The assistant is the background service that applies retention tags and moves items based on policy. Understanding this timing is important for MS-102 and AZ-104 exam troubleshooting questions.

Retention policy appears directly in 83exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on MS-102. Practise them →

Must Know for Exams

Retention policy appears across many IT certification exams because it is a core concept in data governance, compliance, and storage management. Understanding how retention policies work in specific platforms is often tested directly or indirectly.

For AWS SAA (Solutions Architect Associate), you must know S3 lifecycle policies and Object Lock. Questions often ask how long to keep backup versions or how to comply with regulatory requirements using S3 features. You need to differentiate between transition actions and expiration actions.

For ISC2 CISSP, retention policy is part of the Data Lifecycle domain. Questions focus on legal requirements, records management, and the difference between retention and preservation. You must understand that a retention policy defines the minimum and maximum time data is kept, and that legal holds override deletion.

For CompTIA Security+ and CySA+, retention policy is covered under data governance and compliance. Questions may ask about the purpose of retention policies, typical retention periods for different data types (e.g., PII, financial records), and how they relate to data classification.

For Microsoft exams (MD-102, MS-102, MS-900, AZ-104, SC-900), retention policies are a major topic in Microsoft 365 Compliance and Azure storage. SC-900 focuses on compliance policies in M365. MS-102 dives into advanced retention and legal holds. AZ-104 covers Azure Backup retention and lifecycle management. Expect scenario-based questions where you choose the correct retention period or action for a specific compliance requirement.

Exam questions typically present a scenario: a company must keep financial records for 7 years, cannot destroy them before 7 years, but wants to minimize storage costs. The correct answer often involves a retention policy with an archive tier and a deletion action at 7 years. Another common pattern: an organization wants to prevent users from deleting critical files for a litigation hold, the answer is a retention policy with preservation lock.

Simple Meaning

Imagine you have a filing cabinet at home. Over time, it fills up with bills, tax documents, school records, and old photos. You cannot keep everything forever because the cabinet has limited space. You also cannot throw everything away right away, because you might need a tax document from three years ago for an audit. A retention policy is like a rulebook that tells you exactly how long to keep each type of document before you are allowed to safely dispose of it.

In the digital world, companies face the same challenge but on a much larger scale. They have servers, cloud storage, email systems, and databases filled with data. Some data, like customer financial records, must be kept for a specific number of years by law. Other data, like old marketing emails, might be useless after a few months. A retention policy automates this decision-making process. It applies a label or tag to data based on its type, and then a timer starts ticking. When the timer runs out, the system can automatically archive the data (move it to cheaper storage), delete it, or apply another rule.

There is also a privacy and security angle. Keeping data longer than necessary increases the risk of that data being stolen or misused. If you have customer credit card numbers from 2015 that you no longer need, they are a liability. A retention policy helps you reduce that risk by ensuring old data is removed when it is no longer legally or operationally required. This is especially important for compliance with laws like GDPR or HIPAA, which require organizations to delete personal data after a certain period.

Retention policies are not just about deletion. They are about lifecycle management. Data goes through stages: creation, active use, infrequent access, and finally disposal. A retention policy defines the rules for each stage. For example, an email retention policy might keep all emails in the inbox for one year, then move them to an archive for two more years, and then delete them. This approach balances accessibility with storage costs and legal obligations.

a retention policy is a smart, automated way to manage digital clutter. It helps organizations stay compliant, save money on storage, and reduce security risks. Without it, companies either hoard data forever (costly and risky) or delete things too early (potentially illegal or operationally damaging).

Full Technical Definition

A retention policy is a configuration object within information lifecycle management (ILM) systems that defines the duration and disposition actions applied to data objects based on classification, metadata, or content. In IT infrastructure, retention policies are implemented at multiple layers: storage systems (file servers, object storage, SAN/NAS), application platforms (Microsoft 365, AWS S3, databases), email servers (Exchange, Gmail), and backup solutions (Veeam, Commvault). The core components include a scope (which data or location), a retention period (expressed in days, months, or years), and an action (delete, archive, or apply legal hold).

From a technical perspective, retention policies rely on timestamp metadata, typically creation date, last modified date, or a custom retention date. In Microsoft 365, for example, a retention policy is created in the Compliance Center and published to specific workloads: Exchange Online, SharePoint Online, OneDrive for Business, and Teams. The policy uses a background process called the Managed Folder Assistant (Exchange) or the retention processor to evaluate items periodically. When an item reaches its retention age, the system executes the configured action. If a legal hold is placed on the same item, the hold overrides deletion until the hold is removed.

In AWS S3, retention policies are implemented via S3 Object Lock or lifecycle policies. S3 Object Lock uses a retention mode (Governance or Compliance) and a retention period. In Compliance mode, even the root user cannot delete an object before the period expires. Lifecycle policies use rules with transitions (move to S3 Glacier) and expiration (permanent deletion). These policies are evaluated once per day by AWS and applied asynchronously.

For backup systems, retention policies govern how many restore points are kept. A common example is Grandfather-Father-Son (GFS) retention: daily backups kept for 7 days, weekly backups kept for 4 weeks, monthly backups kept for 12 months, and yearly backups kept for 7 years. This ensures restore points are available for compliance while managing storage space.

Database-level retention policies are often defined in SQL Server via backup retention settings or in cloud databases like Amazon RDS, where automated backups are retained for a configurable period (1-35 days). Transaction log retention is also critical for point-in-time recovery.

Compliance frameworks such as HIPAA, GDPR, SOX, and PCI DSS mandate specific retention minimums. For example, HIPAA requires medical records to be kept for 6 years from the date of creation or last use. A retention policy must be configured to enforce these minimums, and audit logs must prove that deletion did not occur before the period expired.

Technical implementation requires careful planning to avoid performance degradation. In large environments, applying a retention policy to millions of items can consume significant system resources. Throttling, progressive scanning, and indexing optimizations are common. Retention policies must be tested in a sandbox before production deployment because a misconfigured delete action can cause permanent data loss.

retention policy is a foundational element of data governance in IT. It involves automated rule engines, metadata evaluation, compliance integration, and careful lifecycle management. IT professionals must understand the specific implementation details for their platform of choice to design effective and safe retention strategies.

Real-Life Example

Think about a public library. The library has thousands of books, magazines, and newspapers. They cannot keep every item forever because the building has limited shelf space. They also cannot throw away a book the day after someone returns it, because another patron might want to borrow it next week. So the librarian creates a retention policy for different types of items. New bestsellers might be kept on the shelf for 3 months, then moved to the warehouse for another year, then donated or recycled. Magazines from last month are kept in the reading room for 60 days, then archived for 6 months, and then discarded. Rare historical documents are kept permanently and never thrown away.

Now map this to IT. The library shelves are like your company’s file servers or cloud storage. The librarian is the retention policy engine. The book categories are like data classifications (client contracts, internal memos, financial records). The shelf rules are the retention periods. The warehouse is an archive tier (cold storage). Donating or recycling is equivalent to deleting or moving to an archival format.

In this analogy, the library also has legal requirements. Tax records must be kept for 7 years by law. The librarian cannot throw away last year's tax files in January. So a retention policy ensures those files are marked with a 7-year retention tag. If a government auditor comes, the library can prove they followed the rules.

A problem the library faces is accidental loss. If the librarian cleans out a shelf assuming a book is old, but it was actually a rare first edition, that is a disaster. In IT, this is why retention policies often have a "review before deletion" step or a soft-delete (recycle bin) that allows recovery within a short window.

Another relatable scenario is your personal email inbox. Without a retention policy, your inbox becomes a mess of thousands of emails from years ago. You might miss an important message because it is buried. If you set a rule to delete all emails older than one year, you might lose a receipt you need for warranty. So a smarter policy might archive emails after six months and delete them after two years. This is exactly what enterprise email retention policies do, but automated across the whole organization.

Why This Term Matters

Retention policies matter because they directly impact an organization’s legal compliance, operational efficiency, and data security. Without a retention policy, data accumulates endlessly. Storage costs grow, backup windows lengthen, and search performance degrades. More importantly, holding data past its legal requirement exposes the organization to fines and legal liabilities. For example, under GDPR, companies must delete personal data when it is no longer needed. Failing to do so can result in fines of up to 4% of global annual revenue.

From an operational perspective, a well-designed retention policy improves productivity. IT teams spend less time managing storage, employees can find relevant data faster, and compliance audits become smoother. Automated retention policies reduce the need for manual cleanup, which is error-prone and rarely done consistently.

Retention policies also play a critical role in e-discovery. During a lawsuit, an organization may need to produce relevant emails and documents. If a retention policy already categorizes and retains data systematically, e-discovery becomes faster and cheaper. If data was deleted prematurely due to a lack of policy, the organization could face sanctions.

Finally, retention policies are essential for data security. Old data is more likely to contain outdated security controls. Keeping obsolete databases with customer info increases the attack surface. By enforcing deletion, retention policies reduce the risk of data breaches from forgotten legacy systems.

How It Appears in Exam Questions

Retention policy questions appear in several common formats. The first type is scenario-based: "A company must retain customer transaction records for 5 years to meet regulatory requirements. After 5 years, the records should be deleted. Which configuration should be applied?" The answer is an S3 lifecycle policy or a Microsoft 365 retention policy with a 5-year period and delete action.

The second type is comparison: "What is the difference between a retention policy and a legal hold?" Here, you need to know that retention policies automate deletion, while legal holds preserve data indefinitely until the hold is removed. Retention policies can be time-based, but legal holds are indefinite.

The third type is troubleshooting: "Users are reporting that emails older than 30 days are missing from Outlook. An administrator confirms a retention policy is applied. What could be the cause?" Possible answers: the retention policy has a delete action with a 30-day period, or the policy applies to the entire mailbox and users are not aware of it.

The fourth type is design: "You need to design a backup strategy that keeps daily backups for 7 days, weekly backups for 4 weeks, and monthly backups for 12 months. Which retention scheme should you use?" The answer is GFS (Grandfather-Father-Son) retention.

Finally, exam questions may ask about the impact of a retention policy on storage costs, backup sizes, or recovery time objectives (RTO). For example, longer retention of backups increases storage costs and may slow down restores. You should be able to recommend a balanced policy based on business requirements.

Practise Retention policy Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A small law firm uses Microsoft 365 for email and document storage. They are required by law to keep client case files for 6 years after the case closes. After that, they can delete the files. The firm also wants to automatically delete internal meeting notes after 90 days to reduce clutter.

The IT administrator creates two retention policies in the Microsoft 365 Compliance Center. The first policy is named "Client Case Files Retention" and targets SharePoint document libraries containing case files. The retention period is set to 6 years, and the action is set to delete. The second policy is named "Internal Meeting Notes Retention" and targets a specific OneDrive folder. The period is 90 days with deletion. Both policies are published and take effect within 48 hours.

A lawyer queries an older case and finds the files are still available because the 6-year period has not expired. A different lawyer notices that meeting notes from a year ago are gone, they were deleted by the policy. The firm is happy because they are compliant and their storage is under control. This scenario shows how retention policies automate compliance and housekeeping without manual effort.

Common Mistakes

Setting retention period too short for compliance data

Deleting data before the legally required period results in non-compliance and potential fines

Identify legal requirements for each data type and set retention period to at least the minimum required duration

Applying retention policy without testing on a small subset first

A misconfigured policy can delete critical data immediately, causing permanent loss

Always test new retention policies on a small, non-critical dataset before broad deployment

Confusing retention policy with backup policy

Backup policies are for recovery after data loss; retention policies govern data lifecycle and deletion. They serve different purposes

Use backup policies for recovery copies and retention policies for compliance and lifecycle management

Not considering legal hold override

A legal hold must take precedence over automatic deletion. If a retention policy deletes data under litigation, evidence is lost

Always check if a legal hold is active on the data before applying a retention policy. Implement hold-aware policies

Assuming retention policy applies instantly

Retention policies are evaluated periodically (e.g., every 7 days in M365, once per day in AWS). Instant deletion is not guaranteed

Understand the evaluation cycle of your platform and communicate expected delay to stakeholders

Using delete action when archive action would suffice

Deleting data permanently reduces recovery options. Archiving preserves data at lower cost in case future need arises

Use archive actions when possible to reduce cost while retaining data for longer than the primary retention period

Exam Trap — Don't Get Fooled

{"trap":"A question asks: 'A company wants to ensure that financial records are retained for 7 years and cannot be deleted by anyone, including administrators, before that period expires. Which retention mode should be used?' The answer choices include lifecycle policy, object lock in governance mode, object lock in compliance mode, and legal hold."

,"why_learners_choose_it":"Learners might choose 'governance mode' because it seems to offer flexibility, or 'legal hold' because it prevents deletion. Governance mode allows some users with special permissions to still delete objects, which violates the requirement.","how_to_avoid_it":"Understand that compliance mode in S3 Object Lock locks the object so that even the root user cannot delete it until the retention period expires.

This is the only option that guarantees no one can delete the records early. Legal hold is indefinite, not time-bound."

Commonly Confused With

Retention policyvsLegal hold

A legal hold preserves all relevant data indefinitely until the hold is lifted, usually for litigation. A retention policy has a fixed time period and may delete data after that period. Legal holds override retention policies.

If a company has a retention policy that deletes emails after 1 year, but a lawsuit occurs, a legal hold stops the deletion for those specific emails until the case ends.

Retention policyvsBackup retention

Backup retention defines how long recovery points are kept for disaster recovery. Retention policy covers all data lifecycle from creation to deletion, including non-backup data like emails and documents.

Backup retention keeps a daily server image for 30 days. Retention policy might keep customer records for 7 years then delete them from the live system.

Retention policyvsData classification

Data classification labels data by sensitivity or type (e.g., public, confidential). Retention policy uses these labels to decide how long to keep data. Classification is a prerequisite, not the policy itself.

An employee labels a document 'confidential'. A retention policy uses that label to retain the document for 5 years instead of 1.

Retention policyvsData archiving

Archiving moves data to cheaper storage for long-term preservation. Retention policy may include archiving as an action before eventual deletion, but retention policy also includes deletion. Archiving is a step, not the whole policy.

A retention policy archives email older than 2 years to cold storage, then deletes it after 5 more years.

Retention policyvsLifecycle policy

A lifecycle policy is the broader concept of managing data through phases (creation, active, archive, deletion). Retention policy is a specific type of lifecycle policy focused on time-based retention and deletion.

An S3 lifecycle policy can transition objects to Glacier and then expire them. That is a retention policy within the lifecycle.

Step-by-Step Breakdown

1

Identify data types and legal requirements

First, list all categories of data your organization handles (financial records, PII, emails, logs, etc.) and research any legal or regulatory minimum retention periods. This step defines the 'what' and 'how long' for the policy.

2

Choose retention actions

Decide what happens at the end of the period: delete permanently, archive to cheaper storage, or mark for review. For compliance data, deletion is often required. For operational data, archiving may be better.

3

Select target scope

Determine where the data resides (Exchange mailboxes, SharePoint sites, AWS S3 buckets, file shares). The policy scope must match the location. In M365, you can scope to specific users, sites, or groups.

4

Set the retention period

Configure the duration in days, months, or years. The start time is usually based on content creation or last modified date. For compliance, set the period to the legal minimum or longer.

5

Enable legal hold override check

Ensure that any active legal holds on the data will pause the retention policy. Do not apply a delete action to data under hold. Most platforms automatically override deletion when a legal hold is present.

6

Test the policy in a pilot group

Apply the policy to a small, non-critical subset of data. Monitor for unexpected deletions, performance issues, or errors. Adjust the period or actions based on feedback before full rollout.

7

Deploy and monitor

Publish the policy to the entire organization. Monitor system logs and compliance reports to verify the policy is being applied correctly. Set alerts for policy failures or deletions of critical data.

8

Review and update periodically

Laws and business needs change. Review retention policies at least annually. Update periods, actions, or scope as needed. Document changes and communicate them to stakeholders.

Practical Mini-Lesson

In practice, designing a retention policy requires balancing cost, compliance, and operational needs. Let's walk through a real-world example. A mid-size healthcare provider uses Microsoft 365 and AWS S3 for different data. They must comply with HIPAA, which requires patient records to be kept for 6 years. They also have internal HR files that they want to keep for 3 years.

In Microsoft 365, the administrator creates two retention policies using the Compliance Center. The first is named 'Patient Records Retention' and targets all SharePoint sites and Exchange mailboxes related to patient data. The period is set to 6 years, and the action is 'Delete items automatically'. The second policy is 'HR Employee Records' targeting a specific HR document library with a 3-year retention and delete action. After publishing, the Managed Folder Assistant starts processing. The administrator verifies the policies by checking the compliance report for each workload.

It is important to know that retention policies in M365 do not apply to items in the recycle bin until they are permanently deleted. Also, if a user deletes an item before the retention period ends, the item is moved to the Preserve Hold library (hidden) and retained until the policy expires. This prevents premature deletion by users.

On AWS S3, the same healthcare provider stores patient scan images. They use S3 Object Lock with Compliance mode for 6 years. This prevents any accidental or malicious deletion. After 6 years, a lifecycle rule transitions the objects to S3 Glacier Deep Archive for another 5 years, then expires them. This layered approach reduces cost while maintaining compliance.

A common mistake in practice is applying a retention policy to a large dataset without understanding the initial scan time. For example, if you apply a 1-day retention to a SharePoint site with 100,000 documents, the policy may take days to evaluate and delete, leading to confusion. Always check the expected processing time and communicate with users.

Another practical consideration is that retention policies should be documented in a data governance policy. This includes the purpose, scope, retention schedule, and exception process. During an audit, you will be asked to prove that your retention policy is enforced. Logs and compliance reports serve as evidence.

Finally, professionals must know how to reverse a mistaken deletion. Some platforms offer a 'restore from recycle bin' option for a limited time. Others require restoration from backup. Always have a backup strategy independent of the retention policy to recover from accidental data loss.

How Retention Policy Enables Compliance in Collaboration Workloads

Retention policy is a cornerstone mechanism for governing data lifecycle in modern collaboration workloads such as Microsoft 365, Google Workspace, and third-party SaaS platforms. In enterprise environments, retention policies ensure that organizational data is preserved for a legally mandated duration and then either deleted or archived in accordance with regulatory frameworks like GDPR, HIPAA, FINRA, and SOX. These policies are not merely IT housekeeping; they are legally enforceable obligations that can trigger severe penalties if mishandled.

At its core, a retention policy defines two critical parameters: the retention period and the disposal action. The retention period specifies how long an item must be kept after creation or after a triggering event, such as the last modification or deletion by a user. The disposal action determines what happens at the end of that period, typically a soft delete (user-recoverable), a hard delete (permanent erasure), or a retention hold (preserving items even if users try to delete them). Compliance officers and security architects use retention policies to balance the need for data availability during audits against the principle of data minimization.

In collaboration workloads like Microsoft 365, retention policies apply at the mailbox, SharePoint site, OneDrive account, and Teams channel level. A single policy can cover content across Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams, including messages in chats and channels. The policy is evaluated periodically by the compliance backend using a timer-based job that checks the age of items against the configured retention duration. Items within the defined scope that reach the end of their retention period are automatically acted upon. This automation eliminates human error and ensures consistent enforcement across thousands of users.

From a security perspective, retention policies also serve as a defense against insider threats and malicious data destruction. Even if a user has full delete permissions, a retention policy with a preservation hold prevents permanent deletion of data until the hold expires. This provides incident responders with a window to investigate and recover critical evidence. For example, in a compromised account scenario, an attacker might attempt to delete emails to cover tracks, but a retention policy ensures that those messages remain recoverable for eDiscovery purposes.

Exam-ready knowledge requires understanding that retention policies are independent of user-deleted item recovery features like the Recycle Bin. While the Recycle Bin provides short-term recovery (typically 93 days for SharePoint), retention policies extend that safety net to much longer periods, often years. Candidates should know that when a retention policy is applied to a location, user-deleted items are moved to a special preservation hold library and are not permanently removed until all retention holds are lifted. This dual-layer protection is a frequent exam scenario, especially in SC-900 and MS-102.

Finally, retention policies must be designed in a tiered manner. Organizations often deploy a default retention policy that applies to all workloads, supplemented by more restrictive policies for highly regulated departments like finance or human resources. Understanding the precedence and interaction between multiple policies, and the concept of the longest retention hold, is critical for compliance architects. This knowledge directly supports the Security and Compliance domain in the SC-900, MS-900, and Azure AZ-104 exams.

How Retention Policy Impacts Storage Costs and Licensing

Implementing retention policies has direct cost implications that organizations must account for in their cloud budgets. Every retained item incurs storage costs, whether it resides in Exchange Online mailboxes, SharePoint site collections, OneDrive accounts, or Teams chat logs. While cloud providers offer generous baseline storage quotas, prolonged retention periods, especially with preservation holds, can cause storage consumption to swell far beyond user expectations. For example, a mailbox that is 5 GB under normal usage might balloon to 20 GB if a three-year retention policy prevents the automatic deletion of older emails.

In Microsoft 365, retention policies affect billing through two primary mechanisms: archival storage and litigation hold storage. Exchange Online Plan 1 provides 50 GB of mailbox storage, but items placed under retention hold do not count toward the user's mailbox quota in the same way as normal items. Instead, they are stored in a separate, recoverable items folder that can exceed the mailbox quota by up to 30 GB for Exchange Online Plan 2. For organizations that purchase Exchange Online Archiving licenses, additional storage up to 1.5 TB is available, but this requires careful licensing planning.

SharePoint Online and OneDrive for Business charge based on total storage consumed across the tenant. A retention policy that applies to all SharePoint sites will preserve all versions of documents, including earlier versions that users might otherwise have deleted. Over time, this can lead to dramatic storage growth, especially in content-heavy sites. Organizations must monitor their storage usage via the SharePoint admin center and consider setting site-level storage limits to cap the financial impact. In Azure and on-premises hybrid scenarios, retention policies for backup data (such as those in Azure Backup) directly influence the cost of backup storage and long-term archival tiers like Cool or Archive.

Licensing considerations are equally important. Retention policies in Microsoft 365 require specific licenses per user, typically included in E3 and E5 subscriptions or as add-ons for Business Premium. Without the correct licenses, retention policies may not be enforceable, leaving a compliance gap. Exam questions often test the distinction between standard retention (included in most paid plans) and advanced features like eDiscovery holds, which require E5 or Compliance add-on licenses. For example, the SC-900 exam frequently asks which licenses are needed to place a mailbox on litigation hold.

To manage costs effectively, administrators should implement retention policies with clear expiration dates and conduct regular audits of preserved content. Turning off a retention policy does not delete the preserved items immediately; organizations may continue to pay for storage for those items until they are manually purged. Understanding this cost trap is essential for the AZ-104 and MS-102 exams, where cost management is a central objective. The bottom line is that retention policies must balance compliance requirements with financial constraints, and exam candidates should be prepared to calculate or estimate storage growth given a retention duration.

Understanding Retention Policy Precedence and Conflicts

One of the most confusing aspects of retention policy management is understanding what happens when multiple policies apply to the same content. This scenario is extremely common in large enterprises where a default organization-wide policy coexists with department-specific or location-specific policies, such as a seven-year retention for finance records and a two-year policy for general collaboration. Microsoft 365 uses a precedence model based on the principle of longest retention hold. This means that if an item is subject to two or more retention policies, the item will be retained until the expiration date of the policy that requires it to be kept longest. This is a simple rule, but its implementation has several subtleties that exam questions love to explore.

First, the precedence rule applies to both preservation and deletion. If Policy A says 'keep for 3 years and then delete' and Policy B says 'keep for 5 years and then delete', the item will be kept for 5 years. If Policy A says 'keep for 5 years' and Policy B says 'delete after 2 years', the deletion action from Policy B is suppressed because Policy A's retention hold overrides it. The system retains the item for 5 years and then deletes it. This behavior ensures that the most stringent compliance requirement is always satisfied.

Second, conflicts can arise between retention policies and retention labels. Retention labels are applied manually or automatically to individual items, whereas retention policies apply to entire locations. When a retention label is applied to an item, it takes precedence over the policy if the label has a shorter retention period? No, the system preserves the longest duration from either the label or the policy. So if a label requires 10 years and a policy requires 3 years, the item stays for 10 years. This is a frequent source of confusion in exams like the CISSP and CySA+, where candidates might assume labels always override policies.

Third, there is a specific exception for litigation holds or eDiscovery holds. These holds override any deletion action from retention policies. If a mailbox is placed on litigation hold, even if a retention policy's disposal action is triggered, the item remains preserved. This is because litigation holds are generally applied for legal reasons and must supersede all automated lifecycle rules. The MS-102 exam often presents a scenario where a user is under litigation hold and a retention policy tries to delete old emails, candidates must know that the hold wins.

Fourth, conflicts can occur when a policy is removed or modified. If you remove a retention policy that had a longer retention period, items that were under that policy do not get immediately deleted. Instead, they remain preserved under the remaining policies. The system re-evaluates all items based on the new policy set. This can lead to unexpected retention if a shorter policy was hidden by the longer one. Administrators must test changes in a staging environment before applying them to production.

Finally, exam candidates should understand that the 'longest retention' rule has no exception for user intent or administrative override. Even if an admin explicitly tries to delete an item, the compliance backend will reject the permanent deletion if any retention policy applies. This is a key security property that distinguishes retention policies from simple archive settings. Knowing this can help answer scenario-based questions in the SAA-C03 and CISSP exams that ask why a deleted file keeps reappearing in eDiscovery. The takeaway is that retention policies create a safety net that cannot be bypassed by traditional delete operations.

Using Retention Policy as a Forensic Tool for eDiscovery Investigations

Retention policies serve a dual purpose in the Security and Compliance landscape: they are both a data lifecycle governance mechanism and a powerful forensic tool for eDiscovery investigations. When an organization faces litigation, an audit, or an internal investigation, the ability to preserve all potentially relevant data is critical. Retention policies, when combined with eDiscovery holds, provide a robust framework to ensure that electronic evidence is not destroyed, even if users attempt to delete it. In fact, the integration between retention policies and eDiscovery is a major theme in the MS-102, SC-900, and CISSP exams.

The most common forensic use case is the preservation of mailbox data. When a legal case is opened, compliance officers place an eDiscovery hold on specific mailboxes. This hold actually creates a retention policy on those mailboxes that prevents permanent deletion of any items. However, eDiscovery holds differ from standard retention policies in that they do not have an expiration date, they remain in effect until the hold is manually removed by the compliance administrator. Items modified or deleted by the user while a hold is active are preserved in the Recoverable Items folder in Exchange Online. This folder has a quota that can be increased by an administrator to accommodate the preserved data.

For collaboration content in SharePoint Online and OneDrive for Business, eDiscovery holds preserve all versions of documents. This means that even if a user deletes a document or overwrites it with a later version, the original version is retained in the document version history and is discoverable in eDiscovery searches. The retention policy ensures that the document library's recycle bin and preservation hold library are not purged until the hold is lifted. This is extremely important for exam scenarios where a user claims they permanently deleted incriminating files, candidates must know that retention policies make such deletion reversible.

In Microsoft Teams, eDiscovery of chat messages requires retention policies that are specifically applied to Teams chat data. Without a retention policy, Teams messages are automatically deleted after 30 days (for standard users) or 90 days (for GCCH clouds). A retention policy can extend this period to years, preserving the full conversation thread including edits and deletions within the chat. When an eDiscovery hold is placed on a Teams user, their chat messages and channel messages are preserved in the underlying Exchange mailbox and SharePoint site respectively. The MS-102 exam often tests this architectural detail.

Another critical forensic capability is the use of Content Search in the Microsoft Purview compliance portal. With retention policies in place, content searches can locate items across Exchange, SharePoint, OneDrive, and Teams, even items that users believe they have deleted. The retention policy ensures that these items are still present in the Preservation Hold library or the Recoverable Items folder. This is a direct test of the concept of 'soft delete' vs 'hard delete'. In the Security+ exam, candidates frequently see questions about eDiscovery being possible only if retention policies are configured.

Finally, organizations must be careful not to apply retention policies that automatically delete data needed for an active investigation. A common mistake is to set a retention policy on a mailbox that deletes items older than 90 days, but then fail to remove that policy when a legal hold is needed. The result can be a gap where some evidence is preserved by the hold but other items are purged by the policy. The optimal practice is to apply an eDiscovery hold that explicitly overrides any conflicting retention policy. Understanding this interplay is essential for the CySA+ exam, where incident response requires both preservation and analysis of digital evidence.

Troubleshooting Clues

Items not being deleted after retention period expires

Symptom: Admin reports that emails older than the retention period are still visible in user mailboxes after the policy should have deleted them.

The Managed Folder Assistant runs on a 7-day schedule. It may not have processed the mailbox since the policy became active. If a litigation hold or eDiscovery hold is applied, deletion is suppressed. Check the hold status on the mailbox.

Exam clue: This triggers exam questions asking why a retention policy did not take immediate effect. Correct answer: 'The Managed Folder Assistant runs on a schedule, not in real-time.'

Retention policy applies to unexpected users or mailboxes

Symptom: A policy intended for the Finance department is affecting the entire tenant. Users from Sales report emails being preserved.

The policy was likely created with -ExchangeLocation $null or with -AllExchangeLocation $true, causing it to apply to all mailboxes. Administrators must explicitly scope to specific user groups or mailboxes.

Exam clue: Candidates must differentiate between scoping to a specific user and scoping to all users. The cmdlet parameters -ExchangeLocation and -AllExchangeLocation are distinct and commonly confused.

Cannot delete a mailbox because retention policy holds content

Symptom: Admin tries to remove a user's mailbox but receives an error: 'This mailbox cannot be removed because it is under retention policy hold.'

The mailbox is still subject to a retention policy. To delete the mailbox, the admin must first remove the retention policy hold from the mailbox or disable the policy for that user.

Exam clue: This scenario is classic in MS-102 and AZ-104. The solution is to identify the retention policy and remove the user from its scope before deleting the mailbox.

SharePoint document library shows unexpected storage growth

Symptom: A SharePoint site's storage usage has doubled within a month. Administrators suspect retention policies are preserving old document versions.

Retention policies preserve all versions of documents. If the site has many large files with frequent editing, the version history grows dramatically. The policy prevents automatic deletion of older versions.

Exam clue: Questions about storage optimization test the understanding that retention policies increase storage by preserving versions. The solution is to limit version count or adjust retention settings.

Teams messages are not appearing in eDiscovery search

Symptom: A compliance officer cannot find Teams chat messages in a content search despite having retention policy applied to Teams.

Teams messages are stored in the underlying Exchange mailbox of each participant, but only if the retention policy has been applied to Teams conversations specifically. A policy applied only to mailboxes will not capture Teams chat data.

Exam clue: This directly tests the knowledge that Teams messages require a separate retention policy targeting Teams channel messages and chats. The SC-900 exam includes this nuance.

Retention policy deletion action is ignored for some items

Symptom: Some items survive the deletion action while others are properly deleted. There is no pattern based on user or folder.

Items that have been modified within the retention period are reset. If a user modified an old email, its retention timer restarts from the modification date. Only items that have not been modified since creation are deleted at the original expiration.

Exam clue: This behavior (reset on modification) is a common exam trap. Candidates must understand that retention duration is based on the last modification date, not creation date, unless configured otherwise.

Policy appears in policy list but does not show status

Symptom: When running Get-RetentionCompliancePolicy, the policy shows but its Mode is 'Pending' or 'DeletionPending'. Users report no effect.

A policy in 'Pending' mode has not been fully applied. This happens when a policy is newly created or modified and is waiting for replication across all Exchange servers. DNS propagation delays can also cause this.

Exam clue: Exam scenarios often show a policy that is not working yet. Correct action: Wait for replication or force sync by restarting the Managed Folder Assistant.

Retention policy labels are not applying to documents

Symptom: Admins assign a retention label to a SharePoint document, but the label does not become active. The document remains with default retention.

Labels require a label policy to be published to the location. If the retention label is created but not published to the SharePoint site, it will not apply. A document must be saved or checked in after applying the label.

Exam clue: This tests the difference between creating a label and publishing a label policy. The Security+ and CISSP exams use this to assess practical understanding of label deployment.

Memory Tip

Think of retention policy as a 'digital timer for data': start, count down, then delete or archive automatically.

Learn This Topic Fully

This glossary page explains what Retention policy means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.An organization has two retention policies applied to the same mailbox. Policy A retains items for 3 years and then deletes them. Policy B retains items for 5 years and then deletes them. What happens to an email that is 4 years old?

2.A compliance administrator creates a new retention policy and expects it to apply immediately. After 24 hours, the policy has not affected any mailboxes. What is the most likely cause?

3.An administrator tries to permanently delete a mailbox that is under a retention policy. What error will they encounter?

4.Which of the following is true regarding retention policies and eDiscovery holds?

5.An organization wants to retain all Microsoft Teams chat messages for 5 years. What must the administrator configure?

Frequently Asked Questions

What is the difference between retention policy and retention label in Microsoft 365?

A retention policy is applied to a broad scope like a site or mailbox automatically. A retention label is applied manually or via auto-classification to specific items and can also trigger a retention period. Both lead to deletion or archiving, but labels offer more granular control.

Can a retention policy be removed after it is applied?

Yes, but removal stops the policy from processing new items. Items already subject to the policy continue to be retained or deleted based on the previously applied rules. In some platforms, once a preservation lock is enabled, the policy cannot be removed or shortened.

How long does it take for a retention policy to start deleting data?

It depends on the platform. In Microsoft 365, evaluation occurs every 7 days. In AWS S3, lifecycle policies are evaluated once per day. In Exchange, the Managed Folder Assistant runs every 7 days. Changes are not instant.

What happens if a retention policy conflicts with a legal hold?

Legal hold always takes precedence. If a legal hold is active on an item, the retention policy will not delete it. The item is preserved until the hold is removed, after which the retention policy may act.

Is it possible to set a retention policy on a per-folder basis?

Yes, in many platforms. For example, in SharePoint, you can apply a retention label to a specific folder or document library. In file servers, you can use folder-level policies. Cloud platforms like AWS S3 allow prefix-level lifecycle rules.

What is the default retention policy in Microsoft 365?

There is no default retention policy. Organizations must create their own. However, there are default labels for regulatory compliance that can be used. Without a policy, data is kept indefinitely until a user deletes it.

Can retention policies be applied to archived data?

Yes, retention policies can apply to data in archive tiers. For example, in Microsoft 365, a policy can cover archive mailboxes. In AWS, lifecycle policies can transition and expire objects in Glacier. Archiving does not exempt data from retention.

What audit logs record retention policy actions?

In Microsoft 365, retention policy actions are logged in the Audit log (Unified Audit Log). In AWS S3, server access logs and CloudTrail record lifecycle actions. In Exchange, Administrator Audit Logging tracks policy changes.

Summary

A retention policy is a critical data governance tool that defines how long data is kept and what happens when the time is up. It helps organizations meet legal requirements, manage storage costs, and reduce security risks. Without a proper retention policy, data either accumulates endlessly or is deleted prematurely, both of which are problematic.

For IT certification exams, retention policy appears across platforms like AWS, Microsoft 365, and general compliance frameworks. You need to understand the difference between retention and backup, the role of legal holds, and how to configure policies for different data types. Be ready for scenario questions where you choose the correct retention period and action based on regulatory requirements.

In practice, retention policy implementation requires careful planning, testing, and monitoring. Professionals must document policies, review them periodically, and ensure they align with changing business and legal landscapes. The ability to design and manage retention policies is a valuable skill for system administrators, compliance officers, and architects alike.