This chapter covers Microsoft 365's data governance and retention capabilities, including retention policies, retention labels, eDiscovery holds, and records management. These topics are critical for the MS-900 exam as they appear in roughly 15-20% of questions under Domain 3 (Security and Compliance). You will learn how to define retention rules, apply labels, manage legal holds, and understand the underlying mechanics that protect data from premature deletion while ensuring compliance with regulatory requirements.
Imagine a corporate filing room where every document is stored in a cabinet with a built-in timer. When a document is placed in a drawer, the timer starts counting down from a preset number of days (e.g., 90 days). Once the timer expires, the document is automatically moved to a locked shredding bin. However, if a document is marked as 'legal hold' (e.g., because of a lawsuit), a special lock prevents the timer from starting or stops it if already running. The filing room also has a policy: all documents must be classified as 'Public,' 'Internal,' or 'Confidential,' and certain types (e.g., contracts) must be kept for 7 years. A compliance officer can search the entire room and place holds on any document. If someone tries to delete a document manually, the system checks the hold status first—if a hold exists, the delete is blocked and an alert is sent. This mirrors Microsoft 365's data governance: retention policies set timers, retention labels classify items, eDiscovery holds lock content, and deletion is prevented until the hold is removed.
What is Data Governance and Retention?
Data governance in Microsoft 365 refers to the policies, processes, and technologies that control how data is managed throughout its lifecycle—from creation to deletion. Retention is a key component that ensures data is kept for a minimum period (to meet legal or business needs) and then disposed of in a controlled manner. The primary tools in Microsoft 365 are retention policies and retention labels, both of which can preserve content, delete it, or both.
Why It Exists
Organizations face legal and regulatory requirements to retain certain types of data (e.g., financial records for 7 years, HR records for 3 years after termination). At the same time, they must avoid holding data indefinitely due to storage costs, privacy regulations (like GDPR), and legal exposure. Retention policies automate this balance. Additionally, when litigation or investigations occur, organizations must preserve all relevant data—eDiscovery holds prevent deletion or alteration of content.
How Retention Works Internally
Microsoft 365 uses a retention engine that runs as a background process across Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. When a retention policy or label is applied, the service marks each item with a retention tag. For mailboxes, this tag is stored in the Recoverable Items folder (also known as the dumpster). For SharePoint and OneDrive, the tag is stored in the Preservation Hold library, a hidden document library.
The retention engine periodically scans items (typically every 7 days) and checks whether the retention period has expired. If the item is not under hold and the retention period has passed, the engine moves it to the Recycle Bin (or permanently deletes it if the policy specifies immediate deletion). If a hold is applied (e.g., via an eDiscovery case), the engine skips deletion and locks the item.
Key Components and Defaults
Retention Policy: Applies retention settings at the location level (entire mailbox, site, etc.). Can be assigned to Exchange, SharePoint, OneDrive, Teams, and Groups. Default retention period is 0 days (no retention) unless specified.
Retention Label: Applies at the item level (specific email, document, etc.). Labels can be published to users via label policies so users can manually apply them, or they can be auto-applied based on content type or sensitive information.
Retention Period: Measured in days or years. Minimum value is 1 day, maximum is 30 years (or indefinite). For Exchange, the period starts from the date the item is sent or received. For SharePoint/OneDrive, from the date the item was last modified.
Retention Action: Can be "Retain only" (preserve forever or until period ends), "Delete only" (delete after period), or "Retain and then delete" (preserve for period, then delete).
eDiscovery Hold: Part of an eDiscovery case. When a hold is placed on a location, all content in that location is preserved indefinitely until the hold is released. Holds take precedence over retention policies.
Configuration and Verification Commands
In the Microsoft 365 admin center, navigate to Security & Compliance Center > Data governance > Retention. For PowerShell, use the Security & Compliance Center PowerShell (Exchange Online PowerShell for some commands). Example commands:
```powershell
# Connect to Security & Compliance Center PowerShell
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Create a new retention policy
New-RetentionCompliancePolicy -Name "Finance Retention" -ExchangeLocation All -SharePointLocation "https://contoso.sharepoint.com/sites/finance"

# Add a retention rule to the policy (retain for 7 years then delete)
New-RetentionComplianceRule -Name "7 Year Retain" -Policy "Finance Retention" -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete -ExpirationDateOption ModificationAgeInDays

# Retention labels are applied to a document via the SharePoint UI.
# The label itself can be created with PowerShell:
New-ComplianceTag -Name "Confidential" -RetentionDuration 365 -RetentionAction Keep -IsRecordLabel $false
```
To verify retention settings, use `Get-RetentionCompliancePolicy` and `Get-RetentionComplianceRule`. Check the Recoverable Items folder in a mailbox using `Search-Mailbox -Identity user@contoso.com -SearchDumpsterOnly` (Exchange Online).
Interaction with Related Technologies
Microsoft Purview Compliance Portal: Central management for retention, eDiscovery, and records management.
Data Lifecycle Management (DLM): Works with retention labels to auto-classify data.
Records Management: A subset of retention labels where content is marked as a record (immutable). Records cannot be deleted or edited by users, and they have a higher level of protection.
eDiscovery (Premium): Uses retention holds to preserve data for cases. eDiscovery searches can find content across locations even if it has been deleted (as long as it's still in the Recoverable Items folder).
Microsoft 365 Backup: Complements retention by providing point-in-time recovery, but retention policies are the primary tool for compliance-driven preservation.
Retention in Microsoft Teams
Teams data is stored in Exchange (chat messages), SharePoint (files), OneDrive (private files), and the Microsoft 365 Group mailbox. Retention policies can be applied to Teams conversations (channel messages and chat messages). For channel messages, the retention timer starts from the message creation date. For chat messages, it starts from the last time the message was modified. Deleted Teams messages are retained in the Recoverable Items folder of the underlying Exchange mailbox for up to 30 days (or longer if a hold is applied).
Adaptive Scopes
Starting in 2022, Microsoft introduced adaptive scopes in retention policies. Instead of applying a policy to all mailboxes or all sites, you can define a dynamic scope based on attributes like department, location, or custom attributes. For example, a policy can apply to all users in the "Finance" department. Adaptive scopes are evaluated on a recurring basis (every 24 hours) to include new users or exclude users who no longer match the criteria.
Timers and Thresholds
Retention evaluation cycle: Every 7 days, the retention engine checks items for expiration.
Hold duration: eDiscovery holds are indefinite until released.
Deletion delay: After retention period ends, there is a 7-day grace period before permanent deletion (to allow for recovery).
Label auto-application: Can be triggered based on sensitive information types (e.g., credit card numbers) or trainable classifiers. The classification happens within 24 hours of item creation.
Compliance Score and Records Management
Microsoft Purview Compliance Manager uses retention policies as part of its controls. Records management (declaring an item as a record) adds an extra layer: records have a disposition review before deletion, and they cannot be modified. Records can be declared manually or automatically via retention labels with the "Mark as record" option.
Summary of Key Mechanics
A retention policy or label is created and assigned to a location or item.
The retention engine marks the item with a retention tag and starts the timer.
The engine scans every 7 days for items whose timer has expired.
If no hold exists, the item is moved to the Recycle Bin (or permanently deleted).
If a hold exists, deletion is blocked indefinitely.
Users can delete items manually, but deleted items remain in the Recoverable Items folder until the retention period expires (if a hold or retention policy preserves them).
Create a Retention Policy
Navigate to Microsoft Purview compliance portal > Data lifecycle management > Microsoft 365 > Retention policies. Click 'New retention policy'. Provide a name and description. Choose locations: Exchange email, SharePoint sites, OneDrive accounts, Microsoft 365 Groups, or Teams channel/chat messages. For each location, you can include or exclude specific users/sites. Then define the retention rule: choose whether to retain content, delete content, or both. Set the retention period (days or years). Optionally, configure adaptive scopes (dynamic inclusion based on attributes). The policy will be applied to all existing and new content in the selected locations.
Define Retention Rules
After creating the policy, you add one or more retention rules. Each rule specifies the retention action (retain, delete, or retain then delete) and the duration. You can also set the start of the retention period based on content age (e.g., when created, last modified, or sent/received). For Exchange, the default is sent/received date. For SharePoint/OneDrive, the default is last modified date. You can also apply a rule only to content with a specific retention label, enabling granular control.
Publish Retention Labels
To allow users to manually apply retention labels, you must publish them via a label policy. In the compliance portal, go to Data lifecycle management > Labels > Label policies. Create a new policy, select the labels to include, and choose the locations (e.g., Exchange, SharePoint, OneDrive). Users in those locations will see the label in their apps (Outlook, SharePoint, OneDrive). They can apply the label to individual items. Auto-apply policies can be configured to assign labels automatically based on conditions like sensitive info types or keywords.
Apply an eDiscovery Hold
In an eDiscovery case (eDiscovery > Cases > Open a case), go to 'Holds' and create a new hold. Specify the locations (mailboxes, sites, etc.) to preserve. Optionally, add a query filter to preserve only specific content (e.g., emails containing a keyword). Once applied, the hold prevents any content in those locations from being permanently deleted. The hold takes effect immediately. Even if a retention policy's deletion timer expires, the hold overrides it. The hold remains until it is manually removed or the case is closed.
Monitor Retention and Holds
Use the compliance portal to monitor the status of retention policies and holds. Under 'Data lifecycle management' > 'Overview', you can see the count of items under retention. For eDiscovery holds, the case dashboard shows which locations are on hold. Use PowerShell cmdlets like `Get-RetentionCompliancePolicy` and `Get-CaseHoldPolicy` to retrieve details. For auditing, enable mailbox auditing and review audit logs for retention-related events (e.g., hold applied, policy created). The Unified Audit Log records all retention and hold actions.
Enterprise Scenario 1: Financial Compliance
A global bank must retain all financial communications (emails, chat messages) for 7 years per SEC regulations. They create a retention policy for Exchange mailboxes and Teams chat messages with a 7-year retention period (2,555 days) using 'Retain and then delete'. They also create a retention label 'SEC Record' that is auto-applied to emails containing specific keywords (e.g., 'trade', 'settlement'). The label ensures those items are marked as records, preventing deletion or modification even after the retention period ends (records require disposition review). The bank uses adaptive scopes to apply the policy only to users in the trading and compliance departments. In production, this policy covers 5,000 mailboxes and 10,000 Teams users. Performance is not impacted because the retention engine runs asynchronously. Common misconfiguration: forgetting to include Teams chat messages (which are stored in Exchange but require separate selection in the policy). If the policy is applied only to mailboxes, chat messages are not retained, leading to compliance gaps.
Enterprise Scenario 2: Legal Hold for Litigation
A large law firm is involved in a lawsuit and must preserve all data from a specific client's matter. They create an eDiscovery case named 'Client X Litigation' and place a hold on the mailboxes of 20 attorneys and 5 SharePoint sites related to the case. The hold is query-based, preserving only emails and documents containing the client's name. The hold prevents any deletion, even if the firm's standard retention policy would have deleted older emails. After the case settles (3 years later), they release the hold. During the hold, users can still edit documents, but previous versions are preserved in the Preservation Hold library. A common issue: if the hold is applied to a site that also has a retention policy with a deletion action, the hold takes precedence, but the retention policy's 'retain' action still applies—so content is kept for the full retention period even after the hold is removed. The firm must carefully plan the hold release to avoid immediate deletion of old content.
Enterprise Scenario 3: GDPR Data Minimization
A European retailer needs to delete customer data after 3 years of inactivity to comply with GDPR's storage limitation principle. They create a retention label 'Customer Data' with a retention period of 3 years from last modification, then delete. The label is auto-applied to OneDrive and SharePoint documents containing personally identifiable information (PII) using a sensitive information type (e.g., EU passport number). They also create a retention policy for Exchange mailboxes that deletes emails older than 3 years (delete-only action). The challenge is ensuring that data subject requests (right to erasure) can be handled—if a customer requests deletion, the admin must manually find and delete the data, which may still be under retention if the 3-year period hasn't expired. To handle this, they use a separate 'Consent Withdrawn' label that overrides the retention period (set to delete immediately). Misconfiguration: applying a retention policy that retains data longer than the GDPR maximum (e.g., 10 years) would violate GDPR, so careful auditing is required.
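The two misconfigurations named in Scenarios 1 and 3 can be checked mechanically. The following is an added example, not part of the original guide or of Microsoft's tooling: `Find-RetentionGap` is a hypothetical function, the 1,095-day ceiling is an assumed organisational limit, and the sample objects are constructed, with property names that mirror the cmdlet parameters and are assumed to match what the `Get-` cmdlets return.

```powershell
# Added example, not from the original guide. Sample objects are constructed;
# property names mirror the New-RetentionCompliancePolicy and
# New-RetentionComplianceRule parameters and are assumed to match Get- output.
function Find-RetentionGap {
    param(
        [Parameter(Mandatory)][object[]]$Policies,
        [Parameter(Mandatory)][object[]]$Rules,
        [int]$MaxRetentionDays = 1095   # hypothetical ceiling (3 years, as in Scenario 3)
    )
    $findings = @()

    # Scenario 1: mailboxes are covered, but Teams chat was never selected.
    $mail = @($Policies | Where-Object { $_.Enabled -and $_.ExchangeLocation })
    $chat = @($Policies | Where-Object { $_.Enabled -and $_.TeamsChatLocation })
    if ($mail.Count -gt 0 -and $chat.Count -eq 0) {
        $findings += [pscustomobject]@{
            Scope   = ($mail | ForEach-Object { $_.Name }) -join ', '
            Finding = 'Mailboxes are retained but no enabled policy selects Teams chat messages'
        }
    }

    # Scenario 3: a retain action that keeps data past the allowed ceiling.
    foreach ($rule in $Rules) {
        if ($rule.RetentionComplianceAction -notin @('Keep', 'KeepAndDelete')) { continue }
        $duration = "$($rule.RetentionDuration)"   # integer days or 'Unlimited'
        if ($duration -eq 'Unlimited' -or [int]$duration -gt $MaxRetentionDays) {
            $findings += [pscustomobject]@{
                Scope   = "$($rule.Policy) / $($rule.Name)"
                Finding = "Retention duration '$duration' exceeds the $($MaxRetentionDays)-day ceiling"
            }
        }
    }
    $findings
}

# Constructed sample data. Pass only the rules that fall under the ceiling
# (here: the retailer's customer-data rules).
$policies = @(
    [pscustomobject]@{ Name = 'Trading Mail';  Enabled = $true; ExchangeLocation = @('All'); TeamsChatLocation = @() }
    [pscustomobject]@{ Name = 'Customer Data'; Enabled = $true; ExchangeLocation = @();      TeamsChatLocation = @() }
)
$rules = @(
    [pscustomobject]@{ Name = 'Customer 10 Year'; Policy = 'Customer Data'; RetentionDuration = 3650; RetentionComplianceAction = 'Keep' }
    [pscustomobject]@{ Name = 'Customer 3 Year';  Policy = 'Customer Data'; RetentionDuration = 1095; RetentionComplianceAction = 'KeepAndDelete' }
)

Find-RetentionGap -Policies $policies -Rules $rules | Format-List

# Against a tenant (assumption: output exposes the same property names):
#   Find-RetentionGap -Policies (Get-RetentionCompliancePolicy) -Rules (Get-RetentionComplianceRule)
```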
MS-900 Objective Coverage
This topic falls under Domain 3: Microsoft 365 Security and Compliance, specifically objective 3.4: Describe data governance and retention capabilities. The exam tests your ability to differentiate between retention policies and retention labels, understand eDiscovery holds, and identify the correct tool for a given scenario. Roughly 3-5 questions on the exam touch these concepts.
Common Wrong Answers and Traps
Confusing retention policies with retention labels: Many candidates think a retention policy is applied at the item level (like a label). In reality, a policy applies to an entire location (e.g., all mailboxes), while a label is applied to individual items. The exam may ask: 'You need to retain all emails from the finance department for 5 years. What should you use?' The correct answer is a retention policy (with adaptive scope or location selection), not a label. Wrong answer: 'Create a retention label and publish it to all users.' That would require manual application, not automatic retention of all emails.
Overlooking eDiscovery hold precedence: Candidates often assume that a retention policy with a deletion action will delete data even if a hold is active. The correct behavior is that holds override deletion. A question might state: 'A retention policy deletes emails after 90 days. An eDiscovery hold is placed on the mailbox. What happens to emails older than 90 days?' The answer: they are preserved indefinitely until the hold is removed.
Misunderstanding 'retain and then delete' vs 'retain only': Some think 'retain and then delete' means the item is deleted immediately after the retention period ends. Actually, there is a 7-day grace period. The exam might ask: 'After the retention period expires, how long until the item is permanently deleted?' Answer: up to 7 days.
Ignoring adaptive scopes: Older questions assumed static scopes (all users or specific users). Newer exam content includes adaptive scopes based on attributes. A question might describe a dynamic group of users by department, and the correct answer is to use an adaptive scope in a retention policy, not a static list.
Specific Numbers and Terms to Memorize
Retention period maximum: 30 years (or indefinite).
Retention evaluation cycle: every 7 days.
Grace period after expiration: 7 days.
eDiscovery holds: indefinite duration.
Records: cannot be modified or deleted without disposition review.
Preservation Hold library: hidden library in SharePoint/OneDrive where retained items are stored.
Recoverable Items folder: mailbox folder for deleted items under retention/hold.
Edge Cases and Exceptions
Teams messages: Retention for channel messages starts from creation date; for chat messages, from last modification.
Microsoft 365 Groups: Group mailbox and site are treated as separate locations; a policy targeting 'Groups' applies to both.
Deleted users: If a user is deleted, their mailbox and OneDrive are retained for 30 days (soft-delete). If a retention policy or hold exists, the content is preserved for the full retention period even after the user is deleted.
Labels vs policies on the same item: If both a policy and a label apply, the longer retention period wins. If one deletes and the other retains, the retain action takes precedence.
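The precedence rules above (holds override deletion, the longer retention period wins, retain beats delete, and the 7-day grace period) can be combined into one decision function. This is an added example that models the rules as this guide states them; it is not Microsoft's implementation, and `Resolve-RetentionOutcome`, its parameters and the sample cases are hypothetical and constructed.

```powershell
# Added example: models the retention rules as this study guide states them.
# Function name, parameters and sample cases are hypothetical/constructed.
$GraceDays = 7   # grace period before permanent deletion, per the guide

function Resolve-RetentionOutcome {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,  # sent/received or last-modified date
        [Parameter(Mandatory)][object[]]$Rules,      # @{ Days = <int>; Action = 'Keep' | 'Delete' | 'KeepAndDelete' }
        [Parameter(Mandatory)][datetime]$AsOf,       # date the item is evaluated on
        [switch]$OnHold                              # an eDiscovery hold covers the item
    )
    $retainUntil = $null   # end of the longest retain period
    $deleteOn    = $null   # date the item becomes eligible for deletion
    foreach ($rule in $Rules) {
        $end = $StartDate.AddDays($rule.Days)
        if ($rule.Action -in @('Keep', 'KeepAndDelete')) {
            # Longer retention period wins.
            if ($null -eq $retainUntil -or $end -gt $retainUntil) { $retainUntil = $end }
        }
        if ($rule.Action -in @('Delete', 'KeepAndDelete')) {
            # Several delete rules: the earliest date is used (assumption of
            # this example; the guide does not cover that case).
            if ($null -eq $deleteOn -or $end -lt $deleteOn) { $deleteOn = $end }
        }
    }
    # Retain takes precedence over delete: never delete before retention ends.
    if ($null -ne $deleteOn -and $null -ne $retainUntil -and $retainUntil -gt $deleteOn) {
        $deleteOn = $retainUntil
    }
    $purgeOn = if ($null -ne $deleteOn) { $deleteOn.AddDays($GraceDays) } else { $null }

    $status = if ($OnHold) {
        'Preserved by hold'                      # holds always override deletion
    } elseif ($null -eq $deleteOn) {
        'No automatic deletion'                  # retain-only rules
    } elseif ($AsOf -lt $deleteOn) {
        'Retained'
    } elseif ($AsOf -lt $purgeOn) {
        'Expired, recoverable during grace period'
    } else {
        'Permanently deleted'
    }
    [pscustomobject]@{
        Status = $status; RetainUntil = $retainUntil; DeleteOn = $deleteOn; PurgeOn = $purgeOn
    }
}

# Constructed cases based on the guide's own questions and scenarios.
$cases = @(
    @{ Name   = '90-day delete policy, mailbox on hold'
       Params = @{ StartDate = '2024-01-01'; AsOf = '2025-01-01'; OnHold = $true
                   Rules = @(@{ Days = 90; Action = 'Delete' }) } }
    @{ Name   = '90-day delete policy plus 365-day retain label'
       Params = @{ StartDate = '2024-01-01'; AsOf = '2024-06-01'
                   Rules = @(@{ Days = 90; Action = 'Delete' }, @{ Days = 365; Action = 'Keep' }) } }
    @{ Name   = '90-day retain-and-delete, checked 3 days after expiry'
       Params = @{ StartDate = '2024-01-01'; AsOf = '2024-04-03'
                   Rules = @(@{ Days = 90; Action = 'KeepAndDelete' }) } }
)
$results = foreach ($case in $cases) {
    $p = $case.Params
    Resolve-RetentionOutcome @p |
        Select-Object @{ n = 'Case'; e = { $case.Name } }, Status, DeleteOn, PurgeOn
}
$results | Format-Table -AutoSize
```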
How to Eliminate Wrong Answers
When faced with a question, first identify the scope: is it at the location level (policy) or item level (label)? Next, determine the action: retain, delete, or both? Then check if a hold is involved—holds always override deletion. Finally, consider whether the scenario requires automatic application (use auto-apply label or policy) or manual (publish label). Eliminate answers that confuse these elements.
Retention policies apply at the location level; retention labels apply at the item level.
eDiscovery holds override retention policies and prevent deletion indefinitely.
The retention evaluation cycle runs every 7 days; after expiration, there is a 7-day grace period before permanent deletion.
Retention period can be set from 1 day to 30 years or indefinite.
Records are immutable and cannot be modified or deleted without a disposition review.
Adaptive scopes allow dynamic inclusion based on user attributes (e.g., department).
Deleted items under retention are stored in the Recoverable Items folder (Exchange) or Preservation Hold library (SharePoint/OneDrive).
These come up on the exam all the time. Here's how to tell them apart.
Retention Policy
Applies to entire locations (mailbox, site, etc.)
Cannot be applied manually by users
One policy can cover many users/sites
Used for broad, organization-wide retention requirements
Cannot be used to declare records (but can work with labels)
Retention Label
Applies to individual items (email, document, etc.)
Can be published for manual application by users
Can be auto-applied based on conditions
Used for granular, item-level retention
Can mark items as records (immutable)
Mistake
Retention policies delete data immediately after the retention period ends.
Correct
There is a 7-day grace period before permanent deletion. During this time, the item is still recoverable from the Recycle Bin or Recoverable Items folder.
Mistake
Retention labels and retention policies are the same thing.
Correct
A retention policy applies to an entire location (e.g., all mailboxes), while a retention label is applied to individual items. Labels can be published for manual application or auto-applied based on conditions.
Mistake
An eDiscovery hold is only needed for litigation, not for compliance.
Correct
eDiscovery holds can be used for any legal or regulatory requirement to preserve data. They are part of the eDiscovery case workflow and are not limited to litigation.
Mistake
Once a retention policy is applied, users cannot delete their own content.
Correct
Users can still delete items, but the deleted items are retained in the Recoverable Items folder until the retention period expires (if the policy is set to retain). If the policy is delete-only, deletion is immediate.
Mistake
Retention policies in Teams only apply to channel messages, not chat messages.
Correct
Retention policies can be applied to both Teams channel messages and chat messages. Chat messages are stored in the user's Exchange mailbox and are subject to the same retention rules.
A retention policy applies to entire locations (e.g., all mailboxes in an organization) and cannot be manually applied by users. A retention label applies to individual items (e.g., a specific email or document) and can be published for users to apply manually or auto-applied based on conditions. Policies are broad; labels are granular.
After you create or modify a retention policy, it can take up to 7 days for the retention engine to process all existing items. New items are tagged immediately. The policy's effects (deletion or retention) are applied during the next evaluation cycle.
Once a retention policy deletes an item (after the 7-day grace period), it is permanently removed and cannot be recovered through normal means. You would need a backup (e.g., Microsoft 365 Backup or a third-party backup) to restore it.
When a user is deleted, their mailbox and OneDrive are soft-deleted for 30 days. If a retention policy or eDiscovery hold applies, the data is preserved for the full retention period even after the 30-day soft-delete window. The data is stored in the Recoverable Items folder or Preservation Hold library.
You can either specify individual users or groups when creating the policy (static scope) or use an adaptive scope to dynamically include users based on attributes like department or location. Adaptive scopes are evaluated every 24 hours.
Yes. When creating a retention rule, choose the action 'Delete only' or 'Retain and then delete'. The data will be deleted after the specified period (plus a 7-day grace period).
A record is a document or email that has been declared as a record via a retention label with the 'Mark as record' option. Records cannot be modified or deleted by users, and they require a disposition review before deletion. Regular items under retention can still be edited (if not locked) and can be deleted by users (though retained in the background).