This chapter covers records management in Microsoft 365, a critical component of compliance and information governance. Records management ensures that an organization retains important content for legal, regulatory, or business needs and disposes of content that no longer has value. For the MS-900 exam, this topic falls under Domain 3 (Microsoft 365 Security and Compliance) and typically appears in 5-10% of questions, often focusing on retention policies, retention labels, and the difference between records and regular items. Understanding these concepts is essential for answering scenario-based questions about compliance requirements.
Jump to a section
Imagine a large corporation's physical archive room. Every document that enters—contracts, invoices, HR files—must be stamped with a retention label (like 'Keep 7 years' or 'Destroy after 1 year'). The archive manager (the compliance officer) sets policies: all financial records must be kept for 7 years, then shredded. Employees can't just throw away documents; they must submit a disposal request. The archive room has a secure area (record center) where documents can be locked (declared as records) so they can't be edited or deleted until the retention period expires. When a document's retention period ends, a supervisor reviews it (disposition review) before authorizing shredding (disposition). If an auditor asks for a document, the archive manager can place a legal hold (litigation hold) on it, preventing any disposal. This system ensures the company complies with regulations like Sarbanes-Oxley and avoids legal penalties. In Microsoft 365, this physical archive is digitized: labels become retention labels, policies become retention policies, the secure area becomes the Preservation Hold library, and the manager's holds become eDiscovery holds. The same rules apply—once a document is declared a record, it cannot be altered or deleted by anyone except a compliance administrator, and only after the retention period and a disposition review.
What is Records Management and Why It Exists
Records management in Microsoft 365 is the process of declaring content as a record—a version of an item that cannot be modified or deleted by users, even if they have edit permissions. It is part of the Microsoft Purview compliance portal and is built on top of retention policies and retention labels. The primary purpose is to help organizations comply with legal and regulatory obligations (e.g., SEC rules, GDPR, HIPAA) by preserving essential records and disposing of non-essential ones in a defensible manner. The exam expects you to know that records management is about *immutability* and *controlled disposition*.
How It Works Internally
Records management relies on two key constructs: retention policies and retention labels. Retention policies can be applied at the container level (e.g., entire SharePoint site, Exchange mailbox) and are set by administrators. Retention labels are applied at the item level (e.g., a specific document or email) and can be published so users apply them manually, or auto-applied based on conditions like sensitive information types or keywords. When a retention label is configured to mark content as a record, the item becomes read-only: users cannot edit, delete, or modify metadata. The underlying mechanism uses the Preservation Hold library in SharePoint and OneDrive, which stores a copy of the item before any modification or deletion attempt. In Exchange, items are moved to the Recoverable Items folder (specifically the Purges subfolder) and held there.
Key Components, Values, Defaults, and Timers
- Retention Policy: Applies to entire workloads (Exchange, SharePoint, OneDrive, Teams). Default retention period can be specified in days, months, or years (up to 30 years). Actions: retain, delete, or retain and then delete. - Retention Label: Applies to individual items. Can be published or auto-applied. When marked as a record, the label prevents editing and deletion. The label can also trigger a disposition review when the retention period ends. - Record Types: - Standard record: Users cannot edit or delete, but compliance admins can still manage. - Regulatory record: Even stricter—cannot be deleted by anyone, including admins, and cannot be changed. Requires a special configuration and is irreversible. - Disposition Review: A workflow that requires a designated reviewer to approve permanent deletion. This is configured in the retention label or policy. - Event-based retention: Retention starts when a specific event occurs (e.g., employee termination). Events are triggered manually or via Power Automate. - Default values: Retention policies are created in the Microsoft Purview compliance portal. The default action is to retain forever if no period is set. The maximum retention period is 30 years (3650 months or 10950 days). - Timers: - Processing time: After applying a retention label, it can take up to 7 days for the label to be enforced across all items. - Disposition review: Once the retention period expires, the item enters a review period (default 30 days) before deletion.
Configuration and Verification
To configure a retention label that declares records: 1. Navigate to Microsoft Purview compliance portal > Solutions > Records Management. 2. Create a label: define name, description, retention period (e.g., 7 years), action (retain and delete), and check "Mark content as a record" (or "Regulatory record"). 3. Publish the label to users or auto-apply using conditions. 4. Users can then apply the label to documents in SharePoint, OneDrive, or Outlook.
To verify: In SharePoint, a document with a record label will have a lock icon and the "Delete" and "Edit" buttons disabled. The item's properties show a "Record status" field. In Exchange, the email will appear with a note in the header that it is a record.
How It Interacts with Related Technologies
eDiscovery: Records are included in eDiscovery searches unless filtered out. Records cannot be deleted by eDiscovery holds—they are already immutable.
Data Lifecycle Management (DLM): Records management is a subset of DLM. DLM includes retention and deletion policies, while records management adds immutability.
Microsoft Information Protection (MIP): Sensitivity labels and retention labels work together. A file can have both a sensitivity label and a retention label. The retention label's restrictions override the sensitivity label's permissions for editing/deletion.
Teams: Retention policies apply to Teams channel messages and chat messages. Records management can be applied to files shared in Teams via SharePoint.
Power Automate: Can trigger events for event-based retention or disposition reviews.
Specific Exam-Noteworthy Details
The maximum retention period is 30 years (not 99 years or indefinite).
Regulatory records are irreversible; once set, you cannot change the label back to a standard record.
Disposition review is optional but recommended for defensible disposal.
Records management requires a Microsoft 365 E5 or Compliance add-on license (E3 includes basic retention but not records management).
The Preservation Hold library is hidden from users but accessible to compliance administrators.
Trap Patterns on the Exam
Wrong answer: "Retention policies can be applied to individual items." Reality: Retention policies apply to containers (sites, mailboxes); retention labels apply to items.
Wrong answer: "A record can be deleted by the site owner." Reality: Only a compliance administrator can delete a record, and even then only after the retention period and disposition review.
Wrong answer: "Retention labels are the same as sensitivity labels." Reality: They serve different purposes—sensitivity labels protect data (encryption, access control), retention labels manage lifecycle (retention, deletion, immutability).
Define Compliance Requirements
Identify the legal, regulatory, or business requirements for retaining and disposing of content. For example, a financial firm must retain audit records for 7 years under SEC Rule 17a-4. This step determines the retention period and whether content must be declared a record (immutable) or just retained for a period. In the Microsoft Purview compliance portal, this translates to creating retention labels or policies with specific durations (e.g., 7 years) and actions (retain and delete).
Create Retention Labels and Policies
In the Records Management solution, create retention labels that define the retention period and action. For records, enable the 'Mark content as a record' option. Determine if the label should be published (users apply manually) or auto-applied based on conditions like sensitive info types or keywords. Also create retention policies for broad coverage (e.g., all SharePoint sites). Each label or policy has a name, description, retention period (days/months/years up to 30 years), and action (retain, delete, or retain then delete).
Publish or Auto-Apply Labels
Publish the retention label so users can apply it to documents and emails. Auto-apply labels using conditions: for example, if a document contains a credit card number, auto-apply a label that marks it as a record. The auto-apply process uses trainable classifiers or sensitive information types. Once published or auto-applied, the label becomes available in Outlook, SharePoint, and OneDrive. Users see the label in the item's properties and can apply it manually (if published).
Apply Labels to Content
Users or automated processes apply the retention label to specific items. For example, a user in SharePoint selects a document, opens the details pane, and chooses the '7-Year Record' label. In Outlook, a user can apply a label to an email by selecting 'Apply policy' in the ribbon. Once applied, the content is marked as a record: it becomes read-only, and any attempt to edit or delete is blocked. A copy is stored in the Preservation Hold library (SharePoint) or Recoverable Items (Exchange).
Manage Retention and Disposition
During the retention period, the content is preserved. When the period expires, the item enters a disposition review stage (if configured). A designated reviewer receives a notification and can approve deletion, extend retention, or add a hold. If no review is configured, the item is automatically deleted after the retention period. Disposition reviews are managed in the Microsoft Purview compliance portal under Records Management > Disposition. This step ensures defensible disposal.
Enterprise Scenario 1: Financial Services Compliance
A large bank must comply with SEC Rule 17a-4, which requires that certain electronic records be preserved in a non-rewritable, non-erasable format (WORM) for 7 years. The bank uses Microsoft 365 E5 with records management. They create a retention label called 'SEC 17a-4 Record' with a retention period of 7 years, marked as a regulatory record (immutable). The label is auto-applied to all documents in a specific SharePoint site that contains trade confirmations and account statements. The bank also configures a disposition review to ensure that before deletion, a compliance officer approves. In production, the bank has thousands of documents labeled daily. A common issue is that users try to edit a confirmed trade—they get an error. The bank's helpdesk must explain that the document is a record and cannot be modified. If misconfigured (e.g., not set as regulatory record), an admin could accidentally delete the records, violating compliance. Scale: over 10 million documents retained across multiple sites. Performance: retention labels are applied asynchronously; it can take up to 7 days for the label to be enforced on all existing items, but new items are labeled immediately.
Enterprise Scenario 2: Healthcare Records Retention
A hospital network uses Microsoft 365 to store patient records and must comply with HIPAA, which requires retaining medical records for 6 years after the last patient encounter. They create a retention label 'HIPAA Medical Record' with a retention period of 6 years, marked as a standard record. The label is published so that doctors and nurses can apply it manually to patient documents. The hospital also uses event-based retention: when a patient record is closed, an event triggers the start of the 6-year retention. They use Power Automate to fire the event. A challenge is that some users forget to apply the label; the hospital then uses auto-apply based on a sensitive information type that detects medical record numbers. If misconfigured (e.g., retention period set to 10 years instead of 6), they retain data longer than necessary, increasing storage costs and legal risk. Scale: 500,000 patient records across multiple SharePoint sites. Performance: event-based retention requires careful management of event triggers; if an event is not fired, the retention never starts.
Enterprise Scenario 3: Legal Holds and Disposition
A law firm uses records management to handle client files. They have a policy to retain client files for 10 years after case closure. They create a retention label 'Client File' with a 10-year retention and disposition review. When a case closes, the lawyer applies the label. After 10 years, the system notifies the firm's compliance officer, who reviews the file and either approves deletion or extends retention if the client is still active. A common problem is that a litigation hold from eDiscovery overrides the disposition—the file cannot be deleted until the hold is released. The firm must ensure that eDiscovery holds are removed before the disposition review can proceed. If misconfigured (e.g., no disposition review), files are automatically deleted after 10 years, potentially destroying evidence needed for future cases. Scale: 100,000 client files. Performance: disposition reviews can be batched; the system can handle thousands of reviews per month.
What MS-900 Tests on Records Management
The MS-900 exam objective 3.4 covers "Describe the compliance management capabilities in Microsoft 365." Specifically, you need to understand the difference between retention policies and retention labels, the concept of records, and the basic lifecycle of content. The exam does NOT require deep configuration steps but expects you to know when to use each tool. Look for scenario-based questions like: "A company needs to prevent users from deleting financial documents for 7 years. Which should you use?"
Most Common Wrong Answers and Why Candidates Choose Them
Choosing 'sensitivity labels' instead of 'retention labels' – Candidates confuse sensitivity labels (which encrypt and restrict access) with retention labels (which manage retention and immutability). The trap: both are in the Microsoft Purview compliance portal. The key differentiator: sensitivity labels protect data from unauthorized access; retention labels protect data from deletion/modification.
Selecting 'retention policy' when the question mentions 'specific documents' – Retention policies apply to entire sites or mailboxes, not individual items. Candidates think 'policy' is broader and thus better, but for item-level control, you need retention labels.
Believing that a record can be deleted by a site owner – The exam tests that once content is declared a record, only compliance administrators can delete it (and only after the retention period and any disposition review). Users, even site owners, cannot delete records.
Thinking that 'regulatory record' is the same as 'standard record' – The exam may ask about the strictest record type. Regulatory records cannot be deleted by anyone, including admins. Standard records can be deleted by compliance admins.
Specific Numbers, Values, and Terms That Appear Verbatim
Maximum retention period: 30 years (or 3650 months, 10950 days).
Default disposition review period: 30 days.
Time for retention label to apply to existing items: up to 7 days.
Record types: Standard record and Regulatory record.
Term: Preservation Hold library (SharePoint/OneDrive) and Recoverable Items folder (Exchange).
License requirement: Microsoft 365 E5 or Compliance add-on for records management features (basic retention is in E3).
Edge Cases and Exceptions
If a retention label is applied to a folder in SharePoint, all documents in that folder inherit the label, but the label can still be changed on individual documents unless the folder is set to block changes.
Retention policies for Teams chats and channel messages: these are stored in Exchange and are subject to the same retention rules as emails.
When a user leaves the organization, their OneDrive files remain subject to retention policies and labels even after the user is deleted.
Event-based retention: the retention period starts when the event is triggered, not when the label is applied. If the event is never triggered, the content is retained indefinitely.
How to Eliminate Wrong Answers
If the question asks about preventing deletion of specific documents, eliminate any answer that mentions 'retention policy' without 'label'—policies apply to containers.
If the question mentions immutability or WORM, look for 'record' or 'regulatory record' in the answer.
If the question says users should be able to apply the label themselves, the answer must include 'published' retention labels (not auto-applied).
If the question involves legal holds, remember that eDiscovery holds override retention periods and prevent deletion.
Records management ensures content cannot be modified or deleted (immutability) and allows controlled disposition.
Retention policies apply to containers; retention labels apply to individual items.
Retention labels can mark content as a standard record (immutable) or regulatory record (immutable and undeletable by admins).
Maximum retention period is 30 years (3650 months, 10950 days).
Disposition review is optional but recommended for defensible deletion; default review period is 30 days.
Records management requires Microsoft 365 E5 or Compliance add-on license.
The Preservation Hold library (SharePoint/OneDrive) and Recoverable Items folder (Exchange) store copies of records.
Event-based retention starts when a custom event is triggered, not when the label is applied.
These come up on the exam all the time. Here's how to tell them apart.
Retention Policy
Applies to entire containers (sites, mailboxes, Teams).
Set by administrators only.
Cannot be applied by users.
Cannot mark content as a record.
Best for broad, organization-wide requirements.
Retention Label
Applies to individual items (documents, emails).
Can be applied by users (published) or automatically (auto-apply).
Can mark content as a record (standard or regulatory).
Supports disposition reviews.
Best for specific items that need immutability or custom retention.
Mistake
Retention policies and retention labels are the same thing.
Correct
Retention policies apply to entire workloads (e.g., all SharePoint sites, all Exchange mailboxes) and are set by admins. Retention labels apply to individual items (documents, emails) and can be applied manually by users or automatically by conditions. They have different scopes and use cases.
Mistake
Once a retention label is applied, it can be removed by the user.
Correct
If the label marks content as a record, the user cannot remove or change the label. Only a compliance administrator can modify or remove a record label, and even then, for regulatory records, it cannot be removed at all.
Mistake
A retention policy always deletes content after the retention period.
Correct
A retention policy can be configured to only retain content (no deletion), only delete content, or retain and then delete. The default action is to retain forever if no period is specified. Deletion is not automatic unless explicitly configured.
Mistake
Records management is available in Microsoft 365 E3.
Correct
Basic retention policies are available in E3, but records management features (declaring records, regulatory records, disposition reviews) require Microsoft 365 E5 or the Microsoft 365 Compliance add-on license.
Mistake
A record can be edited by the site owner.
Correct
Once content is declared a record, it becomes read-only for all users, including site owners. Even compliance administrators cannot edit the content; they can only delete it after the retention period and disposition review (except for regulatory records, which cannot be deleted by anyone).
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A retention policy applies to entire workloads like all SharePoint sites or all Exchange mailboxes. It is set by administrators and cannot be applied by users. A retention label applies to individual items such as a specific document or email. Labels can be published so users apply them manually, or auto-applied based on conditions. Only labels can mark content as a record and trigger disposition reviews.
No. Once a document is marked as a record, it becomes read-only. Users cannot edit, delete, or modify the document. Only a compliance administrator can delete it, and only after the retention period expires and any disposition review is completed. For regulatory records, even administrators cannot delete them.
Basic retention policies are available in Microsoft 365 E3. However, records management features—such as marking content as a record, regulatory records, and disposition reviews—require Microsoft 365 E5 or the Microsoft 365 Compliance add-on license.
It can take up to 7 days for a retention label to be applied to all existing items in a SharePoint site or OneDrive account. New items are labeled immediately when the label is applied manually or automatically.
If a disposition review is configured, the item enters a review stage where a designated reviewer can approve deletion, extend retention, or add a hold. If no disposition review is configured, the item is automatically deleted after the retention period ends. The default review period is 30 days.
Yes. A document can have both a sensitivity label (which controls access and encryption) and a retention label (which controls retention and immutability). The retention label's restrictions (read-only for records) override the sensitivity label's permissions for editing and deletion.
A regulatory record is the strictest type of record. It is immutable and cannot be deleted or modified by anyone, including compliance administrators. This is irreversible once applied. A standard record is also immutable but can be deleted by a compliance administrator after the retention period and disposition review.
You've just covered Records Management in Microsoft 365 — now see how well it sticks with free MS-900 practice questions. Full explanations included, no account needed.
Done with this chapter?