This chapter covers retention policies and retention labels in Microsoft Purview, which are core compliance tools for managing data lifecycle. For the SC-900 exam, this topic appears in roughly 10-15% of questions under Domain 4 (Compliance Solutions), Objective 4.2. You will need to understand the difference between policies and labels, how they interact, and the specific retention actions (keep, delete, keep then delete). We will also cover adaptive vs static scopes, disposition review, and the default retention periods for common workloads like Exchange and SharePoint.
Imagine a corporate library where every document must be kept for a specific period. The librarian (retention policy) decides which shelves items go on and how long they stay. Some shelves are for records that must be kept for 7 years (regulatory), others for 3 years (project files), and some for 30 days (temporary notices). Each shelf has a 'keep until' date. Once that date passes, the librarian automatically moves items to a shredding bin—but only if no one has placed a 'do not destroy' label on the item. That label is a retention label: it overrides the shelf's default rule. For example, a contract might have a 'Regulatory - 7 years' label, so even if it sits on a 3-year shelf, the librarian checks the label and keeps it for 7 years. The library also has a 'hold' system: if an audit is underway, the librarian locks all related items in a separate cabinet (litigation hold) regardless of labels or shelves. This analogy mirrors how Microsoft Purview works: retention policies apply automatically at the container level (e.g., SharePoint site), retention labels are manually or automatically assigned to individual items, and legal holds override both. The librarian (system) runs a daily job to check expiration and dispose items only if no hold or label prevents it.
What Are Retention Policies and Retention Labels?
Retention policies and retention labels are Microsoft Purview features that help organizations govern their data by retaining what is needed and deleting what is not. They are part of the Information Governance and Records Management solutions. The core purpose is to meet regulatory requirements, reduce litigation risk, and manage storage costs.
Key Differences: Policy vs Label
Retention Policy: Applies automatically to all content in a specified location (e.g., all mailboxes in a tenant, all SharePoint sites in a scope). It works at the container level. You cannot apply a retention policy to individual items; it covers everything in the scope.
Retention Label: Applies to individual items (e.g., a specific email, document, or Teams message). Labels can be auto-applied based on conditions (sensitive info types, trainable classifiers) or manually assigned by users or admins. Labels provide more granular control.
Both policies and labels can perform three retention actions:
- Retain only: Keep data for a specified period, then do nothing (no deletion).
- Delete only: Delete data after a specified period.
- Retain then delete: Keep data for a period, then automatically delete.
How Retention Works Internally
When you create a retention policy or label, you define a retention period (e.g., 7 years) and what happens at the end (delete, keep, or review). The system then applies a 'retention hold' on the content. This hold prevents permanent deletion until the retention period expires. The hold is enforced by the underlying workload (Exchange, SharePoint, OneDrive, Teams, Yammer).
For Exchange Online, retention holds are applied to mailboxes. When a user deletes an email, it goes to the Recoverable Items folder. The retention hold prevents the item from being purged from that folder until the retention period ends. For SharePoint and OneDrive, retention holds are applied at the document level. When a user deletes a file, it goes to the site's recycle bin or preservation hold library, and the retention hold prevents permanent deletion.
Default Retention Periods and Timers
Exchange Online: The default retention period for a policy is indefinite unless specified. The system uses the 'Age of item' property (date received for emails, date created for documents).
SharePoint/OneDrive: Retention is based on the last modified date or created date, depending on the policy configuration. The system checks for expiration daily via a timer job.
Teams: Retention applies to channel messages (standard and private) and chat messages. For channel messages, retention is based on the message creation date. For chat messages, it's based on the last updated date.
Yammer: Community messages and private messages have their own retention settings.
Adaptive vs Static Scopes
Static Scope: You select specific users, groups, or sites. The policy applies to those entities and all content within them. If you add new users later, you must manually update the policy.
Adaptive Scope: You define a query-based scope using Azure Active Directory attributes (e.g., Department = 'Finance'). The policy automatically applies to any user or site that matches the query. When new users join the Finance department, the policy applies automatically. Adaptive scopes are recommended for dynamic environments.
Retention Labels: Auto-apply and Manual
Retention labels can be:
- Manually published: Users or admins apply the label to items via Outlook, SharePoint, or the Purview compliance portal.
- Auto-applied: Based on conditions:
  - Sensitive information types (e.g., credit card numbers, SSN)
  - Trainable classifiers (e.g., 'inappropriate text', 'resumes')
  - Content contains specific words or patterns
  - Content matches a data loss prevention (DLP) policy
  - Content is shared with external users
Interaction Between Retention Policies and Labels
When both a policy and a label apply to the same item, the longest retention period wins. For example:
A policy retains for 3 years.
A label retains for 7 years.
The item is retained for 7 years.
If one policy says retain and another says delete, the retain action takes precedence. The system always ensures data is not deleted prematurely.
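The precedence rules above, modelled as an added PowerShell example (not code from the original page, and not a Purview cmdlet). The function name, property names and sample settings are hypothetical; the hold switch and the earliest-deletion tie-break among several delete settings are assumptions of the model.

```powershell
# Added example: models only the precedence rules described on this page.
# Resolve-EffectiveRetention and its property names are hypothetical.
function Resolve-EffectiveRetention {
    param(
        [Parameter(Mandatory)] [object[]] $Settings,  # every policy/label that applies to one item
        [Parameter(Mandatory)] [datetime] $ItemDate,  # start of the retention clock
        [switch] $OnHold,                             # assumption: an eDiscovery hold also applies
        [datetime] $Now = (Get-Date)
    )

    $retain = @($Settings | Where-Object { $_.Action -in 'Retain', 'RetainThenDelete' })
    $delete = @($Settings | Where-Object { $_.Action -in 'Delete', 'RetainThenDelete' })

    # Longest retention period wins, whether it comes from a policy or a label.
    $retainUntil = $null
    if ($retain.Count -gt 0) {
        $longest     = $retain | Sort-Object -Property Days -Descending | Select-Object -First 1
        $retainUntil = $ItemDate.AddDays($longest.Days)
    }

    # Retain takes precedence over delete: deletion never falls before $retainUntil.
    # Assumption: when several settings delete, the earliest deletion date is used.
    $deleteOn = $null
    $review   = $false
    if ($delete.Count -gt 0) {
        $first    = $delete | Sort-Object -Property Days | Select-Object -First 1
        $deleteOn = $ItemDate.AddDays($first.Days)
        $review   = [bool]$first.DispositionReview
        if ($null -ne $retainUntil -and $retainUntil -gt $deleteOn) { $deleteOn = $retainUntil }
    }

    if ($OnHold) {
        $status = 'PreservedByHold'            # a hold blocks deletion regardless of periods
    } elseif ($null -ne $retainUntil -and $Now -lt $retainUntil) {
        $status = 'Retained'
    } elseif ($null -ne $deleteOn -and $Now -ge $deleteOn) {
        $status = if ($review) { 'PendingDispositionReview' } else { 'EligibleForDeletion' }
    } elseif ($null -ne $deleteOn) {
        $status = 'AwaitingDeletionDate'
    } else {
        $status = 'NoAction'                   # retain-only period over, nothing deletes
    }

    [pscustomobject]@{ RetainUntil = $retainUntil; DeleteOn = $deleteOn; Status = $status }
}

# Constructed sample: a 3-year retain-then-delete policy and a 7-year retain label on one item.
$settings = @(
    [pscustomobject]@{ Source = 'Policy'; Name = 'Project files';        Action = 'RetainThenDelete'; Days = 1095 }
    [pscustomobject]@{ Source = 'Label';  Name = 'Regulatory - 7 years'; Action = 'Retain';           Days = 2555 }
)
Resolve-EffectiveRetention -Settings $settings -ItemDate ([datetime]'2020-01-01') -Now ([datetime]'2024-06-01')
```

With the sample input the policy's 3-year deletion date is pushed out to the label's 7-year date, so the item is still reported as retained in 2024.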
Disposition Review
For sensitive data, you can enable disposition review. When a retention period expires, the item enters a 'disposition review' state. An assigned reviewer must approve permanent deletion. This adds a human-in-the-loop step. Disposition reviews can be set up for both policies and labels.
Preservation Lock
A preservation lock prevents anyone (including global admins) from deleting or shortening the retention period. It is used for regulatory requirements. Once locked, the policy cannot be modified (except to extend the period). This is common for SEC or FINRA compliance.
PowerShell Commands for Configuration
To manage retention policies via PowerShell:
# Connect to Exchange Online PowerShell
Connect-ExchangeOnline
# Note: these cmdlets manage Exchange MRM retention policies and tags; Purview retention policies are managed with the *-RetentionCompliancePolicy cmdlets in Security & Compliance PowerShell
# Get all retention policies and the tags linked to them
Get-RetentionPolicy | Format-Table Name, RetentionPolicyTagLinks
# Create the retention tag first (e.g., delete after 7 years = 2555 days)
New-RetentionPolicyTag -Name "7 Year Delete" -Type All -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery -RetentionEnabled $true
# Create a new retention policy and link the tag to it
New-RetentionPolicy -Name "7 Year Regulatory" -RetentionPolicyTagLinks "7 Year Delete"
For compliance labels:
# Connect to Security & Compliance Center PowerShell
Connect-IPPSSession
# Get all retention labels
Get-ComplianceTag | Format-Table Name, RetentionAction, RetentionDuration
# Create a new retention label (keep for 2555 days, counted from the item's creation date)
New-ComplianceTag -Name "7 Year Record" -RetentionAction Keep -RetentionDuration 2555 -RetentionType CreationAgeInDays
Interaction with Related Technologies
eDiscovery: Retention holds are separate from eDiscovery holds. An eDiscovery hold preserves data for legal investigation. If both a retention policy and an eDiscovery hold apply, both must be removed before data can be deleted.
Data Lifecycle Management (DLM): Retention policies are part of DLM. They work alongside data classification and data loss prevention.
Records Management: Retention labels can mark items as 'records' (regulatory records). Records have additional restrictions (e.g., cannot be modified). This is part of the Records Management solution.
Microsoft 365 Backup: Retention policies do not replace backups. They are for compliance, not disaster recovery.
Identify Compliance Requirements
First, determine the regulatory or business requirements for retaining data. For example, GDPR may require deletion after 30 days, while financial regulations may require 7 years. Map these requirements to specific workloads (Exchange, SharePoint, Teams). This step determines the retention period and action (keep, delete, keep then delete). Also identify if disposition review or preservation lock is needed.
Choose Scope: Adaptive or Static
Decide whether to use adaptive or static scopes. Adaptive scopes use queries against Azure AD attributes (e.g., Department, Country). For example, apply a 7-year policy to all users in the 'Legal' department. Static scopes require manual selection of users/groups/sites. Adaptive scopes are dynamic and reduce administrative overhead. In the Purview compliance portal, you create the scope first, then assign it to the policy.
Create Retention Policy in Purview
In the Microsoft Purview compliance portal, navigate to Data Lifecycle Management > Microsoft 365 > Retention policies. Click 'New retention policy'. Name the policy (e.g., '7 Year Regulatory - Exchange'). Select the locations (Exchange email, SharePoint sites, OneDrive accounts, Teams channel messages, Teams chats, Yammer). For each location, define the retention period (e.g., 7 years) and action (retain, delete, or retain then delete). Optionally enable disposition review.
Create and Publish Retention Labels
If granular control is needed, create retention labels. Go to Records Management > File Plan > Create a label. Define the label name, retention period, and action. Optionally mark as a record (regulatory). Then publish the label so users can apply it manually, or set up auto-application rules (e.g., based on sensitive info types). Auto-application uses conditions like 'content contains credit card number'.
Monitor and Review Disposition
After deployment, monitor the disposition reviews. In Purview, go to Data Lifecycle Management > Disposition. Reviewers must approve or reject deletion requests. Use PowerShell to generate reports on pending dispositions. Also monitor the policy effectiveness using the 'Retention policy report' in Purview. Adjust policies as needed based on audit findings or changing regulations.
Scenario 1: Financial Services Firm (SEC Rule 17a-4)
A large financial firm must retain all electronic communications (emails, instant messages) for 7 years with no deletions. They use a retention policy with a preservation lock to prevent any changes. The policy is applied to all Exchange mailboxes and Teams chats using an adaptive scope that includes all employees. The retention action is 'retain' (no deletion). They also enable disposition review for items older than 7 years to allow legal to review before final deletion. The firm uses static scopes for specific trading desks that have additional 3-year retention for certain documents. Common misconfiguration: forgetting to enable preservation lock, which would allow admins to accidentally shorten the retention period. They also set up auto-apply retention labels for any email containing 'trade confirmation' to ensure extra protection.
Scenario 2: Healthcare Provider (HIPAA)
A hospital must retain patient records for 6 years after last treatment. They use a retention label called 'Patient Record - 6 Year' that is auto-applied to any document containing a medical record number (sensitive info type). The label action is 'retain then delete' with a 6-year period. They also have a separate retention policy for billing records (7 years) applied to the Finance department via adaptive scope. Challenge: overlapping policies cause items to be retained for the longer of the two (7 years). To avoid this, they ensure the billing policy has a shorter period or exclude certain locations. They also use disposition review for records that are near expiration to allow compliance officers to approve deletion.
Scenario 3: Technology Startup (GDPR Compliance)
A startup must delete personal data of EU citizens within 30 days of request. They use a retention label called 'GDPR - Delete after 30 days' that is manually applied by the privacy team to specific documents. They also have a retention policy for all SharePoint sites that retains content for 3 years for business continuity. The GDPR label overrides the policy for the specific items. They use PowerShell to regularly run reports on items with the GDPR label to ensure timely deletion. Pitfall: users forget to apply the label, so they set up auto-application based on a trainable classifier that detects personal data. They also enable litigation hold for any ongoing GDPR disputes.
What SC-900 Tests on Retention Policies and Labels (Objective 4.2)
The exam focuses on:
- Differences between retention policies and retention labels: Candidates must know that policies apply to all content in a location, while labels apply to individual items.
- Retention actions: Keep, delete, keep then delete. The exam may ask which action to use for regulatory compliance (usually 'retain' or 'retain then delete').
- Adaptive vs static scopes: Know that adaptive scopes use AAD queries and automatically include new users.
- Interaction: When a policy and label conflict, the longest retention period wins. The retain action takes precedence over delete.
- Preservation lock: Prevents modification of the policy. Used for regulatory compliance.
- Disposition review: A human must approve deletion after the retention period ends.
- Locations: Exchange, SharePoint, OneDrive, Teams, Yammer.
Common Wrong Answers
'Retention policies can be applied to individual emails' — Wrong. Policies apply to all items in a container. Labels are for individual items.
'When a policy and label conflict, the label always wins' — Wrong. The longest retention period wins, regardless of whether it's from a policy or label.
'Static scopes are better for dynamic environments' — Wrong. Adaptive scopes are better.
'Preservation lock can be removed by an admin' — Wrong. It is permanent once enabled.
'Retention policies replace backups' — Wrong. They are for compliance, not disaster recovery.
Specific Numbers and Terms
Retention periods are in days (e.g., 2555 days for 7 years).
The default retention period for a policy is 'indefinite' if not specified.
Disposition review is enabled at the policy/label creation step.
Preservation lock is a toggle in the policy settings.
Adaptive scopes use Azure AD attributes (e.g., Department, Country).
Edge Cases
Teams private channels: Retention policies for private channels are managed separately from standard channels.
Yammer: Community messages have different retention settings than private messages.
Multi-geo tenants: Retention policies apply per geo location.
How to Eliminate Wrong Answers
If a question asks about applying retention to a specific document, eliminate any answer that mentions a 'policy' (should be 'label'). If the question mentions 'automatic application based on department', eliminate 'static scope' (should be 'adaptive'). If the question mentions 'cannot be changed', look for 'preservation lock'. If the question mentions 'human approval', look for 'disposition review'.
Retention policies apply to containers; retention labels apply to individual items.
When both apply, the longest retention period wins.
Adaptive scopes use AAD queries and automatically include new users; static scopes require manual updates.
Preservation lock makes a retention policy immutable; it cannot be removed.
Disposition review adds human approval before deletion after the retention period ends.
Retention actions: retain only, delete only, retain then delete.
Locations: Exchange, SharePoint, OneDrive, Teams, Yammer.
Retention policies are for compliance, not backup.
These come up on the exam all the time. Here's how to tell them apart.
Retention Policy
Applies to all content in a container (mailbox, site, etc.)
Cannot be applied to individual items
Configured via Data Lifecycle Management > Retention policies
Supports adaptive and static scopes
Best for broad, automatic retention rules
Retention Label
Applies to individual items (email, document, message)
Can be manually or automatically applied
Configured via Records Management > File Plan
Does not use scopes; uses auto-apply conditions or manual assignment
Best for granular, item-level control
Mistake
Retention policies can be applied to individual emails or documents.
Correct
Retention policies apply to all content in a specified location (e.g., all mailboxes in a scope). Only retention labels can be applied to individual items.
Mistake
When a retention policy and a retention label conflict, the label always takes precedence.
Correct
The longest retention period wins, regardless of whether it comes from a policy or label. If the policy retains for 7 years and the label for 3, the item is retained for 7 years.
Mistake
Static scopes are recommended for dynamic organizations where users change frequently.
Correct
Adaptive scopes are recommended because they automatically include new users based on AAD attributes. Static scopes require manual updates.
Mistake
Preservation lock can be removed by a global admin if needed.
Correct
Preservation lock is permanent. Once enabled, no one (including global admins) can delete or shorten the retention period. It can only be extended.
Mistake
Retention policies and labels are a substitute for backups.
Correct
Retention policies are for compliance and data governance, not disaster recovery. They prevent deletion but do not protect against corruption or accidental overwrites. Backups are still needed.
A retention policy applies automatically to all content within a specified location (e.g., all mailboxes in a department). A retention label applies to individual items (e.g., a specific email or document). Policies are for broad, automatic governance; labels provide granular control. On the exam, remember: policies = container level, labels = item level.
The longest retention period wins. If the policy retains for 3 years and the label for 7, the item is retained for 7 years. Also, the retain action takes precedence over delete. This ensures data is not deleted prematurely. The exam may test this with scenario questions.
An adaptive scope uses a query against Azure AD attributes (e.g., Department = 'Finance') to dynamically include users, groups, or sites. It automatically applies to new members that match the query. Use adaptive scopes when your organization has frequent changes (hires, transfers) to avoid manual updates. Static scopes require you to manually add each user.
Yes, unless a preservation lock is enabled. A preservation lock prevents any changes (deletion or shortening of retention period). It can only be extended. This is used for regulatory compliance. Without a lock, admins can modify the policy, including the retention period and locations.
Disposition review is a process where an assigned reviewer must approve or reject the permanent deletion of items when their retention period expires. It adds a human-in-the-loop step for sensitive data. It is configured during policy or label creation. The exam may ask which feature provides a review step before deletion.
For Teams, retention policies can be applied to channel messages (standard and private) and chat messages. For Yammer, policies apply to community messages and private messages. The retention period is based on message creation date or last updated date. The system runs a daily timer job to check for expiration.
'Retain' keeps the data indefinitely after the retention period ends (no automatic deletion). 'Retain then delete' automatically deletes the data after the retention period ends. Use 'retain' for legal holds, 'retain then delete' for data minimization. The exam may ask which action to choose for GDPR compliance (usually 'retain then delete').