How to Create Retention Policies for Microsoft Teams
I work with many legal and regulatory organizations that require no retention period for Microsoft Teams channels and their users’ chats. Other industries dictate that the information must be retained for 7 years while other customers don’t want to let go of any information and retain their chats indefinitely. This blog post will assist you with an overview, outline where the data is stored, considerations, pre-requisites, and how to implement retention periods within Microsoft Teams.
Microsoft Teams can utilize retention policies within Office 365 to define what data the user would like to retain and how long they would like to keep it for. By default, these range from 5, 7, or 10 years.
Organizations often keep data for industry regulations or legal requirements to retain the data for a particular period. An example of this is Bill 198 in Canada or Sarbanes-Oxley in the United States that dictates particular data must be kept for a particular period of time; another example of this would be that tax returns must be kept for seven years.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
Another example is around meeting GDPR requirements and organizations may want to reduce their risk in the event of litigation or security incidents by permanently deleting the data they are not required to retain.
Where is the data stored
Microsoft Teams chats and channel conversations are held in 1 of 3 places within Microsoft 365. All information is stored within a Mailbox, however, these mailboxes have different RecipientTypeDetails attributes.
- GroupMailbox: This type of mailbox is used to store message data for Teams Channels
- MailUser: This type of mailbox stores message data for on-premises Teams users
- UserMailbox: This type of mailbox stores message data for cloud-based users
It’s worth noting that RoomMailbox, used for Teams conference rooms, is not currently supported for Teams retention policies.
An increasing number of larger organizations are setting the policy to retain chat to 1 day and then delete the chat. One consideration is that setting private chat retention to a very low number is should force communication into the appropriate channels, however, the information sent via chat could be deleted before the messages are read. In addition, setting the retention period low could force users to leave Teams and its low retention policy settings as instant messages are not received, thus having an adverse effect required. Set the policy to something suitable to the impact of the exposure whist still ensuring that productivity is kept.
Another consideration is that when a user leaves the organization and their Microsoft 365 account is deleted, their chat messages are subject to the retention period and stored in an inactive mailbox. The chat messages remain subject to any of the rection policies set before the mailbox was made inactive. This means that the contents are available for an eDiscovery search.
There is also a limitation of using Outlook and Teams retention policies. Outlook can incorrectly display the default folder policy if a user were to view the properties of a mailbox folder within the Outlook desktop client. This is incorrect and is a known issue. Rather, the user should see the mailbox retention period policy that is applied to the folder – the Microsoft Teams retention policy is not set to the user’s mailbox.
The global admin for the organization needs to create retention policies. This role can create, edit, and ultimately delete the retention policies within the organizations.
How to Implement Retention Policies
- Log into Office 365 Admin Portal
- Visit the Microsoft 365 compliance center
- Select Policies then Retention.
4.Click New retention policy
5. Input Name and Description (Optional)
6. Select the location to which the policy will be applied towards. In this instance, we are going to set the retention policy for Team channels messages and Teams chats. By default, this is applied to all Channels and All users. Should this need to be reduced, then select the appropriate Channels and Users
7. Select the retention period or not to retain the data duration of time. For example, your organization may decide to retain data indefinitely, or 5,7,10 or a custom (bespoke) period. Adversely, your organization may decide that this data must be transient and requires the data to be deleted after 1 day (the minimum retention period). Complete and press Next
8. Review the policy and acknowledge that the configuration meets your requirements and press Submit
Once these steps have been completed the retention policies will be applied to the Teams chats and the Teams channel messages outlined when the policies were created.