Marking Office 365 Documents and Email as Formal Records

Microsoft released a report in late October to demonstrate how well Microsoft 365 meets the compliance needs of the financial sector subject to U.S. regulations. The level of inaccuracy in the text meant that I didn’t think much of the report.

In any case, the report placed great emphasis on two developments. The first was that reactions to Teams messages would be captured in the audit log (inappropriate). The second was the advent of regulatory records. There’s no sign yet of events appearing in the Office 365 audit log when people react to Teams conversations, but if you’ve got the right licenses, retention labels can be created to mark documents and email as records or regulatory records.

Two Types of Record Retention Label

Two forms of record label exist inside Microsoft 365:

  • Record: After a record label is applied to an item, only administrators can remove the label or change it for another label. Anyone with write-access to an Exchange mailbox can apply a record label to an item in the mailbox. Any member of a SharePoint Online site can apply a record label to a file or list item. Once applied, a record label stops the item being deleted. Items with record labels stored in SharePoint Online and OneDrive for Business can have a locked or unlocked status. The content of a locked item cannot be edited, but its metadata (like the title) can be updated. Any site member can unlock an item to allow it to be edited.
  • Regulatory record: This is a stricter form of record label. The label cannot be removed from the tenant after it is created, and the only changes allowed to the label settings are to increase the retention period or to publish the label to additional locations. After a regulatory record label is applied to an item, no one can remove the label or delete the item until its retention period expires. The locked status of an item cannot be changed, so no one can edit an item’s content. However, documents can be opened in review mode and saved as a new file.

The big difference between the two label types is that a regulatory record is intended to mark final content which will remain immutable after a label is assigned. You can’t unlock or make changes to an item with a regulatory record label, and the item will remain until the retention period set in the label elapses, so it’s important not to assign these labels until content is finalized and ready for preservation.

Marking Items as Records

A record is a document, list item, or message assigned a special form of retention label to mark the item as a record or as a regulatory record (the difference between the two is explained above). Although retention labels are supported as part of Office 365 E3, you need Office 365 E5 or Microsoft 365 E5 to access the Records management system within the Microsoft 365 compliance center (Figure 1) to be able to manage record labels.

Figure 1: Records management in the Microsoft 365 compliance center (image credit: Tony Redmond)

“Normal” retention labels can’t be turned into a record label. Record labels can only be created and managed through Records Management.

Enabling Regulatory Record Labels

Not every organization needs to implement regulatory records. For this reason, before you can create new regulatory record labels, you must expose the UI to allow the compliance center to manage regulatory record labels. This is done by connecting a PowerShell session to the compliance endpoint and running the Set-RegulatoryComplianceUI cmdlet. The easiest way to do this is to connect to Exchange Online Management and then run the Connect-IPPSSession cmdlet to connect to the compliance endpoint. For example:

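# Assumption: $O365Cred is not already set, so prompt for an administrator credential
$O365Cred = Get-Credential
# Connect to Exchange Online, then to the compliance endpoint
Connect-ExchangeOnline -Credential $O365Cred
Connect-IPPSSession -Credential $O365Cred
Set-RegulatoryComplianceUI -Enabled $True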

The command is effective immediately. To hide the option to manage regulatory record labels again, run:

Set-RegulatoryComplianceUI -Enabled $False

Editing the Content of SharePoint Items

Items marked with a record label can’t be deleted, but they can be updated. To update the content, any site member can unlock the item, edit the file, and lock the item again after the change is made. SharePoint shows the locked status with a small padlock on the item or folder icon. You can also see and update the locked status in the item properties (Figure 2). Users don’t need E5 licenses to apply retention labels.

Figure 2: Viewing the locked status of a SharePoint Online document (image credit: Tony Redmond)

If the item was updated since the last unlock action, SharePoint Online captures a copy of the item in the Records folder of the site Preservation Hold Library to preserve a version prior to editing.

It is possible that someone will lock a file while it is being edited by another member. When this happens, the file contains anything saved to the point it is locked (by autosave or the last explicit save). To keep a complete copy, the person editing the file will have to save it under a different name and then exit the edit session. After a short period, SharePoint frees the lock on the file to allow it to be unlocked. Any outstanding changes can then be merged back into the file.

Different Implementation in Exchange Online

The implementation of regulatory record labels within Exchange differs from that used by SharePoint Online and OneDrive for Business. Browser interfaces interact directly with the server while Exchange must support the synchronization model which enables Outlook desktop clients to work offline for extended periods.

After applying a regulatory record label to a message, a certain window of time is available to change the label. The window accommodates Outlook’s synchronization model and the need to update the new label status across multiple clients. After a few minutes, the window closes, and no further change is possible. Also, when you apply a record label to an Exchange folder, all the items stored in the folder automatically become records, even if the user later moves some or all of the items out of the folder. When an Exchange item is tagged as a regulatory record, Outlook clients block deletion of the item. However, messages tagged as records can be moved between folders in the mailbox.

Not for Everyone

Using retention labels to mark Exchange and SharePoint items as records isn’t something that the average Office 365 tenant will be concerned about. This functionality is intended for use in a specialist area of compliance that affects certain industries. However, if you do have the licenses to create and manage record labels, you might be able to find a way to use this capability to preserve immutable information inside a business process.