Marking Office 365 Documents and Email as Formal Records
Microsoft released a report in late October to demonstrate how well Microsoft 365 meets the compliance needs of the financial sector subject to U.S. regulations. The level of inaccuracy in the text meant that I didn’t think much of the report.
In any case, the report placed great emphasis on two developments. The first was that reactions to Teams messages would be captured in the audit log (inappropriate). The second is the advent of regulatory records. There’s no sign yet of audit events being logged as people react to Teams conversations in the Office 365 audit log, but if you’ve got the right licenses, retention labels can be created to mark documents and email as records or regulatory records.
Two Types of Record Retention Label
Two forms of record label exist inside Microsoft 365:
- Record: After a record label is applied to an item, only administrators can remove the label or change it for another label. Anyone with write-access to an Exchange mailbox can apply a record label to an item in the mailbox. Any member of a SharePoint Online site can apply a record label to a file or list item. Once applied, a record label stops the item being deleted. Items with record labels stored in SharePoint Online and OneDrive for Business can have a locked or unlocked status. The content of a locked item cannot be edited, but its metadata (like the title) can be updated. Any site member can unlock an item to allow it to be edited.
- Regulatory record: This is a stricter form of record label. The label cannot be removed from the tenant after it is created, and the only changes allowed to the label settings are an increase the retention period or to publish the label to additional locations. After a regulatory record label is applied to an item, no one can remove the label or delete the item until its retention period expires. The locked status of an item cannot be changed, so no one can edit an item’s content. However, documents can be opened in review mode and saved as a new file.
The big difference between the two label types is that a regulatory record is intended to mark final content which will remain immutable after a label is assigned. You can’t unlock or make changes to an item with a regulatory record label, and the item will remain until the retention period set in the label elapses, so it’s important not to assign these labels until content is finalized and ready for preservation.
Marking Items as Records
A record is a document, list item, or message assigned a special form of retention label to mark the item as a record or as a regulatory record (the difference between the two is explained below). Although retention labels are supported as part of Office 365 E3, you need Office 365 E5 or Microsoft 365 E5 to access the Records management system within the Microsoft 365 compliance center (Figure 1) to be able to manage record labels.
“Normal” retention labels can’t be turned into a record label. Record labels can only be created and managed through Records Management.
Enabling Regulatory Record Labels
Not every organization needs to implement regulatory records. For this reason, before you can create new regulatory record labels, you must expose the UI to allow the compliance center to manage regulatory record labels. This is done by connecting a PowerShell session to the compliance endpoint and running the Set-RegulatoryComplianceUI cmdlet. The easiest way to do this is to connect to Exchange Online Management and then run the Connect-IPPSession cmdlet to connect to the compliance endpoint. For example:
Connect-ExchangeOnline -Credential $O365Cred Connect-IPPSSession -Credential $O365Cred Set-RegulatoryComplianceUI -Enabled $True
The command is effective immediately. To disable the UI to manage record labels, run:
Set-RegulatoryComplianceUI -Enabled $False
Editing the Content of SharePoint Items
Items marked with a record label can’t be deleted, but they can be updated. To update the content, any site member can unlock the item, edit the file, and lock the item again after the change is made. SharePoint shows the locked status with a small padlock on the item or folder icon. You can also see and update the locked status in the item properties (Figure 2). Users don’t need E5 licenses to apply retention labels.
If the item was updated since the last unlock action, SharePoint Online captures a copy of the item in the Records folder of the site Preservation Hold Library to preserve a version prior to editing.
It is possible that someone will lock a file while it is being edited by another member. When this happens, the file contains anything saved to the point it is locked (by autosave or the last explicit save). To keep a complete copy, the person editing the file will have to save it under a different name and then exit the edit session. After a short period, SharePoint frees the lock on the file to allow it to be unlocked. Any outstanding changes can then be merged back into the file.
Different Implementation in Exchange Online
The implementation of regulatory record labels within Exchange differs from that used by SharePoint Online and OneDrive for Business. Browser interfaces interact directly with the server while Exchange must support the synchronization model which enables Outlook desktop clients to work offline for extended periods.
After applying a regulatory record label to a message, a certain window of time is available to change the label. The window accommodates Outlook’s synchronization model and the need to update the new label status across multiple clients. After a few minutes, the window closes, and no further change is possible. Also, when you apply a record label to an Exchange folder, all the items stored in the folder automatically become records, even if the user later moves some or all the items out of the folder. When an Exchange item is tagged as a regulatory record, Outlook clients block deletion of the item. However, messages tagged as records can be moved between folders in the mailbox.
Not for Everyone
Using retention labels to mark Exchange and SharePoint items as records isn’t something that the average Office 365 tenant will be concerned about. This functionality is intended for use in a specialist area of compliance that affects certain industries. However, if you do have the licenses to create and manage record labels, you might be able to find a way to use this capability to preserve immutable information inside a business process.