Missing Audit Records for Retention Labels Applied to SharePoint Online Documents
Activity Explorer Highlights Label Activities
In June 2020, I covered Microsoft’s “Know Your Data” initiative, essentially the introduction of a bunch of new features in the Data classification section of the Microsoft 365 compliance center. The functionality requires Office 365 E5 or Microsoft 365 E5 (or E5 compliance) licenses, and Microsoft targets it at large enterprises that want to know how users handle information.
The Activity Explorer is a dashboard for activities involving retention and sensitivity labels. The data surfaced in the dashboard comes from a variety of sources, including signals generated by Office applications and the SharePoint Online and OneDrive for Business browser interfaces. Signals accumulate as users or auto-label policies assign labels to items, or as users remove or replace a label. The Office 365 audit log also captures events for these activities. The Activity Explorer supports filters that let compliance administrators focus on specific timeframes, actions, or users and view matching data. The data can also be exported to a CSV file for analysis in a tool like Power BI.
The Hole Created by a Data Collection Glitch
It all looks good, until you realize that a massive gap exists in the logging of retention labels. Everything works as expected if users assign labels using the SharePoint browser UI or an auto-label policy processes items based on a match against queries, sensitive information types, or trainable classifiers.
However, no records are captured when documents are added to a document library where a default label is defined for that library. Given that this is a popular method to ensure that documents receive appropriate retention labels when created in or uploaded to SharePoint Online, it’s a big gap in label data acquisition.
The net result is that the Activity Explorer displays only a subset of retention label activity in a tenant. In addition, no audit records exist in the audit log, meaning that a backstop to find and report the data is unavailable.
Reproducing the Problem
The steps to demonstrate the problem are easy to follow. First, configure a document library so that it has a default label. Currently, you can only configure a library to apply a retention label. Many people have asked Microsoft to support the same functionality for sensitivity labels, but for now retention is the only game in town.
Figure 1 shows the library settings for the document library where I store files for articles, including this post. Any file created or uploaded to the library receives the Approved retention label with a 10-year retention period (surely enough time to correct any errors in text).
Microsoft regards this kind of labeling as an automatic function and therefore insists on Office 365 E5 licenses to cover its use. There’s no enforcement of the license requirement and I suspect that many organizations use the feature in blissful ignorance of the sometimes confusing Microsoft licensing policies for compliance. Basically, if you have Office 365 E3 you can apply retention labels manually, but once automatic application comes into the picture, including setting default labels for libraries, the requirement rises to E5.
The default label means that all my articles have a retention label (Figure 2), or what Microsoft now calls a “standard retention label” to differentiate from record retention labels. However, none of these label assignments show up in the Activity Explorer.
Something Happened in December
When I noticed that retention label activity didn’t show up in the Activity Explorer, I checked the audit log to look for records capturing these events (you can grab a copy of the script I used from GitHub). I discovered that the last audit record in the log for the document library is from 14 December 2020. Despite the generation of many documents since, no records are in the audit log. Records exist when a user explicitly applies a retention label to a document through the SharePoint browser interface. Audit records also exist for label updates or deletions. These actions are also available in the Activity Explorer. Figure 3 shows details captured when I replaced the Approved label with one called Strategic Planning.
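The comparison behind that check can be scripted. The following PowerShell is an added example, not the script referenced above: it takes the labelled documents in a library and the audit records for label application, then reports which labelled documents have no audit record and when the records stop. The sample data is constructed, and the `TagApplied` operation name and the `ObjectId` field mentioned in the comments are assumptions to confirm in your own tenant.

```powershell
# Added example. Sample data is constructed; the contoso URLs are placeholders.
# In a live tenant, $audit would come from Search-UnifiedAuditLog filtered with
# -Operations; 'TagApplied' is an assumed operation name for label application.
# ObjectId is assumed to hold the document URL taken from each record's AuditData.

function Find-UnauditedLabel {
    param(
        [Parameter(Mandatory)] [object[]] $Documents,   # Url, Created, Label
        [object[]] $AuditRecords = @()                  # ObjectId, CreationDate
    )
    # Index audited document URLs, ignoring case differences in the URL.
    $audited = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($record in $AuditRecords) { [void]$audited.Add($record.ObjectId) }

    # Labelled documents with no audit record for the label assignment.
    $missing = @($Documents |
        Where-Object { $_.Label -and -not $audited.Contains($_.Url) } |
        Sort-Object Created)
    $last = $AuditRecords | Sort-Object CreationDate | Select-Object -Last 1

    [pscustomobject]@{
        LabelledDocuments = @($Documents | Where-Object { $_.Label }).Count
        LastAuditRecord   = if ($last) { $last.CreationDate } else { $null }
        MissingCount      = $missing.Count
        FirstMissing      = if ($missing.Count) { $missing[0].Created } else { $null }
        Missing           = $missing
    }
}

# Constructed library contents: every file carries the default label except a draft.
$site = 'https://contoso.sharepoint.com/sites/blog/Articles'
$docs = @(
    [pscustomobject]@{ Url = "$site/Post-01.docx"; Created = [datetime]'2020-12-10'; Label = 'Approved' }
    [pscustomobject]@{ Url = "$site/Post-02.docx"; Created = [datetime]'2020-12-14'; Label = 'Approved' }
    [pscustomobject]@{ Url = "$site/Post-03.docx"; Created = [datetime]'2021-01-05'; Label = 'Approved' }
    [pscustomobject]@{ Url = "$site/Post-04.docx"; Created = [datetime]'2021-01-20'; Label = 'Approved' }
    [pscustomobject]@{ Url = "$site/Draft.docx";   Created = [datetime]'2021-01-21'; Label = $null }
)
# Constructed audit records: nothing after 14 December 2020.
$audit = @(
    [pscustomobject]@{ ObjectId = "$site/Post-01.docx"; CreationDate = [datetime]'2020-12-10' }
    [pscustomobject]@{ ObjectId = "$site/post-02.docx"; CreationDate = [datetime]'2020-12-14' }
)

$report = Find-UnauditedLabel -Documents $docs -AuditRecords $audit
$report | Select-Object LabelledDocuments, LastAuditRecord, MissingCount, FirstMissing
$report.Missing | Format-Table Url, Created, Label
```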
Shifting Sands in Microsoft 365
Unless you’re interested in compliance and data classification, these ramblings might seem totally unimportant. However, on a wider level, when something stops working suddenly, it speaks to the difficulties of coordinating change across the whole of the Microsoft 365 ecosystem. Several Microsoft engineering groups need to cooperate to ensure that everything works to support a feature like the Activity Explorer. I don’t know where things failed to stop the capture of audit records around mid-December, but it’s upsetting that Microsoft doesn’t appear to have noticed.
I logged a support incident (#23694230) which went nowhere slowly. Support is a very difficult job, especially for something like Office 365 where details are so different across tenants, and I appreciate that. But it would have been nice to be able to communicate with a support engineer who understood auditing and compliance. I guess it’s a rare skill and my report ended up being closed without resolution. Such is life.