How to Create an Auto-Label Retention Policy Based on Sensitivity Labels

Making Sure Confidential Documents are Retained

By their very nature, sensitivity labels are intended to mark documents and files as containing important information. With this thought in mind, it makes sense to apply retention labels to files based on the sensitivity of the information they contain. Given that they know the content, you can ask users to assign appropriate retention labels to files, but humans are imperfect and often forget, which is where auto-label retention policies come in.

Auto-label retention policies run in the background to check Exchange Online messages, and files in SharePoint Online sites and OneDrive for Business sites. Auto-label retention labels also support Microsoft 365 Groups, meaning that they apply to the messages in group mailboxes and the files in the SharePoint Online team sites belonging to groups (including Teams). The basic principles of auto-label retention policies are:

  • Identify the objects to label through a content query. The query could be the presence of a sensitive information type known to Microsoft 365, like a credit card number. Microsoft 365 includes over 250 different sensitive information types, and organizations can create their own types to handle business requirements. Organizations can also create trainable classifiers based on business documents and use classifiers with auto-label policies. Finally, you can use a search constructed with the Keyword Query Language (KQL), which is what we’ll use.
  • Define a retention label for the policy to apply when it finds content matching its conditions. You can choose any retention label defined in the organization.

Auto-label retention policies are an advanced compliance feature, meaning that any account which comes within the scope of a policy must have an appropriate license (like Office 365 E5 or Microsoft 365 compliance).

Working Through an Example

In this example, we’ll create an auto-label retention policy to assign a retention label to documents and messages protected by the Highly Confidential sensitivity label. To do this, you:

  • Connect to the compliance endpoint with PowerShell by connecting to Exchange Online and then running the Connect-IPPSSession cmdlet.
  • Find the unique identifier (GUID) for the selected sensitivity label by running the Get-Label cmdlet. The ImmutableId property contains the GUID.

Get-Label | ? {$_.DisplayName -eq "Highly Confidential"} | Select-Object -ExpandProperty ImmutableId

Guid
----
9ec4cb17-1374-4016-a356-25a7de5e411d

  • Use SharePoint search to test the KQL query for the auto-label policy. The search term is in the form InformationProtectionLabelId:9ec4cb17-1374-4016-a356-25a7de5e411d, where the managed SharePoint property used to hold sensitivity labels (InformationProtectionLabelId) is combined with the GUID identifying the sensitivity label you want to search for. Run the search and open one of the documents returned by the search to check that it has the correct sensitivity label. If no documents are found, it might indicate that the GUID is incorrect or that your account has access to no documents assigned this sensitivity label.
  • If the search term finds the correct documents, go to the Information governance section of the Microsoft 365 compliance center to create an auto-label retention policy. The condition of the policy uses the same search term as the content query to find the target documents. The policy action applies a suitable retention label to keep the documents for the desired period. Figure 1 shows the KQL query inserted in the settings of an auto-label retention policy.

Figure 1: Adding a KQL query to find documents with a sensitivity label as the content query in an auto-label retention policy

  • Configure the policy with target locations. Remember to use Microsoft 365 Groups to cover SharePoint sites owned by groups and teams. Publish the policy when everything is complete.
  • After ten days or so, check that documents with the sensitivity label have the correct retention label, remembering that if a user assigns a retention label to a document, an auto-label policy won’t replace it.

The ten days mentioned above is an estimate rather than a guarantee. It can take SharePoint Online anything from seven days to two weeks for a new auto-label retention policy to become operational and start to apply retention labels.
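The same steps carried out end to end in PowerShell, as an added example that is not part of the original article: it resolves the sensitivity label GUID, builds the KQL query, checks that the retention label exists, and then creates the policy and its rule with the Security and Compliance cmdlets rather than the compliance center. The retention label name "Retain Confidential 7 Years" and the policy name "Auto-label Highly Confidential" are assumed placeholders; the policy creation cmdlets are assumed to be available in your tenant.

```powershell
# Added example (not the article's own script). Placeholder names: change
# $RetentionLabel and $PolicyName to match your tenant before running.
param(
    [string]$SensitivityLabel = "Highly Confidential",
    [string]$RetentionLabel   = "Retain Confidential 7 Years",   # must already exist
    [string]$PolicyName       = "Auto-label Highly Confidential"
)

# Connect to Exchange Online first, then to the compliance endpoint.
Connect-ExchangeOnline
Connect-IPPSSession

# 1. Resolve the sensitivity label GUID (ImmutableId) from its display name.
$label = Get-Label | Where-Object { $_.DisplayName -eq $SensitivityLabel }
if (-not $label) { throw "Sensitivity label '$SensitivityLabel' not found." }
$labelId = [string]$label.ImmutableId

# A mistyped GUID silently matches nothing in search, so validate its shape.
if ($labelId -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
    throw "Unexpected ImmutableId '$labelId' for label '$SensitivityLabel'."
}

# 2. Build the KQL query on the managed property that stores sensitivity labels.
$kql = "InformationProtectionLabelId:$labelId"
Write-Host "Test this query in SharePoint search before publishing: $kql"

# 3. Confirm the retention label exists; a rule cannot apply a missing label.
if (-not (Get-ComplianceTag -Identity $RetentionLabel -ErrorAction SilentlyContinue)) {
    throw "Retention label '$RetentionLabel' not found."
}

# 4. Create the policy for all locations, including Microsoft 365 Groups so that
#    SharePoint sites owned by groups and teams are covered.
$policy = New-RetentionCompliancePolicy -Name $PolicyName `
    -ExchangeLocation All -SharePointLocation All `
    -OneDriveLocation All -ModernGroupLocation All

# 5. Add the rule: the KQL query is the condition, the retention label is the action.
New-RetentionComplianceRule -Name "$PolicyName rule" -Policy $policy.Name `
    -ContentMatchQuery $kql -ApplyComplianceTag $RetentionLabel | Out-Null

Write-Host "Policy '$PolicyName' created; allow one to two weeks before labels appear."
```

Documents that already carry a user-assigned retention label are left alone by the policy, so a spot check after the waiting period should exclude those when judging whether the rule works.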

Retention and Sensitivity

If you have the necessary licenses, auto-label retention policies are a great way to make sure that important information is kept for as long as required or that other information is removed once no longer required. Another example is to apply retention labels to Teams meeting recordings (a more flexible option than the default Teams-only retention for meeting recordings).

Microsoft’s original labeling plan features labels that had both retention and sensitivity capabilities. That plan fell by the wayside, perhaps because such labels might have been very complex to implement and manage. We now must implement retention labels and sensitivity labels separately. Auto-label retention policies are one way to bring the two together in some small way.


The Office 365 for IT Pros eBook includes chapters with in-depth coverage of both retention labels and sensitivity labels. If you’re planning a deployment which includes these components, you can benefit from our insight.
