ASD's Blueprint for Secure Cloud

Retention Policies

This section describes the design decisions associated with Retention Policies Microsoft 365 security features for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 5 minutes

Business information is required to be managed in order to comply with industry and government regulations and internal policies that require data to be retained for a certain period.

Microsoft 365 retention policies assist with meeting these requirements by providing the following features:

  • Configure policies to proactively decide whether to retain content, delete content, or both retain and then delete the content
  • Apply a single policy to the entire organisation or just to specific locations or users
  • Apply a policy to all content or just content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information

When information is subject to a retention policy, end-users can continue to edit and work with the content as if nothing has changed because the content is retained in place, in its original location. But if someone edits or deletes content that is subject to the policy, a copy is saved to a secure location where it’s retained while the policy is in effect.

The following retention configuration are considered a basic approach to data retention. Organisations should investigate implementation of a maturity model to accommodate varying types of data. The Blueprint will update this section at a later date, but a high-level approach for organisations may include:

  1. Definition of a default policy to protect data from deletion
  2. Assignment of (adaptive) scopes
  3. Reduce default retention policies and deploy retention labels and records management process for granular control.

Cloud native deployments

Retention Policies configuration applicable to organisations leveraging a cloud native implementation.

ConfigurationValueDescription
Name: Exchange 7 Years Hold
Retention configurationRetain the data “7 years”How long the data is to be held by the policy.
LocationExchange email – All users included
Exchange public folders - All public folders included		The Office 365 location where the policy applies.
Name: SharePoint 7 Years Hold
Retention configurationRetain the data “7 years”How long the data is to be held by the policy.
LocationSharePoint Sites – All SitesThe Office 365 location where the policy applies.
Name: OneDrive 7 Years Hold
Retention configurationRetain the data “7 years”How long the data is to be held by the policy.
LocationOneDrive Accounts – All AccountsThe Office 365 location where the policy applies.
Name: Microsoft 365 groups 7 Years Hold
Retention configurationRetain the data “7 years”How long the data is to be held by the policy.
LocationMicrosoft 365 groups – All GroupsThe Office 365 location where the policy applies.
Name: Teams Channel Messages 7 Years Hold
Retention configurationRetain the data “7 years”How long the data is to be held by the policy.
LocationTeams channel messages – All teams includedThe Office 365 location where the policy applies.
Name: Teams chats 7 Years Hold
Retention configurationRetain the data “7 years”How long the data is to be held by the policy.
LocationTeams chats messages – All users includedThe Office 365 location where the policy applies.

Hybrid deployments

Retention Policy Configuration applicable to organisations leveraging a hybrid implementation

ConfigurationValueDescription
Name: Exchange 3 Years Hold
Retention configurationRetain the data for 3 yearsHow long the data is to be held by the policy.
LocationExchange email – All users includedThe Office 365 location where the policy applies.
Name: SharePoint 3 Years Hold
Retention configurationRetain the data for 3 yearsHow long the data is to be held by the policy.
LocationSharePoint Sites – All SitesThe Office 365 location where the policy applies.
Name: OneDrive 3 Years Hold
Retention configurationRetain the data for 3 yearsHow long the data is to be held by the policy.
LocationOneDrive Accounts – All AccountsThe Office 365 location where the policy applies.
Name: Microsoft 365 groups 3 Years Hold
Retention configurationRetain the data for 3 yearsHow long the data is to be held by the policy.
LocationMicrosoft 365 groups – All GroupsThe Office 365 location where the policy applies.
Name: Teams Channel Messages 3 Years Hold
Retention configurationRetain the data for 3 yearsHow long the data is to be held by the policy.
LocationTeams channel messages – All teams includedThe Office 365 location where the policy applies.
Name: Teams chats 3 Years Hold
Retention configurationRetain the data for 3 years.How long the data is to be held by the policy.
LocationTeams chats messages – All users includedThe Office 365 location where the policy applies.

Retention costs

Retention is included within E5 storage allocations. There are no additional charges for retention.

Security & Governance

Design

  • None identified

Configuration

  • None identified

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra