Governance

SharePoint Records Management with Microsoft Purview: Complete Enterprise Guide

Implement enterprise records management in SharePoint using Microsoft Purview. Covers retention labels, records declaration, disposition reviews, regulatory records, and ISO 15489 alignment.

Errin O'ConnorFebruary 24, 202614 min read
SharePoint Records Management with Microsoft Purview: Complete Enterprise Guide - Governance guide by SharePoint Support
SharePoint Records Management with Microsoft Purview: Complete Enterprise Guide - Expert Governance guidance from SharePoint Support

Records Management in the Microsoft 365 Era

Records management — the systematic control of records from creation through final disposition — has traditionally lived in standalone systems like HP TRIM, OpenText Documentum, or Laserfiche. Microsoft Purview Records Management, integrated directly into SharePoint and Microsoft 365, is now enterprise-ready and included in Microsoft 365 E5 and the Compliance add-on.

SharePoint architecture diagram showing hub sites, team sites, and content structure
Enterprise SharePoint architecture with hub sites and connected team sites

This guide covers implementation of a complete records management program using SharePoint and Microsoft Purview, aligned to ISO 15489 and DoD 5015.2 standards.

Records Management Fundamentals

What Is a Record?

A record is a document that has been declared as evidence of a business transaction or legal obligation. Key characteristics:

  • Fixed: Cannot be altered after declaration
  • Authentic: Can be proven to be what it claims to be
  • Reliable: Content can be trusted as accurate
  • Usable: Can be retrieved throughout its retention period

Not every document in SharePoint is a record. Email drafts, working documents, and temporary files are non-records — they can be deleted when no longer needed.

Records Retention Schedule

The foundation of records management is the retention schedule — a comprehensive list of record types, retention periods, and final disposition actions.

Example enterprise retention schedule excerpt:

| Record Series | Record Type | Retention Trigger | Period | Disposition |

|--------------|------------|------------------|--------|-------------|

| HR-001 | Employee Personnel File | Separation date | 7 years | Destroy |

| FIN-001 | Accounts Payable Invoices | FY close | 7 years | Destroy |

| LEG-001 | Contracts (general) | Expiration | 7 years | Destroy |

| LEG-002 | Real Estate Contracts | Expiration | 10 years | Review |

| CORP-001 | Board Minutes | Permanent | Permanent | Archive |

| IT-001 | Audit Logs | Log date | 1 year | Destroy |

| MKT-001 | Marketing Materials | Supersession | 3 years | Destroy |

Microsoft Purview Retention Architecture

Retention Labels vs. Retention Policies

Retention Policies (broad, location-based):

  • Applied to entire SharePoint sites, OneDrive accounts, or Exchange mailboxes
  • All content in the location is subject to the same retention rule
  • Use for: general compliance (delete email after 3 years, keep SharePoint content for 7 years)

Retention Labels (granular, item-level):

  • Applied to specific documents, emails, or Teams messages
  • Can declare content as a record (immutable)
  • Support event-based retention (start clock on a business event)
  • Use for: formal records management, regulatory compliance

Choosing the Right Approach

| Scenario | Use | Reason |

|---------|-----|--------|

| Keep all SharePoint content for 7 years | Retention Policy | Simple, blanket rule |

| Declare board minutes as permanent records | Retention Label | Item-level control, record declaration |

| Start retention clock on contract expiration | Event-based Retention Label | Trigger-based start date |

| Auto-classify invoices and apply 7-year label | Auto-apply Label | Trainable classifier + content type |

Implementing Retention Labels in Purview

Step 1: Create the Retention Schedule in Purview

Access: Microsoft Purview compliance portal → Records Management → File Plan

```

File Plan Structure:

├── Corporate Records

│ ├── Board Minutes (CORP-001) — Permanent, Record

│ ├── Annual Reports (CORP-002) — 10 years, Record

│ └── Corporate Policies (CORP-003) — Supersession + 5 years

├── Financial Records

│ ├── Accounts Payable (FIN-001) — 7 years after FY close

│ ├── General Ledger (FIN-002) — 7 years after FY close, Record

│ └── Tax Returns (FIN-003) — 7 years, Regulatory Record

├── HR Records

│ ├── Personnel Files (HR-001) — 7 years post-separation, Record

│ ├── Recruitment Files (HR-002) — 2 years, Destroy

│ └── Training Records (HR-003) — 3 years post-separation

└── Legal Records

├── Contracts (LEG-001) — 7 years post-expiration

└── Litigation Files (LEG-002) — 7 years post-judgment, Record

```

Step 2: Configure Retention Label Settings

For each retention label, configure:

  • Retention action: Retain only, Retain then delete, Delete only
  • Retention period: Fixed years, or based on event
  • Record declaration: Mark as record, Mark as regulatory record, or Neither
  • Disposition review: Required yes/no, reviewer email
  • File plan descriptors: Function, category, authority (optional but recommended for DoD 5015.2)

```powershell

# Create retention label via PowerShell (Security & Compliance module)

Connect-IPPSSession

New-ComplianceRetentionLabel `

-Name "Personnel Files - 7 Years" `

-RetentionAction KeepAndDelete `

-RetentionDuration 2555 ` # 7 years in days

-RetentionDurationDisplayHint Years `

-IsRecordLabel $true `

-Notes "HR-001: Employee personnel files. Retain 7 years from separation date."

```

Step 3: Publish Labels to SharePoint

Labels are published via Label Policies to specific SharePoint sites, M365 groups, or all of SharePoint.

```powershell

# Publish HR retention labels to HR SharePoint site

New-RetentionCompliancePolicy `

-Name "HR Records Retention Policy" `

-SharePointLocation "https://contoso.sharepoint.com/sites/HR"

New-RetentionComplianceRule `

-Policy "HR Records Retention Policy" `

-PublishComplianceTag "Personnel Files - 7 Years","Recruitment Files - 2 Years","Training Records - 3 Years"

```

Step 4: Auto-Apply Labels

Manual labeling fails at scale. Use auto-apply to classify documents automatically:

Method 1: Content Type-based auto-apply

```powershell

New-RetentionCompliancePolicy -Name "Auto-Label Contracts" `

-SharePointLocation "https://contoso.sharepoint.com/sites/Legal"

New-RetentionComplianceRule -Policy "Auto-Label Contracts" `

-ApplyComplianceTag "Contracts - 7 Years" `

-ContentContainsSensitiveInformation @{Name="All Full Names"; minCount="1"} `

-ContentMatchQuery "ContentType:Contract"

```

Method 2: Trainable Classifier auto-apply

Use pre-built or custom trainable classifiers to auto-label:

  • Built-in classifiers: Legal Affairs, Finance, HR, Healthcare
  • Custom classifiers: Train on your document corpus (minimum 50 positive, 50 negative samples)

Records Declaration

Declaring Records in SharePoint

When a document is declared as a record:

  • It becomes immutable: no edits, moves, or renaming allowed
  • Version history is preserved
  • Document cannot be deleted (only disposition via Purview)

Method 1: Manual declaration via SharePoint library → right-click → Compliance Details → Declare as Record

Method 2: Automatic via retention label — configure the label to mark as record on creation or application

Method 3: Via Power Automate when triggered by approval workflow completion

Regulatory Records

Regulatory records are even more restrictive than standard records:

  • Even tenant administrators cannot delete
  • Cannot be unlocked (unlike standard records)
  • Required for: SEC Rule 17a-4, FINRA, certain FDA requirements

Use regulatory records only for genuine regulatory obligations — they are very difficult to manage if applied broadly.

Event-Based Retention

Event-based retention is essential for legal, HR, and contract records where the retention clock starts on a business event (not creation date).

Configuring Event-Based Retention

  • Create event type (e.g., "Employee Separation", "Contract Expiration")
  • Create retention label tied to event type (e.g., "Personnel File - 7 Years From Separation")
  • Apply label to documents
  • When event occurs (employee separates), trigger the event clock:

```powershell

# Trigger event-based retention when employee separates

Connect-IPPSSession

New-ComplianceRetentionEvent `

-Name "Separation - John Smith - 2026-02-24" `

-EventType "Employee Separation" `

-SharePointAssetIdQuery "EmployeeID:E12345" `

-EventStartDate "2026-02-24"

```

Documents with "Personnel File - 7 Years From Separation" label and AssetID "E12345" now have their 7-year clock starting February 24, 2026.

Disposition Reviews

At the end of a retention period, records often require human review before destruction — especially for records with legal, historical, or financial significance.

Configuring Disposition Reviews

  • Create retention label with disposition review enabled
  • Specify reviewers (by email or group)
  • When retention period expires, reviewers receive notification
  • Review options: Approve disposal, Relabel (extend retention), Approve disposal with documentation

Disposition Review Workflow

Reviewers access: Purview portal → Records Management → Disposition

For each item, reviewers see:

  • Document name and metadata
  • Current label and retention period
  • Item location (SharePoint URL)
  • Full document preview

Best practice: Assign reviews to records managers or department heads, not IT. They understand business value.

SharePoint Records Center (Legacy)

The SharePoint Records Center (available in SharePoint Online) is a legacy approach from SharePoint 2010-2016. It is NOT recommended for new deployments. Use Microsoft Purview instead.

If you have an existing Records Center, plan migration:

  • Export records inventory from Records Center
  • Map to Purview retention labels
  • Apply labels to existing documents
  • Retire the Records Center site

Compliance with Regulatory Standards

DoD 5015.2 (U.S. Federal Records)

Microsoft 365 and SharePoint are certified for DoD 5015.2 Chapter 2 (non-classified). Key requirements:

  • Unique record identifier: Use SharePoint item ID + site URL
  • Vital records flagging: Sensitivity label "Vital Record"
  • Audit trail: Purview audit log covers all access and modifications
  • Disposal authority: Retention label tied to NARA schedules

ISO 15489 Alignment

ISO 15489 is the international records management standard. Alignment checklist:

  • [ ] Retention schedule published and approved by records manager
  • [ ] Retention labels applied to all record series
  • [ ] Record declaration prevents modification
  • [ ] Audit trail for all records (Purview audit log)
  • [ ] Disposition reviews completed and documented
  • [ ] Off-site backup of permanent records (Azure immutable storage)

SEC Rule 17a-4 (Financial Services)

For broker-dealers, investment advisors, and covered financial firms:

  • Records must be preserved in non-rewriteable, non-erasable format (WORM)
  • Use Azure Immutable Blob Storage or Purview regulatory records label
  • Microsoft provides an SEC 17a-4 attestation letter

Integration with SharePoint Libraries

Recommended Library Configuration for Records

```

Records Library Best Practices:

✅ Enable versioning (major + minor) to capture all drafts before declaration

✅ Require check-out before editing working documents

✅ Default retention label = most common record type for that library

✅ Custom metadata columns: Record Series, Retention Schedule, Date Declared

✅ Audit log enabled: All document access logged

✅ In-place records enabled in list settings for libraries with formal records

✅ View: "Active Records" filtered on Record = Yes

✅ View: "Pending Disposition" filtered on items near end of retention

```

Practical Implementation Roadmap

Phase 1 (Weeks 1-4): Foundation

  • Approve enterprise retention schedule with legal and records manager
  • Create file plan in Microsoft Purview
  • Create all retention labels per schedule
  • Publish labels to top-priority SharePoint sites (Legal, Finance, HR)

Phase 2 (Weeks 5-8): Auto-Application

  • Configure auto-apply policies using content types and classifiers
  • Set up event types for HR separations and contract expirations
  • Integrate event triggers with HR system via Power Automate
  • Train records manager on disposition review workflow

Phase 3 (Weeks 9-12): Governance and Audit

  • Run mock disposition review for oldest records
  • Generate retention compliance reports from Purview
  • Conduct user training on records declaration
  • Document program for ISO/DoD/regulatory audit readiness

Conclusion

Microsoft Purview Records Management transforms SharePoint from a document collaboration tool into a full enterprise records management platform. The investment in building a proper retention schedule and Purview label taxonomy pays dividends in regulatory compliance, litigation readiness, and reduced storage costs from systematic disposition.

EPC Group implements enterprise records management programs for regulated industries including financial services, healthcare, government, and legal. Contact us to assess your current records management posture and design a Purview-based solution.

Share this article:

Written by Errin O'Connor

Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem

Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.

Expert SharePoint Services

SharePoint ConsultingDocument ManagementGovernment Solutions
View pricing →Read our FAQ →See case studies →

Need Expert Help?

Our SharePoint consultants are ready to help you implement these strategies in your organization.

Get a Free ConsultationView Pricing