How Do SharePoint Retention Policies Work with Microsoft Purview?
SharePoint retention policies in Microsoft Purview automatically retain or delete content based on configurable rules tied to document age, content type, metadata, or sensitivity labels. In our 25+ years managing enterprise SharePoint environments, we have helped organizations across healthcare, finance, and government implement retention strategies that satisfy regulatory requirements while minimizing storage costs and legal exposure from over-retention.
Retention is not just about compliance — it is about risk management. Every document your organization keeps beyond its required retention period is a potential liability in litigation (discoverable content), a security risk (outdated sensitive data), and a cost center (unnecessary storage consumption). A well-designed retention strategy protects your organization on all three fronts.
Understanding Retention Policies vs. Retention Labels
Microsoft Purview offers two mechanisms for retention, and understanding the difference is critical for proper implementation.
Retention Policies
Retention policies are broad rules applied to entire locations (all SharePoint sites, specific sites, or specific libraries). They operate silently in the background without user visibility. A retention policy that retains all content in SharePoint for 7 years, then deletes it, requires zero user action.
Policies are ideal for baseline retention requirements that apply uniformly. For example, a policy that retains all SharePoint content for a minimum of 3 years ensures nothing is deleted prematurely, regardless of what label (or no label) a document carries.
Retention Labels
Retention labels are applied to individual documents or folders, either manually by users, automatically by policy, or through a trainable classifier. Labels are visible to users in the document library and can trigger specific actions like disposition reviews, regulatory record declarations, and event-based retention.
Labels are ideal for content that has specific retention requirements based on its type. A "Financial Record — 7 Year" label applied to invoices, a "Legal Hold — Indefinite" label applied to litigation-relevant documents, and a "Transient — 90 Days" label applied to drafts each enforce different retention periods on documents within the same library.
The Precedence Rules
When both a policy and a label apply to the same content, retention wins over deletion, longer retention wins over shorter, and explicit deletion wins over no deletion instruction. Understanding these precedence rules prevents unexpected behavior where content is retained longer than intended or deleted before its label-mandated period.
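The three rules can be checked against a concrete document. The following is an added example, not code from the original article and not Purview's full resolution logic: `Resolve-EffectiveRetention` is a hypothetical helper, and the sample settings are constructed from the baseline policy, Finance site policy and "Transient" label described on this page.

```powershell
# Simplified model of the three precedence rules above (added illustration).
function Resolve-EffectiveRetention {
    param([Parameter(Mandatory)] [object[]] $Settings)

    # Turn each instruction into a concrete date, counted from its own start date.
    $dated = foreach ($s in $Settings) {
        [pscustomobject]@{
            Name        = $s.Name
            RetainUntil = if ($null -ne $s.RetainDays) { $s.Start.AddDays($s.RetainDays) }
            DeleteAfter = if ($null -ne $s.DeleteDays) { $s.Start.AddDays($s.DeleteDays) }
        }
    }

    # Longer retention wins over shorter.
    $retain = $dated | Where-Object { $null -ne $_.RetainUntil } |
        Sort-Object RetainUntil -Descending | Select-Object -First 1

    # A delete instruction still applies when other settings are retain-only.
    # With several delete instructions this model takes the earliest (assumption).
    $delete = $dated | Where-Object { $null -ne $_.DeleteAfter } |
        Sort-Object DeleteAfter | Select-Object -First 1

    # Retention wins over deletion: deletion waits for the longest retention.
    $deleteOn = $delete.DeleteAfter
    if ($retain -and $delete -and $deleteOn -lt $retain.RetainUntil) {
        $deleteOn = $retain.RetainUntil
    }

    [pscustomobject]@{
        RetainUntil = $retain.RetainUntil
        RetainedBy  = $retain.Name
        DeleteOn    = $deleteOn
        DeleteSetBy = $delete.Name
    }
}

# Constructed sample: a draft in a Finance site, created 2024-01-15, last modified 2024-03-01.
$created  = [datetime]'2024-01-15'
$modified = [datetime]'2024-03-01'
$settings = @(
    @{ Name = 'Baseline policy (3 years, then delete)'; Start = $modified; RetainDays = 1095; DeleteDays = 1095 }
    @{ Name = 'Finance site policy (7 years, retain only)'; Start = $created; RetainDays = 2555 }
    @{ Name = 'Transient label (delete after 90 days)'; Start = $created; DeleteDays = 90 }
)
Resolve-EffectiveRetention -Settings $settings | Format-List
```

In this sample the 90-day delete label does not remove the draft at 90 days: the Finance site policy holds it for the full 7 years, which is the "retained longer than intended" case the precedence rules are meant to help you anticipate.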
Configuring Retention Policies Step by Step
Step 1: Inventory Your Regulatory Requirements
Before creating any policies, document your retention obligations. Common requirements include:
- Financial records: 7 years (SOX, IRS)
- Healthcare records: 6-10 years after last treatment (HIPAA; state requirements vary)
- Employee records: 7 years after termination
- Contracts: Duration plus 6-10 years
- Email correspondence: 3-7 years depending on content
- Tax records: 7 years minimum
Map these requirements to SharePoint content locations. Which sites contain financial records? Which libraries hold healthcare data? This mapping drives your policy design.
Step 2: Design Your Policy Architecture
We recommend a layered approach:
Layer 1 — Baseline policy: Retain all SharePoint content for your shortest universal requirement (typically 3 years). This catches everything, including content that users forget to label.
Layer 2 — Location-specific policies: Apply longer retention to specific sites. The Finance team site gets 7-year retention, HR gets 7 years post-termination (using event-based retention), Legal gets indefinite retention for active matters.
Layer 3 — Label-based retention: Publish retention labels for specific document types that need different treatment. Labels override policies when they mandate longer retention.
Step 3: Create Policies in the Purview Compliance Portal
Navigate to Microsoft Purview > Data lifecycle management > Retention policies. Create a new policy, select SharePoint sites as the location, choose specific sites or all sites, and set the retention period and action (retain only, retain then delete, or delete only).
For the baseline policy, select all SharePoint sites and configure "Retain items for 3 years from when they were last modified, then delete automatically." For site-specific policies, use the "Choose sites" option and select the appropriate sites.
Step 4: Configure Adaptive Scopes
Adaptive scopes are one of the most powerful features introduced in recent Purview updates. Instead of manually selecting individual sites for a policy, you define a query that automatically includes matching sites. For example, an adaptive scope that targets all sites with "Finance" in the site name or sites owned by members of the Finance department automatically includes new Finance team sites as they are created.
This eliminates the administrative burden of updating policies every time a new site is created. For large enterprises with hundreds or thousands of sites, adaptive scopes are essential.
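Layers 1 and 2 from Steps 2 and 3, expressed in Security & Compliance PowerShell instead of the portal. This is an added example, not the author's own script: the policy names, the contoso URL, and the Finance policy's retain-only, from-creation settings are assumptions, and a static site list stands in for the adaptive scope from Step 4.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a role that
# can manage retention policies. Names and URLs below are placeholders.
Connect-IPPSSession

# Layer 1: baseline on every SharePoint site.
# 3 years = 1095 days from last modification, then delete automatically.
New-RetentionCompliancePolicy -Name 'SPO Baseline - 3 Years' `
    -SharePointLocation All `
    -Comment 'Baseline retention for all SharePoint sites'
New-RetentionComplianceRule -Name 'SPO Baseline - 3 Years Rule' `
    -Policy 'SPO Baseline - 3 Years' `
    -RetentionDuration 1095 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# Layer 2: longer retention for the Finance site only.
# Assumption: retain-only for 7 years (2555 days) from creation.
$financeSites = @('https://contoso.sharepoint.com/sites/finance')
New-RetentionCompliancePolicy -Name 'SPO Finance - 7 Years' -SharePointLocation $financeSites
New-RetentionComplianceRule -Name 'SPO Finance - 7 Years Rule' `
    -Policy 'SPO Finance - 7 Years' `
    -RetentionDuration 2555 `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Keep

# Confirm both policies were distributed before relying on them.
'SPO Baseline - 3 Years', 'SPO Finance - 7 Years' | ForEach-Object {
    Get-RetentionCompliancePolicy -Identity $_ -DistributionDetail |
        Select-Object Name, Enabled, DistributionStatus
}
```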
Implementing Retention Labels
Creating Labels
In the Purview compliance portal, navigate to Data lifecycle management > Labels. Create labels for each distinct retention category:
- Financial Record — 7 Years: Retain for 7 years from creation date, then trigger disposition review
- Contract — Active: Retain indefinitely until an event (contract expiration) starts the retention clock
- Project Document — 5 Years: Retain for 5 years from project closure date
- Transient — 90 Days: Delete after 90 days from creation
For regulated industries, mark labels as "regulatory records" to prevent users from modifying retention settings or removing labels. This creates an immutable retention enforcement that satisfies auditor requirements.
Auto-Apply Label Policies
Manual labeling depends on user compliance, which is unreliable at scale. Auto-apply label policies use conditions to automatically apply labels without user intervention.
Keyword-based auto-apply: Apply the "Financial Record" label to any document containing terms like "invoice," "purchase order," "payment," or "accounts receivable." This uses content inspection to classify documents based on their text content.
Content type-based auto-apply: Apply the "Contract" label to all documents with the "Vendor Contract" or "Client Contract" content type. This leverages your existing content type architecture for retention.
Trainable classifiers: Use machine learning models to identify document types based on content patterns. Microsoft provides pre-trained classifiers for common categories (resumes, invoices, tax forms) and allows you to train custom classifiers on your own content.
Sensitivity label-based: Apply retention labels based on existing sensitivity labels. All documents labeled "Confidential — Financial" automatically receive the "Financial Record — 7 Years" retention label.
Event-Based Retention
Some retention requirements start their clock from an event rather than a fixed date. Employee records must be retained for 7 years after termination — not from creation. Contract documents must be retained for 10 years after contract expiration — not from upload.
Microsoft Purview supports event-based retention through event types. Create an event type (Employee Departure, Contract Expiration, Project Closure), associate it with retention labels, and then trigger the event when the real-world event occurs. This starts the retention clock for all content carrying that label and associated with the event.
For automated event triggering, integrate with Power Automate. When an employee is disabled in Azure AD, a flow can automatically trigger the "Employee Departure" event, starting retention clocks on all associated documents without manual intervention.
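The label and event-type setup described above, with the event triggered from PowerShell rather than Power Automate. This is an added example, not code from the original article: the label names (written with ASCII hyphens), the reviewer mailbox, the asset ID `0001`, the event date, and the delete-at-end action on the employee label are assumptions.

```powershell
# Added example. Assumes an existing Connect-IPPSSession session.

# Event type whose occurrence starts the retention clock.
New-ComplianceRetentionEventType -Name 'Employee Departure'

# Event-based label: 7 years (2555 days) counted from the event date.
New-ComplianceTag -Name 'Employee Record - 7 Years After Departure' `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType EventAgeInDays `
    -EventType 'Employee Departure'

# Fixed-date label: 7 years from creation, then disposition review by the
# named reviewer instead of automatic deletion.
New-ComplianceTag -Name 'Financial Record - 7 Years' `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType CreationAgeInDays `
    -ReviewerEmail 'records-review@contoso.example'

# Delete-only label for drafts: no retention, removal after 90 days.
New-ComplianceTag -Name 'Transient - 90 Days' `
    -RetentionAction Delete `
    -RetentionDuration 90 `
    -RetentionType CreationAgeInDays

# The labels must be published or auto-applied before they reach content.
# Once labelled documents carry an Asset ID, trigger the event for one employee.
$type = Get-ComplianceRetentionEventType -Identity 'Employee Departure'
$tag  = Get-ComplianceTag -Identity 'Employee Record - 7 Years After Departure'
New-ComplianceRetentionEvent -Name 'Departure of employee 0001 (constructed)' `
    -EventType $type.Guid `
    -EventTags $tag.Guid `
    -SharePointAssetIdQuery 'ComplianceAssetId:0001' `
    -EventDateTime ([datetime]'2024-06-30')
```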
Disposition Reviews
For regulated content, automatic deletion is often inappropriate — a human must review and approve deletion. Disposition reviews provide this governance layer.
When content reaches the end of its retention period, instead of automatic deletion, it enters a disposition review queue. Designated reviewers examine the content, check for any reason to extend retention (ongoing litigation, audit requirement), and either approve disposal or extend retention.
Configure disposition reviewers carefully. They should be content owners or compliance officers who understand the regulatory context, not IT administrators who lack business context.
Monitoring and Reporting
Data Lifecycle Management Reports
The Purview compliance portal provides reports on policy application status, label distribution, pending dispositions, and content volumes by retention category. Review these reports monthly to ensure policies are applying correctly and labels are being used as intended.
Content Explorer
Use Content Explorer to see exactly which documents carry which labels and to spot-check classification accuracy. For auto-applied labels, sample 50-100 documents per label to verify the classification logic is working correctly. Misclassified documents indicate that your auto-apply conditions need refinement.
Audit Logs
All retention actions (label application, label removal, disposition approval, content deletion) are logged in the Microsoft 365 unified audit log. For regulated organizations, configure audit log retention for at least 10 years to demonstrate compliance during audits.
Compliance Strategies by Industry
Healthcare (HIPAA)
HIPAA requires retention of medical records for 6 years from the date of creation or the date when the record was last in effect, whichever is later. State laws may impose longer periods. Implement content type-based auto-labeling for patient records, configure event-based retention triggered by patient discharge dates, and enable disposition reviews for all medical record deletion.
Financial Services (SOX, SEC, FINRA)
Financial organizations face overlapping retention requirements from multiple regulators. SOX requires financial records for 7 years, SEC mandates broker-dealer records for 3-6 years, and FINRA requires communications for varying periods. Layer multiple labels to ensure the longest applicable requirement governs each document.
Government (NARA, State Records)
Government agencies must comply with National Archives and Records Administration (NARA) schedules and state-specific records retention schedules. These can be extremely granular, with different retention periods for hundreds of record categories. Invest in a comprehensive content type taxonomy that maps directly to records schedules.
Getting Expert Help
Retention policy implementation is a high-stakes project where mistakes can result in regulatory violations or premature deletion of critical records. Our [SharePoint consulting team](/services/sharepoint-consulting) specializes in retention architecture for regulated industries.
We offer retention policy design, implementation, and auditing services that ensure your SharePoint environment meets regulatory requirements while minimizing storage costs and legal exposure. Our [ongoing support plans](/services/sharepoint-support) include quarterly retention compliance reviews.
Whether you are starting from scratch or need to remediate an existing retention implementation, [contact us](/contact) for a retention readiness assessment. For organizations planning a migration, our [migration services](/services/sharepoint-migration) include retention policy migration and validation.
Frequently Asked Questions
What happens to content when a retention policy is deleted?
When you delete a retention policy, content previously governed by that policy is no longer protected from deletion. However, content is not automatically deleted — it simply loses its retention protection. If a user or another policy deletes the content, it will not be recoverable beyond the standard Recycle Bin retention period (93 days).
Can users override retention labels?
For standard retention labels, users with appropriate permissions can remove or change labels. For labels marked as "regulatory records," users cannot remove the label or modify the document until the retention period expires. Choose the appropriate label type based on your compliance requirements.
How do retention policies interact with litigation holds?
Litigation holds always take precedence over retention policies. Content under litigation hold cannot be deleted, even if a retention policy or label mandates deletion. Once the hold is released, normal retention processing resumes.
What is the Preservation Hold Library?
When a retention policy or hold applies to SharePoint content and a user modifies or deletes the original, SharePoint preserves the original version in a hidden Preservation Hold Library within the site. This library is not visible to users and is managed entirely by the retention system. It ensures that retained content is preserved even if users attempt to delete it.
How do adaptive scopes work with dynamic site membership?
Adaptive scopes evaluate their queries periodically (typically every 24-48 hours) to include newly matching sites and exclude sites that no longer match. This means there can be a brief delay between site creation and policy application. For compliance-critical scenarios, also apply a baseline tenant-wide policy as a safety net.
Can I apply different retention periods to different document types in the same library?
Yes, using retention labels. A single library can contain documents with different retention labels, each enforcing a different retention period. This is the primary advantage of labels over policies — policies apply uniformly to entire locations, while labels differentiate by document.
How much storage does the Preservation Hold Library consume?
The Preservation Hold Library consumes storage from the site's quota. For sites with aggressive retention policies and high edit volumes, this can be significant. Monitor Preservation Hold Library sizes using PowerShell or the SharePoint admin center storage reports. Consider this storage impact when sizing your tenant storage allocation.
What is the difference between "retain then delete" and "delete only" policies?
"Retain then delete" ensures content is kept for the specified period and then automatically deleted. "Delete only" deletes content older than the specified age but does not prevent users from deleting newer content. "Retain then delete" is appropriate for regulatory requirements, while "delete only" is appropriate for data hygiene policies.
Written by Errin O'Connor
Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem
Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.