
Microsoft 365’s self-service model is certainly a boon for collaboration, but it can also give IT admins a headache. Users can create team sites, communication sites, and Teams-connected workspaces without waiting for approval. 

When someone creates a team in Microsoft Teams, Microsoft automatically creates a connected SharePoint site to store that team’s files. But this often leads to data sprawl and reduced visibility—a true compliance nightmare.

SharePoint retention policies managed through Microsoft Purview are a structured solution to this problem, helping you define how long to retain content and what happens to it once that period expires.

In this guide, we look at how Microsoft 365 retention policies work in practice and how they fit into your broader governance approach.

What are Microsoft Purview retention policies?

Retention policies are a core component of Microsoft Purview Data Lifecycle Management. They help organizations manage how long content is kept and when it can be deleted across M365 services like SharePoint, OneDrive, and Exchange. 

Rather than relying on users to manage content manually, retention policies enforce lifecycle rules automatically. Depending on how they’re configured, they can either retain content, delete it, or do both in sequence.

Different configuration options allow you to:

  • Retain content for a specified period
  • Delete content after a specified period
  • Retain content and then delete it after the specified period ends

These policies ensure content is preserved for compliance requirements while also helping reduce data sprawl over time.

Retention policies vs. retention labels

While they sound similar, retention policies and retention labels serve different purposes in Microsoft Purview.

Retention policies apply to locations—such as SharePoint sites, OneDrive accounts, or Exchange mailboxes. Content within those locations is governed by the policy automatically, based on where it lives.

Retention labels, on the other hand, apply at the item level (like documents or emails). They stay with the content as it moves within Microsoft 365. This distinction is important when mapping regulatory compliance.

Another key difference is how they’re used. Retention policies are centrally applied to broad locations, making them ideal for enforcing baseline governance at scale. Retention labels offer more flexibility because they can be applied manually or automatically and can also be used to declare content as a record, which can restrict editing or deletion.

Official Microsoft documentation is a useful resource for anyone looking for a more detailed breakdown of the differences between retention policies and labels.

How SharePoint Online retention policies affect files and sites

Retention policies apply to files stored in your selected SharePoint locations, whether that’s all sites, specific sites, or adaptive scopes based on attributes like site type or department. Once a policy is in place, it applies to both existing content and anything users add later. You can also base retention periods on a file’s creation date or latest modification date.

If you want to use adaptive policy scopes, Microsoft requires additional licensing (Microsoft 365 E5/A5/G5) and that you have already created and configured the scope in Purview.

Once you define a site’s retention policy, users can still edit or delete content that’s subject to retention, but those actions don’t override the policy. Instead, SharePoint saves a copy of the original content in the Preservation Hold library for compliance purposes—a space that non-admin users can’t view or access. 

The retention period and the recycle bin phase are separate. Permanent deletion only happens after the retention period ends: at that point the 93-day recycle bin period begins, and once it elapses the item is permanently deleted.

Retain-only, delete-only, and retain-then-delete rules

Retain-only policies store a copy of changed or deleted files in the Preservation Hold Library until the retention period has expired. They’re the safest choice for sensitive content that you need to keep track of for auditing and legal reasons, but applying them broadly risks content sitting around longer than you actually need.

Delete-only policies are a useful way of removing content that you know you won’t need past a certain date. After the defined period, it will follow the normal recycle bin deletion path. Be aware that relying too heavily on delete-only policies without rigorous checks in place risks losing important or sensitive content. 

Retain-and-delete policies allow you to keep content for a defined period and then remove it when you no longer need it. This can be especially useful for businesses with a fixed compliance lifecycle, but could be too aggressive if you have sites with content types that become defunct at different rates.

How to configure SharePoint retention policy settings in Microsoft Purview

Once you know which locations you want to cover, creating a retention policy in Purview is straightforward. However, configuring it can still be tricky. 

Follow this step-by-step guidance to get your policy up and running smoothly:

1. Confirm permissions: Sign in to the Microsoft Purview portal and make sure your account has the correct permissions to create and manage retention policies. Add any relevant team members to the Compliance Administrator group.

2. Go to the retention policy section: In Purview, open Solutions > Data Lifecycle Management > Policies > Retention Policies. Then, select New Retention Policy to begin.

3. Name your retention policy: Add a name (and optionally a description) that reflects both the retention period and scope, like a specific site or all sites. It’s best practice to have a set naming convention in place so all admins are on the same page.

4. Keep admin units at Full Directory: On the Assign Admin Units page, maintain the default Full Directory setting (Purview does not currently support admin units for these policy types).

5. Pick your retention policy: Decide whether to apply a static or adaptive scope. You’ll need to create and configure adaptive-scope policies ahead of time, and they require M365 E5 or equivalent licensing. We’re focusing on the static path in this guide, but you can find more information on adaptive scopes here.

6. Choose where to apply the policy: On the Choose Locations to Apply the Policy page, enable the SharePoint locations you want the policy rule to cover. The two main options are SharePoint sites (covers classic, modern, and communication sites) and Microsoft 365 Groups (covers both the group mailbox and its connected SharePoint site). You can pick whether the rule applies to the entire location or only specific areas in the Edit menu.

7. Check site connections: To confirm whether a site connects to a Microsoft 365 group, Teams, or neither, use the SharePoint admin center view filter. You can also do this with a PowerShell command.

8. Decide retention settings: Choose whether you want to retain content (indefinitely or for a specific period), delete it, or retain and then delete it at a set time and date. Once you’ve decided, set a trigger such as a file creation or last modification date. Finally, select what should happen once the retention policy expires (either do nothing or automatically delete the file(s)).

9. Review and finish: Check your settings before publishing, and once you’re happy, submit the policy. Retention applies to both existing and new content, with propagation depending on the number of locations and the volume of content within those locations. 
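
Steps 6 to 8 as a dry-run PowerShell example, added here as an illustration and not taken from ShareGate or Microsoft: it classifies sites by connection type and builds the parameter sets for the Security & Compliance cmdlets New-RetentionCompliancePolicy and New-RetentionComplianceRule without contacting a tenant. The helper names, the sample sites, the policy name, and the mapping of group-connected sites to the Microsoft 365 Groups location are assumptions.

```powershell
# Added example (not ShareGate or Microsoft code); the sample sites are constructed.
function Get-SiteConnection {
    param([Parameter(Mandatory)] $Site)
    # Assumption: objects shaped like Get-SPOSite output (GroupId, IsTeamsConnected).
    $hasGroup = $Site.GroupId -and ([guid]$Site.GroupId -ne [guid]::Empty)
    if ($Site.IsTeamsConnected) { return 'Teams' }
    if ($hasGroup) { return 'M365Group' }
    return 'None'
}

function New-RetentionPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Sites,
        [Parameter(Mandatory)] [string] $Name,
        [ValidateSet('Keep', 'Delete', 'KeepAndDelete')] [string] $Action = 'KeepAndDelete',
        [ValidateRange(1, 36500)] [int] $Days = 2555,
        [ValidateSet('CreationAgeInDays', 'ModificationAgeInDays')]
        [string] $Trigger = 'ModificationAgeInDays'
    )
    $policy = @{ Name = $Name; Comment = "$Action after $Days days ($Trigger)" }
    # Assumption: sites with no group go to the SharePoint sites location,
    # group- or Teams-connected sites go to the Microsoft 365 Groups location.
    $plain   = @($Sites | Where-Object { (Get-SiteConnection $_) -eq 'None' })
    $grouped = @($Sites | Where-Object { (Get-SiteConnection $_) -ne 'None' })
    if ($plain.Count)   { $policy.SharePointLocation  = @($plain.Url) }
    if ($grouped.Count) { $policy.ModernGroupLocation = @($grouped.GroupId | ForEach-Object { "$_" }) }
    $rule = @{
        Name = "$Name-rule"; Policy = $Name; RetentionDuration = $Days
        RetentionComplianceAction = $Action; ExpirationDateOption = $Trigger
    }
    [pscustomobject]@{ Policy = $policy; Rule = $rule }
}

# Constructed sample input; in a tenant this would come from Get-SPOSite.
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance-archive'
                       GroupId = [guid]::Empty; IsTeamsConnected = $false }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance-team'
                       GroupId = [guid]'11111111-2222-3333-4444-555555555555'; IsTeamsConnected = $true }
)
$plan = New-RetentionPlan -Sites $sites -Name 'SPO-Finance-7y-KeepAndDelete'
$policyArgs = $plan.Policy; $ruleArgs = $plan.Rule
$policyArgs, $ruleArgs | ForEach-Object { $_ | Format-Table -AutoSize }

# To apply the plan after Connect-IPPSSession (ExchangeOnlineManagement module):
#   New-RetentionCompliancePolicy @policyArgs
#   New-RetentionComplianceRule @ruleArgs
```

Reviewing the printed parameter sets before running the two commented commands gives a second admin the chance to confirm the locations, duration, and action that will be published.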

Strengthening Microsoft 365 governance beyond retention policies

Retention policies are important, but they should be only one part of your wider governance strategy. After all, once content leaves a scoped location, your retention policy will no longer apply. If users can share SharePoint sites, files, and links with abandon, retention rules won’t highlight the hidden risks of unfettered permissions and ownership, meaning that if you’re not careful, your security and compliance efforts could be in danger.

Keep your environments safe while taking control of governance with ShareGate Protect. Gain full visibility into oversharing, unsafe links, guest access drift, and inactive workspaces, all in one place. Protect helps you find the risks and fix them fast, without touching what's working.

To learn more about how ShareGate Protect strengthens Microsoft 365 governance while helping you find and fix risks, book a demo today.

Frequently asked questions

What changes when a retention policy is applied to a SharePoint site?

Depending on your policy type, content will be retained for a defined period, deleted after a defined period, or retained and then deleted once that period ends. Retain-only policies protect content but don't trigger automatic deletion—content simply stays in place (or in the Preservation Hold Library) for as long as the policy requires. 

Can users still delete files from a retained SharePoint site under a Purview retention policy?

Yes and no. While they may appear to have deleted the local copy, SharePoint will make a copy and store it in the Preservation Hold Library until after the defined retention period.

How is a retention policy different from a retention label in Microsoft Purview?

Retention policies apply to a location, such as a SharePoint site, so all content in that location inherits the rule. Retention labels apply at the item level, such as a file, email, or document, so rules stay with the item even if you move it within the tenant.
