Offic365 Retention policy - Excluding sites
Recently seen issues with people trying to manage tenant-wide (global) retention policies on Office 365.
While the Security and Compliance Center has been around a while now, and the core labels, policy and audit from Exchange team is robust, there's a lot which is just downright flaky.
Topical favourite for me is the do's and dont's with updating Retention policies. Now dont get confused with managing Retention and Disposal - labels, information policies etc - Nope, this is site retention.
You can just apply a global policies with SCC, and the main one IT providers slap-on a site (without consultation or understanding the operational risk they have just arbitrarily subjected that organisation to..) is "retain everything for 25 years". Awesome.
This breaches so many compliance and legislative requirements in so many regions of the world I wont even start. What the perception it does is to provide a way to safe guard against accidental data-loss... unfortunately it prevents regular maintenance activities on SharePoint, OneDrive and Teams areas too.
During maintenance you want to be able to temporarily Exempt sites from this draconian approach retention, while you run appropriate configuration updates etc. ...and here's where Microsoft's lack of test-management and release-processes shows up - when you create a policy, if you *dont* exempt a site at the beginning, you cannot add / remove / modify list of exempted sites later through the Security and Compliance Center UI.
Yep Microsoft didn't fully test all the branches for the basic UI operation for add/remove. Dont worry - a day or so's testing and we have a workaround.
Situation:
Have a global site retention policy in place, with sites listed in the "Exclude" section. We have a test-site created for a job which is no longer required.
Under business-policy we need to get rid of it. Under the technical implementation of retention policy we can't.
Task:
add "test" site to the "Exclude" section in the retention policy so that can remove the unwanted test-site.
Issue:
Edit policy, add site to "Exclude" list and save - which gives error message.
Work-around:
Create a policy with an explicit Exclusion, then add site to policy. Now if you need to manage sites we can (re)edit to add and remove sites from "Exclusion" and trigger release of site.
Sounds simple doesn't it? Its not, its fiddly because the UI is flaky (quelle surprise)
Background
Pre-req: correct role permissions:
user making change has Org mgmt. and Compliance Administrator roles
Select policy with Excluded sites
Edit site list
Copy all current sites excluded
notepad, or powershell list out to csv
Save policy change
Commit policy and exit
Refresh list of policies
Select policy with Excluded sites again
Edit site list
Add all current sites excluded – from notepad, or csv
Add new site to excluded list
Save policy changes
Commit policy and exit
At this point this policy will now save, and in about 4 - 8 hours, affected site will be excluded and we can now work on it.
After this we can remove the entry from the site-policy.
[People always forget to remove it]
This is open ticket with Microsoft, but because we have a work-a-round we are not seeing any urgency by them to fix it.
If you've found anything like this let me know *and raise a ticket and a stink in the forums* - its the only way we'll get them fixed.
If you want to talk about managing content using Office 365 policies, Security and Compliance Centre or just have a good coffee and a chat - give us a shout: