Making Compliance Work Better
As discussed last week, Microsoft is simplifying how retention processing works for SharePoint Online and OneDrive for Business. It’s a good initiative because this topic is like a black box for many tenant administrators. The latest step comes in MC289965 (7 October – roadmap item 82063) to align how the SharePoint Online and OneDrive for Business browser interfaces deal with user requests to delete a file assigned a retention label configured to retain items for a specific period. For instance, a file might have a retention label with a retain action for seven years. (A retention label can also be set to neither delete nor retain items, in which case it serves only as a visual marker.)
Deleting Files in SharePoint Online and OneDrive for Business
Up to now, the following happens:
- OneDrive for Business: User deletes file with retention label. OneDrive for Business moves the file into the Recycle bin and captures a copy in the preservation hold library for the user’s account. A OneDrive account is a personal space and it’s reasonable to allow the account user to delete files if they wish. Note that you can’t delete a file assigned a record label. To create a retention label as a record, you need to use the Records Management solution in the Microsoft 365 compliance center (requires E5).
- SharePoint Online: User attempts to delete file with retention label but is blocked because of the presence of the retention label (Figure 1).
You can argue a case that SharePoint Online does the right thing. By not allowing the deletion to happen and keeping the file in place until its retention period expires, SharePoint Online demonstrates that the file has some importance.
The Problem for Compliance
However, the problem is that the current Microsoft 365 group model allows group members full control over most items in the SharePoint Online team sites used by Teams and Groups. Therefore, if SharePoint Online blocks a user from deleting a file because of a retention label, they can simply remove the label and then delete the file (unless the retention label is a record label). Although most users might not realize that they can remove a retention label to delete a file, the fact that they can is a big problem in terms of compliance. In that light, it’s better to allow the deletion to proceed. SharePoint Online will capture the file in the preservation hold library to ensure that its content remains indexed and discoverable for retention purposes.
Earlier Attempt to Change Ran into Problems
Last June, Microsoft published MC264360 to notify tenants that they planned to change the way the SharePoint Online browser interface worked to bring it in line with OneDrive for Business. In other words, users would be able to delete files even if a retention label with a retention period was present.
After pushback from customers, Microsoft withdrew the proposed change to do some additional work. The result of that work will roll out in early November for completion by the end of the month. SharePoint Online users will be able to delete labelled files like they can in OneDrive for Business unless the organization decides that this is a bad idea and updates the SharePoint Online configuration to retain the existing behavior. SharePoint Online will continue to block deletion of items labelled as records.
Update January 11, 2022: The controls over deletion behavior are available in the Records management section of the Microsoft 365 compliance center (Figure 2).
Changing Things Back
If an organization decides that they’d like to keep things as they are, administrators will have to crack open the SharePoint Client Object Model (CSOM) and use the SetAllowFilesWithKeepLabelToBeDeletedSPO function in the SPPolicyStoreProxy class to set the value to False. Quite why Microsoft didn’t add a new parameter to the Set-SPOTenant cmdlet to update this setting like all the other SharePoint Online organizational settings is beyond me. Microsoft says that when the feature rolls out, the “configuration will be available within the Records Management solution settings.” That’s all fine and dandy, but Records management requires Office 365 E5 or Microsoft 365 Compliance E5 licenses, so many administrators might avoid it. This setting should be in the SharePoint Online admin center and settable through PowerShell.
No doubt someone who knows their way around CSOM will create and publish the code necessary to update the setting with PowerShell so that people without deep knowledge of SharePoint object models don’t have to, but I think it is unacceptable for Microsoft to push a change out that cannot be easily controlled by tenant administrators. On the bright side, I think most tenants will like the new delete behavior for files with retention labels and can therefore ignore grappling with CSOM.
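One way to make the CSOM call described above from PowerShell, as an added example that is not code from this article or from Microsoft. It assumes the PnP.PowerShell module (for `Connect-PnPOnline` and `Get-PnPContext`), a placeholder admin URL, that SPPolicyStoreProxy lives in the `Microsoft.SharePoint.Client.CompliancePolicy` namespace, and that a matching `GetAllowFilesWithKeepLabelToBeDeletedSPO` method exists to read the value back.

```powershell
# Added example. Assumptions: PnP.PowerShell is installed, the signed-in account
# is a SharePoint administrator, and the URL below is replaced with your tenant's.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL

Connect-PnPOnline -Url $AdminUrl -Interactive
$ctx = Get-PnPContext

# Assumed namespace for the SPPolicyStoreProxy class named in the article.
$proxy = [Microsoft.SharePoint.Client.CompliancePolicy.SPPolicyStoreProxy]

# Read the current tenant-wide value first so the change is recorded
# (assumed Get counterpart of the Set function; returns a ClientResult).
$before = $proxy::GetAllowFilesWithKeepLabelToBeDeletedSPO($ctx)
$ctx.ExecuteQuery()
Write-Host "Deletion of files with retain labels allowed (before): $($before.Value)"

if ($before.Value) {
    # False restores the original SharePoint Online behavior: block deletion
    # of files that carry a retention label with a retain action.
    $proxy::SetAllowFilesWithKeepLabelToBeDeletedSPO($ctx, $false)
    $ctx.ExecuteQuery()
}

# Read the value back and fail loudly if the tenant did not accept the change.
$after = $proxy::GetAllowFilesWithKeepLabelToBeDeletedSPO($ctx)
$ctx.ExecuteQuery()
if ($after.Value) {
    throw 'Setting is still True; labelled files can be deleted in SharePoint Online.'
}
Write-Host "Deletion of files with retain labels allowed (after): $($after.Value)"
```

Re-running the read-back portion on a schedule gives a simple drift check for tenants that depend on the blocking behavior.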
Change Based on Experience
Changing the way SharePoint Online works when deleting files with retention labels with retention periods is the right thing to do. It will make compliance work better and is more logical for users. It’s just a pity that the opt-out control is hidden.