Why SharePoint Online Will Allow Users to Delete Files with Retention Labels

Making Compliance Work Better

As discussed last week, Microsoft is simplifying how retention processing works for SharePoint Online and OneDrive for Business. It’s a good initiative because this topic is like a black box for many tenant administrators. The latest step comes in MC289965 (7 October – roadmap item 82063) to align how the SharePoint Online and OneDrive for Business browser interfaces deal with user requests to delete a file assigned a retention label configured to retain items for a specific period. For instance, a file might have a retention label with a retain action for seven years. (A retention label can also be set to neither delete nor retain items, which makes it a visual marker.)

Deleting Files in SharePoint Online and OneDrive for Business

Up to now, the following happens:

  • OneDrive for Business: User deletes file with retention label. OneDrive for Business moves the file into the Recycle bin and captures a copy in the preservation hold library for the user’s account. A OneDrive account is a personal space and it’s reasonable to allow the account user to delete files if they wish. Note that you can’t delete a file assigned a record label. To create a retention label as a record, you need to use the Records Management solution in the Microsoft 365 compliance center (requires E5).
  • SharePoint Online: User attempts to delete file with retention label but is blocked because of the presence of the retention label (Figure 1).

Figure 1: SharePoint Online blocks the deletion of a file due to its retention label

You can argue a case that SharePoint Online does the right thing. By not allowing the deletion to happen and keeping the file in place until its retention period expires, SharePoint Online demonstrates that the file has some importance.

The Problem for Compliance

However, the problem is that the current Microsoft 365 group model allows group members full control over most items in the SharePoint Online team sites used by Teams and Groups. Therefore, if SharePoint Online blocks a user from deleting a file because of a retention label, they can simply remove the label and then delete the file (unless the retention label is a record label). Although most users might not realize that they can remove a retention label to delete a file, the fact that they can is a big problem in terms of compliance. In that light, it’s better to allow the deletion to proceed. SharePoint Online will capture the file in the preservation hold library to ensure that its content remains indexed and discoverable for retention purposes.

Earlier Attempt to Change Ran into Problems

Last June, Microsoft published MC264360 to notify tenants that they planned to change the way the SharePoint Online browser interface worked to bring it in line with OneDrive for Business. In other words, users would be able to delete files even if a retention label with a retention period was present.

After pushback from customers, Microsoft withdrew the proposed change to do some additional work. The result of that work will roll out in early November for completion by the end of the month. SharePoint Online users will be able to delete labelled files like they can in OneDrive for Business unless the organization decides that this is a bad idea and updates the SharePoint Online configuration to retain the existing behavior. SharePoint Online will continue to block deletion of items labelled as records.

Update January 11, 2022: The controls over deletion behavior are available in the Records management section of the Microsoft 365 compliance center (Figure 2).

Figure 2: Controls for SharePoint and OneDrive deletion of labeled files

Changing Things Back

If an organization decides that they’d like to keep things as they are, administrators will have to crack open the SharePoint Client Object Model (CSOM) and use the SetAllowFilesWithKeepLabelToBeDeletedSPO function in the SPPolicyStoreProxy class to set the value to False. Quite why Microsoft didn’t add a new parameter to the Set-SPOTenant cmdlet to update this setting like all the other SharePoint Online organizational settings is beyond me. Microsoft says that when the feature rolls out, the “configuration will be available within the Records Management solution settings.” That’s all fine and dandy, but Records management requires Office 365 E5 or Microsoft 365 Compliance E5 licenses, so many administrators might avoid it. This setting should be in the SharePoint Online admin center and settable through PowerShell.

No doubt someone who knows their way around CSOM will create and publish the code necessary to update the setting with PowerShell so that people without deep knowledge of SharePoint object models don’t have to, but I think it is unacceptable for Microsoft to push a change out that cannot be easily controlled by tenant administrators. On the bright side, I think most tenants will like the new delete behavior for files with retention labels and can therefore ignore grappling with CSOM.
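
The CSOM call described above, driven from PowerShell, as an added example that is not code from the original post or from Microsoft. It assumes the PnP.PowerShell module is installed and supplies the CSOM assemblies that define SPPolicyStoreProxy, that the signed-in account is a SharePoint administrator, and that $AdminUrl is replaced with your own tenant admin URL; the helper function name is hypothetical.

```powershell
# Added example: keep (or restore) the "block delete" behaviour for labelled files.
# Assumptions: PnP.PowerShell is installed and loads the CSOM types used here;
# the caller is a SharePoint administrator; $AdminUrl is a placeholder value.
param(
    [Parameter(Mandatory)]
    [string] $AdminUrl,              # e.g. https://<tenant>-admin.sharepoint.com
    [bool]   $AllowDeletion = $false # False = SharePoint keeps blocking the delete
)

Import-Module PnP.PowerShell -ErrorAction Stop

# Recent PnP.PowerShell versions also need -ClientId for your own app registration.
Connect-PnPOnline -Url $AdminUrl -Interactive
$ctx   = Get-PnPContext
$proxy = [Microsoft.SharePoint.Client.CompliancePolicy.SPPolicyStoreProxy]

# Hypothetical helper: read the tenant-wide value. CSOM queues the request and
# only fills in the ClientResult once ExecuteQuery() has run.
function Get-KeepLabelDeleteSetting {
    param($Context, [type] $Proxy)
    $result = $Proxy::GetAllowFilesWithKeepLabelToBeDeletedSPO($Context)
    $Context.ExecuteQuery()
    return [bool] $result.Value
}

$before = Get-KeepLabelDeleteSetting -Context $ctx -Proxy $proxy

if ($before -ne $AllowDeletion) {
    # The function named in the article: queue the update, then commit it.
    $proxy::SetAllowFilesWithKeepLabelToBeDeletedSPO($ctx, $AllowDeletion)
    $ctx.ExecuteQuery()
}

# Read the value back instead of trusting the write, and fail loudly on mismatch.
$after = Get-KeepLabelDeleteSetting -Context $ctx -Proxy $proxy
if ($after -ne $AllowDeletion) {
    throw "Tenant still reports AllowFilesWithKeepLabelToBeDeletedSPO = $after"
}

# Emit a record of the change that can be kept with compliance change logs.
[pscustomobject]@{
    Tenant    = $AdminUrl
    Setting   = 'AllowFilesWithKeepLabelToBeDeletedSPO'
    Before    = $before
    After     = $after
    CheckedAt = (Get-Date).ToUniversalTime().ToString('o')
}
```

Running the script with the default leaves record labels unaffected; SharePoint Online blocks deletion of those regardless of this setting.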

Change Based on Experience

Changing the way SharePoint Online works when deleting files with retention labels with retention periods is the right thing to do. It will make compliance work better and is more logical for users. It’s just a pity that the opt-out control is hidden.


5 Replies to “Why SharePoint Online Will Allow Users to Delete Files with Retention Labels”

  1. Thanks for this writeup Tony. Question: When the behavior change takes effect, will SharePoint allow deletion of content with Retention Duration = Forever?
    I’m interpreting that our Forever label will still prevent deletion, and files will remain in their SharePoint locations. I hope this is true.

    1. AFAIK, only labels marked as records will remain in the location and everything else can be deleted (but will be retained in the preservation hold library). Definitely something to keep an eye on when the feature is released.

  2. Thanks for the great summary Tony. I really don’t think they are improving the situation with this change, so I’m glad they are providing the option to revert to the current method and I’d really hope that current tenants will not be switched automatically.

    I’d love to see more real-world scenarios where this change is helpful. To me, if you decide that certain information should be retained it’s strange that we then allow (almost) any user to remove an item, so that it is no longer available to (almost) all the other users, and there’s no indication it ever existed. We’re creating these huge hidden buckets, and I think it undermines the concept of in-place retention.

    I think they are also confusing roles by these items only being discoverable by eDiscovery – mainly as evidence in legal cases – is that the primary reason clients choose to retain information? I appreciate there are other users who can still find the deleted content, but again would love to see the real-world examples that trigger a site owner to trawl through preservation hold.

    1. The problem they’re really addressing is the fact that any group member can change the label on a file and get around the retention setting. This isn’t good for compliance. It’s better to let the user delete the file and keep the file in the background, which is what the new behavior is. In traditional SharePoint, where you can restrict what users can do, the issue probably doesn’t arise, but in a world where Microsoft 365 Groups drive a lot of SharePoint consumption (mostly through Teams) and every group member has the same permissions, it’s probably the best thing to do.
