Microsoft 365 retention policy vs. backup: Why you need both

Policies help meet compliance requirements

Data retention is necessary for proactive regulatory compliance, to reduce the risk of litigation or a security breach, and to ensure users work with current and relevant content. It is important to ensure employees and storage systems cannot delete data until the end of a retention period or legal hold designation. To manage storage capacity requirements, organizations must delete unnecessary data at the end of its retention period.

However, a data retention policy is not a substitute for backup. When it comes to data protection, it is less a question of whether to institute a retention policy or a backup, than, "How can I use both tools with Microsoft 365 to my advantage?"

How a Microsoft 365 retention policy works

IT professionals should closely review the detailed documentation available on Microsoft 365 data retention capabilities and exemptions. Once aware of the capabilities and limitations of the retention policy, they can craft a thorough data protection plan in accordance with their organization's governance requirements.

Microsoft 365 facilitates control over data retention through retention labels and retention policies. These policies apply data retention settings across entire sites or mailboxes or to specific users. Retention labels, on the other hand, apply data retention settings to specific items, such as documents, emails or folders. Customers may use either retention policies or retention labels or use both in conjunction with one another.

Backups and backup software enable customers to write copies to a separate storage infrastructure. It is a best practice is to have data copies available on a third-party storage infrastructure along with Microsoft 365, in case there are any issues with Microsoft Azure.

Fill in policy gaps with backups

On-premises or third-party-provided backup software provides control over redundancy and replication for data copies, which helps ensure their availability and integrity. Along a similar vein, backup software provides more flexibility in terms of the recovery location of backup copies than a standard retention policy.

There are some gaps in retention settings that the right piece of backup software could fill.

There are some gaps in retention settings that the right piece of backup software could fill. For example, Microsoft 365 has some limitations in applying retention policies globally and on when data retention policies are applied. It only enables customers to apply one retention label at a time to emails and documents, and retention labels do not persist if the data is moved out of Microsoft 365.

There are some ways backup admins can alter or shorten retention periods. Microsoft uses a policy of "explicit over implicit," meaning a retention setting that an admin applies explicitly in a label takes precedence over one they apply implicitly with a policy. If there are two retention labels, the shortest one takes precedence. In theory, this setup could open the door to adjustable retention periods.

Backup software can ensure protection for Microsoft 365 data and simplify how backup admins control and oversee data retention. Organizations that integrate Microsoft 365 data protection as a component of overall data protection and implementation strategies can minimize complexity for administrators and meet data retention requirements. This integration includes the creation, implementation and management of Microsoft 365 data retention settings.