This blog will guide you through managing OneDrive data retention policies for large organizations with diverse user licenses. Leveraging Administrative Units and Adaptive Scopes in Microsoft Purview, we illustrate how to implement customized retention policies.
A special thank you note to Ashwini_Anand for contributing to the content of this blog.
In today's digital landscape, efficient data retention management is a critical priority for organizations of all sizes. Organizations can optimize their OneDrive retention policies, ensuring efficient and compliant data management tailored to their unique user base and licensing arrangements.
Scenario: Contoso Org encountered a distinct challenge: managing data retention for a diverse user base of 200,000 employees, which includes 80,000 users with F3 licenses and 120,000 users with E3 and E5 licenses. As per Microsoft licensing, F3 users are allocated only 2 GB of OneDrive storage, whereas E3 and E5 users are provided with a much larger allocation of 5 TB. This difference required creating separate retention policies for these user groups. The challenge was further complicated by the fact that retention policies use the same OneDrive storage quota to preserve deleted data.
If a unified retention policy were applied to all users such as retaining data for 6 years before deletion - F3 users’ OneDrive storage could potentially fill up within a year or less (depending on usage patterns). This would leave F3 users unable to delete or save new files, severely disrupting productivity and data management.
To address this, it is essential to create a separate retention policy for E3 and E5 users, ensuring that the policy applies only to these users and excludes F3 users. This blog will discuss the process of designing and implementing such a policy for the large user base based on separate licenses, ensuring efficient data management and uninterrupted productivity.
Challenges with Retention Policy Configuration for large organizations
1. Adaptive Scope
Adaptive scopes in Microsoft Purview allow you to dynamically target policies based on specific attributes or properties such as department, location, email address, custom Exchange attributes, etc. Refer to the link for the list of supported attributes: Adaptive scopes | Microsoft Learn.
Limitation: Although Adaptive scopes can filter by user properties, Contoso, being a large organization, had already used all 15 custom attributes for various purposes. Additionally, no user attribute could be used to segregate users by license. This made it challenging to repurpose any attribute as the filter criteria for applying the retention policy to a specific set of users. Furthermore, refinable strings used in SharePoint do not work for OneDrive sites.
2. Static Scope
Static scope refers to manually selected locations (e.g., specific users, mailboxes, or sites) where the policy is applied. The scope remains fixed and does not automatically adjust.
Limitation: Static scope allows the inclusion or exclusion of mailboxes and sites but is limited to 100 sites and 1000 mailboxes, making it challenging to utilize for large organizations.
Proposed Solution: Administrative Units with Adaptive Scope
To address the above challenges, the solution combines Administrative Units with Adaptive Scopes to create a retention policy targeting E3 and E5 licensed users. An Administrative Unit (Admin Unit) is a container within an organization that can hold users, groups, or devices; it helps manage and organize users more efficiently, especially in large or complex environments.
This approach allows organizations to selectively apply retention policies based on user licenses, enhancing both efficiency and governance.
Prerequisites
- For Administrative unit - Microsoft Entra ID P1 license
- For Retention policy - Refer to the link: Microsoft 365 guidance for security & compliance - Service Descriptions | Microsoft Learn
Configuration Steps
Step 1: Create Administrative Unit:
- Navigate to Microsoft Entra Admin Center https://entra.microsoft.com/#home
- Click on ‘Identity’ and then click on ‘Show more’
- Expand ‘Roles & admins’
- Proceed to ‘Admin units’ -> Add.
- Define a name for the Administrative unit.
- Click on ‘Next: Assign roles’
- No role assignment is required; click on 'Next: Review + create'.
- Click on ‘Create’.
To get more information about creating administrative unit, refer this link: Create or delete administrative units - Microsoft Entra ID | Microsoft Learn
Step 2: Update Dynamic Membership:
- Select the Administrative Unit created in Step 1.
- Navigate to ‘Properties’
- Choose ‘Dynamic User’ for Membership type.
- Click on ‘Add a dynamic query’ for Dynamic user members.
- Click on ‘Edit' for Rule syntax
- In order to include E3 and E5 licensed users who are using OneDrive, you need to include users with the SharePoint Online Service Plan 2 enabled. Use the query below to define the dynamic membership rule.
user.assignedPlans -any (assignedPlan.servicePlanId -eq "5dbe027f-2339-4123-9542-606e4d348a72" -and assignedPlan.capabilityStatus -eq "Enabled")
Figure 4: Dynamic membership rule syntax editor
- Click on 'Save' to update the Dynamic membership rules.
- Click on 'Save' to update the Administrative unit changes.
- Open the Administrative Unit and click on the 'Users' tab to check if users have started to populate.
Note: It may take some time to replicate all users, depending on the size of your organization. Wait a few minutes and then check again.
Figure 5: Administrative unit scoped users
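Before building the adaptive scope on top of the admin unit, it is worth confirming that the dynamic rule from Step 2 selects exactly the users you expect. The script below is an added example, not code from the original post: it re-evaluates the rule client-side with the Microsoft Graph PowerShell SDK and compares the result with the admin unit's current members. It assumes the SDK is installed, the caller can read users and admin units, and the placeholder admin unit object ID is replaced with the one created in Step 1.

```powershell
# Added example: verify the Step 2 dynamic membership rule against actual admin unit membership.
# Assumes Microsoft Graph PowerShell SDK and a caller with User.Read.All / AdministrativeUnit.Read.All.
Connect-MgGraph -Scopes "User.Read.All", "AdministrativeUnit.Read.All" -NoWelcome

# Service plan ID used in the blog's rule: SharePoint Online (Plan 2), carried by E3/E5 licenses.
$spoPlan2 = "5dbe027f-2339-4123-9542-606e4d348a72"
# Placeholder: replace with the object ID of the admin unit created in Step 1.
$auId = "<ADMIN-UNIT-OBJECT-ID>"

# Client-side equivalent of:
#   user.assignedPlans -any (servicePlanId -eq $spoPlan2 -and capabilityStatus -eq "Enabled")
# Note: a user whose Plan 2 is Suspended or Deleted must NOT match, which is what the rule intends.
$allUsers = Get-MgUser -All -Property Id,UserPrincipalName,AssignedPlans
$expected = $allUsers | Where-Object {
    $_.AssignedPlans | Where-Object {
        $_.ServicePlanId -eq $spoPlan2 -and $_.CapabilityStatus -eq "Enabled"
    }
}

# Current admin unit members (dynamic membership processing is asynchronous, so this lags the rule).
$actual = Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $auId -All

$expectedIds = @($expected.Id) | Sort-Object
$actualIds   = @($actual.Id)   | Sort-Object
"Users matching rule: $($expectedIds.Count); users in admin unit: $($actualIds.Count)"

# Any difference means either replication has not finished or the rule does not do what you think.
if ($expectedIds.Count -gt 0 -or $actualIds.Count -gt 0) {
    Compare-Object -ReferenceObject $expectedIds -DifferenceObject $actualIds | ForEach-Object {
        $where = if ($_.SideIndicator -eq "<=") { "missing from admin unit" } else { "unexpected in admin unit" }
        "{0}: {1}" -f $where, $_.InputObject
    }
}

# Users who hold Plan 2 but not in Enabled state: confirm they are excluded, as the rule requires.
$notEnabled = $allUsers | Where-Object {
    $_.AssignedPlans | Where-Object {
        $_.ServicePlanId -eq $spoPlan2 -and $_.CapabilityStatus -ne "Enabled"
    }
}
"Users with Plan 2 in a non-Enabled state (should not be scoped): $(@($notEnabled).Count)"
```

Run it again after the replication delay described in the note above; once the two counts agree and the comparison prints nothing, the admin unit is ready to be used in Step 3.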
Step 3: Create Adaptive Scope under Purview Portal:
- Access https://purview.microsoft.com
- Navigate to ‘Settings’
- Expand ‘Roles & scopes’ and click on ‘Adaptive scopes’
- Create a new adaptive scope, providing ‘Name’ and ‘Description’.
- Proceed to select the Administrative unit created earlier. (It takes time for the Administrative Unit to become visible here; wait for some time if it does not appear immediately.)
- Click on ‘Add’ and ‘Next’
- Select ‘Users’ and 'Next'
- Once the Admin unit is selected, specify the criteria used to select users within the Admin unit (this is a second level of filtering). In this case, all users of the admin unit were required, so the criteria below was used.
Click 'Add attribute' and form the query below.
Email addresses is not equal to $null
Note: You can apply any other filter if you need to select a subset of users within the Admin Unit based on your business use case.
- Click on ‘Next’
- Review and ‘Submit’ the adaptive scope.
Step 4: Create Retention Policy using Adaptive Scope:
- Access https://purview.microsoft.com/datalifecyclemanagement/overview
- Navigate to ‘Policies’ and then go to ‘Retention Policies’.
- Create a ‘New Retention policy’, providing a ‘Name’ and ‘Description’.
- Click on ‘Add or remove admin units’ and select the Administrative unit created earlier.
- Choose ‘Adaptive’ and click on ‘Next’.
- Click on ‘Add scopes’ and Select the previously created Adaptive scope.
- Click on ‘Next’ to proceed and select the desired retention settings.
- Click on ‘Next’ and then ‘Finish’.
Outcome
By implementing Admin Units with adaptive scopes, organizations can effectively overcome the challenges of applying OneDrive retention policies to large, differentiated sets of users. This approach adds the required users dynamically, eliminating the need for custom attributes and manual user management. Users are dynamically added to or removed from the policy based on license status, ensuring seamless compliance management.
FAQ:
Why is it important to differentiate retention policies based on user licensing tiers?
It is important to differentiate retention policies based on user licensing tiers to ensure that each user group has policies tailored to their specific needs and constraints, avoiding issues such as storage limitations for users with lower-tier licenses like F3.
How many Exchange custom attributes are typically available?
There are typically 15 Exchange custom attributes available, which can limit scalability when dealing with a large user base.
What challenge does Adaptive Scoping face when including a large number of OneDrive sites?
Adaptive Scoping faces the challenge of including a large number of OneDrive sites due to limitations in the number of custom attributes allowed. While these custom attributes help in categorizing and managing OneDrive sites, the finite number of attributes available can restrict scalability and flexibility.
Why are refinable strings a limitation for Adaptive Scoping in OneDrive?
Refinable strings are a limitation for Adaptive Scoping in OneDrive because their usage is restricted to SharePoint only.
What are the limitations of Static Scoping for OneDrive sites?
Static Scoping for OneDrive sites is limited by the strict cap of including or excluding only 100 sites, which makes it impractical for larger environments.
Do we need any licenses to create an administrative unit with dynamic membership?
Yes, a Microsoft Entra ID P1 license is required for all members of the group.
Updated Feb 04, 2025 (Version 2.0). Author: VibhorGrover, Microsoft.
Microsoft Security Blog