Last updated:

UK M365 Maturity Model Trial

The Information and Record Management Society (IRMS) UK has been preparing a M365 assessment project, which PROV has been offered a collaborative role in. The IRMS has requested that PROV circulate the IRMS assessment model to public offices that utilise the M365 suite. We would kindly ask you to consider joining us in undertaking an assessment of your opinion as to M365 best-practice by reading through the explanatory documents and filling out the assessment spreadsheet. If you choose to partake in this assessment, we would appreciate the spreadsheet and any comments being returned by Wednesday 27 November

The two documents are:

As part of this project, we would also be interested in holding a Teams meeting in November in order to discuss your experience utilising the assessment model and to provide further guidance as needed. We would propose doing so at 11:00 am on Thursday 21 November. If you/someone from your team would be available, please let us know. Otherwise we will happily accept feedback in written form. Please direct email feedback to ville.lidberg@prov.vic.gov.au

What is Microsoft 365?

Microsoft 365 (including Office 365 and SharePoint Online) is a suite of online products that is provided as a set of cloud-based subscription services. The subscription includes automatic software updates, which means that subscribers always have access to the latest version.

Access to the service is based on a tiered licence structure that provides different levels of access to various software products depending on the licence obtained. Microsoft 365 is designed to be flexible. Configurations vary widely, depending on how a specific organisation intends to use it.

Software services commonly part of the Microsoft 365 suite include:

  • Email services (e.g. Outlook, Exchange online)
  • Hosted services (e.g. Teams, SharePoint, and the browser-based Office Web Apps suite)
  • Office applications (i.e. access to the current versions of the Office desktop applications)
  • Collaboration tools (e.g. OneDrive, SharePoint, Teams, and Viva Engage).

 

Managing Records in Microsoft 365: A guide for Victorian public offices

Managing Records in Microsoft 365: A guide for Victorian public offices was developed to assist Victorian agencies in the management of records created and captured across the M365 environment. Whether your agency is implementing or currently managing an existing M365 environment, this guidance will be a useful resource in understanding the recordkeeping capabilities and limitations of M365. 

This guidance covers all areas of M365 that creates and manages records including, but not limited to, SharePoint, Exchange (for emails), Teams, Purview (for compliance activities) and Entra (for access arrangements and grouping). It also includes advice and recommendations on roles and responsibilities, recordkeeping configurations, retention policy settings, information architecture approaches, and much more. 

The guide was developed by M365 expert Andrew Warland who has spent many years working as a consultant across industries including government, advising and guiding organisations on effective recordkeeping within the M365 environment. 

Microsoft 365 and recordkeeping

The table below provides examples of recordkeeping information relevant for some common Microsoft 365 software services. Note that this is not a complete list, and that information on services listed may not be current as services are updated/upgraded regularly.

Service Comments

Co-Pilot

A M365 ChatGPT AI application that can be used to create and broadcast communications (e.g., Business Chat) or to carry out simple actions (such as clearing an inbox).

File Plan

Part of Purview Records Management. Used to create and manage retention labels/policies. Can also be used to manage data retention and disposition.

Groups in Teams / Stream 

Services all use the same groups which means that if a group is deleted in one service (such as Stream) the groups and all their content are also deleted from other services.

Loop

Loop is a collaboration tool that enables people to enter and edit text within a separate communication (like an email or a chat). Content is tagged as being written by the author, even when cut and pasted elsewhere by someone else.

Office Desktop Suite

Becomes read-only once the Microsoft 365 subscription lapses until a new subscription is purchased and activated.

OneDrive

Each user receives one terabyte (TB) of online storage and some plans include unlimited personal cloud storage per user.

Records are automatically deleted 60 days after the user account is disabled.

Power Apps & Power Automate

Can be used to automate some approval processes.

Purview Data Lifecycle Management

Manages retention policies for workloads, email, as well as teams and yammer messages. Enables retention of inactive mailboxes and provides storage for archived mailboxes. Includes import services for PST files.

Purview Records Management

Suite of capabilities to support records management including retention labels, ability to label something as a record, application of retention policies, disposition review, export, deletion including proof of deletion, and event-based retention. File plans used to manage retention and disposition. Can also be used to manage data.

Stream (Classic / On SharePoint)

Intelligent video service that hosts, shares and analyses video content.

Teams

Communication methods include instant messaging, voice over internet protocol (VoIP), audio, video, and web conferencing.

Viva Engage

Members of a group are automatically able to access a team calendar, a shared Outlook inbox, a SharePoint library, a SharePoint team site, a shared OneNote notebook and Planner.

Effective records management aims to ensure that:

  • Full, reliable and accurate records are created, captured and managed
  • The integrity of records and associated metadata is maintained
  • People are able to find what they are looking for when they need it
  • Records are secure from unauthorised access and destruction
  • Accessible records are exported from the system when required
  • Records remain accessible for as long as they are needed and then lawfully disposed of.

This can be achieved through a range of different means, including:

  • Working across and within Microsoft 365 services to build records management functionality and associated processes in compliance with PROV standards. 
  • Integration with an Enterprise Content Management System, or Electronic Document and Record Management System (or another similar solution) in compliance with PROV standards.

PROV recommends the following actions:

  1. Determine the kind of licence held (e.g., E3, E5) and whether your organisation is part of a multi-organisational tenancy or standalone (this information will determine what is possible within M365 for your organisation).
  2. Obtain knowledge of the administrative applications and tools used to manage records in Microsoft 365. Please note that there are multiple administrative centres across Microsoft 365. There are also various configuration settings in these centres that can be applied for appropriate records management.
  3. Conduct a gap analysis to determine whether these controls are sufficient to manage records within the agency or whether additional controls, configuration, or integration is needed.
  4. Assess the culture of the agency to determine the probability and impact of users not complying with records management controls within the Microsoft 365 environment.
  5. Set controls for records that consider the user experience and minimise risk of non-compliance (Purview Compliance Manager includes pre-built assessments for common regional and industry standards and regulations).
  6. Where AI or machine learning tools are used ensure that a program of regular monitoring and auditing of the process by a human being is in place and that risks are identified and mitigated appropriately.
  7. Where third party plugs in are to be used, develop, and maintain an integration management plan that specifies how the impact of Microsoft 365 updates and upgrades will be monitored and risk to records minimised.
  8. Determine where and how automation can be best applied to minimise risk to records and improve effective control of records (Power Automate can be used in conjunction with retention labels to automate retention and disposal).
  9. Be aware of Microsoft 365 Purview records management and data lifecycle management functionality, how they can be used to manage disposal of agency records, and where other mechanisms or processes are needed. Purview Records Management includes retention labels, policies, and file plans for retention and disposal, while Purview Data Lifecycle Management covers retention for workloads and manages messages (Teams and Yammer) and email (inactive and archive mailboxes).
  10. Conduct a gap assessment and management plan against disposal requirements to determine and minimise risk to records.
  11. Consider and seek to minimise risk to records when determining whether to migrate records from a decommissioned system (including systems that manage email) into Microsoft 365.

Ideally, records management controls should be included during the planning and configuration stage. The ability to adjust configuration settings may be limited post implementation, but some controls may still be applied. For example:

  • Microsoft have a validation method that should be used when migrating records into SharePoint or OneDrive as metadata is automatically updated when uploading files.
  • To manage public records in M365, both data management and record management functionality are required (both are in Microsoft Purview) and will need to work together to ensure controls (including retention and disposal) are lawfully applied.
  • Setting permissions for records manager functionality occurs across two portals (M365 Defender Portal and Microsoft Purview Compliance Portal) and permissions are based on the role-based access control (RBAC) permissions model. Permissions can only be managed by someone with the correct admin role status (role management).
  • Logging can be automated to ensure that accountability or integrity questions can be effectively addressed depending on the license held.
  • Labels and labelling policies are applied in different ways and can be used to manage retention of records and security regimes, including sensitivity classifications. Automated labelling can be applied depending on the license held.
  • Retention labels can be used to mark items as a record or a regulatory record, both of which have additional controls that can be applied. Records have more flexibility regarding actions that can be applied compared with regulatory records. Please note that regulatory records cannot be edited or deleted. Once the label of regulatory record is applied to an item, it cannot be removed by anyone. Regulatory records cannot have their retention period shortened. If an item is checked out in SharePoint, it cannot be made a regulatory record. Regulatory record declaration functionality must be enabled using PowerShell.
  • Retention labels can be used as classification labels if the retention action is set to review later.
  • Usage rights are applied through sensitivity labels, policy, or role-based permission levels, and can be configured to automatically apply to the label or template selected. Be aware of whether usage rights will be applied to the single instance only or across a broader group as different methods of application cover different situations.
  • Unique IDs for documents can be set up within SharePoint Online using the automatic SharePoint Document ID functionality, but this is not the default, and the functionality must be activated by a site collection administrator. Please note that the unique document ID will only travel with the document if the location it has moved to also has unique ID functionality. Otherwise, it will be removed from the document.
  • Alerts can be set up or customised to advise of unauthorised deletions, changes, and amendments and should be appropriate for regulatory, legislative, and business reporting (including reporting of risk to records). Alerts require auditing to be enabled and searchable and can be set up through Purview. Functionality is dependent on the license held. Please note that audit logs are only retained for 90 days with the standard Audit package but are retained for one year with a premium audit package and can be expanded to 10-year retention if an additional license is purchased.
  • Reporting tools can be used to identify user behaviours that place records at risk so that appropriate governance structures can be put in place (note that functionality will depend on the license held).
  • E-Discovery tools that search all content, including email, can be set up through the Security and Compliance Centre (note that functionality will depend on the license held).

If the Microsoft 365 service is integrated with an EDRMS or ECM system, then disposal controls can continue to be applied in that system through traditional methods (such as assigning retention periods through the business classification scheme and folder structure).

In M365, retention and disposal are controlled within Purview. To ensure that disposal covers all areas of M365, including email and chat, both data management and records management functionality are required (see the table, below). Some features require full E5 license or equivalent, while others only need E3 or equivalent – see M365 https://learn.microsoft.com/en-us/microsoft-365/compliance/manage-data-governance for details.

Microsoft Purview Data Lifecycle Management

Microsoft Purview Records Management

Retention policies for Microsoft 365 workloads, with retention labels for exceptions

Lets you retain or delete content with policy management for email, documents, Teams and Yammer messages.

File plan

Lets you create retention labels interactively or import in bulk, and export for analysis. Labels support additional administrative information (optional) to help you identify and track business or regulatory requirements.

Inactive mailboxes

Lets you retain mailbox content after employees leave the organization so that this content remains accessible to administrators, compliance officers, and records managers.

Retention labels for individual items, retention policies if needed for baseline retention

Labels support flexible retention and deletion schedules that can be applied manually or automatically, with records declaration when needed.

Use a retention policy to assign the same retention settings for content at a site or mailbox level.

Use a retention label to assign retention settings at an item level (folder, document, email). Labels can be applied in multiple ways and can be automated to apply when specific conditions are met.

Items inherit the retention settings from their container specified in the retention policy, but they don’t travel with them to a new location. Use retention labels if the setting needs to travel with the item.

Archive mailboxes

Provides additional mailbox storage space for users.

Disposition review and proof of disposition

Manual review of content before it’s permanently deleted, with proof of disposition of records.

Import service for PST files

Supports bulk-importing PST files to Exchange Online mailboxes to retain and search email messages for compliance or regulatory requirements.

 

 

Be aware that:

  • Different software or services across M365 may have different retention settings or limitations. Ensure that you know how retention works for the specific area of M365 you are working within and use the right retention tool for the right situation.
  • There are multiple repositories where records may be saved across the different apps and sites that make up M365.
  • Records with a retention policy applied that are edited or deleted will have a copy saved to a set location that may be different to its original location. If you don’t have the right permissions, you will not see the folders that content is saved within.
  • As a copy of anything with a retention setting is saved to a default folder anytime someone edits or deletes it, ensure that storage capacity is sufficient to hold your records.
  • If the retention setting is to travel with the content, regardless of where it is, assign retention using retention labels; retention settings applied by policy only apply to the current location of the content, and will no longer be applied if the content is moved.
  • For retention labels to be automated, there needs to be a common element they can be applied to. For example, type of information, keyword, or pattern matches. Content search can be used to locate items with the same retention label.
  • Retention policies can be applied to specific users, multiple locations, or specific locations.
  • Proof of disposition is supplied when using retention labels under certain circumstances (such as declaring content to be a record) but only for up to seven years.
  • If you are in a tenancy, then some settings are applied across the whole tenancy. See https://learn.microsoft.com/en-us/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings for details on the difference between licenses, tenants and so on.
  • For details see: https://learn.microsoft.com/en-us/microsoft-365/compliance/retention

There are a lot of resources available on the web that address disposal in some way that may be of value, such as the following:

 

Below is a table of possible risk to records that may be encountered when implementing Microsoft 365 and some suggested mitigation strategies.

Risk Challenge Mitigation
Risk to meeting legislative requirements Public records remain subject to privacy, security, freedom of information (FOI) and public records requirements while they are held externally in Microsoft 365.

The compliance management templates provided include PROV recordkeeping standards, the Victorian Protective Data Security Standards, and others. Use the Compliance Manager functionality within Purview to adjust configuration as required. Functionality depends on the license held.

High risk areas may require tailored solutions. For example, records above a specific security classification may need to be only created or stored on systems that are under direct agency control.

Risk to evidential integrity of records, unauthorised access and unlawful deletion The collaborative design of Microsoft 365 places the user in a position of decision maker regarding management of records when most users lack the skills and knowledge to manage records appropriately.

Have records management controls (automated where possible) in place to ensure that the evidential integrity of records is not put at risk, records remain accessible, and records are not subject to unauthorised access or unlawful disposal.

For example, use policy settings, sensitivity and other labels, and audit log alerts to notify the appropriate person if unauthorised access occurs or an unauthorised event is triggered.

Ensure storage is sufficient to enable copies of records that have been edited or deleted are captured to counter inappropriate moderation or unlawful disposal.

Risk to full and accurate records of Victorian Government It may be unclear who owns or holds what rights over the public records in Microsoft365 environments, including rights over records contained in laws from the jurisdiction where the records are being held.

Clarify ownership and rights over agency records and, where there is lack of clarity, ensure that the records are held within agency owned and controlled systems.

For example, clearly express record ownership and rights in contracts and agreements.

Ensure that data is hosted in Australia, preferably Victoria – as required by Victorian Government Privacy and Security controls.
Risk of losing records Content may be lost due to Microsoft service changes, as part of normal service operations that include automated deletion, or upon removal of the service by Microsoft.

Review and remain up to date with service changes including release notices to ensure that risk to records is known.

For example, if a Microsoft notice flags that a service will be disabled, review and either move or convert records from that service to one that is being actively managed.

Be aware of:

  • Storage caps (i.e., what is the full amount of storage permitted by the license held and what is counted as storage).
  • Retention caps (i.e., Microsoft enforced retention durations may apply to specific areas that are based on license held, such as 90 day audit log retention).
  • Migration information (i.e., the metadata that travels with the records, the circumstances it might not travel with the records, the kind of migration tools that may need to be used for best results, and so on).

 

Apps and other products in or aligned with M365 are often retired and replaced with a new product that does something similar. Often migration of any documents created using the previous version will need to be migrated into something else as once the app or product is retired, the functionality will no longer work, and content will be lost. Generally, there will be:

  • An announcement with information about what (if anything) will be replacing the retired app/product, timeframes, and key milestones.
  • Time to identify what needs to be migrated, plan for the migration, and capture any other documentation of relevance.
  • A cut-off point where the app or product will no longer function.

Microsoft 365 is a cloud service that utilises web-based applications (including forms of social media). As such, records management advice for cloud computing, electronic approval services, management of websites, social media, migration, mobile technologies, and decommissioning systems also apply. 

Microsoft 365 should be implemented in line with PROV recordkeeping standards and policies.

Material in the Public Record Office Victoria archival collection contains words and descriptions that reflect attitudes and government policies at different times which may be insensitive and upsetting

Aboriginal and Torres Strait Islander Peoples should be aware the collection and website may contain images, voices and names of deceased persons.

PROV provides advice to researchers wishing to access, publish or re-use records about Aboriginal Peoples