Interesting Exploits in Office 365 and SharePoint

Category Archives: Compliance

First Impressions – Microsoft Advanced Data Governance

Microsoft announced new capabilities for Advanced Data Governance at the Ignite conference in September 2016.  As of April 1, these features have been released into the O365 platform.  As with all O365 releases, these are rolling out in waves.  If you navigate to the Security and Compliance Center, you will see additional options under Classifications and Data Governance.

There are a significant number of features that have been released, but for the purposes of this discussion, we are going to focus on the specific capabilities surrounding information governance and policy.

Retention Policies and Classification Labels

Microsoft’s capabilities around retention are not new.  Both Exchange and SharePoint have featured mechanisms to define how long content items should exist.  Many of these manifesting themselves over 10 years ago.  What is new with the recent announcement and update is Microsoft’s unification of retention policies across the Office 365 (O365) service.  Within a series of mouse clicks, one can create a retention policy and apply it to Exchange (email and public folders), SharePoint sites, OneDrive for Business, Office 365 Groups and Skype for Business content.  To an organization, this now provides the ability to create and enforce a number of information governance initiatives. 

Layered on top of Retention Policies are Classification Labels.  Classification Labels allow organizations to apply a specific information governance rule to content manually.  The Classification Label sets can be published to different locations across the Office 365 platform.  The result provides users the ability to easily follow information governance policy without having to have deep knowledge or training.  Apply a Classification Label of “External Proposal” to a new sales proposal and the user is done.

Alternatively, Classification Labels can be defined and applied automatically and/or by default to a set of locations.  Maybe your organization has a mergers and acquisitions group.  A Classification Label can be defined and automatically applied to all content created in that group regardless of where it is stored.  The added benefit of a Classification Label over a Retention Policy is that the label will actually manifest on the content, whether a document or email.

Retention Policies and Classification Labels offer the ability to ubiquitously apply to all content in the platform as a global policy.  Alternatively, they can be applied to very specific content, in specific targeted locations.  This flexibility offers organizations great power to solve many diverse and unique information governance challenges.

Before organizations jump into this pool with both feet, I suggest that they take a deeper look at these capabilities so that they obtain the results that they expect.

Retention and Records

The new Advanced Data Governance (ADG) features provide the ability to perform content retention as well as record declaration.  Retention, as implemented in the ADG context retains content for the specified period of time.  This doesn’t mean that the content is inaccessible.  Users may continue to work with the content including editing, sharing and collaborating.  Content that is under a retention policy behaves like any other content to the user.  What is different is when a content item is deleted.  The ADG features manage the preservation of the content so that it is not lost.

Retained content is handled differently than content marked as a “record”.  This is a unique option for a Classification Label and removes the ability to modify the content in any way.  This prevents users from modifying the specific item and will change the behavior experienced during the normal course of working.

Deletion and Destruction

The process that occurs when content is no longer retained may be defined as a delete action.  The retention policy can be defined to do nothing at the end of retention, or perform a delete.  It is important to note that delete in this case doesn’t mean “delete immediately”.  ADG uses the recycle bin to provide a staged deletion process.  Therefore, “deleted” content may still exist in the recycle bin for a period of time.

In the future, there are plans to put approval process in place for the retention policy that will provide organizations the ability to create more formal processes around information destruction. 

Date Calculations

With this release, ADG provides date options for the calculation of the retention period.  Standard dates such as Created and Modified are available and an option for when the content was labeled (in the case of Classification Labels).

Currently there is no option to support custom date fields or event-driven (also known as retention triggers) retention.  These are going to be available soon per Microsoft.


After being involved with the preview as a Microsoft ISV and working with several joint partners we have some initial impressions of these new features.

  • Microsoft has finally moved to unification of policy management – this is a big plus because we no longer manage separate, application specific policies
  • Application of Retention Policies and Classification Labels – definition of the policies and labels is quite easy and operates through a very modern wizard, stepping even the novice through the process.
  • Timeliness of Processes – in our experience, the policy application service level agreements aren’t immediate, some taking as long as seven days.  We are sure that as ADG gets wider adoption and Microsoft gains experience with the service, these will come down.
  • Not your traditional records management – there is some adjustment that will be needed for more traditional organizations using legacy records management solution to adapt to these new concepts.  For some organizations, these capabilities will augment more regimented processes to address the ever-increasing proliferation of content and the risks it represents.
  • Terminology – we can only suggest taking your time and understand what each of these new features is doing.  We found ourselves a little confused more than once with the use of terminology.
  • Enterprise Perspective – one of the biggest challenges we faced was understanding the what, when and where of the Retention Policies and Classification Labels.  Since each of these is a simple listing of defined policies and labels, it becomes very difficult to track where certain policies are applied and what labels are available.   We suggest starting with very broad definitions and picking relevant naming conventions (you can name and describe these any way you want).  Microsoft is gathering feedback in this area, so we hope to see good things coming.
  • What about other sources – as stated previously, Microsoft has made a great stride with these capabilities.  If your organization has other locations or applications that need to have policy assigned, you will need to look for solutions that extend the platform.

In conclusion, Microsoft deserves credit for listening to its clients and taking this leap forward.  For those of us committed to the platform, we are happy to see these capabilities.  While adding some great capabilities, we believe that organizations will find that there will be compliance requirements and information handling processes that will require broader and deeper functionality in specific areas.


Content Types and Workflows

The process of creating content type based workflows is sometimes daunting for the SharePoint professional because it requires a number of steps and the order of those steps is critical.

In this tutorial, we have a Content Type Hub defined for our farm and a team site in which we want to use a content type hierarchy to manage our content. For a specific hierarchy of content types, we want to have a specific workflow available to process the content. We don’t want to have this workflow apply to other content types in the library, only specific types of content.

This example steps through the manual process of workflow creation using SharePoint Designer and standard SharePoint administrative features. Obviously, the process can be automated or packaged into features to expedite the publication of the workflow to multiple sites.

Let’s start with our assumptions:

  • the Content Type hierarchy has been defined in our Hub
  • the target team site has been created

The Content Type hierarchy that we have created is as follows:

  • Document
  • Enterprise Document
  • Administration
  • Equipment Operation Manuals and Specifications

For this exercise, we will be associating our workflow with the Administration content type and subsequently applying the workflow to the child content type, Equipment Operation Manuals and Specifications.

Step 1: Create workflow at the Content Type Hub

This will be a reusable workflow that is associated to our parent content type (because we want to work with specific columns of that content type).

Assign Workflow to highest level content type

When creating the workflow, ensure that you have selected the content type to associate to the workflow. If you don’t select a content type, the specific columns will not be available to the workflow.

Step 2: Define the content of the workflow

In our sample workflow, we are only going to manipulate specific column values. I would anticipate that your workflow will be much more complex than this.

Save and Publish the workflow

The workflow must be saved and published. This will make the workflow available in our Content Type Hub.

Step 3: Export the Workflow to install into our target team site

Because the Content Type Hub only publishes the workflow association and not the workflow itself, we must package and install the workflow into our team site. This involves saving the workflow as a portable template (in the form of a WSP).

The Workflow is saved in the Site Assets library in the content type hub (where we created the content type)

Navigate to the Site Assets library and download a copy of the workflow

Save the WSP to a local location on the drive

Step 4: Install the workflow in the target site

Navigate to the site where the workflow is to be used.

Go to Site Settings > Solutions

Upload the solution to the site

Once uploaded, select Activate

Navigate to site settings (in the target site)

Go to the Site Actions area and select Manage Site Features

The Activated workflow solution will now appear as a site feature. Activate this feature

Step 5: Associate the Workflow to the Content Type Parent

Go back to the Content Type Hub and navigate to the content type that you want to associate to the workflow

Select Workflow Settings

We are going to add the new workflow to the Parent Content Type, Administration

Configure the options that you want for the workflow.

IMPORTANT: Make sure that you select “Yes” for the “Add this workflow to all content types that inherit from this content type?”

In the Workflow Admin Screen, select “Update all content types that inherit from this type with these workflow settings

Step 6: Publish the updated content type

Now we need to publish the content type and the changes back out to our subscribing sites

Navigate back to the content type (parent)

Select the manage publishing

If the content type has been previously published, you will need to republish it

Step 7: Publish the Content Type

Once the Publish/Republish has been selected go to Central Admin and run the Content Type Hub and Content type Subscriber jobs

Step 8: Validate the Target Site Configuration

Once the publishing jobs have completed, navigate to your target site and assign the content types to a library.

Once you import content and assign to one of your content types, you will then be able to use the workflows

Select an item and workflows

You will see the workflow assigned to the content in the target library

Hopefully you have found this post useful and can easily see where you can apply this process to your environment and applications.

Selecting a Records Management Strategy: What’s Best for You

I recently did a webinar in conjunction with Earley & Associates about creating a Records and Information Management Strategy within your organization.  The presentation is divided into two parts, a business perspective and a technical perspective. 

I specifically address the foundational components of a strategy within your organization and how to get started.  During the second half, I cover the elements within SharePoint 2010 that can be leveraged as part of your strategy.

To view larger, click the Full Screen Icon

I’d like to thank Earley & Associates for hosting the webinar and hope you enjoy viewing the replay.

Managing Information Policies and Compliance in SharePoint 2010 – Idera Software Webinar Presentation

I recently delivered a webinar with Idera Software on Information Policies and Compliance with SharePoint 2010.  This is a very basic introduction of the component parts of the policy and compliance puzzle.

The overview of the webinar was published as “Information accumulation can be a big issue within such a collaborative platform as SharePoint 2010.  There are techniques and best practices to control how information is kept and enumerated as valuable to the organization.  During this session, participants will gain valuable insight as to how to assign information policies to Work In Progress or Draft information and the application of Record Retention to critical documents within their SharePoint environment.  The topics covered will include SharePoint 2010 Information Management Policies, Content Types, the Record Center, location-based policies and In Place Records management.”

You can hear the full version of the recorded webinar through the following link:

The presentation slides are available here: Idera Webinar – Managing Information Policies and Compliance in SharePoint 2010