New-RetentionCompliancePolicy

This cmdlet is available only in Security & Compliance PowerShell. For more information, see Security & Compliance PowerShell.

Use the New-RetentionCompliancePolicy cmdlet to create new retention policies and new retention label policies in the Microsoft Purview compliance portal. Creating a new policy also requires use of the New-RetentionComplianceRule cmdlet.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Syntax

New-RetentionCompliancePolicy
   [-Name] <String>
   [-Applications <MultiValuedProperty>]
   [-Comment <String>]
   [-Confirm]
   [-Enabled <Boolean>]
   [-ExchangeLocation <MultiValuedProperty>]
   [-ExchangeLocationException <MultiValuedProperty>]
   [-Force]
   [-IsSimulation]
   [-ModernGroupLocation <MultiValuedProperty>]
   [-ModernGroupLocationException <MultiValuedProperty>]
   [-OneDriveLocation <MultiValuedProperty>]
   [-OneDriveLocationException <MultiValuedProperty>]
   [-PolicyRBACScopes <MultiValuedProperty>]
   [-PolicyTemplateInfo <PswsHashtable>]
   [-PublicFolderLocation <MultiValuedProperty>]
   [-RestrictiveRetention <Boolean>]
   [-RetainCloudAttachment <Boolean>]
   [-SharePointLocation <MultiValuedProperty>]
   [-SharePointLocationException <MultiValuedProperty>]
   [-SkypeLocation <MultiValuedProperty>]
   [-SkypeLocationException <MultiValuedProperty>]
   [-WhatIf]
   [<CommonParameters>]
New-RetentionCompliancePolicy
   [-Name] <String>
   [-Comment <String>]
   [-Confirm]
   [-Enabled <Boolean>]
   [-Force]
   [-IsSimulation]
   [-RestrictiveRetention <Boolean>]
   [-RetainCloudAttachment <Boolean>]
   [-TeamsChannelLocation <MultiValuedProperty>]
   [-TeamsChannelLocationException <MultiValuedProperty>]
   [-TeamsChatLocation <MultiValuedProperty>]
   [-TeamsChatLocationException <MultiValuedProperty>]
   [-WhatIf]
   [<CommonParameters>]
New-RetentionCompliancePolicy
   [-Name] <String>
   -AdaptiveScopeLocation <MultiValuedProperty>
   [-Applications <MultiValuedProperty>]
   [-Comment <String>]
   [-Confirm]
   [-Enabled <Boolean>]
   [-Force]
   [-IsSimulation]
   [-RestrictiveRetention <Boolean>]
   [-RetainCloudAttachment <Boolean>]
   [-WhatIf]
   [<CommonParameters>]

Description

Policies are not valid until a rule is added (for retention policies) or a label is added (for retention label policies). For more information, see New-RetentionComplianceRule. In addition, at least one location parameter must be defined to create a retention policy or retention label policy.

To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see [Permissions in the Microsoft Purview compliance portal]/purview/microsoft-365-compliance-center-permissions).

Examples

Example 1

New-RetentionCompliancePolicy -Name "Regulation 123 Compliance" -ExchangeLocation "Kitty Petersen", "Scott Nakamura" -SharePointLocation "https://contoso.sharepoint.com/sites/teams/finance"

This example creates a retention policy named "Regulation 123 Compliance" for the mailboxes of Kitty Petersen and Scott Nakamura, and the finance SharePoint Online site.

The next step is to use the New-RetentionComplianceRule cmdlet to add a rule to the retention policy.

Example 2

New-RetentionCompliancePolicy -Name "Marketing Department" -Enabled $true -SharePointLocation https://contoso.sharepoint.com -RetainCloudAttachment $true -Comment "Regulatory compliance for Marketing Dept."

This example creates a new auto-apply label policy targeted to cloud attachments named Marketing Department with the specified details.

The next step is to use the New-RetentionComplianceRule cmdlet to add a retention label to the retention label policy.

Parameters

-AdaptiveScopeLocation

The AdaptiveScopeLocation parameter specifies the adaptive scope location to include in the policy. You create adaptive scopes by using the New-AdaptiveScope cmdlet. You can use any value that uniquely identifies the adaptive scope. For example:

  • Name
  • Distinguished name (DN)
  • GUID
Type:MultiValuedProperty
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Applications

The Applications parameter specifies the target when Microsoft 365 Groups are included in the policy (the ModernGroups parameter is set). Valid values are:

  • Group:Exchange for the mailbox that's connected to the Microsoft 365 Group.
  • Group:SharePoint for the SharePoint site that's connected to the Microsoft 365 Group.
  • "Group:Exchange,SharePoint" for both the mailbox and the SharePoint site that are connected to the Microsoft 365 Group.
  • blank ($null): This is the default value, and is functionally equivalent to the value "Group:Exchange,SharePoint".
Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Comment

The Comment parameter specifies an optional comment. If you specify a value that contains spaces, enclose the value in quotation marks ("), for example: "This is an admin note".

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Confirm

The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.
  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.
Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Enabled

The Enabled parameter specifies whether the policy is enabled or disabled. Valid values are:

  • $true: The policy is enabled. This is the default value.
  • $false: The policy is disabled.
Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ExchangeLocation

The ExchangeLocation parameter specifies the mailboxes to include in the policy. Valid values are:

  • A mailbox
  • A distribution group or mail-enabled security group (all mailboxes that are currently members of the group).
  • The value All for all mailboxes. You can only use this value by itself.

To specify a mailbox or distribution group, you can use any value that uniquely identifies it. For example:

  • Name
  • Distinguished name (DN)
  • Email address
  • GUID

You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

If no mailboxes are specified, then no mailboxes are placed on hold.

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ExchangeLocationException

The ExchangeLocationException parameter specifies the mailboxes to exclude from the policy when you use the value All for the ExchangeLocation parameter. Valid values are:

  • A mailbox
  • A distribution group or mail-enabled security group

To specify a mailbox or distribution group, you can use any value that uniquely identifies it. For example:

  • Name
  • Distinguished name (DN)
  • Email address
  • GUID

You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Force

The Force switch hides warning or confirmation messages. You don't need to specify a value with this switch.

You can use this switch to run tasks programmatically where prompting for administrative input is inappropriate.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-IsSimulation

The IsSimulation switch specifies the policy is created in simulation mode. You don't need to specify a value with this switch.

For more information about simulation mode, see Learn about simulation mode.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ModernGroupLocation

The ModernGroupLocation parameter specifies the Microsoft 365 Groups to include in the policy. Valid values are:

  • A Microsoft 365 Group
  • The value All for all Microsoft 365 Groups. You can only use this value by itself.

To identify the Microsoft 365 Group, you can use any value that uniquely identifies it. For example:

  • Name
  • Distinguished name (DN)
  • Email address
  • GUID

You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ModernGroupLocationException

The ModernGroupLocationException parameter specifies the Microsoft 365 Groups to exclude from the policy when you use the value All for the ModernGroupLocation parameter.

You can use any value that uniquely identifies the Microsoft 365 Group. For example:

  • Name
  • Distinguished name (DN)
  • Email address
  • GUID

You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Name

The Name parameter specifies the unique name of the retention policy. If the value contains spaces, enclose the value in quotation marks.

Type:String
Position:1
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-OneDriveLocation

The OneDriveLocation parameter specifies the OneDrive for Business sites to include. You identify the site by its URL value, or you can use the value All to include all sites.

You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-OneDriveLocationException

This parameter specifies the OneDrive for Business sites to exclude when you use the value All for the OneDriveLocation parameter. You identify the site by its URL value.

You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-PolicyRBACScopes

The PolicyRBACScopes parameter specifies the administrative units to assign to the policy. A valid value is the Microsoft Entra ObjectID (GUID value) of the administrative unit. You can specify multiple values separated by commas.

Administrative units are available only in Microsoft Entra ID P1 or P2. You create and manage administrative units in Microsoft Graph PowerShell.

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-PolicyTemplateInfo

This parameter is reserved for internal Microsoft use.

Type:PswsHashtable
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-PublicFolderLocation

The PublicFolderLocation parameter specifies that you want to include all public folders in the retention policy. You use the value All for this parameter.

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-RestrictiveRetention

The RestrictiveRetention parameter specifies whether Preservation Lock is enabled for the policy. Valid values are:

  • $true: Preservation Lock is enabled for the policy. No one -- including an administrator -- can turn off the policy or make it less restrictive.
  • $false: Preservation Lock isn't enabled for the policy. This is the default value.

After a policy has been locked, no one can turn off or disable it, or remove content from the policy. And it's not possible to modify or delete content that's subject to the policy during the retention period. The only ways that you can modify the retention policy are by adding content to it, or extending its duration. A locked policy can be increased or extended, but it can't be reduced, disabled, or turned off.

Therefore, before you lock a retention policy, it's critical that you understand your organization's compliance requirements, and that you don't lock a policy until you are certain that it's what you need.

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-RetainCloudAttachment

Note: This parameter is currently in Preview, is not available in all organizations, and is subject to change.

The RetainCloudAttachment parameter specifies that this is a cloud attachment policy. Valid values are:

  • $true: The policy is a cloud attachment policy.
  • $false: The policy is not a cloud attachment policy. This is the default value.

For the value $true, you can only use the following location parameters:

  • SharePointLocation and SharePointLocationException
  • OneDriveLocation and OneDriveLocationException
  • ModernGroupLocation and ModernGroupLocationException

A tag that uses a cloud attachment policy to create a rule can be a record label or a regulatory label. You can't use a publishing tag for a cloud attachment policy to create a rule; only apply tags are supported.

The RetainCloudAttachment parameter is not available on the Set-RetentionCompliancePolicy cmdlet.

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-SharePointLocation

The SharePointLocation parameter specifies the SharePoint Online sites to include. You identify the site by its URL value, or you can use the value All to include all sites.

You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

SharePoint Online sites can't be added to the policy until they have been indexed. If no sites are specified, then no sites are placed on hold.

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-SharePointLocationException

This parameter specifies the SharePoint Online sites to exclude when you use the value All for the SharePointLocation parameter. You identify the site by its URL value.

You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-SkypeLocation

The SkypeLocation parameter specifies the Skype for Business Online users to include in the policy.

You can use any value that uniquely identifies the user. For example:

  • Name
  • Distinguished name (DN)
  • Email address
  • GUID

You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-SkypeLocationException

This parameter is reserved for internal Microsoft use.

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-TeamsChannelLocation

The TeamsChannelLocation parameter specifies the Teams to include in the policy.

You can use any value that uniquely identifies the team. For example:

  • Name
  • Email address
  • GUID

You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-TeamsChannelLocationException

The TeamsChannelLocationException parameter specifies the Teams to exclude when you use the value All for the TeamsChannelLocation parameter. You can use any value that uniquely identifies the team. For example:

  • Name
  • Email address
  • GUID

You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-TeamsChatLocation

The TeamsChatLocation parameter specifies the Teams users to include in the policy.

You can use any value that uniquely identifies the user. For example:

  • Name
  • Distinguished name (DN)
  • Email address
  • GUID

You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-TeamsChatLocationException

The TeamsChatLocationException parameter specifies the Teams users to exclude when you use the value All for the TeamsChatLocation parameter. You can use any value that uniquely identifies the user. For example:

  • Name
  • Distinguished name (DN)
  • Email address
  • GUID

You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-WhatIf

The WhatIf switch doesn't work in Security & Compliance PowerShell.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance