New-RetentionCompliancePolicy
This cmdlet is available only in Security & Compliance PowerShell. For more information, see Security & Compliance PowerShell.
Use the New-RetentionCompliancePolicy cmdlet to create new retention policies and new retention label policies in the Microsoft Purview compliance portal. Creating a new policy also requires use of the New-RetentionComplianceRule cmdlet.
For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.
Syntax
New-RetentionCompliancePolicy
[-Name] <String>
[-Applications <MultiValuedProperty>]
[-Comment <String>]
[-Confirm]
[-Enabled <Boolean>]
[-ExchangeLocation <MultiValuedProperty>]
[-ExchangeLocationException <MultiValuedProperty>]
[-Force]
[-IsSimulation]
[-ModernGroupLocation <MultiValuedProperty>]
[-ModernGroupLocationException <MultiValuedProperty>]
[-OneDriveLocation <MultiValuedProperty>]
[-OneDriveLocationException <MultiValuedProperty>]
[-PolicyRBACScopes <MultiValuedProperty>]
[-PolicyTemplateInfo <PswsHashtable>]
[-PublicFolderLocation <MultiValuedProperty>]
[-RestrictiveRetention <Boolean>]
[-RetainCloudAttachment <Boolean>]
[-SharePointLocation <MultiValuedProperty>]
[-SharePointLocationException <MultiValuedProperty>]
[-SkypeLocation <MultiValuedProperty>]
[-SkypeLocationException <MultiValuedProperty>]
[-WhatIf]
[<CommonParameters>] New-RetentionCompliancePolicy
[-Name] <String>
[-Comment <String>]
[-Confirm]
[-Enabled <Boolean>]
[-Force]
[-IsSimulation]
[-RestrictiveRetention <Boolean>]
[-RetainCloudAttachment <Boolean>]
[-TeamsChannelLocation <MultiValuedProperty>]
[-TeamsChannelLocationException <MultiValuedProperty>]
[-TeamsChatLocation <MultiValuedProperty>]
[-TeamsChatLocationException <MultiValuedProperty>]
[-WhatIf]
[<CommonParameters>] New-RetentionCompliancePolicy
[-Name] <String>
-AdaptiveScopeLocation <MultiValuedProperty>
[-Applications <MultiValuedProperty>]
[-Comment <String>]
[-Confirm]
[-Enabled <Boolean>]
[-Force]
[-IsSimulation]
[-RestrictiveRetention <Boolean>]
[-RetainCloudAttachment <Boolean>]
[-WhatIf]
[<CommonParameters>] Description
Policies are not valid until a rule is added (for retention policies) or a label is added (for retention label policies). For more information, see New-RetentionComplianceRule. In addition, at least one location parameter must be defined to create a retention policy or retention label policy.
To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see [Permissions in the Microsoft Purview compliance portal]/purview/microsoft-365-compliance-center-permissions).
Examples
Example 1
New-RetentionCompliancePolicy -Name "Regulation 123 Compliance" -ExchangeLocation "Kitty Petersen", "Scott Nakamura" -SharePointLocation "https://contoso.sharepoint.com/sites/teams/finance"This example creates a retention policy named "Regulation 123 Compliance" for the mailboxes of Kitty Petersen and Scott Nakamura, and the finance SharePoint Online site.
The next step is to use the New-RetentionComplianceRule cmdlet to add a rule to the retention policy.
Example 2
New-RetentionCompliancePolicy -Name "Marketing Department" -Enabled $true -SharePointLocation https://contoso.sharepoint.com -RetainCloudAttachment $true -Comment "Regulatory compliance for Marketing Dept."This example creates a new auto-apply label policy targeted to cloud attachments named Marketing Department with the specified details.
The next step is to use the New-RetentionComplianceRule cmdlet to add a retention label to the retention label policy.
Parameters
-AdaptiveScopeLocation
The AdaptiveScopeLocation parameter specifies the adaptive scope location to include in the policy. You create adaptive scopes by using the New-AdaptiveScope cmdlet. You can use any value that uniquely identifies the adaptive scope. For example:
- Name
- Distinguished name (DN)
- GUID
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Applications
The Applications parameter specifies the target when Microsoft 365 Groups are included in the policy (the ModernGroups parameter is set). Valid values are:
Group:Exchangefor the mailbox that's connected to the Microsoft 365 Group.Group:SharePointfor the SharePoint site that's connected to the Microsoft 365 Group."Group:Exchange,SharePoint"for both the mailbox and the SharePoint site that are connected to the Microsoft 365 Group.- blank (
$null): This is the default value, and is functionally equivalent to the value"Group:Exchange,SharePoint".
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Comment
The Comment parameter specifies an optional comment. If you specify a value that contains spaces, enclose the value in quotation marks ("), for example: "This is an admin note".
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Confirm
The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.
- Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax:
-Confirm:$false. - Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Enabled
The Enabled parameter specifies whether the policy is enabled or disabled. Valid values are:
- $true: The policy is enabled. This is the default value.
- $false: The policy is disabled.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-ExchangeLocation
The ExchangeLocation parameter specifies the mailboxes to include in the policy. Valid values are:
- A mailbox
- A distribution group or mail-enabled security group (all mailboxes that are currently members of the group).
- The value All for all mailboxes. You can only use this value by itself.
To specify a mailbox or distribution group, you can use any value that uniquely identifies it. For example:
- Name
- Distinguished name (DN)
- Email address
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
If no mailboxes are specified, then no mailboxes are placed on hold.
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-ExchangeLocationException
The ExchangeLocationException parameter specifies the mailboxes to exclude from the policy when you use the value All for the ExchangeLocation parameter. Valid values are:
- A mailbox
- A distribution group or mail-enabled security group
To specify a mailbox or distribution group, you can use any value that uniquely identifies it. For example:
- Name
- Distinguished name (DN)
- Email address
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Force
The Force switch hides warning or confirmation messages. You don't need to specify a value with this switch.
You can use this switch to run tasks programmatically where prompting for administrative input is inappropriate.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-IsSimulation
The IsSimulation switch specifies the policy is created in simulation mode. You don't need to specify a value with this switch.
For more information about simulation mode, see Learn about simulation mode.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-ModernGroupLocation
The ModernGroupLocation parameter specifies the Microsoft 365 Groups to include in the policy. Valid values are:
- A Microsoft 365 Group
- The value All for all Microsoft 365 Groups. You can only use this value by itself.
To identify the Microsoft 365 Group, you can use any value that uniquely identifies it. For example:
- Name
- Distinguished name (DN)
- Email address
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-ModernGroupLocationException
The ModernGroupLocationException parameter specifies the Microsoft 365 Groups to exclude from the policy when you use the value All for the ModernGroupLocation parameter.
You can use any value that uniquely identifies the Microsoft 365 Group. For example:
- Name
- Distinguished name (DN)
- Email address
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Name
The Name parameter specifies the unique name of the retention policy. If the value contains spaces, enclose the value in quotation marks.
| Type: | String |
| Position: | 1 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-OneDriveLocation
The OneDriveLocation parameter specifies the OneDrive for Business sites to include. You identify the site by its URL value, or you can use the value All to include all sites.
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-OneDriveLocationException
This parameter specifies the OneDrive for Business sites to exclude when you use the value All for the OneDriveLocation parameter. You identify the site by its URL value.
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-PolicyRBACScopes
The PolicyRBACScopes parameter specifies the administrative units to assign to the policy. A valid value is the Microsoft Entra ObjectID (GUID value) of the administrative unit. You can specify multiple values separated by commas.
Administrative units are available only in Microsoft Entra ID P1 or P2. You create and manage administrative units in Microsoft Graph PowerShell.
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-PolicyTemplateInfo
This parameter is reserved for internal Microsoft use.
| Type: | PswsHashtable |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-PublicFolderLocation
The PublicFolderLocation parameter specifies that you want to include all public folders in the retention policy. You use the value All for this parameter.
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-RestrictiveRetention
The RestrictiveRetention parameter specifies whether Preservation Lock is enabled for the policy. Valid values are:
- $true: Preservation Lock is enabled for the policy. No one -- including an administrator -- can turn off the policy or make it less restrictive.
- $false: Preservation Lock isn't enabled for the policy. This is the default value.
After a policy has been locked, no one can turn off or disable it, or remove content from the policy. And it's not possible to modify or delete content that's subject to the policy during the retention period. The only ways that you can modify the retention policy are by adding content to it, or extending its duration. A locked policy can be increased or extended, but it can't be reduced, disabled, or turned off.
Therefore, before you lock a retention policy, it's critical that you understand your organization's compliance requirements, and that you don't lock a policy until you are certain that it's what you need.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-RetainCloudAttachment
Note: This parameter is currently in Preview, is not available in all organizations, and is subject to change.
The RetainCloudAttachment parameter specifies that this is a cloud attachment policy. Valid values are:
- $true: The policy is a cloud attachment policy.
- $false: The policy is not a cloud attachment policy. This is the default value.
For the value $true, you can only use the following location parameters:
- SharePointLocation and SharePointLocationException
- OneDriveLocation and OneDriveLocationException
- ModernGroupLocation and ModernGroupLocationException
A tag that uses a cloud attachment policy to create a rule can be a record label or a regulatory label. You can't use a publishing tag for a cloud attachment policy to create a rule; only apply tags are supported.
The RetainCloudAttachment parameter is not available on the Set-RetentionCompliancePolicy cmdlet.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-SharePointLocation
The SharePointLocation parameter specifies the SharePoint Online sites to include. You identify the site by its URL value, or you can use the value All to include all sites.
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
SharePoint Online sites can't be added to the policy until they have been indexed. If no sites are specified, then no sites are placed on hold.
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-SharePointLocationException
This parameter specifies the SharePoint Online sites to exclude when you use the value All for the SharePointLocation parameter. You identify the site by its URL value.
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-SkypeLocation
The SkypeLocation parameter specifies the Skype for Business Online users to include in the policy.
You can use any value that uniquely identifies the user. For example:
- Name
- Distinguished name (DN)
- Email address
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-SkypeLocationException
This parameter is reserved for internal Microsoft use.
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-TeamsChannelLocation
The TeamsChannelLocation parameter specifies the Teams to include in the policy.
You can use any value that uniquely identifies the team. For example:
- Name
- Email address
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-TeamsChannelLocationException
The TeamsChannelLocationException parameter specifies the Teams to exclude when you use the value All for the TeamsChannelLocation parameter. You can use any value that uniquely identifies the team. For example:
- Name
- Email address
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-TeamsChatLocation
The TeamsChatLocation parameter specifies the Teams users to include in the policy.
You can use any value that uniquely identifies the user. For example:
- Name
- Distinguished name (DN)
- Email address
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-TeamsChatLocationException
The TeamsChatLocationException parameter specifies the Teams users to exclude when you use the value All for the TeamsChatLocation parameter. You can use any value that uniquely identifies the user. For example:
- Name
- Distinguished name (DN)
- Email address
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-WhatIf
The WhatIf switch doesn't work in Security & Compliance PowerShell.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for