Overview of retention and the data lifecycle

  • 5 minutes

In Microsoft 365, it's easy to create and share data. Without the right controls, it's as easy for that data to linger indefinitely or disappear before it should. Whether the goal is to meet regulatory requirements, reduce exposure to stale content, or preserve business records, Microsoft Purview provides retention policies to help manage the lifespan of data in a secure, predictable way.

Retention in Microsoft Purview lets organizations decide how long to keep content and what happens when that time is up. You can retain content to make sure it's available for legal or operational reasons. You can delete content to reduce risk. Or you can do both. Retain it for a defined period, then delete it when it's no longer needed.

Protecting data through retention

While retention is often used for compliance, it also plays a key role in data security. It protects important information from being deleted, either by accident or on purpose. Once a retention rule is in place, content is preserved even if a user tries to remove it. This is especially important when the content might be subject to audits, investigations, or legal holds.

Retention also helps prevent risk from forgotten or outdated files. Without rules to remove stale content, organizations are left with documents that are no longer in use but still contain sensitive information. These files might sit on SharePoint sites or in OneDrive accounts long after they're needed. If there's no business or legal reason to keep them, removing them helps reduce exposure to future threats.

Understanding the data lifecycle

Retention is one part of managing the data lifecycle. The data lifecycle refers to how information is handled from the time it's created until the time it's deleted. In Microsoft Purview, lifecycle management includes several steps:

  • Classifying content
  • Protecting sensitive data
  • Applying retention rules
  • Disposing of content when it's no longer needed

Retention plays a central role by ensuring that data is kept for as long as needed, and removed when it's no longer necessary.

Examples of how retention supports security and governance

Retention policies are used to solve common, real-world problems related to data security and compliance:

  • A manager deletes a Teams message thread about an ongoing HR investigation. Retention keeps that content preserved until the required time period ends.
  • A marketing team stores outdated customer reports in SharePoint. A retention policy deletes those files automatically after three years. This reduces the amount of sensitive data left unmonitored.
  • A company is required to keep employee tax forms for seven years. Retention policies ensure that these files are held for the full required duration, even if someone attempts to clean up their mailbox.

These examples show how retention supports both compliance and security goals. It helps control how long data exists and ensures it isn't removed too soon or kept longer than necessary.