Module 04 — Governance & Discovery

Data Life Cycle

Retention policies · Records management · Lifecycle stages · Disposition review · Auto-apply label strategy

What Is Data Lifecycle Management?

Data Lifecycle Management in Microsoft Purview governs how long data is kept, when it becomes a record, and what happens when the retention period expires. It is the enforcement layer for data minimization — a core principle of HIPAA, HITECH, GDPR, and PCI DSS compliance.

Lifecycle policies ensure that data is kept as long as required by regulation or policy, and no longer. This reduces the attack surface, limits discovery scope in litigation, and reduces storage costs from stale data accumulation.

The audit defensibility standard requires that an auditor can ask: "Show me the rule, the system that enforces it, the evidence it ran, and the disposition record." Every retention label, policy, and workflow must produce one of those four artifacts.

Four-Stage Retention Methodology
Operating Principle: Retain and Protect are a paired control — every retention label must have a sibling DLP policy. "Retain forever, protect never" creates liability, not compliance.
① Discover

Purview Content Explorer + Data Map scan all locations. SIT confidence scores identify regulated content. SHIR enables on-premises scans. Inventory generates the master retention matrix.

② Classify

Sensitivity label + Retention label applied — manually, by auto-apply SIT rule, or via adaptive scope. Content-based SIT for unstructured discovery; metadata/property triggers for stable structured categories.

③ Retain

Retention hold prevents deletion for the defined period. Trigger is event-based (termination, closure) or time-based (creation, last modified). Legal hold via eDiscovery overrides all retention periods.

④ Dispose

At expiry: disposition review for records, auto-delete for non-records. Power Automate enforces approver SLAs. Disposition event logged permanently — the audit proof. No deletion without logged evidence.

On-Premises Coverage Gap: Purview classifies on-premises content via SHIR but does not natively retain on-premises files. Interim: use FSRM + Purview-driven move-to-archive. Long-term: migrate regulated content to SharePoint / OneDrive.
HR Retention Schedule — HUM Domain Reference

The HUM domain is the foundational domain set for the Lifecycle Control Model (LCM). Each record type maps to a retention code, trigger, period, disposition action, and record/regulatory classification. This schedule is the authoritative source for Purview retention label configuration in the Human Resources function.

Reference | Record Type | Subcategory | Trigger | Retention | Disposition | Record | Regulatory
HUM-100 | Benefits Records | Benefits | Time | Permanent | Retain | Yes | No
HUM-110 | Compensation Records | Compensation | Time | 6 years | Delete | Yes | No
HUM-120 | Incentive Payout Calculations | Compensation | Time | 7 years | Delete | Yes | No
HUM-200 | Recruiting / Candidate Records | Recruiting | Time | 4 years | Delete | Yes | No
HUM-210 | Immigration and I-9 Records | Immigration | Event | 3 years | Delete | Yes | Yes
HUM-220 | Affirmative Action Plans | Compliance | Event | 5 years | Delete | Yes | No
HUM-300 | Personnel Records | Personnel Records | Event | 4 years | Delete | Yes | No
HUM-400 | Training and Development Records | Training | Event | 6 years | Delete | Yes | No
HUM-600 | Exposure Monitoring Records | Health and Safety | Time | 30 years | Delete | Yes | Yes
HUM-610 | Employee Medical Records | Medical | Event | 30 years | Delete | Yes | Yes
HUM-620 | OSHA and External Incident Records | Incidents | Time | 5 years | Delete | Yes | No
HUM-621 | Internal Incident Records | Incidents | Time | 3 years | Delete | Yes | No
HUM-630 | Workers Compensation Records | Workers Compensation | Event | 5 years | Delete | Yes | Yes
HUM-700 | Labor Relations Records | Labor Relations | Time | Permanent | Retain | Yes | Yes
HUM-800 | HR Investigation Records | Investigations | Event | 3 years | Delete | Yes | No
Regulatory Records (HUM-210, HUM-600, HUM-610, HUM-630, HUM-700): These five categories carry regulatory record status — immutable once declared, requiring compliance officer unlock. Purview must be configured to declare these as Regulatory Records, not standard Records. Disposition requires explicit sign-off; auto-delete is not permitted.
📋 15 Record Types

Across 9 subcategories: Benefits, Compensation, Recruiting, Immigration, Compliance, Personnel, Training, Health & Safety, and Investigations.

⚖️ 5 Regulatory Records

HUM-210, HUM-600, HUM-610, HUM-630, HUM-700. Immutable. Require explicit unlock and documented disposition authority.

♾️ 2 Permanent Retains

HUM-100 (Benefits) and HUM-700 (Labor Relations) are permanent — no disposition. These items must never enter a disposition review workflow.

Retain + Protect Pairing Matrix — HUM Domain

Every HUM retention label must be paired with a sibling DLP policy using a consistent naming convention: RET-HUM-[code] for the retention label, DLP-HUM-[code] for the DLP rule. This ensures that content being retained is also being protected — not just preserved as liability.

Retention Label | Paired DLP Policy | SIT Trigger | Sensitivity Label | Priority Tier
RET-HUM-610 | DLP-HUM-610 | Employee Medical / HIPAA-adjacent PHI | Confidential | Tier 1 — High
RET-HUM-600 | DLP-HUM-600 | Occupational Health / Exposure Records | Confidential | Tier 1 — High
RET-HUM-210 | DLP-HUM-210 | I-9 / Immigration Document Numbers | Confidential | Tier 1 — High
RET-HUM-700 | DLP-HUM-700 | Labor Agreement Terms / Union Metadata | Internal | Tier 2 — Medium
RET-HUM-300 | DLP-HUM-300 | SSN, DOB, Employee ID | Confidential | Tier 1 — High
RET-HUM-110 | DLP-HUM-110 | Salary / Compensation Figures | Internal | Tier 2 — Medium
RET-HUM-800 | DLP-HUM-800 | HR Investigation Keywords + Names | Confidential | Tier 2 — Medium
RET-HUM-630 | DLP-HUM-630 | Workers Comp Claims / Injury Codes | Confidential | Tier 2 — Medium
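The pairing rule above is only a control if something checks it. The script below is an added example (not part of the module) that reports every HUM code whose RET-HUM-* label has no enabled DLP-HUM-* sibling; it assumes an active Connect-IPPSSession and that both families follow the naming convention stated above.

```powershell
# Added example: audit the Retain + Protect pairing for the HUM domain.
# Assumes Connect-IPPSSession is already established and that labels and policies are
# named RET-HUM-<code> / DLP-HUM-<code> as the pairing matrix requires.

# Every code in the HUM retention schedule; anything missing on either side is a finding.
$expectedCodes = @('100','110','120','200','210','220','300','400',
                   '600','610','620','621','630','700','800')

$retentionLabels = Get-ComplianceTag      | Where-Object { $_.Name -like 'RET-HUM-*' }
$dlpPolicies     = Get-DlpCompliancePolicy | Where-Object { $_.Name -like 'DLP-HUM-*' }

# Index both families by the numeric code so suffix differences still pair up.
$retByCode = @{}
foreach ($lbl in $retentionLabels) {
    if ($lbl.Name -match '^RET-HUM-(\d+)') { $retByCode[$Matches[1]] = $lbl }
}
$dlpByCode = @{}
foreach ($pol in $dlpPolicies) {
    if ($pol.Name -match '^DLP-HUM-(\d+)') { $dlpByCode[$Matches[1]] = $pol }
}

$report = foreach ($code in $expectedCodes) {
    $ret = $retByCode[$code]
    $dlp = $dlpByCode[$code]
    # A disabled DLP policy protects nothing, so it does not count as a pairing.
    $status = if ($ret -and $dlp -and $dlp.Enabled) { 'Paired' }
              elseif ($ret -and $dlp)               { 'Paired but DLP disabled' }
              elseif ($ret)                         { 'RETAIN ONLY: liability' }
              elseif ($dlp)                         { 'DLP only: no retention label' }
              else                                  { 'Missing both' }
    $retName = if ($ret) { $ret.Name } else { '-' }
    $dlpName = if ($dlp) { $dlp.Name } else { '-' }
    [pscustomobject]@{
        Code           = "HUM-$code"
        RetentionLabel = $retName
        DlpPolicy      = $dlpName
        Status         = $status
    }
}

$report | Format-Table -AutoSize

# Only the gaps go into the checkpoint evidence pack.
$report | Where-Object Status -ne 'Paired' |
    Export-Csv -Path ".\RetainProtectGaps_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```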
Data Lifecycle Stages
① Create / Receive

Data enters the organization. Sensitivity label applied (manually or automatically). Classification determines lifecycle path. Records declaration happens here for regulated content.

② Active Use

Data is actively accessed and modified. Retention hold prevents deletion. DLP and labeling enforce access and sharing controls during this phase.

③ Inactive / Archive

Data no longer actively used but must be retained. Moved to archive tier if applicable. Access becomes read-only or requires formal request. Retention clock continues running.

④ Disposition

Retention period expires. Disposition review triggered (for records) or automated deletion occurs. Disposition proof logged for compliance audit.

Retention Policy Design — Cross-Function Reference
Content Type | Function | Retention Period | Trigger | Action at Expiry | Record
Patient account records | Patient Services | 7 years | Account closure | Disposition review → delete | Yes
Loan documents | Lending | 7 years post-payoff | Loan closure date | Disposition review → delete | Yes
Personnel Records (HUM-300) | Human Resources | 4 years | Separation event | HR review → delete | Yes
Email (general) | All | 3 years | Creation date | Auto-delete | No
Financial reports (audited) | Finance | 10 years | Report date | Disposition review | Yes
Contracts | Legal | 10 years post-expiry | Contract end date | Legal review → delete | Yes
Meeting recordings (Teams) | All | 180 days | Recording date | Auto-delete | No
Security logs / SIEM | Security | 1 year hot + 6 year archive | Log date | Archive then delete | Regulatory
Employee Medical Records (HUM-610) | Human Resources | 30 years | Separation event | Disposition review → delete | Regulatory
Labor Relations Records (HUM-700) | Human Resources | Permanent | N/A | Retain — no disposition | Regulatory
HUM Domain Reference: See the HR Retention Schedule section above for the complete 15-record HUM domain reference set — the Lifecycle Control Model (LCM) baseline for Purview configuration.
Authoritative Source: Records and Compliance owns the canonical retention matrix. Purview consumes it via adaptive-scope retention labels. In case of conflict between Purview policy and the Records and Compliance schedule, Records and Compliance controls.
Records Management
Regulatory Records

Content declared as a regulatory record cannot be modified or deleted — only unlocked by compliance officers with documented justification. Immutable once declared. Use for origination records, SAR filings, regulatory exam correspondence, and HIPAA-designated PHI records.

Records (Locked)

Standard record status prevents deletion but allows edit with audit trail. Used for contracts, policies, and procedures. Disposition review required at end of retention period — cannot auto-delete without reviewer approval.

Auto-Apply Retention Label Strategy

Retention labels can be applied automatically to content based on SIT matches, trainable classifiers, or keyword conditions. This ensures regulatory content is retained without relying on users to apply labels manually.

Auto-Apply Priority Order

  1. Explicit user-applied label — always wins, never overridden automatically
  2. Auto-apply based on SIT match (e.g., SSN, account number) — high confidence required
  3. Auto-apply based on trainable classifier (e.g., legal documents, financial statements)
  4. Default label from document library or site policy — lowest priority

Simulation Before Publishing

Always run retention label auto-apply policies in simulation mode first. Review what would be labeled. Check for false positives that would lock content prematurely as records.

Disposition Review Process
📬 Trigger

Retention period expires. Purview creates a disposition review task and notifies assigned reviewers. Items pending review are held — cannot be deleted until reviewed.

👤 Review

Reviewer inspects item metadata, title, and content snippet. Decision options: Approve for deletion, Retain (extend period), Re-label, or Export a copy before deletion.

📋 Proof of Disposal

Upon approval, Purview logs the disposal event with reviewer identity, timestamp, and item metadata. This proof-of-disposal record is retained permanently for compliance audit.

Disposition Automation (Power Automate): For high-volume categories, use Power Automate to enforce reviewer SLAs, route to an approver pool, and surface a disposition SLA dashboard. Without automation, monthly review volumes exceeding ~5,000 items create a bottleneck that silently delays audit-defensible disposal. Regulatory Records (HUM-210, -600, -610, -630, -700) always require human reviewer approval — never auto-delete.
Disposition Type | Records and Compliance Role | Can Auto-Delete? | Evidence Required
Regulatory Record (e.g., HUM-700) | Compliance Officer unlock required | No | Signed disposition memo + audit log
Standard Record | Disposition reviewer approval | No — review mandatory | Purview disposition log
Non-record content | Policy owner | Yes — if policy defines auto-delete | Purview deletion event log
Legal hold | eDiscovery / Legal | No — hold overrides all | Hold release memo + audit trail
Known Risks & Mitigations
Risk | Priority | Mitigation
Multiple retention systems (SharePoint, NetApp, Veritas, Purview) creating conflicting schedules | High | Records and Compliance owns canonical matrix. Purview consumes via adaptive-scope labels. Single source of truth.
Retain forever, protect never — items retained without paired DLP or labeling become liability | High | Enforce Retain + Protect pairing matrix. Every RET-HUM-* label must have a sibling DLP-HUM-* policy.
Auto-labeling false positives mis-trigger long retention on transient files | Medium | Run auto-apply in simulation mode first. Set minimum confidence threshold. Prefer metadata triggers for stable categories.
Custom property dependency — export or save-as can strip metadata properties | Medium | Prefer SIT content inspection for unstructured discovery; use SharePoint column metadata for structured locations.
On-premises coverage gap — Purview classifies via SHIR but does not natively retain on-premises | High | Interim: FSRM + Purview-driven move-to-archive. Long-term: migrate regulated content to SharePoint / OneDrive.
Disposition bottleneck when monthly review volumes exceed ~5,000 items | Medium | Power Automate with approver pool, SLA dashboard, and auto-escalation after 48 hours of no response.
Encryption baseline gap — retention class without paired sensitivity-label encryption | High | Build encryption baseline matrix per retention class. High-risk HUM categories require Confidential label with AIP encryption.
PowerShell Reference — Labels & Retention

All Purview label and retention operations can be performed via PowerShell using the Security & Compliance PowerShell module. Connect first with Connect-IPPSSession. Sensitivity label cmdlets and retention/compliance tag cmdlets are distinct command families — they are not interchangeable.

Module prerequisite: Install-Module ExchangeOnlineManagement — then Connect-IPPSSession -UserPrincipalName admin@yourtenant.onmicrosoft.com. Requires Compliance Administrator or higher role. MFA will prompt if enforced.
A1 — Sensitivity Label Cmdlets
Scope distinction: Sensitivity label cmdlets (Get-Label, New-Label, etc.) operate on classification labels that control access, encryption, and marking. They are not retention labels. A sensitivity label and a retention label can be applied to the same item simultaneously but are configured and managed through entirely separate cmdlet families.
Get-Label | Select Name, Guid
Sensitivity · Enumerate active labels
Returns all published sensitivity labels in the tenant with their display name and immutable GUID. Use this as your label inventory baseline. GUIDs are the stable identifiers — display names can be changed; GUIDs cannot.
Get-Label | Select Name, Guid
Get-Label -IncludeDeleted
Sensitivity · Include deleted / orphaned labels
Returns all labels including those that have been deleted. Critical for reconciling GUID orphans that appear in audit logs — if a GUID in your audit data does not appear in Get-Label output, it will appear here. Useful for post-migration cleanup and for cross-tenant AIP classic label investigations.
Get-Label -IncludeDeleted
Search-UnifiedAuditLog — LabelApplied
Sensitivity · Audit · Label application events
Queries the Unified Audit Log for sensitivity label application events in the specified date window. Returns the user, file, workload, label GUID, and timestamp. If the label GUID in the result does not resolve to a name in Get-Label output, cross-reference with Get-Label -IncludeDeleted — that is an orphaned GUID artifact (see note below).
Search-UnifiedAuditLog `
    -StartDate 05/14/2026 `
    -EndDate   05/15/2026 `
    -Operations LabelApplied
Orphaned GUID artifacts in audit logs
Audit log entries like f2bd1a1b-88ad-42f1-b7e6-fcd5770fff8f or c89fde59-1bbd-4f0c-b3bb-3afb87b12fd are not newly generated labels. They are label ID references that no longer resolve to a friendly display name. This occurs when:

  • A label was deleted — GUID remains in historical audit records permanently
  • A label was renamed — old display name is lost in earlier telemetry; GUID is stable
  • Labels no longer properly resolve in the reporting UI (sync lag, tenant migration)
  • Cross-tenant / legacy AIP classic labeling — external files stamped with labels from another tenant's label taxonomy or AIP classic client

Resolution path: Run Get-Label -IncludeDeleted | Where-Object {$_.Guid -eq "<guid>"} to identify the original label. If it returns a result, the label was deleted. If it returns nothing, it originated from another tenant or AIP classic.
Get-Label — Full Detail Export
Sensitivity · Full property export
Exports all label properties to a CSV — useful for audits, change-management snapshots, and reconciling audit log GUIDs against the current label set.
Get-Label | Select Name, DisplayName, Guid, ContentType, Priority, Disabled `
    | Export-Csv -Path ".\SensitivityLabels_$(Get-Date -f yyyyMMdd).csv" -NoTypeInformation
A2 — Retention Label Cmdlets
Scope distinction: Retention label cmdlets (Get-ComplianceTag, New-ComplianceTag) create and manage retention labels — rules that define how long content is kept and what happens at expiry. A retention policy (New-RetentionCompliancePolicy) is the container that deploys a retention label to one or more locations (Exchange, SharePoint, OneDrive, Teams). Both are required to make retention work end-to-end.
Get-ComplianceTag
Retention · Enumerate all retention labels
Returns all retention labels (ComplianceTags) in the tenant. Equivalent of Get-Label for retention. Use to confirm a label exists before building an auto-apply policy or fact-checking the HUM retention schedule against live configuration.
Get-ComplianceTag | Select Name, RetentionAction, RetentionDuration,
    RetentionType, IsRecordLabel, Regulatory | Format-Table -AutoSize
Get-RetentionCompliancePolicy
Retention · Enumerate deployed retention policies
Lists all retention policies deployed in the tenant — the containers that publish retention labels to specific locations. A label without a policy is not enforced anywhere. Check both Get-ComplianceTag (the label exists) and Get-RetentionCompliancePolicy (the label is deployed).
Get-RetentionCompliancePolicy | Select Name, Enabled, Mode, `
    ExchangeLocation, SharePointLocation, OneDriveLocation | Format-Table -AutoSize
New-ComplianceTag — Create a Retention Label
Retention · Create label
Creates a new retention label. Key parameters: -RetentionAction = Keep, Delete, or KeepAndDelete · -RetentionDuration = days (or Unlimited) · -RetentionType = CreationAgeInDays, ModificationAgeInDays, EventAgeInDays, TaggedAgeInDays · -EventType = the event type an EventAgeInDays label is tied to (must already exist) · -IsRecordLabel $true = declares content as a locked record · -Regulatory $true = immutable regulatory record (requires Compliance Officer to unlock).
# Event-based labels reference an event type that already exists (New-ComplianceRetentionEventType);
# time-based labels omit -EventType and use CreationAgeInDays or ModificationAgeInDays instead.
New-ComplianceTag `
    -Name              "RET-HUM-300" `
    -Comment           "Personnel Records — 4 years post-separation event. HUM domain." `
    -RetentionAction   "KeepAndDelete" `
    -RetentionDuration 1461 `
    -RetentionType     "EventAgeInDays" `
    -EventType         "Employee Separation" `
    -IsRecordLabel     $true `
    -Regulatory        $false
New-RetentionCompliancePolicy — Deploy to Locations
Retention · Create policy container
Creates the policy that deploys a retention label to one or more Microsoft 365 locations. The policy is the shell — the label rule is added via New-RetentionComplianceRule (next). -RestrictiveRetention $false keeps the policy non-preservative (no Preservation Lock, so the policy stays editable rather than becoming a locked hold). Use All as the location value to apply tenant-wide.
New-RetentionCompliancePolicy `
    -Name                "POL-HUM-300-PersonnelRecords" `
    -Comment             "Deploys RET-HUM-300 to HR SharePoint locations" `
    -SharePointLocation  "https://yourtenant.sharepoint.com/sites/HumanResources" `
    -OneDriveLocation    "All" `
    -Enabled             $true
New-RetentionComplianceRule — Attach Label to Policy
Retention · Attach label rule to policy
Binds the retention label to the policy container. This is the final step that activates the label in the specified locations. -PublishComplianceTag publishes the label for manual application; use -ApplyComplianceTag for auto-apply, combined with -ContentContainsSensitiveInformation for SIT-based conditions or -ContentMatchQuery for keyword (KQL) conditions.
New-RetentionComplianceRule `
    -Policy               "POL-HUM-300-PersonnelRecords" `
    -PublishComplianceTag "RET-HUM-300"
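The auto-apply variant described above, as an added example that is not part of the module: a separate policy container whose rule applies RET-HUM-300 wherever the built-in U.S. SSN sensitive information type matches. It assumes RET-HUM-300 already exists, an active Connect-IPPSSession, and the placeholder site URL used elsewhere in this module; the policy and rule names are assumptions.

```powershell
# Added example: SIT-driven auto-apply of RET-HUM-300 (not the module's own build script).
# A dedicated container keeps the auto-apply rule separate from the manual-publish policy,
# so it can be simulated, paused, or rolled back without touching manual labeling.
New-RetentionCompliancePolicy `
    -Name               "POL-HUM-300-AutoApply-SSN" `
    -Comment            "Auto-applies RET-HUM-300 where a U.S. SSN is detected in HR SharePoint content" `
    -SharePointLocation "https://yourtenant.sharepoint.com/sites/HumanResources" `
    -Enabled            $true

# -ApplyComplianceTag (not -PublishComplianceTag) makes this an auto-apply rule.
# The condition uses the built-in SSN type; the Employee ID trigger from the pairing matrix
# would be a custom SIT and is deliberately left out of this example.
New-RetentionComplianceRule `
    -Policy             "POL-HUM-300-AutoApply-SSN" `
    -ApplyComplianceTag "RET-HUM-300" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }
    )

# Confirm the rule is bound and the policy is in the expected state. Review the simulation
# results in the portal (as the module requires) before leaving simulation mode.
Get-RetentionComplianceRule   -Policy   "POL-HUM-300-AutoApply-SSN" | Format-List Name, Policy, ApplyComplianceTag
Get-RetentionCompliancePolicy -Identity "POL-HUM-300-AutoApply-SSN" | Format-List Name, Enabled, Mode
```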
Sensitivity Label Inventory — Reference / Demo Format
ℹ️ Demonstration Format. The table below illustrates the structure of a sensitivity label inventory export (Get-Label | Select Name, DisplayName, Guid) using the platform's 4-label taxonomy as a reference baseline. Replace with your tenant's actual output during configuration. GUIDs shown are synthetic placeholders — run Get-Label in your tenant to obtain live values.

GUIDs are immutable — they persist in audit logs permanently even after a label is renamed or deleted. Use this inventory format to reconcile GUID-only entries in Search-UnifiedAuditLog output against the current label taxonomy. Populate with your tenant's real Get-Label output and refresh at each program checkpoint.

Name | Display Name | GUID (Example — replace with tenant output) | Notes
Public | Public | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Lowest classification tier — approved for external sharing, no encryption controls
Internal | Internal | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Standard internal business content — not for external sharing; visual marking only
Confidential | Confidential | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Regulated data (PHI, PII, financial) — DLP enforcement active, encryption optional per sub-label
Restricted | Restricted | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Highest classification — encryption enforced, access scoped to named principals; requires compliance review to share
Secure Email | Secure Email - Sensitive Information | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Exchange-scoped — encryption on outbound sensitive email; maps to Confidential tier
Attorney Client Privileged | Attorney Client Privileged | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Legal privilege classification — Legal team access only; maps to Restricted tier
PHI — Contains Patient Information | PHI - Patient Information | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | HIPAA scope — PHI SIT trigger; paired with DLP-PHI policy; maps to Confidential or Restricted
PII — Contains SSN | Personal - Contains SSN | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | PII scope — SSN SIT trigger; paired with DLP-HUM-300; maps to Confidential tier
PII — Contains TIN | Personal - Contains TIN Information | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Tax / IRS scope — TIN SIT trigger; maps to Confidential tier
How to populate this table for your tenant: Connect to Security & Compliance PowerShell (Connect-IPPSSession) and run:
Get-Label | Select Name, DisplayName, Guid | Export-Csv -Path ".\LabelInventory_$(Get-Date -f yyyyMMdd).csv" -NoTypeInformation

Replace the placeholder rows above with the CSV output. Refresh at each engagement checkpoint and compare against the prior snapshot to identify additions, renames, and deletions.
GUID orphan reconciliation: If Search-UnifiedAuditLog returns a GUID not in your inventory, run Get-Label -IncludeDeleted | Where-Object {$_.Guid -eq "<guid>"}. A result means the label was deleted but existed in this tenant. No result means the label originated from another tenant (cross-tenant AIP-labeled file) or was applied via AIP classic client from a different taxonomy. Document the finding and add to the known-orphan register.
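The orphan-GUID resolution path (described in the A1 reference and again just above) done in bulk rather than one GUID at a time, as an added example that is not part of the module: it pulls recent label-application events, extracts the label GUID from each record, and classifies it as active, deleted in this tenant, or foreign. It assumes an active Connect-IPPSSession; the two AuditData property paths probed and the two operation names queried (the Office-app and SharePoint variants of the module's LabelApplied reference) are assumptions to confirm against your tenant's own audit records.

```powershell
# Added example: reconcile label GUIDs in audit events against the live and deleted label taxonomy.
# Assumptions: Connect-IPPSSession is established; the AuditData field paths and operation names
# below match your tenant's audit schema (verify on one record first).

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Live taxonomy, then deleted labels that are not also live, both indexed by lower-case GUID.
$live = @{}
Get-Label | ForEach-Object { $live[([string]$_.Guid).ToLower()] = $_.Name }
$deleted = @{}
Get-Label -IncludeDeleted | ForEach-Object {
    $g = ([string]$_.Guid).ToLower()
    if (-not $live.ContainsKey($g)) { $deleted[$g] = $_.Name }
}

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations SensitivityLabelApplied, FileSensitivityLabelApplied -ResultSize 5000

function Get-LabelGuidFromAudit {
    # Extracts the applied label's GUID from one AuditData JSON payload, or $null if absent.
    param([string]$AuditDataJson)
    $d = $AuditDataJson | ConvertFrom-Json
    $candidate = $d.SensitivityLabelEventData.SensitivityLabelId   # Office-app events (assumed path)
    if (-not $candidate) { $candidate = $d.DestinationLabel }      # SharePoint file events (assumed path)
    if ($candidate -is [string] -and $candidate -match '^[0-9a-fA-F-]{36}$') { return $candidate.ToLower() }
    return $null
}

$findings = foreach ($ev in $events) {
    $guid = Get-LabelGuidFromAudit -AuditDataJson $ev.AuditData
    if (-not $guid) { continue }
    $class = if ($live.ContainsKey($guid))        { 'Active' }
             elseif ($deleted.ContainsKey($guid)) { 'Deleted in this tenant' }
             else                                 { 'Orphan: foreign tenant or AIP classic' }
    $name  = if ($live.ContainsKey($guid)) { $live[$guid] }
             elseif ($deleted.ContainsKey($guid)) { $deleted[$guid] }
             else { '-' }
    [pscustomobject]@{
        When      = $ev.CreationDate
        User      = $ev.UserIds
        LabelGuid = $guid
        LabelName = $name
        Class     = $class
    }
}

# Summary by class, then the non-active GUIDs (one row each) for the known-orphan register.
$findings | Group-Object Class | Select-Object Name, Count
$findings | Where-Object Class -ne 'Active' | Sort-Object LabelGuid -Unique |
    Export-Csv -Path ".\LabelGuidOrphans_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```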
How To: Build a Retention Label — HUM-300 Personnel Records (Example)
HUM-300 specification: Personnel Records · Trigger = Separation event (Event-based) · Retention = 4 years (1,461 days) · Action = Delete · Record type = Locked Record (not regulatory) · Disposition = HR reviewer required · Paired DLP = DLP-HUM-300 (SIT trigger: SSN, DOB, Employee ID) · Sensitivity label pairing = Confidential.

Retention labels for event-based triggers require two separate configurations: the label itself (the rule), and an event type (the trigger definition). For HUM-300, the event type is Employee Separation — a Power Automate flow or manual entry fires the event when an employee leaves, which starts the 4-year retention clock on all items tagged with this label.

Two build paths are documented below. Path 1 (without File Plan) is acceptable for initial configuration and testing. Path 2 (with File Plan) is the production standard — it attaches regulatory metadata that enables defensible audit reporting and integrates with the Records Management file plan in Purview.

Path 1 — Without File Plan · UI Walk-Through
1. Navigate to Retention Labels

Open Microsoft Purview compliance portal → Data lifecycle management → Microsoft 365 → Labels tab.
Alternatively: Records management → File plan → + Create a label (this path leads directly to Path 2 with file plan — use Data lifecycle management for Path 1).

2. Create the Label — Name and Description

Click + Create a label. On the Name your retention label page:

  • Name: RET-HUM-300
  • Description for users: Personnel Records — applies when this document is associated with an active or former employee. Do not remove.
  • Description for admins: HUM-300 · 4 years post-separation · Event-based trigger · Locked Record · HR reviewer disposition · Paired: DLP-HUM-300
3. Define Retention Settings

On the Define retention settings page:

  • Retain items for a specific period: 4 years
  • Start the retention period based on: When an event occurs
  • At the end of the retention period: Delete items automatically — then enable Trigger a disposition review and add the HR reviewer group or individual
Important: Selecting "When an event occurs" means the 4-year clock does NOT start until an Employee Separation event is explicitly fired for that employee. Items tagged before the event fires are held indefinitely until the event occurs. This is by design — personnel records must not auto-delete before separation is confirmed.
4. Declare as Record

On the Choose what happens during the retention period page, select Mark items as a record. Do not select "Mark items as a regulatory record" — HUM-300 is a standard locked record, not immutable regulatory. Regulatory record status is reserved for HUM-210, HUM-600, HUM-610, HUM-630, HUM-700.

5. Review and Create

Review the summary. Confirm: Name = RET-HUM-300, Retention = 4 years, Trigger = Event, Action = Delete with disposition review, Record = Yes (locked). Click Create label. The label now exists but is not published or auto-applied anywhere yet.

6. Publish or Auto-Apply

After creation, Purview prompts: What do you want to do with this label after it's created?

  • Publish label to users and apps — makes the label available for manual application in SharePoint, OneDrive, Exchange. Users see it in the retention label picker. Use this for content that HR staff manually tag.
  • Auto-apply label to content — Purview automatically applies the label based on SIT match (SSN, DOB, Employee ID) or trainable classifier. This is the preferred path for unstructured HR content at scale.

For HUM-300, use both: publish for HR staff manual labeling and configure an auto-apply policy targeting SSN + Employee ID SIT matches in HR SharePoint locations.

7. Create the Employee Separation Event Type

Navigate to Records management → Events → Manage event types → + Create. Create an event type named Employee Separation. When an employee separates, create an event of this type (+ Create on the Events tab), enter the employee's Asset ID (typically their Employee ID), and Purview starts the 4-year clock on all items tagged RET-HUM-300 for that Asset ID.

Path 1 — Without File Plan · PowerShell
HUM-300: Create label, policy, and attach — no file plan
Retention · HUM-300 · Event-based · Record
Creates the retention label, creates the deployment policy scoped to the HR SharePoint site, and attaches the label to the policy. Run each block sequentially. Replace the SharePoint URL and reviewer email with your environment's confirmed values.
# Step 1: Create the event type that starts the clock (it must exist before the label references it)
New-ComplianceRetentionEventType `
    -Name    "Employee Separation" `
    -Comment "Fired when an employee separates. Asset ID = Employee ID."

# Step 2: Create the retention label
New-ComplianceTag `
    -Name              "RET-HUM-300" `
    -Comment           "HUM-300: Personnel Records. 4 yrs post-separation. Event trigger. Locked record. HR reviewer disposition. Paired: DLP-HUM-300." `
    -RetentionAction   "KeepAndDelete" `
    -RetentionDuration 1461 `
    -RetentionType     "EventAgeInDays" `
    -EventType         "Employee Separation" `
    -IsRecordLabel     $true `
    -Regulatory        $false `
    -ReviewerEmail     "hr-records-reviewer@yourorg.com"

# Step 3: Create the policy container
New-RetentionCompliancePolicy `
    -Name               "POL-HUM-300-PersonnelRecords" `
    -Comment            "Deploys RET-HUM-300 to HR SharePoint and OneDrive locations" `
    -SharePointLocation "https://yourtenant.sharepoint.com/sites/HumanResources" `
    -OneDriveLocation   "All" `
    -Enabled            $true

# Step 4: Publish the label through a rule attached to the policy
New-RetentionComplianceRule `
    -Policy               "POL-HUM-300-PersonnelRecords" `
    -PublishComplianceTag "RET-HUM-300"

# Step 5: Verify label, policy, and rule binding
Get-ComplianceTag -Identity "RET-HUM-300" | Select Name, RetentionDuration, RetentionType, EventType, IsRecordLabel
Get-RetentionCompliancePolicy -Identity "POL-HUM-300-PersonnelRecords" | Select Name, Enabled, Mode
Get-RetentionComplianceRule -Policy "POL-HUM-300-PersonnelRecords" | Select Name, PublishComplianceTag
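The Path 1 block builds one label by hand. As an added example that is not part of the module, the script below generalises it to the whole HUM schedule: each row of the table is transcribed into a record, and one function maps Time/Event triggers, Permanent retention, and the Regulatory flag onto New-ComplianceTag parameters. It assumes an active Connect-IPPSSession, a placeholder reviewer address, one event type per event-triggered record class (the event-type names are assumptions), and that rounding 365.25 × years reproduces the module's 1,461-day value for 4 years.

```powershell
# Added example: drive New-ComplianceTag from the HUM retention schedule (dry run by default).
# Assumptions: Connect-IPPSSession established; reviewer address is a placeholder; regulatory
# labels need the tenant option enabled once via Set-RegulatoryComplianceUI -Enabled $true.

$reviewer = "hr-records-reviewer@yourorg.com"   # placeholder, replace with the confirmed HR reviewer

# Transcribed from the HUM schedule above. Years = 0 encodes "Permanent" (Retain, no disposition).
$schedule = @(
    @{ Code='HUM-100'; Name='Benefits Records';                   Trigger='Time';  Years=0;  Regulatory=$false }
    @{ Code='HUM-110'; Name='Compensation Records';               Trigger='Time';  Years=6;  Regulatory=$false }
    @{ Code='HUM-120'; Name='Incentive Payout Calculations';      Trigger='Time';  Years=7;  Regulatory=$false }
    @{ Code='HUM-200'; Name='Recruiting / Candidate Records';     Trigger='Time';  Years=4;  Regulatory=$false }
    @{ Code='HUM-210'; Name='Immigration and I-9 Records';        Trigger='Event'; Years=3;  Regulatory=$true  }
    @{ Code='HUM-220'; Name='Affirmative Action Plans';           Trigger='Event'; Years=5;  Regulatory=$false }
    @{ Code='HUM-300'; Name='Personnel Records';                  Trigger='Event'; Years=4;  Regulatory=$false }
    @{ Code='HUM-400'; Name='Training and Development Records';   Trigger='Event'; Years=6;  Regulatory=$false }
    @{ Code='HUM-600'; Name='Exposure Monitoring Records';        Trigger='Time';  Years=30; Regulatory=$true  }
    @{ Code='HUM-610'; Name='Employee Medical Records';           Trigger='Event'; Years=30; Regulatory=$true  }
    @{ Code='HUM-620'; Name='OSHA and External Incident Records'; Trigger='Time';  Years=5;  Regulatory=$false }
    @{ Code='HUM-621'; Name='Internal Incident Records';          Trigger='Time';  Years=3;  Regulatory=$false }
    @{ Code='HUM-630'; Name='Workers Compensation Records';       Trigger='Event'; Years=5;  Regulatory=$true  }
    @{ Code='HUM-700'; Name='Labor Relations Records';            Trigger='Time';  Years=0;  Regulatory=$true  }
    @{ Code='HUM-800'; Name='HR Investigation Records';           Trigger='Event'; Years=3;  Regulatory=$false }
)

function New-HumRetentionLabel {
    # Translates one schedule row into a New-ComplianceTag call; -WhatIf prints the plan only.
    param([hashtable]$Row, [switch]$WhatIf)

    $labelName = "RET-$($Row.Code)"
    if (Get-ComplianceTag -Identity $labelName -ErrorAction SilentlyContinue) {
        Write-Warning "$labelName already exists; skipping (use Set-ComplianceTag to change it)"
        return
    }

    $params = @{
        Name          = $labelName
        Comment       = "$($Row.Code): $($Row.Name). HUM domain. Paired: DLP-$($Row.Code)."
        IsRecordLabel = $true                 # every HUM row is a record (Record = Yes)
        Regulatory    = $Row.Regulatory       # immutable once declared; Compliance Officer unlock
    }

    if ($Row.Years -eq 0) {
        # Permanent retains: keep forever, never enter a disposition review, so no reviewer.
        $params.RetentionAction   = 'Keep'
        $params.RetentionDuration = 'Unlimited'
        $params.RetentionType     = 'CreationAgeInDays'
    } else {
        $params.RetentionAction   = 'KeepAndDelete'
        $params.RetentionDuration = [int][math]::Round($Row.Years * 365.25)   # 4 years -> 1461
        $params.ReviewerEmail     = $reviewer                                # disposition review
        if ($Row.Trigger -eq 'Event') {
            # Event-based rows need an event type; create it on first use (name is an assumption).
            $eventType = "$($Row.Name) Event"
            if (-not (Get-ComplianceRetentionEventType -Identity $eventType -ErrorAction SilentlyContinue)) {
                New-ComplianceRetentionEventType -Name $eventType -Comment "Trigger for $labelName" | Out-Null
            }
            $params.RetentionType = 'EventAgeInDays'
            $params.EventType     = $eventType
        } else {
            $params.RetentionType = 'CreationAgeInDays'
        }
    }

    New-ComplianceTag @params -WhatIf:$WhatIf
}

# Dry run: compare the printed plan against the schedule, then rerun without -WhatIf.
foreach ($row in $schedule) { New-HumRetentionLabel -Row $row -WhatIf }
```

Labels created this way still need a policy container and a New-RetentionComplianceRule binding per location, exactly as Steps 3 and 4 above do for HUM-300.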
Path 2 — With File Plan · UI Walk-Through
What is a File Plan? A file plan is a structured metadata layer attached to a retention label that records the business classification context — the why behind the retention rule. It maps to your organisation's records schedule and enables defensible audit reporting. It does not change how the label behaves technically; it enriches the label for governance reporting and records management oversight. For regulated environments, file plan is the production standard for all HUM domain labels.
File plan is only available in Records Management. Navigate via Records management → File plan → + Create a label. The Data lifecycle management path does not surface the file plan metadata fields.
1. Navigate to Records Management → File Plan

Microsoft Purview compliance portal → Records management → File plan tab → + Create a label.

2. Name and Description (same as Path 1)

Complete the name and description fields identically to Path 1 Step 2. The difference begins on the next page.

3. File Plan Descriptors — HUM-300 Values

On the Define file plan descriptors page, complete each field with the HUM-300 mapping:

File Plan Field | HUM-300 Value | Purpose
Reference ID | HUM-300 | Maps to the retention schedule reference code — the primary cross-reference key for audit reporting
Business function / department | Human Resources | Organizational owner of the record class
Category | Personnel Records | High-level record category within the HR function
Sub-category | Personnel Records | Granular classification within the category
Authority type | Business requirement | Indicates whether the retention is regulatory, legal, or business-driven — HUM-300 is business requirement (not statutory)
Provision / citation | Client HR Records Policy · HIPAA / applicable regulation | The policy or regulation that mandates this retention period. For HUM-300, the primary driver is the client's internal HR policy; add applicable regulatory citation (e.g., HIPAA/HITECH for healthcare, state privacy laws) where employee-related PHI or PII is in scope
4. Retention Settings, Record Type, Publish

Complete Steps 3 through 7 from Path 1 identically. The file plan metadata is stored alongside the label — it does not change the retention behavior, trigger, duration, or record type settings.

5. Verify in File Plan View

Return to Records management → File plan. The label RET-HUM-300 will appear with all file plan columns populated. You can export the full file plan to CSV: Export button at the top of the file plan view. This export is the audit-defensible record of your retention schedule configuration.

Path 2 — With File Plan · PowerShell
HUM-300: Create label with full file plan metadata
Retention · HUM-300 · File Plan · Event-based · Record
File plan descriptors are passed as a hashtable via -FilePlanProperty. The key names are fixed — use exactly: ReferenceId, Department, Category, SubCategory, AuthorityType, Provision, Citation.
# Step 1 — Build the file plan descriptors in the form -FilePlanProperty expects:
# a Settings array of Key/Value pairs, converted to JSON. Every Value must already exist
# as a descriptor in the tenant (list with Get-FilePlanPropertyDepartment, -Category,
# -SubCategory, -Authority, -Citation, -ReferenceId; create with the New-FilePlanProperty* cmdlets).
# The UI's single "Provision/citation" field maps to FilePlanPropertyCitation.
$filePlan = [PSCustomObject]@{
    Settings = @(
        @{ Key = "FilePlanPropertyReferenceId";  Value = "HUM-300" }
        @{ Key = "FilePlanPropertyDepartment";   Value = "Human Resources" }
        @{ Key = "FilePlanPropertyCategory";     Value = "Personnel Records" }
        @{ Key = "FilePlanPropertySubcategory";  Value = "Personnel Records" }
        @{ Key = "FilePlanPropertyAuthority";    Value = "Business Requirement" }
        @{ Key = "FilePlanPropertyCitation";     Value = "Client HR Records Policy" }
    )
}
$filePlanJson = $filePlan | ConvertTo-Json -Depth 5

# Step 2 — Create the label. EventAgeInDays requires -EventType: the retention event type whose
# occurrence (employee separation) starts the 4-year clock. It must exist before the label does
# (Get-ComplianceRetentionEventType lists them, New-ComplianceRetentionEventType creates one);
# "Employee Separation" is a placeholder name, replace it with your tenant's event type.
New-ComplianceTag `
    -Name              "RET-HUM-300" `
    -Comment           "HUM-300: Personnel Records. 4 yrs post-separation. Event trigger. Locked record. HR reviewer. Paired: DLP-HUM-300." `
    -RetentionAction   "KeepAndDelete" `
    -RetentionDuration 1461 `
    -RetentionType     "EventAgeInDays" `
    -EventType         "Employee Separation" `
    -IsRecordLabel     $true `
    -Regulatory        $false `
    -ReviewerEmail     "hr-records-reviewer@yourorg.com" `
    -FilePlanProperty  $filePlanJson

# Step 3 — Policy and publishing rule (same as Path 1). Publishing a label is a rule on the
# policy, created with New-RetentionComplianceRule.
New-RetentionCompliancePolicy `
    -Name               "POL-HUM-300-PersonnelRecords" `
    -Comment            "Deploys RET-HUM-300 to HR SharePoint and OneDrive" `
    -SharePointLocation "https://yourtenant.sharepoint.com/sites/HumanResources" `
    -OneDriveLocation   "All" `
    -Enabled            $true

New-RetentionComplianceRule `
    -Name                 "RULE-HUM-300-Publish" `
    -Policy               "POL-HUM-300-PersonnelRecords" `
    -PublishComplianceTag "RET-HUM-300"

# Step 4 — Verify. FilePlanMetadata comes back as a JSON string, so expand it to read the fields.
$tag = Get-ComplianceTag -Identity "RET-HUM-300"
$tag | Select-Object Name, RetentionType, RetentionDuration, EventType, IsRecordLabel | Format-List
$tag.FilePlanMetadata | ConvertFrom-Json | Format-List
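The CSV export in Step 5 has a PowerShell equivalent, which matters when the evidence has to be produced on a schedule rather than by someone clicking Export. The block below is an added example, not code from the original page: it expands each label's FilePlanMetadata JSON into columns, records which retention rule publishes or auto-applies the label, and writes a timestamped CSV together with its SHA-256 so the evidence file itself is tamper-evident. It assumes an existing Connect-IPPSSession; that rule objects returned by Get-RetentionComplianceRule expose PublishComplianceTag, ApplyComplianceTag (matched here by label name or GUID, whichever the tenant returns) and Policy; and that FilePlanMetadata mirrors the Settings array passed at creation, with a fallback branch for any other JSON shape.

```powershell
# Added example: file plan export as audit evidence. Assumes Connect-IPPSSession is active.
function Get-FilePlanRow {
    param(
        [Parameter(Mandatory)] $Tag,     # one object from Get-ComplianceTag
        [array] $Rules                   # all objects from Get-RetentionComplianceRule
    )
    # Fixed column set so every row exports with the same headers
    $row = [ordered]@{
        Label             = $Tag.Name
        RetentionType     = $Tag.RetentionType
        RetentionDuration = "$($Tag.RetentionDuration)"   # "Unlimited" for permanent labels
        RetentionAction   = $Tag.RetentionAction
        IsRecordLabel     = $Tag.IsRecordLabel
        ReviewerEmail     = (@($Tag.ReviewerEmail) -join ';')
        ReferenceId = ''; Department = ''; Category = ''; Subcategory = ''; Authority = ''; Citation = ''
    }
    if ($Tag.FilePlanMetadata) {
        $meta = $Tag.FilePlanMetadata | ConvertFrom-Json
        if ($meta.Settings) {
            # Shape assumed to mirror the Settings array passed to -FilePlanProperty
            foreach ($s in $meta.Settings) { $row[($s.Key -replace '^FilePlanProperty', '')] = "$($s.Value)" }
        } else {
            # Fallback: flatten whatever properties the tenant returned
            foreach ($p in $meta.PSObject.Properties) { $row[$p.Name] = "$($p.Value)" }
        }
    }
    # Which rules deploy this label (publish to users or auto-apply)? Match on name or GUID.
    $ids = @($Tag.Name, "$($Tag.Guid)")
    $deployers = @($Rules | Where-Object {
        ("$($_.PublishComplianceTag)" -in $ids) -or ("$($_.ApplyComplianceTag)" -in $ids)
    })
    $row['DeployedBy'] = ($deployers | ForEach-Object { "$($_.Policy):$($_.Name)" }) -join ';'
    return [pscustomobject]$row
}

$rules = @(Get-RetentionComplianceRule)
$rows  = Get-ComplianceTag |
    Where-Object { $_.FilePlanMetadata } |
    ForEach-Object { Get-FilePlanRow -Tag $_ -Rules $rules }

$out = "FilePlan-Export-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
$rows | Export-Csv -Path $out -NoTypeInformation -Encoding UTF8

# Hash the evidence file so a later reviewer can prove it is the file produced today.
$hash = (Get-FileHash -Path $out -Algorithm SHA256).Hash
"$hash  $out" | Set-Content -Path "$out.sha256"
"Exported $(@($rows).Count) labels to $out (SHA-256 $hash)"

# A label with a file plan entry but no rule deploying it is a schedule with no enforcement.
$rows | Where-Object { -not $_.DeployedBy } |
    ForEach-Object { "WARNING: $($_.Label) is in the file plan but no policy publishes or auto-applies it" }
```

Run it after every label change and keep the CSV and .sha256 with the change record; the WARNING lines are the labels an auditor will ask about first, because a rule in the file plan that nothing enforces is a documented intention, not a control.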
How To: Build a Retention Label for SSN Content (Generic)
Generic reference — not organisation-specific. This walk-through applies to any Microsoft 365 tenant. Replace all placeholder values (tenant URL, reviewer email, site URL) with your environment's values. The retention label name RET-PII-SSN is a suggested convention — adapt to your organisation's naming standard.

Social Security Numbers are regulated PII under HIPAA (when associated with patient records), state privacy laws (California CCPA, New York SHIELD Act, and equivalents), and multiple sector-specific frameworks. A retention label for SSN content typically pairs with an auto-apply policy using the built-in U.S. Social Security Number (SSN) sensitive information type.

Unlike HUM-300 (event-triggered), SSN retention is typically time-based from creation or last modification — the clock starts when the document is created, not when a downstream event occurs. Seven years is a common baseline; confirm against your legal and compliance team's guidance before publishing.

Path 1 — Without File Plan · UI Walk-Through
1
Navigate to Retention Labels

Microsoft Purview compliance portal → Data lifecycle management → Microsoft 365 → Labels tab → + Create a label.

2
Name and Description
  • Name: RET-PII-SSN
  • Description for users: This document contains Social Security Number data and is subject to a 7-year retention requirement. Do not delete.
  • Description for admins: PII retention label for SSN content. 7 years from creation. Time-based. Locked Record. Disposition review required. Pairs with DLP-PII-SSN auto-apply policy.
3
Define Retention Settings
  • Retain items for a specific period: 7 years
  • Start the retention period based on: When items were created
  • At the end of the retention period: choose Start a disposition review and add a Privacy or Compliance reviewer. Items are deleted only after the reviewer approves; the separate Delete items automatically option skips the review and therefore produces no disposition record.
Consider using "Last modified" instead of "Created" if your SSN documents are regularly updated (e.g., employee records templates that get overwritten). Using "Created" on a frequently-modified document means the retention clock continues from the original creation date regardless of subsequent edits.
4
Declare as Record

Select Mark items as a record. This locks the document and creates an audit trail on any modification. For most SSN content, standard Record (locked) is appropriate: a standard record can still be unlocked for editing by a user with edit permissions, and every unlock and relock is versioned and audited. Only upgrade to Regulatory record if your compliance framework explicitly requires immutability, because a regulatory record cannot be unlocked, relabeled or have its label removed by anyone, including administrators, and the option only appears after the tenant enables it with Set-RegulatoryComplianceUI -Enabled $true.

5
Review and Create

Confirm summary: RET-PII-SSN · 7 years · Created date trigger · Delete with disposition review · Locked Record. Click Create label.

6
Create an Auto-Apply Policy (SIT-based)

When prompted, select Auto-apply label to content. Then:

  • Choose content to auto-label: Select Apply label to content that contains sensitive info
  • Sensitive info type: Search for and add U.S. Social Security Number (SSN)
  • Confidence level: Set to High confidence (confidence level 85 or above). Do not use Low confidence for record-locking auto-apply — false positives will lock unintended content.
  • Instance count: 1 to Any — any document with a single SSN match gets labeled
7
Scope the Policy — Locations

Select which Microsoft 365 locations to include:

  • SharePoint sites: Scope to sites that handle HR, Finance, or member services content. Do not apply tenant-wide without first running in simulation mode.
  • OneDrive accounts: Consider including for HR staff home drives.
  • Exchange mailboxes: Include if SSN content is expected in email bodies or attachments.
8
Run in Simulation Mode First

Before publishing, select Run policy in simulation mode. Review results after 24–48 hours in the Policy results view. Check for:

  • False positives (test files, templates, redacted documents being matched)
  • Unexpected volume — very high match counts may indicate a SIT confidence threshold is too low
  • Locations you did not intend to include

Only turn simulation off and publish to Active mode after review is satisfactory. Once active and content is marked as a Record, it cannot be unlocked without deliberate action.

Path 1 — Without File Plan · PowerShell
RET-PII-SSN: Create label, auto-apply policy, simulation mode
Retention · Generic SSN · Time-based · Record · Auto-apply
The auto-apply policy is created with the -IsSimulation switch so it starts in simulation mode, and the SIT match is expressed on the rule with -ContentContainsSensitiveInformation (the built-in SIT name plus a minimum count and confidence). Enforce the policy only after reviewing the simulation results.
# Step 1 — Create the retention label (time-based from creation, locked record,
# disposition review by the privacy reviewer before anything is deleted)
New-ComplianceTag `
    -Name              "RET-PII-SSN" `
    -Comment           "PII: SSN content. 7 years from creation. Time-based. Locked Record. Disposition review required." `
    -RetentionAction   "KeepAndDelete" `
    -RetentionDuration 2557 `
    -RetentionType     "CreationAgeInDays" `
    -IsRecordLabel     $true `
    -Regulatory        $false `
    -ReviewerEmail     "privacy-reviewer@yourorg.com"

# Step 2 — Create the auto-apply policy in simulation mode (-IsSimulation).
# "TestWithNotifications" is a DLP policy -Mode value and is not accepted by retention policies.
$spSites = @(
    "https://yourtenant.sharepoint.com/sites/HumanResources",
    "https://yourtenant.sharepoint.com/sites/Finance"
)
New-RetentionCompliancePolicy `
    -Name               "POL-AUTOAPPLY-RET-PII-SSN" `
    -Comment            "Auto-applies RET-PII-SSN to content matching US SSN SIT at high confidence" `
    -SharePointLocation $spSites `
    -OneDriveLocation   "All" `
    -ExchangeLocation   "All" `
    -IsSimulation

# Step 3 — Auto-apply rule keyed on the built-in SIT. minCount = 1 is the UI's "1 to Any";
# minConfidence = 85 is the high-confidence threshold (same hashtable keys DLP rules use;
# if your module version rejects minConfidence, set the confidence level in the portal instead).
New-RetentionComplianceRule `
    -Name                                "RULE-AUTOAPPLY-RET-PII-SSN" `
    -Policy                              "POL-AUTOAPPLY-RET-PII-SSN" `
    -ApplyComplianceTag                  "RET-PII-SSN" `
    -ContentContainsSensitiveInformation @(@{ Name = "U.S. Social Security Number (SSN)"; minCount = "1"; minConfidence = "85" })

# Step 4 — Check deployment and simulation status after 24-48 hrs
Get-RetentionCompliancePolicy -Identity "POL-AUTOAPPLY-RET-PII-SSN" -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus

# Step 5 — Enforce after review (remove -WhatIf before running). -EnforceSimulationPolicy turns the
# simulated policy into the active policy; confirm the parameter set with
# Get-Help Set-RetentionCompliancePolicy in your module version before relying on it.
# Set-RetentionCompliancePolicy -Identity "POL-AUTOAPPLY-RET-PII-SSN" -EnforceSimulationPolicy $true -WhatIf
Path 2 — With File Plan · UI Walk-Through
1
Navigate to Records Management → File Plan

Microsoft Purview compliance portal → Records management → File plan tab → + Create a label.

2
File Plan Descriptors — Generic SSN Values
File plan field: suggested value. Notes.
  • Reference ID: PII-SSN-001. Adapt to your retention schedule numbering convention.
  • Business function / department: Privacy / Compliance. Owner of the PII retention obligation.
  • Category: Personally Identifiable Information.
  • Sub-category: Government Identifiers — SSN.
  • Authority type: Regulatory. HIPAA/HITECH and state privacy laws make this regulatory-driven, not just business policy.
  • Provision / citation: HIPAA Privacy Rule · [State] Privacy Act. Add your state's applicable privacy statute, e.g., CCPA (California), NY SHIELD, etc.
3
Retention Settings, Record Type, Auto-Apply, Simulation

Complete all remaining steps identically to Path 1 Steps 3–8. The file plan metadata does not change any behavioral settings — it enriches the label for records management reporting and audit defensibility.

Path 2 — With File Plan · PowerShell
RET-PII-SSN: Create label with file plan metadata
Retention · Generic SSN · File Plan · Time-based · Record
Same label creation as Path 1 with the -FilePlanProperty JSON added. Policy creation and the auto-apply rule are identical to Path 1 Steps 2–3 above; they do not change when a file plan is used.
# Step 1 — File plan descriptors as the JSON Settings array that -FilePlanProperty expects.
# Each Value must already exist as a descriptor in the tenant (create with the
# New-FilePlanProperty* cmdlets). The UI's "Provision/citation" field maps to FilePlanPropertyCitation.
$filePlanSSN = [PSCustomObject]@{
    Settings = @(
        @{ Key = "FilePlanPropertyReferenceId";  Value = "PII-SSN-001" }
        @{ Key = "FilePlanPropertyDepartment";   Value = "Privacy / Compliance" }
        @{ Key = "FilePlanPropertyCategory";     Value = "Personally Identifiable Information" }
        @{ Key = "FilePlanPropertySubcategory";  Value = "Government Identifiers - SSN" }
        @{ Key = "FilePlanPropertyAuthority";    Value = "Regulatory" }
        @{ Key = "FilePlanPropertyCitation";     Value = "HIPAA Privacy Rule, 45 C.F.R. Parts 160 and 164 · [Add applicable state privacy statute]" }
    )
}
$filePlanSSNJson = $filePlanSSN | ConvertTo-Json -Depth 5

New-ComplianceTag `
    -Name              "RET-PII-SSN" `
    -Comment           "PII: SSN content. 7 years from creation. Time-based. Locked Record. Disposition review required." `
    -RetentionAction   "KeepAndDelete" `
    -RetentionDuration 2557 `
    -RetentionType     "CreationAgeInDays" `
    -IsRecordLabel     $true `
    -Regulatory        $false `
    -ReviewerEmail     "privacy-reviewer@yourorg.com" `
    -FilePlanProperty  $filePlanSSNJson

# Steps 2-5: Policy creation, auto-apply rule, simulation check and enforcement are
# identical to Path 1 PowerShell above; run those blocks after this one.

# Verify file plan fields (FilePlanMetadata is returned as a JSON string)
(Get-ComplianceTag -Identity "RET-PII-SSN").FilePlanMetadata | ConvertFrom-Json | Format-List
References
CNC Data Security Platform · Module 04

Data Life Cycle

Retention · Records management · HUM domain schedule · Disposition review · Retain+Protect pairing
Four-Stage Retention Methodology

① Discover

Content Explorer + Data Map + SHIR. SIT confidence scoring. Inventory generates master matrix.

② Classify

Sensitivity + Retention label applied. SIT for unstructured; metadata for structured. Adaptive scopes.

③ Retain

Hold prevents deletion. Event or time trigger. Legal hold overrides all via eDiscovery.

④ Dispose

Review for records, auto-delete for non-records. Power Automate SLA. Disposition logged permanently.

HUM Domain — HR Retention Schedule (LCM Reference Set)

Permanent Retains (No Disposition)

  • HUM-100 — Benefits Records
  • HUM-700 — Labor Relations Records (Regulatory)

Long-Duration Regulatory (30 yr)

  • HUM-600 — Exposure Monitoring Records
  • HUM-610 — Employee Medical Records

Event-Triggered Records

  • HUM-210 — I-9 / Immigration: 3 yr (Regulatory)
  • HUM-220 — Affirmative Action: 5 yr
  • HUM-300 — Personnel Records: 4 yr
  • HUM-400 — Training Records: 6 yr
  • HUM-630 — Workers Comp: 5 yr (Regulatory)
  • HUM-800 — HR Investigations: 3 yr

Time-Triggered Records

  • HUM-110 — Compensation: 6 yr
  • HUM-120 — Incentive Payouts: 7 yr
  • HUM-200 — Recruiting / Candidates: 4 yr
  • HUM-620 — OSHA / External Incidents: 5 yr
  • HUM-621 — Internal Incidents: 3 yr
Retain + Protect Pairing (Operating Principle)

Pairing Rule

Every RET-HUM-* label must have a sibling DLP-HUM-* policy. Retain forever, protect never = liability, not compliance.

Regulatory Record Disposition

HUM-210, -600, -610, -630, -700: Regulatory records. Immutable in Purview: no one, including administrators, can unlock, relabel or remove the label, so disposition runs through the Compliance Officer rather than through a SharePoint unlock. No auto-delete ever. Signed disposition memo required.
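The schedule card and the pairing rule above are declarative; what an auditor actually finds is the drift between them and the tenant. The block below is an added example, not code from the original page: it transcribes the HUM schedule as data, compares each RET-HUM-* label's duration, trigger type and record status against it, and checks that a sibling DLP-HUM-* policy exists. It assumes an active Connect-IPPSSession, the RET-/DLP- naming convention used on this page, that permanent retains are configured with RetentionAction Keep, and that the RetentionDuration, RetentionType, RetentionAction and IsRecordLabel properties of Get-ComplianceTag carry the values set at creation. HUM-600 and HUM-610 have their trigger left unchecked because the card does not state it; the duration tolerance allows for the leap days that values such as 1461 and 2557 include.

```powershell
# Added example: reconcile the HUM retention schedule and Retain+Protect pairing against the tenant.
# Schedule transcribed from the reference set above. Years = $null means permanent retain.
# Trigger: 'Event' = EventAgeInDays, 'Time' = creation or modification age, 'Any' = not stated.
$humSchedule = @(
    @{ Code = 'HUM-100'; Years = $null; Trigger = 'Any'   }
    @{ Code = 'HUM-700'; Years = $null; Trigger = 'Any'   }
    @{ Code = 'HUM-600'; Years = 30;    Trigger = 'Any'   }
    @{ Code = 'HUM-610'; Years = 30;    Trigger = 'Any'   }
    @{ Code = 'HUM-210'; Years = 3;     Trigger = 'Event' }
    @{ Code = 'HUM-220'; Years = 5;     Trigger = 'Event' }
    @{ Code = 'HUM-300'; Years = 4;     Trigger = 'Event' }
    @{ Code = 'HUM-400'; Years = 6;     Trigger = 'Event' }
    @{ Code = 'HUM-630'; Years = 5;     Trigger = 'Event' }
    @{ Code = 'HUM-800'; Years = 3;     Trigger = 'Event' }
    @{ Code = 'HUM-110'; Years = 6;     Trigger = 'Time'  }
    @{ Code = 'HUM-120'; Years = 7;     Trigger = 'Time'  }
    @{ Code = 'HUM-200'; Years = 4;     Trigger = 'Time'  }
    @{ Code = 'HUM-620'; Years = 5;     Trigger = 'Time'  }
    @{ Code = 'HUM-621'; Years = 3;     Trigger = 'Time'  }
)

function Test-RetentionSchedule {
    param([array]$Schedule, [array]$Tags, [array]$DlpPolicies)
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($row in $Schedule) {
        $code = $row.Code
        $tag  = $Tags | Where-Object { $_.Name -eq "RET-$code" } | Select-Object -First 1
        if (-not $tag) { $findings.Add("MISSING  $code : no label named RET-$code"); continue }

        $duration = "$($tag.RetentionDuration)"            # "Unlimited" for permanent labels
        if ($null -eq $row.Years) {
            if ($duration -ne 'Unlimited' -or $tag.RetentionAction -ne 'Keep') {
                $findings.Add("DURATION $code : expected permanent Keep, got $($tag.RetentionAction)/$duration")
            }
        } else {
            $expected  = $row.Years * 365
            $tolerance = [math]::Ceiling($row.Years / 4) + 1  # leap days the label value may include
            if ($duration -eq 'Unlimited' -or [math]::Abs([int]$duration - $expected) -gt $tolerance) {
                $findings.Add("DURATION $code : expected about $expected days ($($row.Years) yr), got $duration")
            }
        }

        $timeTypes = 'CreationAgeInDays', 'ModificationAgeInDays'
        if ($row.Trigger -eq 'Event' -and $tag.RetentionType -ne 'EventAgeInDays') {
            $findings.Add("TRIGGER  $code : expected EventAgeInDays, got $($tag.RetentionType)")
        } elseif ($row.Trigger -eq 'Time' -and $tag.RetentionType -notin $timeTypes) {
            $findings.Add("TRIGGER  $code : expected a time-based trigger, got $($tag.RetentionType)")
        }

        if (-not $tag.IsRecordLabel) { $findings.Add("RECORD   $code : label does not declare items as records") }

        # Retain + Protect pairing: every RET-HUM-* label needs a sibling DLP-HUM-* policy.
        if (-not ($DlpPolicies | Where-Object { $_.Name -eq "DLP-$code" })) {
            $findings.Add("PAIRING  $code : no DLP-$code policy, retained but not protected")
        }
    }
    return $findings
}

$tags = @(Get-ComplianceTag | Where-Object { $_.Name -like 'RET-HUM-*' })
$dlp  = @(Get-DlpCompliancePolicy | Where-Object { $_.Name -like 'DLP-HUM-*' })
$findings = Test-RetentionSchedule -Schedule $humSchedule -Tags $tags -DlpPolicies $dlp
if ($findings.Count -eq 0) { "HUM schedule and DLP pairing reconcile with the tenant." } else { $findings }
```

Each finding line is prefixed with its class (MISSING, DURATION, TRIGGER, RECORD, PAIRING) so the output can be filed as-is with the disposition evidence; a clean run is the affirmative answer to "show me the rule and the system that enforces it" for the whole HUM domain rather than for one label at a time.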

References: learn.microsoft.com/en-us/purview/retention  ·  learn.microsoft.com/en-us/purview/records-management  ·  learn.microsoft.com/en-us/purview/disposition