  • Tatiana Slepukhin-Zamachnaia
  • 2 min read

Updated: Jun 27, 2024

Microsoft Purview offers various labeling options to help organizations manage their content effectively. These labels—Retention, Records, and Regulatory Records—each serve distinct purposes and come with their own sets of features and limitations.


I believe that some gaps in their design could lead to compliance risks and operational challenges. This post aims to highlight these gaps, focusing on the shortcomings in Records Labels regarding metadata immutability and the restrictive nature of Regulatory Record Labels.


I previously posted a blog entry about the issues with Regulatory Records that could lead to potential non-compliance, and how treacherous they can become in organizations that do not invest in governance or Information Architecture design. That is precisely why Regulatory Record Labels, although they provide the desired immutability for both content and metadata, are not a perfect solution.


Gaps in Microsoft Purview Label Options


The comparison below covers the three existing label types (Retention Label, Record Label, Regulatory Record Label) and the proposed fourth type (Record Label with Immutable Metadata and Content).

Purpose
  • Retention Label: Manage the lifecycle of working documents, internal-use content and business value assets that are not subject to regulatory requirements
  • Record Label: Declare content as records; manage some business value assets with Locked/Unlocked functionality
  • Regulatory Record Label: Ensure compliance with strict regulations
  • Proposed label: Ensure metadata and content immutability while allowing label or duration changes

Content Immutability
  • Retention Label: Not enforced
  • Record Label: Not enforced when Unlocked; enforced when Locked
  • Regulatory Record Label: Enforced
  • Proposed label: Enforced

Metadata Immutability
  • Retention Label: Not enforced
  • Record Label: Not enforced
  • Regulatory Record Label: Enforced
  • Proposed label: Enforced

Compliance Assurance
  • Retention Label: Basic lifecycle management, not for records
  • Record Label: Moderate compliance
  • Regulatory Record Label: High compliance
  • Proposed label: High compliance

Use Case
  • Retention Label: Document stage of lifecycle, business value assets
  • Record Label: Records management with some flexibility; suitable for some business value assets with Locked/Unlocked functionality
  • Regulatory Record Label: Strict records management
  • Proposed label: Strict records management with flexibility in label and duration management

Gap 1
  • Retention Label: Not suitable for regulatory record keeping
  • Record Label: Allows changes to metadata
  • Regulatory Record Label: Fully compliant but rigid
  • Proposed label: None - suitable for regulatory record keeping with flexible administration

Gap 2
  • Retention Label: Basic compliance features
  • Record Label: Metadata changes undermine record integrity
  • Regulatory Record Label: Lack of flexibility for evolving needs
  • Proposed label: None - no metadata changes, maintaining record integrity

Gap 3
  • Retention Label: Limited to basic retention functionality for working documents and business value assets (and, in some cases, DLP-like functionality for working documents)
  • Record Label: Limited audit capabilities for metadata changes
  • Regulatory Record Label: May be overly restrictive for some scenarios
  • Proposed label: None - comprehensive audit capabilities for both content and metadata

The key gap in Microsoft Purview’s Record Labels is that they allow metadata changes, which contradicts a fundamental principle of records management. Consistent, intact metadata is what lets a record’s authenticity be demonstrated, and that authenticity is a regulatory requirement for many organizations.


On the other hand, Retention Labels serve well for managing the lifecycle of working documents, internal use, and Business Value assets but fall short for serious record-keeping.


While Microsoft does offer Regulatory Record Labels, their highly restrictive nature makes them less suitable for setups that are not strictly governed or well-designed. The irreversibility of actions taken under Regulatory Record Labels can be a significant risk if not managed correctly.


Recommending Record Labels can therefore be the more practical approach. With strict governance in Purview, Record Labels become effectively immutable in practice once locked. However, because their metadata can still be edited, they do not fully meet the integrity and authenticity requirements of compliance-heavy environments.


Proposed Solution


Introducing a new type of label: Record Labels with Immutable Metadata and Content.


This label would combine the flexibility of Record Labels with the assurance that both content and metadata cannot be altered, while still allowing administrators to change the label applied to the document or the duration. There should be no locking/unlocking of the records with this label type. Both Record Content and Metadata should always be locked.


Why It's Worth Considering


Based on experience, here are some key points:

  1. Regulatory Compliance: Many organizations must adhere to strict regulatory requirements. This proposal addresses these needs more comprehensively, helping organizations avoid compliance risks.

  2. Practical Flexibility: While Regulatory Record Labels are very rigid, this suggested label offers a balance by providing immutability for content and metadata while allowing necessary administrative flexibility.

  3. Improving the Product: Constructive feedback is vital for product improvement. Highlighting these gaps can help Microsoft enhance their product, ultimately benefiting all users.

  4. User Advocacy: Advocating for the needs of users and organizations is always valuable. If these gaps are causing challenges, it’s important for Microsoft to be aware so they can address them.



  • Tatiana Slepukhin-Zamachnaia
  • 3 min read

Updated: Jul 7, 2024



Introduction

In the previous post, I showed you how to enable Regulatory Records, which are disabled by default.


But what are Regulatory Records, and why wouldn’t they be enabled by default?

There are three types of Retention Labels in M365:

  • Retention Labels (let’s call it a regular retention)

  • Record Labels

  • Regulatory Record Labels


A Regulatory Record Label, once applied to an item, cannot be changed, overridden, or removed, not even by a global administrator. This immutability is what gives the label its value for regulatory compliance. When the retention period of a regulatory record ends, the item follows the action defined by the original label (for example, deletion); you cannot apply a different label to extend or change that action, and the only adjustment available is lengthening the retention period on the label itself. Regulatory Record Labels are designed to be tamper-proof.


The Issue


So, if the desired outcome is compliance, what’s wrong with having the Regulatory Records option at your disposal right away? Why wouldn’t they be enabled by default?


Because there are quite a few problems with the usage of Regulatory Record labels. In some cases, their inflexible nature becomes an issue, which ironically, could lead to potential non-compliance.


The immutable nature of Regulatory Records in Microsoft 365 is both a feature and a challenge.


One reason the Regulatory Records option is not enabled by default is that it is designed for organizations with strict compliance requirements and the governance to match.


Mislabeling


Here is the first common concern: mislabeling the item. Imagine that you made a mistake when applying the label: you cannot reverse that. There is no button to press to undo that action. Incompetent Information Management Workers can create a non-compliance quagmire very quickly.


Having Regulatory Record Labels will require additional training programs and governance. Lack of a bullet-proof file plan and exhaustive documentation can also contribute to potential issues. And even if you have top-notch knowledgeable staff, to err is human.


Poor communication between departments can also lead to inconsistent application of regulatory labels.


Mergers, acquisitions, restructuring, or any other changes in organizational structure can disrupt information management processes and lead to inconsistent application of regulatory labels.


Need for Governance


Would you dare to use Regulatory Record Labels, especially in an organization that doesn’t have a solid file plan or solid personnel training?


Managing immutable records requires a high level of governance, as any mistakes in labeling can pose serious issues. Misinterpreting or misunderstanding regulatory requirements can result in the incorrect application of retention labels.


Additionally, if end users are presented with a set of poorly named labels, with no naming convention and nothing in the name marking a label as a Regulatory Record Label, they may apply one out of confusion. Users do see a warning when applying a Regulatory Record Label, but we all know that most of them do not read it.


Without regular audits and reviews, mislabeling and non-compliance issues can go unnoticed for long periods.


Changes in Regulatory Requirements


Changes in regulatory requirements, although rare, do happen. Imagine you have a few thousand documents that you were keeping for 7 years, and a new regulation requires them to be kept for 10 years. That case is manageable: you can lengthen the label’s retention period.


If the new regulation changes the retention requirement to a shorter period (e.g., from 7 years to 5 years), there's no way to shorten the retention period of an already labeled regulatory record.


The biggest concerns are human error and weaknesses in Information Architecture and security.


Security Breaches and Unauthorized Access


Security breaches or unauthorized access to records can result in tampering or accidental mislabeling. An insider with malicious intent can cause significant damage by labeling items incorrectly. This malicious activity may go unnoticed, and if discovered, the insider could claim it was an error.


Lack of Security Permissions


Microsoft Purview (formerly the Microsoft 365 compliance center) has its own set of role groups. Only personnel holding the right roles can create labels and publish them to workloads such as SharePoint.


The issue is that, once published, every label in the policy can be applied by any site user who can edit the item. Publishing controls where a label appears, not who may apply it.


It does seem like a significant oversight that Microsoft did not provide more granular control over the application of Regulatory Record Labels in SharePoint Online. Given the importance and immutability of these labels, more precise permission settings could help prevent accidental or unauthorized application, thereby reducing the risk of compliance issues and operational headaches.


Conclusion


Make sure that you enable the Regulatory Record Label option only if your governance, training, and structure are in place.


Conduct auditing exercises routinely and adjust accordingly.


Build a custom solution that provides Role-Based Access Control (RBAC) to restrict who can apply Regulatory Record Labels.
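As an added illustration of the audit and RBAC recommendations above (example code written for this page, not the author's framework or anything Microsoft ships), here is a Security & Compliance PowerShell script that inventories which published labels are regulatory records, checks them against a naming convention, pulls the unified audit log's TagApplied/TagUpdated events for those labels, and flags applications by anyone outside an approved records-manager list or in bulk. It assumes an existing Connect-IPPSSession session, that Get-ComplianceTag exposes Regulatory and IsRecordLabel properties (mirroring the switches of the same names on New-ComplianceTag), and that each event's AuditData JSON names the applied label in DestinationLabel; the REG- prefix convention, the contoso.com users and the sample events are made up for the example.

```powershell
# Added example, not code from the original post: audit Regulatory Record Labels
# and who applies them, using Security & Compliance PowerShell (ExchangeOnlineManagement).
# Assumes a session opened with Connect-IPPSSession. The naming convention (a "REG-"
# prefix), the approved-user list and the sample events below are hypothetical.

# Inventory the labels that are regulatory records and check the naming convention
# the post argues for, so users can tell these labels apart from ordinary ones.
# Assumption: Get-ComplianceTag exposes Regulatory and IsRecordLabel properties,
# mirroring the switches of the same names on New-ComplianceTag.
function Get-RegulatoryLabelInventory {
    param([string]$NamePattern = '^REG-')
    Get-ComplianceTag | Where-Object { $_.Regulatory } | ForEach-Object {
        [pscustomobject]@{
            Name              = $_.Name
            RetentionDuration = $_.RetentionDuration
            RetentionAction   = $_.RetentionAction
            FollowsConvention = [bool]($_.Name -match $NamePattern)
        }
    }
}

# Pull label-application events from the unified audit log. TagApplied and TagUpdated
# are the documented operations for applying or changing a retention label on an item.
# Assumption: the AuditData JSON carries the applied label name in DestinationLabel.
function Get-RegulatoryLabelApplications {
    param([string[]]$RegulatoryLabelNames, [int]$Days = 30)
    # -ResultSize caps at 5000; use -SessionCommand ReturnLargeSet to page beyond that.
    $events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Operations 'TagApplied', 'TagUpdated' -ResultSize 5000
    foreach ($e in $events) {
        $d = $e.AuditData | ConvertFrom-Json
        if ($RegulatoryLabelNames -contains $d.DestinationLabel) {
            [pscustomobject]@{
                Time      = $e.CreationDate
                User      = $d.UserId
                Label     = $d.DestinationLabel
                Item      = $d.ObjectId
                Operation = $e.Operations
            }
        }
    }
}

# Triage: anyone outside the approved records-manager list applying a regulatory label
# (the missing RBAC the post describes), and users applying many in one window
# (bulk mislabeling, whether by mistake or by a malicious insider).
function Find-RegulatoryLabelAnomalies {
    param([object[]]$Applications, [string[]]$ApprovedUsers, [int]$BulkThreshold = 20)
    $unapproved = @($Applications | Where-Object { $ApprovedUsers -notcontains $_.User })
    $bulk = @($Applications | Group-Object -Property User |
        Where-Object { $_.Count -ge $BulkThreshold } | ForEach-Object { $_.Name })
    [pscustomobject]@{ Unapproved = $unapproved; BulkUsers = $bulk }
}

# Live usage (after Connect-IPPSSession):
# $labels = Get-RegulatoryLabelInventory
# $labels | Where-Object { -not $_.FollowsConvention }   # labels users cannot recognise as regulatory
# $apps   = Get-RegulatoryLabelApplications -RegulatoryLabelNames $labels.Name -Days 30
# Find-RegulatoryLabelAnomalies -Applications $apps -ApprovedUsers 'records.manager@contoso.com'

# Offline run of the triage logic on constructed sample events (not real audit data).
$sample = @(
    [pscustomobject]@{ Time = Get-Date; User = 'records.manager@contoso.com'; Label = 'REG-Tax-10y'; Item = 'https://contoso.sharepoint.com/sites/finance/ledger.xlsx'; Operation = 'TagApplied' }
    [pscustomobject]@{ Time = Get-Date; User = 'intern@contoso.com';          Label = 'REG-Tax-10y'; Item = 'https://contoso.sharepoint.com/sites/finance/draft.docx';  Operation = 'TagApplied' }
    [pscustomobject]@{ Time = Get-Date; User = 'intern@contoso.com';          Label = 'REG-Tax-10y'; Item = 'https://contoso.sharepoint.com/sites/finance/notes.docx';  Operation = 'TagApplied' }
)
$result = Find-RegulatoryLabelAnomalies -Applications $sample -ApprovedUsers 'records.manager@contoso.com' -BulkThreshold 2
$result.Unapproved | Format-Table Time, User, Label, Item   # the two applications by the intern
"Bulk appliers: $($result.BulkUsers -join ', ')"            # intern@contoso.com
```

The inventory and audit-log functions run against a tenant; the last lines exercise the triage logic offline on the constructed events. This does not stop anyone from applying a regulatory label, since Purview offers no such permission, but it turns "audit routinely" into a check that can be scheduled, and it surfaces the two failure modes the post warns about: an unexpected user applying the label, and one user applying it in bulk.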


While I do hope that Microsoft addresses this issue, I am not holding my breath – I am currently building my own framework that will provide better control over Regulatory Record Labels in M365.

 
 

Updated: Jun 27, 2024

Have you heard about Regulatory Records but can't find them in MS Purview?


By default, Regulatory Records are disabled. When creating a Retention label, you'll only see two options: a regular Retention Label and Record (including Unlocked record).


The screenshot below illustrates that Regulatory Records are not available.



Currently, PowerShell is the only way to enable Regulatory Records.

 

To connect to the Compliance Center (MS Purview), you will need the ExchangeOnlineManagement Module. If you haven't installed it yet, follow these steps: 

 

1. Install the module:

Install-Module -Name ExchangeOnlineManagement

 

2. Set the execution policy so the module's scripts are allowed to load (skip this step if your current policy already permits it):

Set-ExecutionPolicy RemoteSigned

 

3.  Import the module and connect to the Compliance Center:

Import-Module ExchangeOnlineManagement

Connect-IPPSSession -UserPrincipalName Your_UPN


4.   After connecting, execute the following command to enable Regulatory Records:

Set-RegulatoryComplianceUI -Enabled $true


The setting takes effect immediately.

You can verify by running the Get-RegulatoryComplianceUI command to see that the ‘Enabled’ property is set to True.
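The four steps above combined into one script, added here as an example (not the post's own commands): it reads the current state before changing anything, enables the option only when it is off, and verifies the result with Get-RegulatoryComplianceUI before disconnecting. It assumes the signed-in account holds a Purview role allowed to run Set-RegulatoryComplianceUI; the -Scope CurrentUser install and the messages are this example's choices.

```powershell
# Added example, not code from the original post: enable the regulatory record option
# idempotently and verify it. Assumes the account can run Set-RegulatoryComplianceUI.
param([Parameter(Mandatory)][string]$UserPrincipalName)

# Install on first use; ExchangeOnlineManagement also provides Connect-IPPSSession.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
}
Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-IPPSSession -UserPrincipalName $UserPrincipalName

# Read before write: the option is tenant-wide, so do not flip it blindly.
$before = Get-RegulatoryComplianceUI
if ($before.Enabled) {
    Write-Host 'Regulatory record option is already enabled; no change made.'
} else {
    Set-RegulatoryComplianceUI -Enabled $true
}

# Verify rather than trust the call. Labels created with this option are irreversible
# once applied, so confirm the state you are about to hand to label authors.
$after = Get-RegulatoryComplianceUI
if (-not $after.Enabled) {
    throw 'Regulatory record option is still disabled; check the role assignment of the signed-in account.'
}
Write-Host "Enabled: $($after.Enabled). 'Mark items as a regulatory record' is now offered when creating a retention label."
Disconnect-ExchangeOnline -Confirm:$false
```

Run it as `.\Enable-RegulatoryRecords.ps1 -UserPrincipalName admin@contoso.onmicrosoft.com` (file name and UPN are placeholders). The explicit re-read at the end is the part worth keeping even if you prefer typing the commands by hand: it is the only confirmation that the tenant is in the state the rest of the governance plan assumes.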


Return to the Microsoft Purview portal, go to Records management and create a new retention label.


You can now see that the “Mark items as a regulatory record” option is available.

 
 

© 2024 Cloud Confidential Inc.
