Microsoft 365 as a records management system

Understand the risks and requirements that Microsoft 365 and its programs like Sharepoint should address to be used as a records management system.

Last updated:
26 March 2026
On this page

This guidance should be used alongside the following pages to provide a complete understanding of how Microsoft 365 could be used as a records management system:

This guidance has been developed for State Records NSW by Andrew Warland, a consultant with many years of experience advising organisations on effective recordkeeping. 

Governance

Microsoft 365 includes an extensive range of configuration settings or options and functionality that can be used to support the management of records that remain stored in Exchange mailboxes (includes Teams chats and posts), SharePoint and OneDrive.

Because of this, organisations that use Microsoft 365 to manage records need to establish effective governance mechanisms to ensure that all IT, security and recordkeeping requirements are considered and factored into its configuration and its ongoing management. Configuration settings should be assessed and implemented to meet the requirements of the Standard on records management.

The type and structure of governance mechanisms may vary between organisations but three key requirements are: (a) understanding and documenting the configuration of all parts of the platform, (b) monitoring the environment, and (c) managing change.

Governance for Microsoft 365 should include all of the following actions or activities, including in regular meetings:

  • Reviewing the ‘as is’ configuration of the different options across the Microsoft 365 environment to ensure that they have been configured appropriately to meet recordkeeping compliance requirements.
  • Reviewing and discussing forthcoming changes to the environment announced in the Microsoft 365 roadmap or the Message Centre, including those that may require decisions and/or change management actions.
  • Reviewing privileged role assignments (including via Privileged Identity Management controls) and assignments to other roles and role groups (e.g., in Purview) based on a Role Based Access Control (RBAC) model.
  • Monitoring and reviewing usage and activity across the environment from the Reports – Usage area of the Microsoft 365 admin centre. This activity may include reviewing the size of active Exchange mailboxes and OneDrives and identifying those that might belong to key roles or are likely to contain records and will need additional attention if the user leaves the organisation.
  • Reviewing any inactive OneDrives that have been archived beyond 90 days because of retention policies or other reasons and deciding on appropriate retention periods for OneDrives.
  • Reviewing retention controls and disposal actions for records and other content stored across the primary Microsoft 365 workloads: personal Exchange mailboxes, Teams chats and channel messages, Microsoft 365 Group mailboxes and sites, other non-Group SharePoint sites, and OneDrive. 

 

Managing records

End users will use Microsoft 365 applications and storage systems to create, capture and store records. Most of these records will be stored in either Exchange Online mailboxes (including in hidden folders) or SharePoint (including OneDrive).

While the Microsoft 365 platform was not designed to be a dedicated recordkeeping system like an electronic document and records management system (EDRMS), it includes functionality across the platform that can be configured to manage records.

This functionality includes a range of configuration settings in the admin centres noted above, as well as the ability to provision and configure SharePoint sites in line with an information architecture model that defines how records should be managed to meet recordkeeping requirements.

One of the key ‘gaps’ in the ‘out of the box’ functionality in Microsoft 365 is the way the disposal of records works. The ‘Disposition’ functionality in Purview that is set up via retention labels for records stored in mailboxes and SharePoint may not be adequate because (a) its focus is on individual items rather than aggregations, (b) only minimal metadata is presented and retained after records are destroyed, and (c) the metadata may not be retained for as long as required.

Organisations may instead find it more useful to establish a process or procedure that is linked with the way information is stored and metadata is applied in SharePoint and the way retention labels have been configured and applied to those locations. The method involves aggregating related records in SharePoint libraries and applying a retention label at the library level, exporting the full set of metadata when the retention period ends for disposal approval, and retaining that metadata in a separate dedicated location after the records have been destroyed or transferred. This method is similar to the disposal of paper or physical records.

Managing records in Microsoft 365 is not about managing a single application or system. It requires: 

  • a detailed understanding of the platform
  • a suitable level of governance
  • knowledge of where records may be created, capture and stored
  • the correct configuration of settings and functionality in the various admin centres
  • an information architecture model for SharePoint that includes both provisioning and configuration details
  • useful guidance for end users, and
  • effective change management

 

Implementing

As with any other business system, Microsoft 365 should be implemented in the three stages described below if it is going to be used to manage records.1 In practice, Microsoft 365 will have already been implemented and it will need to be configured retrospectively to apply recordkeeping controls. Some of the activities described below could be used to support a retrospective approach.

1

Initiation and planning

This stage includes:

  • establishing a clear understanding of the organisation’s business and records management environment
  • developing and obtaining approval for a business case
  • drafting and finalising technical and functional requirements
  • designing the proposed configuration based on business engagement.2
2

Implementation

This stage includes:

  • establishing the design and understanding the impact of the proposed system on the existing IT environment
  • developing a migration strategy if required
  • developing an administration model
  • designing a security model
  • developing procedures and business rules
  • establishing how a business classification scheme (BCS) and retention requirements will be implemented
  • finalising the design
  • acquiring the new system
  • developing an implementation plan or strategy
  • configuring the system to meet organisational recordkeeping requirements
  • training administrators and end users.
3

Post-implementation

This stage includes:

  • a post-implementation review plan
  • reviewing the implementation outcomes.

For Microsoft 365, the post-implementation stage is likely to include the establishment of on-going governance arrangements. 

Configuration

Some of the available configuration settings, options and functionalities that can be configured to support the management of records in Microsoft 365 are listed below. This is not an exhaustive list.

Identity management (Entra)
  • Licence allocations.
  • The setting that determines if end users can create Microsoft 365 Groups which in turn determines if they can create Teams, Group-based sites, and Planners.
  • Privileged Identity Management (PIM) that is used to control the assignment of privileged roles, including to access Purview through the Compliance Administrator role.
  • Creation and implementation of conditional access policies that can be linked with SharePoint controls (see below) and information sensitivity labels.
  • Management of external identities for Teams shared channels.
Device management (InTune)
  • Management of devices. Links with SharePoint setting to determine what a person can do when they access SharePoint from an unmanaged device.
Microsoft 365 Admin
  • Copilot options.
  • Creation and management of Microsoft 365 and Security Groups and Distribution Lists.
  • Assignment of roles.
  • Configuration of a range of organisation settings, including for search, external sharing via SharePoint and OneDrive, and multiple other options.
  • Usage reports to support monitoring.
  • Access to the message centre to view forthcoming changes.
Exchange Admin
  • Management of user and shared mailboxes.
  • Management of active and inactive mailboxes, including via retention policies created in Purview.
Teams Admin
  • Creation of private and shared channels, each of which creates a new SharePoint site.
  • Configuration of Teams recordings and transcriptions, including expiration
SharePoint tenant-level setting
  • Ensuring that the option to allow ‘Everyone except external users’ to access SharePoint sites linked with private Microsoft 365 Groups is set to ‘False’ and using dynamic security groups to provide access to everyone where required. 

SharePoint Admin

The settings listed below assume that the organisation has a documented SharePoint information architecture model that defines how SharePoint sites should be provisioned and how sites and libraries should be configured to manage records.

  • Site creation methods and basic provisioning including site type, permissions and default settings.
  • Per-site options including hub registration or association, storage size, external sharing.
  • Incorporation of a Business Classification Scheme in the Term Store.
  • Creation of global content types that include custom metadata.
  • Configuration of external sharing (inherited from Microsoft 365 admin but can be set/further limited here for SharePoint and OneDrive). Additional controls around sharing, including for ‘anonymous’ sharing.
  • Configuration of a setting limiting what people can do when accessing SharePoint from unmanaged devices.
  • Configuration of a setting that allows end users to create sites.
  • Configuration of global date and time settings.
  • Setting storage limits for SharePoint sites and OneDrive.
  • Configuration of a setting to disable the ability to create sub-sites
  • Configuration of versioning settings.
  • SharePoint Advanced Management options, including auto-fill columns, ‘Data Access Governance’ reporting, additional controls.

SharePoint site provisioning and configuration

These settings assume the existence of a SharePoint information architecture model noted above.

  • Decisions around the best site types to manage records – Group-based, Communication, non-Group-based, other.
  • Creation of additional site columns.
  • Creation of additional site content types in addition to global content types.
  • Date/time locale.
  • Library creation and configuration, including addition of content types, metadata, and setting of default retention labels and/or sensitivity labels.
Purview (Data governance)
  • Assigning records managers to role groups, such as ‘Records Management’, if they have not been assigned to the ‘Compliance Administrator’ role.
  • Access to the audit logs to view all activity across Microsoft 365 workloads for a given period.
  • Creation and implementation of ‘backend’ retention policies for each workload. See below for the need to establish a suitable disposal methodology.
  • Creation and implementation of retention labels in line with classes in records retention and disposal authorities. See below for the need to establish a suitable disposal methodology.
  • Creation and implementation of information sensitivity labels.
  • Creation and implementation of data loss prevention (DLP) policies.
  • Compliance Manager, providing an assessment of the platform as configured against a range of regulations and standards including AS ISO 16175.
  • Creation of cases in eDiscovery to find and, if necessary, export records including in support of GIPA requests or to create PST files, or place legal holds to prevent destruction.
  • Data Security Posture Management, including for AI.
  • Insider Risk Management.
Defender (Security)
  • Incidents and alerts.
  • Threat intelligence.
  • Investigations.
  • Reporting.
  • Audits.

References

[1] Extracted from the NAA guide: IM standard - Implementing an EDRMS checklist. See also Developing systems – information management considerations | NSW Government and AS ISO 16175-1:2020.  [2] See ISO/TR 26122:2008 ‘Information and documentation – Work process analysis for records’

Related information

Download as PDF Print this page
Top of page