Control 4.3: Site and Document Retention Management - Portal Walkthrough
This playbook provides portal configuration guidance for Control 4.3.
Prerequisites
Before starting, ensure you have:
- SharePoint Admin role assigned
- Microsoft 365 E5 or E5 Compliance license
- SharePoint Advanced Management enabled for tenant
- Retention requirements documented by regulation and content type
Step 1: Document Retention Requirements
Identify retention requirements for your organization:
- Regulatory requirements (FINRA, SEC, SOX, GLBA)
- Business requirements
- Legal hold requirements
- Agent knowledge source retention needs
Retention Periods by Regulation:
| Regulation | Retention Period | Content Type |
|---|---|---|
| FINRA 4511 | 6 years | Books and records |
| SEC 17a-3/4 | 3–6 years | Communications (3y), financial records (6y) |
| SOX 404 | 7 years | Financial records |
| GLBA | 5–7 years | Customer information |
Step 2: Configure Inactive Site Policies
Create a policy to manage inactive sites:
- Navigate to Microsoft Purview
- Go to Data lifecycle management > Microsoft 365
- Click Open under "Inactive site policies"
- Click Create policy
- Configure:
  - Scope: All sites or specific site templates
  - Inactivity period: 90 days (adjust per requirements)
  - Notification: Email to site owners and admins
  - Action: Notify > Mark read-only > Archive
- Enable the policy
Step 3: Configure Site Ownership Policies
Ensure sites have active owners:
- Navigate to Policies > Site lifecycle management
- Click Open under "Site ownership policies"
- Create a policy to identify orphaned sites
- Configure notification to SharePoint admins
- Set action for unresolved ownership issues:
  - Notify admins to assign new owners
  - Mark read-only after 30 days if no owner assigned
Step 4: Set Organization Retention Defaults
Configure organization-wide settings:
- Navigate to Settings in SharePoint Admin Center
- Review "OneDrive Retention" setting
  - Set to 365 days minimum for regulated organizations
- Review "Version history limits" settings
Step 5: Integrate with Microsoft Purview
For comprehensive document-level retention:
- Navigate to Microsoft Purview Compliance Portal
- Go to Data lifecycle management > Microsoft 365
- Create retention labels for document-level retention
- Apply retention labels to sensitivity-labeled content
- Configure retention policies for regulated content types
- Coordinate with eDiscovery for legal holds
Governance Level Configurations
Baseline (Level 1)
| Setting | Value |
|---|---|
| Inactive site policy | Identify sites inactive for 90+ days |
| Policy action | Notify only |
| Version history | Enabled for document recovery |
Recommended (Level 2-3)
| Setting | Value |
|---|---|
| Site ownership policy | Identify and remediate orphaned sites |
| Inactive site action | Archive after 180 days |
| OneDrive retention | 365 days minimum |
| Retention by content type | Apply labels to regulated content |
Regulated (Level 4)
| Setting | Value |
|---|---|
| Policy-driven retention | All Zone 3 sites have documented retention |
| Manual deletion | Disabled for regulated content |
| Deletion logs | Immutable and non-editable |
| Legal hold integration | Coordinated with eDiscovery |
Validation
After completing the configuration, verify:
- Inactive site policy enabled with 90+ day threshold in SharePoint Admin Center
- Site ownership policy configured to identify and remediate orphaned sites
- OneDrive retention set to 365 days minimum in SharePoint Admin Center settings
- Retention labels created for FINRA (6-year), SEC (6-year), and SOX (7-year) content in Microsoft Purview
Expected Result: Inactive sites are identified and managed, orphaned sites have a remediation workflow, and retention policies apply to regulated content.
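The portal checks above can be repeated from the shell as a drift check. The script below is an added example, not part of this playbook or of the PowerShell Setup page. It assumes the SharePoint Online Management Shell and Security & Compliance PowerShell modules are installed and already connected (Connect-SPOService and Connect-IPPSSession), and it reports findings only; it changes no settings. The thresholds are the Level 2-3 values from this page, and the label-name matching (a label name containing the regulation name) is an assumption about your naming convention.

```powershell
# Added drift check for Control 4.3 (example code, not the playbook's own).
# Assumes an existing Connect-SPOService and Connect-IPPSSession session.
# Report-only: nothing here modifies tenant or site configuration.

$InactiveDays         = 90     # Step 2: inactivity threshold
$MinOneDriveRetention = 365    # Step 4: OneDrive retention minimum (days)
$RequiredLabelDays    = @{     # Step 1 / Validation: minimum label retention
    'FINRA' = 6 * 365
    'SEC'   = 6 * 365
    'SOX'   = 7 * 365
}

$findings = New-Object System.Collections.Generic.List[string]

# Step 4 check: OneDrive retention is exposed on the tenant object as
# OrphanedPersonalSitesRetentionPeriod (days).
$tenant = Get-SPOTenant
if ($tenant.OrphanedPersonalSitesRetentionPeriod -lt $MinOneDriveRetention) {
    $findings.Add("OneDrive retention is $($tenant.OrphanedPersonalSitesRetentionPeriod) days; minimum is $MinOneDriveRetention")
}

# Steps 2-3 check: walk the site inventory for inactive and ownerless sites.
# An empty Owner is used here as a proxy for 'orphaned'; the portal's site
# ownership policy applies its own, richer definition.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$sites  = Get-SPOSite -Limit All -Detailed
foreach ($site in $sites) {
    if ($site.LastContentModifiedDate -lt $cutoff) {
        $findings.Add("Inactive site (last content change $($site.LastContentModifiedDate.ToString('yyyy-MM-dd'))): $($site.Url)")
    }
    if ([string]::IsNullOrEmpty($site.Owner)) {
        $findings.Add("Orphaned site (no owner): $($site.Url)")
    }
}

# Step 5 / Validation check: a retention label exists per regulation and
# retains at least the required number of days. RetentionDuration is in
# days, or 'Unlimited' for labels that never expire (assumed string value).
$labels = Get-ComplianceTag
foreach ($reg in $RequiredLabelDays.Keys) {
    $matches = $labels | Where-Object { $_.Name -like "*$reg*" }
    if (-not $matches) {
        $findings.Add("No retention label found for $reg")
        continue
    }
    foreach ($label in $matches) {
        if ($label.RetentionDuration -ne 'Unlimited' -and
            [int]$label.RetentionDuration -lt $RequiredLabelDays[$reg]) {
            $findings.Add("Label '$($label.Name)' retains $($label.RetentionDuration) days; $reg requires $($RequiredLabelDays[$reg])")
        }
    }
}

if ($findings.Count -eq 0) { 'Control 4.3 checks passed' } else { $findings }
```

Run it after each policy change and keep the output with the change record; a non-empty findings list is the signal to revisit the corresponding step rather than a reason to remediate automatically, since the inactive and ownerless checks are heuristics and the portal policies (Steps 2 and 3) remain the authoritative workflow.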
Updated: January 2026 | Version: v1.2