
Control 4.3: Site and Document Retention Management

Overview

Control ID: 4.3
Control Name: Site and Document Retention Management
Regulatory Reference: FINRA 4511, SEC 17a-3/4, GLBA 501(b), SOX 404
Setup Time: 1-2 hours


Purpose

Manage the lifecycle of SharePoint sites and documents to ensure proper retention for regulatory compliance and timely disposition of content no longer needed. This control addresses both site-level lifecycle management and document retention through sensitivity labels and retention policies.

For agent governance, retention management is critical because AI agents access SharePoint as a knowledge source. Properly retained content ensures agents provide accurate, compliant responses while expired or outdated content is appropriately archived or disposed of. This prevents agents from surfacing stale information that could lead to regulatory violations or poor customer outcomes.


Key Capabilities

Site Lifecycle Management

Automated policies for managing inactive, orphaned, and uncertified sites.

Navigation: SharePoint Admin Center → Policies → Site lifecycle management

Policy Types:

| Policy Type | Purpose | Actions |
|---|---|---|
| Inactive site policies | Identify sites with no activity | Notify owners, archive, or mark read-only |
| Site ownership policies | Find sites without owners | Notify admins, require new owner, mark read-only |
| Site attestation policies | Ensure site information is current | Notify owners, require attestation, archive if overdue |

Document Retention Settings

Organization-wide retention settings for documents and OneDrive content.

Navigation: SharePoint Admin Center → Settings

Key Settings:

| Setting | Description | Default |
|---|---|---|
| OneDrive Retention | Days to retain a deleted user's OneDrive | 30 days |
| Version history limits | How many versions to keep | Organization-level setting |

Prerequisites

Primary Owner Admin Role: SharePoint Admin
Supporting Roles: Purview Records Manager, Purview Compliance Admin

Licenses Required

| License | Purpose | Required For |
|---|---|---|
| Microsoft 365 E5 or E5 Compliance | Full retention capabilities and advanced eDiscovery | Tier 2-3 environments |
| SharePoint Advanced Management Plan 1 | Site lifecycle management policies | All zones with lifecycle automation |
| Microsoft Purview | Retention labels and policies | Document-level retention |
| Power Platform Premium | Agent governance integration | Agents using SharePoint sources |

Permissions Required

| Role | Purpose | Scope |
|---|---|---|
| Microsoft Purview Compliance Administrator | Create and manage retention policies and labels | Tenant-wide |
| SharePoint Administrator | Configure site lifecycle policies and settings | SharePoint Admin Center |
| Records Management | Manage file plan and disposition | Purview Compliance Portal |
| Compliance Data Administrator | Review retention reports and analytics | Purview Compliance Portal |

Dependencies

| Dependency | Control Reference | Purpose |
|---|---|---|
| Sensitivity Labels | 4.1 - Information Access Governance | Labels can trigger retention |
| Audit Logging | 1.7 - Comprehensive Audit Logging | Track retention events |
| eDiscovery | 1.19 - eDiscovery for Agent Interactions | Legal hold coordination |
| DLP Policies | 1.5 - Data Loss Prevention | Protect retained content |

Pre-Setup Checklist

  • [ ] Microsoft 365 E5 or E5 Compliance licenses assigned
  • [ ] SharePoint Advanced Management enabled for tenant
  • [ ] Retention requirements documented by regulation and content type
  • [ ] File plan created for regulated content categories
  • [ ] Stakeholder approval for retention periods obtained
  • [ ] Legal hold procedures documented
  • [ ] Agent knowledge source inventory completed

Governance Levels

Baseline (Level 1)

| Requirement | Implementation |
|---|---|
| Retention policy awareness | Document retention requirements per regulation |
| Inactive site identification | Create inactive site policy to identify stale sites |
| Basic version history | Enable version history for document recovery |

Implementation Steps:

  1. Navigate to SharePoint Admin Center
  2. Go to Policies → Site lifecycle management
  3. Click Open under "Inactive site policies"
  4. Create policy to identify sites inactive for 90+ days
  5. Configure notification to site owners
  6. Set action to "notify only" initially

| Requirement | Implementation |
|---|---|
| Site ownership policies | Ensure all sites have active owners |
| Automated disposition | Configure archive/read-only for abandoned sites |
| Retention by content type | Apply retention labels to regulated content |
| Deletion audit logs | Enable audit logging for deletions |

Additional Steps:

  1. Create Site ownership policy:
     • Identify sites where the owner has left the organization
     • Notify admins to assign new owners
     • Mark read-only after 30 days if no owner is assigned
  2. Configure Inactive site policy actions:
     • Notify owners after 90 days of inactivity
     • Archive after 180 days if no response
  3. Navigate to Settings → OneDrive Retention
     • Set an appropriate retention period (recommend 365 days for Tier 2+)

Regulated/High-Risk (Level 4)

| Requirement | Implementation |
|---|---|
| Policy-driven retention | All Tier 3 (enterprise-managed) sites have documented retention policies |
| No manual deletion | Disable manual deletion for regulated content |
| Immutable deletion logs | All deletions logged and non-editable |
| Legal hold integration | Coordinate with eDiscovery for holds |

Retention Periods by Regulation:

| Regulation | Retention Period | Content Type |
|---|---|---|
| FINRA 4511 | 6 years | Books and records |
| SEC 17a-3/4 | 6 years | Communications, records |
| SOX 404 | 7 years | Financial records |
| GLBA | 5-7 years | Customer information |

Setup & Configuration

Step 1: Document Retention Requirements

Identify retention requirements for your organization:

  • Regulatory requirements (FINRA, SEC, SOX, GLBA)
  • Business requirements
  • Legal hold requirements
  • Agent knowledge source retention needs

Step 2: Configure Inactive Site Policies

Create policy to manage inactive sites:

  1. Navigate to Policies → Site lifecycle management
  2. Click Open under "Inactive site policies"
  3. Click Create policy
  4. Configure:
     • Scope: All sites or specific site templates
     • Inactivity period: 90 days (adjust per requirements)
     • Notification: Email to site owners and admins
     • Action: Notify → Mark read-only → Archive
  9. Enable the policy

Step 3: Configure Site Ownership Policies

Ensure sites have active owners:

  1. Click Open under "Site ownership policies"
  2. Create policy to identify orphaned sites
  3. Configure notification to SharePoint admins
  4. Set action for unresolved ownership issues

Step 4: Set Organization Retention Defaults

Configure organization-wide settings:

  1. Navigate to Settings
  2. Review "OneDrive Retention" setting
  3. Set to 365 days minimum for regulated organizations
  4. Review "Version history limits" settings

Step 5: Integrate with Microsoft Purview

For comprehensive retention:

  1. Use Microsoft Purview retention labels for document-level retention
  2. Apply retention labels to sensitivity-labeled content
  3. Configure retention policies for regulated content types
  4. Coordinate with eDiscovery for legal holds

PowerShell Configuration

Connect to Purview PowerShell

```powershell
# Prerequisites: Install Exchange Online PowerShell module
# Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser

# Connect to Security & Compliance PowerShell
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Verify connection
Get-RetentionCompliancePolicy | Select-Object Name, Enabled, Mode | Format-Table
```

Create Retention Policies

```powershell
# Create a retention policy for SharePoint sites containing agent knowledge
$PolicyName = "FSI-Agent-Knowledge-Retention-7Years"

New-RetentionCompliancePolicy -Name $PolicyName `
    -Comment "Retention policy for agent knowledge sources per FINRA 4511 and SEC 17a-4" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/AgentKnowledge" `
    -Enabled $true

# Create retention rule for the policy (7 years, retain and delete)
New-RetentionComplianceRule -Name "FSI-7Year-Retention-Rule" `
    -Policy $PolicyName `
    -RetentionDuration 2555 `
    -RetentionDurationDisplayHint Days `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

Write-Host "Retention policy created: $PolicyName" -ForegroundColor Green

# Create tier-specific retention policies.
# -SharePointLocation takes explicit site URLs and does not expand wildcards,
# so the matching sites are resolved from SharePoint Online first
# (requires Connect-SPOService -Url https://contoso-admin.sharepoint.com).
$Tiers = @(
    @{Name="Tier1-Personal"; Duration=365; Pattern="https://contoso.sharepoint.com/sites/Tier1-*"},
    @{Name="Tier2-Team"; Duration=1825; Pattern="https://contoso.sharepoint.com/sites/Tier2-*"},
    @{Name="Tier3-Enterprise"; Duration=2555; Pattern="https://contoso.sharepoint.com/sites/Tier3-*"}
)

$AllSiteUrls = (Get-SPOSite -Limit All).Url

foreach ($Tier in $Tiers) {
    $TierSites = @($AllSiteUrls | Where-Object { $_ -like $Tier.Pattern })
    if ($TierSites.Count -eq 0) {
        Write-Warning "No sites match $($Tier.Pattern); skipping $($Tier.Name)"
        continue
    }

    New-RetentionCompliancePolicy -Name "FSI-$($Tier.Name)-Retention" `
        -SharePointLocation $TierSites `
        -Enabled $true

    New-RetentionComplianceRule -Name "FSI-$($Tier.Name)-Rule" `
        -Policy "FSI-$($Tier.Name)-Retention" `
        -RetentionDuration $Tier.Duration `
        -RetentionDurationDisplayHint Days `
        -RetentionComplianceAction KeepAndDelete

    Write-Host "Created retention policy for $($Tier.Name) ($($TierSites.Count) sites)" -ForegroundColor Green
}
```

Apply Retention Labels

```powershell
# Create retention labels for different content types.
# The "immutable" label is declared as a record so that labeled content cannot be
# deleted or edited while under retention (a plain retention label only preserves a copy).
$Labels = @(
    @{Name="FSI-Financial-Records-7Y"; Duration=2555; Action="KeepAndDelete"; IsRecord=$false; Description="7-year retention for financial records (SOX 802)"},
    @{Name="FSI-Communications-6Y"; Duration=2190; Action="KeepAndDelete"; IsRecord=$false; Description="6-year retention for communications (FINRA 4511)"},
    @{Name="FSI-Customer-Data-5Y"; Duration=1825; Action="KeepAndDelete"; IsRecord=$false; Description="5-year retention for customer information (GLBA)"},
    @{Name="FSI-Regulatory-Immutable"; Duration=2555; Action="Keep"; IsRecord=$true; Description="7-year immutable retention for regulatory records"}
)

foreach ($Label in $Labels) {
    New-ComplianceTag -Name $Label.Name `
        -Comment $Label.Description `
        -RetentionDuration $Label.Duration `
        -RetentionAction $Label.Action `
        -RetentionType ModificationAgeInDays `
        -IsRecordLabel $Label.IsRecord

    Write-Host "Created retention label: $($Label.Name)" -ForegroundColor Green
}

# Publish retention labels via label policy
New-RetentionCompliancePolicy -Name "FSI-Retention-Labels-Policy" `
    -PublishComplianceTag "FSI-Financial-Records-7Y","FSI-Communications-6Y","FSI-Customer-Data-5Y","FSI-Regulatory-Immutable" `
    -SharePointLocation All `
    -Enabled $true

Write-Host "Retention labels published to all SharePoint sites" -ForegroundColor Green
```

Export Retention Configuration

```powershell
# Export all retention policies for documentation
$ExportPath = "C:\FSI-Governance\RetentionConfig"
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null

# Get all retention policies. SharePointLocation is a collection, so it is
# joined into one string; otherwise Export-Csv writes only the type name.
$Policies = @(Get-RetentionCompliancePolicy)
$Policies | Select-Object Name, Enabled, Mode,
        @{Name="SharePointLocation"; Expression={ $_.SharePointLocation -join ";" }},
        Comment, WhenCreated |
    Export-Csv -Path "$ExportPath\RetentionPolicies.csv" -NoTypeInformation

# Get all retention rules
$Rules = @(Get-RetentionComplianceRule)
$Rules | Select-Object Name, Policy, RetentionDuration, RetentionComplianceAction, ExpirationDateOption |
    Export-Csv -Path "$ExportPath\RetentionRules.csv" -NoTypeInformation

# Get all retention labels
$Labels = @(Get-ComplianceTag)
$Labels | Select-Object Name, RetentionDuration, RetentionAction, IsRecordLabel, Comment |
    Export-Csv -Path "$ExportPath\RetentionLabels.csv" -NoTypeInformation

Write-Host "Retention configuration exported to: $ExportPath" -ForegroundColor Green

# Create summary report. The .Count must sit inside $( ) so it is evaluated
# rather than printed literally in the here-string.
$Report = @"
FSI Retention Configuration Report
Generated: $(Get-Date -Format "yyyy-MM-dd HH:mm:ss")
=====================================

Total Retention Policies: $($Policies.Count)
Total Retention Rules: $($Rules.Count)
Total Retention Labels: $($Labels.Count)

Policies by Status:

- Enabled: $(@($Policies | Where-Object { $_.Enabled }).Count)
- Disabled: $(@($Policies | Where-Object { -not $_.Enabled }).Count)

"@
$Report | Out-File "$ExportPath\RetentionSummary.txt"
```

Get Sites with Retention Policies

```powershell
# Connect to SharePoint Online (required for Get-SPOSite below)
# Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Get all retention policies that target SharePoint locations
$RetentionPolicies = Get-RetentionCompliancePolicy | Where-Object { $_.SharePointLocation }

$SiteRetentionReport = @()
foreach ($Policy in $RetentionPolicies) {
    # A policy can carry more than one rule; report every site/rule pair
    $Rules = @(Get-RetentionComplianceRule -Policy $Policy.Name)

    foreach ($Site in $Policy.SharePointLocation) {
        foreach ($Rule in $Rules) {
            $SiteRetentionReport += [PSCustomObject]@{
                SiteUrl = "$Site"
                PolicyName = $Policy.Name
                RuleName = $Rule.Name
                RetentionDuration = $Rule.RetentionDuration
                Action = $Rule.RetentionComplianceAction
                PolicyEnabled = $Policy.Enabled
            }
        }
    }
}

# Display report
$SiteRetentionReport | Format-Table -AutoSize

# Export for compliance documentation
$SiteRetentionReport | Export-Csv -Path "C:\FSI-Governance\SiteRetentionMapping.csv" -NoTypeInformation
Write-Host "Site retention mapping exported" -ForegroundColor Green

# Find sites WITHOUT retention policies (potential gap).
# A policy scoped to "All" already covers every site, so only explicit URLs are compared.
$AllSites = Get-SPOSite -Limit All
$SitesWithRetention = @($SiteRetentionReport.SiteUrl | Select-Object -Unique)

if ($SitesWithRetention -contains "All") {
    Write-Host "`nA tenant-wide (All) retention policy covers every site" -ForegroundColor Green
} else {
    $SitesWithoutRetention = @($AllSites | Where-Object { $_.Url -notin $SitesWithRetention })
    Write-Host "`nSites WITHOUT retention policies: $($SitesWithoutRetention.Count)" -ForegroundColor Yellow
    $SitesWithoutRetention | Select-Object Url, Title, Template | Format-Table
}
```

Financial Sector Considerations

Regulatory Mapping

| Regulation | Requirement | Retention Period | How This Control Helps |
|---|---|---|---|
| FINRA 4511 | Books and records retention | 6 years | Automated retention policies ensure compliant retention periods |
| SEC 17a-4 | Non-rewriteable, non-erasable storage | 6 years | Preservation lock prevents modification during retention |
| SOX 802 | Audit workpapers and records | 7 years | Financial records retained with immutable settings |
| GLBA 501(b) | Customer information protection | 5-7 years | Customer data retained securely with access controls |

Tier-Specific Retention Requirements

| Tier | Content Types | Retention Period | Disposition | Agent Impact |
|---|---|---|---|---|
| Tier 1 (Personal Productivity) | Personal productivity docs | 1 year | Auto-delete | No agent access allowed |
| Tier 2 (Team Collaboration) | Team collaboration, internal docs | 3-5 years | Review then delete | Agents may access; stale content flagged |
| Tier 3 (Enterprise Managed) | Customer communications, financial records | 6-7 years | Legal review required | Agents access current, compliant content only |
| Tier 3+ (Regulated) | Regulatory filings, audit records | 7+ years | Regulatory approval | Immutable; agents read-only access |

FSI Implementation Example

```yaml
# FSI Retention Configuration Example
fsi_retention_config:
  organization: "Contoso Financial Services"
  compliance_framework:
    - FINRA
    - SEC
    - SOX
    - GLBA

  retention_policies:
    - name: "Tier1-Personal-Retention"
      scope: "Personal productivity sites"
      retention_days: 365
      action: "KeepAndDelete"
      agent_access: false

    - name: "Tier2-Team-Retention"
      scope: "Team collaboration sites"
      retention_days: 1825  # 5 years
      action: "KeepAndDelete"
      agent_access: true
      agent_freshness_flag: 90  # Flag content older than 90 days

    - name: "Tier3-Enterprise-Retention"
      scope: "Enterprise managed sites"
      retention_days: 2555  # 7 years
      action: "KeepAndDelete"
      legal_review_required: true
      agent_access: true
      agent_version_control: true

    - name: "Tier3-Regulatory-Immutable"
      scope: "Regulatory compliance sites"
      retention_days: 2555  # 7 years
      action: "Keep"  # No deletion without approval
      preservation_lock: true
      agent_access: "read-only"
      audit_all_access: true

  agent_knowledge_sources:
    - site: "https://contoso.sharepoint.com/sites/AgentKB"
      retention_policy: "Tier3-Enterprise-Retention"
      content_review_cycle: "quarterly"
      stale_content_threshold_days: 180
      auto_archive_stale: true

  disposition_workflow:
    review_stages:
      - stage: 1
        reviewer: "Content Owner"
        sla_days: 14
      - stage: 2
        reviewer: "Compliance Officer"
        sla_days: 7
      - stage: 3
        reviewer: "Legal (if required)"
        sla_days: 30

    escalation:
      enabled: true
      escalate_after_days: 45
      escalate_to: "Records Management"
```
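The configuration above names a freshness flag and a stale-content threshold for agent knowledge sources but leaves the check itself to the operator. The following is an added example, not part of this control page or Microsoft's tooling: it scans a knowledge-source library with PnP.PowerShell and classifies each document against those two thresholds so the content owner gets a review list. The site URL, library name and output path are placeholders.

```powershell
# Added example (not from the original control page). Assumes the PnP.PowerShell
# module is installed: Install-Module -Name PnP.PowerShell -Scope CurrentUser
function Get-StaleKnowledgeContent {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [string] $Library = "Documents",     # placeholder library name
        [int] $FlagAfterDays = 90,           # agent_freshness_flag in the YAML example
        [int] $StaleAfterDays = 180          # stale_content_threshold_days in the YAML example
    )

    Connect-PnPOnline -Url $SiteUrl -Interactive
    $now = Get-Date

    # Page through the library so large libraries do not hit the list view threshold
    $items = Get-PnPListItem -List $Library -PageSize 500 -Fields "FileRef","Modified","Editor"

    $report = foreach ($item in $items) {
        # Folders carry no content of their own; only files are classified
        if ($item.FileSystemObjectType -ne "File") { continue }

        $modified = [datetime]$item["Modified"]
        $ageDays  = [int]($now - $modified).TotalDays
        $status   = if ($ageDays -ge $StaleAfterDays) { "Stale" }       # past threshold: archive or refresh
                    elseif ($ageDays -ge $FlagAfterDays) { "Review" }   # flagged for owner review
                    else { "Current" }

        [PSCustomObject]@{
            Path         = $item["FileRef"]
            LastModified = $modified
            LastEditor   = $item["Editor"].LookupValue
            AgeDays      = $ageDays
            Status       = $status
        }
    }
    return $report
}

# Placeholder site and thresholds taken from the YAML example above
$report = Get-StaleKnowledgeContent -SiteUrl "https://contoso.sharepoint.com/sites/AgentKB" `
    -FlagAfterDays 90 -StaleAfterDays 180

# Summary by status, then the review list sorted oldest-first for the content owner
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne "Current" } | Sort-Object AgeDays -Descending |
    Export-Csv -Path "C:\FSI-Governance\AgentKB-StaleContent.csv" -NoTypeInformation
```

Items reported as "Stale" are candidates for the disposition workflow in the YAML; the CSV is the evidence that the quarterly content review actually ran.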

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply a baseline minimum of retention policies/labels for SharePoint content that impacts tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Avoid expanding scope beyond the user’s own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Ensure agent knowledge sources follow retention and disposition rules for shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate configuration in a pilot environment before broader rollout; retain policy configs + evidence of label/policy assignment.
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest configuration for retention policies/labels for SharePoint content and enforce it via policy where possible (not manual-only).
  • Treat changes as controlled (change ticket + documented testing); retain policy configs + evidence of label/policy assignment.
  • Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.

Verification & Testing

Test Procedure

  1. Navigate to SharePoint Admin Center → Policies → Site lifecycle management
  2. Verify inactive site policy exists and is enabled
  3. Check site ownership policy configuration
  4. Review policy notification settings
  5. Navigate to Settings → verify OneDrive retention setting
  6. Test policy by reviewing notification queue

Expected Results:

  • [ ] Inactive site policy configured and enabled
  • [ ] Site ownership policy configured (recommended)
  • [ ] Notification templates customized appropriately
  • [ ] OneDrive retention set per requirements
  • [ ] Policy actions align with governance requirements

Verification Evidence

| Evidence Type | Location | Retention |
|---|---|---|
| Policy configuration screenshots | Site lifecycle management | 1 year |
| Policy execution logs | Site lifecycle management | Per policy |
| Retention settings screenshot | Settings page | 1 year |
| Site disposition records | Governance documentation | 6 years |

Troubleshooting & Validation

Common Issues and Solutions

| Issue | Possible Cause | Resolution |
|---|---|---|
| Retention policy not applying to sites | Policy scope misconfigured or sync delay | Verify SharePoint locations in policy; wait 24-48 hours for propagation; check policy is enabled |
| Users can delete content under retention | Retention label not set to "Record" | Enable record declaration on label or use preservation lock; users can delete but content is preserved |
| Retention labels not visible to users | Label policy not published to location | Publish label policy to SharePoint locations; wait up to 24 hours for sync |
| Disposition review not triggering | Review not configured or reviewers not assigned | Configure disposition review in label settings; assign reviewers with Disposition Management role |
| Legal hold conflicts with retention | Hold takes precedence over retention deletion | This is expected behavior; content under hold is never deleted regardless of retention policy |
| Agent accessing stale content | Content past freshness threshold | Implement content review workflow; use metadata to flag stale content; configure agent to filter by date |
| Audit events missing for retention actions | Unified audit log not enabled | Enable audit logging in Purview portal; retention events appear under "File and page activities" |

Validation Commands

```powershell
# Verify retention policy status
Get-RetentionCompliancePolicy -Identity "FSI-Agent-Knowledge-Retention-7Years" |
    Select-Object Name, Enabled, Mode, DistributionStatus

# Check retention rule configuration
Get-RetentionComplianceRule -Policy "FSI-Agent-Knowledge-Retention-7Years" |
    Select-Object Name, RetentionDuration, RetentionComplianceAction

# Verify label publication status
Get-RetentionCompliancePolicy -Identity "FSI-Retention-Labels-Policy" |
    Select-Object Name, Enabled, PublishComplianceTag

# Check for policy distribution errors
# (-DistributionDetail populates DistributionResults with the per-location error text)
Get-RetentionCompliancePolicy -DistributionDetail | Where-Object { $_.DistributionStatus -ne "Success" } |
    Select-Object Name, DistributionStatus, DistributionResults
```
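The validation commands above confirm that individual objects exist; they do not say whether the configured durations meet the periods in the Regulatory Mapping table. The following is an added example, not part of this control page: it audits every retention rule and retention label against the regulatory minimums, recognising the regulation from the Comment text in the same style the scripts on this page use (for example "per FINRA 4511 and SEC 17a-4", "(SOX 802)"). It assumes an existing Connect-IPPSSession; the minimum-days table and the output path are assumptions.

```powershell
# Added example (not from the original control page). Minimum retention in days from
# the Regulatory Mapping table: FINRA and SEC 6 years, SOX 7 years, GLBA floor 5 years.
$RegulatoryMinimumDays = @{ "FINRA" = 2190; "SEC" = 2190; "SOX" = 2555; "GLBA" = 1825 }

function Get-CitedRegulations {
    # Return the regulations named in a policy or label comment (empty when none)
    param([string] $Text)
    @($RegulatoryMinimumDays.Keys | Where-Object { $Text -match "\b$_\b" } | Sort-Object)
}

function New-RetentionFinding {
    param($Kind, $Name, [string[]] $Cited, $Duration, $Action, $Enabled)
    # "Unlimited" never expires, so it satisfies any minimum
    $days = if ("$Duration" -eq "Unlimited") { [int]::MaxValue } else { [int]$Duration }
    # The strictest cited regulation sets the required period
    $required = if ($Cited.Count -gt 0) {
        ($Cited | ForEach-Object { $RegulatoryMinimumDays[$_] } | Measure-Object -Maximum).Maximum
    } else { 0 }
    $status = if ($Cited.Count -eq 0) { "Unmapped" }       # no regulatory basis documented
              elseif ("$Action" -eq "Delete") { "Fail" }   # delete-only retains nothing
              elseif (-not $Enabled) { "Fail" }            # configured but not in force
              elseif ($days -lt $required) { "Fail" }      # shorter than the regulation requires
              else { "Pass" }
    [PSCustomObject]@{
        Kind = $Kind; Name = $Name; Regulations = ($Cited -join ",")
        RequiredDays = $required; ConfiguredDays = "$Duration"; Action = "$Action"
        Enabled = $Enabled; Status = $status
    }
}

function Test-RetentionAgainstMinimums {
    $findings = @()
    # Policy/rule pairs: the comment lives on the policy, the duration on its rule(s)
    foreach ($policy in Get-RetentionCompliancePolicy) {
        $cited = Get-CitedRegulations -Text $policy.Comment
        foreach ($rule in @(Get-RetentionComplianceRule -Policy $policy.Name)) {
            $findings += New-RetentionFinding -Kind "Policy" -Name "$($policy.Name)/$($rule.Name)" `
                -Cited $cited -Duration $rule.RetentionDuration `
                -Action $rule.RetentionComplianceAction -Enabled $policy.Enabled
        }
    }
    # Retention labels carry comment, duration and action themselves
    foreach ($label in Get-ComplianceTag) {
        $findings += New-RetentionFinding -Kind "Label" -Name $label.Name `
            -Cited (Get-CitedRegulations -Text $label.Comment) `
            -Duration $label.RetentionDuration -Action $label.RetentionAction -Enabled $true
    }
    return $findings
}

$audit = Test-RetentionAgainstMinimums
$audit | Sort-Object Status, Kind, Name | Format-Table -AutoSize
# Anything not passing is the remediation list for the records manager
$audit | Where-Object { $_.Status -ne "Pass" } |
    Export-Csv -Path "C:\FSI-Governance\RetentionMinimumFindings.csv" -NoTypeInformation
```

A policy whose comment names no regulation shows as "Unmapped" rather than failing, since business-only retention is legitimate but must be documented as such.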

Additional Resources

| Control | Relationship |
|---|---|
| 4.1 - Information Access Governance | Sensitivity labels can auto-apply retention |
| 4.2 - Site Access Reviews | Access reviews align with retention periods |
| 1.7 - Comprehensive Audit Logging | Track retention policy events |
| 1.19 - eDiscovery for Agent Interactions | Legal holds override retention deletion |
| 1.5 - Data Loss Prevention | DLP protects retained content |
| 2.4 - Business Continuity and Disaster Recovery | Retained content included in backups |

Support & Questions

For implementation support or questions about this control, contact:

  • Records Management Lead (retention policy design)
  • Compliance Officer (regulatory requirements)
  • SharePoint Administrator (site lifecycle policies)
  • AI Governance Lead (agent knowledge source management)

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ✅ Current