Permissions and Compliance Controls in SharePoint and Teams

It’s been a crazy whirlwind tour of the Mid-Atlantic region over the past few weeks, with Customer Immersion Experiences from Maryland to VA Beach and everywhere in-between! These programs continue to draw massive interest with deep dives into better leveraging the technologies that customers already own in Office 365, like Teams, Planner, Skype for Business, Flow, Delve, and Sway. I’ve had great discussions with IT pros and office staff about their pain points and how to address them with their current toolsets, but one question in particular has come up several times in the past couple of weeks, so I figure it’s probably worth addressing directly.

It’s come in various incarnations, but it basically breaks down like this: I know I can use retention policies and legal hold in Exchange Online to prevent users from deleting corporate emails, but how do I prevent users from deleting corporate files in SharePoint / Teams / etc.?

And I’ll admit the first time I heard the question, it threw me. I love Teams. I live in it daily. But I do not love SharePoint. It’s too abstract for me, and I find it impenetrable from a learning perspective. I recognize that Teams is just a pretty shell on SharePoint, but I did not know if compliance capabilities even existed in SharePoint.

First, let’s establish some baseline terms and how they differ. SharePoint Online supports permissions and compliance controls. Permissions break down into traditional user/group access and rights management.

User/group permissions grant access to an object or set of objects in SharePoint Online. This maps 1:1 with Windows file server permissions. Create, read, write, delete. That’s it.

Rights management takes a much more granular approach to controls, enabling restrictions on printing, cut & paste, saving to alternate storage containers, forwarding to others, even screen-sharing. Rights management is revocable, expirable, and portable—the permissions travel with the file no matter where it’s stored.

Compliance controls cover retention and deletion policies. They are more broad-stroke and apply to the sites & files themselves, rather than the users accessing them.

Retention, or hold, policies are the gist of what we’re after today, but it’s important to know how they interact with document deletion policies. A document deletion policy automatically deletes data that has not been modified in a certain amount of time, but it cannot override a hold policy. If you define a 3-year hold and a 2-year deletion policy, your data will be deleted at the 3-year mark. If you have overlapping policies between a site and a constituent document, and the deletion policy does manage to nuke the file, it will be preserved in a special container called the “Preservation Hold library”.

This, incidentally, is where files go when they are manually deleted. Users are not notified that the data is protected by a hold policy. They hit delete, the file disappears. But the data can be accessed and restored.
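To make the hold-versus-deletion interaction above concrete, here is an added example (my own, not from the original post) that builds the two policies with Security & Compliance PowerShell from the ExchangeOnlineManagement module: a 3-year hold and a 2-year deletion policy, both scoped to all SharePoint sites, OneDrive accounts, and Office 365 Group / Teams sites. The policy and rule names are constructed placeholders.

```powershell
# Added example, not the post's own code. Connects to Security & Compliance
# PowerShell (Connect-IPPSSession from the ExchangeOnlineManagement module).
Connect-IPPSSession

# 3-year hold: keep content for 1095 days and never delete it.
# Policy and rule names ("Corp-*") are constructed placeholders.
New-RetentionCompliancePolicy -Name "Corp-Hold-3Y" `
    -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All
New-RetentionComplianceRule -Name "Corp-Hold-3Y-Rule" -Policy "Corp-Hold-3Y" `
    -RetentionDuration 1095 -RetentionComplianceAction Keep

# 2-year deletion: delete content that has not been modified in 730 days.
# Retention takes precedence over deletion, so while the hold above applies
# this rule cannot remove anything; a file last touched today disappears
# for users at the 2-year mark but is kept in the Preservation Hold library
# and is only actually purged once the 3-year hold has elapsed.
New-RetentionCompliancePolicy -Name "Corp-Delete-2Y" `
    -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All
New-RetentionComplianceRule -Name "Corp-Delete-2Y-Rule" -Policy "Corp-Delete-2Y" `
    -RetentionDuration 730 -RetentionComplianceAction Delete `
    -ExpirationDateOption ModificationAgeInDays

# Check: both policies exist, are enabled, and have finished distributing
# to their locations (DistributionStatus should read Success).
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.Name -like "Corp-*" } |
    Select-Object Name, Enabled, DistributionStatus, SharePointLocation

# And the rule attached to each policy, with its duration and action.
Get-RetentionComplianceRule -Policy "Corp-Hold-3Y"   | Select-Object Name, RetentionDuration, RetentionComplianceAction
Get-RetentionComplianceRule -Policy "Corp-Delete-2Y" | Select-Object Name, RetentionDuration, RetentionComplianceAction
```

If you only care about the net effect (keep for three years, then delete), a single rule with `-RetentionComplianceAction KeepAndDelete -RetentionDuration 1095` expresses it in one policy; the two-policy form above mirrors the post's scenario.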

Going back to the question, since Teams, SharePoint, and other file solutions in Office 365 leverage SharePoint Online, you can create a retention policy for whatever your legal requirements are, a deletion policy as needed, and trust that no matter what tool your users use to access the data, it is protected.