---
name: Retention and Records Management Audit
description: Audit Microsoft Purview retention labels, policies, records management coverage, disposition reviews, and Microsoft 365 Copilot content retention.
---

# Retention and Records Management Audit

> **TL;DR:** This skill reviews how your organisation keeps and disposes of Microsoft 365 content, including Copilot interactions, and produces a prioritised report of retention gaps so you can prove compliant records management.

## What does Microsoft Purview retention and records management cover?

Microsoft Purview retention labels and retention policies govern how long content in Exchange, SharePoint, OneDrive, and Microsoft Teams is kept or deleted, while records management adds declaration, disposition reviews, and immutable retention for regulatory recordkeeping. This skill inspects that configuration across Microsoft 365, including the retention of Microsoft 365 Copilot prompts and responses, so coverage and disposition controls are evidenced. It complements Microsoft Entra identity governance and Purview data loss prevention (DLP) by ensuring retained content is governed end to end. The audit is purely observational and never alters a single label or policy.

## When should you run this skill?

- "Can we prove which workloads our retention policies actually cover?"
- "Are Copilot prompts and responses being retained the way our policy requires?"
- "Do we have any disposition reviews that are overdue or unassigned?"
- "Which retention labels are published but never applied to content?"
- "Are records declared as regulatory records being protected from deletion?"
- "We have a compliance audit next week and need a retention coverage baseline."
- "Has anyone created retention policies with conflicting or unbounded settings?"

## How this skill works, step by step

1. Connect read-only to Microsoft Purview compliance endpoints using delegated, least-privilege credentials.
2. Enumerate all retention policies and map the Microsoft 365 workloads each one covers, flagging uncovered locations such as Teams chats or Copilot interactions.
3. Inventory published retention labels and label policies, identifying labels that are orphaned, unpublished, or never applied.
4. Inspect records management configuration, including regulatory record declarations, file plan descriptors, and event-based retention triggers.
5. Review disposition review stages for items that are overdue, unassigned, or missing approver coverage.
6. Check retention settings for Microsoft 365 Copilot content to confirm prompts and responses are captured under an active policy.
7. Detect conflicting or unbounded retention configurations where overlapping policies create ambiguous outcomes.
8. Derive a risk score per finding from coverage gaps, disposition backlog, and regulatory exposure, weighting unprotected records highest.
9. Compile the findings into a prioritised report with remediation guidance, without changing any configuration.
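
Steps 1 and 2 can be sketched with the Security and Compliance PowerShell cmdlets named under "Microsoft Graph permissions (read-only)". This is an added example, not the skill's own code: it calls only `Get-*` cmdlets and maps each retention policy to the workloads it includes. The workload-to-property mapping and the names `$workloads`, `$coverage` and `$findings` are assumptions of this example, and Copilot interaction locations are not mapped here.

```powershell
# Added example (not the skill's own code). Read-only: only Get-* cmdlets are called.
# Requires the ExchangeOnlineManagement module and one of the roles listed
# under "Least-privilege roles".
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive, delegated sign-in

# Assumption: these policy location properties are the workloads mapped here.
$workloads = [ordered]@{
    Exchange      = 'ExchangeLocation'
    SharePoint    = 'SharePointLocation'
    OneDrive      = 'OneDriveLocation'
    M365Groups    = 'ModernGroupLocation'
    TeamsChannels = 'TeamsChannelLocation'
    TeamsChats    = 'TeamsChatLocation'
}

$policies = @(Get-RetentionCompliancePolicy -DistributionDetail)

# One row per policy per workload that the policy includes.
$coverage = foreach ($policy in $policies) {
    foreach ($w in $workloads.GetEnumerator()) {
        # Drop nulls so an unset location property counts as zero locations.
        $included = @($policy.($w.Value) | Where-Object { $_ })
        if ($included.Count -gt 0) {
            [pscustomobject]@{
                Policy    = $policy.Name
                Workload  = $w.Key
                Enabled   = $policy.Enabled
                Status    = $policy.DistributionStatus
                Locations = $included.Count
            }
        }
    }
}

# A workload counts as covered only if an enabled policy includes it.
$active    = @($coverage | Where-Object { $_.Enabled })
$uncovered = @($workloads.Keys | Where-Object { $_ -notin @($active.Workload) })

$findings = @(
    $uncovered | ForEach-Object {
        [pscustomobject]@{ Finding = "No enabled retention policy includes $_"; Area = 'Retention coverage' }
    }
    $policies | Where-Object { -not $_.Enabled } | ForEach-Object {
        [pscustomobject]@{ Finding = "Policy '$($_.Name)' is disabled"; Area = 'Retention policy' }
    }
    $policies | Where-Object { $_.DistributionStatus -ne 'Success' } | ForEach-Object {
        [pscustomobject]@{ Finding = "Policy '$($_.Name)' distribution status is $($_.DistributionStatus)"; Area = 'Retention policy' }
    }
)

$coverage | Sort-Object Workload, Policy | Format-Table -AutoSize
$findings | Format-Table -AutoSize
```

A policy scoped to specific mailboxes or sites still marks its workload as covered in this output, so a `Locations` count other than a single tenant-wide entry needs a per-location review before coverage is claimed.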

## Output format

The skill produces a findings table followed by a summary. Each row represents one retention or records management observation with its assessed risk.

| Finding | Area | Risk | Recommendation |
| --- | --- | --- | --- |
| Copilot interactions not covered by any retention policy | Copilot retention | High | Extend an existing policy to include Microsoft 365 Copilot locations |
| 14 disposition review items overdue beyond 90 days | Disposition review | Medium | Reassign reviewers and clear the backlog before the audit window |

Summary metrics accompany the table:

- Total retention policies and the workloads each covers
- Count of published labels with zero applied items
- Number of regulatory records and their protection status
- Disposition review backlog by stage and age
- Overall retention coverage risk rating

## Scope and safety

This skill is read-only by default and makes no changes to any retention policy, label, record, or disposition review.

This skill does NOT:

- Create, edit, publish, or delete retention labels or policies
- Approve, reject, or reassign disposition review items
- Modify records management declarations or file plan settings
- Delete, relabel, or move any user or Copilot content

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Retention policies and retention labels across Microsoft 365 | Microsoft 365 E3 |
| Records management, regulatory record declarations, file plan, and disposition reviews | Microsoft 365 E5 or E5 Compliance |
| Retention of Microsoft 365 Copilot prompts and responses | Microsoft 365 Copilot licence plus an E5 or E5 Compliance retention plan |

### Least-privilege roles

- Global Reader for read-only visibility across the Purview compliance configuration.
- Compliance Data Administrator (or membership of the Records Management role group) where read access to file plan and disposition review details is required.

### Microsoft Graph permissions (read-only)

- Retention and records management in Microsoft Purview is administered through the Microsoft Purview portal and the Security and Compliance PowerShell module (for example the `Get-RetentionCompliancePolicy`, `Get-ComplianceTag`, and `Get-FilePlanPropertyAuthority` cmdlets) rather than Microsoft Graph, so no Graph application scopes are required for this skill. Connect read-only using delegated credentials granted only the roles above.

## Sources and compliance

- [Learn about retention policies and retention labels](https://learn.microsoft.com/en-us/purview/retention)
- [Learn about records management](https://learn.microsoft.com/en-us/purview/records-management)
- Supports the Essential Eight control of regular backups by ensuring retention coverage preserves recoverable records, and aligns with ISM guidance on data retention and the secure destruction of records once disposition is authorised.
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English
