Solution Atlas
EverydayUser storyConsultative playbook

We have 15 years of unmanaged content and the audit is asking

SharePoint, OneDrive, and Teams hold years of accumulated content with no retention policy applied. Legal has flagged that some categories should have been disposed of years ago; others must be kept indefinitely. The auditor wants evidence of an information lifecycle baseline.

Trigger
Audit finding; legal exposure on retained content.
Good outcome
Retention labels live for top categories, records management active for regulated content, disposal cadence operational.
Diagnostic discovery

Signals this story fits

Observable cues that confirm the conversation belongs here.

  • ·Audit preparation in progress with retention findings
  • ·Legal exposure flagged on either over-retained or under-retained content
  • ·No retention policies applied across M365 surfaces
  • ·SharePoint, OneDrive, Teams content accumulated for many years
  • ·Records management absent or in indefinite pilot

Questions to ask

Open-ended, SPIN-style — each one has a reason it matters.

  1. 1.What does your retention policy look like today across M365 surfaces — formal, partial, or absent?

    WhyEstablishes the baseline. Most customers have point fixes for individual sites and nothing tenant-wide.

    Listen for: “none” · “site-by-site” · “pilot only”

  2. 2.Has Legal flagged specific content types as over-retained, under-retained, or both?

    WhyBoth directions matter. Both produce audit exposure.

  3. 3.What is your records management programme today — pilot, partial, or none?

    WhyDistinct from retention. Records management adds immutability and audit trail.

  4. 4.Who would own information lifecycle — IT, Legal, Compliance, or shared?

    WhyOwnership is the maturity threshold. Often nobody owns the cross-functional question.

  5. 5.What does Internal Audit want to see — evidence of policy, evidence of enforcement, or both?

    WhySharpens the deliverable.

  6. 6.What is your storage cost trajectory on unmanaged content?

    WhyAnchors the cost-of-status-quo conversation.

Baseline → target architecture

TOGAF-style gap framing — what we typically see today, and what the proposed end state looks like. The gap between them is the engagement.

Baseline architecture

M365 E3 or E5 estate with no tenant-wide retention policies. SharePoint sites accumulating content over many years. OneDrive and Teams content rarely reviewed. No records management label structure. Legal exposure unclear because the content estate is unmapped. Storage cost climbing without governance.

Typical concerns

  • ·Over-retention of content that should have been disposed of
  • ·Under-retention of content with regulatory hold requirements
  • ·Legal review of historical content takes weeks per request
  • ·No disposal cadence; content accumulates indefinitely
  • ·Storage cost rising without business case

Capability gaps

  • ·Retention label taxonomy applied tenant-wide
  • ·Records management for regulated content categories
  • ·Disposal review cadence
  • ·Legal hold workflow for litigation
  • ·Cross-functional ownership (IT + Legal + Compliance)
Target architecture

Retention label taxonomy live tenant-wide (typically five to eight labels covering the major content classes). Records management active for regulated categories (financial records, HR records, regulated communications). Disposal review cadence operational with quarterly Legal sign-off. Legal hold workflow integrated with eDiscovery. Cross-functional ownership with IT, Legal, and Compliance signed up.

Key capabilities

  • Tenant-wide retention label taxonomy
  • Records management for regulated categories
  • Quarterly disposal review cadence
  • Legal hold workflow
  • Cross-functional ownership cadence

Enabling SKUs

Resolved in the ‘Recommended cards’ section below.

Architecture decisions

Each decision is offered as explicit options with trade-offs — Hohpe's “selling options” principle. A safe default is noted where one exists.

  1. Decision 1.Label taxonomy — simple (3–5 labels) vs full (8–15 labels)

    Simple (3–5)

    When it fitsMid-size org with no prior taxonomy; user adoption prioritised.

    Trade-offsLess granular for regulated content categories.

    Full (8–15)

    When it fitsRegulated industry; differentiated retention periods per content class.

    Trade-offsHarder to roll out; users mis-label without strong CoE.

    Default recommendationStart with 5 labels (Public, Internal, Confidential, Regulated, Records); add granularity in phase 2 if content classes demand it.

  2. Decision 2.Label application — auto-apply vs user-applied vs hybrid

    Auto-apply (requires P2)

    When it fitsMature trainable classifiers available; large estate.

    Trade-offsRequires E5 or Purview add-on; classifier tuning ongoing.

    User-applied (P1, ships with E3)

    When it fitsSmaller estate; willingness to train users; cost-sensitive.

    Trade-offsAdoption uneven; mis-labelling common.

    Hybrid — auto-apply on key surfaces + user-applied elsewhere

    When it fitsMid-size org with priority content classes (e.g. M&A folders) needing auto-apply.

    Trade-offsTwo operating models.

    Default recommendationHybrid — auto-apply on top 5 site collections + user-applied elsewhere.

  3. Decision 3.Records management scope — regulated content only vs broader

    Regulated only (financial, HR, regulated comms)

    When it fitsPragmatic starting point; immutability where required.

    Trade-offsNon-regulated retention is policy-only, not enforced.

    Broader (records management for most content classes)

    When it fitsHigh audit pressure; appetite for stricter governance.

    Trade-offsUser-experience friction; storage cost rises.

    Default recommendationRegulated content only for the first 12 months; expand as the programme matures.

Low-risk trial — proof of value

60-day Information Lifecycle baseline

8 weeks

Retention label taxonomy authored with Legal sign-off. Labels published tenant-wide. Auto-apply piloted on top 5 SharePoint site collections. Records management activated for regulated content categories. First disposal review cadence run with Legal present. Legal hold workflow validated against one test scenario.

Success criteria

  • Label taxonomy approved by Legal and published
  • Auto-apply coverage above 70% on the pilot sites
  • Records management active for regulated categories
  • First disposal review cadence run with documented decisions

InvestmentPurview IP P1 included in M365 E3; P2 (auto-apply) requires E5 or add-on (~€2–3/user/month uplift). Estimated ~€3–5k/month for the trial scope at mid-size org scale.

Proof metrics

  • ·Tenant-wide label coverage above 60% within 90 days
  • ·Storage cost trajectory bent downward on the pilot sites
  • ·Disposal review cadence operating quarterly
  • ·Audit-readiness report demonstrates retention compliance

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.

Why for this story

Retention labels, records management, and disposal sit in Purview. The classification baseline auditors expect — without it, downstream lifecycle controls are theatre.

Why for this story

Includes Purview IP P1 with manual retention. P2 features (auto-apply, trainable classifiers) require E5 or the add-on. E3 is the floor.

Back to Information lifecycle management