Tutorial / Cram Notes

A preservation lock is a feature that allows an administrator to lock a retention policy or retention label policy, preventing anyone from disabling the policy, decreasing the retention duration, or making any changes that would reduce the level of data retention specified by the policy. This ensures that the data is preserved in an immutable state for compliance purposes.

When to Use a Preservation Lock

Preservation locks are primarily used in scenarios where an organization is obliged to follow industry regulations, like financial services or healthcare. These regulations may require that specific types of information be retained for a certain period, during which the data cannot be altered or deleted.

How to Configure Preservation Locks

  1. Create a Retention Policy or Retention Label Policy:
    • Access the Microsoft 365 compliance center.
    • Navigate to the Data governance > Retention section.
    • Click on “+ Create” to set up a new policy or choose an existing one to which you want to apply the lock.
    • Define the settings for the policy, such as what content it applies to, the retention period, and the action after the retention period ends.
  2. Configure the Preservation Lock:
    • Once the retention policy or label policy is created, select the “More actions” menu for the policy in the list.
    • Choose the option to “Turn on preservation lock.”
    • Read the warning message that appears carefully. Applying a preservation lock is irreversible; the policy cannot be turned off, deleted, or made less restrictive once the lock is in place.
    • Agree to the conditions and apply the lock.
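
The page notes further down that the lock can also be configured with PowerShell. The script below is an added example, not part of the original notes: it uses Security & Compliance PowerShell to list which policies are already locked, checks the target policy, applies the lock and verifies it. The policy name is a placeholder, and the pre-checks and the retype-to-confirm prompt are safeguards chosen for this example.

```powershell
# Added example. '<Name of Policy>' is a placeholder for your own policy name.
# Assumes the ExchangeOnlineManagement module and a compliance admin role.
$PolicyName = '<Name of Policy>'

Connect-IPPSSession   # Security & Compliance PowerShell session

# 1. Inventory: list every retention policy with its current lock state.
Get-RetentionCompliancePolicy |
    Sort-Object Name |
    Format-Table Name, Enabled, RestrictiveRetention -AutoSize

# 2. Pre-checks on the target (safeguards chosen for this example).
$policy = Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail -ErrorAction Stop
if ($policy.RestrictiveRetention) {
    Write-Host "'$($policy.Name)' is already locked."
    return
}
if (-not $policy.Enabled -or $policy.DistributionStatus -ne 'Success') {
    throw "'$($policy.Name)' is not enabled and fully distributed; not locking."
}

# 3. Show exactly what is about to be frozen.
Get-RetentionComplianceRule -Policy $policy.Name |
    Format-List Name, RetentionDuration, RetentionComplianceAction

# 4. The lock is irreversible, so require the operator to retype the name.
$typed = Read-Host "Type the policy name to lock it permanently"
if ($typed -ne $policy.Name) {
    throw 'Name did not match; no change made.'
}
Set-RetentionCompliancePolicy -Identity $policy.Name -RestrictiveRetention $true

# 5. Verify the lock took effect.
$after = Get-RetentionCompliancePolicy -Identity $policy.Name
if (-not $after.RestrictiveRetention) {
    throw "Lock not reported on '$($after.Name)'; investigate before relying on it."
}
Write-Host "'$($after.Name)' is locked (RestrictiveRetention = True)."
```

The inventory in step 1 is also useful on its own as a periodic check that every policy a regulation depends on still reports `RestrictiveRetention` as `True`.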

Considerations Before Applying a Preservation Lock

There are several critical considerations to keep in mind before locking a policy:

  • Once a lock is applied, it is permanent.
  • You cannot decrease the retention duration or narrow the scope of the policy to cover fewer users or less content.
  • Policies can still be made more restrictive, for example, by extending the retention period or expanding the scope to include more users.

These immutability aspects ensure that policies cannot be circumvented, which is often a requirement for strict regulatory compliance.

Comparison: Locked vs. Unlocked Retention Policies

| Feature | Locked Retention Policy | Unlocked Retention Policy |
| --- | --- | --- |
| Delete Policy | Not possible | Possible |
| Reduce Retention Duration | Not possible | Possible |
| Change Retention Action | Not possible | Possible |
| Scope Reduction | Not possible | Possible |
| Extend Retention Duration | Possible | Possible |
| Increase Scope | Possible | Possible |
| Manual or Accidental Policy Change | Not possible | Possible |

Example Scenario

Imagine a financial institution that must comply with regulations requiring it to retain all email communications for seven years. An administrator creates a retention policy in the Microsoft 365 compliance center to retain all emails for this duration. Upon creating the policy, the administrator locks it to prevent any future changes that could lead to non-compliance with regulatory standards.

By configuring the preservation lock, the organization ensures that even if personnel changes occur or other organizational shifts take place, the integrity of their data preservation strategy remains intact, thus avoiding potential legal penalties.

In conclusion

Configuring preservation locks is a straightforward process, but it carries significant implications due to its irreversible nature. It is vital that SC-400 candidates understand the implications of applying a preservation lock and the scenarios in which it is appropriate to use. Proper use of this feature allows an organization to meet regulatory requirements and maintain data integrity, which is a priority for an Information Protection Administrator.

Practice Test with Explanation

True or False: A preservation lock can only be applied to a retention label policy, not to a retention policy.

  • Answer: False

A preservation lock can be applied to both retention label policies and retention policies, preventing these policies from being turned off or made less restrictive.

True or False: Once a preservation lock is placed on a retention policy or label in Microsoft 365, it cannot be removed.

  • Answer: True

Preservation locks are designed to make a retention policy or label immutable once applied, which means it cannot be removed or altered.

Which permission level is required to configure a preservation lock on a retention policy or label?

  • A. Global Administrator
  • B. Compliance Administrator
  • C. Retention Manager
  • D. User Management Administrator
  • Answer: B. Compliance Administrator

A Compliance Administrator, or an equivalent custom role that includes the necessary permissions, is required to configure a preservation lock.

True or False: Preservation locks do not apply to policies or labels that are set to delete content.

  • Answer: False

Preservation locks can apply to policies or labels configured for both retention and deletion, ensuring that the policy cannot be disabled or made less strict.

Can you disable a preservation lock after a regulatory investigation concludes?

  • A. Yes, after the investigation concludes, you can disable the lock.
  • B. No, once enabled, it cannot be disabled.
  • Answer: B. No, once enabled, it cannot be disabled.

A preservation lock is irrevocable, and it cannot be disabled even after a regulatory investigation concludes.

When a preservation lock is in place, which of the following actions are allowed?

  • A. Deleting the policy
  • B. Extending the retention period
  • C. Reducing the retention period
  • D. None of the above
  • Answer: B. Extending the retention period

When a preservation lock is in place, you can potentially make the retention period longer, but you can’t reduce it, delete the policy, or make other changes that would weaken the policy.

True or False: To create a preservation lock, you must have the retention policy or label published and applied to content.

  • Answer: True

Before you can place a preservation lock, the retention policy or label must be published and be in a state where it is actively applied to content.

Preservation locks are typically used in which of the following scenarios?

  • A. To temporarily protect data during a minor organizational change
  • B. To comply with industry regulations that require a defensible retention policy
  • C. To protect data until a specified date before allowing alterations
  • D. To give users full flexibility in modifying retention settings
  • Answer: B. To comply with industry regulations that require a defensible retention policy

Preservation locks are used to ensure compliance with regulations that mandate immutability in retention policies, preventing such policies from being turned off or made less restrictive.

True or False: You can apply a preservation lock to a policy without turning on the preservation lock option first.

  • Answer: False

To apply a preservation lock, you must first turn on the option for the lock when creating or configuring the retention policy or label. It cannot be applied retroactively.

Before applying a preservation lock, you must:

  • A. Notify all users.
  • B. Disable all security features.
  • C. Obtain approval from a manager.
  • D. Verify there are no current holds or eDiscovery cases that would be affected.
  • Answer: D. Verify there are no current holds or eDiscovery cases that would be affected.

It’s crucial to ensure that there are no existing holds or eDiscovery cases that could be impacted by the preservation lock, as it will make the policy immutable.

True or False: You can apply a preservation lock to a policy with zero days deletion.

  • Answer: True

A preservation lock can be applied to a retention policy with any retention duration, including zero days (which effectively means items can be deleted immediately after the policy becomes inactive or expires).

True or False: When configuring a retention policy with preservation lock, you must provide a justification for the lock that will be logged in the audit log.

  • Answer: True

When configuring a preservation lock, administrators must provide a justification for the lock. This justification is then recorded in the audit logs for future reference and compliance purposes.

Interview Questions

What is a preservation lock in Microsoft 365 compliance?

A preservation lock is a setting that prevents a retention label or policy from being removed or modified, preserving the associated content in its current state.

How can preservation locks be configured?

Preservation locks can be configured using the Microsoft 365 compliance center or Microsoft PowerShell.

What are the types of preservation locks available in Microsoft 365 compliance?

There are two types of preservation locks: auto-preservation and manual preservation.

How does auto-preservation work?

Auto-preservation is enabled by default for all retention labels and policies. When this setting is turned on, it locks the label or policy, preventing it from being deleted or modified.

How does manual preservation work?

Manual preservation is used to lock a specific retention label or policy, and can be enabled or disabled by a compliance administrator.

How long can a preservation lock be set for?

Preservation locks can be set for a maximum duration of 100 years.

What happens to content when a preservation lock is applied?

When a preservation lock is applied, any associated content is protected from deletion, editing, or modification until the lock is removed.

How can a preservation lock be removed?

A preservation lock can be removed by disabling the auto-preservation setting or manually removing the lock.

What are some use cases for preservation locks?

Preservation locks are commonly used in legal or regulatory scenarios where it is necessary to retain content for a specific period of time.

What is the difference between a preservation lock and legal hold?

A preservation lock is a setting that preserves content, whereas legal hold is a process that allows you to preserve content and prevent it from being edited or deleted, typically in response to a legal or regulatory requirement.

Arturo Domínguez
5 months ago

Great article on configuring preservation locks! Very timely for my SC-400 exam prep.

Ilan Martin
1 year ago

Super helpful guide. I was struggling with the concept of preservation locks, but this made it clear.

Leanne Miller
1 year ago

Could someone clarify if preservation lock settings can be modified after they are set?

Magdalena Almeida
1 year ago

Is there a difference between a preservation lock and a retention lock?

Fletcher Brown
1 year ago

Thanks for this, helped a lot!

Vladimir Vujčić
1 year ago

I think there’s a typo in the second section about applying locks on OneDrive.

Giovanna Van Haaften

How does preservation lock tie into data compliance?

Vujadin Anđelić
1 year ago

Can we apply preservation locks on all data types?
