Data Protection Centre/Microsoft 365/A Guide to OneDrive for Business Data Retention

Categories

In this article

  • Default data retention in OneDrive for business
  • Limitations of default retention methods
  • Native retention methods
  • Retention policies to retain OneDrive for business data
  • eDiscovery to retain OneDrive for business data
  • Microsoft 365 native backup tool
  • Limitations of native retention methods
  • Retention with third-party backup solutions

A Guide to OneDrive for Business Data Retention

15 Apr 2025
6 min read

OneDrive data retention at a glance

There are gaps in OneDrive data retention:
  • Files deleted from OneDrive can be permanently lost if they are not restored within the default retention period.

  • Microsoft 365’s retention rules can be complicated and may not apply uniformly, creating potential risks for data loss.

Read more

OneDrive for Business is a cloud storage platform that is part of the Microsoft 365 productivity suite. With widespread adoption among organizations in North America and Europe, securing OneDrive data is more critical than ever.
This article explores the different ways using which IT administrators can retain Microsoft OneDrive for business data.

1. Default data retention in OneDrive for business

When a file is deleted in OneDrive for Business, it is initially moved to the first-stage Recycle Bin, where end users can recover it. If the file is deleted from the first-stage Recycle Bin, it is transferred to the second-stage Recycle Bin, which is accessible only by the site collection administrator. Files remain recoverable across both stages for a total of 93 days from the initial deletion date. After the 93-day retention period ends, the files are permanently deleted and cannot be restored through native Microsoft 365 recovery options. 

Below is a diagram illustrating the movement of a OneDrive file from deletion to recovery.

Deleted OneDrive data timeline

To learn more about how to recover deleted data from OneDrive, click here

2. Limitations of Microsoft 365 default retention for OneDrive for business files

While Microsoft 365 offers a built-in retention period of 93 days for deleted OneDrive files, there are several limitations to this native approach.
  • First, all data retained, whether active or in the Recycle Bin continues to consume storage quota allocated to the organization’s Microsoft 365 subscription. If the storage limit is reached, organizations must purchase additional storage to avoid service disruptions. 

  • Additionally, once the 93-day retention window expires, deleted files are purged permanently from the system and cannot be recovered through Microsoft’s native tools. This poses a significant risk in cases of accidental or malicious deletions that go unnoticed beyond the default retention period. 

3. How to retain OneDrive for business data?

There are several retention tools that can be used to ensure OneDrive for business data gets retained beyond the default retention period. Native retention methods like retention rules and eDiscovery features, and third-party backup tools are top three methods businesses can use to preserve their OneDrive data.

OneDrive is a personal file storage location and SharePoint is a collaborative storage platform. However, both these services share similar designs and core functionalities. Hence, the retention methods listed here also apply to SharePoint sites. To learn more about SharePoint retention, click here.

4. Native retention methods

Microsoft 365 offers several native retention mechanisms that allow organizations to manage the lifecycle of OneDrive for Business data beyond the default 93-day retention period. These methods are designed to help businesses meet compliance, legal, and operational needs by preserving or deleting content based on defined rules. 

Organizations with supported Microsoft 365 licenses can use tools like Retention Policies, Retention Labels, and eDiscovery (Standard and Premium) to enforce data governance strategies. Additionally, Microsoft has introduced Microsoft 365 Backup as a solution to recover and restore OneDrive data. 

4.1. Retention policies and retention labels to retain OneDrive for business data

Retention policies allow IT administrators to automatically retain or delete content based on pre-defined conditions. These policies are applied at the account level across workloads such as Exchange, SharePoint, Teams, and OneDrive for Business. 
Organizations can use retention policies to:  Retain OneDrive content for a specific period—even if a user deletes it. 
  • Automatically delete files after a specified duration. 
  • Apply policies to selected users, groups, or OneDrive sites. 
  • Use adaptive scopes to dynamically target users based on attributes like department or location. 
Retention labels provide a more granular level of control compared to retention policies. They can be applied manually by users or automatically by Microsoft 365 based on conditions like file metadata or location. 
With retention labels, you can: 
  • Assign specific retention settings to files and folders within OneDrive. 
  • Automatically apply labels using predefined rules or sensitive information types. 
  • Use default labels for OneDrive document libraries. 
  • Define whether content is retained, deleted, or reviewed when a retention period expires. 
  • Make content record-based, preventing edits or deletion during the retention period. 

These policies and labels operate silently in the background and are managed via the Microsoft Purview compliance portal. To learn more about retention policies and labels, click here.

4.1.1. Licensing requirements to use retention policy

Organizations with the following licenses can set retention policies to preserve their OneDrive for business data:
●     Microsoft 365 E5/G5/A5/E3/G3/A3
●     Office 365 E5/G5/A5/E3/G3/A3/F3/E1/G1

4.1.2. How to set retention rules to retain OneDrive for business files?

Note: To create and configure retention policies, users would need Global admin or compliance admin credentials.

Follow the below steps to set retention rules to preserve OneDrive for business files
  • Step 1: Sign in to the Microsoft Purview portal -> Solutions -> Data Lifecycle Management.

Retention Step 1
  • Step 2: Select Policies -> Retention policies.

Retention Step 2
  • Step 3: Select ‘Retention policy’ -> ‘+New retention policy’.

  • Step 4: Add a name to your retention policy and select the type of retention policy you need.

  • Step 5: Choose ‘OneDrive account’ as the location. Administrators can choose specific accounts to include or exclude.

  • Step 6: Choose the retention duration. Administrators can choose to retain the data in the chose OneDrive account for a custom period or forever.

Set a retention policy duration
  • Step 7: Review and finish. Check the settings and click “Submit”.

After the retention policy is created, it could take at least 24 hours to take effect.

4.1.3. What happens when OneDrive for business data gets deleted after retention policy is applied?

When a retention policy is applied to a OneDrive for Business account, Microsoft 365 ensures that business-critical data is not permanently lost, even if a user attempts to delete it. 
Deleted files are not immediately removed from the system. Instead, they follow a preservation-first workflow governed by the configured retention settings. 
The diagram below illustrates what happens when OneDrive files get deleted after a retention policy is applied.

Deleted OneDrive data timeline after applying retention policy
Here’s how the process works: 
  • User deletes a file: When a user deletes a file in OneDrive, it is first moved to the first-stage Recycle Bin, where it remains for up to 93 days. If the user deletes the file from the Recycle Bin during this period, it is moved to the second-stage Recycle Bin, accessible only by the administrator. 

  • Retention policy triggers Preservation Hold: If a retention policy is in place, Microsoft 365 creates a hidden copy of the file and stores it in the Preservation Hold Library. This applies even if the user has deleted the file from both Recycle Bins. The preserved copy is not visible to the user but is retained securely until the end of the retention period. 

  • File remains accessible to admins: While the file is no longer visible to the user, administrators can search, recover, or export the preserved data using Microsoft Purview Content Search, eDiscovery, or Graph API integrations. This ensures compliance even when end users delete content maliciously or unintentionally. 

  • End of retention period: Once the retention period expires (e.g., 3 years, 7 years, etc.), Microsoft 365 automatically and permanently deletes the content. The file is purged from all back-end storage, including the Preservation Hold Library, and cannot be recovered using native tools. 

    If no retention policy is applied, the standard 93-day Recycle Bin timeline applies, after which the file is automatically and permanently deleted. 

  • Post-deletion recovery (Microsoft intervention): If an admin needs to recover a file that was mistakenly deleted and is no longer available, they can contact Microsoft within 14 days of permanent deletion. Beyond this 14-day window, data recovery is no longer possible through Microsoft support. 

4.2. Microsoft eDiscovery to retain OneDrive for business data

eDiscovery refers to the process of searching, compiling, analyzing, and presenting important business data as possible evidence in a legal case. Microsoft 365 provides two eDiscovery tools (Standard and Premium eDiscovery) to help organizations collect and preserve the required data. Using a Core eDiscovery case, organizations can run content searches, and place holds to preserve OneDrive data indefinitely. 
You can use Microsoft Purview eDiscovery to identify, hold, and export content. 

To learn more about eDiscovery, click here.

4.2.1. License requirements to access eDiscovery to preserve OneDrive for business data

To use eDiscovery (Standard), an E3/G3/A3 license is required. For eDiscovery (Premium), an E5/G5/A5 license is required. 
Using Core eDiscovery, organizations can create cases, run content searches, and place legal holds on OneDrive content to preserve it indefinitely, even if users delete the data. 
With Advanced eDiscovery, businesses can go further and collect, analyze, review, tag, and export OneDrive data for legal workflows. 

4.2.2. How to enable eDiscovery holds to retain OneDrive for business files?

  • Step 1: Go to Microsoft Purview portal. In the left navigation pane, select Show all, and then select eDiscovery > Premium or eDiscovery > Standard.

Note: Users need to login with Global administrator or compliance administrator credential to access the Microsoft Compliance center.

  • Step 2: On eDiscovery (Standard) page, create a case that you want to create the hold in by clicking ‘+Create a case’ or open an existing case.

  • Step 3: Click the case name and navigate to ‘Holds’ on the top menu bar. Click ‘+Create’.

Create new holds in Core eDiscovery case
  • Step 4: Add a name for the hold and a description if needed.

  • Step 5 Turn on the toggle button next to SharePoint Sites. (OneDrive for business accounts are included under SharePoint sites).

  • Step 6: To place a hold on specific OneDrive for business accounts, click ‘Choose sites’. The administrator can choose from a list of OneDrive for business site URLs or manually add a specific OneDrive account URL.

Choose sites to put on hold
  • Step 7: Add keywords to lookout for.

  • Step 8: Review the settings and click ‘Submit’.

To know more about difference between retention policies and eDiscovery holds in Microsoft 365, click here.

4.3. Microsoft 365 native backup tool

To ensure data protection and continuity, Microsoft 365 Backup automatically backs up OneDrive, SharePoint, and Exchange Online data at regular intervals. Microsoft 365 Backup allows you to restore OneDrive files and folders to a previously known good state using point-in-time recovery. 

4.4. Limitations of native retention methods

  • Retention policies and eDiscovery features are available only with E3 and E5 licenses.  

  • In case of modification or deletion of any OneDrive data retained using retention policies, a copy of the data moves to the preservation hold library. Preservation hold library storage is counted against the total storage quota and businesses will have to purchase additional storage when using retention. Below is a note from Microsoft that highlights the storage implication when using the Preservation Hold Library.

Because the Preservation Hold library is included in the site's storage quota, you might need to increase your storage when you use retention settings for SharePoint and Microsoft 365 groups.

  • Unlike third-party backup tools, native retention feature does not come with automated recovery options. In case of a data loss event, administrators can only export the data and restore it manually. Microsoft eDiscovery also lacks the auto-enrollment feature that automatically preserves  data belonging to newly added users.

  • To retain deleted/suspended user data, organizations need to continue paying license costs.

  • OneDrive data retained using eDiscovery becomes inaccessible to the users. Users cannot modify or work on the OneDrive data as long as the hold is in place.

  • Microsoft 365 Backup does not comply with the industry-recommended 3-2-1 backup standard endorsed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This strategy requires maintaining at least three copies of your data (one primary and two backups), storing backups on two different types of media, and keeping at least one copy offsite to safeguard against events like hardware failure, cyberattacks, or natural disasters.

  • Microsoft 365 Backup lacks file and folder-level restore capabilities for OneDrive and SharePoint. Users cannot restore individual items from a specific point in time, limiting recovery flexibility during incidents involving partial data loss or corruption.

5. Retain OneDrive for business files using third-party backup solutions

Third-party backup solutions like SysCloud helps organizations effortlessly back up OneDrive for business data. SysCloud automatically backs up all OneDrive data and allows administrators to restore the data from the backup archives at any time.

 
Go Beyond Microsoft’s Retention Limits

Explore how SysCloud offers automated backup, unlimited retention, and effortless recovery for OneDrive for Business.

Get actionable SaaS administration insights

We don’t spam. Unsubscribe anytime.

In this article

  • Default data retention in OneDrive for business
  • Limitations of default retention methods
  • Native retention methods
  • Retention policies to retain OneDrive for business data
  • eDiscovery to retain OneDrive for business data
  • Microsoft 365 native backup tool
  • Limitations of native retention methods
  • Retention with third-party backup solutions

Start enjoying faster and easier backups, today

Avoid costly data retention gaps and minimize time to recovery with SysCloud's cloud backup.Start 30-Day Free Trial
Certifications
Certifications