SharePoint Retention + Purview Label Mapping: Enterprise Reference (2026)

SharePoint Retention + Purview Label Mapping: Enterprise Reference

A practical reference mapping SharePoint content types to Microsoft Purview retention labels by content category, jurisdiction, and regulatory framework. Adapt to your environment.

Quick Answer

Map every SharePoint content type to ONE retention label (Purview Retention Policy) and ONE sensitivity label (Purview Information Protection). The retention label answers "how long do we keep this?" The sensitivity label answers "who can access this?" Both feed Microsoft 365 Copilot behavior.

The 12 SharePoint Content Categories

EPC Group's reference taxonomy. Each category maps to a retention label (R-#) and sensitivity label (S-#).

1. Executive + Board Materials

• Retention: R-12 (Permanent / Lifetime of Organization)
• Sensitivity: S-5 (Confidential — Executive Only, encrypted, do-not-forward)
• Copilot: Restricted Search ON; not surfaced to non-executives
• Autolabel rule: SharePoint hub /executive-* + Teams private channel /Executive-Leadership

2. Legal + Contracts

• Retention: R-10 (10 years after contract termination)
• Sensitivity: S-4 (Confidential — Legal, encrypted)
• Copilot: Visible to legal + procurement + named contract parties only
• Autolabel rule: trainable classifier on "indemnity" + "force majeure" + "term and termination"

3. Financial Records

• Retention: R-7 (7 years per SEC 17a-4 / IRS guidance)
• Sensitivity: S-4 (Confidential — Finance)
• Copilot: Visible to finance + audit + named approvers
• Autolabel rule: SSN + EIN + bank account number patterns

4. HR + Personnel Records

• Retention: R-7 (7 years after termination) / R-Term (jurisdiction-specific termination retention)
• Sensitivity: S-4 (Confidential — HR)
• Copilot: Visible to HR + manager + employee only (Information Barriers)
• Autolabel rule: SSN + DOB + W-4 patterns + HR template documents

5. Patient / Customer Health Information (PHI/ePHI)

• Retention: R-PHI (6 years federal HIPAA + state-specific extension)
• Sensitivity: S-5 (Confidential — ePHI, encrypted, watermark)
• Copilot: Visible to clinical staff in Information Barrier segment only
• Autolabel rule: MRN + ICD-10 + diagnosis patterns + named patient lists

6. Customer + Sales Records

• Retention: R-5 (5 years after relationship end)
• Sensitivity: S-3 (Internal — Customer)
• Copilot: Visible to sales + service + account team
• Autolabel rule: customer ID patterns + signed agreements

7. Engineering + Product Designs

• Retention: R-PROD (Lifetime of Product + 10 years)
• Sensitivity: S-3 or S-4 (Internal or Confidential depending on IP value)
• Copilot: Visible to engineering + product + named partners
• Autolabel rule: CAD file extensions + product-name dictionary + IP-classifier

8. Marketing + Public Content

• Retention: R-3 (3 years from publication)
• Sensitivity: S-1 (Public)
• Copilot: Fully open
• Autolabel rule: explicit owner label only

9. Project + Engagement Documents

• Retention: R-5 (5 years from project closure)
• Sensitivity: S-3 (Internal — Project Team)
• Copilot: Visible to project team + management chain
• Autolabel rule: Microsoft Teams private channel inheritance

10. Training + Knowledge Base

• Retention: R-Active (Active + 2 years post-archive)
• Sensitivity: S-2 (Internal)
• Copilot: Fully open within tenant
• Autolabel rule: training template documents + LMS export pattern

11. Operational + Day-to-Day Communications

• Retention: R-3 (3 years standard email + Teams chat)
• Sensitivity: S-2 (Internal)
• Copilot: Standard Graph permissions
• Autolabel rule: default label policy

12. Regulated Records (SOX, FINRA, FDA, FERPA)

• Retention: R-Reg (Regulation-specific, ranges 3-30 years)
• Sensitivity: S-4 (Confidential — Regulatory)
• Copilot: Restricted Search + Information Barrier per regulator scope
• Autolabel rule: industry-specific classifier (FINRA: client account number patterns; FDA: clinical trial protocol IDs)

Jurisdiction Mapping

Region	Retention Driver	Sensitivity Override
US Federal	HIPAA (6yr), SOX (7yr), IRS (7yr)	Standard
EU (GDPR)	Article 17 right to erasure	+ Data Subject category
California (CCPA)	12 months min, deletion right	+ Personal Information classifier
Canada (PIPEDA)	Personal info disposal after purpose	+ PII classifier
Healthcare State Extensions	State-specific (e.g., FL 7yr adult, age-of-majority + 7 minor)	Override federal floor
Financial (FINRA Rule 4511)	6 years from creation	+ FINRA classifier
Public Sector	NARA (federal) or state retention schedule	+ Public Records classifier

Microsoft 365 Copilot Behavior Map

Sensitivity Label	Copilot Grounding	Copilot Output
S-1 Public	Searchable	No label inheritance
S-2 Internal	Searchable within tenant	Internal label inherits
S-3 Internal-Restricted	Filtered by Information Barrier	Internal-Restricted label inherits
S-4 Confidential	Restricted Search applies	Confidential label inherits + DLP scrub
S-5 Confidential-Encrypted	Excluded from Copilot	N/A

Implementation Sequence

Step 1: Inventory. Run SharePoint Site Inventory PowerShell + Purview content explorer. Identify which content categories live where.

Step 2: Build Label Taxonomy. Use the 5 sensitivity labels + 12 retention labels above as starting baseline. Refine for jurisdiction.

Step 3: Container Labels First. Apply container labels to SharePoint sites + Teams + Groups BEFORE deploying file labels.

Step 4: Default Label Policies. Each container gets a default label. Files inherit.

Step 5: Autolabeling for Regulated Content. Trainable classifiers + sensitive info types. Run in simulation mode first.

Step 6: Retention Label Application. Auto-apply via policy. Manual override allowed by content owner.

Step 7: Copilot Behavior Validation. Test prompts as each persona. Validate Restricted Search + DLP for Copilot output.

Step 8: Quarterly Audit. Content explorer + activity explorer + DLP policy match report.

Bottom Line

Map every SharePoint content type to ONE retention + ONE sensitivity label. Apply container labels first. Add autolabeling for regulated content. Validate Copilot behavior per persona. Audit quarterly. The taxonomy above is a starting baseline; refine for your jurisdiction + regulatory scope.

Frequently Asked Questions

Q: Can a document have multiple sensitivity labels?
A: No. One sensitivity label per document. Multiple retention labels are technically possible via Adaptive Scope but operationally complex.

Q: How do I migrate legacy SharePoint content into this taxonomy?
A: Bulk-apply container labels to sites; autolabeling backfills file labels over 30-60 days; manual remediation for edge cases.

Q: Does this work for Microsoft Teams + OneDrive + Loop?
A: Yes. Sensitivity labels apply to all M365 workloads. Retention labels apply to email + Teams chat + SharePoint + OneDrive + Loop components.

Q: How do I prove compliance to auditors?
A: Microsoft Purview Content Explorer + Activity Explorer + Audit (Premium) provide the evidence trail.

Q: What if my retention label policy conflicts with regulatory requirements?
A: Regulatory wins. Adjust the retention label or build a jurisdiction-specific variant. Document the rationale.

Q: Why EPC Group?
A: 29 years Microsoft + SharePoint consulting. Errin O'Connor authored Microsoft Press books including SharePoint inside-out volumes. EPC Group is a Microsoft Solutions Partner with all six designations. See /reviews.

Next Steps

• Schedule a Purview + Retention Discovery: /contact
• Productized assessment: /services/sharepoint-governance-health-check
• Ongoing engagement: /services/sharepoint-governance-consulting
• Copilot-specific governance: /services/copilot-governance-consulting
• Call (888) 381-9725