Microsoft plans to add a new capability to its Purview compliance platform that automatically surfaces sensitive data sitting in SharePoint and OneDrive, then recommends retention policies to match. The feature, tracked under Microsoft 365 Roadmap ID 562343, is scheduled to reach public preview in August 2026 and general availability in September 2026, according to a roadmap update on July 14.

The goal is to give compliance and IT teams direct visibility into ungoverned sensitive content across two of the most sprawling collaboration repositories in Microsoft 365. Instead of requiring administrators to manually hunt for data that needs retention rules, Purview will proactively identify potentially sensitive files and propose policy actions.

What Microsoft Is Actually Adding

The roadmap entry describes a feature within Purview Data Lifecycle Management that “provides visibility into sensitive Microsoft 365 data in OneDrive and SharePoint, alongside recommendations for retention policies.” In practice, that means the compliance portal will scan designated locations, spot files containing sensitive information types—such as financial data, personally identifiable information, or proprietary documents—and surface them to administrators. It will then offer suggested retention settings tailored to that content.

Microsoft hasn’t yet published the full set of sensitive information types that will trigger recommendations, nor has it detailed whether the system will allow one-click application of those policies or simply present them as guidance. The feature is being built for the web-based Purview experience and will roll out to the standard worldwide multi-tenant cloud first. Licensing requirements remain unspecified, though Purview Data Lifecycle Management capabilities typically require E5 compliance add-ons or equivalent.

This shift is substantial. Historically, retention policies in Purview have been a manual, top-down exercise. Compliance officers decide how long to keep content, when to delete it, or whether to retain it indefinitely, and then configure policies by selecting workloads and locations. The new feature flips that model: the system starts with the actual data, determines what looks sensitive, and only then suggests governance actions.

What This Means for You

For IT and Compliance Admins

If your organization manages SharePoint sites or OneDrive accounts where users regularly dump contracts, HR documents, or customer records, this feature could save hours of manual inventory work. Rather than combing through libraries asking “what’s in here and what should we do with it,” Purview will paint a picture of sensitive data hot spots and propose retention rules.

But the recommendations will need validation. “Sensitive” doesn’t automatically mean “keep longer.” A file containing unredacted credit card numbers might need immediate deletion under a data-minimization policy, while a board-meeting memo might require preservation for years. Treat the recommendations as a starting point for discussion with legal, records management, and business stakeholders—not as a one-click compliance solution.

Also, Purview’s accuracy will depend on how well your environment already classifies data. If sensitivity labels and trainable classifiers are poorly tuned, the recommendations could be noisy or miss critical files. Admins should plan to audit the suggestions before applying them broadly.

For Information Workers and End Users

End users won’t see the dashboard directly, but they may notice changes downstream. If a new retention policy suddenly locks a SharePoint folder or preserves deleted OneDrive files longer than expected, it could cause confusion or frustration. Communication between compliance teams and site owners will be essential to explain why files are sticking around—or disappearing.

For Business Decision-Makers

The feature represents a step toward closing the gap between information protection (what data is sensitive) and information governance (what rules apply to that data). Many organizations already use sensitivity labels or data loss prevention (DLP) policies to detect and protect sensitive content, but linking that detection to retention policies has typically required manual stitching. If Purview can automate that linkage, it might help organizations reduce compliance risk without additional headcount.

How We Got Here

Microsoft has been steadily building out Purview’s Data Lifecycle Management capabilities since the platform’s launch. Retention policies have long been a core piece, applying to Exchange email, Teams chats, SharePoint sites, and OneDrive accounts. But the process of defining what to retain and for how long has always been a manual, policy-first exercise.

The roadmap item (first published on May 18, 2026) signals a move toward data-first governance, where the system assists in surfacing risk rather than waiting for an admin to identify it. This aligns with a broader industry trend toward AI-driven compliance tools that reduce manual effort. It also follows Microsoft’s earlier investments in adaptive policy scopes and trainable classifiers that can dynamically identify content based on patterns rather than rigid rules.

The specific focus on SharePoint and OneDrive is telling. These workloads are often the most chaotic from a governance perspective—users routinely sync, share, and store sensitive files without thinking about retention. Microsoft’s own Purview adoption guidance has stressed the importance of “knowing your data” before applying policies, but the tools to accomplish that at scale have been limited outside of eDiscovery or content search. The new insight-and-recommend feature aims to fill that gap.

What to Do Now

There’s nothing to deploy yet, but the lead time between now and the public preview (targeted for August 2026) gives organizations a chance to prepare.

  1. Audit your current retention coverage. Review existing policies for SharePoint and OneDrive. Are there gaps? Sites without any retention rules? Overly broad “retain everything” policies that might create excess risk? Clean up what you can now so that incoming recommendations address real blind spots.

  2. Map ownership of retention decisions. In many enterprises, retention policies are approved by a cross-functional team that includes legal, compliance, records management, and IT. Confirm who holds sign-off authority so that when recommendations arrive, you can streamline review and approval instead of getting bogged down in internal debate.

  3. Validate your sensitive-information classifications. If you use sensitivity labels, DLP, or content classifiers, check their accuracy. Are they triggering on the right files? Are there high false-positive rates? Recommendations from Purview will be only as good as the underlying classification signals.

  4. Monitor the roadmap and Message Center. Microsoft has communicated these dates as targets, not commitments, and feature scope can shift during preview. Watch for updates to Roadmap ID 562343 and look for Message Center posts that will detail preview enrollment, licensing prerequisites, and any tenant-level configuration needed to enable the insights.

  5. Prepare for a pilot. When the public preview does arrive, test it first on a small, non-critical SharePoint site or a subset of OneDrive accounts. Compare the recommended policies against your actual retention schedule and use that feedback to refine your classification strategy before rolling out more broadly.

Outlook: More Automated Governance Ahead

Microsoft’s roadmap hints at a future where compliance tools become more proactive and advisory. This feature is unlikely to be the final word: once the system can recommend retention policies, extensions into automatic policy creation, adaptive scoping, or even remediation of non-compliant content seem plausible. Competitors in the data governance space are already moving in that direction, and Microsoft’s investment in Purview suggests it intends to keep pace.

In the nearer term, the public preview will be the real test. How well the recommendations align with real-world retention schedules—and how transparent Microsoft makes the reasoning behind them—will determine whether admins trust the feature or dismiss it as a gimmick. Either way, it’s a clear signal that “know your data” is becoming less of a manual chore and more of a built-in capability.