Microsoft 365 FERPA Compliance Effort


To better support the research, teaching, and learning mission of the University of Illinois Urbana-Champaign, Technology Services will be making updates to features of the Microsoft 365 suite (Teams, SharePoint, OneDrive). These changes come at the recommendation of the Collaboration Portfolio Advisory Group (CPAG) and the Office of the Registrar to better protect student data and make the Microsoft 365 suite compliant with the Family Educational Rights and Privacy Act (FERPA).

The two changes being made in 2023 include:

  • Limiting cloud storage integration to Microsoft products (Teams, SharePoint, OneDrive) and U of I Box
  • Disabling integration with unrestricted third-party applications

One change expected in May 2024:

  • Establishing a 10-year file retention policy

Limiting Cloud Storage Integration

Microsoft Teams currently allows non-FERPA-compliant cloud storage integrations with Google Drive, Dropbox, and other solutions, which may put student educational records at risk.

Cloud Storage FAQs

The change is being implemented on May 17, 2023.

Teams, SharePoint, OneDrive, and U of I Box will be allowed.

No. Google Drive is not FERPA-approved so you will not be able to directly access them through Microsoft 365 products.

No. Dropbox is not FERPA-approved, nor FERPA compliant, so you will not be able to directly access them through Microsoft 365 products.

After the change is implemented, any existing connections to non-approved cloud storage solutions will stop working from Teams. Your files are not impacted.

Only Teams, OneDrive, SharePoint, and U of I Box are FERPA approved.

Yes. This change will not impact storage options from working. It only prevents the storage from being integrated with Teams.

Unless the university has a contract with a specific vendor and that vendor is FERPA compliant, it is unlikely to be approved. At this time, the university is not considering other cloud storage options.

Only U of I Box PHI folders are approved to store HIPAA data. Microsoft 365 products are not approved. This effort will make Microsoft 365 products FERPA-approved, but not HIPAA.

Only U of I Box will be approved. Neither Egnyte nor Citrix Sharefile are approved.

No. The university still maintains contacts with Google. After the policy goes into effect you cannot access your Files in Google Drive through Teams. You will have to access files in Google Drive through Google.

No, you are not required to move files to U of I Box. You can store your file in Google Drive, U of I Box, Teams, SharePoint, or OneDrive.

The important part to note is that if you continue to use a cloud storage solution other than U of I Box, Teams, SharePoint, or OneDrive, you will not be able to access them through the Teams interface.

Other efforts regarding cloud and user storage use, retention, and data classification are being pursued and what additional options should exist for archival or research data. More information will be forthcoming about storage platform recommendations.

Third-Party Application Integration

Microsoft Teams currently allows a customer to integrate any number of third-party applications. This freedom creates an unmanageable data risk to the university.

Application Integration FAQs

View a list of applications that will remain enabled after October 25 in the Answers KnowledgeBase. This list will continue to be updated in the coming months.

You are strongly encouraged to select the Subscribe to changes button at the bottom of the article to be notified when changes are made to the article.

KnowledgeBase article subscribe to changes button

The applications that are listed in the Apps menu of Teams are the ones being referenced in this FERPA-compliance-related change. Select the image to enlarge.

Screenshot of the Application menu in Microsoft Teams

The scope of the change at this time will not disable applications that you’ve already integrated into Teams.

Anyone trying to add an unapproved application after May 17 will not be able to integrate the application.

Only those applications that meet specific criteria set by the university will be approved. The university is currently determining the criteria to evaluate existing applications.

View a list of applications that will remain enabled after May 17.

The university is working through a process for you to know what applications meet the criteria. Until that is published, you can try to add an application. If it does not meet the criteria, you will not be able to add it.

Establishing a File Retention Period

There is not currently a retention period set for files in Microsoft Teams. Enabling this feature will help ensure that data is deleted in a timely manner to better protect student information. The file retention policy change is delayed until at least May 2024.

Retention Period FAQs

A retention policy is a pre-determined period of time after which select content will automatically be deleted. Policies may be different durations for different types of items.

In this instance, only the files being stored in Microsoft 365 cloud storage are in scope. 

The retention policy is 10 years from the Last Modified Date. If you modify a file the 10 year count starts fresh.

Files stored on your device(s) have a lot of detailed data (called metadata) about the file. Most Microsoft files have a created date and a last modified date. The retention period for Teams, SharePoint, and OneDrive files will use the Last Modified Date. That means every time you modify and save a file, the retention period countdown starts over.

Only files stored in Microsoft 365 products (Teams, SharePoint, and OneDrive) fall under this retention period policy. It does not impact your chat message history. However, files shared in chat are still subject to the retention policy.

The retention policy starts the day you upload a file to Teams, SharePoint, or OneDrive.

For example: You created a Word document in 2020 and saved it to your desktop. One December 1, 2022 you uploaded that Word document to Teams. The retention policy would start counting on December 1, 2022, not 2020.

No. The retention policy does not impact your email directly. Keep in mind that if you send an email to someone and provide a link to a file in Teams, SharePoint, or OneDrive, and that file reaches the end of its life (per the retention policy), the file will be deleted and the link will no longer work.

Further guidance will be coming out over the course of the next two years as more complete cloud storage inventory and policy reviews are being completed.

The initial retention policy announced is the longest retention policy recommendation agreed to meet responsible management of data for various data compliance requirements. This will not address longer-term ‘archival’ needs and further recommendations will be made for those needs in the future.

If you need to keep a file longer than ten years you should either modify it or store it outside of the Microsoft 365 cloud storage options (Teams, OneDrive, SharePoint). For example, in U of I Box.

The ten-year retention policy is the longest retention policy recommendation agreed upon to meet responsible management of data for various data compliance requirements. This will not address longer term ‘archival’ needs and further recommendations will be made for those needs in the future.