Blog Post

Exchange Team Blog
5 MIN READ

Troubleshooting Compliance Retention Policies in Exchange Online

The_Exchange_Team's avatar
Feb 27, 2023

In Part 1, I provided steps to troubleshoot the Legacy Exchange Retention policies, and in this part, Part 2, I delve into Compliance Retention policies. I look at two different scenarios that may impact a mailbox, providing step-by-step guidance on how to navigate and resolve issues you may encounter.

Scenario 1: Clearing the Recoverable Items Folder

Picture this: a user is trying to schedule a meeting, but they get an error message:

'554 5.2.0 STOREDRV.Deliver.Exception:QuotaExceededException.MapiExceptionShutoffQuotaExceeded; Failed to process message due to a permanent exception with message.” 

After some investigation, we discover that the root of the problem is a full recoverable items folder.

Identify the Compliance Retention Policy

The first step to resolve this issue is to identify the compliance retention policy that is applied to the mailbox. This can be done by using the Policy lookup tab under Data lifecycle management > Microsoft 365, and you'll have access to all the policies associated with your mailbox.

Or you use PowerShell:

 

Get-Mailbox <Identity> | fl InPlaceHolds

 

Examine the Compliance retention policy which will be found under InPlaceHolds parameter. For more info, see Learn about retention policies & labels to automatically retain or delete content.

Verify compliance retention rule applied to your mailbox, and what it does

This only applies if a compliance retention policy has been assigned under the InPlaceHolds parameter.

To identify the compliance retention rule, run the following command to obtain the rule, the retention actions, and the duration for this rule. Using the policy GUID acquired from the previous command (Get-Mailbox | fl InPlaceHold), you can retrieve the compliance rule and action on this policy:

 

Get-Mailbox | fl InPlaceHolds
Get-RetentionComplianceRule |? {$_.Policy -match “18aec5b1-04d8-40e4-8290-7b35f9834f24”}| fl Name, Retention*

 

In the above example, the items will be kept for five years (1825 days) before being deleted. You can also review the policy using Microsoft Purview under Data lifecycle management - Microsoft 365.

At this point, you have two options:

  1. Archive the items in the recoverable items folder using a legacy retention policy, or
  2. Permanently delete the data after consulting with your compliance team.

In this case, my customer decided to permanently delete the recoverable items, knowing that the data would be forever erased and unrecoverable. To do this, we exclude the mailbox from the compliance retention policy.

If you find that a compliance policy is the primary cause of the high quota due to retaining items and preventing MFA from purging them, you can follow the steps below to exclude that mailbox from the policy:

To exclude your mailbox from the compliance policy, go to the Purview Admin center and find the retention policy tab under Data lifecycle management. Locate the compliance policy from the previous step and click on it to edit. Follow the prompts by clicking "Next" until you reach the location tab. On the location tab, you will find an exclusion button which you can use to exclude your mailbox from the policy.

Alternatively, you can use Set-RetentionCompliancePolicy -Identity <policy name> - AddExchangeLocationException "Jane Doe". It can take up to a day for an exclusion to be applied. For more information, see How long it takes for retention policies to take effect.

To confirm that the policy was distributed correctly after the exclusion, use the following command:

 

Get-RetentionCompliancePolicy <Policy Name> -DistributionDetail | fl *distribution*, *exchangelocation*

 

If there is an error in the distribution status, use the following command to redistribute the policy:

 

Set-RetentionCompliancePolicy -Identity <policy name> -RetryDistribution 

 

The RetryDistribution switch specifies whether to redistribute the policy to all Exchange Online and SharePoint Online locations. You do not need to specify a value with this switch.

Check the delayed hold. After any type of hold is removed from a mailbox, a delay hold is applied. This means that the actual removal of the hold is delayed by 30 days. This gives admins an opportunity to search for or recover mailbox items that will be purged (purged) from the mailbox.

DelayHoldApplied will be True after the hold is removed; therefore, you need verify this parameter and disable it, if necessary, to clean the recoverable items folder.

 

Set-Mailbox <username> -RemoveDelayHoldApplied

 

This scenario might apply to any folder, such as the Inbox or any other folder that you wish to clear using the legacy retention policy, but the compliance retention policy prevents MFA from doing so.

Scenario 2: Restoring bulk deleted items that were deleted by mistake

Accidentally applying a compliance retention policy to the wrong mailbox or multiple mailboxes can result in bulk deletion of items. For example, one of my customers applied a policy that deletes content after six months to the entire company instead of a single user, resulting in the bulk deletion of items older than six months. However, there is a way to recover these deleted items.

To avoid any interference with the mailbox during the restore process, it is important to first disable email lifecycle (ELC) processing for the entire organization or for the specific affected mailbox, depending on the scope of the problem. This can be done by running the following command:

Set-OrganizationConfig –ELcProcessingDisabled $True

Next, you can use PowerShell to recover deleted emails from the recoverable items folder and restore them to their original location. You can restore the mail items based on the deletion date, for example:

Get-RecoverableItems -identity <User> -ResultSize unlimited -FilterItemType IPM.Note - FilterStartTime “dd/mm/yyyy” | Restore-RecoverableItems

This command will restore all email items that were deleted on the date specified by FilterStartTime.

It's important to note that, once the items are restored, you should check if there is any retention policy applied that could cause bulk deletion again and make sure to exclude the affected mailbox or mailboxes to prevent this scenario from happening again.

For more information on this process, please refer to the following:

Conclusion

In conclusion, troubleshooting retention policies in Exchange Online can be a complex task that requires a deep understanding of the different types of policies and their effects on a mailbox. By following the steps outlined in these articles, you will be able to identify and fix any issues related to legacy retention policies, tags, and compliance retention policies.

It's important to start by identifying the retention policy assigned to the mailbox, checking the retention tags actions included in the policy, and forcing the MFA to process the mailbox. Remember to always double-check that the correct policies and tags are applied and to give the process enough time to complete. By following these steps, you will be able to effectively manage your mailbox and ensure that your messages are being properly retained and processed.

Mustafa Nassar
Exchange Support Engineer

Published Feb 27, 2023
Version 1.0
  • MikeCrowley's avatar
    MikeCrowley
    Iron Contributor

    Helpful article, thank you. Some feedback on the product:

     

    It's an awkward feeling when I'm looking at a retention policy with a concerned customer, to find:

     

    • "Last Modified by: Mike | When: <recently>"

    and then I have to explain we modified the whole organization's retention policy because one user had a problem with their mailbox, and that "I promise, it's all we changed". It's not a good look. Similarly, even though this issue occurs frequently in large orgs, I wouldn't want to delegate the ability to modify org-wide retention policies to the service desk. If "the business" decides that a retention policy should be set on X date, I want the policy's whenChanged date to forever say whatever that date was. I wish Microsoft created tooling to solve this problem without so quickly directing folks to edit such a serious policy.

     

    The solution is to add an archive, and make sure a tag is working against the problematic folder (as you described in the last post), but this is complicated to explain to the service desk. It would be great if there was a more operational-friendly way to solve this problem. It is also concerning to see my preferred way be called "legacy" now, when the "non-legacy" suggestion is frightening. 

  • cmorales-90039's avatar
    cmorales-90039
    Copper Contributor

    I am confused how you got the policy GUID from the in Place holds... The numbers are not the same.

  • SAYATama's avatar
    SAYATama
    Copper Contributor

    Troubleshooting retention policies can be a maze, but I've been down that road. It's all about careful steps and double-checking. These guidelines look pretty detailed and should help smooth out any hiccups in Exchange Online. However, if it's unclear, anyone can alose use shorter guides like TechTapTo. Just remember, patience is key!

  • Thanks for sharing this article,

    Will there any option to recover / download the deleted email items, as .PST file, instead of recovery to the actual user mailbox location.

  • Hi The_Exchange_Team ,

    MS recommends to combine org-wide retention policies and retention labels. If possible, can you please detail the scenario of combining two auto-apply retention label policies (one policy to keep and delete after long time - say 10 years and another policy to delete items in shorter period of time -say 6 months)? what will be the pros & cons of this combination?