With the retirement of Content Search (Classic) and eDiscovery Standard (Classic) in May, and alongside the future retirement of eDiscovery Premium (Classic) in August, organizations may be wondering how this will impact their existing search and purge workflow.
The good news is that it will not impact your organization's ability to search for and purge email, Teams and M365 Copilot messages; however, there are some additional points to be careful about when issuing purges with the cmdlets or the Graph APIs alongside the modern eDiscovery experience.
We have recently updated our documentation on this topic to reflect the changes in the modern eDiscovery experience. The articles are listed below, and you should read them in full as they contain important information on the process.
Find and delete email messages in eDiscovery | Microsoft Learn
Find and delete Microsoft Teams chat messages in eDiscovery | Microsoft Learn
Search for and delete Copilot data in eDiscovery | Microsoft Learn
The intention of this first blog post in the series is to cover the high-level points including some best practices when it comes to running search and purge operations using Microsoft Purview eDiscovery.
Please stay tuned for further blog posts that will provide detailed step-by-step guidance for the following search and purge scenarios:
- Search and Purge email and Teams messages using Microsoft Graph eDiscovery APIs
- Search and Purge email messages using the Security and Compliance PowerShell cmdlets
I will update this blog post with the subsequent links to the follow-on posts in this series.
So let's start by looking at the two methods available to issue a purge command with Microsoft Purview eDiscovery: the Microsoft Graph eDiscovery APIs and the Security and Compliance PowerShell cmdlets.
The licenses you hold dictate which options are available to you and what type of items you can purge from Microsoft 365 workloads.
- For E3/G3 customers and cases which have the premium features disabled:
  - You can only use the PowerShell cmdlets to issue the purge command
  - You should only purge email items from mailboxes and not Teams messages
  - You are limited to deleting 10 items per location with a purge command
- For E5/G5 customers and cases which have the premium features enabled:
  - You can only use the Graph API to issue the purge command
  - You can purge email items and Teams messages
  - You can delete up to 100 items per location with a purge command
To undertake a search and then purge, you must have the correct permissions assigned to your account. There are two key Purview roles that you must be assigned:
- Compliance Search: This role lets users run the Content Search tool in the Microsoft Purview portal to search mailboxes and public folders, SharePoint Online sites, OneDrive for Business sites, Skype for Business conversations, Microsoft 365 groups, and Microsoft Teams, and Viva Engage groups. This role allows a user to get an estimate of the search results and create export reports, but other roles are needed to initiate content search actions such as previewing, exporting, or deleting search results.
- Search and Purge: This role lets users perform bulk removal of data matching the criteria of a search.
To learn more about permissions in eDiscovery, along with the different eDiscovery Purview Roles, please refer to the following Microsoft Learn article: Assign permissions in eDiscovery | Microsoft Learn
By default, eDiscovery Manager and eDiscovery Administrators have the “Compliance Search” role assigned.
For search and purge, only the Organization Management Purview role group has the role assigned by default. However, this is a highly privileged Purview role group, and customers should consider using a custom role group to assign the Search and Purge Purview role to authorised administrators. Details on how to create a custom role group in Purview can be found in the following article.
Permissions in the Microsoft Purview portal | Microsoft Learn
It is also important to consider the impact that any retention policies or legal holds will have when attempting to purge email items from a mailbox where you want to hard delete the items and remove them completely from the mailbox.
When a retention policy or legal hold is applied to a mailbox, email items that are hard deleted via the purge process are moved to and retained in the Recoverable Items folder of the mailbox. These purged items will be retained until all holds are lifted and the retention period defined in the retention policy has expired.
It is important to note that items retained in the Recoverable Items folder are not visible to users but are returned in eDiscovery searches. For some search and purge use cases this is not a concern: if the primary goal is only to remove the item from the user's view, then no additional steps are required.
However, if the goal is to completely remove the email item from the mailbox in Exchange Online so that it neither appears in the user's view nor is returned by future eDiscovery searches, then additional steps are required. They are:
- Disable client access to the mailbox
- Modify retention settings on the mailbox
- Disable the Exchange Online Managed Folder Assistant for the mailbox
- Remove all legal holds and retention policies from the mailbox
- Perform the search and purge operation
- Revert the mailbox to its previous state
These steps should be followed carefully, as any mistake could result in other data that is under retention being permanently deleted from the service. The full detailed steps can be found in the following article.
Delete items in the Recoverable Items folder mailboxes on hold in eDiscovery | Microsoft Learn
Now for some best practices when running search and purge operations:
- Target the specific locations containing the items you wish to purge and avoid tenant-wide searches wherever possible
- If a tenant-wide search is used to initially locate the items, then once the locations containing the items are known, modify the search to target those specific locations and rerun the steps
- Always validate the item report against the search statistics prior to issuing the purge command, to ensure you are only purging the items you intend to remove
  - If the item counts do not align, do not proceed with the purge command
- Ensure admins undertaking search and purge operations are appropriately trained and equipped with up-to-date guidance and process documentation on how to safely execute the purge
- The search conditions Identifier, Sensitivity Label and Sensitive Information Type do not support purge operations, and using them can cause unintended results
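The following script is an added example, not code from the blog post or from Microsoft's documentation. It walks the E3/G3 cmdlet path with the guardrails from the best practices above (a single targeted mailbox, a count check against the reviewed item report, the 10-item cmdlet limit) and adds the hold check from the Recoverable Items section. It assumes the ExchangeOnlineManagement module is installed; the mailbox, query and expected count are constructed placeholders.

```powershell
# Added example (not from the blog post). Assumes ExchangeOnlineManagement is installed.
Connect-ExchangeOnline   # for Get-Mailbox (hold state)
Connect-IPPSSession      # for the *-ComplianceSearch* cmdlets

$searchName    = "Purge-Invoice7713-$(Get-Date -Format 'yyyyMMdd-HHmm')"
$targetMailbox = "user1@contoso.example"          # constructed placeholder; never "All"
$kql           = 'subject:"Invoice overdue 7713" AND received>=2025-01-01'   # constructed query
$expectedCount = 3                                # taken from the reviewed item report

# 1. Warn if holds mean hard-deleted items will only move to Recoverable Items.
$mbx = Get-Mailbox -Identity $targetMailbox
if ($mbx.LitigationHoldEnabled -or ($mbx.InPlaceHolds -and $mbx.InPlaceHolds.Count -gt 0)) {
    Write-Warning "Mailbox is on hold: purged items will be retained in Recoverable Items."
}

# 2. Create and run a search scoped to the specific mailbox only.
New-ComplianceSearch -Name $searchName -ExchangeLocation $targetMailbox -ContentMatchQuery $kql | Out-Null
Start-ComplianceSearch -Identity $searchName
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

# 3. Validate the statistics against the item report before purging anything.
Write-Host "Search '$searchName' returned $($search.Items) item(s); expected $expectedCount."
if ($search.Items -ne $expectedCount) {
    throw "Item count mismatch: refusing to purge. Re-check the query and the item report."
}
if ($search.Items -gt 10) {
    throw "The cmdlet purge removes at most 10 items per location; narrow the search first."
}

# 4. Issue the purge. SoftDelete leaves items user-recoverable; HardDelete marks them for
#    permanent removal (still retained in Recoverable Items while any hold applies).
New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete -Confirm:$false
Get-ComplianceSearchAction -Identity "${searchName}_Purge" | Format-List Name, Status, Results
```

Switch the purge type to HardDelete only after the hold considerations above have been worked through for the target mailbox.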
Organizations with E5/G5 licenses should also take this opportunity to review whether other Microsoft Purview and Defender offerings can help them achieve the same outcomes. When considering the right approach or tool for your desired outcome, you should become familiar with the following additional options for removing email items:
- Priority Clean-up (link): Use the Priority cleanup feature under Data Lifecycle Management in Microsoft Purview when you need to expedite the permanent deletion of sensitive content from Exchange mailboxes, overriding any existing retention settings or eDiscovery holds. This process might be implemented for security or privacy in response to an incident, or for compliance with regulatory requirements.
- Threat Explorer (link): Threat Explorer in Microsoft Defender for Office 365 is a powerful tool that enables security teams to investigate and remediate malicious emails in near real-time. It allows users to search for and filter email messages based on various criteria, such as sender, recipient, subject, or threat type, and take direct actions like soft delete, hard delete, or moving messages to junk or deleted folders. For manual remediation, Threat Explorer supports actions on emails delivered within the past 30 days.
In my next posts I will be delving further into how to use both the Graph APIs and the Security and Compliance PowerShell module to safely execute your purge commands.