Blog Post

Security, Compliance, and Identity Blog

Using Adaptive Policy Scopes to Apply M365 Retention to Shared, Resource, and Inactive Mailboxes

Brendon Lee
Microsoft
Jan 11, 2022

Update (2022-02-08): This blog has been updated to include recent changes in the feature.

Back in October 2021 we announced the public preview of an exciting new Microsoft Information Governance and Records Management feature called adaptive policy scopes. This feature provides advanced flexibility when applying retention policies and labels to user, site, and group locations in Microsoft 365.

Many organizations have regulatory, legal, or business requirements that demand different retention rules to apply to various departments, locations, and roles. Adaptive policy scopes help to provide the flexibility needed to achieve these requirements by allowing administrators to scope policies based on common attributes and properties from Azure AD (including those synced from on-premises AD in hybrid environments) or indexed properties from SharePoint Online sites.

However, there are also certain scenarios in which an organization may want to include or exclude locations from a policy based on more granular attributes such as the type or state of an object. This is particularly true in Exchange Online, as several different types of mailboxes exist. The most common types of mailboxes are user mailboxes and Microsoft 365 group mailboxes (which are used by Microsoft 365 Modern Groups and Microsoft Teams). These mailbox types are easily targeted using adaptive policy scopes with user and group scopes, respectively.

But there are several other types and states of mailboxes that organizations commonly use. These can include shared mailboxes, resource mailboxes, and inactive mailboxes. This blog post will review how an administrator can create scopes that include or exclude these other common types of mailboxes for maximum flexibility in applying Microsoft 365 retention policies and labels.

Shared mailbox retention with adaptive policy scopes

When adaptive policy scopes were in private preview, one of the most common requests we received was to support shared mailboxes. Shared mailboxes are used by organizations when multiple users need to access a single mailbox, such as a support, receptionist, or department mailbox. Unfortunately, although they were included in organization-wide retention policies using static scopes, we were unable to add shared mailbox support to adaptive policy scopes before it went to public preview. We are excited to announce that support for shared mailboxes in adaptive policy scopes has recently been fully rolled out and you can now create scopes to target them in your tenant today.

Shared mailboxes share many attributes with user mailboxes. There are several ways that you could effectively target them in adaptive policy scopes, such as using department, location, or even some custom identifying information specified in CustomAttribute1 through CustomAttribute15.

For example, let’s say you want to target all mailboxes that are in the legal department and have retention requirements.  You can use the department attribute and utilize one of the custom attributes to identify mailboxes that should be included in the scope, which are all available options in the simple query builder for adaptive policy scopes:

The simple query builder can be used to target different mailbox types using custom attributes.

NOTE: If your organization synchronizes its on-premises directory with Azure AD, for synced objects you will need to configure most attributes on-premises and then synchronize any changes with Azure AD before querying them in adaptive policy scopes.

But what if you want to include or exclude a shared mailbox in an adaptive policy scope based solely on the mailbox type? This is where the advanced query builder can be very useful.

The advanced query builder is an alternate configuration option for the adaptive policy scopes wizard.  With user scopes (which target the types of mailboxes we are discussing in this blog), it uses OPATH to query objects.  You can access the advanced query builder by clicking the blue button at the top of the simple query builder screen:

The advanced query builder can be accessed using the button in the top right of the simple query builder.

With OPATH and the advanced query builder, you can use the RecipientTypeDetails property of the mailbox with the SharedMailbox type.  Exchange Online PowerShell can be used to test the OPATH query:

Update (2022-02-08): This article previously recommended using the IsShared property, but since then RecipientTypeDetails has been supported. RecipientTypeDetails is a better choice for shared mailboxes as it excludes certain system mailboxes such as discovery search mailboxes.

Get-Mailbox -Filter {RecipientTypeDetails -eq "SharedMailbox"}

Name                      Alias           Database                       ProhibitSendQuota
----                      -----           --------                       -----------------
TestSharedMailbox20211... testsharedma... NAMPR13DG031-db016             99 GB (106,300,44...
TestSharedMailbox22022... testsharedma... NAMPR13DG091-db016             99 GB (106,300,44...

Then, simply input the OPATH query into the advanced query builder within the adaptive policy scope wizard:

The advanced query builder can use OPATH to filter shared mailboxes using RecipientTypeDetails.

NOTE: For more examples of using OPATH and the advanced query builder, check out our recent webinar Building Advanced Queries for Users and Groups with Adaptive Policy Scopes.

Resource mailbox retention using adaptive policy scopes

Like shared mailboxes, resource mailboxes were also not available for use in adaptive policy scopes at the launch of the public preview, but now are available to use in your tenant today.  Resource mailboxes are used to help manage physical resources in Exchange Online.  There are two different types of resource mailboxes:

  • Room mailbox is a resource mailbox that is assigned to a physical location, such as a conference room.
  • Equipment mailbox is a mailbox assigned to a resource that is not location-specific, such as a projector.

Unlike shared mailboxes, however, resource mailboxes historically have never been included in Microsoft 365 retention policies.  Now, with adaptive policy scopes, you can create policies specifically for your organization’s room and equipment mailboxes (such as a policy to delete items after 1 year) or include them in your organization's existing retention policies.

Since resource mailboxes are very similar to shared mailboxes, most of the options an administrator has for filterable properties are the same.  For filtering by mailbox type using OPATH and the advanced query builder, you can again use the property RecipientTypeDetails with RoomMailbox or EquipmentMailbox types:

Update (2022-02-08): This article previously recommended using the IsResource property, but since then RecipientTypeDetails has been supported. RecipientTypeDetails is a better choice for resource mailboxes as it allows you to distinguish between room and equipment mailboxes.

OPATH in Exchange Online PowerShell

Get-Mailbox -Filter {RecipientTypeDetails -eq "RoomMailbox"}

Name                      Alias           Database                       ProhibitSendQuota
----                      -----           --------                       -----------------
testRoomMailbox           testRoomMailbox namPR13DG304-db141             99 GB (106,300,44...


Get-Mailbox -Filter {RecipientTypeDetails -eq "EquipmentMailbox"}

Name                      Alias           Database                       ProhibitSendQuota
----                      -----           --------                       -----------------
testEquipmentMailbox      testEquipmen... NAMPR13DG086-db021             99 GB (106,300,44...


Get-Mailbox -Filter {RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox"}

Name                      Alias           Database                       ProhibitSendQuota
----                      -----           --------                       -----------------
testRoomMailbox           testRoomMailbox namPR13DG304-db141             99 GB (106,300,44...
testEquipmentMailbox      testEquipmen... NAMPR13DG086-db021             99 GB (106,300,44...

OPATH in the advanced query builder - including both room and equipment mailboxes

The advanced query builder can use OPATH to filter room or equipment mailboxes using RecipientTypeDetails.

Inactive mailbox retention using adaptive policy scopes

Unlike shared and resource mailboxes, inactive mailboxes have been supported with adaptive policy scopes since the public preview release. Inactive mailboxes are not a mailbox type; they are instead a mailbox state.

When a user object is deleted from Azure AD (such as when an employee leaves the organization), the Microsoft 365 license once again becomes available.  But, if the associated mailbox has a legal or regulatory hold applied to it, we cannot delete the mailbox so, instead, it becomes inactive.

Before adaptive policy scopes, retention policies that applied to the entire organization (org-wide) for the Exchange location would automatically affect inactive mailboxes. However, there was no efficient way to have a retention policy specific to inactive mailboxes until now. For example, an organization may choose to keep inactive mailbox data for 1 year after an employee leaves but keep the data of active employees for 5 years.

With adaptive policy scopes, you can target inactive mailboxes using the advanced query builder similarly to how you would for shared and resource mailboxes, but using the IsInactiveMailbox property:

OPATH in Exchange Online PowerShell

Get-Mailbox -IncludeInactiveMailbox -Filter {IsInactiveMailbox -eq "True"}

Name                      Alias           Database                       ProhibitSendQuota
----                      -----           --------                       -----------------
inactivemailboxTest       inactivemail... NAMPR13DG282-db075             99 GB (106,300,44...

NOTE: You can also filter on other properties such as department, location, and custom attributes; however, once a mailbox is made inactive, those properties cannot be changed.

Applying a scope to multiple mailbox types

One of the major benefits of adaptive policy scopes is how powerful they can be. Administrators can create extremely complex queries, allowing virtually any requirement to be achievable. As a more advanced example, the following scope applies to shared mailboxes and room mailboxes but excludes all inactive mailboxes:

Update (2022-02-08): This article previously recommended using the IsShared and IsResource properties but since then RecipientTypeDetails has been supported.  RecipientTypeDetails is a better choice for shared and resource mailboxes as it excludes certain system mailboxes such as discovery search mailboxes and allows distinction between resource mailbox types.

OPATH in Exchange Online PowerShell

Get-Mailbox -Filter {((RecipientTypeDetails -eq "RoomMailbox") -or (RecipientTypeDetails -eq "SharedMailbox")) -and (IsInactiveMailbox -eq "False")}

Name                      Alias           Database                       ProhibitSendQuota
----                      -----           --------                       -----------------
TestSharedMailbox20211... testsharedma... NAMPR13DG031-db016             99 GB (106,300,44...
TestSharedMailbox22022... testsharedma... NAMPR13DG091-db016             99 GB (106,300,44...
testRoomMailbox           testRoomMailbox namPR13DG304-db141             99 GB (106,300,44...

OPATH in the advanced query builder

OPATH and the advanced query builder allow for complex but flexible scoping.

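The shared, resource, inactive and combined queries above are all tested the same way: run them through Get-Mailbox, then paste them into the advanced query builder. The PowerShell below is an added example, not the post's own validation script, that previews a candidate scope by comparing every mailbox (inactive ones included) against the query and summarising the result by mailbox type and inactive state; it assumes an existing Connect-ExchangeOnline session with rights to run Get-Mailbox, and $ScopeFilter is the combined query from this post.

```powershell
# Added example (not the blog's validation script): preview which mailboxes a
# candidate OPATH scope would include, grouped by RecipientTypeDetails and
# IsInactiveMailbox, before pasting the query into the advanced query builder.
# Assumes Connect-ExchangeOnline has already been run with rights to Get-Mailbox.

# The combined query from this post: shared and room mailboxes, minus inactive ones.
$ScopeFilter = '((RecipientTypeDetails -eq "RoomMailbox") -or (RecipientTypeDetails -eq "SharedMailbox")) -and (IsInactiveMailbox -eq "False")'

# Pull every mailbox, including inactive ones, so the exclusion clause is exercised.
$AllMailboxes = Get-Mailbox -ResultSize Unlimited -IncludeInactiveMailbox

# Evaluate the candidate filter server-side, the same way the post tests it.
$InScope = Get-Mailbox -ResultSize Unlimited -IncludeInactiveMailbox -Filter $ScopeFilter

# Index the in-scope set by ExchangeGuid, which stays stable for inactive mailboxes.
$InScopeGuids = @{}
foreach ($mbx in $InScope) { $InScopeGuids[$mbx.ExchangeGuid.ToString()] = $true }

# Tag every mailbox with whether the scope would pick it up.
$Report = foreach ($mbx in $AllMailboxes) {
    [pscustomobject]@{
        Name                 = $mbx.Name
        RecipientTypeDetails = [string]$mbx.RecipientTypeDetails
        IsInactiveMailbox    = [bool]$mbx.IsInactiveMailbox
        InScope              = $InScopeGuids.ContainsKey($mbx.ExchangeGuid.ToString())
    }
}

# Summarise counts per type / state / in-scope. Two things to look for:
#  - a type you meant to cover (e.g. EquipmentMailbox) appearing only with
#    InScope = False means the include clause is missing it;
#  - any row with IsInactiveMailbox = True and InScope = True means the
#    exclusion clause is not doing its job.
$Report |
    Group-Object RecipientTypeDetails, IsInactiveMailbox, InScope |
    ForEach-Object {
        [pscustomobject]@{
            RecipientTypeDetails = $_.Group[0].RecipientTypeDetails
            IsInactiveMailbox    = $_.Group[0].IsInactiveMailbox
            InScope              = $_.Group[0].InScope
            Count                = $_.Count
        }
    } |
    Sort-Object RecipientTypeDetails, IsInactiveMailbox, InScope |
    Format-Table -AutoSize

# Keep the per-mailbox detail alongside the change record for the new scope.
$Report | Export-Csv -Path .\scope-preview.csv -NoTypeInformation
```

The same comparison works for any of the single-type queries in this post by swapping the string in $ScopeFilter.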
Validating Advanced Queries

Update (2022-02-08): Previously, there was no validation for OPATH queries. That meant that if the query was incorrectly formatted, you would only find out after waiting several days for the scope to populate. We've since released basic query validation for OPATH. If an incorrect query is entered and the scope is saved/created, an error message will display:

OPATH queries are now validated before saving.

However, you may want to know which objects will match the query while building it.  To help understand what objects a query will return, we've created a script that can be used to validate OPATH queries for user and group scopes.

Also, as we previously stated, we hosted a recent webinar that discussed building advanced queries for user and group scopes.

The validation script allows testing results from an OPATH query. The script will give a sample output and allow export if -ExportCSV is specified.

FAQ

What scope type should I use for shared, resource, or inactive mailboxes?

For shared, resource, and inactive mailboxes, you should use the “user” scope type as they all refer to user objects in Azure AD.

Do I need to use the advanced query builder and OPATH for shared, resource, and inactive mailboxes?

By default, all mailbox types are included in the scope. So, if you don't need to exclude any of these mailbox types, you can use the simple query builder, provided the properties needed are available. If you do need to exclude one or more of these mailbox types, or if the simple query builder doesn't have a property that you need to filter, you will need to use OPATH and the advanced query builder, as the RecipientTypeDetails, IsShared, IsResource, and IsInactiveMailbox properties are not currently available in the simple query builder.

What if I have already created scopes for my organization but didn’t take into consideration shared, resource or inactive mailboxes?

If your existing scope doesn't already exclude the types of mailboxes you don't want included, you should consider modifying the scopes using the above properties. If your existing scope uses a query built with the simple query builder, you will need to convert your query to OPATH and use the advanced query builder.

Do shared and resource mailboxes need to be licensed to use with adaptive policy scopes?

Yes, as with user mailboxes, shared and resource mailboxes need to have an applicable license applied for compliant usage with adaptive policy scopes. As of the publication date of this blog, these licenses include the following:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5 Compliance
  • Microsoft 365 E5/A5 Information Protection and Governance
  • Microsoft 365 F5 Compliance
  • Microsoft 365 F5 Security and Compliance
  • Office 365 E5/A5/G5

How do you appropriately license an inactive mailbox?

Inactive mailboxes must have the appropriate license assigned to the mailbox before making it inactive.  Once the mailbox is made inactive the license will be free to use elsewhere. For more information, see create an inactive mailbox.

Updated Feb 08, 2022
Version 2.0
  • Those are great additions, thank you! The licensing requirement is of course unfortunate 🙂

  • I'm getting this error on my Production Tenant, but it works with my Test Tenant.  Any idea what's wrong here?

    .:| Verifying Required Connectivity |:.

    - Exchange Online PowerShell: Connected

    .:| Validating OPATH Query - Enter a OPATH Query |:.

    - Query to Validate: Department = 'Woodrow Wilson Rehab Center'
    - Scope Type: User
    - Validating RawQuery (Quick)...PASSED
    - Validating RawQuery (Full)...FAILED
    A parameter cannot be found that matches parameter name 'IncludeSoftDeletedRecipients'.

    tacks_22
    Copper Contributor

    (Please respond to this comment, as my other one doesn't have working email. Thanks!)

    I'm getting this error on my Production Tenant, but it works with my Test Tenant.  Any idea what's wrong here?

    .:| Verifying Required Connectivity |:.

    - Exchange Online PowerShell: Connected

    .:| Validating OPATH Query - Enter a OPATH Query |:.

    - Query to Validate: Department = 'Woodrow Wilson Rehab Center'
    - Scope Type: User
    - Validating RawQuery (Quick)...PASSED
    - Validating RawQuery (Full)...FAILED
    A parameter cannot be found that matches parameter name 'IncludeSoftDeletedRecipients'.

    tacks_22
    Copper Contributor

    Brendon Lee  Let me know if you have any answer on why I'm getting "A parameter cannot be found that matches parameter name 'IncludeSoftDeletedRecipients'." Thanks!

  • tacks_22 You may not have appropriate permissions. The script uses -IncludeSoftDeletedRecipients with Get-Recipient - try running that cmdlet outside of the script with that parameter and see if you get the same error.

    Igbins81
    Copper Contributor

    Brendon Lee Do user mailboxes need to have specific license to use with adaptive policy scopes? My users already have E3 licenses, is this sufficient?

    sintra3000
    Copper Contributor

    If an adaptive scope is used to retain information for inactive mailboxes for a certain time (for example, 5 months), is it possible to see the remaining time of the hold? If you have an inactive mailbox with an InPlaceHold (inactive mailboxes in scope) in place with the setting of retain for 5 months, then do nothing, the mailbox will be deleted after 5 months, correct? Is it possible to view the date of the deletion / expiration of the hold?

    Going to Data lifecycle management > Retention > Inactive mailboxes I can see the 'Inactive since' date of the account in question (more than a year ago). The retention policy has the setting "When items were created" enabled. So it would be useful to see if the counter has started or on what date the hold will be released.