dbecker88
Jan 20, 2026

Different Retention Policies for Active/Inactive Mailboxes

Cloud Environment:

Azure GOV tenant, GCC-High.

Users are licensed with:

MS365 E3 - GCCHIGH

MS Defender for Office365 (Plan 1) - GCCHIGH

Windows 10/11 Enterprise E5 - GCCHIGH

Hybrid Identity:

Users are synced from AD DS to Entra ID, via Entra Connect. Thus, we set various identity attributes, like "Department" using the AD DS attribute editor. Confirmed the "Department" attribute is syncing correctly to Entra ID.

Purview Adaptive scopes:

Active Mailboxes (user), OPATH query: (IsInactiveMailbox -eq "False")

Inactive Project Staff (user), OPATH query: (IsInactiveMailbox -eq "True") -and (Department -eq "project staff")

Inactive Contract Staff (user), OPATH query: (IsInactiveMailbox -eq "True") -and (Department -eq "contract staff")

Purview Data Lifecycle Management, Retention policies:

Default Data Retention (Exchange mailboxes) - Adaptive scope "Active Mailboxes", Retention: Keep content for 7 years, then do nothing.

Inactive Project Staff (Exchange mailboxes) - Adaptive scope "Inactive Project Staff", Retention: keep items for 3 years, then delete items automatically.

Inactive Contract Staff (Exchange mailboxes) - Adaptive scope "Inactive Contract Staff", Retention: keep items for 1 year, then delete items automatically.

Desired Outcome:

  • All active staff, regardless of Department attribute, have the "Default Data Retention" policy applied to their mailbox, so when their account is deleted in AD DS (soft deleted in Entra ID after Entra Connect sync), their mailbox goes to inactive state.
  • Then, when the mailbox is inactive, the "Inactive" retention policy is automatically applied depending on what their Department attribute was, before their Entra ID identity got soft deleted by Entra Connect sync.

Problem/Questions:

We tried this for 1 user account, and although the Default Data Retention policy was applied before the user was soft deleted, the Inactive Project Staff policy was never applied (waited 4 days).

  • This test user didn't have any licenses assigned to them when we tried this, unfortunately. Could this be the reason why the Inactive Project Staff policy was never applied? When they were soft deleted, their mailbox was visible in Purview "Inactive mailboxes".
  • Will adaptive scope retention policies still be applied to inactive mailboxes, if that adaptive scope relies on an Entra ID attribute, like "Department"? I assume this Entra ID attribute is somehow stored in the now-inactive mailbox.

2 Replies

  • dbecker88

    Hey Nikki - thanks for your reply. 

    The issue I was running into was patience...everything mentioned above is working fine now. After the AD DS "Department" attribute is set then synced to Entra ID, it is properly being detected by the various Adaptive Scopes. 

    After deleting a user, the "Inactive" retention policy kicks in after a few days. I've tested with 2 different users now and for both it worked as expected.

    Licensing is so difficult to figure out, esp. when working in a black box environment like GCC High, where specific documentation is rarely found. Who knows what license is req. for what functionality; it varies wildly. I've learned to skim the support doc briefly for those purple boxes FIRST, and look for gotchas with regard to GCC High. I don't know how many times I've been excited to try something in Azure or Office365, only to be let down by a purple box "Not implemented/possible in GCC High".

    Don't even get me started with differences in Copilot rollout in GCC/Commercial vs. GCC High. There is absolutely no way to determine what's possible in GCCH/Copilot, without just paying for a license. We did that, and discovered, Agents aren't even possible yet, not to mention all the other neat features that are being marketed. My guess is 2027 at the earliest.

  • You do not have the required licensing to use Purview adaptive scopes. The official documentation states:

    If the retention policy uses an adaptive policy scope, then one of the following licenses is required to provide user rights:

    • Microsoft 365 E5/A5/G5
    • Microsoft Purview Suite/EDU/GOV/FLW and Microsoft Defender + Purview Suite FLW
    • Office 365 E5/A5/G5
    • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance

    See Microsoft Purview service description - Service Descriptions | Microsoft Learn.

    For testing, make sure you have an active user with a license.

    Check that they are in the adaptive scope of the active user.

    Then check that the active retention policy is applied to the user (this can take up to 7 days to apply).

    Only once this is confirmed can you delete the user.

    The user should switch to the inactive users' adaptive scope and switch retention policies. Again, this may take a week.

    Patience is required when testing retention policies and labels.

    I do not have a GCC tenant, but this is the adaptive scope query I use.

    RecipientTypeDetails -eq "UserMailbox" -and IsInactiveMailbox -eq "True"
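
The checks in the test procedure above can be collected in one pass from Exchange Online and Security & Compliance PowerShell. This is an added example, not part of either reply; it assumes `Connect-ExchangeOnline` and `Connect-IPPSSession` sessions are already open against the tenant, and the function name `Get-RetentionTestState` and the mailbox address are hypothetical.

```powershell
# Added example. Assumes Exchange Online and Security & Compliance PowerShell
# sessions are already connected; Get-RetentionTestState is a hypothetical helper.
function Get-RetentionTestState {
    param(
        [Parameter(Mandatory)] [string]   $Mailbox,     # address of the deleted test user
        [Parameter(Mandatory)] [string[]] $PolicyName   # retention policies to check
    )

    # Adaptive scopes as stored in Purview, so the saved query can be compared
    # with the intended one. RawQuery is assumed to mirror the -RawQuery
    # parameter of New-AdaptiveScope.
    $scopes = Get-AdaptiveScope | Select-Object Name, LocationType, RawQuery

    # Distribution state of each policy.
    $policies = foreach ($name in $PolicyName) {
        Get-RetentionCompliancePolicy -Identity $name -DistributionDetail |
            Select-Object Name, Enabled, DistributionStatus, DistributionResults
    }

    # The mailbox only comes back here once it has gone inactive.
    $inactive = Get-Mailbox -InactiveMailboxOnly -Identity $Mailbox -ErrorAction SilentlyContinue |
        Select-Object DisplayName, IsInactiveMailbox, WhenSoftDeleted, InPlaceHolds

    [pscustomobject]@{
        Scopes          = $scopes
        Policies        = $policies
        NotDistributed  = @($policies | Where-Object DistributionStatus -ne 'Success' |
                              ForEach-Object Name)
        IsInactive      = [bool]$inactive
        InactiveMailbox = $inactive
    }
}

# Policy names are the ones from the original post; the address is a placeholder.
$state = Get-RetentionTestState -Mailbox 'testuser@example.com' -PolicyName @(
    'Default Data Retention', 'Inactive Project Staff', 'Inactive Contract Staff')

$state.Scopes   | Format-Table -AutoSize -Wrap
$state.Policies | Format-Table Name, Enabled, DistributionStatus
"Inactive: {0}; policies not yet distributed: {1}" -f $state.IsInactive,
    ($state.NotDistributed -join ', ')
```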