Forum Discussion
eDiscovery hold for changing list of users
Hello.
We have a policy to hold all email for individuals in certain roles in the org. The list of users needs to be continuously updated due to standard turnover. I attempted to use a dynamic group but that is evidently not supported. Any suggestions?
Thanks for your post!
Dynamic groups are not supported for Microsoft Purview retention policies or eDiscovery holds.Recommended Approach: Adaptive Scopes with Custom Attributes
Since dynamic groups can’t be used in Microsoft Purview retention policies, the best alternative is to use adaptive scopes based on custom attributes. This allows you to automatically include users in a retention policy based on their role or other metadata.
How to Set It Up:
- Assign a custom attribute (e.g., CustomAttribute13 = "LegalHold") to users in the relevant roles.
- Create an adaptive scope in Microsoft Purview that targets users with that attribute.
- Apply a retention policy to that scope.
- Automate attribute updates using PowerShell, Power Automate, or integration with your HR system to reflect role changes.
This setup ensures that as users move in and out of roles, the retention policy updates automatically—no manual group management needed.
Timing: How Long It Takes
- Scope Evaluation: Adaptive scopes are evaluated once every 24 hours.
- Policy Propagation: After a user is included in the scope, it can take up to 7 days for the retention policy to fully apply.
- Auto-Labeling (if used): Also follows a similar delay, depending on content volume and indexing.
Verification: How to Confirm It’s Working
- Compliance Portal (GUI): The only supported method to verify adaptive scope membership is through the Microsoft Purview Compliance Portal. There’s no PowerShell or Graph API support for checking scope membership directly.
- Mailbox Hold GUID: For Exchange Online, you can inspect mailbox properties to confirm that a retention policy is applied by checking the hold GUIDs.
- Audit Logging: If you’re using automation to update user attributes, log those changes to track who should be in scope.
- Test Accounts: Assign the attribute to a test user and monitor when the policy takes effect.
Resources:
- Adaptive scopes | Microsoft Learn
- Using Adaptive Scopes with Microsoft 365 Retention Policies for Users and Groups | Microsoft Community Hub
- Automatically retain or delete content by using retention policies | Microsoft Learn
- How to identify the hold on an Exchange Online mailbox | Microsoft Learn
I hope that helps! 😎✌️
2 Replies
BrianStephenMicrosoft
Thanks for your post!
Dynamic groups are not supported for Microsoft Purview retention policies or eDiscovery holds.Recommended Approach: Adaptive Scopes with Custom Attributes
Since dynamic groups can’t be used in Microsoft Purview retention policies, the best alternative is to use adaptive scopes based on custom attributes. This allows you to automatically include users in a retention policy based on their role or other metadata.
How to Set It Up:
- Assign a custom attribute (e.g., CustomAttribute13 = "LegalHold") to users in the relevant roles.
- Create an adaptive scope in Microsoft Purview that targets users with that attribute.
- Apply a retention policy to that scope.
- Automate attribute updates using PowerShell, Power Automate, or integration with your HR system to reflect role changes.
This setup ensures that as users move in and out of roles, the retention policy updates automatically—no manual group management needed.
Timing: How Long It Takes
- Scope Evaluation: Adaptive scopes are evaluated once every 24 hours.
- Policy Propagation: After a user is included in the scope, it can take up to 7 days for the retention policy to fully apply.
- Auto-Labeling (if used): Also follows a similar delay, depending on content volume and indexing.
Verification: How to Confirm It’s Working
- Compliance Portal (GUI): The only supported method to verify adaptive scope membership is through the Microsoft Purview Compliance Portal. There’s no PowerShell or Graph API support for checking scope membership directly.
- Mailbox Hold GUID: For Exchange Online, you can inspect mailbox properties to confirm that a retention policy is applied by checking the hold GUIDs.
- Audit Logging: If you’re using automation to update user attributes, log those changes to track who should be in scope.
- Test Accounts: Assign the attribute to a test user and monitor when the policy takes effect.
Resources:
- Adaptive scopes | Microsoft Learn
- Using Adaptive Scopes with Microsoft 365 Retention Policies for Users and Groups | Microsoft Community Hub
- Automatically retain or delete content by using retention policies | Microsoft Learn
- How to identify the hold on an Exchange Online mailbox | Microsoft Learn
I hope that helps! 😎✌️
Interesting. I will definitely look into Adaptive Scopes.
Thank you for the suggestion.
