Forum Discussion

Bixby1960's avatar
Bixby1960
Copper Contributor
Feb 28, 2025

Purview Retention Policies Best Practices

I have tasked with creating retention policies to delete Exchange online emails older than 5 years. I also have a requirement to create another policy that will delete emails older than 7 years and apply that to a small number of users.

We started this process by creating a policy that applied to everyone and deleted emails older than 10 years. That is currently running and seems to be working. Our next step is to go to the 5 and 7 year policies. 

What is the best practice to be used in this situation? Is it as simple as applying the 5 year policy to the entire organization and excluding the small group? Shold I be applying a policy to the entire organization (mailboxes, shared mailboxes, etc.)?

Can't afford to get this wrong and lose 2 years of email for the select few.

 

  • nikkichapple's avatar
    nikkichapple
    MVP
    Mar 11, 2025

    You need to understand the rules of retention as this is really important. If your retention policies are only configured to delete, then the shortest deletion will win. Read: Learn about retention policies & labels to retain or delete | Microsoft Learn 

    Therefore, you must set the longest deletion as the default for all users; e.g., the organization-wide policy must be deleted after 7 years.

    Then, create a second retention policy for deletion after 5 years and add a subset of users. Important

    • If you use static scopes and add users' emails to a policy, then this policy can include up to 1,000 users. If you need more than this, you will need to create several policies. Read Limits for Microsoft 365 retention policies and retention label policies | Microsoft Learn
    • Remember that with static scopes, if you delete the last user from this policy, then this policy will be reverted to all users. Therefore, you could be at risk of deleting content after 5 years. Read Configure Microsoft 365 retention settings to automatically retain or delete content | Microsoft Learn
    • If you have E5 licenses, then create Adaptive Scopes, which are dynamic groups of users based on the user properties. For example, if department = ABC, or CountryorRegion = ABC, or use your own data with the custom properties. Then, you create the second retention policy (the shorter policy, delete after 5 years ) based on the Adaptive scope. This way you are never at risk of reverting back to all users. 

     

     

Resources