Forum Discussion
Retention Compliance Policy exemption group honoring
Hello,
My company is starting down a path to enact a Data Lifecycle Management policy, starting with our EOL email. The desired state outcome is a policy that deletes all email older than 7 years, applied to all mailboxes, with certain exemptions for named users/individuals (execs, etc.). I created a mail-enabled security group for the named exempt individuals, synced into Entra ID.
I was able to use PowerShell to create a retention compliance policy (in a disabled state for now) plus a corresponding retention compliance rule that is targeted at EOL, but I can't seem to get the configuration to honor the exemption group I've specified. I'm typically PIM'ed up to Compliance Administrator to do these manipulations, though I've also tried with Global Admin to no avail. Whether via the PowerShell-based attempts or via the Purview GUI, the exempt group listing just doesn't seem to take/appear after I've submitted the change to enact it.
Is there anything special needed to get the Purview system to honor a group specified for named users/mailboxes for exemption? I understand that it can take up to 7 days for a change to take hold, but I was under the impression that changes that are submitted should at least be visible via the admin interface of choice (PowerShell, Purview web GUI) once submitted.
Thanks
3 Replies
Not sure I understand the above, are you saying that the UI/PowerShell does not reflect the exclusions you've configured? You should be able to see the (expanded) group reflected under exclusions in the UI, but IIRC, if the policy is disabled, you cannot even launch the wizard to get to that page. If you are looking at the right nav pane, it does not show exclusions.
If using PowerShell, look under ExchangeLocationException (you must use the -DistributionDetail switch though).
- Mughal1 (Copper Contributor)
My thanks for your reply.
These were the PowerShell commands I was using to craft the new policy and corresponding rule (sanitized):
# Sanitized
New-RetentionCompliancePolicy -Name "<policy name>" -Enabled $false -ExchangeLocation All -ExchangeLocationException "<mail enabled group identifier>" -Comment "<comment>"
New-RetentionComplianceRule -Name "<rule name>" -Policy "<corresponding policy name>" -RetentionDuration 2555 -RetentionComplianceAction Delete -ExpirationDateOption ModificationAgeInDays
There was a mail-enabled group name filled into the command when I ran the completed policy command line.
I'm able to see the disabled policy in the Purview Policies subsection. But when I edit it and traverse through to the section on the policy details, the "excluded" column is blank.
That's what makes this so confusing. It looks like it took the command, and it looks like it took the mail-enabled group name for the Exception. But the GUI shows that the group isn't there.
The Get-RetentionCompliancePolicy PowerShell command also shows that the exception group hasn't been set:
Any thoughts?
The group itself will not be reflected, neither in the UI nor via PowerShell. Its members will, so the question here is whether the membership was populated at the time you configured the policy. Keep in mind that this is a one-time operation: the current membership of the group will be stamped under ExchangeLocationException, and no future changes will be reflected.
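Added example, not from any poster in this thread: given that Purview expands the group once and stamps only its members under ExchangeLocationException, a defensible workflow is to resolve the members yourself, pass them explicitly, verify with -DistributionDetail (as the earlier reply suggests), and periodically re-sync the stamped list against the group so an exec added later is not silently subjected to the 7-year delete. It assumes the ExchangeOnlineManagement module, an account with a role that can manage retention policies (Compliance Administrator), and that each ExchangeLocationException entry exposes its SMTP address in the Name property (an assumption; adjust if your tenant returns a different property). All policy, rule and group names are placeholders.

```powershell
# Added example (not from this thread). Placeholders below must be replaced.
$PolicyName  = "<policy name>"
$RuleName    = "<rule name>"
$ExemptGroup = "<mail enabled group identifier>"   # e.g. the group's SMTP address

# Retention cmdlets live on the Security & Compliance endpoint; group
# membership cmdlets live on Exchange Online. Both sessions can coexist.
Connect-ExchangeOnline
Connect-IPPSSession

# Resolve the group to mailbox members NOW. Purview stamps this list at
# configuration time and will not follow later membership changes.
function Get-ExemptMailboxes {
    param([string]$Group)
    Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        Where-Object { $_.RecipientTypeDetails -like '*Mailbox' } |
        Select-Object -ExpandProperty PrimarySmtpAddress
}

$members = Get-ExemptMailboxes -Group $ExemptGroup
if (-not $members) {
    throw "Group '$ExemptGroup' has no mailbox members; refusing to create a policy with an empty exception list."
}

# Create the policy disabled, with the expanded member list as the exception.
New-RetentionCompliancePolicy -Name $PolicyName -Enabled $false `
    -ExchangeLocation All `
    -ExchangeLocationException $members `
    -Comment "Delete mail older than 7 years; named exempt mailboxes excluded"

New-RetentionComplianceRule -Name $RuleName -Policy $PolicyName `
    -RetentionDuration 2555 -RetentionComplianceAction Delete `
    -ExpirationDateOption ModificationAgeInDays

# Verify: exceptions are only populated when -DistributionDetail is used.
$policy = Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail
$policy.ExchangeLocationException | Format-Table Name, DisplayName

# Re-sync (run on a schedule): diff the stamped exceptions against the
# group's current members and apply only the delta.
function Sync-ExemptionList {
    param([string]$Policy, [string]$Group)
    $p = Get-RetentionCompliancePolicy -Identity $Policy -DistributionDetail
    # Assumption: Name holds the SMTP address of each stamped exception.
    $stamped = @($p.ExchangeLocationException | Select-Object -ExpandProperty Name)
    $current = @(Get-ExemptMailboxes -Group $Group)

    $toAdd    = $current | Where-Object { $_ -notin $stamped }
    $toRemove = $stamped | Where-Object { $_ -notin $current }

    if ($toAdd)    { Set-RetentionCompliancePolicy -Identity $Policy -AddExchangeLocationException $toAdd }
    if ($toRemove) { Set-RetentionCompliancePolicy -Identity $Policy -RemoveExchangeLocationException $toRemove }

    [pscustomobject]@{ Added = @($toAdd).Count; Removed = @($toRemove).Count }
}

Sync-ExemptionList -Policy $PolicyName -Group $ExemptGroup
```

The empty-member check matters because a group whose Entra ID sync has not yet populated the mail-enabled members will produce a policy with no exceptions at all, which is exactly the blank "excluded" column described above, and enabling that policy would apply the delete action to the very mailboxes it was meant to spare.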