STALE-FORGOTTEN/ABANDONED existing sensitive emails with sensitive information

Hello team, 

In my company we have stale emails from 200 which contain sensitive data like: SINs, Driver Licenses, invoices, etc.
the users reject to delete those emails as they may needs for reference.
i.e.: 
Use case: HR needs to keep sensitive email as reference if end-user update life insurance beneficiaries, this email must be kept as evidence of the user's request update. this kind of emails can't be removed.

However, this emails without protection in the user's mailbox is only meat for the attackers.

unfortunately, we can`t protect existing emails with auto-labeling.

So, what is the best practice to take backup emails, secure the emails and remove those from un-secure storage like user`s mailbox.

This case apply almost 100% to any organization, this is a problem for everyone.


------------------------------------------------------------------------------------------------------------------------------------------
My approach:
eDiscovery download all sensitive emails discovered.
Apply label using AIP UL client to the download *.msg which put the files *.pfile

Create folder in HR user's OneDrive which the email will be removed.
If the user needs to search for any email's metadata, he can search directly, or if they need to search using email's content, he manually should remove sensitivity label to all items inside the folder.

After the search content in *.msg, the user should apply protection again.

Fallback: If the user forget protect the sensitive emails, the idea is to run schedule script to check for *msg, if found, it will apply label using PS.

I want to check any other approach best practice is recommended?

Backup & Setup

• Global Admin (GA) prepares local backup: export saved as native *.msg files.

Create & Secure the Evidence Folder

• GA connects to user’s OneDrive.
• GA creates folder: ArchivedSensitiveEmails.
• GA applies retention label (Record) to folder → prevents rename/move
• GA breaks inheritance → only the OneDrive owner (Edit)

Upload & Protect

• GA uploads the backup emails (*.msg) into the new folder.
• GA applies sensitivity label (Viewer-only) → user can open but not print/copy/forward.
• Now all items are protected as *.msg.pfile.

User Workflow (On-Demand Search)

• User may remove protection on a file/folder to perform keyword search on native .msg.
• User is required to reapply protection after finishing the search (via Purview client).

Automatic Weekly Enforcement

• Scheduled PowerShell job runs weekly across all OneDrives.
• Script scans ArchivedSensitiveEmails folder for unprotected .msg.
• If found → automatically applies encryption using the GA’s published sensitivity label.
• Access rights: only the OneDrive owner (Viewer) — optional HR group can also be added.
• Script deletes original .msg after creating .msg.pfile to enforce security.
• CSV log maintained for audit of actions (protected, skipped, errors).

------------------------------------------------------------------------------------------------------------------------------------------
So, what is the best practice or recommendation from Microsoft to protect the existing sensitive emails?