FAQs on Office 365 Retention, Disposal & Archiving
Published May 01 2019 01:39 PM 39.8K Views

With the introduction of Unified Retention & Retention Labels in the Security and Compliance, many customers have questions on the differences between Unified Retention, Retention Labels and MRM retention, configurable parameters and other common scenarios.

Retention or Unified Retention

Retention or Unified Retention is available in Office 365 Security and Compliance portal. Unified retention policy in Office 365 can help you achieve all these goals. Managing content commonly requires two actions:
  1. Retaining content so that it can't be permanently deleted before the end of the retention period.
  2. Deleting content permanently at the end of the retention period.
With a retention policy, you can:
  • Decide proactively whether to retain content, delete content, or both - retain and then delete the content.
  • Apply a single policy to the entire organization or just specific locations or users.
  • Apply a policy to all content or just content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information.
SCC Retention provides true retention, you can use a single SCC retention policy to perform both deletion and retention and at the same time a single policy can be applied across different workloads. For more details, refer Overview of Retention Policies

Retention Labels

Retention Labels is available in Office 365 Security and Compliance portal. Retention labels in Office 365 can help you take the right actions on the right content. With retention labels, you can classify data across your organization for governance, and enforce retention rules based on that classification. With retention labels, you can:
  • Enable people in your organization to apply a retention label manually to content in Outlook on the web, Outlook 2010 and later, OneDrive, SharePoint, and Office 365 groups. Users often know best what type of content they're working with, so they can classify it and have the appropriate policy applied.
  • Apply retention labels to content automatically if it matches specific conditions, such as when the content contains:
    • Specific types of sensitive information.
    • Specific keywords that match a query you create.
    • The ability to apply retention labels to content automatically is important because:
    • You don't need to train your users on all of your classifications.
    • You don't need to rely on users to classify all content correctly.
    • Users no longer need to know about data governance policies - they can instead focus on their work.
  • Apply a default retention label to a document library in SharePoint and Office 365 group sites, so that all documents in that library get the default retention label.
  • Implement records management across Office 365, including both email and documents. You can use a retention label to classify content as a record. When this happens, the label can't be changed or removed, and the content can't be edited or deleted.
Retention setting in Labels and Unified Retention is same. A single retention labels policy to perform both deletion and retention and at the same time a single policy can be applied across different workloads. There are different ways to monitor the usage of Retention Labels using Data Governance Dashboard, Label Activity Explorer (Available with E5 only), Content Search, Audit log For more details, refer Overview of Retention Labels

Messaging Records Management (MRM)

Messaging Records Management aka Retention Policy is available in Exchange on-premises as well as in Exchange online and available in Exchange Admin Center (EAC). You can use retention policies to enforce basic message retention for an entire mailbox or for specific default folders. Although there are several strategies for deploying MRM, here are some of the most common:
  • Remove all messages after a specified period.
  • Move messages to archive mailboxes after a specified period.
  • Remove messages based on folder location.
  • Allow users to classify messages.
  • Retain messages for eDiscovery purposes.
When you implement MRM policies that remove messages from mailboxes after a specified period it also retains them in the Recoverable Items folder for In-Place eDiscovery purposes, even if the messages were deleted by the user or another process. In Exchange Server and Exchange Online, MRM is accomplished through the use of retention tags and retention policies.
  • Assigning retention policy tags (RPTs) to default folders, such as the Inbox and Deleted Items.
  • Applying default policy tags (DPTs) to mailboxes to manage the retention of all untagged items.
  • Allowing the user to assign personal tags to custom folders and individual items.
Messaging Record Management policy itself doesn’t perform any retention. You need to use a time-based In-Place Hold or Litigation Hold to preserves messages that were deleted for long period of time than the Single Item Recovery period. In this post, we will be referring Messaging Records Management (MRM) as EAC based Retention. For more details, refer Messaging records Management Next, we will answer some of the frequently asked questions around Retention Policies in the SCC and EAC.

Deletion and Retention options for Retention. What do they really do?

While creating Unified Retention policy or Retention Labels, the settings below, may not be as clear for some customers. Let’s take a deeper look: retentionfaq1 Option: “Yes, I want to retain” This option means retain content in user’s mailbox (mail folders and Recoverable Items folder) wherever they are located for specified x days/months/years. You also get an option to retain them forever. This setting also applies to content in folders in archive mailbox and its Recoverable items folders. Content deleted from user’s mail folders will be moved to Recoverable items folder and content which is already existing in Recoverable items folder (when policy is applied), will be retained for x days/months/years. In short retention will make sure that the content will not be purged completely from the mailbox for specified number of days/months/years What happens to content when the retention period for emails is expired? It depends on what’ option is selected next; “Do you want us to delete it after this time?” If “Yes” is selected, MFA does the job of cleaning the expired contents from user’s mail folders and from the Recoverable items folders. This also includes expired content in archive mailbox and its recoverable items folders. If “No” is selected, Managed Folder Assistant (MFA) will not clean the expired content (move to recoverable items folder) which exists in user’s mailbox folders. But the expired content in Recoverable items folder older than Single Item recovery period (14 days) will be cleaned, provided there is no other hold applied to this mailbox to retain the content longer. To identify other holds on the mailbox, refer How to identify the type of hold placed on an Exchange Online mailbox. Option: “No just delete content that’s older than” This option indicates delete content in user’s mailbox (users’ mail folders and Recoverable Items folder) which is older than configured x days/months/years, wherever it is located. This also includes content in folders in the archive mailbox and its Recoverable items folder. With this option selected, expired content from user's mail folders and Recoverable items will be deleted permanently (provided that there is no other hold configured to retain content for longer period.) For more details refer Deleting content that's older than a specific age Let’s discuss some of the common scenarios.

Retain and Delete content in the entire mailbox.

If you are planning to use Unified Retention and your requirement is that the mailbox should not hold any content older than 1 year. You can create a SCC Retention as shown below so that any data which is older than 1 year would be deleted from the user's mail folders and Recoverable items folders. retentionfaq2 This option makes sure than there is no content in the mailbox older than 1 year, both in users mail folder and Recoverable items folder, this also includes content in archive mailbox. The expired content is not immediately purged from the mailbox instead it is retained for some more days, it could be because other holds and because of DelayHoldApplied on the mailbox.

Retain the deleted content for a longer period.

If you are planning to use SCC Retention and your requirement is that the content from user's mail folders older than 1 years needs to be deleted and the deleted content need to be retained for 7 years for eDiscovery or recovery. One of the ways to achieved this is by creating two SCC Retention policies One policy to delete email older than 1 year: retentionfaq3 Another policy to retain data for 7 years: retentionfaq4

How is the retention period specified calculated?

The retention period calculation for different types of items varies and is documented in below article. For more details How retention age is calculated Above article applies both the EAC based retention and SCC Retention

Principles of retention.

A mailbox can have multiple Unified Retention or Retention Labels policies applied either implicitly or explicitly. At times in order to meet your compliance requirement, a given mailbox can be subjected to multiple policies, in such cases it’s important to understand which action take precedence, which is explained nicely using “Principles of retention” For more detail on “Principles of retention” refer Overview of retention policies

Should I use the EAC based retention or SCC Retention?

It really depends on your retention requirements. With introduction of auto-expanding archive feature, it is important that you move your old emails from primary mailbox to archive mailbox this includes emails from the user’s folders and Recoverable Items folder of primary mailbox, so that Primary mailbox doesn’t exceed the mailbox quota limits. For auto-expanding archiving feature refer Auto-expanding archiving feature

Automate moving emails to the archive.

What if you want to automate moving emails older than 2 years from primary to archive, the only option to do this currently is using Default Policy tag or Personal tag in MRM 2.0 as these are the only retention tags which support move to archive action. SCC Retention or even Retention Labels doesn’t provide us the same option of moving emails to archive mailbox. So, in this case EAC based retention is the only option (currently). This is probably the only advantage of using EAC based retention.

Does it mean that I can apply EAC based retention and SCC Retention to the same mailbox?

Yes, You can. It's important note that a given mailbox can have only one EAC based retention with multiple tags and at the same mailbox can have multiple SCC Retention policies and Retention labels policies. I would recommend using EAC based retention to meet your archiving (mailbox) needs and SCC retention for your retention needs.

But what about emails in the Recoverable Items folder in Primary mailbox?

As Recoverable items has its own quota, in order to prevent it from being full, you can opt to archive emails from your primary mailbox’s recoverable items to archive mailbox’s recoverable items. There is a special tag called “Recoverable Items tag” in EAC based retention which only support the move to archive action can move emails from Recoverable items folder of Primary mailbox to Recoverable items folder of Archive mailbox. So, if you are planning to use EAC based retention for archiving purpose and SCC retention to meet your retention needs, your sample policies should look as below. retentionfaq5 With above EAC based retention policy in place, emails (as well as other items) older than 180 days in users mail folders will be moved to archive mailbox, at the same time deleted content in Recoverable items of Primary mailbox will be moved to Recoverable items of archive mailbox after 14 days. Also, when you are planning to use SCC retention along with EAC based retention policy it is important to understand how precedence works in EAC based retention like;
  • Default Policy tag (DPT) with move to Archive action always overwrites the Retention Policy tag (RPT) or the Personal tag (PT), when the age limit for retention of DPT is lower than of RPT or PT.
  • Explicitly assign tag wins over an implicit tag
It’s important to plan your policies & test the policies on test mailboxes to understand the behavior. Organizations share a common goal of having consistent approach to categorize, classify important content from its creation, retention and disposal. In achieving this goal it's critical that administrators and Information Management teams carefully plan and test their data governance strategy. Hope this post helps. Big Thanks to Linda Harrell (Supportability PM - Information Protection) & Bhalchandra Atre (Supportability PM - Exchange) for reviewing this post. Vikas Soundade
15 Comments
Not applicable
Great Article Vikas :)
Not applicable
I have one big question that has been keeping me up at night. If you have an EAC or SCC policy to retain email for a certain number of years, what happens with the employee quits the company and the mailbox is deleted. Where does the email go? How can it be found with eDiscovery?
Not applicable
@ Nicholas Barsotti, Retention Policy in EAC doesn't perform any retention. We can use either litigation hold, In-Place hold or SCC Retention to retain data in inactive mailboxes. Deleted data will be retained in the mailbox or recoverable items folder for the hold duration, which can be searched using eDiscovery.
Copper Contributor

Excellent article.  Big question for me is:  How do you recover items that have been deleted from the Recoverable Items folder?

Microsoft

@Patrick Lalande 

You should be able to use the Recover Deleted Items option from Outlook to recover email deleted from Primary mailbox as long as they are in Recoverable Items\Deletions folder or use eDiscovery to recover for delete data retain in the Primary mailbox in other folders ie Purges, DiscoveryHolds.

Important to note that "You can't use the Recover Deleted Items feature to recover an item that was deleted from an auto-expanded storage area." You need to use eDiscovery.

https://docs.microsoft.com/en-us/office365/securitycompliance/unlimited-archiving

Brass Contributor

@VikasSou for a few weeks I opened a support case for a customer because for one Mailbox no mails where moved to archive  through MFA. There is the default policy with "2 years move to archive" aktiv. 

Through SCC was a policy for retention configured. 

Microsoft-Support said, if a retention is active, MRM won´t work: Place a mailbox on retention hold | Microsoft Docs

 

But you said here, that we can use MRM and retention through SCC on the same time. I hope, your Info is correct....

 

Thanks for your help,

 

Markus

Microsoft

@MarkusDi Both MRM and Retention in SCC should work at the same time.

Copper Contributor

Hi all,

 

I've a doubt.

As I can see "With above EAC based retention policy in place, emails (as well as other items) older than 180 days in users mail folders will be moved to archive mailbox". What if I want to archive only mails and not other items such as notes, tasks etc?

 

Is there any way to make it possible ?

Microsoft

@harry4u , When you apply retention policy using Default Policy tag (DPT) to archive, it applies to all the items in all folders ,its not specific to any message class, therefore Calendar , Notes & Tasks will be archived too. Workaround is possible but would not recommend as it involves administrative overhead. It would be better to provide end-user training. 

Refer archive post - http://aka.ms/vikas

Copper Contributor

GDPR Question on Retention

 

We have 2 conflicting company (not SCC) polies we are trying to comply with.

1. Retain all data for 7 years,

2. Prevent any user accidently or on purpose purging emails (Or SP Files) or setting a Label on purpose to purge.

3. Except if we get a DSAR and find some personal data (E.g. Someone passport photo that they accidently sent us years ago), and acting on the "Right to be forgotten" by putting that one email "beyond use" e.g. purged.

 

1.  The SCC 7 Year default retention seems to fit one part of the requirement easily.

2.  Ill not allow any Outlook published policy labels except perhaps archive

3. I can then use eDiscovery to find the example Passport email

 ---- But when I attempt to delete, the default policy surely remains based on the precedence of "longest retention wins"???

 

How do I make this work? Happy to perform Powershell SCC for hard deletes, as long as I can override the default Policy for a single item by force, as admin, etc.

 

Kindest

Martin

Microsoft

@martin, Sorry , not sure I understand your requirement. Can you elaborate a bit.?

Copper Contributor

If I can start more simply, so it can aid my understanding first:

 

CEO would like to use keep ALL emails and SP/OD files for 7 years minimum.

Irrespective to whether a user deletes or not.

I have setup a SCC policy to do this and removed all other policy labels so people cant change the default policy.

 

Is this sufficient to ensure nothing goes astray and that we can eDiscover all these items within the 7 years.

 

If that's a yes, then can I ask if the User can purge or not, because at present I have this policy switched on and a user can purge!  Where is the deleted email retained for eDiscovery?

 

Microsoft

@webforces_mc 

When you configure the SCC Retention Policy to retain (retain only) emails for 7 years and apply the policy to specific or all mailboxes.

This policy retains emails in the mailbox for 7 years.

This policy does not prevent user from deleting email from Inbox or any other folder but the deleted emails are retain in a hidden folder under Recoverable Items\DiscoveryHolds folders. This folder is not visible to user from Outlook. Emails in this hidden folder will be retain for 7 years.

Emails which are not deleted by user, continue to stay in the same folder.

During this time , emails in the DiscoveyHolds folder can be viewed or exported using eDiscovery.

Copper Contributor

Hi

 

I have a SCC retention policy created to delete emails after 90 days. Now my company do not want to delete the items after 90 days. Though I have deleted the SCC retention policy and I can confirm it is deleted, even after 4 days the emails in users mailboxes show the tip at top stating Label: Delete after 90 days.

 

How can I prevent the email from being deleted in this case ?

 

Thanks,

M365 Admin

Microsoft

@M365_Admin Ideally when the 90 days policy is deleted and there is no policy, the items which are already tagged will remain tagged,if you are seeing new emails are also getting tagged with 90 day policy, this could because the PR_ROAMING_XMLSTREAMs property on MRM Config file might contain the stale information of 90 days policy.

If you are seeing the same behavior, then you can delete the config file or open a support ticket.

 

Ideal way to remove a user / users from policy is remove the users from the policy, give enough time for changes to take effect and then delete the policy.

Version history
Last update:
‎Jul 01 2019 04:36 PM
Updated by: