Troubleshooting Compliance Retention Policies in Exchange Online
Published Feb 27 2023 01:53 PM 15.3K Views

In Part 1, I provided steps to troubleshoot the Legacy Exchange Retention policies, and in this part, Part 2, I delve into Compliance Retention policies. I look at two different scenarios that may impact a mailbox, providing step-by-step guidance on how to navigate and resolve issues you may encounter.

Scenario 1: Clearing the Recoverable Items Folder

Picture this: a user is trying to schedule a meeting, but they get an error message:

'554 5.2.0 STOREDRV.Deliver.Exception:QuotaExceededException.MapiExceptionShutoffQuotaExceeded; Failed to process message due to a permanent exception with message.” 

After some investigation, we discover that the root of the problem is a full recoverable items folder.

Identify the Compliance Retention Policy

The first step to resolve this issue is to identify the compliance retention policy that is applied to the mailbox. This can be done by using the Policy lookup tab under Data lifecycle management > Microsoft 365, and you'll have access to all the policies associated with your mailbox.

02mrm01.jpg

Or you use PowerShell:

 

Get-Mailbox <Identity> | fl InPlaceHolds

 

02mrm02.jpg

Examine the Compliance retention policy which will be found under InPlaceHolds parameter. For more info, see Learn about retention policies & labels to automatically retain or delete content.

Verify compliance retention rule applied to your mailbox, and what it does

This only applies if a compliance retention policy has been assigned under the InPlaceHolds parameter.

To identify the compliance retention rule, run the following command to obtain the rule, the retention actions, and the duration for this rule. Using the policy GUID acquired from the previous command (Get-Mailbox | fl InPlaceHold), you can retrieve the compliance rule and action on this policy:

 

Get-Mailbox | fl InPlaceHolds
Get-RetentionComplianceRule |? {$_.Policy -match “18aec5b1-04d8-40e4-8290-7b35f9834f24”}| fl Name, Retention*

 

02mrm03.jpg

In the above example, the items will be kept for five years (1825 days) before being deleted. You can also review the policy using Microsoft Purview under Data lifecycle management - Microsoft 365.

At this point, you have two options:

  1. Archive the items in the recoverable items folder using a legacy retention policy, or
  2. Permanently delete the data after consulting with your compliance team.

In this case, my customer decided to permanently delete the recoverable items, knowing that the data would be forever erased and unrecoverable. To do this, we exclude the mailbox from the compliance retention policy.

If you find that a compliance policy is the primary cause of the high quota due to retaining items and preventing MFA from purging them, you can follow the steps below to exclude that mailbox from the policy:

To exclude your mailbox from the compliance policy, go to the Purview Admin center and find the retention policy tab under Data lifecycle management. Locate the compliance policy from the previous step and click on it to edit. Follow the prompts by clicking "Next" until you reach the location tab. On the location tab, you will find an exclusion button which you can use to exclude your mailbox from the policy.

02mrm04.jpg

Alternatively, you can use Set-RetentionCompliancePolicy -Identity <policy name> - AddExchangeLocationException "Jane Doe". It can take up to a day for an exclusion to be applied. For more information, see How long it takes for retention policies to take effect.

To confirm that the policy was distributed correctly after the exclusion, use the following command:

 

Get-RetentionCompliancePolicy <Policy Name> -DistributionDetail | fl *distribution*, *exchangelocation*

 

02mrm05.jpg

If there is an error in the distribution status, use the following command to redistribute the policy:

 

Set-RetentionCompliancePolicy -Identity <policy name> -RetryDistribution 

 

The RetryDistribution switch specifies whether to redistribute the policy to all Exchange Online and SharePoint Online locations. You do not need to specify a value with this switch.

Check the delayed hold. After any type of hold is removed from a mailbox, a delay hold is applied. This means that the actual removal of the hold is delayed by 30 days. This gives admins an opportunity to search for or recover mailbox items that will be purged (purged) from the mailbox.

DelayHoldApplied will be True after the hold is removed; therefore, you need verify this parameter and disable it, if necessary, to clean the recoverable items folder.

 

Set-Mailbox <username> -RemoveDelayHoldApplied

 

This scenario might apply to any folder, such as the Inbox or any other folder that you wish to clear using the legacy retention policy, but the compliance retention policy prevents MFA from doing so.

Scenario 2: Restoring bulk deleted items that were deleted by mistake

Accidentally applying a compliance retention policy to the wrong mailbox or multiple mailboxes can result in bulk deletion of items. For example, one of my customers applied a policy that deletes content after six months to the entire company instead of a single user, resulting in the bulk deletion of items older than six months. However, there is a way to recover these deleted items.

To avoid any interference with the mailbox during the restore process, it is important to first disable email lifecycle (ELC) processing for the entire organization or for the specific affected mailbox, depending on the scope of the problem. This can be done by running the following command:

Set-OrganizationConfig –ELcProcessingDisabled $True

Next, you can use PowerShell to recover deleted emails from the recoverable items folder and restore them to their original location. You can restore the mail items based on the deletion date, for example:

Get-RecoverableItems -identity <User> -ResultSize unlimited -FilterItemType IPM.Note - FilterStartTime “dd/mm/yyyy” | Restore-RecoverableItems

This command will restore all email items that were deleted on the date specified by FilterStartTime.

It's important to note that, once the items are restored, you should check if there is any retention policy applied that could cause bulk deletion again and make sure to exclude the affected mailbox or mailboxes to prevent this scenario from happening again.

For more information on this process, please refer to the following:

Conclusion

In conclusion, troubleshooting retention policies in Exchange Online can be a complex task that requires a deep understanding of the different types of policies and their effects on a mailbox. By following the steps outlined in these articles, you will be able to identify and fix any issues related to legacy retention policies, tags, and compliance retention policies.

It's important to start by identifying the retention policy assigned to the mailbox, checking the retention tags actions included in the policy, and forcing the MFA to process the mailbox. Remember to always double-check that the correct policies and tags are applied and to give the process enough time to complete. By following these steps, you will be able to effectively manage your mailbox and ensure that your messages are being properly retained and processed.

Mustafa Nassar
Exchange Support Engineer

6 Comments
Co-Authors
Version history
Last update:
‎Feb 27 2023 01:53 PM
Updated by: