Issue with retention policy with adaptive scope


Dear community,

We created an adaptive scope and a retention policy about two weeks ago. If I check the scope details on the Purview portal, the adaptive scope shows 9602 users, but the policy shows only ~9150 users. I tried to investigate the issue, but I haven't found an error message or a list of users missing from the policy. I must find a way to list out the users who are not covered by the policy.

What I have done in a nutshell is: 

- Get-ComplianceRetentionPolicy does not see this policy. We have a few other policies with static scope, and they appear in the output, but the one we want to check does not.

- I collected all the mailboxes and checked the InPlaceHolds, but there is no such policy either. This is weird since we should have 9150 users covered by this policy.

- I checked a user who has this policy with the "Policy lookup" feature on the Purview portal, and it showed that the user is covered by the policy.

I googled, Copiloted, and ChatGPTd my question, but I still have no clue what to do.

 

The main question is: How can I query a list of users missing from a retention policy with adaptive scope? 

 

Thank you for your help in advance! 

 

7 Replies

@rodoj 

 

You could validate the adaptive scope with the following publicly available PowerShell script. I know it works and should further provide the number of matching objects.

 

https://aka.ms/ValidateAdaptiveScopeOPATH

 

Please do not hesitate to ask additional questions, if necessary.

 

Thanks.

Hi @rodoj 

I guess that you should be able to identify it by checking the mailbox's In-Place Holds.

Get-Mailbox <username> | Select-Object -ExpandProperty InPlaceHolds


To get all organization-wide Microsoft Purview retention policies you can run:

 

Get-OrganizationConfig | FL InPlaceHolds

 

And once you have the GUID, something like this should work to get all the mailboxes with that policy applied:

 

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.InPlaceHolds -like "*GUID*"}

 

You can get more information here: How to identify the hold on an Exchange Online mailbox | Microsoft Learn

 

Hope this helps.

Have a good day.

 

Best Regards,

 

Francisco Manigrasso.
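
The comparison described in the reply above, as an added example that is not part of the original post: it parses each InPlaceHolds entry (prefix, hyphen-less GUID, optional `:N` suffix, leading `-` for an explicit exclusion) and lists the scope members that have no hold for the policy. The function name `Get-UsersMissingHold`, the GUID and the addresses are constructed placeholders.

```powershell
# Added example: constructed sample data; the GUID and addresses are placeholders.
function Get-UsersMissingHold {
    param(
        [Parameter(Mandatory)] [string]   $PolicyGuid,    # policy GUID, with or without hyphens
        [Parameter(Mandatory)] [string[]] $ScopeMembers,  # addresses exported from the adaptive scope
        [Parameter(Mandatory)] [object[]] $Mailboxes      # objects with PrimarySmtpAddress, InPlaceHolds
    )
    # InPlaceHolds stores the GUID without hyphens, e.g. mbx<guid>:1
    $guid = ($PolicyGuid -replace '-', '').ToLowerInvariant()
    $covered = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($mbx in $Mailboxes) {
        foreach ($hold in @($mbx.InPlaceHolds)) {
            # A leading "-" marks an explicit exclusion from the policy, not a hold
            if ($hold -match '^(?<excl>-)?(?<prefix>mbx|skp|grp)(?<id>[0-9a-f]{32})(:\d)?$') {
                if (-not $Matches['excl'] -and $Matches['id'] -eq $guid) {
                    [void]$covered.Add([string]$mbx.PrimarySmtpAddress)
                }
            }
        }
    }
    # Scope members with no matching hold entry
    $ScopeMembers | Where-Object { -not $covered.Contains($_) } | Sort-Object
}

# Constructed sample input (not real tenant data)
$policyGuid = '11111111-2222-3333-4444-555555555555'
$mailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@contoso.example'
                       InPlaceHolds = @('mbx11111111222233334444555555555555:1') }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@contoso.example'
                       InPlaceHolds = @('-mbx11111111222233334444555555555555:1') }
    [pscustomobject]@{ PrimarySmtpAddress = 'carol@contoso.example'
                       InPlaceHolds = @() }
)
$scope = 'alice@contoso.example', 'bob@contoso.example', 'carol@contoso.example'

Get-UsersMissingHold -PolicyGuid $policyGuid -ScopeMembers $scope -Mailboxes $mailboxes

# Against a tenant, $mailboxes would come from Get-Mailbox -ResultSize Unlimited
# and $scope from the exported adaptive scope member list.
```

An empty result only means every scope member carries a matching entry; it says nothing about policies that never stamp InPlaceHolds on the mailbox.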

 

Thanks, but actually the adaptive scope is okay. I could export the members and check them with PowerShell. The problem is that we have 9600 users in the scope and 9150 in the policy and we cannot export the users from the policy.

Thanks for the suggestion, but that was the second point in the original article that I tried. I cannot see the GUID of this particular policy. I checked it in our test environment and there I saw the same result. I can't see the policy that is retaining Teams chats, neither in the mailbox attributes nor by issuing the Get-ComplianceRetentionPolicy command.

@rodoj 

 

I would recommend you filter out the objects that are not covered by the policy as they might not be applicable such as service accounts. Moreover,

 

  1. How are you determining the number of user objects in your environment?
  2. Is it a hybrid environment?

 

Hi @rodoj 

That's strange. You may need to open a support case.

Does everything look correct in the policy details?


When you click on Policy details you should find the "Locations" section.

On the other hand, if you know that the scope is working properly, you can identify the mailboxes by running something like this (adapt to your scope):

 

$attribute = "Department"
$value = "Sales"
Get-Mailbox -Filter "{$attribute -eq '$value'}" | Select-Object DisplayName, PrimarySmtpAddress

 

Thanks for the comment. We have already opened a support case, but there is no progress so far... We are sure that the problem is on MS' side. We tried everything that we could. The scope is okay, but the policy does not cover all the accounts from the adaptive scope, even though the policy details say the status is Enabled (Success). But if I query the policy from PowerShell it says SyncTimeout.