SOLVED

Granting access to messages under retention policies within Exchange Online

Occasional Contributor

Within Microsoft 365/Exchange Online, how (and where exactly) could you grant an auditor read-only access so they can view copies of messages in Exchange Online that are subject to a specific retention/litigation policy for a specific mailbox? This is a requirement so auditors and other named staff can be sure they are viewing ‘the original’ version of some crucial authorization type messages, and not some form of tampered version of the original message. The mailboxes will relate to senior employees within the organization so the need to preserve confidentiality of the wider mailbox will be of the utmost importance.

It is desirable that the auditor should only be able to view messages under the retention/litigation policies, and not be granted full access to the user's entire mailbox. It was recommended for email messages that require a high level of integrity and proof for accountability purposes, to ensure they cannot be edited or deleted ‘at rest’, that retention/litigation policies could be put in place within Exchange Online and the policies applied to messages ‘on demand’ (through some form of tagging mechanism so the officer tags certain emails which then subsequently ensures they are preserved through an appropriate retention/litigation hold whereby the original is safely filed in a ‘preserved original version of messages’ folder). My understanding is that granting access to this hidden ‘preserved original version of messages’ folder is not really achievable and access should really be granted via the relevant MS365 compliance centers if possible.

If the viewing of any emails located within the ‘preserved original version of messages folder’ could also be captured in an audit trail for further accountability, to ensure such access is not being misused, that would also be a nice bonus.  

Alternatively, if granting auditors permissions to view the messages subject to retention policies/litigation holds for only a specific mailbox/mailboxes is going to prove a nightmare to implement, how else could an administrator with the necessary admin roles over Exchange Online provide evidence to the auditor that gives them assurance that they are viewing the original untampered with version of a specific message? Is there any sort of tag, attribute or certificate within a message for a 365 Exchange Online mailbox that could be provided to the auditor, that reliably demonstrates ‘this is the unaltered original version of this message’? The concern with not subjecting these critical emails to retention/litigation policies is the key emails could be purposely or accidentally deleted.

2 Replies
I should have added the MS articles aren't the most helpful in facilitating view access to these secure hidden locations that keep original versions of messages under retention policies. That is ultimately what we need to achieve.
"These secure locations and the retained content are not visible to most people. In most cases, people do not even need to know that their content is subject to retention settings."

best response confirmed by CB1 (Occasional Contributor)
Solution
Have you looked at the eDiscovery solution within O365? It pretty much checks all the boxes above. You can create "cases" that cover specific messages (based on search criteria) within specific mailboxes, make sure that any matching content is preserved immutably and delegate specific users permissions to run such queries and review any messages found. In addition, you can also configure the so-called "compliance permission filters" to ensure that the auditors can never look into mailboxes they're not supposed to, or even apply query-based criteria to limit it to matching messages only.
You definitely don't need to play with the RecoverableItems subtree yourself; the preview/export experience will let you access the messages.
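
The setup described in the answer above, sketched in Security & Compliance PowerShell as an added example (not part of the original thread): one case, a query-based hold on one mailbox, and a compliance security filter that scopes the auditor to that mailbox. All names, addresses and the search query are placeholders, and the auditor account is assumed to already belong to a compliance role group that allows previewing case content.

```powershell
# Added example: every name, address and query below is a placeholder.
# Requires the ExchangeOnlineManagement module and an admin account that may
# manage eDiscovery cases and compliance security filters.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$caseName   = 'Authorization mail review'
$holdName   = "$caseName - hold"
$filterName = 'Auditor scope - senior officer mailbox'
$auditor    = 'auditor@contoso.example'
$mailbox    = 'senior.officer@contoso.example'
$query      = 'subject:"payment authorization"'   # KQL; adjust to the tagging scheme in use

# 1. The case is the container for the hold, the searches and the review.
New-ComplianceCase -Name $caseName -Description 'Auditor review of preserved authorization messages'

# 2. Only case members can open the case; add the auditor explicitly.
Add-ComplianceCaseMember -Case $caseName -Member $auditor

# 3. Query-based hold: preserves only matching items in the one mailbox,
#    so edits or deletions by the mailbox owner do not affect the held copy.
New-CaseHoldPolicy -Name $holdName -Case $caseName -ExchangeLocation $mailbox
New-CaseHoldRule -Name "$holdName rule" -Policy $holdName -ContentMatchQuery $query

# 4. Compliance security filter: whatever the auditor searches, previews or
#    exports is limited to this mailbox. A MailboxContent_* condition could
#    narrow it further to matching messages only.
$filter = @{
    FilterName = $filterName
    Users      = $auditor
    Filters    = "Mailbox_PrimarySmtpAddress -eq '$mailbox'"
    Action     = 'All'
}
New-ComplianceSecurityFilter @filter

# 5. Check the result: hold distribution can take time to complete.
Get-CaseHoldPolicy -Case $caseName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation
Get-ComplianceSecurityFilter -FilterName $filterName |
    Format-List FilterName, Users, Filters, Action
```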