Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

How to achieve a proper retention

Iron Contributor

Hi there,

As I'm just trying to learn how to utilize O365 after 10 years OnPrem I have some question marks how to achieve a proper retention. A lot of customers utilize an archive solution together with journaling OnPrem. In Office 365 journaling is limited somehow, everybody can guess why, it would simply double the needed amount of storage. So I guess we don't have to talk about that selecting an OnPrem mailbox is no option. Microsoft is enforcing the companies so vehemently to migrate to O365 that all customers believe that they will have all solutions out-of-the-box. For sure they are planning to deprovision their OnPrem services one by one.

 

So the only option is a third party service or the legal hold. From my experience a lot of companies have  a high auditing acceptability with journaling and a secure (items cannot be deleted by user) archive.

Can I achieve that with the in-place / litigation hold? For a good reason there is the requirement that a user cannot delete emails from the very first second, maybe in his view, but not in the backend.

That would mean after creating a user and assigning the required licenses I would set the in-place hold immediately. What about storage consumption?

Thanks for your help.

Kind regards,
Christian

4 Replies
Hi @woelki,

Yes, you can achieve that with Office 365 if you have an Office 365 Plan which includes Exchange Online Plan 2 (I.e. Office 365 E3).

It is explained here

https://docs.microsoft.com/en-us/Exchange/policy-and-compliance/holds/holds?view=exchserver-2019

This is probably the most relevant paragraph

'There are two types of holds available in Exchange Server: Litigation Hold and In-Place Hold. Litigation Hold uses the LitigationHoldEnabled property of a mailbox. When Litigation Hold is enabled, all mailbox all items are placed on hold. In contrast, you can use an In-Place Hold to preserve only those items that meet that the criteria of a search query that you define by using the In-Place eDiscovery tool. You can place multiple In-Place Holds on a mailbox, but Litigation Hold is either enabled or disabled for a mailbox. For both types of holds, you can also specify the duration period to hold items. The duration is calculated from the date a mailbox item is received or created. If a duration isn't set, items are held indefinitely or until the hold is removed. If you remove a Litigation Hold from a mailbox, but one or more In-Place Holds are still placed on the mailbox, items matching the In-Place Hold criteria are held for the period specified in the hold settings'

-----------------

Because of In Place and Litigation Hold it is not recommended to try the old style practice of journaling into a mailbox within the organisation. You can, however, integrate third party applications to journal such as Global Relay or Mimecast. A reason to do journaling I find is that organisations want to have a tamperproof copy of the mail for compliance purposes - the important part being copy, so if for some reason the hold was removed, you would have the data whatever happens. However, when discussing with customers, in place archive and litigation hold is more than enough in 99% of cases. It will certainly do what you need it to do above.

In terms of storage consumption, Litigation Hold and In-Place Hold use the Recoverable Items folder to preserve items. It uses the mailbox limits.

Hope that answers your question.

Best, Chris

Hi @Christopher Hoard,

 

this answers my question well enough. I know the shared document, I only thought ok, this is explained very well, but can I transfer this approach to the whole company? So it seems, yes.

 

Furthermore I found this helpful...

Exchange Online Limits

 

I just want to be on the save side....

A mailbox with Exchange Online Plan 2 which is not on hold could have up 30 GB for the dumpster. So if the user is deleting a lot, he can only use up to 70 GB, right?

 

And if the mailbox is on hold (without archive) it could utilize even more. So if the user is deleting comprehensively maybe his regular inbox might take only 5 GB and the dumpster 95 GB.

 

So if I understand correctly without hold the maximum dumpster size is static and with hold it is dynamic. But everything plays in the maximum mailbox size limits, right?

Kind regards,
woelki

 

 

 

 

 

A mailbox which is on litigation hold uses the recoverable items folder which is 30Gb static size. So it means if users are deleting lots of mail it may fill up quickly.

https://docs.microsoft.com/en-us/Exchange/policy-and-compliance/holds/litigation-holds?view=exchserv...

Litigation Hold preserves items in the Recoverable Items folder in the user's mailbox. The default size for this folder is 30 GB. Depending on number and size of items deleted or modified, the size of the Recoverable Items folder of the mailbox may increase quickly. The Recoverable Items folder is configured with a high quota by default. We recommend that you monitor mailboxes that are placed on Litigation Hold on a weekly basis to ensure they don't reach the limits of the Recoverable Items quotas.

In place hold activates the archive and gives another 50/100Gb dependent on your plan. You can configure policies to move information to the archive if required.

You are correct everything plays into the maximum limits as outlined in the articles. In other words, litigation hold where everything is preserved has a hard ceiling of 30Gb and is not unlimited.

So, if you wanted an unlimited archive meaning unlimited storage and unlimited preservation of mail then this would be the point to consider a third party journaling solution.

Hope that clarifies

Best, Chris

@Christopher Hoard wrote:

Hope that clarifies

Almost. As I can read from the Exchange Online limits doc, having an E3 or E5 plan means that the recoverable items are unlimited in the archive. As I know from OnPrem the archive is a second mailbox.
So I would guess we have two dumpsters in this case. One limited dumpster in regular mailbox, one in the dumpster.

So combining litigation hold together with a suitable archive retention policies should be a rock solid solution, right?

 


@Christopher Hoard wrote:

In place hold activates the archive and gives another 50/100Gb dependent on your plan. You can configure policies to move information to the archive if required.


Is that true? So if I got an E3 or E5 plan and I activate litigation hold the archive will be enabled automatically (I guess with default MRM policy)?

Kind regards,
woelki