Microsoft Tech Community

Apply an Office 365 Security & Compliance retention policy to specific users


We cannot use organization-wide retention policies to cover all Exchange Online mailboxes or OneDrive sites because of different needs in different countries.

Is there a way we can apply a retention policy to specific group of users and then also maintain the provisioning of new users and de-provisioning of leavers?

It seems that you can use shell to add mail-enabled group to a retention policy using:

Set-RetentionCompliancePolicy -Identity "Policy_name" -AddExchangeLocation "group_email"

to get the group members extracted and added to the policy. This would be simple enough to schedule to be run and maintain the group memberships in on-prem AD, but it seems that re-adding the same group does not update the mailboxes affected by the policy. Then again, you cannot just -RemoveExchangeLocation "group_email", since the removal command only takes individual users and not groups. So a scheduled task could first find the current individuals affected by the retention policy (how?), remove them and then re-add the group to get the updates in group memberships. Seems a bit complicated and possibly even risky: if you remove users from the policy and re-adding them does not work for some reason, users are left without a hold... Has anyone any better ways to automate this?

And that's only the Exchange part - OneDrive needs the URL of the site, and groups cannot provide that without some heavy scripting. Has anyone any great ideas how to handle the provisioning and de-provisioning on those?

1 Reply
best response confirmed by Tero Voutilainen (Copper Contributor)

Why do you need to remove users though? Generally speaking, the requirements to keep data also apply to leavers, so there should be no need to update the policy every time a person leaves the company. But to answer the question, the way to find out which policies apply to which objects is to look at the corresponding mailbox attributes. For example:

[09:57:21]# (Get-Mailbox vasil).InPlaceHolds
mbxda45e521e0314dd19ec276112c2af7b9:2

[09:59:01]# Get-RetentionCompliancePolicy da45e521e0314dd19ec276112c2af7b9

Name          Workload                                                      Enabled Mode
----          --------                                                      ------- ----
PersonalStuff Exchange, SharePoint, OneDriveForBusiness, Skype, ModernGroup True    Enforce

where I've stripped the "mbx" prefix. For company-wide policies, you should look into the output of the Get-OrganizationConfig cmdlet instead.

I agree, it can be handled in a better manner. And ODFB handling is crap, we've been asking for years now to have it changed based on UPN or something instead of having to always specify the URL.
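A script that does at scale what the reply shows for one mailbox, and answers the "(how?)" in the question, as an added example that is not part of the original thread: it parses each mailbox's InPlaceHolds attribute (stripping the "mbx" prefix and the ":n" action suffix the reply mentions), lists the mailboxes a named retention policy currently holds, and compares that list with a group's membership so drift can be reported before anyone touches the policy. It goes slightly beyond the reply by also recognising the other InPlaceHolds prefixes Microsoft documents (grp, skp, UniH). It assumes an existing Exchange Online session and a Security & Compliance session; the policy name, the group address and the function names are placeholders.

```powershell
# Added example, not from the original thread. Assumes:
#   - an Exchange Online session (Connect-ExchangeOnline) for Get-Mailbox / Get-DistributionGroupMember
#   - a Security & Compliance session (Connect-IPPSSession) for Get-RetentionCompliancePolicy
#   - placeholder names: "Policy_name" for the policy and "group_email" for the group

function ConvertFrom-InPlaceHold {
    # Split one InPlaceHolds entry, e.g. "mbxda45e521e0314dd19ec276112c2af7b9:2",
    # into prefix, bare GUID and action suffix. Prefixes: mbx = retention policy on the
    # mailbox, grp = retention policy on a Microsoft 365 Group, skp = Skype, UniH = eDiscovery
    # case hold; an entry with no prefix is an in-place hold. The suffix after the colon is
    # the retention action (1 = delete, 2 = hold, 3 = hold and delete), not part of the GUID.
    param([Parameter(Mandatory)][string]$Entry)
    if ($Entry -match '^(?<prefix>mbx|grp|skp|UniH)?(?<guid>[0-9a-fA-F-]{32,36})(?::(?<action>\d+))?$') {
        [pscustomobject]@{
            Prefix = $Matches['prefix']
            Guid   = ($Matches['guid'] -replace '-', '').ToLower()
            Action = $Matches['action']
            Raw    = $Entry
        }
    }
}

function Get-RetentionPolicyMailbox {
    # Return every mailbox whose InPlaceHolds carries the "mbx<guid>" entry of the named policy.
    param([Parameter(Mandatory)][string]$PolicyName)
    $policy     = Get-RetentionCompliancePolicy -Identity $PolicyName
    $policyGuid = ($policy.Guid.ToString() -replace '-', '').ToLower()

    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        foreach ($entry in @($mbx.InPlaceHolds)) {
            $hold = ConvertFrom-InPlaceHold -Entry $entry
            if ($hold -and $hold.Prefix -eq 'mbx' -and $hold.Guid -eq $policyGuid) {
                [pscustomobject]@{
                    PrimarySmtpAddress = $mbx.PrimarySmtpAddress.ToString()
                    Hold               = $hold.Raw
                }
            }
        }
    }
}

function Compare-RetentionPolicyToGroup {
    # Report drift between a group's mailbox members and the mailboxes the policy holds.
    # "MissingHold" = in the group but not held; "NotInGroup" = held but no longer a member.
    # This only reports; it never calls Set-RetentionCompliancePolicy -RemoveExchangeLocation,
    # so no mailbox can lose its hold as a side effect of the check.
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$GroupIdentity
    )
    $held = @(Get-RetentionPolicyMailbox -PolicyName $PolicyName |
              Select-Object -ExpandProperty PrimarySmtpAddress)
    $members = @(Get-DistributionGroupMember -Identity $GroupIdentity -ResultSize Unlimited |
                 Where-Object { $_.RecipientTypeDetails -like '*Mailbox' } |
                 ForEach-Object { $_.PrimarySmtpAddress.ToString() })

    foreach ($m in $members) {
        if ($held -notcontains $m) { [pscustomobject]@{ Mailbox = $m; Status = 'MissingHold' } }
    }
    foreach ($h in $held) {
        if ($members -notcontains $h) { [pscustomobject]@{ Mailbox = $h; Status = 'NotInGroup' } }
    }
}

# Usage (placeholder names):
# Compare-RetentionPolicyToGroup -PolicyName 'Policy_name' -GroupIdentity 'group_email' | Format-Table
```

The report is the safe half of the loop the question sketches: members flagged MissingHold can be added with Set-RetentionCompliancePolicy -AddExchangeLocation (individually or by re-adding the group), while NotInGroup mailboxes are only listed, never removed, since, as the reply notes, the requirement to keep data usually applies to leavers as well.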
