How does Purview/data lifecycle management on Mailboxes work for deleted mailboxes?
I have an inkling that it more or less keeps the Mailbox in the Recoverable Items set//folder/dimension, but I don't want to guess. We do not have a license for Purview, I just have discovered that we have policies in here setup and forgotten about (or migrated Compliance and Security, and forgotten about). I say this because I don't fully understand Purview (because I don't want to use it, and we don't have it), yet I have a 'keep forever' policy set on ALL Exchange Mailboxes, but it doesn't actually prevent me from Deleting them. Reading https://learn.microsoft.com/en-us/purview/retention-settings#configuration-information-for-exchange-mailboxes-and-exchange-public-folders and https://learn.microsoft.com/en-us/purview/retention-policies-exchange#whats-included-for-retention-and-deletion doc, the word 'mailbox' appears 54 times. I have responsibilities and a life, but I did manage to find out when MAIL is deleted from Deleted Items, it goes to 'recoverable items' - a folder that exists in (somewhere). What I don't know is what happens if the entire Mailbox is deleted. I have archiving turned off. I notice that there is a separate 'https://learn.microsoft.com/en-us/purview/inactive-mailboxes-in-office-365' article. I genuinely do not have the time or patience to read these massive docs, or the 100 other docs they link to, for a platform way outside my scale, that I don't intend on using. Anyone know? I need to understand how this works before I get approval on removing it.Retention policy to remove older than 30 days items from the Deletd Items folder "doesn't work "
Recently I worked with this scenario and faced the following "issue": After a hybrid Exchange migration, we needed to replicate the onprem retention policies. Basically, enforce a policy that removes all the messages older than 30 days from all the mailboxes Deleted Items folder. That's something quite easy to configure, ( done thousand times ), and will not get deeper in this technical details. The case is that, after the setup, we noticed that many old items, ( even from last year and older ), were still in the user's Deleted Items folder without any action from the policy. Of course that I know that the Managed Folder Assistant, ( in charge to check those policies and apply any action if required ), runs automatically once por week +- and we can force it with the cmdlt: Start-ManagedFolderAssistant <UserEmailAddress> And in order to recalculate all retention tags and apply them to the required folders, we can run: Start-ManagedFolderAssistant <UserEmailAddress> -FullCrawl But even running both commands and waiting more than 48 hours nothing happend. After further investigations and the help of a MS engineer we got the point: The retention age is calculated based on "Date of delivery or creation unless the item was deleted from a folder that does not have an inherited or implicit retention tag. If an item is in a folder that doesn't have an inherited or implicit retention tag applied, the item isn't processed by the MFA and therefore doesn't have a start date stamped by it. When the user deletes such an item, and the MFA processes it for the first time in the Deleted Items folder, it stamps the current date as the start date." https://learn.microsoft.com/en-us/exchange/security-and-compliance/messaging-records-management/retention-age In fact, we verified that with some random old messages in some mailboxes and all those had the first MFA run as the start date stamped. After waiting 30 days the messages were correctly deleted. Hope that this helps someone facing the same behavior, avoiding spend so much time as I spent on this 🙂How to "bypass" an Exchange Retention Policy Preservation Lock
I have a scenario with a complete Exchange Retention policy with a preservation lock. As you already know, once a preservation lock is in place, nobody can turn off the policy, delete the policy, or make it less restrictive, ( neither the Global Admin ). Now we need to modify it for a couple of mailboxes, but as those mailboxes, ( like all the mailboxes ), are included in the locked retention policy, there's "no way" to do it. Well, I figured out one chance... 😉 Here starts to play the principles of retention. As the mentioned retention policy is applied to the whole Exchange environment, and as per the principles of retention explicit wins over implicit for deletions, we can create a new policy that applies to the required specific mailboxes in order to delete the content sooner. " If a retention policy for a location uses an adaptive scope or a static scope that includes specific instances (such as specific users for Exchange email) that retention policy takes precedence over a static scope that is configured for all instances for the same location ". https://learn.microsoft.com/en-us/microsoft-365/compliance/retention?view=o365-worldwide That should solve the issue "bypassing" the locked policy. But note that this principle only takes advatage in the case of deletions. For only retention, that wins always over deletions. Maybe not the best solution, but people should be aware about such kind of things before locking a retention policy. Feel free to let me know your thoughts.
