compliance

FindTime, your favorite scheduling add-in just got better!
We heard you, so we re-wrote the entire back-end infrastructure for FindTime and built a new service within the Office 365 compliance boundary. More specifically, the organizer's poll data is now stored in their mailbox and does not leave your tenant's environment.

Prevent archiving of items in a default folder in Exchange 2010
In Exchange 2010, you can use Retention Policies to manage message retention. Retention Policies consist of delete tags (retention tags with either the Delete and Allow Recovery or the Permanently Delete action) and archive tags (retention tags with the Move To Archive action, which move items to the user's archive mailbox). Depending on how they're applied to mailbox items, retention tags fall into three types:

- Default Policy Tags (DPTs), which apply to untagged items in the mailbox. Untagged items are items that don't have a retention tag applied directly or inherited from a parent folder. You can create three kinds of DPT: an archive DPT, a delete DPT and a DPT for voicemail messages.
- Retention Policy Tags (RPTs), which are retention tags with a delete action, created for default folders such as Inbox and Deleted Items. Not all default folders are supported; a table of the default folders supported for RPTs is in Understanding Retention Tags and Retention Policies. Notably, the Calendar, Tasks and Contacts folders aren't supported [1].
- Personal Tags, which are retention tags that users can apply to items and folders in Outlook 2010 and Outlook Web App. Personal tags can be either delete tags or archive tags. They're surfaced in Outlook 2010 and OWA as Retention policies and Archive policies.

To deploy retention tags, you add them to a retention policy and apply the policy to mailbox users.

In Exchange 2010 SP1, we added support for the Notes folder. In Exchange 2010 RTM, items in the Notes folder aren't processed. After you upgrade to SP1, if the user's retention policy doesn't have an RPT for the Notes folder, the DPT from the user's policy applies to items in that folder. In existing deployments, your users may not be used to their notes being moved or deleted.

To prevent the DPT from being applied to a default folder, you can create a disabled RPT for that folder (or disable any existing RPT for that folder).
The Managed Folder Assistant, the mailbox assistant that processes mailbox items and applies retention policies, does not apply the retention action of a disabled tag. Because the item or folder still has a tag, it isn't considered untagged, and the DPT isn't applied to it.

Figure 1: Create a disabled Retention Policy Tag for the Notes default folder to prevent the Default Policy Tag from being applied to items in that folder

Note: You can create a disabled RPT for any supported default folder.

Why are items in the Notes folder still archived?

If you create a disabled RPT for the Notes folder, you'll see that items in that folder are no longer deleted, but they do continue to be moved to the archive. Why does this happen, and how do you prevent it? It's important to understand that:

- A retention policy can have a DPT to archive items (using the Move to Archive retention action) and a DPT to delete items (using the Delete and Allow Recovery or Permanently Delete retention action). Both apply to untagged items. The move and delete actions are independent of each other.
- Mailbox folders and messages can have both types of tag applied, an archive tag and a delete tag. It's not an either/or proposition. If you create a disabled RPT for the Notes folder so that items aren't deleted, the archive DPT for the mailbox still applies and moves them.
- When it comes to archiving, there's only one archive policy that administrators can enforce: the DPT with the Move to Archive action. You can't create an RPT with the Move to Archive action. This rules out using the disabled-RPT approach to prevent items from being moved.

How do you prevent items in a default folder from being archived?

There's no admin-controlled way to prevent items in default folders from being archived [2], short of removing the archive DPT from the retention policy. However, removing the archive DPT means messages no longer move to the archive automatically unless the user applies a personal tag to messages or folders.
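Here is the admin side of the above in the Exchange 2010 SP1 Management Shell, as an added example that is not from the original post: it creates the disabled RPT for Notes, links it to a policy, and then checks what that policy will still do to Notes items. The policy name is the one Exchange Setup creates; the new tag name and the mailbox are assumptions.

```powershell
# Added example, not from the original post. Exchange 2010 SP1 Management Shell.
# Assumed names: the policy (Setup's default), the new tag name, and the mailbox.
$policy  = "Default Archive and Retention Policy"
$tagName = "Notes - never expire"
$mailbox = "alice@contoso.com"

# 1. A disabled RPT for the Notes default folder. RetentionAction is mandatory on the cmdlet,
#    but with RetentionEnabled $false the Managed Folder Assistant never applies it; the folder
#    is still tagged, so the delete DPT no longer falls through to "untagged" Notes items.
if (-not (Get-RetentionPolicyTag $tagName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicyTag -Name $tagName -Type Notes `
        -RetentionAction DeleteAndAllowRecovery -RetentionEnabled $false `
        -Comment "Disabled RPT: keeps the delete DPT from applying to Notes"
}

# 2. Link the tag to the policy. RetentionPolicyTagLinks is multivalued; Add keeps the existing links.
Set-RetentionPolicy -Identity $policy -RetentionPolicyTagLinks @{Add=$tagName}

# 3. Review every tag the policy now carries.
$tags = (Get-RetentionPolicy $policy).RetentionPolicyTagLinks |
    ForEach-Object { Get-RetentionPolicyTag $_.Name }
$tags | Format-Table Name, Type, RetentionEnabled, RetentionAction, AgeLimitForRetention -AutoSize

# 4. The disabled RPT stops deletion only. A DPT (Type All) with MoveToArchive still archives
#    Notes items, and an RPT can never carry MoveToArchive, so flag it rather than silently assume.
$archiveDpt = $tags | Where-Object { $_.Type -eq "All" -and $_.RetentionAction -eq "MoveToArchive" }
if ($archiveDpt) {
    Write-Warning ("Archive DPT '" + $archiveDpt.Name + "' (" + $archiveDpt.AgeLimitForRetention +
        ") still moves Notes items to the archive; a disabled RPT cannot prevent that.")
}

# 5. Make sure the user-side opt-out exists in the policy: a disabled personal archive tag
#    (shown as 'Never' under Archive Policy in Outlook/OWA). Setup's default policy has one.
$never = $tags | Where-Object { $_.Type -eq "Personal" -and
    $_.RetentionAction -eq "MoveToArchive" -and -not $_.RetentionEnabled }
if (-not $never) {
    New-RetentionPolicyTag -Name "Personal never move to archive" -Type Personal `
        -RetentionAction MoveToArchive -RetentionEnabled $false
    Set-RetentionPolicy -Identity $policy -RetentionPolicyTagLinks @{Add="Personal never move to archive"}
}

# 6. Process one mailbox now instead of waiting for the next MFA work cycle,
#    then confirm which tags that mailbox actually sees.
Start-ManagedFolderAssistant -Identity $mailbox
Get-RetentionPolicyTag -Mailbox $mailbox | Format-Table Name, Type, RetentionEnabled, RetentionAction -AutoSize
```

Step 4 is the check worth keeping in any change script: it is easy to ship the disabled RPT, see Notes stop disappearing, and forget that the archive DPT is still moving them.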
The workaround is to have users apply the Personal never move to archive personal tag (displayed as Never under Archive Policy in Outlook/OWA) to the default folder. The tag is included in the Default Archive and Retention Policy created by Exchange Setup. You can also add this tag to any Retention Policies you create.

Figure 2: Users can apply the Never archive policy to a default folder to prevent items in that folder from being archived

[1] Support for Calendar and Tasks retention tags was added in Exchange 2010 SP2 RU4.
[2] You can apply a disabled move tag to a folder in a user's mailbox using EWS code or a script. For details, see Using Exchange Web Services to Apply a Personal Tag to a Custom Folder.

Applying a disabled archive policy to the Notes default folder

You can't use Outlook 2010 or Outlook 2013 to apply an archive policy to the Notes default folder or to individual Notes items. If your users want to prevent Notes items from being moved, they must apply a disabled move tag to the Notes folder using OWA.

Figure 3: Apply the Personal never move to archive policy to the Notes folder in Outlook Web App in Exchange 2013. The Exchange 2010 Outlook Web App UI differs slightly: it lists archive and retention policies separately. See a screenshot here.

Bharat Suneja

Updates
1/23/2013: In Exchange 2010 SP2 RU4, we added Calendar and Tasks retention tag support. You can prevent these from being moved or deleted by creating registry values. See Calendar and Tasks Retention Tag Support in Exchange 2010 SP2 RU4.
6/18/2013: Added screenshot - Applying disabled move tag to Notes folder in OWA and link to Using Exchange Web Services to Apply a Personal Tag to a Custom Folder.

Preserve mailbox data for eDiscovery using inactive mailboxes in Exchange Online
In Exchange Online and Exchange Server 2013, you can use In-Place Hold or Litigation Hold to preserve mailbox content for litigation or investigations. Many organizations also need to preserve mailbox data for users who are no longer in the organization. In on-premises Exchange deployments, this has typically been done by disabling the Active Directory user account and performing actions such as removing it from distribution groups, preventing inbound and outbound email to and from the mailbox (including setting delivery restrictions and configuring message size limits), hiding the mailbox from the Global Address List (GAL), and setting an account expiration date on the user account in Active Directory. Licensing costs are not a concern in this scenario, because you do not need a Client Access License (CAL) for a mailbox that's no longer active.

In Exchange Online, admins remove mailboxes for departed users. However, once you remove a mailbox, it can no longer be included in In-Place eDiscovery searches (Multi-Mailbox Search in the previous version of the service and in Exchange 2010). Additionally, 30 days after you remove a mailbox, it is permanently deleted from Exchange Online and can no longer be recovered. In-Place eDiscovery requires that the mailbox be active, which means an Exchange Online or Office 365 plan is required for the mailbox for as long as you want to preserve data for eDiscovery.

Note: You can preserve mailbox data offline by exporting it to a PST file using Microsoft Outlook and then removing the mailbox. However, if you need to perform an eDiscovery search, you would have to import it back into an Exchange Online mailbox.

Inactive Mailboxes

In the new Exchange Online, we've introduced the concept of inactive mailboxes to handle departed users.
When a user leaves the organization and you need to retain their mailbox data for some time to facilitate eDiscovery (or to meet retention or business requirements), you can place the mailbox on In-Place Hold or Litigation Hold before removing the Office 365 user. This preserves the mailbox but prevents it from sending or receiving messages, and hides it from users so it's no longer visible in the GAL and other recipient lists. You can add inactive mailboxes to In-Place eDiscovery searches. After you've made a mailbox inactive, you no longer require an Exchange Online or Office 365 plan for it.

When your eDiscovery, retention or other business requirements are met and you no longer need to preserve the mailbox content, remove the mailbox from In-Place Hold or Litigation Hold. After you remove the hold, the normal mailbox removal behavior of Exchange Online resumes for the mailbox: if the mailbox was removed more than 30 days ago, it is permanently deleted; if it was removed less than 30 days ago, it is permanently deleted 30 days after removal. For more details, see Overview of inactive mailboxes (short URL: aka.ms/inactivembx) in the Exchange Online documentation.

Inactive mailboxes are available in March 2013 in the E3, E4, E5, A3, A4, G and Exchange Online P2 plans.

Note: An inactive mailbox cannot exist without a hold. To place a mailbox on hold, you require an Exchange Online Plan 2 license (standalone, or through the Office 365 E3 or E5 plans). Customers with Exchange Online Plan 1 can assign an Exchange Online Archiving (EOA) license to place a mailbox on hold. After you place a mailbox on hold and remove the user account, you can reassign the license. This preserves the mailbox data as long as it remains on hold. See the Exchange Online service description for licensing and availability of features.
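The departed-user procedure above, as an added example that is not from the original post: an Exchange Online remote PowerShell session for the mailbox cmdlets and the MSOnline module for the user deletion. The UPN, the seven-year duration and the comment text are assumptions. The order matters, so the script refuses to delete the user until the hold is confirmed.

```powershell
# Added example, not from the original post. Exchange Online remote PowerShell session plus the
# MSOnline module (Remove-MsolUser). The UPN, the duration and the comment text are assumptions.
$upn  = "alice@contoso.com"
$days = 7 * 365   # LitigationHoldDuration is in days, counted from each item's received/created date

# 1. Hold first, delete second. The hold is placed on the user, so the primary and the archive
#    mailbox are both covered.
Set-Mailbox -Identity $upn -LitigationHoldEnabled $true -LitigationHoldDuration $days `
    -RetentionComment "Departed user; preserved for eDiscovery"

# 2. Refuse to delete until the hold is confirmed. A mailbox removed without a hold is merely
#    soft-deleted, is gone for good after 30 days, and cannot be made inactive after the fact.
$mbx = Get-Mailbox -Identity $upn
if (-not $mbx.LitigationHoldEnabled) {
    throw "Litigation Hold is not active on $upn; not deleting the user."
}
$mbx | Format-List LitigationHoldEnabled, LitigationHoldDate, LitigationHoldDuration, ArchiveStatus

# 3. Remove the user. Because the mailbox is on hold it becomes an inactive mailbox, and the
#    license that was assigned to it can be reassigned.
Remove-MsolUser -UserPrincipalName $upn -Force

# 4. Plain Get-Mailbox no longer returns it; ask for inactive mailboxes explicitly and match on
#    the address. Keep the DistinguishedName: the SMTP address may be reused by a new hire later.
$inactive = Get-Mailbox -InactiveMailboxOnly | Where-Object { $_.PrimarySmtpAddress -eq $upn }
$inactive | Format-List DisplayName, DistinguishedName, IsInactiveMailbox, LitigationHoldEnabled, WhenSoftDeleted

# 5. Later, when nothing requires preservation any more, release the hold on the inactive mailbox.
#    Normal removal then resumes: permanent deletion 30 days after the original removal, or at once
#    if that point has already passed.
# Set-Mailbox -Identity $inactive.DistinguishedName -InactiveMailbox -LitigationHoldEnabled $false
```

Run step 5 only as the deliberate end of the preservation period; there is no way to put the data back once the mailbox is purged.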
Migrating inactive mailbox data to Exchange Online

If you already have inactive mailboxes in your on-premises Exchange 2010 or Exchange 2013 environment or in a third-party archive, you can move the data to inactive mailboxes in Exchange Online: first provision an Exchange Online mailbox (which requires a plan subscription), import the data into it, place the user on In-Place Hold or Litigation Hold, and then delete the user account, which makes the mailbox inactive. You do not require a plan subscription for that mailbox after you make it inactive; you do need one during provisioning and import. If you have a large number of inactive mailboxes, you can provision them in batches using a smaller number of subscriptions. Note that the Product Usage Rights (PUR) state that licenses can only be reassigned once every 90 days.

How long can a mailbox be inactive?

You can preserve data in inactive mailboxes for as long as you need to, based on your organization's retention and eDiscovery requirements. Of course, you need to remain an Office 365/Exchange Online customer.

Do both primary and archive mailboxes become inactive mailboxes?

When you place a mailbox on hold in Exchange, you're actually placing the user on hold. Both the primary and the archive mailbox are placed on hold, and both become inactive after you remove the Office 365 user. When you use Office 365's eDiscovery tools to search the (now inactive) user, both mailboxes are searched.

How can you remove data from an inactive mailbox?

If you've specified a hold duration using In-Place Hold or Litigation Hold, items older than the hold duration are removed when the Managed Folder Assistant (MFA) processes the mailbox.

Can you search inactive mailboxes using Office 365 eDiscovery tools?

Yes.
Inactive mailboxes are visible to Office 365 eDiscovery tools: In-Place eDiscovery in Exchange Online, the eDiscovery Center in SharePoint Online, and eDiscovery or Content Search in the Office 365 Security & Compliance Center (SCC). No additional licenses are required to include inactive mailboxes in eDiscovery searches.

What happens after July 1, 2017, when you'll no longer be able to create new In-Place Holds?

As noted in Inactive mailboxes in Exchange Online and elsewhere in the Exchange Online documentation: on July 1, 2017, you'll no longer be able to create In-Place Holds in Exchange Online (in Office 365 and Exchange Online standalone plans). You'll still be able to modify existing In-Place Holds, and creating new In-Place Holds in Exchange Server 2013 and Exchange hybrid deployments is still supported. You'll also still be able to place mailboxes on Litigation Hold. As an alternative to In-Place Holds, you can use eDiscovery cases or retention policies in the Office 365 Security & Compliance Center. To make a mailbox inactive, you can use Litigation Hold, eDiscovery cases or Retention Policies in Office 365.

Bharat Suneja

Updates
3/16/2015: Changed the highlighted verbiage (in Migrating section) from "placing the user on In-Place Hold or Litigation Hold and then removing the subscription, making it an inactive mailbox" to "deleting the user account". Added links to In-Place eDiscovery and Litigation Hold.
5/23/2013: Added info about migrating inactive mailbox data to Exchange Online.
6/18/2013: Added note about Product Usage Rights (PUR).
3/5/2014: Added info about how long a mailbox can be inactive and included Litigation Hold.
4/14/2014: Added clarification about how you can remove data from inactive mailboxes (and hold duration specified for In-Place Hold or Litigation Hold has no impact.)
1/27/2016: Updated the above clarification about how you can remove data from an inactive mailbox to state that it is processed by MFA and items older than LitigationHoldDuration are removed. Removed: All content in an inactive mailbox is on hold until you remove the hold from the mailbox.
2/7/2017: Added the following Q&A about archive mailboxes: Do both primary and archive mailboxes become inactive mailboxes?
5/22/2017: Added the following Q&A about eDiscovery: Can you search inactive mailboxes using Office 365 eDiscovery tools? Added E5 plan to list ("Inactive mailboxes are available in March 2013 in the E3, E4, E5, A3, A4, G and Exchange Online P2 plans").
6/19/2017: Added information regarding changes on July 1, 2017, when you'll no longer be able to create new In-Place Holds.
4/23/2020: Added note about licensing with link to service description and changed "Inactive mailboxes do not require an Exchange Online or Office 365 plan" to "After you've made a mailbox inactive, you no longer require an Exchange Online or Office 365 plan."

Data immutability and Office 365 tenant lifecycle
One of the more common questions about Office 365 has been: what happens to my data after my organization's Office 365 subscription ends? The most common answer circulated in the community refers to a grace period of 30 days, during which you can still retrieve your data. The answer's not wrong, but here's some more detail about the tenant lifecycle after an Office 365 subscription is cancelled, as it relates to the organization's data.

During the first 30 days after an Office 365 subscription ends, the Office 365 tenant account is in this grace period, known as the expired state. During this period, users can still access data. If the subscription ended unintentionally (a rare event, I'd argue, given the many alerts you get to prevent termination of a subscription due to issues such as non-payment), this is a good time to set things right.

After 30 days, the tenant account enters the disabled state for 90 days. During this period, users no longer have access to data. The admin can still log in, back up data if required, or reactivate the subscription.

At the end of the disabled state, which is 120 days after your subscription has expired, the account enters the deprovisioning state. This is when the data, from user accounts to email data and documents, is deleted permanently.

State of subscription | When | What happens
Expired | 1-30 days after end of subscription | All users have access
Disabled | 31-120 days after end of subscription | Admin has access; admin can reactivate and back up data
Deprovisioned | After 120 days from end of subscription | All user data is deleted (user data, documents, email, including mailboxes on hold and inactive mailboxes)
Expedited deprovisioning | Within 3 days of end of subscription | All user data is deleted

You can request expedited subscription deprovisioning by calling Support. Support will generate a lockout code. You must enter the lockout code in the admin portal. User data, documents, email, including mailboxes on hold and inactive mailboxes, are deleted.
The tenant is removed as per the normal tenant lifecycle. See What happens to my data and access when my Office 365 for business subscription ends? in the Office 365 documentation for details.

There are a few compliance-related questions arising out of the end of a subscription.

1. How quickly will you delete data after my organization's Office 365 service ends?

Some time after 120 days. The jobs that delete data do so based on service load. You can expect data to be permanently deleted in a reasonable timeframe after the 120 days have elapsed.

2. How can I ensure my organization's Office 365 data is deleted quickly after service ends?

Many security- and compliance-minded organizations want to ensure there's no residual data in a cloud service after they end service. Office 365 customers can request expedited deprovisioning by calling Support. Expedited deprovisioning ensures your users' data is deleted within 3 days.

3. Is data immutability maintained after service ends? (In other words, are mailboxes placed on In-Place Hold or Litigation Hold retained after service ends?)

By far one of the most frequently asked questions. Data immutability refers to the ability to preserve data, in essence protecting it from destruction and tampering. See the links to additional resources on immutability, In-Place Hold and Litigation Hold below.

No. Microsoft's responsibility as a service provider ends after your service ends, which is when you stop being a customer/subscriber of the service. As noted above, data is permanently deleted when your tenant account enters the deprovisioning state, within a reasonable time after 120 days from the end of the subscription, or within 3 days if you request expedited deprovisioning. Mailboxes placed on In-Place Hold or Litigation Hold, including inactive mailboxes, are also deleted as part of deprovisioning.

Immutability in Office 365 and Exchange

Since publishing this post, I've received some questions about how we achieve immutability in Office 365 and Exchange.
Check out the following resources for answers:

- Blog and whitepaper: Office 365 Exchange Online Archiving now meets SEC Rule 17a-4 requirements
- Whitepaper: Achieving Immutability with Exchange Online and Exchange Server 2013
- AskPerry blog: Immutability in Exchange
- Blog: In-Place eDiscovery and In-Place Hold in the New Exchange – Part II
- Documentation: In-Place Hold and Litigation Hold

Bharat Suneja

Updates
3/16/2017: Added the following clarification about expedited deprovisioning: You can request expedited subscription deprovisioning by calling Support. Support will generate a lockout code. You must enter the lockout code in the admin portal. User data, documents, email, including mailboxes on hold and inactive mailboxes, are deleted. The tenant is removed as per normal tenant lifecycle. Changed "All customer data is deleted" to "All user data is deleted" in table.

Litigation Hold and In-Place Hold in Exchange 2013 and Exchange Online
In Exchange 2010 and Exchange Online, we introduced Litigation Hold to allow you to immutably preserve mailbox content to meet long-term preservation and eDiscovery requirements. When a mailbox is placed on Litigation Hold, mailbox content is preserved indefinitely.

Placing a mailbox on Litigation Hold

You can place a mailbox on Litigation Hold by using the Exchange Administration Center (EAC) or the Shell (set the LitigationHoldEnabled parameter). In Exchange 2010, you can also use the Exchange Management Console (EMC) to do this.

Figure 1: Enabling Litigation Hold for a mailbox using the EAC in Exchange 2013 and Exchange Online

Figure 2: Adding a note and a URL to inform and educate users placed on Litigation Hold

Preserving items for a specified duration

To preserve items for a specified period, we added the LitigationHoldDuration parameter to Exchange Online. This helps you meet your compliance needs by preserving all items in a mailbox for the specified duration, calculated from the date the item was created (the date received, in the case of inbound email). For example, if your organization needs to preserve all mailbox data for seven years, you can place all mailboxes on Litigation Hold and set LitigationHoldDuration to seven years (in days). This functionality is also available in Exchange 2013, allowing you to preserve items for a specified duration in your on-premises organization, one example of how developments in Exchange Online benefit Exchange Server on-premises.

In-Place Hold in Exchange 2013 and Exchange Online

In Exchange 2013 and the new Exchange Online, we introduced In-Place Hold, which allows more flexibility in preserving your data. Hold functionality is integrated with In-Place eDiscovery to allow you to search and preserve using a single wizard or a single cmdlet (New-MailboxSearch).
You can use the In-Place eDiscovery & Hold wizard or the cmdlet to search for and preserve items matching your query parameters (a query-based In-Place Hold), preserve items for a specified period (a time-based hold), or preserve everything indefinitely, which emulates the old Litigation Hold feature. Check out In-Place eDiscovery and In-Place Hold in the New Exchange - Part I and Part II for more info.

Using Litigation Hold in Exchange 2013 and Exchange Online

If you tried placing a mailbox on Litigation Hold using the EAC or the Shell, both interfaces displayed an alert message recommending that you switch to the new In-Place Hold feature. This recommendation was also reflected in the product documentation.

Figure 3: Warning displayed when using Litigation Hold in the EAC in Exchange 2013

Litigation Hold isn't going away: Since the release of Exchange 2013 and the new Exchange Online, we've received a lot of questions and feedback from you about whether Litigation Hold will be removed. We want to clarify that we do not plan to remove Litigation Hold from Exchange Online or Exchange 2013. We've removed the alert from Exchange Online and, in Exchange 2013, from SP1 onward. We've also removed the recommendation from the Exchange Online and Exchange 2013 documentation.

Use the hold feature that best meets your needs

You can use either hold feature to preserve mailbox data in Exchange 2013 and Exchange Online, based on your preservation needs. Here are some scenarios to help you choose between the two holds.

You want to... | Use Litigation Hold | Use In-Place Hold
Preserve all items in a mailbox | Yes | Yes. To preserve all items, don't specify any query parameters.
Preserve all items in a mailbox for a specific duration | Yes. Specify the LitigationHoldDuration parameter for the mailbox using the Shell. | Yes. Create a time-based In-Place Hold. Specify the duration in the In-Place Hold settings in the EAC or with the ItemHoldPeriod parameter in the Shell.
Preserve items matching query parameters | No. Litigation Hold preserves all items. | Yes. Create a query-based In-Place Hold. Specify query parameters such as start date, end date, sender, recipients and keywords.
Specify types of items to preserve (such as email, calendar, notes) | No. Litigation Hold preserves all items. | Yes. Use the EAC or the MessageTypes parameter in the Shell.
Specify hold settings for members of a distribution group | Yes. Use the Get-DistributionGroupMember cmdlet in the Shell to pipe distribution group members to the Set-Mailbox cmdlet. [1] | Yes. Specify distribution groups in the In-Place eDiscovery & Hold wizard in the EAC or in the SourceMailboxes parameter in the Shell. [2]
Maximum users on hold | No maximum. Litigation Hold is a mailbox parameter, so no limit applies; you can use the Shell to quickly place all users in an organization on hold. | You can specify a maximum of 10,000 users per In-Place Hold object. To place additional users on hold, you must create another hold.
Place multiple holds on a mailbox | No | Yes. You can place a user on multiple In-Place Holds, for example when a user is subject to multiple investigations or legal cases.
Make mailboxes inactive to preserve data in Exchange Online | Yes [3] | Yes
Archive Lync conversations and meeting content to Exchange | Yes | Yes

[1] The distribution group is expanded when you run the command. Future changes to the group require running the command again.
[2] Distribution groups are expanded only when you create or refresh the In-Place Hold. Future changes to the group require refreshing the search object.
[3] Inactive mailboxes are an Exchange Online feature. The linked documentation is being updated to clarify that you can also use Litigation Hold to make a mailbox inactive.

Bharat Suneja

Updates
12/11/2013: Added 'Specify types of items to preserve' row to comparison table.
12/11/2013: Added ItemHoldPeriod parameter to comparison table.
8/12/2014: Updated max mailboxes per In-Place Hold limit to 10,000 mailboxes. Added link to Place all mailboxes on hold. Added another row to table for archiving Lync content to Exchange.
6/3/2015: Changed the Litigation Hold column for "Archive Lync conversations and meeting content to Exchange" row in table to "Yes". Litigation Hold also enables you to archive Lync content in Exchange. Removed the following text: "To archive Lync Online IM conversations to Exchange Online, you must place a mailbox on In-Place Hold. In on-premises deployments, you can configure Lync Server to archive to Exchange Server without placing the user on In-Place Hold."

Using Exchange Web Services to Apply a Personal Tag to a Custom Folder
In Exchange 2010, we introduced Retention Tags, a Messaging Records Management (MRM) feature that allows you to manage the email lifecycle. You can use retention policies to retain mailbox data for as long as it's required to meet business or regulatory requirements, and delete items older than the specified period.

One of the design goals for MRM 2.0 was to simplify administration compared to Managed Folders, the MRM feature introduced in Exchange 2007, and to allow users more flexibility. By applying a Personal Tag to a folder, users can have different retention settings apply to items in that folder than the default tag applied to the entire mailbox (known as a Default Policy Tag). Similarly, users can apply a different tag to a subfolder than the one applied to the parent folder. Users can also apply a Personal Tag to individual items, allowing them the freedom to organize messages based on their work habits and preferences, rather than forcing them to move messages, based on the retention requirement, to an admin-controlled Managed Folder. You can still use Managed Folders in Exchange 2010, but they're not available in Exchange 2013. For a comparison of Retention Tags with Managed Folders and migration details, see Migrate Managed Folders.

If you like the Managed Folders approach of being able to create a folder in the user's mailbox and configure a retention setting for that folder, you can use Exchange Web Services (EWS) to accomplish something similar, with some caveats mentioned later in this post. You can write your own code or even a PowerShell script to create a folder in the user's mailbox and apply a Personal Tag to it. There are scripts available on the interwebs, including some code samples on MSDN, to accomplish this.
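As an added illustration of what such a script does (this is my example, not one of the published scripts or code from the Exchange team), here is the core of it in PowerShell against the EWS Managed API 2.2. It finds or creates a custom folder, stamps it with a Personal Tag, and reads the stamp back; the same stamping applied to the Notes default folder with a disabled archive tag is the EWS route mentioned in the post on preventing archiving of default folder items. The DLL path, mailbox, folder name and tag GUID are assumptions. The MAPI property IDs and flag bits are as I read them from the MS-OXCMSG retention-property definitions; check them against that spec for your Exchange version before relying on them.

```powershell
# Added example (not from the original post or the scripts it links to). EWS Managed API 2.2,
# run as an account with ApplicationImpersonation rights. Assumptions: DLL path, mailbox, folder,
# tag GUID and period. Property IDs and flag bits: MS-OXCMSG retention properties, as read by me.
Add-Type -Path "C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll"

$mailbox      = "alice@contoso.com"
$folderName   = "Project Records"
$isArchiveTag = $false   # $true when the Personal Tag's action is MoveToArchive (e.g. a 'never move' tag)
$tagDays      = 1825     # the tag's AgeLimitForRetention in days (0 for a disabled tag)
# GUID of the Personal Tag; in the Management Shell: (Get-RetentionPolicyTag "<tag>").RetentionId
$tagGuid      = [guid]"11111111-2222-3333-4444-555555555555"   # placeholder value, assumption

$svc = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService(
    [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP2)
$svc.UseDefaultCredentials = $true
$svc.AutodiscoverUrl($mailbox, { $true })
$svc.ImpersonatedUserId = New-Object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId(
    [Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $mailbox)

# Find the custom folder under the mailbox root, or create it. For a default folder such as Notes,
# bind to [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Notes instead of searching.
$root   = [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::MsgFolderRoot
$filter = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo(
    [Microsoft.Exchange.WebServices.Data.FolderSchema]::DisplayName, $folderName)
$found  = $svc.FindFolders($root, $filter, (New-Object Microsoft.Exchange.WebServices.Data.FolderView(1)))
if ($found.TotalCount -gt 0) {
    $folder = $found.Folders[0]
} else {
    $folder = New-Object Microsoft.Exchange.WebServices.Data.Folder($svc)
    $folder.DisplayName = $folderName
    $folder.Save($root)
}

# MAPI retention properties (MS-OXCMSG): PidTagArchiveTag 0x3018, PidTagPolicyTag 0x3019,
# PidTagRetentionPeriod 0x301A, PidTagRetentionFlags 0x301D, PidTagArchivePeriod 0x301E.
$bin = [Microsoft.Exchange.WebServices.Data.MapiPropertyType]::Binary
$int = [Microsoft.Exchange.WebServices.Data.MapiPropertyType]::Integer
$PR_ARCHIVE_TAG      = New-Object Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition(0x3018, $bin)
$PR_POLICY_TAG       = New-Object Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition(0x3019, $bin)
$PR_RETENTION_PERIOD = New-Object Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition(0x301A, $int)
$PR_RETENTION_FLAGS  = New-Object Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition(0x301D, $int)
$PR_ARCHIVE_PERIOD   = New-Object Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition(0x301E, $int)

# PidTagRetentionFlags bits (MS-OXCMSG): 0x01 ExplicitTag, 0x08 PersonalTag, 0x10 ExplicitArchiveTag,
# 0x80 NeedsRescan. PersonalTag marks the stamp as user-set, which is why users can later change it.
if ($isArchiveTag) {
    $folder.SetExtendedProperty($PR_ARCHIVE_TAG, $tagGuid.ToByteArray())
    $folder.SetExtendedProperty($PR_ARCHIVE_PERIOD, [int]$tagDays)
    $folder.SetExtendedProperty($PR_RETENTION_FLAGS, [int](0x10 -bor 0x08 -bor 0x80))
} else {
    $folder.SetExtendedProperty($PR_POLICY_TAG, $tagGuid.ToByteArray())
    $folder.SetExtendedProperty($PR_RETENTION_PERIOD, [int]$tagDays)
    $folder.SetExtendedProperty($PR_RETENTION_FLAGS, [int](0x01 -bor 0x08 -bor 0x80))
}
$folder.Update()

# Read the stamp back. Because it is a Personal Tag the user can change or remove it later, so a
# periodic re-read like this is the only way to know the folder is still tagged as intended.
$props = New-Object Microsoft.Exchange.WebServices.Data.PropertySet(
    [Microsoft.Exchange.WebServices.Data.BasePropertySet]::IdOnly)
$props.Add($PR_POLICY_TAG)
$props.Add($PR_ARCHIVE_TAG)
$props.Add($PR_RETENTION_FLAGS)
$check = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($svc, $folder.Id, $props)
$which = if ($isArchiveTag) { $PR_ARCHIVE_TAG } else { $PR_POLICY_TAG }
$stamp = $null
if ($check.TryGetProperty($which, [ref]$stamp)) {
    "{0}: tagged with {1}" -f $folderName, (New-Object System.Guid(,[byte[]]$stamp))
} else {
    "{0}: no tag found" -f $folderName
}
```

Two practical points: the tag GUID must be one that is actually linked to the user's retention policy, or the Managed Folder Assistant will ignore the stamp; and, as the rest of this post explains, this is still a Personal Tag, so treat the read-back as monitoring rather than enforcement.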
Published examples include:

- Stamping Retention Policy Tag using EWS Managed API 1.1 from PowerShell (Exchange 2010)
- 5 Lesser Known Operations in Exchange Web Services on Exchange 2013, Exchange MVP Glen Scales' post on the MVP Program Blog, which uses a simpler method to do this on Exchange 2013.

Note: The above scripts are examples for your reference. They're not written or tested by the Exchange product group.

But is it supported?

We frequently get questions about whether this is supported by Microsoft. Short answer: yes. Exchange Web Services (EWS) is a supported and documented API, which allows ISVs and customers to create custom solutions for Exchange. When using EWS in your code or PowerShell script to apply a Personal Tag to a folder, it's important to consider the following.

For developers

EWS is meant for developers who can write custom code or scripts to extend Exchange's functionality. As a developer, you must have a good understanding of the functionality available via the API and what you can do with it using your code or script. Support for the EWS API is offered through our Exchange Developer Support channels.

For IT Pros

If you're an IT Pro writing your own code or scripts, you're a developer too! The above applies to you. If you're an IT Pro using third-party code or scripts, including the code samples and scripts available on MSDN, TechNet or elsewhere on the interwebs, we recommend that you follow the general best practices for using such code or scripts, including (but not limited to) the following:

- Do not use code or scripts from untrusted sources in a production environment.
- Understand what the script or code does. (This is easy for scripts: you can look at the source in a text editor.)
- Test the script or code thoroughly in a non-production environment, including all command-line options and parameters available in it, before installing or executing it in your production environment.
- Although it's easy to change the PowerShell execution policy on your servers to allow unsigned scripts to execute, it's recommended to allow only signed scripts in production environments. You can easily sign a script if it's unsigned before running it in a production environment.

So should I do it?

If using EWS to apply a Personal Tag to custom folders helps you meet your business requirements, absolutely! However, do note and consider the following:

- You're replicating some of the functionality available via Managed Folders, but it doesn't turn the folder into a Managed Folder. Remember, it's a Personal Tag! Users can remove the tag from the folder using Outlook or Outlook Web App.
- If you have additional Personal Tags available in your environment, users can change the tag on the custom folder.
- Users can tag individual items with a different Personal Tag. There is no way to enforce inheritance of a retention tag if Personal Tags have been provisioned and made available to the user.
- Users can rename or delete custom folders. Unlike Managed Folders, which are protected from changes or deletion by users, custom folders created by users or by admins are just like any other (non-default) folder in the mailbox.

Provisioning custom folders with different retention settings (by applying Personal Tags) may help you meet your organization's retention requirements. As an IT Pro, make sure you understand the above and follow the best practices.

Bharat Suneja

In-Place eDiscovery and In-Place Hold in the New Exchange – Part II
In Part I of this post, we covered what's new in In-Place eDiscovery in the new Exchange. In this post, let's take a look at how the new Exchange retains data immutably.

One of the first steps you must take when a reasonable expectation of litigation exists, or when served an eDiscovery request, is to preserve messaging records so they can be produced when required. Before Exchange 2010, this was generally achieved using different methods, including archiving data to an external system, suspending automated deletion mechanisms (such as Exchange's Messaging Records Management), or in some cases by instructing users not to delete records. Failure to preserve records required for litigation may expose your organization to legal and financial risk.

In Exchange 2010 and Office 365, we introduced Litigation Hold to enable you to preserve messaging records. Litigation Hold is a mailbox property: placing a mailbox on litigation hold places all items in the mailbox on hold indefinitely (or until the hold is removed), resulting in the accumulation of a large volume of data, not all of which may need to be preserved.

In the new Exchange, you can use In-Place Hold to retain items immutably. In-Place Hold is integrated with In-Place eDiscovery, allowing you to perform both search and hold using the same interface and the same query parameters. You can use In-Place Hold in the following scenarios.

Indefinite Hold: You can create an In-Place Hold without any query parameters and without a hold duration to hold all items in a mailbox indefinitely or until the hold is removed. This emulates the behavior of litigation hold.

Query-Based Hold: Using In-Place Hold, you can create a search query and specify the source mailboxes and parameters such as keywords, senders and recipients, as well as start and end dates. You can also specify the type of items to search: email messages, calendar items such as meetings and appointments, tasks, notes, or Lync content archived in Exchange mailboxes.
Time-Based Hold: Whereas Litigation Hold placed all mailbox contents on hold indefinitely or until you removed the hold, In-Place Hold allows you to specify a duration of time for which to hold items. The time is calculated from the received date, or from the date the item was created in the mailbox for items such as appointments, tasks and notes that are not sent or received.

One of the more common feature requests in Exchange 2010 was the ability to specify a definite time period for which an item is retained. Whereas retention policies allow you to specify the email lifecycle and automatically delete items when the specified period is reached, they don’t guarantee retention for that period. In other words, you could specify that items will be kept for a maximum of 7 years, but you couldn’t guarantee that items won’t be deleted before that period by a user or a process.

The commonly recommended workaround to meet this requirement was to configure the Deleted Item Retention period to the minimum period you want an item to be retained for. In this example, setting the deleted item retention period to 7 years means that if a user deletes an item before 7 years, it is retained in the Recoverable Items folder for 7 years. However, the Deleted Item Retention period is calculated from the date of deletion. If a user deletes an item after 6 years, it is retained for an additional 7 years in the Recoverable Items folder, resulting in a total retention period of 13 years. In other words, you can guarantee an item will be retained for a minimum of 7 years, but not the maximum retention period. In the new Exchange, when you create a time-based In-Place Hold, the hold period is calculated from the item’s received/creation date, so you can guarantee the item won’t be held beyond that period.
You can combine a time-based In-Place Hold with a Retention Policy (that has a single default policy tag) to ensure items in the mailbox are deleted by the Managed Folder Assistant (MFA) after 7 years, and items deleted by a user or a process before that period are retained for at least the specified duration. You can also combine a query-based In-Place Hold with a time-based hold to preserve items matching query parameters for the specified period. You can also place a user on multiple holds, for example when a mailbox may contain records pertaining to multiple cases or investigations.

In-Place Hold & Permissions

Like In-Place eDiscovery, In-Place Hold can be used by authorized users with delegated Discovery Management permission. However, there’s a slight twist. The Discovery Management role group is assigned the Mailbox Search and Litigation Hold management roles. The former allows an authorized user to create a mailbox search for In-Place eDiscovery and Hold. The latter actually allows you to place mailbox content on hold. If a user is only assigned the Litigation Hold role, for example by creating a custom role-based access control (RBAC) role group or via membership of a role group such as Organization Management that has the Litigation Hold role assigned, the user is able to use In-Place Hold, but only to place all mailbox content on hold. The user can’t specify query parameters. In other words, the user can’t create a query-based In-Place Hold.

Creating an In-Place Hold

Let’s go back to the query Robin created in Part I of this post. When creating the In-Place Hold, on the Mailboxes page Robin must select Specify mailboxes to search and select the mailboxes or distribution groups. You must specify mailboxes or distribution groups to place on hold. If you select Search all mailboxes, the option to place content on hold will not be available.
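The three hold scenarios above, the retention-policy pairing, and the role check for query-based hold, shown from the Exchange Management Shell. This is an added example, not code from the original post; the mailbox addresses, distribution group, search names and tag names are constructed for illustration, and the 7-year period is expressed as 2555 days.

```powershell
# Added example for Exchange 2013 Management Shell (not from the original post).
# Names below (robin@contoso.com, dan@contoso.com, "Marketing-Team-DG", search and
# tag names) are constructed placeholders.

# 1. Query-based hold needs both the "Mailbox Search" and "Litigation Hold" roles.
#    Confirm what the Discovery Management role group (or a custom group) holds.
Get-ManagementRoleAssignment -RoleAssignee "Discovery Management" |
    Select-Object Role, RoleAssigneeName

# 2. Indefinite Hold: no query, no duration. Behaves like litigation hold for the
#    listed mailboxes until the search is removed.
New-MailboxSearch -Name "Case 1234 - Indefinite Hold" `
    -SourceMailboxes "robin@contoso.com","dan@contoso.com" `
    -InPlaceHoldEnabled $true -ItemHoldPeriod Unlimited

# 3. Query-Based + Time-Based Hold: only items matching the query are held, for
#    2555 days (7 years) counted from each item's received/creation date.
#    Members of a distribution group are resolved when the search is created.
New-MailboxSearch -Name "Case 1234 - Wingtip" `
    -SourceMailboxes "Marketing-Team-DG" `
    -SearchQuery 'wingtip NEAR(3) toy*' `
    -StartDate "1/1/2012" -EndDate "12/31/2012" `
    -MessageTypes Email,Meetings `
    -InPlaceHoldEnabled $true -ItemHoldPeriod 2555

# 4. Pair the 7-year hold with a retention policy carrying a single default policy
#    tag: MFA deletes at year 7, and the hold stops anything being purged earlier.
New-RetentionPolicyTag -Name "Delete after 7 years" -Type All `
    -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery
New-RetentionPolicy -Name "7 Year Lifecycle" `
    -RetentionPolicyTagLinks "Delete after 7 years"
Set-Mailbox -Identity "robin@contoso.com" -RetentionPolicy "7 Year Lifecycle"

# 5. Verify what applies to a mailbox. InPlaceHolds lists the identity of every
#    In-Place Hold the mailbox participates in, alongside any Litigation Hold.
Get-Mailbox -Identity "robin@contoso.com" |
    Format-List LitigationHoldEnabled, InPlaceHolds, RetentionPolicy
```

The verification step matters when a mailbox is on several holds: if the count of In-Place Holds goes above the evaluation limit described later in the post, the mailbox falls back to holding everything, so an unexpectedly long InPlaceHolds list is the first thing to check when preserved volume grows.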
Figure 1: To create an In-Place Hold, you must select Specify mailboxes to search

Note: If you select a distribution group, the hold applies to mailbox users that are members of the group when the hold is created.

On the Search query page, Robin can use the same query she used for the In-Place eDiscovery.

Figure 2: Messages matching query parameters are preserved

She can also select the message types to place on hold.

Figure 3: You can specify the message types to hold or hold all message types

Placing archived Lync content on hold

If the new Lync is enabled to archive Instant Messaging and meeting content into the new Exchange, Lync content is archived in the user’s mailbox and automatically placed on hold. You need to configure OAuth authentication between Lync and Exchange to enable this. Additionally, the mailbox must be located on a Mailbox server in the new Exchange.

On the In-Place Hold settings page, Robin selects the option to Place content matching the search query in selected mailboxes on hold. She can then select Hold indefinitely to hold content indefinitely (or until the In-Place Hold is removed or a mailbox is removed from the search). To hold items for a specific period, she can select Specify number of days to hold items relative to their received date and specify the number of days.

Figure 4: You can specify a hold duration or hold items indefinitely

It’s important to reiterate here that for the time-based hold, the duration is calculated from the date a message is received/created.

How In-Place Hold Works

Let’s take a look at what happens under the hood. When a user deletes a message, it goes to the Deleted Items folder. When the Deleted Items folder is emptied or messages are deleted from it, or the user uses Shift-Delete to delete a message, it is moved to the Recoverable Items\Deletes folder. Contents of this folder are exposed when the user uses Recover Deleted Items in Outlook or Outlook Web App.
If the user doesn’t do anything, messages from the Deletes folder are purged when the Deleted Items Retention period configured for the mailbox database or the user expires. If the user deletes a message from this view, a few things can happen:

If Single Item Recovery is enabled for the mailbox, the item is moved to the Recoverable Items\Purges folder and retained until the deleted item retention period expires. This gives the administrator the capability to recover items without having to recover from backups.

If the mailbox is placed on Litigation Hold, the item is moved to the Recoverable Items\Purges folder and retained until the hold is removed.

If the mailbox is placed on an In-Place Hold, the item is moved to the Recoverable Items\DiscoveryHolds folder.

Figure 5: Deleted items and original copies of modified items are preserved in the Recoverable Items folder of each mailbox

When the MFA, a mailbox assistant that processes mailboxes and expires content, processes the mailbox, it checks whether messages meet the query parameters of any In-Place Holds the user is placed on. This evaluation is done for up to 5 queries, beyond which all items are retained – emulating the same behavior as litigation hold. If the number of holds is brought below 5, the MFA again reverts to the query-based In-Place Hold behavior. When an In-Place Hold is removed, messages placed on hold are removed if they no longer match the query parameters of any other In-Place Hold that the user may have been placed on.

In-Place Hold and Immutability

When talking about preservation, the concept of immutability invariably comes up. Immutability means messages placed on hold must be preserved without alteration. Not only should we prevent them from being deleted (even if the user placed on hold thinks they’ve successfully purged the message), but the messages should also be protected from tampering or alteration.
Immutability is not a product feature but a combination of features and the hold processes your organization implements. In-Place Hold also helps you preserve content from intentional tampering or modification. This is achieved by performing a copy-on-write (COW): when the user or any process attempts to modify a message, a copy of the original message is made and saved in the Recoverable Items\Versions folder before the modified message is saved. Items captured in the Versions folder are also indexed and returned in an In-Place eDiscovery search. When the hold is removed, the copies made in the Versions folder are also removed by the Managed Folder Assistant.

Together, In-Place Hold and In-Place eDiscovery provide an easy-to-use mechanism for authorized legal, human resources or other non-technical personnel to easily search and immutably preserve messaging records.

Bharat Suneja and Julian Zbogar-Smith

Introducing Data Loss Prevention in the New Exchange
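A way to verify, for one mailbox, that the Recoverable Items subfolders described in the last two sections are actually accumulating preserved content (deleted items in Deletions and DiscoveryHolds, copy-on-write originals in Versions) and to see which holds are driving it. This is an added example written for the Exchange 2013 Management Shell, not code from the original post; the mailbox address is a constructed placeholder, and the use of the InPlaceHoldIdentity property to correlate searches with a mailbox is an assumption to confirm against your build.

```powershell
# Added example for Exchange 2013 Management Shell (not from the original post).
# robin@contoso.com is a constructed placeholder.
$Mailbox = "robin@contoso.com"

# Settings that decide where a purged item lands: Single Item Recovery and the
# deleted item retention window cover Deletions/Purges; holds override expiry.
$Mbx = Get-Mailbox -Identity $Mailbox
$Mbx | Format-List SingleItemRecoveryEnabled, RetainDeletedItemsFor,
    LitigationHoldEnabled, InPlaceHolds

# Item and size counts per Recoverable Items subfolder. Expected roles:
#   Deletions      - removed from Deleted Items, visible via Recover Deleted Items
#   Purges         - purged under Single Item Recovery or Litigation Hold
#   DiscoveryHolds - purged while an In-Place Hold applies
#   Versions       - copy-on-write originals of items modified while on hold
Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize |
    Format-Table -AutoSize

# Which In-Place Holds include this mailbox. A mailbox on more than the MFA's
# query evaluation limit (5 in the post) silently holds everything, so count them.
# Assumption: each MailboxSearch exposes InPlaceHoldIdentity, matching the values
# listed in the mailbox's InPlaceHolds property.
$Holds = Get-MailboxSearch |
    Where-Object { $_.InPlaceHoldEnabled -and ($Mbx.InPlaceHolds -contains $_.InPlaceHoldIdentity) } |
    Select-Object Name, ItemHoldPeriod, SearchQuery
$Holds | Format-Table -AutoSize
"Hold count for $Mailbox : $(@($Holds).Count)"
```

A growing Versions folder on a mailbox that no one has been told is on hold is worth a second look: it means something is repeatedly modifying held items, and the copy-on-write originals are the record of what changed.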
The Data Loss Prevention (DLP) feature in the new Exchange will help you identify, monitor, and protect sensitive information in your organization through deep content analysis. DLP is increasingly important for enterprise message systems because business-critical email includes sensitive data that needs to be protected. It’s the financial information, personally identifiable information (PII) and intellectual property data that can be accidentally sent to unauthorized users that keeps the CSO up all night. In order to protect sensitive data without affecting worker productivity, the new version of Microsoft Exchange Server 2013 integrates DLP features so you can manage sensitive data in email more easily than ever before.

You can be comfortable getting started with DLP in Exchange because Microsoft has included a simple management interface that allows you to:

Start with a pre-configured policy template that can help you detect specific types of sensitive information such as PCI-DSS data, Gramm-Leach-Bliley Act data, or even locale-specific personally identifiable information (PII).

Use the full power of existing transport rule predicates and actions and add new transport rules.

Test the effectiveness of your DLP policies before fully enforcing them.

Incorporate your own custom DLP policy templates and sensitive information types.

Detect sensitive information in message attachments, body text or subject lines and adjust the confidence level at which Exchange takes action.

Add Policy Tips, which can help reduce data loss by displaying a notice to your Outlook users and can also improve the effectiveness of your policies by allowing false-positive reporting.

Review incident data in message tracking logs or add reporting by using the new generate incident report action.

Using the Microsoft-supplied DLP policy templates is an easy way to get started. DLP policies are packages of transport rules with new features that you can customize.
These rules include classification types that define the type of content you are looking for in the DLP policy. You can use the Exchange Management Shell or the Exchange Administration Center (EAC), or even your own XML file editor, to start incorporating DLP policies into your messaging environment. The image here shows the data loss prevention management interface.

Figure 1: Managing Data loss prevention (DLP) using the EAC

A number of new transport rule conditions and actions have been created in Exchange Server 2013 in order to deliver the new DLP capability. One key feature of the new transport rules is a new approach to detecting sensitive information that can be incorporated into mail flow processing. This new DLP feature performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, internal functions such as checksum validation on credit card numbers, and other content examination to detect specific content types within the message body or attachments.

Policy Tips to inform your workers in real time

With the new DLP features, you can inform email senders that they may be about to pass along sensitive information that is detected by your policies, even before they click send. You can accomplish this by configuring Policy Tips. Policy Tips are similar to MailTips, and can be configured to present a brief note in the Microsoft Outlook 2013 client that provides information about your business policies to the person creating a message. You can configure Policy Tips that will merely warn workers or block their messages, or even allow them to override your block with a justification. Policy Tips can also be useful for tuning your DLP policy effectiveness, as they allow end users to seamlessly report false positives. Here’s a screenshot that shows the Policy Tip in action.
Figure 2: A Policy Tip informs email senders about sensitive information before they send the message

Begin by establishing policies that protect your sensitive data

Three different methods exist for you to begin using DLP:

Apply an out-of-the-box template supplied by Microsoft. The quickest way to start using DLP policies is to create and implement a new policy using a template. This saves you the effort of building a new set of rules from scratch.

Import a pre-built policy file from outside your organization. You can import policy templates that have already been created outside of your messaging environment by independent software vendors. In this way you can extend the DLP solution to suit your business requirements.

Create a custom policy without any pre-existing conditions. Your enterprise may have its own requirements for monitoring certain types of data known to exist within a messaging system. You can create a custom DLP policy entirely on your own in order to start checking and acting upon your own unique message data.

Sensitive Information Types in DLP Policies

When you create DLP policies, you can include rules that include checks for sensitive information. The conditions that you establish within a policy, such as how many times something has to be found before an action is taken or exactly what that action is, can be customized within your new custom policies in order to meet your business requirements. Sensitive information rules are integrated with the transport rules framework by introduction of a condition that you can customize: If the message contains…Sensitive Information. This condition can be configured with one or more sensitive information types that are contained within the messages. To make it easy for you to make use of the sensitive information-related rules, Microsoft has supplied policy templates that already include some of the sensitive information types.
An inventory of the sensitive information types supplied out of the box is provided on the TechNet Library. A brief sample can be seen here:

Information type                         Primary region   Category
ABA Routing Number                       United States    finance
Australia Bank Account Number            Australia        finance
Credit Card Number                       All              finance
EU Debit Card Number                     European Union   finance
France Social Security Number (INSEE)    France           PII
German Driver's License Number           Germany          PII
Japan Passport Number                    Japan            PII
SWIFT Code                               All              finance
U.K. National Health Service Number      United Kingdom   health

Data loss prevention in Exchange 2013 is one of several new features that are focused on helping to solve compliance issues in email. Check out In-Place eDiscovery, In-Place Archiving, Retention policies, and the new additions to transport rules, and information rights management too. We hope you become more productive and safe with the new DLP features that help you protect your organization’s sensitive data.

John Andrilla

In-Place eDiscovery and In-Place Hold in the New Exchange - Part I
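The DLP workflow the post describes (start from a template, test before enforcing, add a sensitive-information rule with a Policy Tip and an incident report, then enforce), carried out in the Exchange Management Shell. This is an added example, not the post’s own code; the policy and rule names and the incident report mailbox are constructed, the template name is the one to confirm against Get-DlpPolicyTemplate output in your environment, and the count threshold of 10 card numbers is an illustrative choice.

```powershell
# Added example for Exchange 2013 Management Shell (not from the original post).
# "Contoso Financial Data", the rule name and dlp-incidents@contoso.com are
# constructed placeholders; confirm the template name with Get-DlpPolicyTemplate.

# 1. See what ships in the box: policy templates and the sensitive information
#    types (classification rules) they reference, e.g. "Credit Card Number".
Get-DlpPolicyTemplate | Select-Object Name, Description
Get-DataClassification | Select-Object Name, Publisher

# 2. Create a policy from a template in test mode: rules are evaluated and
#    Policy Tips are shown, but nothing is blocked while you tune for false positives.
New-DlpPolicy -Name "Contoso Financial Data" `
    -Template "PCI Data Security Standard (PCI DSS)" `
    -Mode AuditAndNotify

# 3. Add a rule to the policy: a message leaving the organization with 10 or more
#    credit card numbers is rejected unless the sender overrides with a
#    justification, and an incident report goes to a compliance mailbox.
New-TransportRule -Name "Contoso Financial Data - bulk card numbers" `
    -DlpPolicy "Contoso Financial Data" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = "Credit Card Number"; MinCount = "10" } `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText "This message contains payment card data and cannot be sent externally without a business justification." `
    -SetAuditSeverity High `
    -GenerateIncidentReport "dlp-incidents@contoso.com" `
    -IncidentReportContent Sender,Recipients,Subject,Severity,Override,RuleDetections,FalsePositive,DataClassifications,IdMatch

# 4. Review the rules now attached to the policy, then move to enforcement once
#    false-positive reports from Policy Tips have been worked through.
Get-TransportRule | Where-Object { $_.DlpPolicy -eq "Contoso Financial Data" } |
    Select-Object Name, Mode, State
Set-DlpPolicy -Identity "Contoso Financial Data" -Mode Enforce
```

Keeping the override path (RejectUnlessExplicitOverride) rather than a hard reject is the usual trade-off: it preserves productivity, and the incident report’s Override and FalsePositive fields give you the audit trail to see who overrode what and why.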
When faced with eDiscovery requests, organizations need to be able to preserve email records, search relevant records and produce them for review. In Exchange Server 2010 and Office 365, Litigation Hold makes it possible to preserve mailbox items. When a user or a process attempts to delete an item permanently, it is removed from the user’s view to an inaccessible location in the mailbox. Additionally, when a user or a process modifies an item, a copy-on-write (COW) is performed and a copy of the original item is saved right before the changed version is committed, preserving the original content. The process is repeated for every change, preserving a copy of all subsequent versions.

Using Multi-Mailbox Search, also new in Exchange 2010, delegated legal, human resources or IT personnel (referred to as discovery managers because they need to be assigned Discovery Management permissions) can search mailbox content across their entire Exchange 2010 organization. Messages returned from a search can be copied to a Discovery mailbox, which is a special type of mailbox with higher mailbox quotas and no capability to send or receive messages.

What's New in In-Place eDiscovery & Hold in Exchange 2013

Since the release of Exchange 2010 and Office 365, we have received a lot of feedback from organizations of all sizes about the messaging policy & compliance features, including archiving, eDiscovery & hold. When planning the evolution of compliance features, we’ve kept your feedback front and center. Let’s take a look at what has changed.

A new name

In the new Exchange, Multi-Mailbox Search is known as In-Place eDiscovery.

A new search engine

In-Place eDiscovery still uses the search indexes generated by Exchange Search, but under the hood Exchange Search has been retooled to use Microsoft Search Foundation. The content indexing function was previously performed by Windows Search.
Microsoft Search Foundation is a rich search platform that comes with significantly improved indexing and querying performance and improved search functionality.

A new way to preserve

In the new Exchange, you can use In-Place Hold to place searched content on hold. In-Place Hold is integrated with In-Place eDiscovery, allowing you to simultaneously search and hold content using the same easy-to-use interface. Integrating hold with eDiscovery allows you to be very specific as to what you hold using a query. Reducing the volume of data you preserve lowers the cost of reviewing the data later.

A new UI

The new Exchange sports a brand new, unified web-based admin tool, the Exchange Administration Center (EAC). Discovery Managers use the new In-Place eDiscovery & Hold wizard to perform eDiscovery searches.

Keyword statistics

After you create an In-Place eDiscovery search, you can get detailed keyword statistics showing you the number of items matched for each keyword. You can use this information to determine if the query has returned the number of messages you estimated. Depending on whether a query is too broad or too narrow, the search may return too many or too few messages. Use this information to fine-tune your query.

eDiscovery Search Preview

After you’ve created an eDiscovery search, you can quickly preview search results. Messages returned from each source mailbox are displayed in search preview. Being able to quickly preview messages allows you to ensure your query returns the content you’re searching for and further fine-tune your query.

Integration with the New SharePoint

Exchange offers an integrated eDiscovery & Hold experience with the new SharePoint. Using the eDiscovery Center, you can search and hold in place all content related to a case – SharePoint web sites, documents, file shares indexed by SharePoint, mailbox content in Exchange and archived Lync content – from a single location.
You can export content associated with a case, including files, lists, web pages and Exchange mailbox content. Mailbox content is exported as a .PST file. An XML manifest that complies with the Electronic Discovery Reference Model (EDRM) specification provides an overview of the exported information. To search Exchange content, SharePoint uses Exchange’s Federated Search API. Regardless of whether you search Exchange content from the EAC or using SharePoint, the same search results are returned. The new SharePoint and Exchange both use the same underlying indexing and querying engine – Microsoft Search Foundation – which allows you to use the same search query for both SharePoint and Exchange content.

Performing an In-Place eDiscovery search

Let’s take a look at how one discovery manager performs an In-Place eDiscovery search. Robin works on the legal team at marketing firm Contoso. Contoso receives a request from a company called Tailspin Toys to assist with a marketing campaign for a new toy they are producing. Contoso is known for doing great toy marketing campaigns since they do a lot of work in the toy industry. This is great for business, but they also have to be careful because many of the toy companies with which they work are competitors. Contoso just finished a highly successful marketing campaign with another toy company called Wingtip Toys, and Robin wants to ensure that there's no confidential information that may accidentally get passed from one customer to another through her team. To that end, Robin wants to search through her company's email and documents with the help of her legal team to make sure there are no potential issues.

To use In-Place eDiscovery, a user must be delegated permissions through the Discovery Management role group. You can delegate the role to authorized legal, compliance management or human resources personnel. Robin is one of those legal team members.
This ability to have scoped roles in the new Exchange 2013 allows IT Pros to delegate compliance responsibilities to folks like Robin without giving them full access to all Exchange server functionality.

Robin starts by navigating to the Exchange Administration Center. The EAC’s Compliance Management tab is where you can manage compliance features in the new Exchange. Because Robin doesn’t have any other Exchange administrator roles, she only sees the interface relevant to the Discovery Management role group. On the compliance management tab, she can only see In-Place eDiscovery & Hold.

Figure 1: The In-Place eDiscovery and Hold tab is accessible to users with delegated Discovery Management permissions

She clicks on the Add button to start the new In-Place eDiscovery & Hold wizard and enters a name and an optional description for the search.

Figure 2: Create an In-Place eDiscovery search using the new In-Place eDiscovery & Hold wizard in EAC

Robin can search all mailboxes in the Exchange organization or select the mailboxes she wants to search.

Figure 3: Specify mailboxes to search, or search all mailboxes

On the Search query page, Robin can select the option to return all mailbox content or just specific content. Robin wants to find specific content related to work done between her team members and Wingtip Toys. She has the option to perform a simple search by just entering a few keywords, or a more complex search with Boolean operators like AND, OR, parentheses, etc., so she can be very specific as to what she is looking for. This can be a big time and cost saving for her, since multiple-gigabyte mailboxes are very common and she wants to reduce that set of content down to the minimum amount she needs to look at to find what she wants.
Figure 4: Specify a search query, including keywords, start and end dates, sender and recipients

In addition to using Boolean logic, she’s also using the proximity operator (NEAR), which allows her to find words that are close to each other. You can also see her using a wildcard character, so in this case she is looking for the word wingtip within three words of toy, toys, toymaker or anything similar. In this particular case, Robin wants to look for these keywords anywhere in a given email, but if she wants to be more specific, for example to search for a phrase only in the message subject, she could type in Subject: and then her phrase right after it. Depending on how specific she wants to be, she can create complex queries. You can use several hundred keywords in a query.

She can also choose specific types of messages. An Exchange mailbox has email but also calendar items, tasks, notes and other items related to personal information management. The new Exchange allows her to search all of those items, or she can narrow the query down to specific types of items. She selects email and also meetings so she can track which of her employees met with Wingtip and read the meeting invites to find out what was discussed.

Figure 5: Select all message types or specify the message types to search

Once Robin has created her query to define what content is important to her, she has a few options in terms of what to do with the results. If she feels it's important to protect this content, she has the option to place it on hold. When content is placed on hold, Exchange automatically captures any attempts to edit or delete data and stores those items in a hidden folder in the mailbox. It's completely invisible to the end users, so it doesn't interrupt their daily workflow, but it does keep that important data for recovery later.

Figure 6: Placing search results on an In-Place Hold

We will talk more about In-Place Hold in Part II of this post. Robin clicks Finish.
The search is running against Exchange 2013 mailboxes and placing items on hold. When the search is complete, Robin takes a look at the total size and item count to see if it’s manageable. If there are a million items, her query is likely too broad; if there are no items, it may be too narrow. If she wants to dig into the details, she can view the search statistics to see exactly how each keyword contributed to the overall result set. That lets her be really targeted about the way she's tweaking her queries, so she can quickly get a result set down to a manageable size.

Figure 7: Use search estimate and keyword statistics to fine-tune search queries

Once she is done tweaking her query, she can stop the search and discuss with her team or legal counsel whether the query is correct. She can also create additional eDiscovery searches and use different query parameters. She can also choose to preview messages returned in the search.

Figure 8: eDiscovery Search Preview to preview messages and determine query effectiveness

The eDiscovery Search Preview displays message count and total size for each mailbox searched. The preview functionality is built on Outlook Web App, which shows the message in its native format without any changes.

Figure 9: eDiscovery Search Preview displays live message preview without copying messages to a Discovery mailbox

Robin can quickly scroll through all of her results to view additional items that came back with her search. Since she is using the full-fidelity Outlook Web App preview, she can also view attachments. Once Robin has previewed her results and she's happy with them, she can make a copy of them for later review, or export them to hand off to her outside legal counsel. To do that, she simply clicks on the Copy search results link.
Figure 10: Copying messages returned by the search to a Discovery mailbox

When copying messages to a discovery mailbox, she has the following options:

Include unsearchable items. She can choose whether she wants to include "unsearchable" items: items that our indexing system may not be able to handle, such as a corrupted item, a password-protected zip attachment, or an item encrypted with something other than Information Rights Management. This check box gives her the option to include those too, in case she wants to review them manually just to make sure she's doing her due diligence and not missing anything.

Enable de-duplication. She also has the option to enable de-duplication. As you know, it's very common to send email to multiple people at once. De-duplication allows her to reduce that down to only one copy so there are fewer messages to review.

Enable full logging. She can also keep a full log of search results if she wants, which includes a complete list of every item she found. This is especially useful with de-duplication, since with de-duplication you only keep one copy of a message that multiple people may have. Later on, she may need to know that one person had it in his inbox and it was flagged as important, but another person moved it into his deleted items folder and never read it. All that information is in that log.

Email notification. She can also choose to have an email sent to her when the copy process completes. If search results return 20-30 GB of data, it can take a while to copy them to a discovery mailbox.

The last thing Robin will pick is the Discovery mailbox into which she wants to put her search results. After copying is completed, Robin can see that the copy operation is complete and she has a link to the mailbox where the results are stored. Robin can now navigate to the copy of her search results to view them.
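The same walkthrough, from the estimate and keyword statistics through the copy options above, performed from the Exchange Management Shell rather than the wizard. This is an added example, not code from the original post; the search names, the distribution group and Robin’s address are constructed placeholders, and the -IncludeKeywordStatistics switch with the KeywordHits property it populates are what I use for the statistics step, to be confirmed against your build.

```powershell
# Added example for Exchange 2013 Management Shell (not from the original post).
# "Marketing-Team-DG", robin@contoso.com and the search names are constructed.

# 1. Estimate first: the query Robin used (wingtip within three words of toy*),
#    restricted to email and meetings, with per-keyword hit counts collected.
#    -EstimateOnly returns counts and sizes without copying anything.
New-MailboxSearch -Name "Wingtip Review - Estimate" `
    -SourceMailboxes "Marketing-Team-DG" `
    -SearchQuery 'wingtip NEAR(3) toy*' `
    -MessageTypes Email,Meetings `
    -EstimateOnly -IncludeKeywordStatistics
Start-MailboxSearch -Identity "Wingtip Review - Estimate"

# 2. Check the result: a huge count means the query is too broad, zero means
#    too narrow. KeywordHits (assumed property name) shows each keyword's share.
Get-MailboxSearch -Identity "Wingtip Review - Estimate" |
    Format-List Status, ResultNumberEstimate, ResultSizeEstimate, KeywordHits

# 3. Once the query is settled, copy the results to the Discovery mailbox with
#    the same four options the wizard offers: unsearchable items, de-duplication,
#    full logging, and completion email.
$Discovery = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox |
    Select-Object -First 1
New-MailboxSearch -Name "Wingtip Review - Copy" `
    -SourceMailboxes "Marketing-Team-DG" `
    -SearchQuery 'wingtip NEAR(3) toy*' `
    -MessageTypes Email,Meetings `
    -TargetMailbox $Discovery.Identity `
    -IncludeUnsearchableItems `
    -ExcludeDuplicateMessages `
    -LogLevel Full `
    -StatusMailRecipients "robin@contoso.com"
Start-MailboxSearch -Identity "Wingtip Review - Copy"

# 4. Copy progress and the final item count and size landed in the target.
Get-MailboxSearch -Identity "Wingtip Review - Copy" |
    Format-List Status, PercentComplete, ResultNumber, ResultSize, TargetMailbox
```

Running the estimate as a separate search rather than converting it keeps the statistics object around for the record of how the query was narrowed, which is useful when counsel later asks why the result set looks the way it does.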
In this view, she does have the ability to perform a review on her items: she can tag items that are important, or, if she decides some are not important, she can move them to the deleted items folder so that they are no longer in her view. Once that's done, if Robin needs to share the consolidated results with outside counsel, she can use her Outlook client to export the consolidated results list to a PST file.

We’ve provided you with an overview of the In-Place eDiscovery & In-Place Hold functionality in the new Exchange. In Part II of this post, which is scheduled to be published shortly, we will dig deeper into In-Place Hold.

Bharat Suneja and Julian Zbogar-Smith

Go to In-Place eDiscovery and In-Place Hold in the New Exchange – Part II