Office 365 retention policies give us the ability to recover data in the event of data loss. Given the difficulty of managing high data volumes, ensuring data retention is critical for organizations, and without a robust backup solution companies expose themselves to a multitude of risks. Traditionally, when organizations needed to preserve e-mail or documents, they moved copies of the data to an external archive system. This was acceptable because products did not have their own archiving capabilities like they have today in Office 365 (e.g. SharePoint). With this capability we don't need to copy emails and other items to other systems: the cost of third-party software is avoided, and by not moving content out of its native storage we increase security by removing the opportunity for content to be compromised in transit or in a second system.

Retention Policy Licensing?

It is very hard to find clear information about licensing, and you will notice that Microsoft doesn't enforce licensing requirements, so some functionality will work even though you might not be properly licensed for it. In general, all the compliance features have traditionally required E3 or the equivalent Exchange Online / SharePoint Online Plan 2, and I don't believe this has changed. If you have E3 or above you are good to go, but for an official answer you should open a support case.

You will also notice that in some cases it is enough to have only one license in the tenant for a feature to work, even where the requirement is to license all users. As I said, these features (retention policies, holds etc.) need E3/above or the equivalent Exchange Online / SharePoint Online Plan 2.

RETENTION POLICY

There are 2 types of retention policies:

  • LABEL POLICIES –> These policies are used to publish retention labels which users can use to control what happens to content marked with the labels (item-level targeting). Usually you use labels to mark items that you want to keep or remove. If you are used to Exchange retention tags, labels work in the same way. (WE WILL COVER LABELS IN ANOTHER POST)
  • RETENTION POLICIES –> apply settings to all items in a specific location, e.g. Exchange, SharePoint, Teams etc. We can use these policies to preserve or remove items for the whole company or for a specific group.

THINGS TO KEEP IN MIND REGARDING RETENTION

There are 4 rules that govern retention policies. We need these rules to resolve conflicts where several policies cover the same location, for example 2 policies applied to the same mailbox or SharePoint site. The following order applies:

  • Retention wins over deletion –> Suppose that one retention policy says to delete Exchange email after three years, but another retention policy says to retain Exchange email for five years and then delete it. Any content that reaches three years old will be deleted and hidden from the users’ view, but still retained in the Recoverable Items folder until the content reaches five years old, when it will be permanently deleted. Both policies seem to be respected because users do not realize that the messages are still available, but the longer retention period ensures that the messages stay indexed and discoverable for the full 5 years.
  • The longest retention period wins –> If content’s subject to multiple policies that retain content, it will be retained until the end of the longest retention period. This principle ensures that content is kept for as long as it might be needed.
  • Explicit wins over implicit –> Explicit means that someone has marked specific content for special retention. If you place a label on an item, that label takes precedence over a policy that applies catch-all retention to a complete mailbox or site. Likewise, if a retention policy includes a specific location, such as a specific user's mailbox, that policy takes precedence over another retention policy that applies to all users' mailboxes but doesn't specifically include that user's mailbox.
  • Shortest deletion wins –> if content’s subject to multiple policies that delete content (with no retention), it will be deleted at the end of the shortest retention period.

Keep in mind that holds always take precedence over deletion.

Retention Policy Locations

Location that can be covered by retention policy are:

  1. Exchange (mailboxes and public folders)
  2. SharePoint Online (including files owned by Yammer, Teams, and Office 365 Groups)
  3. OneDrive for Business
  4. Skype for Business
  5. Teams (compliance records created in group or personal mailboxes)
  6. Office 365 Groups (conversations in the group mailbox)

Retention Policy Scope

There are 2 scopes:

Organization Wide coverage –> This means that you can apply same settings to all supported locations in Office 365 in one shot. Keep in mind that this is very powerful and (if you don’t plan this carefully) very dangerous because you can easily create a policy that will keep all content for example 1 year and then remove the content afterwards. With this setting you will remove everything from the tenant that is older than 1 year and that is not covered by another policy. We can create up to 10 organization-wide policies.

Non-Organization wide coverage –> This means that you can create a policy that covers specific locations. For example, we can create a policy that only covers Exchange. We can create up to 1000 non-organization-wide policies.

CREATE RETENTION POLICY

In the Office 365 Admin Center click on Security and Compliance


Under Information Governance click on Retention


Labels will be covered in another post. Click on Create


First thing we need to do is to give our policy a name and description.


Now we come to the part where we need to decide whether the policy will keep or remove content. We can keep content forever or we can specify how long we would like to keep it (e.g. 5 years). If you want to remove content after 5 years, you also need to specify how Office 365 calculates the age of an item: from when it was created or from when it was last modified.

Advanced Option –> gives us the ability to retain only content that contains specific words or sensitive information types.


The next step is to choose the locations. Here we can apply the settings to all supported locations (org-wide) in one shot (first option), or we can select specific locations (non-org-wide). With a non-org-wide policy we can select specific or all mailboxes, sites etc., and we can exclude some of them as well. Do not include public folders in the policy if you don't use them; it will result in a warning with the message Recipient not found. I will create a policy that covers SharePoint.


The last page is just a review. If all looks to be in order, click Create this policy to instruct Office 365 to begin the publication process to the locations covered by the policy. It can take some time before a retention policy becomes fully effective across all locations.


You can check the status by clicking on the policy. A status of Pending means that Office 365 is still enabling the policy in the target locations.

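The same policy can be created without the UI from the Security & Compliance Center PowerShell, which is also the easiest way to wait for the Pending state to clear. The script below is an added example, not from the original post; it assumes the ExchangeOnlineManagement module (Connect-IPPSSession) and uses placeholder names for the admin account and the policy.

```powershell
# Added example (not from the original post): create a non-org-wide SharePoint
# retention policy from PowerShell and wait for it to be distributed.
# Assumes the ExchangeOnlineManagement module; the UPN and names are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'Sharepoint Retention Policy'

# 1. The policy only defines the locations: all SharePoint sites, nothing else,
#    so this is a non-organization-wide policy.
New-RetentionCompliancePolicy -Name $policyName `
    -Comment 'Keep SharePoint content for 5 years, then delete' `
    -SharePointLocation All `
    -Enabled $true

# 2. The rule defines what happens to content in those locations:
#    keep for 5 years (1825 days) counted from the creation date, then delete.
#    For "keep forever" use -RetentionComplianceAction Keep -RetentionDuration Unlimited.
New-RetentionComplianceRule -Name "$policyName - rule" `
    -Policy $policyName `
    -RetentionComplianceAction KeepAndDelete `
    -RetentionDuration 1825 `
    -RetentionDurationDisplayHint Years `
    -ExpirationDateOption CreationAgeInDays

# 3. Distribution to the locations is asynchronous; poll instead of assuming the
#    policy is already in force. 'Pending' is normal right after creation.
do {
    $p = Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail
    Write-Host ("{0}  DistributionStatus = {1}" -f (Get-Date -Format T), $p.DistributionStatus)
    if ($p.DistributionStatus -eq 'Pending') { Start-Sleep -Seconds 60 }
} while ($p.DistributionStatus -eq 'Pending')

# 4. Any location that did not accept the policy is listed here (if any).
$p.DistributionResults | Where-Object { $_.Status -ne 'Success' }
```

Keeping the policy (locations) and the rule (action and duration) as two objects mirrors how the UI wizard stores what you entered, and it is the rule object you will later inspect to confirm what a policy really does.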

PRESERVATION LOCK

Preservation lock is a feature that allows organizations to block removal of a retention policy. Once activated, no one will be able to remove the policy: an administrator cannot disable it, remove locations from it, or shorten its retention period. You can still add locations to a locked policy and extend its retention period, so a lock can be widened but never narrowed. It will stay in force and active for all locations under the scope of the policy until the retention period expires. Keep in mind that not even Microsoft can deactivate it once enabled, so think twice before you lock it. In most cases you will not need to lock the policy. The only way to activate it is through PowerShell. Example:

Set-RetentionCompliancePolicy -Identity "Sharepoint Retention Policy" -RestrictiveRetention $true

When you run the command you will receive a warning that the policy cannot be turned off or removed once locked, and you will be asked to confirm.


We can verify by running Get-RetentionCompliancePolicy and checking that RestrictiveRetention is now True (Note: this is only a test tenant).


Because I created a policy that keeps all content in SharePoint, if I try to remove a site I will run into an error.

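Because the lock is one-way, it is worth scripting a few checks before you run the Set-RetentionCompliancePolicy command. The following pre-flight script is an added example (not the post's own) and assumes an existing Security & Compliance PowerShell session and the same placeholder policy name as above.

```powershell
# Added example (not from the original post): refuse to lock a policy that is
# not in the state you expect, show exactly what is about to become permanent,
# then lock it. Assumes Connect-IPPSSession has already been run.
$policyName = 'Sharepoint Retention Policy'

$p     = Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail
$rules = Get-RetentionComplianceRule   -Policy   $policyName

# 1. Sanity checks: a disabled, still-distributing or already-locked policy is
#    never something you want to lock "as is".
if (-not $p.Enabled)                     { throw "'$policyName' is disabled; enable it first." }
if ($p.DistributionStatus -ne 'Success') { throw "Distribution is '$($p.DistributionStatus)'; wait for Success." }
if ($p.RestrictiveRetention)             { Write-Warning "'$policyName' is already locked."; return }

# 2. Print the locations and the rule settings. After locking, locations can
#    only be added and the duration only extended, so review these carefully.
$p     | Format-List Name, SharePointLocation, SharePointLocationException,
                     ExchangeLocation, OneDriveLocation, TeamsChannelLocation, TeamsChatLocation
$rules | Format-List Name, RetentionComplianceAction, RetentionDuration, ExpirationDateOption

# 3. Dry run first (-WhatIf changes nothing), then the real call with an
#    explicit confirmation prompt so it cannot be fired silently from a script.
Set-RetentionCompliancePolicy -Identity $policyName -RestrictiveRetention $true -WhatIf
Set-RetentionCompliancePolicy -Identity $policyName -RestrictiveRetention $true -Confirm:$true

# 4. Verify the lock took effect.
(Get-RetentionCompliancePolicy -Identity $policyName).RestrictiveRetention
```

Run the script as a whole; it stops at the first failed check, so a policy that is still Pending is never locked before you have seen it distributed to every location.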

SHAREPOINT PRESERVATION HOLD

When you include a location such as a site or mailbox in a retention policy, the content remains in its original location. People can continue to work with their documents or mail as if nothing’s changed. But if they edit or delete content that’s included in the policy, a copy of the content as it existed when you applied the policy is retained.

For SharePoint site collections, a copy of the original content is retained in the Preservation Hold library when users edit or delete it; for email and public folders, the copy is retained in the Recoverable Items folder. These secure locations and the retained content are not visible to most people, so with a retention policy people do not even need to know that their content is subject to the policy. The Preservation Hold library is created when the first document in the site is edited or deleted, and can be accessed from Site Contents. I created a new site, and if I click on Settings –> Site Contents there is no Preservation Hold library yet.



If I go and delete one document from the library, that special library will be created.



If you click on it, the document will be there. When the retention period elapses for items the background job removes items from preservation hold as well. Removed items go into the recycle bin from where they are permanently removed after the normal 93-day recycle lifetime expires.

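To see what a policy has captured in a site without clicking through Site Contents, the Preservation Hold library can be read with PnP PowerShell. This is an added example, not part of the original post; it assumes the PnP.PowerShell module and uses a placeholder site URL.

```powershell
# Added example (not from the original post): inventory the copies a retention
# policy has captured in a site's Preservation Hold library.
# Assumes the PnP.PowerShell module; the site URL is a placeholder.
Connect-PnPOnline -Url 'https://contoso.sharepoint.com/sites/TestHolding' -Interactive

# The library only exists once a covered item has been edited or deleted,
# so its absence is a valid state, not an error.
$lib = Get-PnPList -Identity 'Preservation Hold Library' -ErrorAction SilentlyContinue
if (-not $lib) {
    Write-Host 'No Preservation Hold library yet: nothing covered by the policy has been edited or deleted.'
    return
}
Write-Host "Preservation Hold library contains $($lib.ItemCount) item(s)"

# Each entry is the copy taken at edit/delete time. Users do not see this
# library; a site admin (or this script) can list what is being retained.
Get-PnPListItem -List $lib -PageSize 500 |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_['FileLeafRef']
            Modified   = $_['Modified']
            ModifiedBy = $_['Editor'].LookupValue
        }
    } |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

Running this across a list of site URLs is a quick way to spot sites where retained copies are piling up, which is also where storage quota questions tend to surface first.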

 

Exchange and Retention Policies

For a user’s mail, calendar, and other items, a retention policy is applied at the level of a mailbox. For a public folder, a retention policy is applied at the folder level, not the mailbox level. Both a mailbox and a public folder use the Recoverable Items folder to retain items. By default, if you delete a message in a folder other than the Deleted Items folder, the message is moved to the Deleted Items folder and if you delete an item in the Deleted Items folder, the message is moved to the Recoverable Items folder.

Once the content has reached the end of the retention period, a cleanup job will run. That job can take anywhere from 14 to 30 days before Office 365 deletes the content permanently; how long it takes depends on the settings you've chosen.

Teams and Retention Policies

You can use a retention policy to retain chats and channel messages in Teams. Teams chats are stored in a hidden folder in the mailbox of each user included in the chat, and Teams channel messages are stored in a similar hidden folder in the group mailbox for the team. When you want to protect Teams you will need to create a separate policy for it: a retention policy that includes Teams can include only Teams and no other locations. Another limitation is that Teams is not included in organization-wide policies.

IDENTIFY WHICH HOLD IS APPLIED TO MAILBOX

There are 4 different holds that can be used to retain or to prevent content deletion. Those are:

  • Litigation Hold
  • In-Place Hold
  • eDiscovery Hold
  • Office 365 Retention Policy

You can check which holds are applied by running Get-Mailbox (for holds on a mailbox) or Get-OrganizationConfig (for organization-wide retention policies). In both cases the InPlaceHolds property lists the hold identifiers; litigation hold has its own property.

  • Litigation Hold –> You can get the status by running Get-Mailbox and looking at LitigationHoldEnabled; the value will be True or False.


  • In-Place Hold –> If there is an In-Place Hold applied to the mailbox it can be retrieved by running Get-Mailbox; InPlaceHolds will contain the GUID of the In-Place Hold that's placed on the mailbox. You can tell this is an In-Place Hold because the GUID either doesn't start with a prefix or it starts with the cld prefix. Example: cld9c0a984ca74b457fbe4504bf7d3e00de
  • eDiscovery Hold –> You can recognise it because the GUID starts with the UniH prefix (UniH means Unified Hold).
  • Office 365 Retention Policy –> It will also be a GUID, and it will start with the mbx prefix.


The :2 at the end of the GUID means that the retention policy is configured to hold items. The policy doesn't delete items after the retention period expires.

Once we know the GUID we can identify the Office 365 retention policy (organization-wide or specific location) that's applied to the mailbox by passing it to Get-RetentionCompliancePolicy. Make sure that you copy the GUID without the mbx prefix and without the :2 suffix.


Other suffix values are:

GUID:1 –> Indicates that the retention policy is configured to delete items. The policy doesn't retain items.

GUID:3 –> Indicates that the retention policy is configured to hold items and then delete them after the retention period expires.
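Reading InPlaceHolds by eye gets tedious once a mailbox sits under several holds, so here is an added example (not from the original post) that decodes the values according to the prefix and suffix conventions above and, optionally, resolves retention-policy GUIDs to policy names. The sample identifiers are constructed for this example and are not real tenant values; the live-tenant part assumes Connect-ExchangeOnline and Connect-IPPSSession sessions.

```powershell
# Added example (not from the original post): classify InPlaceHolds values.
#   UniH<guid>      -> eDiscovery (Unified) hold
#   mbx<guid>:<n>   -> Office 365 retention policy on a mailbox
#   grp<guid>:<n>   -> Office 365 retention policy on a group mailbox
#   cld<guid>/<guid> -> In-Place Hold
# where <n> is 1 = delete only, 2 = hold only, 3 = hold then delete.
function Resolve-HoldIdentifier {
    param([Parameter(ValueFromPipeline)][string]$Hold)
    process {
        $r = [ordered]@{ Raw = $Hold; Type = $null; Guid = $null; RetentionAction = $null }
        switch -Regex ($Hold) {
            '^UniH(?<g>[0-9a-f]{32})$' {
                $r.Type = 'eDiscovery hold (Unified Hold)'; $r.Guid = $Matches.g; break
            }
            '^(?<p>mbx|grp)(?<g>[0-9a-f]{32}):(?<a>[123])$' {
                $r.Type = if ($Matches.p -eq 'mbx') { 'Retention policy (mailbox)' } else { 'Retention policy (group mailbox)' }
                $r.Guid = $Matches.g   # this is what Get-RetentionCompliancePolicy -Identity expects
                $r.RetentionAction = @{ '1' = 'Delete only'; '2' = 'Hold only'; '3' = 'Hold, then delete' }[$Matches.a]
                break
            }
            '^(cld)?(?<g>[0-9a-f]{32})$' {
                $r.Type = 'In-Place Hold'; $r.Guid = $Matches.g; break
            }
            default { $r.Type = 'Unknown format' }
        }
        [pscustomobject]$r
    }
}

# Constructed sample values, one of each kind (not taken from a real tenant).
$sample = @(
    'cld9c0a984ca74b457fbe4504bf7d3e00de',
    'UniH3d7d8e5f2c1b4a6e9f0d1c2b3a4f5e6d',
    'mbxcdbbb86ce60342489bff371876e7f224:2',
    'grp5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d:3',
    'not-a-hold-id'
)
$sample | Resolve-HoldIdentifier | Format-Table -AutoSize

# Against a live tenant: combine mailbox-level and org-wide holds, then map the
# retention-policy GUIDs back to policy names. Requires Connect-ExchangeOnline
# (Get-Mailbox, Get-OrganizationConfig) and Connect-IPPSSession (Get-RetentionCompliancePolicy).
# $mbx = Get-Mailbox -Identity user@contoso.com
# $org = Get-OrganizationConfig
# "Litigation hold enabled: $($mbx.LitigationHoldEnabled)"
# $holds = @($mbx.InPlaceHolds) + @($org.InPlaceHolds) | Resolve-HoldIdentifier
# $holds | Where-Object Type -like 'Retention policy*' | ForEach-Object {
#     $pol = Get-RetentionCompliancePolicy -Identity $_.Guid
#     [pscustomobject]@{ Policy = $pol.Name; Action = $_.RetentionAction; Locked = $pol.RestrictiveRetention }
# }
```

Checking Get-OrganizationConfig as well as Get-Mailbox matters: an organization-wide retention policy does not appear in the mailbox's own InPlaceHolds, so looking at the mailbox alone can make you believe nothing is holding its content.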

That’s it. I hope you enjoyed and learned something new.

Stay Tuned!

Cheers,

Nedim