How to retain Exchange Online content – An overview of the different compliance options in Microsoft 365

Recently Nils and Kristian, my colleagues who help our Enterprise Customers Operation Teams when there are serious Exchange problems, told me about a case where the mailbox of a user reached the 100GB limit of his Exchange Online Mailbox. The user tried to delete stuff, but that was also not possible…

To keep your attention I will skip a big part of my initial introduction, which explains how this situation led us to write this article. (If you read the headline and think about the error, you might have an idea of what happened. If you’re interested in it, you can check the appendix.)

In general, when we talk with our customers about retention, the requirements that the customer brings in are often broad and not only about audit-proof/legal archiving. For example, they want to retain items to allow long-term recovery (backup & recovery requirements), or they want to relieve primary storage. It is important that the customer clearly defines which legal requirements they have and which functional additions they want to address on top. Then you sort the requirements into categories (e.g. archiving, backup & restore, user self-service improvement) to be able to handle them accordingly. Maybe you can solve all the different requirements with one approach, but it’s important to have the requirements clear to be able to change the scope of the solution in the future.

But this article is not so much about defining the requirements; it was written to help admins and other IT staff understand the different possibilities to fulfill the collected requirements.

Below we explain the different technologies that our customers have used to fulfill Exchange legal archiving requirements. You will see that some of them are not built for it, but nevertheless, I’ve listed them because they were often included in the game somehow.


Exchange MRM

Exchange Message Records Management distributes tags to mailboxes, which can be used in an automated or interactive way to delete tagged items after a specific time period. Alternatively, message tags can also result in moving the tagged items to the user’s archive mailbox.

The default Junk-Mail rule which deletes all mails older than 30 days from the junk mail folder is based on MRM technology
Personal help to automatically delete informational emails like Message Center notifications

MRM is a well-known and mature method to organize mailboxes. This technology is only feasible for Exchange mailbox items.

Exchange MRM
Targetable items: E-Mails only (IPM.Note*), User & Shared Mailbox (limited functionality)
Available Actions: Delete Messages after X Days; Permanently delete Messages after X Days; Move Messages to Archive Mailbox after X Days
User Interaction: Users can use provisioned Personal Tags to apply or modify a delayed action (move to archive mailbox, delete) to E-Mails.
System Processing: Admins can deploy a default Policy Tag to apply a delayed action (delete) to all items that were not explicitly tagged. Admins can deploy one Retention Policy Tag to specific default Mailbox Folders to apply a delayed action (delete) to all items in the folders.
Use cases: Help users to clean up their primary user mailbox
License requirements in M365: MRM can be used with an „Exchange Online Plan 1“
Docs Link: Messaging records management in Exchange Online | Microsoft Learn

MRM is not really helpful if you try to achieve legal retention requirements; it’s more about organizing and cleaning up mailboxes.


Exchange Litigation Hold

This mailbox setting enforces the preservation of all mailbox items for an unlimited or a specific time range. The items are preserved in the original mailbox.

Customers often use this method as an easy but not well-thought-out approach to solve GoBD requirements. For example, you will get in trouble if you’re using this approach and there is also PII data (think about GDPR) in the targeted mailboxes.

Exchange Litigation Hold
Targetable items: All items in the Mailbox configured for Legal Hold are affected
Available Actions: Retain unlimited; Retain for a specific Time Period
User Interaction: No interaction. A user handles the mail as before. A special system folder „Purges“ keeps items that were deleted by the user. Only Admins are able to find and restore the items from that folder to *
System Processing: Admins can enable and disable litigation hold per Mailbox. The litigation hold can be set to only preserve items for a specific time range.
Use cases: Ad-Hoc preservation requirements for specific mailboxes. Temporary admin tool to avoid accidental deletion while doing some crazy stuff in production.
License requirements in M365: Litigation Hold can be used with an „Exchange Online Plan 2“
Docs Link: Create a Litigation hold – Microsoft Purview (compliance) | Microsoft Learn

Journaling

Every incoming and outgoing mail will be ‚copied‘ into a journal mailbox.
This journal mailbox is not allowed to be stored in Exchange Online.

Journal archives are often combined with third-party archiving solutions that can be used to retain the data as needed.
Another often used approach is to create one journal mailbox per year/month and use those mailboxes to retain.

The journaling repository needs to be outside of M365. This Method only extracts data from Exchange Online to anywhere.

Journaling
Targetable items: Mails (* / internal / external) sent from or to a specific user (max 300 rules); Mails (* / internal / external) sent from or to *
Available Actions: journal
User Interaction: No interaction with the journaled items is possible for the end user
System Processing: If the journal Mailbox is hosted on an Exchange OnPrem Server, Admins can use e.g. search-mailbox to find and extract content. A third-party app or process could fetch items from the journal mailbox to extract and retain the journal mailbox content.
Use cases: Functional archiving of all outgoing and incoming mails.
License requirements in M365: Journaling can be used with an „Exchange Online Plan 1“
Docs Link: Journaling in Exchange Online | Microsoft Learn

At that „anywhere“ location you then have to take care of classification, retention and deletion.


In-Place Hold

An administrative action enforces the preservation of items that fit a search query. The items are retained for a specific time or until the time-based hold is over.

Customers use this method for legal case handling. Something has happened and all related communication should be preserved until the case is closed.

This Exchange-only content hold method is deprecated. Soon you will use an M365 eDiscovery (Standard) case to get this done. The functionality for Exchange content is the same.

In-Place Hold (Part of eDiscovery Hold)
Targetable items: Items that match a search query are targeted. The query can be scoped to one or more mailboxes
Available Actions: Retain unlimited; Retain for a specific Time Period
User Interaction: No interaction. A user handles emails as before. A special system folder „Purges“ keeps items that were deleted by the user. Only Admins are able to find and restore the items.
System Processing: Admins define a query for the search and scope it to specific or all user mailboxes.
Use cases: Search existing content that is related to a legal case and preserve it until the case is closed.
License requirements in M365: In-Place Holds can be used with an „Exchange Online Plan 2“
Docs Link: In-Place Hold and Litigation Hold in Exchange Online | Microsoft Learn

M365 Retention Policies

M365 Retention Policies allow retention and deletion in various containers. One targetable container is an Exchange Online mailbox. Retention policies applied to a container can result in different retention settings for different information types inside the container.

Our customers use this as a replacement for the MRM Method which can not enforce retention.
A basic retention and deletion Feature with a small policy set to fulfill basic legal requirements.
Only retain specific Mails, identified by a keyword for a specific period.
Delete PII in specific mailboxes after a period of time.

Retention Policies can be used for Exchange, Teams, SharePoint & OneDrive containers.

M365 Retention Policies
Targetable items: All or specific items in Mailboxes
Available Actions: Retain items for a specific time period. Retain and delete items after the retention time is over. Delete items after a specific time period without enforcing retention.
User Interaction: No interaction. A user handles the emails as before. A special system folder „Purges“ keeps items that were deleted by the user but should be retained by definition. Only Admins are able to find and restore the items.
System Processing: Admins can build very specific targeting rules for the content in the containers to e.g. retain some items longer than others by using keywords / metadata.
Use cases: Retain and delete items in their original location according to regulatory/organizational requirements
License requirements in M365: Retaining Exchange only Content with Policies starts with Exchange Plan 2. If you also want to handle e.g. Teams then you have to use an O365 E1 and higher. When you’re using more specific automated policy assignments you will end up in an E5 plan.
Docs Link: Learn about retention policies & labels to retain or delete – Microsoft Purview (compliance) | Microsoft Learn

M365 Retention Labels

M365 Retention Labels, combined with Label Policies, allow you to retain and delete content based on labels that were assigned manually or automatically to single items within a mailbox.
A big difference to retention policies is the possibility for user interaction. Another is the fact that the labels travel with the labeled item. This point is valuable if you want to retain e.g. SharePoint content. In Exchange, this advantage is not really feasible because forwarded or answered emails are new items that have to be labeled again.

We’ve seen/implemented this method for customers that want to enable users to choose and enforce different retention/deletion times to their content.

M365 Retention Labels
Targetable items: All or specific items in a Mailbox.
Available Actions: Retain items for a specific time period. Retain and delete items after the retention time is over. Delete items after a specific time period without enforcing retention. Trigger a disposition review.
User Interaction: Admins can publish labels to let users assign them themselves. Users can use Outlook to assign labels.
System Processing: Admins can publish labels to let users assign them themselves. Admins can assign labels based on Keywords, sensitive information types, and trainable classifiers.
Use cases: Retain and delete items in their original location according to legal/organizational requirements
License requirements in M365: You can start using Retention labels and labels using an Office 365 E1 license. You will end up here with an E5 license fast when you start with automated or event based assignments.
Docs Link: Learn about retention policies & labels to retain or delete – Microsoft Purview (compliance) | Microsoft Learn

If a company and its users have already practiced using labels (e.g. they already use sensitivity labels to protect documents), it should not be so hard to implement this approach. If not, implementing this method can result in a project that should not be underestimated.

Retention Labels can be used for Exchange Online, Office 365 Groups, SharePoint & OneDrive. If you use them for all these services and the included data they can be really powerful.


Non-listed Exchange features

As you see, there are a lot of possibilities that can help you to fulfill Exchange retention requirements. Maybe you miss the options In-Place Archive and the Outlook Archiving Feature. I don’t list these options because from my point of view they do not fulfill any retention requirement. The In-Place Archive is just a secondary mailbox that users can use to handle huge masses of emails (1.5TB). The Outlook Archiving Feature is also just a method for users to organize the mailbox by providing them a folder named archive and a button that moves emails to this folder. Both options could be combined with MRM, but they are not solutions that I would seriously list here.

Third-Party Software

Of course, there are a lot of third-party tools available out there to fulfill Exchange requirements. There might be reasons why you should also consider them. Reasons for that could be that you need strictly separated management, integrated Line of Business Apps, and a specific repository (location). Also, the combination of journaling and third-party archiving software is often used.

But in general, I see big advantages in using the built-in retention features, especially M365 Retention Policies and Labels. The biggest advantage – in my eyes – is that the data never leaves its boundaries, which is great from a data protection perspective. Another reason is cost. Often we see that customers are using M365 E3 licenses without using all the features that are available within. With the E3 you already have a lot of the features listed above licensed. Mostly it’s less expensive to use the Microsoft licenses to retain data, instead of buying additional third-party licenses. Other cost considerations of third-party systems are the operation costs. You need additional storage, application servers (or services), and trained admins and users to operate them.


Summary

Exchange MRM and Exchange Litigation Hold are valuable and well-known tools that Exchange admins have used for a decade. Unfortunately, they are often misused and do not really help if you need to fulfill legal archiving requirements.

Journaling and In-Place Hold (or eDiscovery Hold) could be parts of a serious archiving approach. The Journaling approach is also often not thought through to the end. It’s hard to build up a system with this option that supports different retention times, handles exceptions, and fulfills auditors‘ requirements. Mostly you have to use a third-party archiving tool additionally here.

Microsoft 365 Retention Policies allow you to build up a strong archiving solution. It’s easy to find a start here. It’s a kind of MRM 2.0, with the big advantage that you can also handle information and data included in other M365 Services.

Microsoft 365 Retention Labels are the top tier of Microsoft 365 Information Governance. With a specific regulatory record, paired with the eDiscovery Suite label, this method is nearly bulletproof. If you have to handle more than just Exchange, and you are aware of what a labeling technology means for your users, the business, and the project plan, you should try to use retention labels and label policies to fulfill the requirements.

Here is an attempt to break the whole content down into one table; maybe this helps you to „retain“ the overview:

| | Exchange MRM | Exchange Litigation Hold | In-Place Hold | Journaling | M365 Retention Policies | M365 Retention Labels |
|---|---|---|---|---|---|---|
| Functional Description | Delete or move to archive mailbox | Keep all Items in a Mailbox. | case based retention of specific items | „BCC“ for every mail | Retain all or specific mails in mailboxes – on container level | Retain all or specific mails in mailboxes – on item level |
| License requirements in M365 | EXO P1 | EXO P2 | EXO P2 | EXO P1 | EXO P2 – O365 E5 | O365 E1 – O365 E5 |
| Targetable items | E-Mails only | All items (Mail, Cal. etc.) | Search Query is scoped above mailboxes | every In-/Out-going E-Mail | All or specific mails | All or specific items |
| Available Actions | Move Items, Delete Items | Retain Items (period or unlimited) | Retain Items (period or unlimited) | journal | retain, retain & delete or delete items | retain, retain & delete or delete items |
| User Interaction | Personal Tags in Outlook | no interaction | no interaction | no interaction | no interaction | In addition to automatic labels, the user can manually tag items |
| System Processing | Default Policy | enable or disable with an optional timespan | admin defined query | has to be done elsewhere | content- / metadata-based processing | content- / metadata- / event-based processing |
| Use cases | Clean up mailboxes | Prevent deletion of items | legal case | archive every E-Mail | Retain in original Location until a specific date | Retain in original Location until a specific date – enable users to improve results |
| M365 overall considerations | | | Will be replaced through eDiscovery Hold | Archiving outside of M365 | | |

More information

Maybe you want to dive deeper into specific approaches. Here are some valuable Links which you could use:

Service Description: The Exchange Online Service description contains information which plans you need for the archiving possibilities included in Exchange Online: Exchange Online service description – Service Descriptions | Microsoft Learn

Compliance Licensing: This docs article explains the license requirements for various M365 compliance Features: Microsoft 365 guidance for security & compliance – Service Descriptions | Microsoft Learn

Compliance Licensing Comparison: An Excel Sheet with Links and licensing requirements notes for various compliance tools: microsoft-365-compliance-licensing-comparison.xlsx (live.com)

Functional Differences between Retention Labels and Policies: Learn about retention policies & labels to retain or delete – Microsoft Purview (compliance) | Microsoft Learn

Joanne C Klein’s Blog: If you’re interested in more than just retaining Exchange content, you should definitely know Joanne’s blog, Joanne C Klein – Compliance in Microsoft 365. Here you will find very valuable real-life information about M365 Retention Policies & Labels.


Appendix

As teased at the beginning, I want to explain the motivation for this article. To repeat:

A User reached the 100GB Limit of his Exchange Online Mailbox. The user tried to delete stuff, but that was also not possible.

How on earth did the user get this done, you might ask yourself as an Exchange admin. It was a tricky situation. The user’s mailbox in Exchange Online was enabled for litigation hold. The user was responsible for a shared mailbox on an Exchange OnPrem environment. He cleaned up this „well matured“ > 100GB mailbox in preparation for a migration to Exchange Online.
He was able to identify and delete masses of items in the mailbox one day. The next day he received a system notification that informed him that his personal mailbox was full and under limitation now (Exchange Online limits – Service Descriptions | Microsoft Learn).
„Ok, no problem! I’m experienced in cleaning up mailboxes“, he said to himself and started to tidy up. Unfortunately, he wasn’t able to do this. Every time he tried to delete something from his mailbox he received an error message.

The reason for this stalemate was, first, the fact that the deletion of items in a shared mailbox uses the deleted items folder of the processing user. And second, the mailbox of the processing user was enabled for litigation hold. So the Exchange service could not clean up messages in the deleted items folders to allow new items to be deleted.
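A check for the situation described above, as an added example that is not part of the original article: it lists every mailbox with Litigation Hold enabled and shows how close the primary mailbox and the Recoverable Items area (which contains the „Purges“ folder) are to their quotas. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session; the function names and the 80 percent threshold are assumptions chosen for illustration.

```powershell
# Added example, not from the original article.
# Assumes: ExchangeOnlineManagement module, existing Connect-ExchangeOnline session.

function ConvertTo-Bytes {
    # Exchange Online returns sizes as text, e.g. "98.5 GB (105,763,766,272 bytes)".
    param([string]$Size)
    if ($Size -match '\(([\d,.]+) bytes\)') {
        # Strip thousands separators (comma or dot, depending on locale).
        return [int64]($Matches[1] -replace '[,.]', '')
    }
    return $null   # "Unlimited" or a value that cannot be parsed
}

function Get-PercentUsed {
    param($Used, $Quota)
    $u = ConvertTo-Bytes $Used
    $q = ConvertTo-Bytes $Quota
    if ($null -eq $u -or -not $q) { return $null }
    return [math]::Round(100 * $u / $q, 1)
}

function Get-LitigationHoldQuotaReport {
    param([int]$WarnPercent = 80)   # assumed threshold, adjust to your needs

    Get-Mailbox -ResultSize Unlimited -Filter 'LitigationHoldEnabled -eq $true' |
        ForEach-Object {
            $upn   = $_.UserPrincipalName
            $stats = Get-MailboxStatistics -Identity $upn

            # Size of the "Purges" system folder, where held items end up.
            $purges = Get-MailboxFolderStatistics -Identity $upn -FolderScope RecoverableItems |
                Where-Object Name -eq 'Purges'

            # TotalDeletedItemSize is the size of the whole Recoverable Items area.
            $primaryPct = Get-PercentUsed $stats.TotalItemSize $_.ProhibitSendReceiveQuota
            $recoverPct = Get-PercentUsed $stats.TotalDeletedItemSize $_.RecoverableItemsQuota

            [pscustomobject]@{
                Mailbox                = $upn
                HoldDuration           = $_.LitigationHoldDuration
                PrimaryUsedPercent     = $primaryPct
                RecoverableUsedPercent = $recoverPct
                PurgesSize             = $purges.FolderAndSubfolderSize
                AtRisk                 = ($primaryPct -ge $WarnPercent) -or
                                         ($recoverPct -ge $WarnPercent)
            }
        } |
        Sort-Object AtRisk, PrimaryUsedPercent -Descending
}

Get-LitigationHoldQuotaReport -WarnPercent 80 | Format-Table -AutoSize
```

Running the report before a large clean-up in a shared mailbox shows whether the account doing the deletions is itself on hold and already close to its limit.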

Because of that finding and an ongoing Teams project where we also have to deal with retention requirements, we discussed the topic again in general with the customer. I must say, even though I have a lot of experience with retention requirements and solutions, especially within the Microsoft cosmos, I’m still confused sometimes about the different methods, their requirements, technological specifications, and license requirements. This blog article should help to clarify the options which are available with their pros and cons. It’s focused on the retention of Exchange content, but also includes notes about their role in the M365 context.

