Retention policies created as labels in the classification section of the Office 365 (O365) Security & Compliance admin centre can be applied to content in Exchange Online (EXO) mailboxes.
Unless a mailbox is dedicated to a specific subject (for example, ‘Customer Complaints’) or is the mailbox of a dedicated Office 365 Group, it may not be possible to apply more than one Office 365 retention policy to EXO mailboxes, because:
- Emails generally contain content about multiple subjects.
- The way content is categorised in mailboxes, including through the use of rules and/or folders, varies between users.
- The retention and disposal of records relies largely on the ability to assign retention policies to categories or groups of records, not individual records.
- Organisational policies may require all user emails to be kept (‘archived’) for a period of time after they leave the organisation.
Unless emails are moved to a different storage location such as SharePoint, it may be necessary to continue to apply a single, but shorter, O365 retention policy to mailboxes.
Exchange Messaging Records Management (MRM) policies
Until Office 365 retention policies appeared as an option, MRM policies applied in EXO were likely based on an organisational business requirement to keep the mailboxes (and other content) of departed users for potential legal or compliance reasons.
MRM policies in EXO are found under the ‘Compliance Management’ section of the EXO admin portal.
When this section is opened, the following message may appear:
The default MRM policy has the following options. These may be modified, or additional retention tags created, as required.
If the default MRM policies have not been changed (by the Exchange administrator), the default policy/ies will apply. This means that users can use the ‘Assign Policy’ option on folders and emails to decide how long they should be kept.
Emails that are deleted before a backup is made may not be retained.
Some organisations may decide to retain all emails and the mailboxes of departed users ‘forever’. They can do this by removing all the options except ‘Never Delete’.
How O365 Retention Policies are applied to Exchange
Retention labels created in Office 365 can be used to manage the retention of emails, including (to some degree) emails that have content that meets certain pre-defined conditions.
Retention labels are created in the Office 365 Security and Compliance admin portal under the ‘Classifications’ section. This section has three options:
- Labels. This section is used to create both ‘Sensitivity’ and ‘Retention’ labels. There is also an ‘Auto-apply’ option in the Retention section.
- Label policies. This section partially duplicates the options in the previous section (other than the ‘Create’ option) and lists the labels that have been published.
- Sensitive info types.
Auto-apply, as its name suggests, auto-applies an existing label based on certain conditions. The conditions are as follows:
- Apply label to content that contains sensitive info. The sensitive info types are pre-defined options for (a) Financial data (e.g., credit card numbers), (b) Medical and Health (e.g., predefined health records), and (c) Privacy (e.g., personal and sensitive information). There is also the option to create a Custom setting.
- Apply label to content that contains specific words or phrases, or properties. This option works by looking for specific words or phrases.
New labels must be published before they appear or apply anywhere in Office 365.
During the publish process, policies must specify where (in the ‘Locations’ section) the policy is to be applied.
The default option is ‘All locations. Includes content in Exchange email, Office 365 groups, OneDrive and SharePoint documents.’ Alternatively, the policy may be set to specific locations including
- The Exchange mailboxes of all or specific recipients, or excluding specific recipients.
- All or specific SharePoint sites, or excluding specific sites.
- All or specific OneDrive accounts, or excluding specific accounts.
- All or specific Office 365 Groups, or excluding specific groups.
Note that content in Microsoft Teams is included in the Office 365 Groups options which includes both the SharePoint content and email/Teams chat content.
Mixing MRM and O365 retention policies – maybe not a good idea
If the default MRM policies are not removed, any O365 retention policy that is applied to EXO will appear in the list of retention tags under the default MRM policy, as can be seen in the screenshot below, which shows three options in addition to the original MRM policies: ‘Temporary records – 7 days’, ‘Financial Records’, and ‘Company records – 7 years’. If nothing is changed in the environment, these policies can be applied by users to folders and emails.
If the organisation has decided to remove all retention tags except ‘Never Delete’ and a new O365 retention policy is applied to EXO, the ‘Never Delete’ option will prevail and the O365 policy will not work.
Accordingly, careful consideration needs to be given to the creation of O365 retention policies that may be applied to EXO records.
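An added check for the conflict described above (example code, not from the original post): connected to Exchange Online PowerShell, it lists the retention tags linked to the default MRM policy and reports whether only ‘Never Delete’ remains, the state in which the post says a newly published O365 policy will not work. ‘Default MRM Policy’ is the standard name of the built-in policy and is assumed here; the tag name ‘Never Delete’ is the one quoted in the post.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module and Exchange admin rights; run Connect-ExchangeOnline before calling it.
function Get-DefaultMrmPolicyState {
    param(
        # Standard name of the built-in policy (assumed); change it if it was renamed
        [string]$PolicyName = 'Default MRM Policy'
    )
    $policy = Get-RetentionPolicy -Identity $PolicyName -ErrorAction Stop

    # RetentionPolicyTagLinks lists the tags users see under 'Assign Policy'
    $tags = foreach ($link in $policy.RetentionPolicyTagLinks) {
        Get-RetentionPolicyTag -Identity $link |
            Select-Object Name, Type, RetentionEnabled, AgeLimitForRetention, RetentionAction
    }

    # Personal tags are the ones users can assign to folders and individual emails
    $personal = @($tags | Where-Object { $_.Type -eq 'Personal' })
    $onlyNeverDelete = ($personal.Count -eq 1) -and ($personal[0].Name -eq 'Never Delete')

    $warning = $null
    if ($onlyNeverDelete) {
        # Per the post: 'Never Delete' prevails and a published O365 policy will not take effect
        $warning = "Only 'Never Delete' is linked to '$($policy.Name)'; an O365 retention policy applied to EXO will not work."
    } elseif ($personal.Count -gt 1) {
        # Per the post: O365 labels appear alongside the MRM tags and users can apply either
        $warning = "$($personal.Count) personal tags are linked to '$($policy.Name)'; users can assign MRM tags alongside O365 labels."
    }

    [pscustomobject]@{
        Policy          = $policy.Name
        LinkedTags      = $tags
        OnlyNeverDelete = $onlyNeverDelete
        Warning         = $warning
    }
}

# Review the current state before publishing O365 retention labels to Exchange
$state = Get-DefaultMrmPolicyState
$state.LinkedTags | Format-Table -AutoSize
if ($state.Warning) { Write-Warning $state.Warning }
```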
Should user mailboxes be kept ‘forever’?
Many IT departments keep user mailboxes of departed staff (and most other content on the network) for a long time, usually on backups, ‘just in case’ they may be required for legal or compliance requirements, including investigations into misconduct.
Recent personal experience with subpoenas for mailboxes of departed staff indicates that 10 years is likely to be the maximum retention requirement for these types of records. There may be a case to keep certain individual mailboxes for much longer, which the O365 policy allows for.
What happens when emails reach the end of their O365 retention policy period?
O365 retention policies define how long records are to be retained before they are either deleted or ready for review (via the Records Management – Dispositions section of the O365 Security and Compliance admin portal).
The following options define what happens when retention is enabled:
- Retain the content (a) for a specific period (n days/months/years) or (b) forever. Option (b) is the same as the MRM policy ‘Never Delete’.
- Action to be taken at the end of the period (except ‘forever’): (a) Delete the content automatically, (b) Trigger a disposition review (i.e., notify specific people), or (c) Do nothing, leave the content as is.
- Don’t retain the content, just delete it if it’s older than n days/months/years.
- Retain or delete the content based on: (a) When it was created, (b) When it was last modified, (c) When the label was applied, (d) based on an event.
The three actions above define the options for records managers:
- Allow the emails to be deleted automatically. This is possibly the easiest and most efficient option but it will result in the deletion of any emails when they reach the end of the retention period – if they are kept in Exchange. Importantly, if a specific period of time (e.g., 7 years) is set for email retention, this could start to delete the emails of users who are still with the organisation after that period expires. This fact may affect the retention period that is set.
- Trigger a disposition review – see below. This option would be onerous to implement; it would take a lot of effort to review the individual emails of a departed user as part of a disposition review. It would, however, allow for selective review by using the ‘filter’ option in the Dispositions area.
- Do nothing. This option may be useful for specific types of records, but not emails.
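The three options above, and the publish step described earlier, as an added example that is not part of the original post: it defines one retention label per option with Security & Compliance PowerShell and publishes them to all Exchange mailboxes. Label names, the policy name and the reviewer address are constructed placeholders; the 7-year period is taken from the post. Every command carries -WhatIf so nothing is created until that switch is removed.

```powershell
# Added example (not from the original post). Run Connect-IPPSSession first with an
# account that holds Compliance Administrator rights. RetentionDuration is in days.
$sevenYears = 7 * 365

# (a) Retain for 7 years from creation, then delete automatically (no review)
New-ComplianceTag -Name 'Email - 7 years then delete' `
    -RetentionType CreationAgeInDays -RetentionDuration $sevenYears `
    -RetentionAction KeepAndDelete `
    -Comment 'Placeholder label: auto-delete at end of period' -WhatIf

# (b) Retain for 7 years, then trigger a disposition review: the reviewer is notified
#     and the emails appear under Records Management - Dispositions
New-ComplianceTag -Name 'Email - 7 years then review' `
    -RetentionType CreationAgeInDays -RetentionDuration $sevenYears `
    -RetentionAction KeepAndDelete `
    -ReviewerEmail 'records.manager@example.com' `
    -Comment 'Placeholder label: disposition review at end of period' -WhatIf

# (c) Retain and do nothing at the end; with Unlimited this matches MRM 'Never Delete'
New-ComplianceTag -Name 'Email - retain only' `
    -RetentionType CreationAgeInDays -RetentionDuration Unlimited `
    -RetentionAction Keep `
    -Comment 'Placeholder label: keep, no action' -WhatIf

# Labels do nothing until published. This policy targets the Exchange location only
# (all mailboxes), the option described under 'Locations' in the post.
New-RetentionCompliancePolicy -Name 'Email retention labels (placeholder)' `
    -ExchangeLocation All -WhatIf

# One rule per label publishes it so users see it under 'Assign Policy'
foreach ($label in 'Email - 7 years then delete', 'Email - 7 years then review', 'Email - retain only') {
    New-RetentionComplianceRule -Policy 'Email retention labels (placeholder)' `
        -PublishComplianceTag $label -WhatIf
}
```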
Disposition Reviews
Emails that are subject to a disposition review will appear in the Records Management – Dispositions section of the O365 Security and Compliance centre. Note that the ‘Type’ must be changed from ‘Documents’ to ‘Emails’ to see the emails that are due for disposal. As noted above, while it is possible to filter by user to review the emails, this process could be quite onerous.
Summary
The nature of email makes it almost impossible to sort emails into categories that map to different retention and disposal policies.
Most mailboxes will be subject to a single retention policy.
Office 365 retention policies can and probably should replace the default EXO MRM policies that govern the retention of emails.
Retaining emails in the mailboxes they are stored in ‘forever’ is not a practical retention model. 10 years is a reasonable maximum period, but exceptions may be required.
If O365 retention policies replace EXO MRM policies, records managers need to specify (a) how long emails need to be kept for and (b) whether they can simply be deleted when they reach the end of the retention period or need to be reviewed before deletion.