Managing the retention of content stored in OneDrive for Business accounts

The methods available to manage the retention of content stored by end-users in their Office 365 OneDrive for Business (ODfB) accounts are not always well understood.

Organisations may initially default (in their thinking) to backing up the content because that’s what was always done in the past. A change of thinking may be required.

This post:

  • Explains some of the key differences between ‘home drives’ and ODfB accounts.
  • Highlights the need for organisations to understand their business requirements for retention of ‘personal’ content, and not assume traditional backup methods are the only option.
  • Also highlights the need for organisations to understand the potential risks (and potentially unnecessary additional costs) associated with backing up Office 365 content.
  • Describes two simple options for the retention of content stored in ODfB accounts.
  • Suggests that organisations can probably use a combination of a single Office 365 retention policy and a change to the storage retention period for inactive accounts, instead of backups, to achieve the same outcome.

What are ‘home drives’?

In many organisations, home drives are usually a dedicated area on a network file share designed to allow end-users to store ‘working’ documents and ‘personal’ content.

Using the network file shares for home drives ensures that the content stored in them is backed up as part of standard disaster recovery processes while the user is still active (for disaster recovery and to recover deleted items) and still accessible (as an ‘archive’) after they leave the organisation.

In some organisations, home drives may instead be an area on the user’s computer (C drive). Any content stored on local computers is not backed up.

Generally speaking, home drives, whether on the network file share or on the user’s computer, are not accessible once the end-user leaves the office. This has given rise to the fairly regular use of USB storage devices or uncontrolled, internet-based file storage systems such as DropBox.

How is ODfB different from home drives?

In organisations that implement Office 365, ODfB is the replacement for ‘home’ or ‘personal’ drives.

Although they offer similar functionality for end-users (in terms of the ability to access the content from File Explorer), ODfB accounts are fundamentally different in several ways.

  • The content can be accessed on almost any device. No VPN is required.
  • With Windows 10 devices, the content is synced to and can be accessed via File Explorer. This makes ODfB an almost identical replacement for existing home drives in terms of look and feel, and functionality (plus even more functionality, such as the ability to share directly).
  • There is no accessible back up – Microsoft is entirely responsible for disaster recovery. If organisations want to back up ODfB accounts from Office 365, they will need to acquire a third-party product. The ability to establish retention for the content (last two dot points below) may make the need for back up redundant.
  • There is a 90 day Recycle Bin accessible via the browser-based interface. This allows end-users to restore the content they deleted themselves within that time-frame.
  • Organisations can set a storage retention period that will apply once the end-user leaves and their account is deactivated.
  • Organisations can also set a retention policy that will prevent the deletion of content while the user remains active.

Both the last two options are the subject of this post.

Access to and retention of home drives vs ODfB accounts

In many organisations, the content stored by end-users in their home drives is considered to be ‘private’ to them, despite the system being owned by the organisation.

While they can be accessed easily by network administrators with elevated privileges, it is not uncommon (often for audit purposes) for IT to have to seek special approval from someone senior to access the content of a home drive either while the end-user is still employed or after they have left. In these cases, IT will either access the active drive or request the back up tape to restore the content. 

The content in home drives, when backed up, remains as long as the backup media is accessible.

In Office 365, Global Administrators can access the ODfB accounts of any active user. They do this by going to the Office 365 Admin portal and, under the ‘Users’ section, clicking the end-user account name and then going to the ‘OneDrive’ tab where the option to ‘Get access to files’ is displayed. Any access to ODfB accounts, by anyone (including Global Admins), is recorded in the audit logs.

[Note: As at January 2020, the old ‘My Sites’ options in SharePoint still exist. These options allow the Global Admins or SharePoint Admins to assign someone, or a Security Group, as a Secondary Admin for all ODfB accounts. This option is largely redundant because Global Admins can access the content anyway.]

The default retention period for ODfB content is 30 days after the end user’s account is disabled.

What exactly are you trying to achieve?

As noted, there are some fundamental differences between ‘home drives’ and ODfB.

Consequently, organisations ideally should re-examine their business requirements for access to and the retention of ‘personal content’, both while the user account is active and when it is made inactive, and not assume that old backup options remain valid.

For example, consider the use of backup tapes:

  • The primary purpose of backup tapes is to support disaster recovery. These made sense when IT owned the servers, but it makes less sense when Microsoft own them and are responsible for disaster recovery. Is Microsoft’s disaster recovery capability sufficient or suitable?
  • Backup tapes were (and still are) often used as a type of ‘archive’, allowing organisations to recover data from active and inactive home drives for an indefinite period of time.

The bottom line is – what business outcome/s do you want? Generally, these are likely to be:

  • The ability to recover content stored on personal drives after a disaster (not just when the end-user has deleted something).
  • The ability to access and retain content while the user is active or after they become inactive.

An additional business requirement might be to reduce the use of ‘home drives’ for business related content.

Retention options for content stored in ODfB

ODfB ships with two default retention options:

  • Recycle Bin. Any ODfB content deleted by an end-user goes to the Recycle Bin for 90 days.
  • Inactive content retention. When an end-user account is deactivated, the content remains accessible for a default period of 30 days.

Neither of these two options on their own, without modification, is likely to meet business requirements to achieve some form of back-up equivalent capability and the ability to access content in ODfB for a period of time.

It is likely that most business requirements (to replace backups) will be met instead via a combination of the following:

  • Creating a single Office 365 retention policy applied to all ODfB accounts that prevents content in those accounts from being deleted for a given period of time.
  • Extending the default retention period for the content in deactivated accounts from 30 days to a much longer period, for example 7 years.

Office 365 Retention Policy

To ensure that content is kept (and accessible, even after being ‘deleted’ by the user) while the user is active, and after they leave, (a) create a single Retention Policy in the Office 365 Compliance portal, ‘Information Governance’ section and (b) apply it to all ODfB accounts by choosing ‘https://tenantname-my.sharepoint.com’.

Once published, the retention policy creates a ‘Preservation Hold library’, visible only to the Global Admins, that stores any content that is modified or deleted by the end-user during the retention period.

At the end of the retention period, the content in the Preservation Hold library and anything else that has reached the end of the retention period is sent to the Recycle Bin where it is kept for 90 days before being permanently deleted.

This type of retention policy effectively replaces the need for a back up of home drives, provided the organisation:

  • Accepts the risk that Microsoft may not be able to recover all or some of the content in the case of a disaster. Note that this risk also applies to Exchange, SharePoint and MS Teams content.
  • Understands that, if it decides to attempt to back up ODfB, restoring from back up may not be as simple as it used to be when the organisation owned and managed the relevant servers. What, exactly, will you back up to, and how will you read the data?

ODfB Storage Retention

The second retention option relates to the ODfB accounts of departed users, or inactive accounts.

ODfB includes the option to retain files in ODfB for a specific period of time after the end-user account is deactivated. This is set in the ODfB Admin portal under ‘Storage’.

At the end of the period of time specified, the content is sent to the Recycle Bin after which it is deleted permanently.
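The two settings described above can also be applied and verified from PowerShell. This is an added example, not part of the original post: the tenant name, policy name and the 2555-day (7 year) period are assumptions, and the retain-then-delete action is chosen to match the behaviour described above.

```powershell
# Added example: scripted equivalent of the two portal settings described in the post.
# Requires the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules.
# All values below are assumptions; replace them with your own.
$TenantName    = 'tenantname'                    # placeholder tenant name
$PolicyName    = 'ODfB - retain all accounts'    # hypothetical policy name
$RetentionDays = 2555                            # 7 years, the example period used in the post

# (a) One retention policy applied to every OneDrive for Business account.
Connect-IPPSSession
New-RetentionCompliancePolicy -Name $PolicyName `
    -OneDriveLocation All `
    -Enabled $true

# Keep content for the period, then allow it to be deleted
# (content modified or deleted earlier is held in the Preservation Hold library).
New-RetentionComplianceRule -Name "$PolicyName - rule" `
    -Policy $PolicyName `
    -RetentionDuration $RetentionDays `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# (b) Extend the retention of deactivated users' accounts from the 30-day default.
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod $RetentionDays

# Verify both settings rather than assuming they applied.
Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail |
    Format-List Name, Enabled, OneDriveLocation, DistributionStatus
Get-RetentionComplianceRule -Policy $PolicyName |
    Format-List Name, RetentionDuration, RetentionComplianceAction
(Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod
```

Policy distribution can take some time to complete, so re-run the verification commands until `DistributionStatus` reports success before relying on the policy in place of a backup.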

Summary

Many organisations are likely to approach the retention of ODfB content in the same way they did for home drive content, by considering backup options first, often ‘because that’s what we’ve always done’.

Organisations implementing Office 365 should:

  • Define their business requirements for the retention of home drive/ODfB content
  • Examine, understand and consider if retention options in Office 365 result in the same outcome
  • Understand the potential risks of relying on Microsoft to provide a reliable service including in a disaster situation
  • Understand the complexity (and risks) of backing up (and recovering) content from Office 365.

In many cases, retention options in Office 365 may provide the required outcome at a much lower cost.


9 thoughts on “Managing the retention of content stored in OneDrive for Business accounts”

  1. Hi Andrew,

    I am wondering if you can help me, we are a medium-sized company based in Tauranga, New Zealand and I have been tasked with finding out some more info regarding replacing Personal (Network share) folders with OneDrive. I have a couple of questions which I am struggling to find answers to on the Web.
    – Is there added cost to change the retention period from 30 days to say 7 years?
    – Is it possible to control files in OD that haven’t been accessed for 30 days say and stub them for online access only to save space on the local HDD, in other words remove them being accessed locally and only on OD?
    – Is there a GPO to change the max file size from 2GB to 500MB, to administer the bandwidth used to sync larger files to OD in the cloud?

    Many thanks
    Chad

    1. Hi Chad, I’d suggest you go to https://techcommunity.microsoft.com/ and ask there. I assume the first question relates to the Storage option in the ODfB Admin portal, which is set to a default 30 days. Your storage limits for everything in Microsoft 365 are set based on your licenses. If you exceed the storage, you can pay to extend it. We extended the default storage from 30 days to 2555 days (7 years), but on the basis that we’d monitor overall storage limits (1 TB per active user seemed to be more than sufficient). With regard to files that have been synced – remembering that not everything is downloaded, only when it is opened – I don’t know. You (obviously) can’t delete them or they will delete the cloud version also. Best to ask about the maximum file size on the site above.

  2. Hi Andrew,
    Great article! I have a quick question that you might know the answer of!
    Storage that is retained after a user’s account is deleted, what is that storage counted against? Is it SharePoint storage, or total ODFB storage available for all users?
    So if a user is deleted, and we changed that retention to be 365 days, what storage quota is that taken from?
    Thanks
    Barney

    1. Hi Barney
      Thank you for the feedback. The best advice I can offer is this site:
      https://petri.com/how-retention-impacts-office-365-storage
      (As with SharePoint) ‘OneDrive for Business also counts retained files against storage, but it’s not an issue because of the way storage is managed.’
      I hope this helps. The key point the author makes is that retention WILL cut into your storage quotas, but on the positive side, it is possible to continue to extend the storage size as required (at a cost).
      Andrew

  3. Hi Andrew
    I have a question. Can Retention Labels be applied to Corporate Shared Drives such as S: Drives and U: Drives?

  4. Hi, if we enable retention policy, we can’t delete folders with files from OneDrive Online, seems to be a design miss. Is this a common problem?
    Works fine from the client.

    1. Hi Magnus, OneDrive accounts are ‘owned’ by individuals with an M365 licence. As with SharePoint, when a retention policy is applied (creating a Preservation Hold library), you cannot delete a folder unless you delete the contents of that folder first. This seems odd, I agree, but I think it’s a deliberate design, perhaps to help the accidental deletion of a very large volume of content within a folder structure.

      1. Hi Andrew,
        first of all thanks for the great article.

        I’ve stumbled upon the same problem where one user has a folder of approx. 300GB in size. Now the retention policy applied by our company of course blocks the deletion of this folder (“You have to delete all the files in this folder before you can delete this folder”).
        But what if it is really wanted that this folder is being deleted.. Is there currently any way to go because deleting every file/subfolder inside a 300GB folder obviously is a rather time consuming process?!

        What I also think is kind of strange is that deleting OneDrive folders from within the Windows File Explorer mostly works when in the web interface the above mentioned message is shown.. I yet have not figured out if this is wanted or not because in my eyes this is an inconsistency and should actually not be possible..

        Do you have any advice on this? 🙂
