Microsoft 365 Exchange Online (EXO) mailboxes and OneDrives assigned to individual end users have one thing in common – they may contain the only copy of corporate records (and other content) that cannot be easily accessed or managed as records.
Organisational efforts to encourage end users to save emails (and other potential records) to a paper or electronic recordkeeping system have not always been successful. Partially in response to this issue, the United States National Archives and Records Administration (NARA) developed the ‘Capstone’ approach (link is to a PDF on the archives.gov website).
According to the Capstone Bulletin in the link above:
‘(Capstone establishes) an additional means of managing and scheduling email records where final disposition is determined by the role or position of the account user, rather than the content of each individual email. This allows email disposition to be carried out in a systematic way, where email within accounts designated as permanent (or other individual emails categorized as permanent, regardless of account status) are transferred to the legal custody of the National Archives, and email within accounts designated as temporary are eligible for eventual destruction. This eliminates the email-by-email review by individual end-users within agencies.’
Some Australian jurisdictions have already started to recommend the Capstone approach, at least for emails and Teams 1:1 chats for selected staff. See, for example, the Queensland State Archives guidance ‘Manage your records and Microsoft 365’ (updated 5 July 2021, accessed 25 August 2022).
This post:
- Briefly describes how Microsoft 365 retention policies can be assigned to EXO mailboxes as well as OneDrives to ensure that any records in those locations are retained and therefore protected from disposal for minimum periods of time.
- Details the key difference between the two disposal actions of ‘Delete automatically’ and ‘Do nothing’, especially in relation to the mailboxes or OneDrives of long-time employees.
- Recommends that records managers be involved in planning for and establishing/configuring these policies in collaboration with their IT/ICT departments who would have typically deployed backup, so-called ‘archiving’, solutions for this content.
Microsoft 365 retention policies
Microsoft 365 retention policies are created and configured in the Microsoft Purview Compliance admin center. These policies work behind the scenes as a kind of safety net, preventing the complete deletion of content stored in Exchange Online mailboxes and OneDrives (and also Teams chats/posts and SharePoint sites), including end-user deleted items, for minimum periods of time.
Note: Organisations may also decide to deploy retention labels published as label policies but the focus of this post is retention policies.
Creating a new retention policy
While it is possible to group EXO mailboxes, SharePoint sites, OneDrives and Microsoft 365 Groups (including both the mailbox and site) in a single policy, it may be more practical to create separate retention policies for each Microsoft 365 workload, named accordingly, e.g., ‘EXO mailboxes – All Staff – 7 years’, ‘OneDrives – All Staff – 5 years’. The description should provide additional information about the policy and its intended purpose.
It may be useful to create more than one retention policy for the same workload. For example, (a) EXO mailboxes for senior managers/executives (retain permanently) and (b) EXO mailboxes for all other staff (7 years).
Retention policies may use static (manually set) or adaptive scopes (although the latter requires an E5 licence).
Each retention policy has three retention settings:
- A retention period – defined in days, months or years.
- A trigger – one of either ‘date created’ or ‘date modified’. The latter is likely to be more useful for OneDrive content.
- An action – usually either ‘delete automatically’ or ‘do nothing’. There are also two other options: (a) ‘Retain items forever’ and (b) ‘Only delete items when they reach a certain age’. Neither of these two is recommended for records retention purposes.
Retention actions and outcomes
‘Delete automatically’ means that, at the end of the retention period, individual items in the mailbox or OneDrive (including those that were ‘deleted’ already by end users) will be deleted automatically by the system account based on either date created or date modified as set in the policy. Aside from a mention in the audit logs, there is no other record retained of this deletion action.
When applied to an active EXO mailbox or OneDrive, a retention policy with the ‘Delete automatically’ option will begin to work immediately on whatever is stored in those locations.
If, as shown in the example below, the mailbox or OneDrive contains content that is older than the minimum retention period, that content will be deleted automatically. While this may be acceptable from a minimum records retention point of view, it may be of concern to longer term employees who want to continue to be able to access that content.
When accounts are deactivated (and the policy is already in place) the policy will delete – and continue to delete over time – any content older than the defined retention period, based on the date created or modified. In other words, the content of the mailbox or OneDrive will be progressively deleted automatically by the system, without any approval process.
At the end of the retention period, when the last item in the mailbox or OneDrive is no longer covered by the retention period and is automatically deleted, the mailbox or OneDrive will be deleted by the system as no retention ‘hold’ applies.
‘Do nothing’ means that individual items in the mailbox or OneDrive that are (a) no longer covered by the scope of the retention and (b) not already deleted by the end user, will still exist and can be deleted.
When applied to an active mailbox or OneDrive, a retention policy with the ‘Do nothing’ option will begin to work on whatever is stored in those locations. All content in the mailbox or OneDrive that is older than the retention period coverage will remain in place unless deleted by the end user. This may be a more acceptable solution for both the organisation and long-term employees.
When accounts are deactivated (and a retention policy is already in place) all the content in the mailbox and OneDrive, except for those items already deleted by the end user that are no longer covered by the retention policy, will be retained.
- Items an end user deletes from their email or OneDrive before they depart will be retained based on the original date created or modified. However, those items will be automatically deleted once they reach the end of the retention period.
All the content that remains in deactivated account mailboxes and OneDrives can be searched and accessed via the Content Search function in the Compliance admin center.
At the end of the retention period, when the last item in the mailbox or OneDrive ceases to be covered by the retention period, the mailbox or OneDrive and all the content in it will be automatically deleted by the system.
If there is a requirement to retain this content beyond the retention period, records managers will need to ensure that any content (or the entire mailbox/OneDrive) is exported, extracted or isolated in advance.
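The outcomes described above can be modelled before a policy is switched on, to see which existing items each action would remove and by when any export has to happen. The following Python model is an added example, not part of the original post or of any Microsoft tooling; it encodes only the behaviour this post describes, and the item names, dates and the names `Item`, `outcome`, `assess` and `export_deadline` are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Item:
    name: str
    created: date
    modified: date
    user_deleted: bool = False  # end user deleted it; only the retained copy is left

def add_years(d, n):
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + n, day=28)

def expiry(item, years, trigger):
    """End of the retention period, counted from the policy's trigger date."""
    return add_years(item.created if trigger == "created" else item.modified, years)

def outcome(item, as_of, years, trigger, action):
    """action is 'delete' (Delete automatically) or 'nothing' (Do nothing)."""
    if as_of < expiry(item, years, trigger):
        return "retained"   # protected either way, even if the user deleted it
    if action == "delete" or item.user_deleted:
        return "deleted"    # removed by the system, no approval step
    return "remains"        # out of retention but left in place

def assess(items, as_of, years, trigger, action):
    return {i.name: outcome(i, as_of, years, trigger, action) for i in items}

def export_deadline(items, years, trigger):
    """Date the last item leaves retention; per the post, a deactivated
    account's mailbox or OneDrive is removed after this point."""
    return max(expiry(i, years, trigger) for i in items)

# Constructed sample: a long-time employee's mailbox (not real data).
MAILBOX = [
    Item("2010 contract email", date(2010, 3, 1), date(2010, 3, 1)),
    Item("2012 deleted draft", date(2012, 6, 15), date(2012, 6, 15), user_deleted=True),
    Item("2016 budget.xlsx", date(2016, 1, 10), date(2021, 11, 2)),
    Item("2020 deleted note", date(2020, 5, 5), date(2020, 5, 5), user_deleted=True),
    Item("2021 minutes", date(2021, 9, 9), date(2021, 9, 9)),
]
AS_OF = date(2022, 8, 25)  # constructed evaluation date

if __name__ == "__main__":
    for action in ("delete", "nothing"):
        print(action, assess(MAILBOX, AS_OF, 7, "created", action))
    print("export before:", export_deadline(MAILBOX, 7, "created"))
```

With a 7-year policy, the 2010 email is the item that separates the two actions: it is removed under ‘Delete automatically’ and left in place under ‘Do nothing’, while the user-deleted 2012 draft is removed under both.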
Retention policies retain content for the period of time defined in a retention policy.
Depending on the action selected (Delete or Do nothing) the content may be either automatically deleted or continue to be retained and be accessible during the retention period.
If there is a requirement to access all the content in the mailbox or OneDrive of a departed employee (deactivated account) for a minimum period of time, the retention policy setting ‘Do Nothing’ will ensure that the content that is not already deleted will be retained and can continue to be accessed via the Content Search option.
The ‘Do nothing’ option may be more suitable for organisations wanting to be able to access the content in employee mailboxes and OneDrives for set periods of time both while they are active and after they are deactivated. There may be a requirement to export, extract or isolate this content if it needs to be retained for longer.