A fairly common requirement in many organisations is to be able to delete something and be sure it is deleted – permanently. When organisations implement retention policies or labels in Microsoft 365, items that are subject to retention hold (via a retention policy or label) cannot be permanently deleted until the hold expires or is removed.
Organisations may have a legitimate reason to permanently delete deleted items. This post explains how to permanently delete ‘deleted’ items that are subject to retention hold.
TL:DR In brief:
- Temporarily disable any retention holds for SharePoint/OneDrive, and also Exchange Online mailboxes and Teams content.
- Close/remove any eDiscovery holds (except for Teams that uses this functionality to purge Teams content, see below)
- Disable DLP policies
- Follow the steps to delete the items describe below, noting that this is easier to do for SharePoint, but more complex for emails and Teams content.
What happens when retention holds are applied?
A retention or eDiscovery hold placed on Exchange Online, Teams, SharePoint or OneDrive will prevent the permanent deletion of content in those workloads until the hold expires or is lifted.
- Emails deleted from, or automatically moved to, the recoverable items folder in Exchange Online mailboxes remain in the hidden ‘Purges’ area of the mailbox. The Purges folder is not directly accessible by anyone but it can be searched.
- Teams chats and posts deleted from the Teams user interface remain in hidden folders. These folders are not directly accessible by anyone but they can be searched.
- Items deleted from SharePoint and OneDrive: (a) appear in the Recycle Bin for 93 days from where they can be restored and (b) are also ‘moved’ to the Preservation Hold library (with a modified file name). This library is only accessible by admins but the items cannot be deleted as long as the hold prevents it.
In all cases above, this ‘deleted’ but hidden content remains searchable and accessible through the Content Search or eDiscovery options in Microsoft Purview. It may also be located in backups, if that option is used.
For the purpose of this post, it is assumed that:
- Retention policies or labels have been applied and there may also be eDiscovery holds.
- Organisations know what retention policies and labels, and any eDiscovery hold, have been created and where they have been applied.
The processes involved in permanently deleting deleted content is as follows:
- Identifying what needs to be deleted and if retention policy or label, or eDiscovery hold may prevent the permanent deletion.
- Disabling any retention policy or labels in Microsoft Purview.
- Removing the location from any eDiscovery holds
- Disabling any Data Loss Prevention (DLP) policies that may prevent deletion.
Identifying what needs to be deleted
There are at least two ways that items may be identified for permanent deletion:
- End-users asking for something to be deleted permanently (or asking IF something has been deleted permanently), from active and/or ‘deleted’ locations. For example, when a purely personal item was accidentally uploaded or received via email or saved to OneDrive.
- Global searches and/or information discovery, including for ‘freedom of information’ type requests. Such searches and discovery may uncover items that were deleted but remain subject to a retention policy and stored in hidden or inaccessible locations.
Disabling retention policies and labels
The process of disabling retention policies or labels is relatively straightforward.
- For retention policies set in the Data Lifecyle Management part of Microsoft Purview, select the relevant policy and then click on ‘Disable policy’.
- For retention labels set in either the Data Lifecycle Management or Records Management parts of Microsoft Purview, select the relevant label policies and then click on ‘Disable policy’.
Note that disabling the policy may not happen immediately. Clicking on the policy will show, on the right of the screen, if the status is Disabled (Pending) or Disabled (Success). This may take an hour or two.
When retention or label policies have been disabled, items in SharePoint or OneDrive can be deleted permanently. Emails and Teams content stored in Exchange Online mailboxes are a bit more complicated – see below.
As will be seen below, eDiscovery cases may also impose holds on content. These holds will also need to be removed.
Deleting permanently from SharePoint and OneDrive
Deleting items from SharePoint or OneDrive libraries (including via the Teams ‘Files’ tab) places them in the Recycle Bin where they will remain for 93 days and then automatically disappear.
- If a retention policy, label policy has been applied, the ‘deleted’ content will be captured in the restricted access Preservation Hold library from where it will need to be deleted first, and then again from the second-stage Recycle Bin.
- If an eDiscovery hold has been applied, it will not be possible to delete the items until the hold has been removed. See below.
As long as no holds are in place, it will be possible to permanently delete the item/s from any active library, the preservation Hold library (if a retention hold was previously enabled and the item was deleted), and the second-stage Recycle Bin. Deleting can be done from the SharePoint user interface or using Powershell.
The screenshot below shows that the above item, deleted from the Preservation Hold library, now appears in the second stage Recycle Bin from where it can now be deleted permanently.
The potential impact of eDiscovery holds
eDiscovery holds take precedence over retention holds.
If a SharePoint site (or OneDrive) remains subject to an eDiscovery hold (sometimes referred to a litigation or legal hold), it will not be possible to permanently delete the items until the eDiscovery hold has been removed.
The PowerShell cmdlet ‘Remove-PnPFile’ confirms that the item above remains subject to an eDiscovery hold.
Removing an eDiscovery hold involves closing the case, starting with the removal of any holds. If the case is not closed correctly, an ‘orphan’ hold (invalid policy) may remain on the site.
In the case above, an eDiscovery (Premium) hold was inadvertently applied to ALL locations across the tenant, but the hold remained when the case was closed.
The Microsoft page ‘Can’t delete a site because of an invalid retention policy or eDiscovery hold‘ provided the key to resolving this issue.
The test (which opens in the Microsoft 365 Admin centre) provided the details (and GUID) of the invalid retention policy shown in the screenshot below. It states that an invalid hold relating to a closed eDiscovery case was blocking deletion.
Some additional checking (including via the audit logs, as the eDiscovery case no longer appeared in a search via PowerShell) confirmed that the GUID shown above confirmed that it was the hold for an eDiscovery case that had been closed incorrectly.
Once the invalid retention policy was removed using the tool above, items in the Preservation Hold library could be permanently deleted in the manner described above.
Deleting emails
The process involved in searching for and deleting emails from Exchange Online mailboxes is described in the Microsoft page ‘Search for and delete email messages‘. The steps described require elevated privileges – preferably Global Admin, but see the page for other roles.
Important note
The process described in the Microsoft page above and summarised below does not remove the email from a mailbox immediately (assuming any retention policy has been disabled). Instead, the process places the email in the hidden Purges folder until the Mailbox Folder Assistant removes it. It cannot remove it if a retention policy or other hold remains in place.
For this reason, it may be necessary to exclude the specific mailbox from the retention policy or label policy until the email is permanently removed via the Mailbox Folder Assistant.
According to the eBook ‘Office 365 for IT Pros‘ (August 2023 edition):
‘The goal for the MFA is for it to process mailboxes at least once weekly, but MFA often processes mailboxes more regularly. You can’t affect when mailbox management happens because this happens automatically, but you can affect how MFA processes mailboxes by changing the mailbox properties that govern retention policy.’
Step 1 – Find the emails via a Content Search
The first step in the process is to find the relevant email/s. This can be achieved via a Content Search in Microsoft Purview or via PowerShell (‘New-ComplianceSearch’). A maximum of 10 items can be included in the search. Other limits (such as the number of mailboxes to be searched) are noted in the link.
The following is an example of an email found by the Content Search that needed to be deleted.
Step 2 – Delete the message
Use the PowerShell cmdlet ‘New-ComplianceSearchAction‘ as shown below to delete the items in the Compliance Search. ‘Find specific email’ is the name of the Content Search.
New-ComplianceSearchAction -SearchName "Find specific email" -Purge -PurgeType HardDeleteRun the command a second time to confirm that the job has completed.
According to the PowerShell reference (link above): ‘HardDelete (cloud only): Purged items are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant. If single item recovery is enabled on the mailbox, purged items will be permanently removed after the deleted item retention period expires.’
Step 3 – Check if the email/s still exist/s
As noted above, emails removed in this way are moved to the Purges folder and marked for permanent deletion when the Managed Folder Assistant runs. To check if the email/s has/have been removed, re-run the Content Search.
Deleting Teams content
The process to delete Teams content is described in the Microsoft page ‘Search and purge chat messages in Teams‘ which notes that ‘the capability to search for and remove chat messages is intended to be an incident-response tool’.
The page provides the following overview of the steps involved in deleting Teams content and detailed instructions, which will not be repeated here.
Feature image: Pexels
Records about the world 
Great article. Thanks Andrew