A common question many of my customers ask is how Exchange Online can be configured to comply with their retention requirements. Exchange has gone through many iterations of Legal Hold over the years to help organizations protect their data and make it available for legal discovery. A few years ago we took a major step forward in creating a robust and flexible method for retaining data for legal compliance.

The answer to this question is to leverage a combination of retention policies, the Exchange Online Archive and legal hold. Before I go through the steps involved in configuring this, let's take a deeper look at how Legal Hold works.

Note: Legal Hold is only available with Exchange Online Plan 2 and higher.

First, let's discuss a typical end user scenario. When a user deletes a message it is moved to the Deleted Items folder in their mailbox. Items sit in the Deleted Items folder until the user empties the folder or the folder is automatically purged via policy. The automatic purge is something pre-configured by the Exchange admin and is not configured out of the box. After a user empties their Deleted Items folder they can still recover those items for up to 14 days without having to contact the helpdesk. To do this they right-click the Deleted Items folder and select Recover Deleted Items… This works because deleted items are moved to a hidden folder known as Recoverable Items, which maintains a copy of deleted messages for up to 14 days (again, a pre-configured number of days in Exchange).

Alternately, users can use the Shift+Delete key sequence to permanently delete a message or all messages from their deleted items. When a user does this the messages go to a hidden folder called Deletions within the Recoverable Items bucket. These messages are no longer recoverable by the end user but are maintained for 14 days from the point of deletion and can be recovered by an administrator.

Finally, users can manually purge items in their Recoverable Items folder by clicking the Folder tab, selecting Recover Deleted Items and selecting Purge Selected Items. Light users (those who only use Office Web Apps) can do the same in Outlook Web App by clicking Deleted Items, then Recover Deleted Items and selecting Purge Selected Items. The items then move from the Recoverable Items folder to another subfolder called Purges, which is emptied after 14 days. At that point the user no longer has the ability to recover these items. However, the administrator can still search and recover these items for up to 14 days.

When a mailbox is put on legal hold, Exchange Online retains the items in the Purges folder for the length of time determined by the administrator (default 14 days), which could be indefinite. Not only does Legal Hold keep the items in the Purges folder for the length of time defined by the administrator, but it also protects the original version of each mail item by storing an unaltered copy in a folder called Versions within the Recoverable Items folder. A copy is made to this folder if any of the properties below are changed:

  • Subject
  • Message Body
  • Attachments
  • Senders and/or Recipients
  • Sent and/or Received dates

The Versions folder is not accessible by end users, however the information is available to administrators running an e-discovery search. This data can then be stored as part of a legal discovery. Below is an excellent diagram from the original blog posting that details the message flow through its lifecycle:

Notice that the image above states that purged messages are retained for 14 days. This isn't true when a mailbox is on Legal Hold; in that case the data is retained for the number of days defined in the legal hold. The question then becomes: how does your agency's retention policy play into legal hold and data retention? The answer is that retention policies are still applied to mailboxes on legal hold. Here is an example to show how everything works together:

Agency retention policy:

  • Mailbox on Legal hold for 7 years
  • Retention policies move messages older than 1 year to Archive

In this case all mail, including the recoverable items, must be available and searchable for 7 years from its creation date. Additionally, messages older than 1 year will be moved from the user's mailbox into their archive mailbox, which is still covered under the legal hold tag.

I have had the question quite a bit from my customers about the size of the Recoverable Items folder and if it counts against their total mailbox size. The good news is the Recoverable Items folder does not count against the user's primary mailbox. However, if the user is not on legal hold the maximum size of the Recoverable Items folder is 30GB. As soon as a user's mailbox is put on legal hold this limit is increased as needed, essentially creating a Recoverable Items folder with unlimited size.

OK, so now that we have the background covered, let's look at how we can enable this. As of right now this has to be done on a per-user basis through the GUI; however, it can be automated through PowerShell. If you want to take the GUI route, follow these steps:

  • Log into Portal.microsoftonline.com
  • Select Manage under Exchange Online
  • Select Manage My Organization > Users & Groups > Mailboxes
  • Search for and select the mailbox you want to put on Legal Hold and click Details
  • Expand Mailbox Features, select Legal Hold and click Enable
  • In addition, you can create a note that notifies the user about the legal hold, or include the company's corporate policy to inform them
  • Additionally you can specify a URL that may have your legal requirements listed for further reading
  • Once the mailbox has been put on legal hold it may take up to 60 minutes to take effect

Now for the fun stuff, PowerShell!

This example sets a single user to a 7 year legal hold. It is important to note that this does not mean the mailbox will be on Legal Hold for 7 years. The duration is actually a tag stating that any new message will be retained for 7 years once created or received by the mailbox. So a message that arrives on 8.20.2014 will be kept until 8.20.2021.

Set-Mailbox -Identity jodiaz@office365ninjas.com -LitigationHoldEnabled $true -LitigationHoldDuration 2555

That was fun wasn't it? Nah, not so much on a per-user basis, so let's take a look at automation:

This example searches for all mailboxes and sets the Legal Hold to 7 years:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration 2555

Or filter it down to users in a specific department:

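# Get-Mailbox output has no Department property, so filter on the recipient object instead
Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize Unlimited -Filter "Department -eq 'IT'" | Set-Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration 2555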
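
A bulk change like the ones above is worth previewing first and verifying afterwards. The script below is an added example, not part of the original post: it assumes an open Exchange Online PowerShell session, and the variable names `$HoldDays` and `$Apply` are illustrative. It previews the change with `-WhatIf`, reports which user mailboxes are still not on hold, and lists the Recoverable Items subfolders (Deletions, Purges, Versions) discussed earlier for one mailbox.

```powershell
# Added example. Assumes an open Exchange Online PowerShell session.
# $HoldDays and $Apply are illustrative names, not Exchange settings.
$HoldDays = 2555      # same duration as the commands above
$Apply    = $false    # leave $false for a dry run; set $true to make changes

# User mailboxes not yet on hold, so a rerun leaves existing holds untouched.
# @() keeps the result an array, so an empty result pipes nothing to Set-Mailbox.
$pending = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.LitigationHoldEnabled })

if ($Apply) {
    $pending | Set-Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration $HoldDays
} else {
    # -WhatIf prints what would change without changing anything.
    $pending | Set-Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration $HoldDays -WhatIf
}

# Hold state for every user mailbox. The hold can take up to 60 minutes to
# take effect, so rerun this part later before treating a gap as real.
$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object UserPrincipalName, LitigationHoldEnabled,
                  LitigationHoldDuration, LitigationHoldDate, LitigationHoldOwner
$report | Sort-Object LitigationHoldEnabled | Format-Table -AutoSize

# Any mailbox listed here is not covered by the hold.
$gaps = @($report | Where-Object { -not $_.LitigationHoldEnabled })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) user mailbox(es) are not on Litigation Hold"
    $gaps | Select-Object -ExpandProperty UserPrincipalName
}

# Recoverable Items subfolders for one mailbox (identity taken from the
# single-user example above): item counts and sizes per folder.
Get-MailboxFolderStatistics -Identity jodiaz@office365ninjas.com -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolderAndSubfolders, FolderAndSubfolderSize |
    Format-Table -AutoSize
```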

As you can see PowerShell can help you automate the process and provide a robust compliance program to suit your company's needs. By leveraging various filters you can create multiple policies based on specific groups, types of users or pre-defined attributes within each user account such as department. Happy Coding!