Planning for data governance and retention is a crucial task for Microsoft 365 compliance administrators and it is vital to have the correct strategy in place to ensure that your organization is protected and compliant. There are a number of ways to govern and retain data that is hosted in your Microsoft 365 environment in order to ensure that the content cannot be lost either accidentally or due to the actions of a malicious insider.
In this chapter, we will introduce you to the principles of data governance and retention. You will learn how to configure retention tags and policies, how to use supervision policies to capture employee communications, and how litigation holds can be used to preserve electronically stored information. We will also explain how data such as user .pst files can be imported into Office 365 using the Security & Compliance Center, as well as show you how to configure in-place archiving and manage any inactive mailboxes.
We will cover these topics in the following order:
Planning for data governance in Microsoft 365 requires compliance administrators to understand any internal organizational policies that must be adhered to, along with any applicable industry regulations.
These requirements will obviously differ depending on the nature of the organization, but overall, the principles of governing your data to ensure that you can appropriately retain, or retain then delete, the content within emails and documents are essentially universal.
The logical starting point for compliance administrators when starting on this journey is retention. Having the correct set of retention policies configured and applied will enable the other components of data governance to logically fall into place. With retention policies in Microsoft 365, you can apply actions organization-wide or to specific locations or users, which will either retain or delete content in line with set retention periods.
When an email or a document is targeted by a retention policy, the user who is working on that content can make any necessary changes unimpeded, but the retention policy will make a copy of the original document and this will be retained for the duration of that retention policy. This works across the various Office 365 services, as follows:
Should your organization be bound by more restrictive regulations, then you may be required to configure retention policies using the Preservation Lock feature. When Preservation Lock is applied to a retention policy, the policy cannot be turned off or set to lesser restriction settings by anyone (including Office 365 administrators).
Once a retention policy has been applied to OneDrive or SharePoint Online content, the following scenarios are possible.
If the content is changed or deleted while a retention period is in effect, and the retention policy is set to delete that content at the end of the retention period, a copy of the original content is placed in the Preservation Hold library. The Preservation Hold library is scanned periodically to identify content whose retention duration is complete. That content is then moved directly to a second-stage recycle bin. Site collection administrators can restore content from here; otherwise, it is permanently deleted and unrecoverable after a period of 93 days.
If no modifications are made to the content while a retention period is in effect and the retention policy is set to delete that content at the end of the retention period, the content is moved to a first-stage recycle bin when the retention duration is completed. Users will be able to purge the first-stage recycle bin, which moves the contents to the second-stage recycle bin. Users do not have access to the second-stage recycle bin. These two stages of recycle bins combined have a retention period of 93 days, after which the content is permanently deleted and unrecoverable.
When working with retention policies concerning mailbox and public folder content, the Recoverable Items folder within the user's mailbox is regularly inspected and any content within it that is no longer subject to a retention period is permanently deleted 14 days after the end of the retention period that applied to that item.
Important note
Only users who have the eDiscovery role can view items in other users' recoverable items folder.
In this section, you have learned that retention is a core principle when it comes to data governance in Office 365. Once you have your retention policies defined and deployed, you can leverage further powerful features of Office 365 data governance, such as configuring inactive mailboxes and setting in-place and litigation holds. We will explore all of these features in detail later in this chapter, including how to configure retention tags and policies.
Next, we will show you how to view data governance reports and dashboards.
Microsoft provides administrators with a great deal of information relating to data governance, which can be accessed from the Security & Compliance Center. Regularly viewing this information enables you to stay one step ahead in ensuring that your organization meets its compliance and regulatory obligations, as well as allowing you to make logical adjustments to the existing compliance settings that you have already configured. The Microsoft 365 information governance dashboard provides you with visibility on the following details:
In order to view this information in the Security & Compliance Center, we need to take the following steps:
So, as you can see, there are a number of ways that you can keep track of your organization's compliance settings by accessing the reports and dashboards we described.
In this section, we introduced you to the information governance dashboard, which can be found in the Security & Compliance Center. This dashboard provides administrators with quick and easy access to a range of information and reports on how the compliance principles you applied to your Office 365 locations are enforced.
Next, we will show you how to set up retention tags and policies.
When working with retention in Office 365, there are two distinctly different methods that you can use.
For Exchange Online email content, you can configure retention tags and retention policies using the Compliance section of the Exchange admin center. This method is particularly relevant to the settings that are applied to users when they have an online archive enabled for their mailbox (which we will examine in more detail later in this chapter).
It is also possible to configure retention policies for Exchange Online and other locations in Office 365, including SharePoint Online, OneDrive, and Teams, from the Security & Compliance Center.
While using the Security & Compliance Center is now the preferred method of creating retention policies, the Exchange admin center method remains important as it is the only way that retention tags can be configured. In this section, we will show you how to create a retention policy using both of the methods described here.
Creating a retention policy from the Exchange admin center allows you to manage the email life cycle of your Office 365 users by creating retention tags, associating these tags with retention policies that are then applied to your email users. To create retention policies using this method, you must have the Messaging Records Management permissions, which are assigned to the Compliance Management, Organization Management, and Records Management roles.
The policy can be created by first creating or using an existing retention tag by completing the following steps:
For this example, we will select the option to create a personal retention tag that users can choose to apply to email items and folders. When applied, this tag moves items from the user's mailbox to their archive mailbox (if enabled) after a period of 2 years. This, and the other available retention tag options (such as Delete and Allow Recovery and Permanently Delete), are shown in the following screenshot:
New-RetentionPolicyTag -Name "Personal-2-year-move-to-archive" -Type Personal -AgeLimitForRetention 730 -RetentionAction MoveToArchive
New-RetentionPolicy -Name "Sales-Team" -RetentionPolicyTagLinks "Personal-2-year-move-to-archive","Deleted-Items"
Now that you have a retention policy with retention tags created, you can associate it with your chosen mailbox users from either the Exchange admin center or Exchange Online PowerShell. Details on how to complete this process can be found in the References section at the end of this chapter.
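The following Exchange Online PowerShell script is an added example, not the book's own code, and goes one step further than the text by also assigning the finished policy to mailboxes. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds one of the Messaging Records Management roles named above, and that the tag names, the policy name, the Department value and the addresses are placeholders.

```powershell
# Added example: build a Messaging Records Management retention policy from tags,
# assign it to a set of mailboxes, and verify the result.
# Assumptions: ExchangeOnlineManagement module installed; every name below is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# Personal tag (-Type Personal): users may apply it to items or folders themselves;
# it moves tagged items to the online archive after 2 years (730 days).
New-RetentionPolicyTag -Name "Personal-2-year-move-to-archive" -Type Personal `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive

# Default policy tag (-Type All): applies to every item without a more specific tag;
# deletes after 7 years but leaves the item recoverable for the deleted-item retention window.
New-RetentionPolicyTag -Name "Default-7-year-delete" -Type All `
    -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery

# Retention policy tag for the Deleted Items folder: clear it after 30 days.
New-RetentionPolicyTag -Name "Deleted-Items-30-days" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery

# Link the three tags into one policy.
New-RetentionPolicy -Name "Sales-Team" -RetentionPolicyTagLinks `
    "Personal-2-year-move-to-archive","Default-7-year-delete","Deleted-Items-30-days"

# Assign the policy to the target mailboxes (placeholder filter: the Sales department).
Get-Mailbox -ResultSize Unlimited -Filter "Department -eq 'Sales'" |
    Set-Mailbox -RetentionPolicy "Sales-Team"

# Confirm the assignment and list the tags the policy carries.
Get-Mailbox -ResultSize Unlimited -Filter "Department -eq 'Sales'" |
    Select-Object DisplayName, PrimarySmtpAddress, RetentionPolicy
Get-RetentionPolicy -Identity "Sales-Team" |
    Select-Object -ExpandProperty RetentionPolicyTagLinks

# Optional: process one mailbox now rather than waiting for the Managed Folder
# Assistant's normal cycle, so the new tags take effect immediately.
Start-ManagedFolderAssistant -Identity "jane.bloggs@contoso.example"   # placeholder address
```

A mailbox can carry only one retention policy, so assigning "Sales-Team" replaces the Default MRM Policy for those users; keep a default policy tag in every custom policy, otherwise untagged items are never aged out.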
Creating a retention policy from the Security & Compliance Center allows you to apply retention principles to all of your Office 365 locations, not just Exchange Online. The principles of retention using this method are described in the Understanding data governance and the retention requirements for your organization section of this chapter.
To create retention policies using this method, you need to complete the following steps:
The preceding steps show you how to create a simple retention policy. In the Settings section of the preceding setup wizard, you can also choose Advanced settings, which gives you additional options, as in the following screenshot:
Important note
If you wish to set up a retention policy to apply to Teams channel messages and Teams chats, you need to set up a separate retention policy for Teams only. If you select the option to protect Teams content with a retention policy, you will see that the other Office 365 locations are automatically deselected.
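The following Security & Compliance Center PowerShell script is an added example, not the book's own code. It illustrates both the retention policy described in this section and the Preservation Lock feature and Teams-only rule mentioned earlier in the chapter. It assumes the ExchangeOnlineManagement module is installed (it provides Connect-IPPSSession), that the account holds a compliance administrator role, and that the policy and rule names are placeholders.

```powershell
# Added example: create retention policies in Security & Compliance Center PowerShell,
# keep Teams in its own policy, and apply Preservation Lock.
# Assumptions: ExchangeOnlineManagement module installed; all names are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder UPN

# 1. Organization-wide policy for Exchange, SharePoint and OneDrive:
#    retain content for 7 years (2555 days) from creation, then delete it.
New-RetentionCompliancePolicy -Name "Org-7-year-retain-delete" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All

New-RetentionComplianceRule -Name "Org-7-year-retain-delete-rule" `
    -Policy "Org-7-year-retain-delete" `
    -RetentionDuration 2555 `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# 2. Teams channel messages and chats go in a separate policy. As in the wizard,
#    Teams locations are not combined with the other Office 365 locations.
New-RetentionCompliancePolicy -Name "Teams-1-year" `
    -TeamsChannelLocation All -TeamsChatLocation All

New-RetentionComplianceRule -Name "Teams-1-year-rule" `
    -Policy "Teams-1-year" `
    -RetentionDuration 365 `
    -RetentionComplianceAction KeepAndDelete

# 3. Preservation Lock: after this, nobody (administrators included) can disable the
#    policy, shorten its duration or remove locations. Locations can still be added.
Set-RetentionCompliancePolicy -Identity "Org-7-year-retain-delete" -RestrictiveRetention $true

# Verify: RestrictiveRetention should now read True and the policy should be enabled.
Get-RetentionCompliancePolicy -Identity "Org-7-year-retain-delete" |
    Format-List Name, Enabled, RestrictiveRetention, ExchangeLocation, SharePointLocation, OneDriveLocation
```

Because the lock cannot be undone, test the unlocked policy against a pilot location first and only run the Set-RetentionCompliancePolicy step once the duration and locations are final.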
Let's now learn how to create a supervision policy.
With Supervision in the Security & Compliance Center, you can define policies to record email and third-party communications so that they can be reviewed at a later time. In order to configure a supervision policy, we need to complete the following steps:
Important note
Any emails in policies will be processed in close to real time, while chats in Teams may take up to 24 hours to be visible to a reviewer.
In this section, we showed you how retention policies can be used to retain, or retain then delete, content across your Office 365 locations based on the criteria that you set in your policies.
You learned that email-specific retention policies can be configured in the Exchange admin center and set to use retention tags. We also showed you how you can use the Security & Compliance Center to set retention policies for the other Office 365 locations, including SharePoint Online, OneDrive, and Teams.
Finally, we showed you how reviewers can use supervision policies to monitor email and third-party communications in your organization.
Next, we will look at in-place holds and litigation holds and how these can be used to preserve or recover data.
The requirement to preserve electronically stored information is something that compliance administrators in any organization need to be prepared for. In-Place Hold and Litigation Hold are features that enable you to achieve the following:
Important note
As of April 2020, the ability to create new in-place holds will be removed by Microsoft. From July 2020, the ability to manage existing in-place holds will also be removed. Therefore, in this section, we will only examine the process of configuring litigation holds.
With Litigation Hold, you can preserve the content of your users' mailboxes. The preservation of content applies not only to the users' inbox and sent items but also to their deleted items and to the original versions of any items that may have been modified. Should the user have an archive mailbox, this will also be placed on hold.
In order to place a mailbox on Litigation Hold, you need to complete the following steps:
You can also enable Litigation Hold on a user mailbox by using the Exchange Online PowerShell. To do this for our example user, Jane Bloggs, we need to run the following command:
Set-Mailbox [email protected] -LitigationHoldEnabled $true
As the preceding command does not specify a hold duration, the mailbox will be placed on indefinite hold. Should we wish to specify a hold duration, we would enter the command as follows:
Set-Mailbox [email protected] -LitigationHoldEnabled $true -LitigationHoldDuration 1000
The preceding command places the mailbox on hold for 1,000 days. Should you wish to place all of your user mailboxes on hold, you could use the following command:
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Set-Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration 2000
Once Litigation Hold is enabled on a mailbox, any items that are purged by the user are automatically preserved in accordance with the hold duration settings that were specified when the hold was enabled. Should no hold duration have been specified, then the item will be indefinitely preserved.
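The following Exchange Online PowerShell script is an added example, not the book's own code. It extends the commands above into a repeatable procedure: enable a hold with a recorded reason, verify it, report every user mailbox that is not yet on hold, and bulk-enable with per-mailbox error capture so that a licensing failure on one mailbox does not stop the run. It assumes the ExchangeOnlineManagement module is installed and that the addresses, the hold duration and the matter reference are placeholders.

```powershell
# Added example: enable, verify and audit Litigation Hold across user mailboxes.
# Assumptions: ExchangeOnlineManagement module installed; addresses and the
# legal matter reference are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# Enable a 7-year (2555-day) hold. LitigationHoldDate and LitigationHoldOwner are
# stamped automatically; the comment and URL record why the hold was placed.
Set-Mailbox -Identity "jane.bloggs@contoso.example" -LitigationHoldEnabled $true `
    -LitigationHoldDuration 2555 `
    -RetentionComment "Placed on hold for legal matter LM-0001 (placeholder reference)" `
    -RetentionUrl "https://intranet.contoso.example/legal/LM-0001"

# Verify the hold settings on that mailbox.
Get-Mailbox -Identity "jane.bloggs@contoso.example" |
    Format-List LitigationHoldEnabled, LitigationHoldDuration, LitigationHoldDate, LitigationHoldOwner

# Audit: every user mailbox that is NOT on Litigation Hold. The filter is applied
# client-side; -ResultSize Unlimited is needed once a tenant passes 1,000 mailboxes.
$notOnHold = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.LitigationHoldEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, LitigationHoldEnabled

$notOnHold | Export-Csv -Path ".\mailboxes-not-on-hold.csv" -NoTypeInformation
"$(@($notOnHold).Count) user mailbox(es) without Litigation Hold"

# Bulk-enable with error capture. Set-Mailbox fails for mailboxes that lack an
# Exchange Online (Plan 2) or equivalent licence, so collect those instead of stopping.
$failed = @()
foreach ($mbx in $notOnHold) {
    try {
        Set-Mailbox -Identity $mbx.PrimarySmtpAddress -LitigationHoldEnabled $true `
            -LitigationHoldDuration 2555 -ErrorAction Stop
    } catch {
        $failed += [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Error   = $_.Exception.Message
        }
    }
}
$failed | Format-Table -AutoSize
```

Rerunning the audit after the loop should leave only the licence failures in the "not on hold" list; those mailboxes need a Plan 2 (or equivalent) licence before the hold can be applied.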
Important note
In order for a user mailbox to be successfully placed on litigation hold, the user must be assigned at least an Exchange Online (Plan 2) license.
In this section, we described the principles of Litigation Hold and how it can be used to preserve the content within users' mailboxes in Exchange Online, even if they were deleted and purged by the user. We showed you how to use the Exchange admin center and Exchange Online PowerShell to enable or disable the Litigation Hold feature for either single users or all Exchange Online users.
You also learned that hold durations can be applied in days and if no duration is specified, then the content is preserved indefinitely or until the hold is explicitly removed.
Next, we will show you how to import data into Office 365 using the Security & Compliance Center.
When you have all of your mailboxes migrated to Exchange Online, it is possible—and highly likely—that some users in your organization will have one or more .pst files stored on their local computers. This is due to the fact that archiving older mailbox content from Exchange on-premises mailboxes used to be a standard operating procedure for most organizations due to the limited storage capacity of Exchange Mailbox databases.
This creates an issue in that although your users' main mailbox has been migrated and now resides in Exchange Online, there could also be a significant amount of mailbox data scattered across various devices within your environment and, as such, this data is not protected by the compliance features available within Office 365.
In order to help IT administrators solve this problem, Microsoft has provided the Import feature, which can be found in the Information governance section of the Security & Compliance Center, as shown in the following screenshot:
To use the Import feature, click on Import PST Files and you will then see the following options to import your PST files to Exchange Online:
To run an import job from the Security & Compliance Center, you need to complete the following steps:
AzCopy.exe /Source:<PST file folder> /Dest:<SAS URL> /V:<Log file folder> /Y
An example of how this might look is as follows:
AzCopy.exe /Source:"\\Fileshare\archive\psts" /Dest:"https://3c3e5952a2764023ad14984.blob.core.windows.net/ingestiondata?sv=2012-02-12&se=9999-12-31T23%3A59%3A59Z&sr=c&si=IngestionSasForAzCopy201601121920498117&sig=Vt5S4hVzlzMcBkuH8bH711atBffdrOS72TlV1mNdORg%3D" /V:"c:\upload\upload.log" /Y
The import job will now be shown as analyzed, as shown:
The process of using AzCopy and the .csv mapping file is quite complex, and more detailed instructions for both of these upload options can be found in the References section at the end of this chapter.
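The following PowerShell script is an added example, not the book's own code, covering the two pieces the text calls complex: running the AzCopy upload and producing the .csv mapping file that tells the import job which mailbox each .pst belongs to. The share path, log folder, AzCopy install path, addresses and the file-to-mailbox table are placeholders or constructed sample data; the column names in the mapping file are the ones the import job expects.

```powershell
# Added example: upload a folder of .pst files with AzCopy and build the mapping .csv.
# Assumptions: AzCopy v7 is installed in its default location; the share path, log
# folder, addresses and the owner table below are placeholders / constructed data.
$pstFolder = "\\Fileshare\archive\psts"
$logFolder = "C:\upload"
# The SAS URL grants write access to the ingestion container: treat it as a credential,
# read it in at run time rather than storing it in the script.
$sasUrl = Read-Host -Prompt "Paste the SAS URL shown by the import wizard"

# Upload using the same AzCopy v7 syntax the wizard shows (/Y suppresses prompts).
$azCopy = "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\AzCopy\AzCopy.exe"
& $azCopy /Source:$pstFolder /Dest:$sasUrl /V:"$logFolder\upload.log" /Y

# Which .pst belongs to which mailbox (constructed sample; in practice export this
# from your inventory). IsArchive = TRUE imports into the user's online archive.
$owners = @{
    "jbloggs-2016.pst" = @{ Mailbox = "jane.bloggs@contoso.example"; IsArchive = "TRUE" }
    "jbloggs-2018.pst" = @{ Mailbox = "jane.bloggs@contoso.example"; IsArchive = "TRUE" }
    "jdoe-old.pst"     = @{ Mailbox = "john.doe@contoso.example";    IsArchive = "FALSE" }
}

# One mapping row per .pst found on the share; files with no known owner are skipped
# and reported so they can be resolved before the job is started.
$rows = Get-ChildItem -Path $pstFolder -Filter *.pst | ForEach-Object {
    $owner = $owners[$_.Name]
    if (-not $owner) { Write-Warning "No mailbox mapped for $($_.Name); skipping"; return }
    [pscustomobject]@{
        Workload            = "Exchange"
        FilePath            = ""          # blank: files were uploaded to the root of ingestiondata
        Name                = $_.Name
        Mailbox             = $owner.Mailbox
        IsArchive           = $owner.IsArchive
        TargetRootFolder    = "/"         # "/" merges into the mailbox root; "/Imported" would nest it
        ContentCodePage     = ""
        SPFileContainer     = ""          # SharePoint-only columns, left empty for Exchange
        SPManifestContainer = ""
        SPSiteUrl           = ""
    }
}

# Write plain, unquoted CSV as in Microsoft's sample mapping file.
($rows | ConvertTo-Csv -NoTypeInformation) -replace '"', '' |
    Set-Content -Path "$logFolder\PstImportMappingFile.csv" -Encoding ASCII
```

Check the AzCopy log for failed transfers before uploading the mapping file in the wizard: a .pst listed in the mapping file that is missing from the container makes the job fail validation.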
Important note
In order to create import jobs from the Security & Compliance Center, you must use an administrative account that includes the Mailbox Import/Export permission.
In this section, we described the available options to upload .pst files to temporary Azure storage and then import them into the required user mailboxes in Exchange Online. You learned that there are two methods available to upload the .pst files to the Azure Storage location; these are network upload and drive shipping. Importing stray .pst files into Office 365 will ensure that the .pst files are subjected to your organization's compliance policies and settings.
In the final section of this chapter, we will examine the archiving options available within Microsoft 365.
The Microsoft 365 platform now also provides administrators with the means to import and archive third-party data. Much like the Import function of .pst files that we described in the previous section, this feature can be accessed from the Security & Compliance Center by navigating to Information governance | Import.
Choosing Archive third-party data will now direct you to the dedicated Microsoft 365 compliance center, which can be accessed at https://compliance.microsoft.com.
By choosing Data connectors, you will see the options in the following screenshot:
By clicking on Add a connector, you will see the options displayed in the following screenshot:
When you import third-party data, it can be subject to Microsoft 365 compliance principles, such as Litigation Hold and In-Place Archiving. Further details on how to complete the import of third-party data into Microsoft 365 can be found in the References section at the end of this chapter.
In addition to the ability to archive third-party data, administrators can also enable the In-Place Archive feature for users. Also referred to as Unlimited Archiving, this provides users with additional storage that is separate from their main mailbox. When enabled, the online archive triggers a retention policy tag in the default retention policy that is set to move mailbox items that are over 2 years old to the Archive mailbox. The In-Place Archive feature can be enabled from the Security & Compliance Center by navigating to Information governance | Archive. This will show you the full list of all the mailbox users in your Office 365 tenant. By selecting a user, you can click to enable the online archive, as in the following screenshot:
Once the online archive is enabled for a user, they will see it appear in their email profile beneath their main mailbox in Microsoft Outlook. It is also accessible via Outlook on the web. As this is an online archive only, it is not possible to cache the contents of this mailbox; therefore, you must have an internet connection in order to view the contents of your online archive.
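The following Exchange Online PowerShell script is an added example, not the book's own code. It enables the online archive for one user and then for every user mailbox that does not yet have one, verifies the result, and shows the move-to-archive tag in the default retention policy that the text refers to. It assumes the ExchangeOnlineManagement module is installed and that the addresses are placeholders.

```powershell
# Added example: enable and verify the online (in-place) archive.
# Assumptions: ExchangeOnlineManagement module installed; addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# Enable the archive for a single user.
Enable-Mailbox -Identity "jane.bloggs@contoso.example" -Archive

# Enable it for every user mailbox that has none yet. ArchiveStatus is 'None' until an
# archive is provisioned and 'Active' afterwards. Licensing errors are reported, not fatal.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ArchiveStatus -eq 'None' } |
    ForEach-Object {
        $address = $_.PrimarySmtpAddress
        try   { Enable-Mailbox -Identity $address -Archive -ErrorAction Stop }
        catch { Write-Warning "${address}: $($_.Exception.Message)" }   # usually a licence problem
    }

# Verify one mailbox: status, quota and the retention policy that feeds the archive.
Get-Mailbox -Identity "jane.bloggs@contoso.example" |
    Format-List ArchiveStatus, ArchiveName, ArchiveQuota, RetentionPolicy

# Size of the archive once items have been moved into it.
Get-MailboxStatistics -Identity "jane.bloggs@contoso.example" -Archive |
    Format-List DisplayName, ItemCount, TotalItemSize

# The tag(s) in the tenant whose action is MoveToArchive: by default this is the
# 2-year default policy tag that starts moving items once the archive exists.
Get-RetentionPolicyTag | Where-Object { $_.RetentionAction -eq 'MoveToArchive' } |
    Format-Table Name, Type, AgeLimitForRetention -AutoSize

# Optional, tenant-wide: let archives grow beyond the initial quota (auto-expanding archiving).
Set-OrganizationConfig -AutoExpandingArchive
```

Enabling the archive is what makes the 2-year move-to-archive tag in the default policy take effect; until the archive exists, that tag has nowhere to move items to.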
In this section, we explained how you now have the option to archive third-party data from the Security & Compliance Center so that content that is imported can be protected by the Microsoft 365 compliance features.
We also explained that the online (or in-place) archive can be enabled for your Exchange Online users to provide additional mailbox storage for your user mailboxes.
Important note
In order for a user to have an online archive enabled, they must be assigned either an Exchange Online (plan 2) license or an Exchange Online (plan 1) license with an Exchange Online Archiving license.
In this chapter, we introduced you to the principles of data governance and retention within a Microsoft 365 environment. We explained how to plan for the data governance and retention requirements for your organization by understanding your internal policies and industry obligations. We showed you how to navigate the Security & Compliance Center to view and interpret data governance reports and dashboards, and you also learned how retention policies can be applied from both the Exchange admin center and the Security & Compliance Center.
In addition, we explained how Litigation Hold can be used to preserve Office 365 data, even if a user has deleted it, how to import .pst files and third-party data into Office 365 via the information governance Import feature, and how the online archive can increase the capacity of Office 365 mailbox users with a separate archive mailbox.
In the next chapter, we will demonstrate the search and investigation tools available in Microsoft 365. You will learn how to use eDiscovery to carry out content searches, how to delegate eDiscovery permissions where appropriate, and how to manage eDiscovery cases.
a. Information governance | Archive
b. Records Management | Archive
c. Permissions | Archive
d. Mail flow | Archive
a. True
b. False
a. The Exchange admin center
b. The Security center
c. The Compliance center
d. The Security & Compliance Center
a. The hold will not be enabled.
b. The hold will be enabled with a hold duration of 365 days.
c. The hold will preserve content indefinitely.
d. The hold will be enabled, but will not apply.
a. True
b. False
a. The Security & Compliance Center
b. The Exchange admin center
c. The Compliance center
d. The Security center
a. You will receive a warning that you should create separate retention policies, but you will be allowed to proceed.
b. The retention policy will successfully be applied to all selected services.
c. The other services will be automatically de-selected from the policy.
d. The Teams selections will automatically be de-selected from the policy.
a. True
b. False
a. Globally
b. At the user level
a. Records Management
b. Mailbox Import/Export
c. Discovery Management
d. Recipient Management
Please refer to the following links for more information: