© Erica Toelle 2021
E. Toelle, Microsoft 365 Compliance, https://doi.org/10.1007/978-1-4842-5778-4_8

8. Information Governance

Erica Toelle, Seattle, WA, USA

Information governance is a collection of solutions that help you manage your organization’s life cycle of content. It allows you to keep what you need and delete what you do not need. Information governance includes tools for retention and deletion, importing PST files into Microsoft 365, and using the mailbox archive and unlimited archive to store large mailboxes. In the first part of this chapter, we will discuss the different retention methods available in Microsoft 365. We will then discuss how to import PST files into Microsoft 365 and, finally, how to enable archive and unlimited archive mailboxes.

An Introduction to Retention and Deletion Policies

Retention reduces the litigation risk that comes from keeping expired content, and it reduces the risk of a security breach by deleting unneeded content. Retention also reduces the risk of regulatory fines caused by deleting files too early. It helps your organization be more productive by having only relevant content available in search and content repositories. Lastly, it supports all your security and compliance efforts because there is a smaller volume of content to manage.

Microsoft 365 can help you retain or delete content. This functionality ensures you cannot accidentally delete the content before you should delete it. It can also help you to remove content permanently at the end of the retention period. For example, Microsoft 365 could help you retain project documents three years after the project is complete. These policies can also help you automatically delete content. For example, many organizations do not want to keep Teams chat messages. A deletion policy can automatically delete Teams chats after 30 days to comply with your company policy not to store those chats.

There are two retention methods in Microsoft 365:
  • Retention policies

  • Retention labels

First, we will talk about retention policies. Then, we will move on to retention labels and deploying retention labels using retention label policies.

I have a quick note before we move on. Information Governance and Records Management are similar solutions. I would argue that the line between them is blurry and not well defined. One of the questions people frequently ask me is what solutions they can use with a specific license. To help answer that question, everything in this chapter requires an E3-type license, and everything in Chapter 9 requires an E5 license. Hopefully, this helps you understand the differences and make a case for purchasing E5 if you need that functionality.

What Are Retention Policies?

Retention policies apply general retention settings to broad areas of content. For example, you might want to retain all SharePoint content for three years or delete all Microsoft Teams conversations and chats after 30 days.

A benefit of retention policies is that they are easy to implement. You point a policy at sites or mailboxes, and that is it. Of course, you can configure the settings to make them more complex as needed. For example, if you want to follow a capstone approach for email, you will use retention policies: have one broad retention policy for everyone in your organization, and then target people who need a longer retention period with a different policy. You cannot categorize individual documents with retention policies; you can only apply retention policies to all content in a location. You can use retention policies to keep or delete information, and they are also the best choice for email for reasons that I will explain later.

Here are some common business scenarios for retention policies. Retention policies are suitable for content sources with a high volume of content, such as Teams chats and conversations, Yammer content, Skype conversations, and email. You would never be able to classify each Teams chat or email, nor would you want to.

Retention policies are also excellent if you are not a government or highly regulated organization. If you want to eliminate redundant, obsolete, or trivial content in your environment, retention policies are for you. You can also use retention policies as a catch-all policy for content that is not covered by another type of retention.

Licensing and Permissions

To use retention policies, every user in the managed location, such as every user who is a member of a SharePoint site with a retention policy applied to it, needs to have one of the following licenses:
  • Microsoft 365 E5

  • Microsoft 365 E3

  • Office 365 E5

  • Office 365 E3

If you are only managing data stored in Exchange Online, you could use a Microsoft 365 Business Premium license or an Exchange Online Archiving license.

For permissions, you would need the Retention Management role to create and configure retention policies. Microsoft includes this role in the following default role groups:
  • Compliance Administrator

  • Compliance Data Administrator

  • Organizational Management

Create a Retention Policy

To create a retention policy, visit the Microsoft 365 Compliance Center. In the left navigation, click “Information governance.” Click the “Retention” tab.
Figure 8-1. The retention policy overview screen in the information governance solution

This tab shows you an overview of all the retention policies currently in your organization, shown in Figure 8-1. It shows you who created the policy and when it was last modified. You can also click “Search” to search through your policies or export a list of retention policies.

To create a new retention policy, click “+ New retention policy.” This click will bring us to a wizard that asks us to name our policy. Be sure to choose a specific name to help you understand what the policy does and what locations it covers. You can also enter a description that only is seen by administrators. Click “Next.”
Figure 8-2. Retention policy settings in the information governance solution

Now, we will configure the retention policy settings, shown in Figure 8-2. Our first decision is if we want to retain content. You can choose
  • Retain items for a specific period

  • Retain items forever

  • Only delete items when they reach a certain age

If you want to retain content, you can choose to keep content for a certain number of days, months, or years. By default, you can select 5, 7, or 10 years, or choose custom to set your own duration. You can start the retention period based on the content creation date or the last modified date.

After the retention period is over, we can choose to delete the items automatically. In this case, the content follows the process described later in this chapter, in the section “How Deletion Works.” Or we can do nothing and leave the content unprotected by a retention period, in which case a user or an automated process can delete it.

If you retain items forever, they will be available to content search and eDiscovery even if an end user deletes the items.

If you want to delete content, you can only delete items when they reach a certain age. Again, we can select days, months, or years, and we can start the period based on the content creation date or the last modified date. The system starts the deletion process for all content older than that period almost immediately after you apply the policy.

You can also use advanced retention settings with retention policies. I will cover these options in the “Automatically Classify Content for Retention” section in Chapter 9. When you finish configuring your settings, click Next.
Figure 8-3. Choose the locations to apply your retention policy

The wizard will then ask us to choose locations where we want to apply the retention policy, shown in Figure 8-3. Your options are to select all locations, including Exchange email and public folders, SharePoint, OneDrive, and Microsoft 365 groups. I do not see many people using this option. Usually, they select one of the locations instead. These locations include Exchange email, SharePoint sites, OneDrive for Business, Microsoft 365 groups, Skype for Business, Exchange public folders, Teams channel messages, or Teams chats. Soon, you will also be able to choose Yammer groups or Yammer private messages as locations.

Please note that if you choose Teams channel messages or Teams chats as one of the location options, all the rest of the locations will be disabled. You would need to create a separate retention policy to manage content other than Teams.

You can also include or exclude certain locations, like specific sites or a particular person’s email mailbox. To do this, click the Edit button under the Include or Exclude header in the location row you want to manage. Choose the specific locations you want to include or exclude. These policy exceptions are subject to the following limits:
  • Exchange mailboxes: 1000

  • SharePoint sites: 100

  • OneDrive for Business accounts: 100

  • Microsoft 365 groups: 1000

  • Skype for Business users: 1000

  • Exchange public folders: Unavailable

  • Teams channel messages: 100

  • Teams chat users: 1000

  • Yammer groups: 1000

  • Yammer private message users: 1000

Let us use an example to explain these further. Say 3,000 people in your organization have a different retention policy than everybody else. You would need to create three retention policies to cover all 3,000 of those accounts because you can only specify up to 1,000 recipients per policy.

If you go that route, I highly recommend that you look at PowerShell to automate this process. Otherwise, it is impossible to keep track of these policies and members manually. Also, note that you can have up to 10,000 retention policies per tenant. However, for Exchange Online, the maximum number is 1,800. These numbers include retention policies, retention label policies, and legal holds.

When you finish configuring your locations, click Done to create your retention policy. The system will apply this policy within 24 hours to all the content locations.
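The 3,000-mailbox case above is exactly where scripting pays off. This is an added example, not code from the book: it splits a list of mailboxes that need a longer retention period into batches of 1,000 (the per-policy limit for Exchange mailboxes) and creates or updates one retention policy per batch. It assumes the ExchangeOnlineManagement module is installed; the CSV path, the policy name prefix, and the seven-year period are placeholders.

```powershell
# Added example (not from the book). One retention policy per batch of 1,000
# mailboxes, safe to re-run: existing policies are updated, not recreated.
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# Constructed input: a CSV with a single column named UserPrincipalName.
# @() keeps $users an array even when the file holds one row.
$users = @(Import-Csv -Path '.\long-retention-users.csv' |
    Select-Object -ExpandProperty UserPrincipalName |
    Sort-Object -Unique)

$batchSize     = 1000            # Exchange mailboxes allowed per retention policy
$retentionDays = 7 * 365         # seven-year retention (assumed requirement)
$policyPrefix  = 'Exchange-Retain-7y'   # placeholder naming convention

$batchNumber = 0
for ($i = 0; $i -lt $users.Count; $i += $batchSize) {
    $batchNumber++
    $last  = [Math]::Min($i + $batchSize, $users.Count) - 1
    $batch = @($users[$i..$last])
    $policyName = '{0}-{1:D2}' -f $policyPrefix, $batchNumber

    $policy = Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue
    if ($null -eq $policy) {
        # New batch: create the policy scoped to exactly these mailboxes ...
        New-RetentionCompliancePolicy -Name $policyName `
            -Comment "Batch $batchNumber of long-retention mailboxes (script-managed)" `
            -ExchangeLocation $batch | Out-Null

        # ... and the rule that carries its settings: keep for seven years from
        # the creation date, then delete (KeepAndDelete).
        New-RetentionComplianceRule -Name "$policyName-Rule" -Policy $policyName `
            -RetentionDuration $retentionDays `
            -RetentionComplianceAction KeepAndDelete `
            -ExpirationDateOption CreationAgeInDays | Out-Null
    }
    else {
        # Re-run: add only the mailboxes this policy does not already cover.
        # Assumption: each ExchangeLocation entry exposes the mailbox address as Name.
        $covered = @($policy.ExchangeLocation | ForEach-Object { $_.Name })
        $missing = @($batch | Where-Object { $covered -notcontains $_ })
        if ($missing.Count -gt 0) {
            Set-RetentionCompliancePolicy -Identity $policyName -AddExchangeLocation $missing
        }
    }
    Write-Host ('{0}: {1} mailboxes' -f $policyName, $batch.Count)
}
```

Keep the CSV under source control so the batch membership is reviewable; the script never removes a mailbox from a policy, which is also the only option once a policy is under Preservation Lock.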

Retention Policies with Preservation Lock

Preservation Lock puts restrictions on how a retention policy or retention label policy can be modified. No one – including a global admin – can turn off the policy, delete the policy, or make it less restrictive. This configuration might be needed for regulatory requirements and can help safeguard against rogue administrators.

When a retention policy is locked
  • No one can disable the policy or delete it.

  • Locations can be added but not removed.

  • You can extend the retention period but not decrease it.

To use Preservation Lock, first create the retention policy, and then apply the lock using PowerShell. Because administrators can’t disable or delete a policy after this lock is applied, enabling it is not available in the UI, which safeguards against accidental configuration.

For more information about this process, please see http://erica.news/PreservationLock.

Edit or Delete a Retention Policy

You cannot change some settings after you create a retention policy. These settings include
  • The retention policy name

  • The retention settings, except for the retention period

  • When to start the retention period

If you edit a retention policy, all items governed by the policy will inherit the new settings.

This update can take several days. When the policy replication across your Microsoft 365 locations is complete, you’ll see the retention policy’s status change from On (Pending) to On (Success).

Inactive Mailboxes

Inactive mailboxes retain mailbox content after employees leave the organization. Inactive mailboxes allow you to remove their Microsoft 365 license and account but keep certain content. Without using an inactive mailbox, the system retains the employee’s mailbox data for 30 days after removing the account.

A mailbox will automatically become inactive if the account’s content is subject to a litigation hold or retention policy. The inactive mailbox will continue to exist as long as the content meets one of those two conditions.

You can view a list of inactive mailboxes by visiting the information governance solution and the Retention tab and clicking Inactive mailbox in the toolbar.

This section covered everything you need to know about retention policies. The next section will cover the other method to apply retention or deletion policies – retention labels.

Retention Labels

What are retention labels? Retention labels allow you to label individual files with specific retention or deletion period. They also allow you to leverage advanced retention options, such as a file plan, disposition review, or event-based retention. Retention labels are also useful for finalizing content as an immutable record. We will cover these advanced retention options in Chapter 9. In this chapter, we will cover how to create a label and apply it manually to content.

When you ask an end user to label content manually, you present them with a list of potential retention labels to apply to content. It is best to keep the number of labels provided to them to a minimum. There are numerous psychology studies, such as Miller (1956), on the amount of data that a human can keep in their short-term memory. While there is no agreement on the exact range, they all find between five and nine labels to be the maximum number. But of course, they are not testing the user’s ability to remember and differentiate between records schedules. I have found that between two and three labels is best to ensure accuracy, such as asking users to label final content to declare it immutable manually. Three to four labels is okay. Suppose you give end users five to seven label choices. In that case, you are putting your accuracy level in danger unless you’ve already trained your organization to care about records management.

Licensing and Permissions

To use retention labels, each user needs one of the following licenses:
  • Microsoft 365 F3

  • Business Premium

  • Office 365 E1/A1

  • Office 365 F3

  • Standalone Exchange plans provide the rights for a user to benefit from manually applying non-record retention labels to mailbox data.

  • Standalone SharePoint plans provide the rights for a user to benefit from manually applying non-record retention labels to files in SharePoint or OneDrive.

For permissions, you would need the Retention Management role to create and configure retention labels. Microsoft includes this role in the following default role groups:
  • Compliance Administrator

  • Compliance Data Administrator

  • Organizational Management

Create a Retention Label

To create a retention label, go to the Microsoft 365 Compliance Center. In the left-hand navigation, click “Information governance” and click the “Labels” tab, shown in Figure 8-4. Please note that you could also create a label through the Records Management solution from the File plan tab.
Figure 8-4. Retention labels in the information governance solution

To create a new retention label, click + Create a label. This click will bring up a wizard that will ask you to name your label. This label cannot be the same name as a retention policy or sensitivity label. Try to make the name specific and add a description for administrators. You can also add a description to help end users understand when to use this label. Once you complete these fields, click Next.

You may see a screen for the file plan descriptors. I will cover this screen in Chapter 9. Click Next.

Figure 8-5. Retention label settings in information governance

The next screen shows the label settings, shown in Figure 8-5. The first decision is to choose one of the following:
  • Retain items for a specific period

  • Retain items forever

  • Only delete items when they reach a certain age

  • Don’t retain or delete items

Let us start with the option to retain items for a specific period. When selecting this option, by default, you can choose 5, 7, or 10 years or custom to select your duration in days, months, or years. You can trigger retention based on the creation date, the last modified date, the date you label the content, or an event type. We will cover event types and event-based retention in Chapter 9.

Optionally, you can use the label to declare content as a record or a regulatory record. Again, we will cover these topics in Chapter 9.

At the end of the retention period, you can
  • Delete items automatically: This choice will start the deletion process outlined in the “How Deletion Works” section of this chapter.

  • Trigger a disposition review: This option is only available with advanced licenses. We will cover disposition in Chapter 9.

  • Do nothing: Choosing this option means content will be left alone, without retention. A user or process can delete the file, or it will remain in its current location.

Our next option is to retain items forever. This option is self-explanatory.
Figure 8-6. Choices for a deletion label in information governance

The next option is to only delete items when they reach a certain age. Use this option to enforce the deletion of content rather than retention. Selecting this option allows some additional fields to appear, shown in Figure 8-6. First, decide how old content should be when the system enforces deletion. You can specify the number of days, months, or years. Then, choose how to trigger the deletion period. You can begin based on the creation date, the date last modified, or the date you label the content.

The last option is Don’t retain or delete items. Choose this option if you want only to label content but not enforce retention or deletion.

When you finish your selection, click Next. Here you can review your label settings and click Create label when you are happy.

Publish a Retention Label

For the label to appear to end users for manual labeling, you need to publish the label. You can publish one or many labels in the same policy. I recommend publishing all the labels for the target location in one policy. You can publish one label by checking the box next to it on the Labels tab and clicking Publish labels. Alternatively, you can publish many labels by clicking the “Label policies” tab and then “Publish labels.” This click will bring up a wizard.

The first step will ask you to choose labels to publish. Click the blue text that says “Choose labels to publish.” This click will bring up a list of all the labels in your environment. Check the boxes next to the labels you would like to deploy and click “Add.” This click will create a list of the labels you wish to publish. When you are happy with it, click “Next.”
Figure 8-7. Locations to publish a retention label in information governance

Now, you will choose locations where you will publish the labels, shown in Figure 8-7. These will be the labels that are available to end users to label their content manually. You can target the labels to these locations:
  • All locations. Includes content in Exchange email, Office 365 groups, OneDrive, and SharePoint documents

  • Exchange email mailboxes

  • SharePoint sites

  • OneDrive accounts

  • Microsoft 365 groups

You can include or exclude specific locations, such as a site or mailbox, within the preceding locations.

For example, let’s say you have a list of retention labels you want to publish to finance SharePoint sites. In this case, I would turn off all the locations except for SharePoint, and then I would click “Edit” in the Included column next to “All sites.” I would then paste in the URLs for each SharePoint site, one at a time. After going through the remaining publishing steps, within 24 hours, these labels will appear for manual labeling on the finance SharePoint sites.

Maintaining the list of finance sites and updating the policy could get quite tedious. Instead, you could automate managing the site list and policy using PowerShell. Another thing to note is that if you have connected your SharePoint sites to a Microsoft Team or their membership is managed with a Microsoft 365 group, you need to choose Microsoft 365 group as the location as opposed to SharePoint sites. The SharePoint site location will only work for sites that do not have their membership managed by a Microsoft 365 group.
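Here is one way to automate the finance-site list from the example above. It is an added example, not code from the book: it keeps a retention label policy's SharePoint site list in sync with a maintained list of site URLs, creating the policy on the first run and adding or removing sites afterwards. It assumes Connect-IPPSSession has been run and that the labels already exist; the policy name, label names, and input file are placeholders.

```powershell
# Added example (not from the book). Sync a label policy's SharePoint sites
# with a maintained list of finance site URLs.
$policyName = 'Finance-Retention-Labels'                               # placeholder
$labelNames = @('Finance Record - 7 Years', 'Finance Working Document')  # placeholders
$siteLimit  = 100   # maximum SharePoint sites you can include in one policy

# Constructed input: one site URL per line, e.g. https://contoso.sharepoint.com/sites/finance
$desiredSites = @(Get-Content -Path '.\finance-sites.txt' |
    Where-Object { $_ -match '^https://' } |
    ForEach-Object { $_.Trim().TrimEnd('/') } |
    Sort-Object -Unique)

if ($desiredSites.Count -gt $siteLimit) {
    throw "Policy '$policyName' would include $($desiredSites.Count) sites; the limit is $siteLimit. Split the list across policies."
}

$policy = Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    # First run: SharePoint is the only location. Sites whose membership is
    # managed by a Microsoft 365 group are deliberately not on this list; they
    # need the Microsoft 365 groups location instead.
    New-RetentionCompliancePolicy -Name $policyName `
        -Comment 'Publishes finance retention labels to finance sites (script-managed)' `
        -SharePointLocation $desiredSites | Out-Null

    # The rule is what publishes the labels. Passing several labels as one
    # comma-separated string is an assumption; publish one label per rule if it fails.
    New-RetentionComplianceRule -Name "$policyName-Rule" -Policy $policyName `
        -PublishComplianceTag ($labelNames -join ',') | Out-Null
    return
}

# Later runs: diff the desired list against the sites the policy covers now.
# Assumption: each SharePointLocation entry exposes the site URL as Name.
$currentSites = @($policy.SharePointLocation | ForEach-Object { $_.Name.TrimEnd('/') })
$toAdd    = @($desiredSites | Where-Object { $currentSites -notcontains $_ })
$toRemove = @($currentSites | Where-Object { $desiredSites -notcontains $_ })

if ($toAdd.Count -gt 0) {
    Set-RetentionCompliancePolicy -Identity $policyName -AddSharePointLocation $toAdd
}
if ($toRemove.Count -gt 0) {
    if ($policy.RestrictiveRetention) {
        # Preservation Lock: locations can be added but never removed
        Write-Warning "Policy '$policyName' is locked; cannot remove: $($toRemove -join ', ')"
    }
    else {
        Set-RetentionCompliancePolicy -Identity $policyName -RemoveSharePointLocation $toRemove
    }
}
```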

Once you are happy with the locations, click “Next.” Here you will enter a unique name for your policy and a description for admins. Click “Next,” and then review your settings. Click “Submit” when you are happy.

Please note that it will take up to one day for the labels to appear to the end users. Labels will appear only in Outlook mailboxes with at least 10 megabytes of data. Sometimes this requirement confuses people when they are testing labels in a non-production environment. They have fake user mailboxes that do not have 10 megabytes of data in their accounts, and they wonder why their labels do not show up.

Manually Apply a Retention Label

What do these retention labels look like to the end users? Figure 8-8 shows what the end user sees when they apply a retention label to a SharePoint document library.
Figure 8-8. Manually apply a retention label in SharePoint

The labels appear as a dropdown, just like any metadata in the property pane of the file. You can also show the retention label as a document library column. Please note that for SharePoint and OneDrive, any user in the default members group, which has the edit permission level, can apply a label to content.
Figure 8-9. Manually apply a retention label to an email

In Outlook, users can label one email at a time, shown in Figure 8-9. To do this, right-click an email and choose “Assign policy.” Then select the retention policy from the list that appears.

You can also manually apply labels in OneDrive. From OneDrive, select one or more documents. End users can choose the labels from the “Apply Retention Label” dropdown in the document property pane, similar to SharePoint.

Preservation Lock

Some regulatory requirements specify no one, including a global admin, can turn off the policy, delete the policy, or make it less restrictive. The Preservation Lock feature can fulfill this requirement. You can use Preservation Lock with both retention policies and retention label policies.

When you apply Preservation Lock to a retention policy
  • No one can disable the policy or delete it.

  • Locations can be added but not removed.

  • You can extend the retention period but not decrease it.

When you apply Preservation Lock to a retention label policy
  • No one can disable the policy or delete it.

  • Locations can be added but not removed.

  • Labels can be added but not removed.

You must understand the impact of using a preservation lock on a policy. Administrators won’t be able to disable or delete these policies. You cannot ask Microsoft support to disable or delete them. Once applied, they are permanent.
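Because a lock is permanent, it is worth keeping a standing report of which policies are locked, both to confirm a lock took effect and to find policies that a regulatory requirement says should be locked but are not. This is an added example, not code from the book; it assumes Connect-IPPSSession has been run and that the RestrictiveRetention property reflects the lock, as the procedure in this section shows.

```powershell
# Added example (not from the book): report every retention policy and
# retention label policy with its Preservation Lock state.
function Get-RetentionLockReport {
    # Get-RetentionCompliancePolicy returns retention policies and retention
    # label policies alike; -DistributionDetail adds the deployment status.
    foreach ($policy in Get-RetentionCompliancePolicy -DistributionDetail) {
        $rules = @(Get-RetentionComplianceRule -Policy $policy.Name)

        # A rule that publishes labels marks a retention label policy
        $kind = 'Retention policy'
        if ($rules | Where-Object { $_.PublishComplianceTag }) { $kind = 'Label policy' }

        [pscustomobject]@{
            Name       = $policy.Name
            Kind       = $kind
            Enabled    = $policy.Enabled
            Locked     = [bool]$policy.RestrictiveRetention
            Status     = $policy.DistributionStatus
            Exchange   = @($policy.ExchangeLocation).Count    # entries; "All" counts as one
            SharePoint = @($policy.SharePointLocation).Count
            Rules      = ($rules | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

# Everything, locked or not
Get-RetentionLockReport | Format-Table -AutoSize

# Only enabled policies that are not locked: the ones an administrator could
# still disable, delete, or weaken
Get-RetentionLockReport | Where-Object { $_.Enabled -and -not $_.Locked } | Format-Table -AutoSize
```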

To enable Preservation Lock, you must first create a retention policy or retention label policy. To apply a preservation lock, you must use PowerShell. This requirement is to prevent people from accidentally applying Preservation Lock in the user interface.
  1. Connect to Security and Compliance Center PowerShell.

  2. Find the name of the policy that you want to lock by running Get-RetentionCompliancePolicy. This command will output a list of your policies.

  3. To place a preservation lock on your policy, run the following cmdlet. Replace <Name of Policy> with the exact name shown in the list from step 2. Keep the quotation marks:

     Set-RetentionCompliancePolicy -Identity "<Name of Policy>" -RestrictiveRetention $true

  4. When prompted, read and acknowledge the restrictions that come with this configuration by entering Y. The prompt asks you to confirm that you want to lock the retention policy.

  5. You now have a preservation lock on the policy. To confirm, run this command:

     Get-RetentionCompliancePolicy -Identity "<Name of Policy>" | Fl

  6. You should see RestrictiveRetention set to True.


How Retention Works in Microsoft 365

To summarize, retention labels and retention policies are the two ways to apply retention in Microsoft 365. You can use one or both in the same environment. Now, let us go into how retention works once you have applied it to a document or location. We will discuss what happens if two retention periods could apply to the same document. We will also cover how Microsoft 365 deletes content once it reached the end of its retention period.

The Principles of Retention Policies

What if content qualifies for more than one retention policy? In that case, the system follows the principles of retention to decide what retention period and deletion action to apply to the content.

For information about how Microsoft resolves conflicts between two auto-apply retention labels, please see Chapter 9.
Figure 8-10. The principles of retention policies in Microsoft 365

We start at the top of the list, shown in Figure 8-10. If one of the principles resolves the conflict, we can stop, and we do not need to consider the rest of the principles. For example, the first principle states that retention wins over deletion. If you have one policy that retains content and one policy that deletes content, the former will be applied. The principles err on the side of caution.

If the first principle does not resolve the conflict, we go to the next principle: the longest retention period wins. If you have one policy that retains content for three years and one policy that retains content for seven years, the seven-year retention policy will apply.

The next principle states that explicit inclusion will always win over implicit inclusion. This principle means that the most specific policy will win. Because the previous principles have determined that the conflicting policies have the same retention period, this principle determines when to delete content. For example, let us say we have a retention policy of three years that applies to all content in all SharePoint sites. We also have a retention label of three years used on individual documents within sites. The retention period applied via the label will take precedence because it is more specific.

Finally, if none of the preceding principles resolve the conflict, the shortest deletion period wins. For example, let us say we have a policy that deletes Teams chats after 60 days and another policy that deletes them after 30 days. The 30-day deletion policy will win.
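To make the four principles concrete, here is an added example (not code from the book or from Microsoft) that models them as a decision procedure in PowerShell and runs it over the four cases in this section. The policy objects, the Explicit flag, and the use of Days as either the retention period or the deletion age are assumptions of the model; it decides only which period and action win and does not model where copies of a file are kept.

```powershell
# Added example (not from the book): a simplified model of the principles of
# retention. Each policy is a hashtable with Name, Action ('Retain' or
# 'Delete'), Days (retention period or deletion age; 0 = retain forever), and
# Explicit ($true for a label or an explicitly included location).

function Get-EffectiveDays {
    param($Policy)
    # "Retain forever" (Days = 0) outranks any finite period
    if ($Policy.Days -eq 0) { [int]::MaxValue } else { $Policy.Days }
}

function Resolve-RetentionConflict {
    param([Parameter(Mandatory)][object[]]$Policies)
    $candidates = @($Policies)

    # Principle 1: retention wins over deletion.
    $retaining = @($candidates | Where-Object { $_.Action -eq 'Retain' })
    if ($retaining.Count -gt 0) { $candidates = $retaining }
    if ($candidates.Count -eq 1) { return $candidates[0] }

    # Principle 2: the longest retention period wins (only retention policies have one).
    if ($retaining.Count -gt 0) {
        $longest = ($candidates | ForEach-Object { Get-EffectiveDays $_ } |
            Measure-Object -Maximum).Maximum
        $candidates = @($candidates | Where-Object { (Get-EffectiveDays $_) -eq $longest })
        if ($candidates.Count -eq 1) { return $candidates[0] }
    }

    # Principle 3: explicit inclusion wins over implicit inclusion.
    $explicit = @($candidates | Where-Object { $_.Explicit })
    if ($explicit.Count -gt 0) { $candidates = $explicit }
    if ($candidates.Count -eq 1) { return $candidates[0] }

    # Principle 4: still tied, so the shortest deletion period wins.
    return ($candidates | Sort-Object { $_.Days } | Select-Object -First 1)
}

# The four cases from this section (constructed inputs)
$cases = @(
    @{ Title = 'Retention vs. deletion'; Policies = @(
        @{ Name = 'Retain 3 years';        Action = 'Retain'; Days = 1095; Explicit = $false },
        @{ Name = 'Delete after 30 days';  Action = 'Delete'; Days = 30;   Explicit = $false }) },
    @{ Title = 'Longest retention period'; Policies = @(
        @{ Name = 'Retain 3 years';        Action = 'Retain'; Days = 1095; Explicit = $false },
        @{ Name = 'Retain 7 years';        Action = 'Retain'; Days = 2555; Explicit = $false }) },
    @{ Title = 'Explicit over implicit'; Policies = @(
        @{ Name = 'Site policy, 3 years';  Action = 'Retain'; Days = 1095; Explicit = $false },
        @{ Name = 'Label on file, 3 years'; Action = 'Retain'; Days = 1095; Explicit = $true }) },
    @{ Title = 'Shortest deletion period'; Policies = @(
        @{ Name = 'Delete chats after 60 days'; Action = 'Delete'; Days = 60; Explicit = $false },
        @{ Name = 'Delete chats after 30 days'; Action = 'Delete'; Days = 30; Explicit = $false }) }
)

foreach ($case in $cases) {
    $winner = Resolve-RetentionConflict -Policies $case.Policies
    '{0}: {1}' -f $case.Title, $winner.Name
}
```

Expected winners, in order: Retain 3 years, Retain 7 years, Label on file, and Delete chats after 30 days.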

How Deletion Works

Let us go into how deletion works with retention labels and policies, starting with SharePoint and OneDrive. This process uses a document library called the preservation hold library. The system creates this library when you enable retention on a site or OneDrive if it does not already exist. Only site collection administrators can see the library.
Figure 8-11. How retention policy deletion works in SharePoint and OneDrive

Our first example uses a retention policy. Let us say that you have applied a retention policy to a SharePoint site. Here is what happens to the file, illustrated in Figure 8-11. The behavior differs depending on whether the file already existed in the site when you applied retention:
  1. If someone attempts to modify or delete the file, the system checks whether the document has changed since you applied the retention settings.
     a. If the content already existed when you first applied the policy, and this is the first change since you applied retention, the system copies the content to the preservation hold library. This copy allows the person to change or delete the original content. The copy stays there until the end of the retention period. At the end of the period, the system moves the file to the first-stage recycle bin, where it exists until it is permanently deleted. The only exception is if an end user purges the first-stage recycle bin; in that case, the file moves to the second-stage recycle bin until deleted.

  2. If a user does not modify or delete the document during the retention period, it stays in the document library. At the end of the retention period, the file moves to the second-stage recycle bin.

The system only retains the latest version of each file unless we preserve the file using records versioning, which we will discuss later in this chapter. The system names each file in this format: [Title GUID Version#]. If a document is not deleted or modified while in a document library, then a version of the file will not be kept in the preservation hold library, shown in Figure 8-12 below.
Figure 8-12. The preservation hold library

Remember that you cannot do a disposition review on content preserved using a retention policy. You can only do a review using a label. Therefore, once the retention period on the file has passed, one of two things will happen. The file in the preservation hold library will be moved to the second-stage recycle bin where it will stay for 93 days. The system permanently deletes the data after 93 days.

Note

Only site collection administrators can view and access the preservation hold library and the second-stage recycle bin.

Files that exist only in the document library will be moved to the first-stage recycle bin. They will stay there until an end user empties the first-stage recycle bin or for 93 days. When we empty the first-stage recycle bin, the files are moved to the second-stage recycle bin until the end of the 93 days. Also, note that files in either recycle bin are not indexed in search and therefore are not available for eDiscovery.

If you’re using a retention label, the preservation and deletion process is more straightforward. If a document is retained in SharePoint or OneDrive using a retention label, the end user will get an error if they try to delete the document, shown in Figure 8-13 below. The error says, “The label that’s applied to this item prevents it from being edited or deleted. Check the item’s label for more details.” Honestly, I hate this error and wish that record labels used the preservation hold library method instead. An end user isn’t going to understand that message and can’t look up any information about labels. They won’t even know whether it’s a sensitivity or retention label that’s causing the error.
Figure 8-13. The error when deleting a file with a retention label

Once a label’s retention period has passed, a few things can happen:
  • If the label triggers a disposition review, then the file will follow the review process outlined in the preceding text. Once the review approves the disposal, the content is moved to the first-stage recycle bin and deleted after 93 days.

  • If the label deletes the content automatically, it is moved to the first-stage recycle bin and kept for 93 days.

  • If the label setting is to do nothing, the system leaves the content as is and takes no action.

[Figure 8-14: How retention policies work in Exchange]

Now let us look at how deletion works in Exchange, illustrated by Figure 8-14 above:
  1. If a user tries to delete an item, the item is moved to the hidden Recoverable Items folder in the user’s Exchange mailbox. It stays in that folder until the end of the retention period. A cleanup job that runs every 15–30 days then recognizes the expired item and permanently deletes it.

  2. If the item is not deleted or modified during that time, it simply stays in the user’s mailbox or archive folder until the end of the retention period. The same cleanup job then recognizes the expired item and permanently deletes it.

Now let’s put the information about retention principles and the deletion information together into one scenario. This scenario is useful if you are concerned about the exact location of the file throughout this process. What if a retention label and a retention policy cover the same file? Where does the file physically live in the site? An excellent article covers these scenarios in detail authored by Stefanie Bier and the technical editor for this book, Ryan Sturm. I encourage you to check it out: http://erica.news/LabelsAndPolicies.

[Figure 8-15: How retention policies and labels work together in Microsoft 365]

To summarize the article’s basic ideas, let us say we have three policies or labels that could apply to one file. This scenario is shown in Figure 8-15 above. These are
  1. Retention label: Keep for three years and then delete.

  2. Deletion policy: Delete after two years.

  3. Retention policy: Retain for ten years and then delete.
Following the principles of retention tells us the following:
  • The deletion policy is ignored, because retention wins over deletion while any retention period is still running.

  • The retention label deletes the file from the document library after three years.

  • The retention policy keeps a copy of the file for ten years and then deletes it.

The physical location of the file throughout this process is as follows:
  1. While users collaborate, Microsoft 365 keeps the file in the SharePoint document library.
    a. If someone tries to delete the file before three years have passed, the label prevents the action. The file stays in the library.

    b. If a user deletes the file between three and ten years, the file moves to the preservation hold library.

  2. After three years, the retention label moves the file to the first-stage recycle bin. Ninety-three days later, the system deletes that copy permanently.
    a. The system retains a copy of the file in the preservation hold library.

  3. After ten years, the system moves the preservation hold library copy to the second-stage recycle bin. After 93 days, the system permanently deletes the file.

This chapter has discussed retention policies, retention labels, and retention label policies. Additionally, we talked about how content is deleted from Microsoft 365 when it is subject to a retention policy and what happens when one document qualifies for two different retention periods. Next, we will switch gears to talk about how to import PST files into Microsoft 365 and how to enable an archive mailbox and unlimited archive.

How to Import Content into Microsoft 365

Import allows you to bulk-import PST files to Exchange Online mailboxes. People usually do this when they have old PST files sitting on a server. They may want to retain and dispose of the content or make the PST files available for eDiscovery.

There are two ways that you can import PST files to Microsoft 365. The first option uses network upload. The second option is to ship BitLocker encrypted hard drives to Microsoft. Each of these methods follows the same process.

First, we will want to collect the PST files. We need to discover where PST files exist in our organization and move them to one central location to upload them to Microsoft 365. We could also optionally prevent users from creating new PST files, so this is not an ongoing issue.

Second, we need to upload those PST files to a temporary Azure storage location. This upload is where the two options differ. If you have a reasonable amount of data, you could use the network upload option to get data into the Azure storage location yourself. However, if you have a lot of data and it would take too long to upload it yourself, you can ship the hard drives to Microsoft, and they will upload it for you.

It does not matter which method you use. Both approaches result in having your data in a temporary Azure storage location. After that, you will import the PSTs to the appropriate Microsoft 365 mailbox. We will talk about this process more in-depth in the rest of this section.

Permissions and Licensing

First, let us talk about permissions. You need the Mailbox Import Export role in Exchange Online to import PST files into Microsoft 365 mailboxes. By default, Microsoft 365 does not assign this role to any of the role groups in either Exchange Online or the Microsoft 365 Compliance Center. You will need to add that role to an existing role group, or create a new role group and add someone to it. Creating a dedicated group keeps the import right separate from broader Exchange administration. Follow these steps to complete this assignment:
  1. Visit the Exchange admin center here: https://admin.exchange.microsoft.com/.

  2. In the left navigation, click Roles > Admin roles.

  3. Click Add role group.

  4. Name the new role group. Click Next.

  5. Scroll down until you find the Mailbox Import Export role. Check the box next to it. Click Next.

  6. In the Members field, enter the user account that should have this role.

  7. Click Next and Add role group.

  8. Wait at least 15 minutes for the changes to propagate.
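The same assignment can be scripted, which is easier to repeat and to audit than clicking through the portal. The following is an added example, not code from the book: it creates a role group that holds only the Mailbox Import Export role, adds one account to it, and then lists every account that effectively holds the role so you can spot an over-broad assignment. The group name and the member address are placeholders; it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not from the book): least-privilege role group for PST import.
# Placeholders: $groupName and $member. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$groupName = 'PST Import Operators'      # assumed group name
$member    = 'pst-admin@contoso.com'     # assumed account that will run the imports

# Create the group with only the one role; if it already exists, just add the member
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName `
                  -Roles 'Mailbox Import Export' `
                  -Members $member `
                  -Description 'May import and export PST files; no other Exchange rights' | Out-Null
}
else {
    Add-RoleGroupMember -Identity $groupName -Member $member
}

# Verify who effectively holds the role, including members inherited through other groups.
# Anything beyond the accounts you expect (for example the whole Organization Management
# group) is a sign the role was added somewhere broader than intended.
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
    Select-Object RoleAssigneeName, EffectiveUserName, AssignmentMethod
```

Allow the same 15 minutes for the assignment to propagate before starting an import job.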

     
Additionally, to create an import job in the Compliance Center, you must have one of the following roles:
  • Mail Recipients role in Exchange Online. By default, this role is assigned to the following role groups:
    • Organization Management

    • Recipient Management

  • You could also be a global administrator.

To import PST files into Microsoft 365, you need one of the following licenses for each user to receive an import:
  • Microsoft 365 E5

  • Microsoft 365 E3

  • Office 365 E5

  • Office 365 E3

  • Office 365 E1

Also, note that to use the drive shipping option, you must have a Microsoft Enterprise Agreement. Drive shipping is not available through Microsoft Products and Services Agreement.

Using a network upload to import PST files is free, but drive shipping is not. We will get into the specific pricing structure for drive shipping in the “Drive Shipping” section later in this chapter.

Use Network Upload

Network upload is unfortunately not available everywhere. It is only available in the United States, Canada, Brazil, the United Kingdom, France, Germany, Switzerland, Norway, Europe, India, East Asia, Southeast Asia, Japan, Republic of Korea, Australia, and United Arab Emirates (UAE). Network upload will be available in more regions soon. You can import content into either an active or an inactive mailbox. If you are in an Exchange hybrid environment, you can import it into an online archive mailbox.

Before you begin, you must collect all the PST files for the import into one location. You must locate the PST files in a file share or file server in your organization.

There is some information to consider before we start. The speed of the upload depends on the capacity of your network. It typically takes several hours for each terabyte of data to be uploaded to the Azure storage area for your organization. If, for example, you are trying to upload 100 TB of data, that could take anywhere from 10 days to 100 days, depending on network capacity. This situation is where drive shipping might be a better option. After you copy the PST files to the Azure storage area, the system imports a PST file to a Microsoft 365 mailbox at a rate of at least 24 gigabytes per day. This rate is the same, whether you are using the network import or the drive shipping option.

If you import different PST files to different target mailboxes, the import from Azure to the mailboxes runs in parallel: each PST-to-mailbox pair is processed simultaneously. Likewise, if you import multiple PST files to the same mailbox, they are imported simultaneously. Each of these import threads runs at a rate of at least 24 gigabytes per day.

The Azure storage location keeps the data for 30 days, after which the system deletes the content. You can import up to 500 PST files per import job, and each PST file cannot be larger than 20 GB. Individual items larger than 150 MB are skipped during import. Watch the Exchange Online mailbox size: you may need to turn on the archive mailbox or auto-expanding archive if you import a large amount of data into mailboxes that are already full. You can import a maximum of 100 GB into one archive mailbox. We cover the archive mailbox functionality in the next section.
[Figure 8-16: The Import tab overview in the information governance solution]

To start an import PST process, visit the Microsoft 365 Compliance Center. In the left navigation, click Information governance. Then click the Import tab, shown in Figure 8-16. Here, you can see a breakdown of how much data is currently in your organization, including PST imports and third-party connectors. You can also see a list of previous PST imports, including the name, creation date, status, and progress information. You can also download a list of past import jobs or a list of the PST files contained in the import. Lastly, you can search for an import or refresh the list.

To start an import, click New import job. This click will bring you to a wizard where you first are asked to provide a name for your job. This name needs to be 2–64 lowercase letters, numbers, or hyphens. It must start with a letter and contain no spaces. Once you complete the Name field, click Next. Now, you will choose whether you want to upload or ship your data. In this example, we will choose to upload our data. Click Next.
[Figure 8-17: Instructions to prepare for data upload]

The next screen has the steps you need to complete to import your data, shown in Figure 8-17. First, you will want to review the companion guide or Microsoft’s instructions for uploading email PST data. You can click the first blue link to read that information.

Next, you will get the SAS URL for the network upload. The SAS URL embeds a shared access signature that grants write access to your organization’s temporary Azure storage location, so anyone who obtains it can upload data there. Keep it confidential, just as you would any other password, and do not paste it into scripts, tickets, or chat. Click Copy the secure storage key and then Copy to clipboard.

Now, you need to use the Azure AzCopy tool to upload your files. The link provided in the instructions points to AzCopy 8.1, and the command in the next step uses the 8.x switch syntax (/Source:, /Dest:, /V:, /Y). AzCopy version 10 (available here: http://erica.news/AzCopy10) uses a different command form (azcopy copy <source> <destination>), so make sure the version you install matches the command syntax you run; the 8.x switches do not work with version 10.

Save the downloaded file in a location that is easy to access through a command prompt:
  1. Open a command prompt on your local computer.

  2. Navigate to the directory where you put the AzCopy.exe file.

  3. Run this command, modifying it to include your parameters:
     AzCopy.exe /Source:<Location of PST files> /Dest:<SAS URL> /V:<Log file location> /Y
    a. /Source: The file path of your PST files. Surround the file path with quotes, that is, “file path”.

    b. /Dest: Paste the SAS URL that you copied earlier, also in quotes.

    c. /V: Pick a location to store the log file. This location can be anywhere on your machine. Surround the file path with quotes, that is, “file path”.

    d. /Y: This switch allows the use of write-only SAS tokens when you upload the PST files to the Azure storage location.

If there are any errors, AzCopy reports them in the console and in the log file so you can resolve them before moving on.

Then we will prepare the CSV mapping file. First, download the CSV mapping file template provided by Microsoft: http://erica.news/PSTImportMap. Here is how you complete the information:
  • Workload: Exchange.

  • File path: Leave that blank unless you uploaded the PST files into a subfolder. If you did, enter the subfolder name.

  • Name: This is the name of your PST file. It is case sensitive, and you need to include the file extension (.pst).

  • Mailbox: The email address for the mailbox where you put the data.
    • If you want to use an inactive mailbox, put the mailbox GUID in this field. To get the GUID, run the following PowerShell command in Exchange Online:

Get-Mailbox <identity of inactive mailbox> -InactiveMailboxOnly | FL Guid
  • IsArchive: Use TRUE or FALSE. If TRUE, the process will import the data into the user’s archive mailbox. If FALSE, it will import it into their primary mailbox. The user must have an archive already enabled to use the TRUE option. We go over the archive in the next section of this chapter.

  • TargetRootFolder: Specifies where in the mailbox the process will place the data. For example, if you leave it blank, the import job will create a folder called “Imported” at the same level as the inbox.
    • Use /YourFolderName to change the folder name from “Imported” to what you specify.

    • Use /Inbox to merge the messages with what currently exists in the inbox.

    • Use /Inbox/YourFolderName to create a new folder under the inbox if it does not exist yet.

  • ContentCodePage: We mostly use this field to import folder names in Chinese, Japanese, and Korean (double-byte characters) correctly.
  • SPFileContainer: Leave blank.

  • SPManifestContainer: Leave blank.

  • SPSiteUrl: Leave blank.

When you finish, check the two boxes for “I’m done uploading my files” and “I have access to the mapping file.”
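The upload and the mapping file are the two steps most often done by hand and most often done wrong (a misspelled file name, a PST over the size limit, a mailbox that does not exist). The following is an added example, not code from the book, that does both for a folder of collected PST files: it checks the job limits described above, writes a mapping file with exactly the column order of Microsoft’s template, verifies that each target mailbox resolves, and then uploads with the AzCopy 8.x switch syntax. Assumptions, all placeholders: PST files are named <alias>.pst and map to <alias>@contoso.com, AzCopy.exe 8.x is in the current directory, the folder paths shown exist, and the SAS URL is typed in at the prompt rather than stored in the script.

```powershell
# Added example (not from the book): build PstImportMappingFile.csv and upload the PSTs.
# Placeholders: folder paths, $domain, the <alias>.pst naming convention, AzCopy 8.x in the
# current directory. The mailbox check needs a connected Exchange Online PowerShell session.
Connect-ExchangeOnline

$pstFolder = 'C:\PSTImport\files'                      # assumed share holding the collected PSTs
$mapping   = 'C:\PSTImport\PstImportMappingFile.csv'   # written outside $pstFolder so it is not uploaded
$logFile   = 'C:\PSTImport\logs\upload.log'
$domain    = 'contoso.com'
$sasUrl    = Read-Host -Prompt 'Paste the SAS URL for the import job'   # secret; never hard-code it

# Enforce the service limits before spending hours on an upload
$psts = Get-ChildItem -Path $pstFolder -Filter '*.pst' -File
if ($psts.Count -eq 0)   { throw "No PST files found in $pstFolder" }
if ($psts.Count -gt 500) { throw "Too many PST files for one job ($($psts.Count) > 500)" }
$tooBig = $psts | Where-Object { $_.Length -gt 20GB }
if ($tooBig) { throw "PST files over 20 GB: $($tooBig.Name -join ', ')" }
$badName = $psts | Where-Object { $_.Name -match '[,"]' }
if ($badName) { throw "Rename files containing commas or quotes: $($badName.Name -join ', ')" }

# One row per file, in the template's column order. FilePath is blank because the files sit in
# the root of the storage container; IsArchive is FALSE (primary mailbox); TargetRootFolder is
# blank so the service creates an "Imported" folder next to the Inbox; the rest stay blank.
$header = 'Workload,FilePath,Name,Mailbox,IsArchive,TargetRootFolder,ContentCodePage,SPFileContainer,SPManifestContainer,SPSiteUrl'
$rows = foreach ($f in $psts) {
    "Exchange,,$($f.Name),$($f.BaseName)@$domain,FALSE,,,,,"
}
Set-Content -Path $mapping -Value (@($header) + $rows) -Encoding UTF8

# Every target mailbox must resolve, or the wizard's Validate step will reject the file
foreach ($r in $rows) {
    $mbx = ($r -split ',')[3]
    if (-not (Get-Mailbox -Identity $mbx -ErrorAction SilentlyContinue)) {
        Write-Warning "Mailbox not found: $mbx (fix the mapping or use the inactive mailbox GUID)"
    }
}

# Upload with AzCopy 8.x syntax. /Y permits the write-only SAS token the import service issues.
& .\AzCopy.exe "/Source:$pstFolder" "/Dest:$sasUrl" "/V:$logFile" "/Y"
if ($LASTEXITCODE -ne 0) { throw "AzCopy failed; see $logFile" }
Write-Host "Uploaded $($psts.Count) PST files; mapping file at $mapping"
```

The mapping file is written outside the upload folder on purpose: AzCopy sends everything in /Source:, and the import job expects only PST files in the storage location. If a target is an inactive mailbox, replace the address in the Mailbox column with the GUID returned by the Get-Mailbox command shown above.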

The next screen will ask you to select the mapping file. Click Select Mapping File and browse to the file. Click the Validate button, which checks for common errors. It will turn green if there are no errors. Click Save. Now, you will see a screen that says, “Success! You have added an import job into Microsoft 365.”
[Figure 8-18: Decide if you want to filter your data before importing it into Microsoft 365]

Now the process shows a screen that says status = analysis in process. You can walk away from the process and come back later. Click the import job name to check the status. When status = analysis complete, click the blue button that says Import into Office 365. This click will show you a screen with statistics about your data, asking you if you would like to filter it before importing it into Microsoft 365, shown in Figure 8-18. Select Yes or No and click Next.
[Figure 8-19: Filter the data from the PST files before import into Microsoft 365]

This screen allows you to filter the PST files’ data before the actual import into Microsoft 365. The graph on this page changes as you select filters. The gray color represents the total data in the PST files. The blue color is what the system will import based on your current filters. There is a separate graph for Email, Task, Calendar, and Unknown, shown in Figure 8-19. You filter the data on
  • Age: You can choose the age in year increments.

  • Type.

  • Users listed in the From field.

  • Users listed in the To field.

  • Users listed in the Cc field.

When you are happy, click Next. The next screen asks you to confirm your filter settings or your decision not to filter data. If you are happy, click Import data. The next screen tells you the job scheduled successfully, how much data it will import, and that you can check the progress column on the import page to see your import’s progress. Go ahead and close this wizard.

Now, we go back to the Import tab. Here you can see your import job, the current status, and the current pace. You can always click that job to have an information panel that shows you more detailed status information.

The detailed status information shows
  • The number of items imported

  • The number of items skipped because the file is corrupted

  • The number of items skipped because they are too large

  • The number of items skipped for another reason

  • Any status details

You can also see a summary of your data filters, the last modified time, the job type, and who created the job.

When you load your data into Microsoft 365, a few things happen. First, the PST import process checks for duplicate items and does not copy the items from a PST file to the mailbox or archive if a matching item exists in the target location.

If a PST file contains a mailbox item that is larger than 150 megabytes, the object will be skipped during the import process. The process does not change the original message metadata during the import process, and you cannot import a PST file that has 300 or more levels of nested folders.
[Figure 8-20: The finished PST import in a user’s mailbox]

Once the system completes the import, you can navigate to one of the mailboxes to view the files. Here I can see that I have my imported PST mailbox, shown in Figure 8-20.

The Microsoft 365 import service enables the retention hold setting for an indefinite duration after importing the PST files to a mailbox. The system does this hold, so the newly imported emails are not deleted right away by a retention policy. For example, let us say you have a retention policy on your mailbox that deletes emails older than three years. If you import emails older than three years and the system did not turn on the retention hold setting, it would delete all your newly imported emails.

If you’re happy having this hold on the mailboxes, you can leave it on indefinitely. Using PowerShell, you can turn the hold on or off, or set an end date so that it is released automatically on a date in the future. You specify that date relative to today; for example, if you wish to have the hold released in 120 days (about four months), set the end date to today plus 120 days.
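The following is an added example, not code from the book, showing the PowerShell side of this: it reads the hold state the import service left on a mailbox, gives the hold an end date 120 days out, shows the alternative of releasing it immediately, and finally lists every mailbox still on an open-ended hold so that imports nobody followed up on do not keep old mail forever. The mailbox address and the 120-day window are placeholders.

```powershell
# Added example (not from the book): manage the retention hold left behind by a PST import.
# Placeholders: $mailbox and $days. Requires a connected Exchange Online PowerShell session.
Connect-ExchangeOnline

$mailbox = 'imported-user@contoso.com'
$days    = 120

# Current state: after an import, RetentionHoldEnabled is True and EndDateForRetentionHold is empty
Get-Mailbox -Identity $mailbox |
    Format-List RetentionHoldEnabled, StartDateForRetentionHold, EndDateForRetentionHold, RetentionPolicy

# Option A: keep the hold but have it released automatically $days days from today
Set-Mailbox -Identity $mailbox -EndDateForRetentionHold (Get-Date).AddDays($days)

# Option B: release the hold now; the mailbox's retention policy then processes the imported
# items on its next pass, so items older than the policy's age limit are acted on
# Set-Mailbox -Identity $mailbox -RetentionHoldEnabled $false

# Audit: mailboxes on a retention hold with no end date, which is exactly what an import leaves
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RetentionHoldEnabled -and -not $_.EndDateForRetentionHold } |
    Select-Object DisplayName, PrimarySmtpAddress, StartDateForRetentionHold
```

Option A is the safer default: the imported mail stays until the end date you chose, and the hold then clears without anyone needing to remember it.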

Drive Shipping

Now, let us talk about the drive shipping import option. Drive shipping is a way you can import PST files at scale to Microsoft 365. You must have an Enterprise Agreement with Microsoft to use this method. With drive shipping, you physically ship the hard drive to a Microsoft data center. When Microsoft receives the hard drive, data center personnel will upload the PST files on the hard drive to your organization’s temporary Azure storage location. After your hard drive is received, it can take seven to ten business days to upload the PST files. Like the network upload process, Microsoft 365 would then analyze the data and the PST files and set filters to control what data gets imported. Subsequently, Microsoft would ship the hard drive back to you with the data intact.

The cost to use drive shipping to import PST files to Microsoft 365 is $2 USD per gigabyte of data. If you want to upload a terabyte of data, that would be $2,000. You can work with a partner to pay the import fee; you do not pay that directly to Microsoft. They only accept 2.5-inch solid-state drives or 2.5-inch or 3.5-inch SATA 2 or SATA 3 internal hard drives. They do not allow external hard drives. You can use hard disks up to 10 terabytes, and for import jobs, they will only process the first data volume on the hard drive. You must format your data volumes within NTFS, and you can ship a maximum of ten hard drives for a single import job, which equals an overall maximum of 100 terabytes for a single import job. You or your organization must have an account with FedEx or DHL because Microsoft will bill that account for the shipping cost when Microsoft returns it to you.

If you’re going to use this option, there are a lot more details you should know. Check out the documentation here: http://erica.news/DriveShipping.

Lastly, I will mention that if you want to import files and documents to SharePoint sites or OneDrive accounts, you can do that. There are several methods available that do not involve the Compliance Center. Microsoft provides a free SharePoint migration tool. You can also migrate using PowerShell. Or you could always use a third-party migration tool to move that data.

In this section, we reviewed why you would want to import data into Microsoft 365. We went into detail about how to do a network import job and briefly discussed drive shipping and file imports. Next, we will cover archive mailboxes and the unlimited archive.

Archive Mailboxes and Unlimited Archive

Archive mailboxes provide additional email storage for people in your organization. Using Outlook or Outlook web app, people can view messages in their archive mailbox and move or copy messages between their primary and archive mailboxes. After an archive mailbox is enabled, messages older than two years are automatically moved to the archive mailbox by the default retention policy assigned to every mailbox in your organization. Of course, you can customize this policy for your needs. People mostly use archive mailboxes to free up storage in their primary mailbox. With archive mailboxes, you can also enable unlimited archive, allowing unlimited space in the archive mailbox folder.

Licensing and Permissions

A user must be assigned an Exchange Online Plan 2 license to enable the archive mailbox. Microsoft includes this license by default in all E3 and E5 plans. If a user is assigned an Exchange Online Plan 1 license, you would need to assign them a separate Exchange Online Archiving license to enable their archive mailbox. Auto-expanding or unlimited archiving also supports shared mailboxes. An Exchange Online Plan 2 license, or an Exchange Online Plan 1 license with the Exchange Online Archiving license, is required to enable the archive for a shared mailbox.

You must be a global administrator in your organization or a member of your Exchange Online Organization Management role group to enable auto-expanding archiving for your entire organization or specific users. Alternatively, you must be a member of a role group assigned the Mail Recipients role to enable auto-expanding archiving for particular groups.

Enable Archive Mailboxes

Now let us look at how to enable archive mailboxes. You can find archive mailboxes in the Microsoft 365 Compliance Center. In the left-hand navigation, click Information governance and then the Archive tab.
[Figure 8-21: The Archive tab in the information governance solution]

Here you see a list of the organization’s users, their email address, and whether their archive mailbox is enabled or disabled, shown in Figure 8-21. The Export button downloads a report of all the users and whether their archive mailbox is enabled or disabled. You can refresh or search the list. Lastly, you can group the list by whether the archive mailbox is enabled or disabled.

If you would like to enable the archive mailbox, select one or more of the people in the list and click the toolbar’s Enable archive text. A warning will appear saying, “If you enable this person’s archive mailbox, items in their mailbox that are older than two years will be moved to the new archive. Are you sure you want to enable this archive mailbox?” Click Enable. You can also enable the archive through PowerShell.

You can disable archive mailboxes by selecting a user or multiple users and clicking Disable archive. In this case, Microsoft 365 will keep the archive for 30 days. If you reenable the archive within those 30 days, it will restore the archive to its prior state. After 30 days, the system deletes all content in the archive mailbox, and you cannot restore it. If you reenabled the archive after 30 days, it creates a new archive.
[Figure 8-22: Mailbox details in the archive solution]

You can also view mailbox information for each of the users to decide whether you should enable their archive. To do this, click a user from the archive location. A pane will open, shown in Figure 8-22. Here you can see their mailbox usage, including their quota information. If they already have an archive mailbox, you can see usage information for that too. Lastly, you can see their recoverable item usage.

Users can access the archive folder in the Outlook client or the web app. They cannot access the archive folder in the Outlook mobile client on a phone. Users can move content to and from the archive. A content search or eDiscovery search automatically covers both the archive and the primary mailbox for a user. The archive mailbox honors holds and retention policies.

There is a Default Exchange MRM Policy automatically assigned to the mailbox when the archive is enabled. This policy moves items older than two years to the archive. It also moves items in the Recoverable Items folder after 14 days to the archive Recoverable Items folder. You can replace this default policy with a custom MRM policy with any duration from the Exchange admin center.

Unlimited Archiving

After you enable archiving on a mailbox, the admin can also turn on an unlimited or auto-expanding archive. You will see the terms unlimited and auto-expanding used interchangeably in this section, Microsoft documentation, and other information, but they mean the same thing. Archive mailboxes start with a 100 GB quota, with a warning at 90 GB. Suppose a mailbox is placed on hold or assigned to a retention policy. In that case, the storage quota for the archive mailbox increases to 110 GB with a warning at 100 GB.

Once you have enabled unlimited archive, when the archive mailbox plus the Recoverable Items folder reaches 90 GB, it converts the mailbox to an unlimited archive. This conversion can take up to 30 days. Once that is achieved, the system automatically adds additional storage in 10 GB increments.

Sometimes the system moves folders and items in these folders to the auto-expanding archive. This move is so Microsoft can optimize storage. If it moves the whole folder, the folder name will remain the same. If it only moves a portion of the folder, the system will modify the folder name to be <folder name>_yyyy (Created on mmm dd, yyyy h_mm), for example, Project Falcon_2020 (Created on Dec 01, 2020 8_02).

Access the Unlimited Archive

You can access the unlimited archive using Outlook 2016, Outlook 2019 for Mac or Windows, or Outlook on the Web. You cannot access it from Outlook on mobile devices. If you want to search the unlimited archive, you need to search each folder separately. Do this by clicking the folder and choosing the current folder as the search scope. Item counts and read/unread counts might not be accurate. You can delete items in a folder, but not the folder itself. And you cannot use the Recover deleted items feature to recover an item that a user removed from an auto-expanded storage area.

Here are some warnings about the unlimited archive. Microsoft only supports the auto-expanding archive for mailboxes used by individual users, or shared mailboxes, with a growth rate that does not exceed 1 GB per day. A user’s archive mailbox is intended just for that user. Using journaling, transport rules, or auto-forwarding rules to copy messages to an archive mailbox is not permitted. Microsoft reserves the right to deny unlimited archiving in instances where someone uses a user’s archive mailbox to store archive data for other users, or in other cases of inappropriate use.

Here is how the unlimited archive works with each of the significant compliance tools:
  • eDiscovery: When you use an eDiscovery tool such as content search, it also searches the additional storage areas in an auto-expanded archive.

  • Retention: When you manage the mailbox with a retention policy, it also manages the unlimited archive.

  • Messaging Records Management or MRM: If you use MRM deletion policies in Exchange Online to permanently delete expired mailbox items, it also removes expired items in the auto-expanded archive.

  • Import service: You can use the Microsoft 365 import service discussed in the previous section to import PST files to a user’s auto-expanded archive. You can import up to 100 GB of data from PST files to the user’s archive mailbox.

Enable Unlimited Archiving

To enable unlimited archiving, you need to use PowerShell. You can enable it for the entire organization or just for specific people. After you turn it on for the organization, the system enables an auto-expanding archive for existing user mailboxes and for newly created user mailboxes. When you create user mailboxes, be sure to enable the user’s archive mailbox, because auto-expanding archiving only works on a mailbox that already has an archive. After you turn on auto-expanding archiving, you cannot turn it off. Instead of enabling it for every user in your organization, you might enable it only for the specific users who require a large archive storage capacity.

To enable unlimited archiving
  1. Connect to Exchange Online PowerShell.

  2. To enable unlimited archive for everyone, run the following command:
     Set-OrganizationConfig -AutoExpandingArchive

  3. To enable unlimited archive for specific users, run the following command:
     Enable-Mailbox <user mailbox> -AutoExpandingArchive
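Putting the two enable steps together with the size check you would do first, the following is an added example, not code from the book. It covers both the archive enablement described in the Enable Archive Mailboxes section and the per-user auto-expanding step above: it finds user mailboxes without an archive whose primary mailbox has grown past a threshold, enables the archive for them, enables auto-expanding archiving, and then reports the archive state for every user mailbox. The 80 GB threshold is a placeholder; the script assumes the ExchangeOnlineManagement module.

```powershell
# Added example (not from the book): enable archive + auto-expanding archive for large mailboxes.
# Placeholder: $thresholdBytes. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$thresholdBytes = 80GB

# Candidates: user mailboxes with no archive yet whose primary mailbox is at or above the threshold
$candidates = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    if ($mbx.ArchiveStatus -eq 'Active') { continue }
    $sizeText = (Get-MailboxStatistics -Identity $mbx.Identity).TotalItemSize.ToString()
    # TotalItemSize renders as "79.5 GB (85,358,600,192 bytes)"; keep only the byte count
    $bytes = [int64](($sizeText -replace '^.*\(([\d,]+) bytes\).*$', '$1') -replace ',', '')
    if ($bytes -ge $thresholdBytes) { $mbx }
}

foreach ($mbx in $candidates) {
    # Step 1: the archive mailbox must exist first. The Default MRM Policy will start moving
    # items older than two years into it.
    Enable-Mailbox -Identity $mbx.Identity -Archive | Out-Null
    # Step 2: one-way; once auto-expanding archiving is on for a mailbox it cannot be turned off.
    # Skip this line if Set-OrganizationConfig -AutoExpandingArchive is already on tenant-wide.
    Enable-Mailbox -Identity $mbx.Identity -AutoExpandingArchive | Out-Null
    Write-Host "Archive and auto-expanding archive enabled for $($mbx.PrimarySmtpAddress)"
}

# Verify: ArchiveStatus should read Active and AutoExpandingArchiveEnabled True for those users
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object DisplayName, PrimarySmtpAddress, ArchiveStatus, AutoExpandingArchiveEnabled, ArchiveQuota |
    Sort-Object ArchiveStatus -Descending
```

Because the second step is irreversible, run the script once with the two Enable-Mailbox lines commented out to review the candidate list before applying it.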

In this chapter, we covered the information governance solution. We started by discussing retention policies, including Preservation Lock and inactive mailboxes. Then we reviewed retention labels and how end users can manually apply them to emails and documents. We also covered the principles of retention and how retention deletion works in Exchange, SharePoint, and OneDrive.

Next, we discussed how to import PST files into Microsoft 365, either by uploading them over the network with AzCopy or via drive shipping. Lastly, we covered archive mailboxes and the unlimited archive.

In the next chapter, we will discuss records management. This overview includes file plans, record labels, regulatory record labels, disposition approval, and event-based retention. I also include advanced compliance features such as the auto-application of retention labels and advanced records versioning.
