A complete guide to Microsoft Exchange retention policies

Key Takeaways

• Exchange retention policies enable Messaging Retention Management (MRM) archiving and deletion.
• Compare MRM and Office 365 retention methods for hybrid vs cloud-only needs.
• MRM uses retention tags, policies, and Managed Folder Assistant to enforce schedules.
• Deploy by creating tags, configuring policies, applying single policy per mailbox.
• Implement retention actions and holds to automate archiving, deletion, and legal preservation.

_____________________________________________________________________________________________________________

Exchange Retention is the ability to retain and delete information in Microsoft Exchange Online. There are two ways that you can do this.

1. Messaging Retention Management (MRM), which helps you keep, archive, and delete information in exchange mailboxes. This approach works for both Exchange Online and Exchange on-premise for versions 2010, 2013, 2016, and 2019.
2. Office 365 Retention Labels and Retention Policies functionality that is available in the security and compliance center. This method uses a unified label to manage retention, deletion, disposition reviews, event-based retention, and more. You can use this for Exchange Online and other Office 365 services.

It’s important to note that both of these methods can work together, and you don’t have to choose one or the other. In this presentation, we are going to be covering messaging retention management.

We have an article focused on Office 365 Retention Labels and Policies, which you can find here.

Why is retention important?

An organization collects sensitive information as a part of running its business. While it can be tempting to keep information forever, such an approach brings several regulatory, security and organizational risks.

• Regulatory risks – Most jurisdictions with privacy and data regulations state that personal information should not be kept longer than is necessary for the purpose it was obtained. Failure to comply can cause significant financial penalties and reputational damage.
• Security risks – The more data you possess, the more that can be exposed in a data breach or ransomware attack. There are many examples of companies whose failure to follow retention schedules has led to former customers' details being leaked. In addition, improperly keeping outdated file formats can open the organization to additional security risks or more general system failures.‍
• Process risks – When you have less data to search, you can make decisions faster, basing them on relevant, correct information. Keeping outdated information raises the chance of making poor decisions based on outdated information, causing legal, financial, and reputational damage.

Retention schedules allow you to defensibly dispose of data in line according to applicable privacy and data regulation, and business needs. Such a process is referred to as data minimization.

Message Retention Management vs Office 365 Retention for Exchange

So, what is the difference between MRM retention and Office 365 retention? If you are running in a hybrid Exchange environment with both Exchange Online and Exchange on-premises, then you will want to use MRM because Office 365 labels only work with Exchange Online.

If you would like to use the expandable archive functionality in your organization, and you want to automate moving messages from email inboxes, set items, folders, and others to the expandable archive, you will need to do that using MRM. That functionality is not available in Office 365.

If you want to create a single retention policy that can work across all the primary Office 365 workloads, then you will want to look at Office 365 policies. Also, if you want the option to have multiple policies for one Exchange mailbox, then that is Office 365 retention.

Next, if you want to retain data in inactive mailboxes, your only option is Office 365 retention. If you use MRM retention, you will need to put them in the active mailbox on legal hold to ensure that you do not delete information.

Finally, if you want to manage retention for mail, calendar, public folders, conversation history, and more, that functionality is available in both MRM and Office 365.

It is important to note that Microsoft recommends using MRM retention to meet your mailbox archiving needs, but for everything else they recommend Office 365 retention for managing the retention and deletion of information.

What is Messaging Retention Management?

Now, let us focus more on messaging retention management and how it works. Firstly, what is Messaging Retention Management (MRM)? MRM manages retention, archiving, and deletion of mailbox items.

If you would like to configure Messaging Records Management, you would do that in the Exchange admin center found in the tenant administration area of Office 365.

Some things that you can do with MRM include:

1. Remove all messages after a specified period.
2. Move messages to an archive mailbox after a specified period.
3. Remove messages based on the folder location.
4. Allow users to classify messages.
5. Retain messages for eDiscovery purposes.

Now, you can do much more with MRM depending on your business needs, but these are just some common scenarios to get you started.

How Messaging Retention Management works in Exchange

Now, let us look at how MRM works. Firstly, you have the user mailbox. The user mailbox would have a retention policy applied to it. Within that retention policy, you might have a Retention Policy Tag that applies to the archive folder, for example.

You might have a tag that applies to the inbox, or one that applies to deleted items. There also might be Personal Tags that the Exchange administrator has made available to users so they can tag items that have meanings to them themselves.

Another option is to set what is called a Default Policy Tag on the entire mailbox. This approach is useful when you want to have a policy that covers items which have not been tagged by Personal Tags or Retention Policy Tag. It will cover all those non-tagged items.

Then there is something called the Managed Folder Assistant. It continually checks user mailboxes for new emails and items. When it finds one, if there is a retention policy that applies, it will tag each item with the specifics of the retention policy. It then watches the items, and when the retention period has passed, it will act specified in the tag.

The three action options are:

1. In place archive.
2. Permanently delete the item.
3. Delete and allow recovery.

So, you apply a Retention Policy to a mailbox. The tags define the retention period. The Managed Folder Assistant is that thing that applies retention, and it is the one that makes sure that actions happen at the appropriate time.

How to deploy messaging records management

There are three steps you need to follow to deploy MRM. Firstly, you need to create a retention tag. You will need to choose the tag type, name the tag, choose the retention action, and specify the retention period.

Next, you will need to configure the retention policy. This approach is how you link tags that you created in the first step to an overall retention policy.

Next, you would apply the policy to mailbox users and note that there is a limit of one policy per mailbox.

So let’s look at these steps in detail. Firstly, creating your retention tag. You will want to name the retention tag, choose one of the three retention actions, and then set the retention period in days.

What are MRM retention tags?

Here are the three types of MRM retention tags that are available.

Firstly, is the Default Policy Tag. This tag would apply automatically to the entire mailbox. It only applies to untagged items, which are mailbox items that do not have a retention tag applied directly or by inheritance from the folder. Only administrators can set up Default Policy Tags.

Next, we have Retention Policy Tag. These tags are applied automatically to a default folder instead of to the entire mailbox. For example, default folders are created automatically in all mailboxes, and they might include things like your inbox, deleted items, and sent items. These are also can only be created and applied by an administrator.

Lastly, we have a Personal Tag. This tag is used to manually label items and folders. Users can automate tagging by using inbox rules to either move a message to a folder that has a tag or to apply a personal tag to the message.

‍

To summarize this information, you might have a Retention Policy for Tag important folders such as the inbox and sent items. The Retention Policy Tag might set a stricter retention period to those two locations.

You can then have a Default Policy Tag that would apply to all the items in the mailbox except for the inbox and sent items folder.

Finally, you can have Personal Tags available to users that they can use to take individual messages either manually or to tag things that are in a user-created folder automatically. It is also important to note that the three retention actions are available in both the Default Policy Tag and the Personal tag. Retention Policy Tag cannot be used to move items to the archive.

Types of Exchange retention actions

Lastly, let us look at the three types of retention actions.

Firstly, you can use a retention action is to move items to an archive automatically. So, this would move the message to the user’s archive mailbox. However, if you have not set up archive mailboxes for your users, then no action would be taken. Just a reminder, the move to archive action is only available in a default policy in a personal tag.

The next possibility is to delete the item but allow recovery. So this is the same action as if a user clicked delete and empty their deleted items folder. In this case, if a retention period applies, those items are moved to the recoverable items folder in Exchange. This folder is a hidden folder that can be accessed by administrators and by eDiscovery. It will stay in the recoverable items folder until the retention period has passed.

Finally, you could have an action that permanently deletes the item. In this case, there will be no way to recover the message. It would not be available for eDiscovery or other purposes. The only exception is if you place the item or the mailbox on an in-place hold or a litigation hold to preserve the items for legal action.

Messaging Retention Management Retention Policies

Now, let us talk about MRM Retention Policies. There are some limits to what you can include in a retention policy. Firstly, remember that you can only apply one retention policy to a mailbox.

Within a policy, you can have one default Retention Policy Tag per folder. The Retention Policy Tag folders are listed in the right of the image and include things like calendar, drafts, notes, sent items, RSS feeds, conversation history, clutter archive, and more.

Next, you can have one Default Policy Tag that moves items to an archive. This tag applies to everything in the mailbox that you did not tag with a personal tag or a Retention Policy Tag.

Additionally, you can have one Default Policy Tag that can delete items, and then you can have one Default Policy Tag that deletes voicemail messages.

Moreover, then you can have any number of Personal Tags available. Keep in mind that users have a challenging time choosing between more than five to seven options, so you will want to ensure that between all these tags, there are not more than five to seven options per mailbox.

The managed folder assistant

Next, let us learn more about the Managed Folder Assistant. So this is the assistant that’s always running. It does not need to be scheduled or maintained, and it is what drives the retention actions.

Firstly, the managed folder assistant inspects the mailbox items. If it finds an item that should be subject to the retention period, it will stamp that with the proper retention policy.

Then within a work cycle, it will look for a new or move to mailboxes and then inspect new items as they enter the queue.

Finally, it periodically checks if the retention period on an item has passed. If it has passed, it will execute retention actions.

What retention policy has priority?

Now, it is logical that through this method, there may be more than one retention policy that could apply to an item. This diagram shows how we resolve these conflicts.

Firstly, if the item has a tag that has been explicitly used, meaning an end user manually tagged that item with a personal tag, then that will always be respected.

Next, if there is a folder in which the item sits that has a retention policy through a Retention Policy Tag, then that will have the next highest priority.

Finally, general mailbox policies through a Default Policy Tag would be applied if none of the other two methods had been used to implement the retention policy.

The default MRM policy

It is also important to note that when you first start with Exchange, there is a default MRM policy containing default tags that are available to all your users. If you do nothing, then these tags will still be available to users in their inbox.

These are the default tags. Keep in mind that you are able to delete these, modify them, or add new tags to the policy as long as it doesn’t violate the limits we described earlier.

How deletion of content works in Exchange

Next, let us look at how deletion works in Exchanged mailboxes and public folders.

Number one, the items are in the user’s email inbox or folders. If during the retention period, the content has been modified or deleted by the user, it will move it to the recoverable items folder for the duration of the retention period. However, if the content has not been modified or deleted during the retention period, it’ll just stay in the user’s mailbox.

Once the retention period has passed, there is a cleanup process that runs. By default, this cleanup process is 14 days, but you can configure it to be up to 30 days if you’d like to have more time. After the time has passed, it will permanently delete the object, and you will not be able to recover it.

What are retention holds?

Finally, there is a concept of retention holds that you will want to understand if you deploy MRM in your organization. This feature is meant to suspend retention when an employee has a long absence. This approach is because if you have policies that either move items to an archive or automatically delete messages, it is possible that retention will delete the emails by the time they return.

For example, let us say that an employee goes on a year parental leave. The organization has a policy that items are moved to the archive after three months and then deleted after nine months. That means that by the time the employee returns after a year, many months of emails will be unavailable and permanently deleted.

Retention holds do three things. Firstly, it suspends retention policies from processing on a mailbox. Secondly, it allows you to set a retention comment so everyone knows the mailbox is on hold. And third, you’ll want to set a beginning and end date for your retention hold. Keep in mind that you’ll want to set the end date to allow time to pass after the employee has returned to the organization. This approach gives the employee time to sort through their emails before you turn retention back on, and all the emails are archived or deleted.

‍

🎧 LISTEN

Why records managers must play a key role in reducing risk | Anne Cornish, RIMPA

‍

‍

How tags are applied manually to content

Now that we have discussed the administration of email retention, let us look at the end user’s experience.

End users can manually tag items with retention policies.

If they right click on an email, select assign policy, they will be able to see all the available retention policies. This list will contain both MRM retention policies as well as Office 365 retention policies. So again, please keep that in mind when planning your deployment.

Once you tag an item, a banner will appear in the email that names the retention policy, says the expiration date, and then states how many days before the item will expire.

You can apply a retention policy using rules. To do this, open the rules wizard, select the criteria to trigger the rule. Next, choose the action, apply retention policy.

You can click retention policy, and it will open a dialog box that lists all of your MRM and Office 365 retention policies. Now, whenever something meets the criteria of the rule, it will be labelled appropriately with the right retention period.

‍