Data Retention in Microsoft 365

Data retention is important to many organizations, from supporting compliance initiatives to litigation and security investigations. Whether the issue is accidental or willful data destruction, organizations should evaluate their retention needs.  Consider that while Microsoft 365 provides sophisticated retention and litigation hold capabilities, lack of proper licensing or configuration can render data susceptible to destruction.  

By default, Microsoft 365 email (Exchange Online) allows users to delete emails from their mailboxes, including the ability to hard delete emails so that they are purged immediately from the system. If they are not hard deleted, emails transition through the Deleted Items folder to the Recoverable Items folder before being purged irrevocably from the system. This process typically takes between 20 and 30 days, at which time the deleted data is permanently destroyed.

Similarly, for SharePoint and OneDrive libraries, deleted files are sent to a Deleted Items folder, where they are recoverable for up to 30 days before being purged by the system. When a user is deleted, or their M365 license is removed, all their mail data and documents in Microsoft 365 are queued for 30-day destruction, if not overridden.  

Organizations can mitigate the risk of important information being destroyed by using Microsoft 365 retention policies. A retention policy can be applied to Exchange mailboxes and SharePoint libraries and governs how long data is kept, whether permanently or for a finite amount of time. When a finite amount of time is defined, the data in the system is automatically purged according to that policy. It is also possible to create multiple policies for different user groups, for example to apply a different retention policy to executives than to regular staff. This feature operates in conjunction with retention labeling to tag documents with individual retention periods. A litigation hold policy operates in a similar way to a retention policy, with the exception that all information is retained indefinitely for that individual until the litigation hold policy is removed.

Users subject to Litigation Hold or Retention Policies may continue to delete documents and emails. However, these items are retained within special retention folders that are inaccessible to the user but available to auditors and system administrators.

One of the main factors governing the ability to deploy litigation hold and retention policies is the level of licensing applied to Microsoft 365 accounts. Entry-level licensing, such as Business Basic, Business Standard and Exchange Online Plan 1, does not include the necessary Microsoft Purview license to enable retention. In addition, shared mailbox accounts are generally not covered by any retention or hold policies.

If your organization is in the habit of converting departed employee mailboxes into shared mailboxes to share and retain alumni data, it should be recognized that this data cannot be retained by the Microsoft 365 system and is at risk of destruction. Develop formal offboarding processes that reflect your organization’s data retention and preservation policies and that address both information transference and organization retention.
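One way to find the mailboxes described above, those with no hold protecting deleted mail, is to check the hold-related properties that `Get-Mailbox` returns in Exchange Online. This is an added example, not part of the original article: the function name `Get-RetentionGap` and the sample mailboxes are constructed for illustration, and the check does not look at licensing.

```powershell
# Added example (not from the article). Flags mailboxes with no litigation hold
# and no mailbox-scoped retention policy. Get-RetentionGap is a hypothetical name.
function Get-RetentionGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Mailbox
    )
    process {
        # InPlaceHolds lists holds and retention policies scoped to this mailbox.
        # Entries starting with '-' mark an exclusion from an organization-wide
        # policy, so they do not count as protection. Organization-wide policies
        # themselves are listed in (Get-OrganizationConfig).InPlaceHolds instead.
        $scopedHolds = @($Mailbox.InPlaceHolds | Where-Object { $_ -and $_ -notlike '-*' })
        if ($Mailbox.LitigationHoldEnabled -or $scopedHolds.Count -gt 0) { return }

        [pscustomobject]@{
            Mailbox               = $Mailbox.PrimarySmtpAddress
            Type                  = $Mailbox.RecipientTypeDetails
            RetainDeletedItemsFor = $Mailbox.RetainDeletedItemsFor
            Finding               = if ($Mailbox.RecipientTypeDetails -eq 'SharedMailbox') {
                'Shared mailbox with no hold'
            } else {
                'No litigation hold or mailbox-scoped retention policy'
            }
        }
    }
}

# Constructed sample objects shaped like Get-Mailbox output, so this runs offline.
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alumni.jdoe@contoso.example'; RecipientTypeDetails = 'SharedMailbox'
        LitigationHoldEnabled = $false; InPlaceHolds = @(); RetainDeletedItemsFor = '14.00:00:00' }
    [pscustomobject]@{ PrimarySmtpAddress = 'ceo@contoso.example'; RecipientTypeDetails = 'UserMailbox'
        LitigationHoldEnabled = $true; InPlaceHolds = @(); RetainDeletedItemsFor = '30.00:00:00' }
    [pscustomobject]@{ PrimarySmtpAddress = 'staff1@contoso.example'; RecipientTypeDetails = 'UserMailbox'
        LitigationHoldEnabled = $false; InPlaceHolds = @('mbx00000000000000000000000000000000:1')  # constructed id
        RetainDeletedItemsFor = '14.00:00:00' }
    [pscustomobject]@{ PrimarySmtpAddress = 'staff2@contoso.example'; RecipientTypeDetails = 'UserMailbox'
        LitigationHoldEnabled = $false; InPlaceHolds = @('-mbx00000000000000000000000000000000:1') # constructed id
        RetainDeletedItemsFor = '14.00:00:00' }
)

# Reports alumni.jdoe (shared, no hold) and staff2 (excluded from a policy).
$sample | Get-RetentionGap | Format-Table -AutoSize

# Against a live tenant (ExchangeOnlineManagement module):
#   Connect-ExchangeOnline
#   Get-Mailbox -ResultSize Unlimited | Get-RetentionGap
```

A mailbox reported here may still be covered by an organization-wide retention policy, so compare the results against `(Get-OrganizationConfig).InPlaceHolds` before treating them as unprotected.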

For organizations that wish to retain information, there are some key steps to take. 

  1. Develop a formal document and email retention policy that identifies all data types, their retention requirements and retention schedules.   This information should be published and incorporated into employee training plans.
  2. Deploy the correct licenses within Microsoft 365 to enable retention and set up procedures to enforce your corporate retention policy.  This includes Business Premium licenses, Enterprise Licenses and Exchange Online Plan 2 licensing.
  3. Ensure that common information assets, such as shared mailboxes and resources, are protected, or that there are retention exclusions for the data within these accounts.
  4. Prepare proper off-boarding procedures that can provide information transference, and that will ensure the data is retained.
  5. As an alternative to retention policies, third-party Microsoft 365 backup solutions can be utilized. However, these backups typically provide nothing more than permanent retention of data, and do not provide any granularity for automated selective destruction of information within the backup. In addition, this backup does not provide the tools to search or provide eDiscovery on data in backup, thereby requiring additional steps to restore and make that data available for discovery.

Compliance and retention are two cornerstones of meeting Federal or State regulatory requirements, as well as your organization’s internal auditing, compliance, legal and other requirements. Microsoft 365 has all the tools that organizations should require to satisfy these requirements, provided they are properly defined, licensed and deployed. eMazzanti Technologies can assist customers with developing strategies around information retention, ensuring those strategies are deployed correctly.

Greg Smith