In this article, we will do a deep dive into the various data retention strategies for Exchange Online, including steps on how to configure them and tips on when to use what.
2. Data architecture
Exchange Online is a Microsoft service that provides an integrated system for email, calendaring, messaging, and tasks. A number of Microsoft 365 cloud applications are included in Exchange Online: ToDo, MyAnalytics, Outlook, Contacts, and Calendar. In addition, Teams data such as chats and call summaries is also stored in Exchange Online. Exchange Online, therefore, serves as a data repository for two “wrapper” applications: Teams and Outlook.
3. Why do you need retention?
Statutory regulation & compliance:
Regulated industries such as healthcare, legal, and finance are required to retain data such as emails or documents for multiple years. The Sarbanes-Oxley Act, for example, specifies the standards for financial document record-keeping.
The mailbox storage limit for Exchange Online is 50 GB per mailbox in the Business Basic, Standard, and E1 subscriptions, and 100 GB per mailbox in the E3 and E5 subscriptions. Employees should not be forced to delete data once the storage limits are reached; at the same time, data that is no longer needed should be removed. Implementing retention policies can thus save storage costs by retaining only essential data.
Data retrieval in case of accidental deletion:
When an item is deleted, Outlook only retains your data for 30 days after deletion (check out this illustration to know more). Using retention helps you manage data deletion and recovery efficiently, thus increasing business productivity.
4. What happens when you delete Exchange Online data?
The diagram below shows the default data retention procedure in Exchange Online and how data can be restored by users and administrators within specific timeframes.
When a user deletes a mailbox item (from any folder other than the Deleted Items folder), it goes to the Deleted Items folder (or the first recycle bin). Here, it stays for 30 days within which a user can restore the item back to its original location.
If the item is deleted from the Deleted Items folder, or the 30-day period is over, it moves to the Recoverable Items folder. However, a user can also choose to soft delete an item (Shift+Delete) in any folder, which bypasses the Deleted Items folder and moves the item directly to the Recoverable Items folder.
The item stays in the Recoverable Items folder for 14 days by default, within which the user or the admin can choose to recover it back to its original location. This time period can be extended from 14 days up to 30 days by the administrator. Beyond that, the item is permanently deleted and cannot be retrieved unless a retention policy or legal hold is created.
When retention settings are applied to Exchange Online data, a timer job periodically evaluates items in the Recoverable Items folder. If an item doesn't match the rules of at least one retention policy or label to retain the item, it is permanently deleted (also called hard deleted) from the Recoverable Items folder. For more information on how the Recoverable Items folder retains different versions of the data, click here.
The sole purpose of the Recoverable Items folder is to quickly recover deleted items within a short period of time. It does not serve as a long-term effective retention strategy. Moreover, once the Recoverable Items folder reaches the storage quota, it cannot store any more items.
To enhance your data retention strategy, Microsoft provides two native Exchange Online retention mechanisms:
1) Messaging records management (MRM)
2) Retention policies and retention labels
In addition, administrators can use litigation hold to preserve data.
5. Data retention in Exchange Online
Here is a comprehensive flowchart of all data retention methods in Exchange Online:
5.1. Messaging Records Management (MRM)
5.1.1. What is Messaging Records Management?
Messaging Records Management or MRM is a feature of Exchange Online that allows administrators to manage the email lifecycle of their organization and implement effective retention strategies.
MRM in Exchange Online is configured using retention tags and policies in the Classic Exchange Admin Center (Click here to understand the differences between the Classic and New Exchange Admin Center).
Note: Microsoft now recommends using retention labels and policies instead of MRM. MRM can also be used side-by-side with retention policies and labels. The following section is relevant for businesses that are currently using MRM, as well as organizations that require moving messages to the archive.
5.1.2. How MRM works
Retention tags and retention policies
MRM in Exchange Online works using retention tags and retention policies. Administrators can group retention tags into a retention policy, and then apply the policy to a user’s mailbox.
Retention tags are used to apply retention settings to folders and individual items. These settings define the time period for which a message remains in a mailbox, and the action to be taken after the message reaches the specified retention age. When a message reaches its retention age, it is either deleted or moved to the user's
Retention tags can be linked to or unlinked from a retention policy at any time, and the changes automatically take effect for all mailboxes that have the policy applied.
Note: You can only apply one retention policy to a mailbox.
There are three different types of retention tags available: Default Policy Tag, Retention Policy Tag, and Personal Tag.
Default Policy Tag (DPT)
● Applies to untagged mailbox items, i.e., those that don't have a retention tag, directly or by inheritance from the folder.
● Where is it applied: Automatically applied to the entire mailbox
Retention Policy Tag (RPT)
● Applies to default folders such as Inbox, Deleted Items, Sent Items, and so on, that are automatically created in a mailbox.
● Where is it applied: Automatically applied to a default folder
Personal Tag (PT)
● Users can automate tagging by using Inbox rules to either move a message to a folder that has a particular tag or to apply a personal tag to the message.
● Where is it applied: Manually applied to items and folders
Who applies it
To learn more about the different retention tags, click here.
Actions involved when you deploy MRM
When creating retention tags, there are three actions you can choose from that will take place when the retention period is over. The actions are:
Delete and allow recovery:
This is similar to what happens when a user empties the Deleted Items folder. The items move to the Recoverable Items folder and stay there till the retention period has passed.
Move items to an archive automatically:
This moves the message to the user’s archive mailbox after the retention age is reached. However, no action will be taken if the archive mailbox has not been enabled. This action is only available for Default Policy Tags and Personal Tags.
Permanently delete:
If you choose this action, the message will be permanently deleted after the retention period. The only way this data can be found again is if it is placed on
5.1.3. How to deploy MRM?
There are three steps you need to follow to deploy MRM:
Step 1: Create a retention tag
In the Classic Exchange Admin Center, navigate to the ‘Compliance Management’ tab. Under ‘Retention Tags’, click the ‘+’ icon and select the type of retention tag you want to apply.
In the pop-up dialog box, name the tag, choose the retention action, and specify the retention period as shown below:
Step 2: Configure the retention policy
Under ‘Retention Policies’, select the ‘+’ icon.
In the pop-up dialog box, type the name you want to assign the retention policy. Next, click the ‘+’ icon to view all the retention tags available. Select the tags desired and add them to the policy.
Step 3: Apply the policy to mailbox users
Under the ‘Recipients’ tab, navigate to the user’s mailbox on which the policy must be applied and double-click the username. Under the ‘Retention Policy’ drop-down, select the desired policy and click ‘Save’.
To learn about personal tags and how users can self-assign these tags, click here.
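The same three steps can be scripted in Exchange Online PowerShell. The following is an added example, not part of the original article; the tag names, retention ages, policy name and mailbox address are placeholders, and it assumes the ExchangeOnlineManagement module and an administrator session.

```powershell
# Added example: MRM deployment from PowerShell instead of the admin center.
# All names, ages and the mailbox address below are placeholders.
Connect-ExchangeOnline

$mailbox    = 'user@contoso.example'
$policyName = 'Example MRM Policy'

# Step 1: create one retention tag of each type.
$tags = @(
    @{  # Default Policy Tag: untagged items move to the archive after 2 years
        Name                 = 'Example DPT - 2 Year Move to Archive'
        Type                 = 'All'
        AgeLimitForRetention = 730
        RetentionAction      = 'MoveToArchive'
    },
    @{  # Retention Policy Tag on a default folder (Deleted Items)
        Name                 = 'Example RPT - Deleted Items 30 Days'
        Type                 = 'DeletedItems'
        AgeLimitForRetention = 30
        RetentionAction      = 'DeleteAndAllowRecovery'
    },
    @{  # Personal Tag that users can apply themselves
        Name                 = 'Example PT - 1 Year Delete'
        Type                 = 'Personal'
        AgeLimitForRetention = 365
        RetentionAction      = 'DeleteAndAllowRecovery'
    }
)
foreach ($tag in $tags) {
    New-RetentionPolicyTag @tag -RetentionEnabled $true
}

# Step 2: group the tags into a retention policy.
$tagNames = $tags | ForEach-Object { $_['Name'] }
New-RetentionPolicy -Name $policyName -RetentionPolicyTagLinks $tagNames

# Step 3: apply the policy to the mailbox (one MRM policy per mailbox).
Set-Mailbox -Identity $mailbox -RetentionPolicy $policyName

# Optional: ask the Managed Folder Assistant to process this mailbox now
# instead of waiting for its next work cycle.
Start-ManagedFolderAssistant -Identity $mailbox

# Verify what is actually assigned.
Get-Mailbox -Identity $mailbox | Format-List Name, RetentionPolicy
Get-RetentionPolicy -Identity $policyName |
    Select-Object -ExpandProperty RetentionPolicyTagLinks
```

The MoveToArchive tag takes no action until the mailbox has an archive enabled, so check the archive status before relying on it.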
5.1.4. Managed Folder Assistant
In MRM, the Managed Folder Assistant (MFA) is a throttle-based assistant that is responsible for processing the policies applied on the user mailboxes. In other words, the MFA inspects the mailbox items for retention policies, and when a policy is detected, it stamps the item with appropriate retention tags. It then takes the specified retention action on items once they are past their retention age.
The MFA does not need to be scheduled or maintained; it is always active. Another thing to note is that at a specified interval (known as the work cycle checkpoint), the MFA refreshes the list of mailboxes to be processed. During the refresh, the MFA checks for newly created or moved mailboxes, and subsequently adds them to the queue. It also inspects mailboxes that haven’t been processed due to failures and adds them higher up in the priority queue.
What happens when there are multiple retention tags applied on a single mailbox item? Microsoft has clearly outlined the priority of the MRM tags to determine which action will be implemented.
When an item is tagged manually using a Personal Tag (PT), it takes the highest priority.
Next comes the Retention Policy Tag (RPT), which applies when the item sits in a folder to which the tag is applied.
Finally, the general mailbox policy set through a Default Policy Tag is applied if neither of the other two methods has been used to implement the retention policy.
5.1.6. Default MRM policy
The Default MRM policy is automatically applied when a new mailbox is created in Exchange Online. You can change the retention policy applied to a user at any point in time.
Tags included in the Default MRM Policy can be modified according to your business needs. You can change the retention age or retention actions, disable a tag, or modify the policy by adding or removing tags from it. The updated policy is applied to mailboxes the next time they are processed by the MFA.
The Default MRM Policy contains the following retention tags:
● 1 Month Delete
● 1 Week Delete
● 1 Year Delete
● 5 Year Delete
● 6 Month Delete
● Default 2 year move to archive
● Junk Email
● Never Delete
● Personal 1 year move to archive
● Personal 5 year move to archive
● Personal never move to archive
● Recoverable Items 14 days move to archive
Click here to learn more about the Default Retention Policy in Exchange Online.
5.1.7. Is MRM your best possible retention solution for Exchange Online?
As mentioned above, Microsoft recommends using retention policies and labels over MRM. However, mailbox archiving is only available in MRM.
Microsoft suggests using MRM for your archiving requirements, and retention policies for your retention needs.
Neither MRM nor retention policies and labels serve as data backup solutions. Microsoft recommends using third-party backup tools for your backup requirements.
5.1.8. Retention holds in MRM
A retention hold helps you temporarily suspend the MRM retention policies applied to a user’s mailbox. This is useful when an employee is temporarily away, such as on vacation.
For example, let’s say that an employee goes on a three-month leave. The organization has implemented a policy where items are moved to the archive after one month and then deleted after fifteen days. That means that by the time the employee returns after three months, many days of emails will be unavailable and permanently deleted.
Retention holds are designed for this purpose. A retention hold suspends the processing of an MRM retention policy by the MFA for that mailbox for a period of time. Apart from temporarily suspending the retention policies, retention holds also allow you to set a retention comment, so everyone knows that the mailbox is on hold.
To learn more about how to create retention holds, click here.
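The three-month leave scenario above, as an added PowerShell example (not from the original article): it places one mailbox on retention hold with a comment, then lists every mailbox on retention hold so that holds left on after their end date, or set without one, can be reviewed. The mailbox address and comment text are placeholders.

```powershell
# Added example: retention hold for an employee on a three-month leave.
# Mailbox address and comment text are placeholders.
Connect-ExchangeOnline

$mailbox = 'user@contoso.example'
$start   = (Get-Date).Date
$end     = $start.AddMonths(3)

# Suspend MRM processing for this mailbox and record why.
Set-Mailbox -Identity $mailbox `
    -RetentionHoldEnabled $true `
    -StartDateForRetentionHold $start `
    -EndDateForRetentionHold $end `
    -RetentionComment "Retention hold: employee on leave until $($end.ToString('yyyy-MM-dd'))"

# Review all mailboxes whose MRM policy is currently suspended.
# While a hold is on, the MRM delete/archive actions are not applied,
# so a forgotten hold quietly disables the retention schedule.
$now = Get-Date
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RetentionHoldEnabled } |
    Select-Object UserPrincipalName, RetentionPolicy,
        StartDateForRetentionHold, EndDateForRetentionHold, RetentionComment,
        @{ Name = 'Review'; Expression = {
            if (-not $_.EndDateForRetentionHold) { 'no end date set' }
            elseif ([datetime]$_.EndDateForRetentionHold -lt $now) { 'end date passed' }
            else { 'within hold period' }
        } } |
    Format-Table -AutoSize

# When the employee returns, release the hold explicitly:
# Set-Mailbox -Identity $mailbox -RetentionHoldEnabled $false -RetentionComment $null
```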
5.2. Retention policies and retention labels
Microsoft 365 retention policies and labels are effective in retaining data in your organization. Both retention policies and retention labels can either be used separately or in a combination, according to the type of data and your business requirements. Before understanding how to create retention policies and labels, it is essential that we understand the key differences between the two, and when to use what.
5.2.1. Retention policies vs. retention labels: Which one should you choose?
Retention policies are used to assign settings at a container level, i.e., at a mailbox level. Retention labels, on the other hand, are used for specific mailbox items such as a particular folder or email.
For example, if you want the entire mailbox of a user retained for five years, it is easier to apply a retention policy on the entire mailbox rather than multiple retention labels on each mail. However, if you want to pick and retain certain mails for five years and some others for three years, you should use retention labels.
Another notable difference is that, unlike retention labels, retention policies are bound to content containers and apply only to the content within. In other words, retention labels continue to apply to the content even after it is moved to another location, while retention policies apply only to the location to which they are assigned.
Microsoft has put together a comprehensive table explaining different scenarios to help you identify when to use what.
5.2.2. How to create and apply retention policies and retention labels
In the pop-up dialog box, type the name and description of the label you want to create.
Step 2: Retention settings
Next, you must define the period for which the content is retained, the trigger for the retention to start, and the action to be taken when the retention period is over.
Step 3: Review and finish
Review the details of the label in the ‘Review and finish’ section and click ‘Create’.
Step 4: Publish
After creating the label, you can choose to publish it immediately, set an auto-apply rule to a specific type of content, or save it and publish it later whenever ready.
How are retention labels applied?
After creating retention labels, you need to publish them. When you publish labels to locations such as Outlook, users can manually apply the labels to the content they wish to retain. Users can also auto-apply labels to content that matches their conditions (e.g., content containing sensitive information).
A single retention label can be used in multiple retention label policies. Retention label policies specify the publish locations of selected retention labels.
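An added example (not from the original article) that contrasts the two approaches in Security & Compliance PowerShell: a five-year retention label published to Exchange through a label policy, and a container-level retention policy on a single mailbox. All names, the mailbox address and the 1825-day duration are placeholders chosen to match the five-year scenario above.

```powershell
# Added example: retention label + label policy versus a mailbox-level
# retention policy. Names, mailbox and durations are placeholders.
Connect-IPPSSession   # Security & Compliance PowerShell session

$labelName   = 'Example - Retain 5 Years'
$labelPolicy = 'Example - Publish 5 Year Label'
$mbxPolicy   = 'Example - Mailbox 5 Year Retention'
$mailbox     = 'user@contoso.example'

# Retention label: period, trigger (item creation) and action at the end.
New-ComplianceTag -Name $labelName `
    -Comment 'Keep for five years from creation, then delete' `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 1825 `
    -RetentionType CreationAgeInDays

# Retention label policy: defines where the label is published.
New-RetentionCompliancePolicy -Name $labelPolicy -ExchangeLocation All
New-RetentionComplianceRule -Policy $labelPolicy -PublishComplianceTag $labelName

# Container-level retention policy: applies to everything in one mailbox.
New-RetentionCompliancePolicy -Name $mbxPolicy -ExchangeLocation $mailbox
New-RetentionComplianceRule -Name "$mbxPolicy - rule" -Policy $mbxPolicy `
    -RetentionDuration 1825 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption CreationAgeInDays

# Verify: label settings and whether each policy has been distributed.
Get-ComplianceTag -Identity $labelName |
    Format-List Name, RetentionAction, RetentionDuration, RetentionType
Get-RetentionCompliancePolicy -Identity $labelPolicy -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus
Get-RetentionCompliancePolicy -Identity $mbxPolicy -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation
```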
The following diagram visualizes the relations between retention labels, retention label policies, and publish locations.
How to create a retention label policy and publish retention labels?
5.2.4. Limitations of using retention policies and labels
It is a common misconception that the retention features offered by Microsoft are enough to safeguard your data. If you plan to use retention labels and policies for your business, here are some limitations you should be aware of.
Retention features are part of the Compliance Center which is only available in the advanced E3 and E5 subscriptions of Microsoft 365. These plans are priced higher than the standard Microsoft 365 plans.
Calendar items and tasks with no end date are not retained under retention policies and labels.
A maximum of 10,000 policies can be included in a tenant. This includes all the different policies available, including DLP policies.
The maximum number of retention policies for Exchange Online (per workload) is 1800.
Since retention policies and labels can be configured to scope your retention settings to specific users, specific Microsoft 365 Groups, or specific sites, you need to be aware of the maximum number of items per retention policy:
1,000 mailboxes (user mailboxes or group mailboxes)
1,000 Microsoft 365 Groups
5.2.5. What happens when an item under retention policy is deleted before the retention period - Principles of retention
Most organizations have multiple retention policies applied to different content on a daily basis. There are also possibilities of the same content being subject to different retention policies.
Here is a comprehensive flowchart by Microsoft, to help you determine what policies take precedence over others without worrying about one policy setting overwriting the others.
5.3. Other methods of retaining data
5.3.1. Archive mailboxes
In Microsoft 365, archive mailboxes refer to the additional mailbox storage space provided to users. Keep in mind, the user’s archive mailbox needs to be enabled to use archive mailboxes.
After the archive mailbox is enabled, up to 100 GB of additional storage is available per user. Earlier, once the 100 GB storage quota was reached, organizations had to contact Microsoft to request additional storage space for an archive mailbox. However, users can now make use of a new feature called auto-expanding archiving (also called unlimited archiving) that provides additional storage in the archive without contacting Microsoft.
Note: Starting November 1, 2021, Microsoft is implementing a storage limit of 1.5 TB for the unlimited archive. In other words, users cannot add more data to the archive mailboxes once the 1.5 TB quota is reached.
Pro tip: Archiving has multiple limitations including storage limits. Third-party solutions such as SysCloud provide unlimited storage in the backup archives, in addition to hassle-free backup and restore capabilities.
For step-by-step instructions on how to turn on auto-expanding archiving, click here.
To understand unlimited archiving in detail, click here.
Can you use the archiving feature as a retention method for Exchange Online?
Although an archive mailbox helps retain important mailbox items, it is not a reliable long-term solution. Here are a few limitations:
The archive mailbox has a storage limit of 100 GB, after which auto-expanding archives must be used. Auto-expanding archives are only supported in the Microsoft 365 E3 and E5 subscriptions.
Microsoft recently announced that starting November 1, 2021, the auto-expanded archive will also have a storage limit of 1.5 TB.
Expanded archiving cannot be enabled using the admin centers. Administrators must use PowerShell to enable the feature.
Auto-expanding archive is only supported for mailboxes with a growth rate that does not exceed 1 GB per day. This applies to both user and shared mailboxes.
The auto-expanding feature prevents you from recovering or restoring an inactive mailbox. Click here to know more.
You can't delete a folder from the archive mailbox after an auto-expanded storage area has been provisioned.
If an item is deleted from the auto-expanded storage area, it is lost forever. There is no way to retrieve it.
5.3.2. Litigation holds
Litigation Hold helps you place user mailboxes on hold, i.e., retain all the contents of a mailbox, including deleted items and the original versions of modified items. It is a functionality of the eDiscovery feature in Exchange Online that is helpful in freezing crucial data. When a mailbox is placed on litigation hold, items in the user's primary and archive mailboxes (if enabled) are retained.
When you create a litigation hold, you can specify the time duration for which you want the items retained, after which they will be deleted. You can also just place an infinite hold on the mailbox, wherein the content will be retained indefinitely unless you remove the hold.
Litigation holds vs. retention policies
While both litigation holds and retention policies perform similar functions, their usage and feature sets are different. It is essential for administrators to be aware of when to use what. Here is a comprehensive table we have put together for your understanding:
Retention policies are used to protect valuable data from data loss such as accidental deletion.
Litigation hold is a functionality of the eDiscovery feature that is helpful in preserving data for legal compliance.
Retention policies can be automated for new users.
Litigation holds have to be manually applied to every new user.
Retention policies allow you to set time limits on data preservation, after which specific actions will be implemented.
Time-based holds must be turned on and off manually, after which no automatic actions will be implemented.
To get a complete understanding of why holds are different from retention policies and labels, check out this article.
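Because litigation holds are applied per mailbox, coverage drifts as new users are added. The following added example (not from the original article) reports each mailbox's hold, MRM policy, deleted-item retention and archive state so gaps are visible; the output path and the 2555-day hold duration are placeholders.

```powershell
# Added example: retention posture report for user and shared mailboxes.
# Output path and hold duration are placeholders.
Connect-ExchangeOnline

$mailboxes = Get-Mailbox -ResultSize Unlimited `
    -RecipientTypeDetails UserMailbox, SharedMailbox

$report = foreach ($mbx in $mailboxes) {
    # RetainDeletedItemsFor comes back as d.hh:mm:ss; keep only the days.
    $deletedItemDays = ([timespan]"$($mbx.RetainDeletedItemsFor)").Days

    $findings = @()
    if (-not $mbx.LitigationHoldEnabled) { $findings += 'no litigation hold' }
    if ($deletedItemDays -le 14)         { $findings += 'Recoverable Items kept only 14 days (default)' }
    if ("$($mbx.ArchiveStatus)" -ne 'Active') { $findings += 'archive not enabled (move-to-archive tags do nothing)' }
    if (-not $mbx.RetentionPolicy)       { $findings += 'no MRM retention policy' }

    [pscustomobject]@{
        Mailbox              = $mbx.UserPrincipalName
        Type                 = $mbx.RecipientTypeDetails
        LitigationHold       = [bool]$mbx.LitigationHoldEnabled
        HoldDuration         = $mbx.LitigationHoldDuration
        MrmPolicy            = $mbx.RetentionPolicy
        DeletedItemDays      = $deletedItemDays
        ArchiveStatus        = $mbx.ArchiveStatus
        AutoExpandingArchive = [bool]$mbx.AutoExpandingArchiveEnabled
        Findings             = $findings -join '; '
    }
}

# Mailboxes with at least one finding, plus a full export for records.
$report | Where-Object Findings |
    Sort-Object Mailbox |
    Format-Table Mailbox, LitigationHold, DeletedItemDays, ArchiveStatus, Findings -Wrap
$report | Export-Csv -Path .\retention-posture.csv -NoTypeInformation

# Preview placing uncovered mailboxes on a time-based hold.
# Remove -WhatIf only after the list has been reviewed.
$report | Where-Object { -not $_.LitigationHold } | ForEach-Object {
    Set-Mailbox -Identity $_.Mailbox -LitigationHoldEnabled $true `
        -LitigationHoldDuration 2555 -WhatIf
}
```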
Does litigation hold qualify as a backup solution?
The purpose of a litigation hold is to preserve data for long-term purposes such as legal compliance. However, due to its retention capabilities, litigation hold is often misunderstood as a backup solution. There are significant limitations in using litigation hold as a backup solution.
Cross-user restore is not available. In other words, if an employee quits, litigation hold doesn’t allow you to transfer the data to another user. Moreover, litigation hold let you remove users while preserving their data forcing you to continue paying for Microsoft licenses for inactive users.
SysCloud’s cross-user restore feature helps admins easily transfer data from one user to another, thereby saving license costs for employees who may have left the organization.
Data that is on litigation hold cannot be deleted. As a result, your storage requirements and costs increase exponentially over time.
If the contents of a user’s mailbox are affected by ransomware, the data stored in litigation hold also gets infected. There is no guarantee that you will get your data back.
SysCloud automatically inspects your backup archives for ransomware and phishing and immediately notifies the administrator.
Litigation hold is only available in the E5 edition of Microsoft 365.
5.3.3. eDiscovery holds
Core eDiscovery is a basic eDiscovery tool that organizations can use to search and export content in Microsoft 365. However, it can also be used to place holds on content locations such as Exchange mailboxes, SharePoint sites, OneDrive accounts, and Microsoft Teams.
To learn more about eDiscovery Holds, and how it does NOT serve as a backup solution, check out this article.
5.3.4. Third-party backup solutions
Why third-party backup solutions?
While the native settings offered by Microsoft are helpful in retaining your data, they do not serve as a backup solution. Microsoft is not responsible for backing up your data and they recommend using third-party apps for backup. Don’t take our word for it; here is an extract from their Services Agreement (Section 6.b).
WE STRIVE TO KEEP THE SERVICES UP AND RUNNING; HOWEVER, ALL ONLINE SERVICES SUFFER OCCASIONAL DISRUPTIONS AND OUTAGES, AND MICROSOFT IS NOT LIABLE FOR ANY DISRUPTION OR LOSS YOU MAY SUFFER AS A RESULT. IN THE EVENT OF AN OUTAGE, YOU MAY NOT BE ABLE TO RETRIEVE YOUR CONTENT OR DATA THAT YOU’VE STORED. WE RECOMMEND THAT YOU REGULARLY BACKUP YOUR CONTENT AND DATA THAT YOU STORE ON THE SERVICES OR STORE USING THIRD-PARTY APPS AND SERVICES.
Here is a comprehensive list of why having a third-party backup solution is an absolute necessity.
Limitations of native retention settings: The native retention settings offered by Microsoft do not serve as an effective data backup and recovery option. Having an independent backup of your data stored off-site is an effective bulwark against data loss incidents.
Easy restoration: Third-party tools such as SysCloud help you easily restore specific or all emails in just a few clicks.
Save license costs: Third-party solutions allow you to retain safe copies of organizational data even after employee exits and account deletions, thus saving license costs.
With simple GUIs, no technical or coding expertise is required to backup and restore data.
Fast backups: Take faster backups even for large teams.
Protection against ransomware and phishing: Cloud security concerns have sky-rocketed in the pandemic. Tools like SysCloud secure data being backed up from ransomware and phishing.
SysCloud vs. native Exchange Online retention