A critical issue has been reported with the behavior of litigation hold in Exchange Server 2013 and Office 365.
In short, if a mailbox is enabled for litigation hold a delegate of the mailbox is able to use OWA to permanently delete folders (and their items) from the mailbox, without them being preserved correctly by the litigation hold.
The issue affects Office 365 and all supported versions of Exchange Server 2013 on-premises. The bug does not occur when mailboxes are accessed via Outlook or other clients; only access via OWA is affected.
Update: the status from Microsoft has been updated.
This problem has been identified and corrected in Office 365. A supported fix for on-premises customers will be available in Cumulative Update 7 for Exchange Server 2013.
Tony Redmond has a detailed write-up here, including an explanation of the expected behavior:
As you might recall, when a mailbox is placed on litigation or comes under the control of an in-place hold, Exchange is supposed to maintain copies of items subject to the hold if the user attempts to delete them from the mailbox. The retained copies are held in the Deletions sub-folder of the Recoverable Items folder away from the prying eyes of the user while still remaining indexed and therefore discoverable through eDiscovery searches.
Microsoft has released KB2996477 which also describes the issue:
This problem occurs when a user uses OWA to delete or move a folder from a delegated mailbox that is on hold to another mailbox if that mailbox is also open in OWA but is not on hold. The items are preserved according to the hold settings of the delegate’s own mailbox, not the settings of the delegated mailbox. The delegate can move or delete individual items inside a folder, and the items are preserved as expected.
Non-delegated scenarios, in which one user is the sole owner of a mailbox, are not affected by this issue. This problem also does not occur in the Outlook client.
Microsoft offers two workarounds:
- Put a hold on all users who are participating in delegated scenarios.
- Disable OWA for users who have delegated access to their mailbox.
First, it’s worth verifying whether any mailboxes in your organization are enabled for litigation hold.
[PS] C:\>Get-Mailbox | where LitigationHoldEnabled

Name       Alias      ServerName  ProhibitSendQuota
----       -----      ----------  -----------------
Alan.Reid  Alan.Reid  ex2013srv2  Unlimited
Help Desk  helpdesk   ex2013srv2  Unlimited
If disabling OWA is a practical solution for your organization, it is easily done, for example:
[PS] C:\>Get-Mailbox | where LitigationHoldEnabled | Set-CASMailbox -OWAEnabled:$false
Of course, if the mailboxes are under investigation it may not be wise to tip off the mailbox owner by disabling OWA. In that case enabling litigation hold for the other users with access to the mailbox would be the better approach.
I would also add the recommendation to enable mailbox audit logging to track any deletes that delegates perform.
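The following script, added here as an example and not part of the original post, combines the first Microsoft workaround with the audit logging recommendation above: for each mailbox on litigation hold it finds the explicit FullAccess delegates, reports (and, unless run with the assumed -ReportOnly switch, enables) litigation hold for those delegates, and turns on mailbox audit logging for delegate delete and move actions on the held mailbox. It assumes it is run in the Exchange Management Shell by an administrator with the Discovery Management and Organization Management rights needed for Set-Mailbox.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# -ReportOnly is an assumed switch name: with it, nothing is changed, only reported.
param(
    [switch]$ReportOnly
)

# Mailboxes currently on litigation hold (same check the post performs)
$heldMailboxes = Get-Mailbox -ResultSize Unlimited -Filter { LitigationHoldEnabled -eq $true }

foreach ($mailbox in $heldMailboxes) {
    # Explicit (non-inherited, non-deny) FullAccess grants to someone other than the owner;
    # these are the delegates who could open the mailbox in OWA
    $delegates = Get-MailboxPermission -Identity $mailbox.Identity |
        Where-Object {
            $_.AccessRights -contains "FullAccess" -and
            -not $_.IsInherited -and
            -not $_.Deny -and
            $_.User.ToString() -notlike "NT AUTHORITY\SELF"
        }

    foreach ($delegate in $delegates) {
        # A delegate may be a group or an orphaned SID; only a user mailbox can be put on hold
        $delegateMailbox = Get-Mailbox -Identity $delegate.User.ToString() -ErrorAction SilentlyContinue
        if (-not $delegateMailbox) {
            Write-Warning "$($mailbox.Alias): delegate $($delegate.User) has no mailbox; review manually"
            continue
        }
        if ($delegateMailbox.LitigationHoldEnabled) { continue }

        Write-Output "$($mailbox.Alias): delegate $($delegateMailbox.Alias) is NOT on litigation hold"
        if (-not $ReportOnly) {
            # Workaround 1: hold the delegate too, so folders they delete via OWA are
            # retained under a hold rather than dropped
            Set-Mailbox -Identity $delegateMailbox.Identity -LitigationHoldEnabled $true
        }
    }

    if (-not $ReportOnly) {
        # Record delegate deletes and moves in the held mailbox's audit log so that
        # any folder removal by a delegate is traceable with Search-MailboxAuditLog
        Set-Mailbox -Identity $mailbox.Identity -AuditEnabled $true `
            -AuditDelegate MoveToDeletedItems,SoftDelete,HardDelete,Move
    }
}
```

Groups granted FullAccess are only reported, not expanded; review those memberships by hand before deciding whom to place on hold.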