Priority Cleanup Ignores Retention Holds When it Deletes Mailbox Items

Announced in MC971035 (3 January 2025, Microsoft 365 roadmap item 392838), the Purview Priority Cleanup solution is described as a “new secure workflow to bypass legal holds and retention policies” that allows “administrators to expedite the permanent deletion of sensitive content from Microsoft Exchange [Online] mailboxes, overriding any existing retention settings or eDiscovery holds.” In other words, Priority Cleanup can remove items from mailboxes even if those items are subject to holds imposed by retention labels, retention policies, or eDiscovery cases.

You might wonder why such a capability is needed. After all, compliance search purge actions can hard-delete mailbox items and make those items inaccessible to users. However, the removed items remain in mailboxes and can be found by eDiscovery searches. Priority Cleanup permanently removes the items it finds to make them irrecoverable. Ignoring retention holds is the major selling point for Priority Cleanup.

The public preview of Priority Cleanup is now available in the Data Lifecycle Management section of the Purview compliance portal. Currently, only purging of items in Exchange Online mailboxes is supported. No date is available for when cleanup might be possible for other kinds of data such as SharePoint Online files or Teams messages. The roadmap item currently lists General Availability for September 2025. Documentation is available online.

Tenants that don’t want to use Priority Cleanup can block the feature through the Priority Cleanup settings in the Purview portal (Figure 1).

Figure 1: Setting to control the availability for Priority Cleanup

There is much to discuss about Priority Cleanup. This article introduces the technology, describes the problem Microsoft is attempting to address, and highlights the Microsoft 365 components used in the solution. Preview software always exhibits some flaws, and Priority Cleanup is no different. I’ll come back to the topic in a future article to dive into some aspects in more detail, like validating that items are removed and how auditing captures details of the process.

The Compliance Conundrum

Reading about what Priority Cleanup does will bring a cold shiver to some compliance administrators. The whole point of data lifecycle management is to be able to retain information for as long as that information is required. From an email perspective, that means Exchange retains items in an immutable state until they are no longer required. Some will consider that being able to remove held items undermines the principle of immutability.

Life isn’t perfect, and situations can arise when retention holds stop the removal of email that you really don’t want to keep, such as horrible and misleading spam or, more importantly, confidential or sensitive information that’s shared by accident (“data spillage”). For instance, a senior manager might attach a confidential document detailing future investment plans to a message and send it to an incorrect distribution list.

As mentioned above, compliance search purge actions can find and remove the offending items from destination mailboxes in the same tenant. But if the mailboxes are subject to a retention hold, the removed items end up in the Recoverable Items structure and remain indexed and discoverable. Permanently removing the items even though they are on hold addresses the problem.

During the review cycle, approvers have the option to delete items or retain the items by applying a different retention label. The first option is obviously most useful if you’re interested in blocking data spillage. The exact form of deletion is governed by a policy setting between removing items as quickly as possible and deleting items after a set time (based on when items are created, modified, or labeled).

Although messages within the tenant boundary are removable, nothing can be done for messages that leave the tenant for delivery elsewhere. That information is gone and cannot be retrieved because the organization has lost control of the messages. The solution here is to apply sensitivity labels to all confidential documents to stop unauthorized recipients from accessing the document content.

Assembling a New Solution from Microsoft 365 Components

Leaving the compliance issue aside for a moment, it’s worth noting that Priority Cleanup reuses several Microsoft 365 components familiar to compliance administrators.

Special auto-labeling policies find items in user and group mailboxes using a KeyQL query run against target locations. Mailboxes can be selected individually or identified with an adaptive scope. Dedicated Priority Cleanup retention labels are applied to items found by the policies, overwriting any existing retention label except those used to mark items as records or regulatory records.

The special retention labels share the name of their policies, which means that it’s easy to check which items have been stamped by running a content search with the KeyQL query compliancetag="name of policy". You can then review the samples found by the search to ensure that the correct items are found and stamped (Figure 2).

Figure 2: A content search finds items stamped with a Priority Cleanup retention label

An auto-label policy works in the background to find items that match the policy query. Finding ten or twenty items and making them available for review might take a few hours, but if hundreds or thousands of items are involved, reviewers will likely be asked to deal with multiple batches. Each batch could include several hundred items. This issue becomes more pronounced as the number of items to find increases.

Items stamped with a Priority Cleanup retention label go through a special form of disposition review. Disposition review is a standard end-of-retention period action meaning that a designated reviewer must check an item to decide what should happen to the item. In Figure 3, we see the options available to a first-stage reviewer to either dispose (delete) or relabel an item. Items can be disposed of individually or in batches. The Deleted Items tab lists items subject to the policy that have been through a complete review cycle and are awaiting deletion or have been deleted.

Figure 3: An item found by a policy can be disposed of by deletion or relabeling

Items processed by policies remain in user mailboxes until the Managed Folder Assistant removes them following approval. During this period, Outlook updates the retention policy banner to show that the item is expired (Figure 4).

Figure 4: Outlook lets a user know that Priority Cleanup is working on a message

If items marked for removal have previous retention labels, are within the scope of a retention policy, or are required for an eDiscovery case, further approval is necessary from a different reviewer. These reviewers are defined in the policy settings (Figure 5). Like normal disposition reviews, Purview sends reminder messages to reviewers when they have items to deal with.

Figure 5: Reviewers for different stages of the cleanup process

Purview compliance RBAC roles are implemented to manage policies and disposition. Reviewers at each stage of the process must hold specified Purview roles like Priority Cleanup Admin and Priority Admin Viewer. The easiest way to assign these roles is to create custom role groups and add the reviewers to the relevant role groups. The administrator who creates a policy is not allowed to approve items for disposition.

Separate RBAC roles and reviewer responsibilities exist to stop a rogue administrator from launching a cleanup to remove embarrassing or compromising evidence of some undesirable activities. However, an administrator with sufficient privileges can always create some accounts, assign reviewer roles to the new accounts, and dispose of evidence that way. If no one checks the audit log for cleanup activities, the removal of items might remain undetected.

The final step happens when the Exchange Online Managed Folder Assistant (MFA) removes any items approved for permanent deletion. MFA processes mailboxes on a workcycle basis, meaning that it’s a little unpredictable when items might finally disappear from a mailbox. Microsoft’s documentation states that you should “Allow up to seven days for items to be permanently deleted.”

Advantage and Downside of Component Reuse

The advantage of reusing existing components is that the software is tried and trusted. Retention processing by the MFA has been around since Exchange 2010, auto-label policies since 2016, adaptive scopes since 2021, and disposition reviews since 2017. The downside is that these are not fast processes. Running a simulation to verify that the KeyQL query to find items is accurate and finds the desired items can take several attempts over some hours. This is a critical piece of the puzzle because the last thing anyone wants is for a policy to find information that the organization wants to keep and that might then be removed accidentally in the disposition review stage.

Auto-label policies search for items in batches and it can take several days to find and label all items identified by the query. Things are even slower if an adaptive scope must be created to find target mailboxes. Build in the additional step of a multi-stage disposition review and it could take up to two weeks before MFA removes items. Even a relatively small expungement involving 52 items took six days end-to-end to remove all items despite care being taken to process items through the stages as quickly as possible.

Microsoft will argue that this view is pessimistic and that the cleanup cycle is faster. I’m sure that this is possible. If everyone is ready and processes items as soon as they are found the complete process might take a few days. But that’s still not quick and probably won’t live up to the expectations of someone who wants confidential information deleted as quickly as possible.

By comparison, the now deprecated Search-Mailbox cmdlet could remove mailbox items in a matter of minutes. Even if some moderately complex scripting is needed to make compliance search purge actions work smoothly, the operation won’t take more than an hour or so. If a tenant uses Priority Cleanup, a pragmatic approach is to use a compliance search purge action first to remove items from the user view. Priority Cleanup can then run to process the items afterward. Such an approach raises the question of whether permanent removal is really necessary, but that’s a debate that will differ from situation to situation and cannot be resolved here.

Simulating Before Starting

Policies can run in simulation mode to allow administrators to test if the correct items are found by a handcrafted KeyQL query (why the query wizard used in content searches and eDiscovery searches isn’t used is a mystery). Some fit and finish gaps are obvious in the simulation mode where the query found Exchange Online and SharePoint Online items (Figure 6). Sample items are displayed for review to ensure that the KeyQL query works as expected.

Figure 6: A simulation finds lots of Exchange and SharePoint items

It’s not good when SharePoint items surface unexpectedly in search results. I suspect that this is an oversight. To stop the query from finding SharePoint items, I adjusted the KeyQL query (Figure 7) to specifically look for email items. The final query was:

(subject:"Incompatible sensitivity label detected") AND (from:Customer.Services@office365itpros.com) AND (kind:email)
Figure 7: Handcrafting a KeyQL query to find items

The query is intended to find emails sent by SharePoint Online when a mismatch is discovered between the sensitivity label assigned to a site and the labels assigned to documents uploaded to the site. A bug caused many such notifications to be generated and removing those items seemed like a good test case. According to a content search, 19,010 matching items exist. This might seem like a high number for a cleanup, but it’s conceivable that such a volume might need to be processed to remove items subject to a GDPR Data Subject Request. Other scenarios, like removing an email circulated in error, will likely involve lower numbers of items.

Several simulation runs might be needed to tweak the query to find all the targeted items. Sometimes the best query might not be the most obvious. For instance, it seems reasonable to include keywords to find responses and forwards sent in addition to the original email. For example:

(subject:"My resignation" OR subject:"RE: My resignation" OR subject:"FW: My resignation") AND (from:Rene.Artois@office365itpros.com) AND (kind:email)

The problem here is that the query will find everything sent from a specific address. It won’t find responses or forwards sent by recipients. A better query uses text that exists in all forms of the message together with a tight date range to search within:

(received>=2025-03-19 AND received<=2025-03-30) AND (kind:email) AND ("I resign because of the horrible pressure")

KeyQL queries do not support all email properties. See the Microsoft documentation for details and examples.
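The coverage gap between the last two queries can be checked before a policy is switched on. The following is an added example, not the author's code or a KeyQL engine: a simplified Python model of the two predicates run over a constructed thread, where the recipient addresses and message bodies are assumptions. It also shows what the phrase-based query still misses.

```python
from datetime import date

SENDER = "rene.artois@office365itpros.com"
PHRASE = "i resign because of the horrible pressure"

def msg(mid, sender, subject, day, body):
    return {"id": mid, "sender": sender, "subject": subject,
            "received": date(2025, *day), "body": body}

# Constructed thread; only the sender, subject, phrase and dates come from
# the article's queries. Everything else is made up for illustration.
QUOTED = "> I resign because of the horrible pressure"
THREAD = [
    msg("original", SENDER, "My resignation", (3, 19),
        "I resign because of the horrible pressure."),
    msg("reply-quoted", "colleague@example.com", "RE: My resignation", (3, 20),
        "Sorry to hear it.\n" + QUOTED),
    msg("forward", "colleague@example.com", "FW: My resignation", (3, 21),
        "FYI\n" + QUOTED),
    msg("reply-trimmed", "manager@example.com", "RE: My resignation", (3, 21),
        "Let's talk tomorrow."),          # quoted text removed by the sender
    msg("late-forward", "colleague@example.com", "FW: My resignation", (4, 2),
        "FYI\n" + QUOTED),                # arrives after the date window
]

def sender_subject_query(m):
    """Model of the subject-plus-from query: subject phrase AND from:Rene."""
    return "my resignation" in m["subject"].lower() and m["sender"].lower() == SENDER

def phrase_window_query(m, start=date(2025, 3, 19), end=date(2025, 3, 30)):
    """Model of the phrase query: body phrase AND received inside the window."""
    return start <= m["received"] <= end and PHRASE in m["body"].lower()

def missed_by(query, thread=THREAD):
    """IDs of thread messages the query would leave unlabeled."""
    return [m["id"] for m in thread if not query(m)]

if __name__ == "__main__":
    print("sender+subject misses:", missed_by(sender_subject_query))
    print("phrase+window misses: ", missed_by(phrase_window_query))
```

Replies that drop the quoted text and copies received outside the date window are not found by the phrase query, so the simulation results need checking for both cases.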

When you’re happy that the query works, you can turn on the policy to make it active. Like any Purview policy, it can take some time before processing begins.

The Licensing Issue

Selecting existing components means accepting existing licensing arrangements. Because Microsoft has chosen to use auto-labeling policies, Office 365 E5 or Microsoft 365 E5 compliance licenses are required. Microsoft’s position is that Priority Cleanup delivers significant value by being able to remove items subject to retention holds. That’s true, but the counterargument is that in most cases the need is to remove problem items from user view and that it’s enough to purge the items and allow them to remain in the Purges folder in Recoverable Items for the duration of whatever retention hold applies to the items.

Compliance search purge actions are covered by Office 365 E3, so customers with these licenses face the prospect of having to upgrade licenses for every mailbox that comes within the scope of policies to use the new feature. Of course, if an organization already has E5, the cost issue doesn’t arise, unless the tenant has a mixture of licenses and needs to upgrade the accounts that don’t have E5.

Auditing

As you’d expect from any process that deletes data permanently, Microsoft incorporates extensive auditing for Priority Cleanup. Audit events are captured when administrators create, update, or remove policies, including running simulations for policies. Events are also captured when policies label items and when disposition reviews process items, including the eventual deletion of items.
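The audit events described here are what make it possible to spot the reviewer-account workaround raised in the discussion of RBAC roles above. The following is an added example, not Microsoft's or the author's code: a Python check over constructed, normalized audit records that flags disposition approvals made by accounts the policy creator set up. The field names, action labels, account names and the 14-day threshold are assumptions, not the Purview audit schema.

```python
from datetime import datetime, timedelta

# Constructed, normalized audit records. Field names and action labels are
# assumptions for this example, not the Purview audit schema.
EVENTS = [
    {"time": "2025-03-01T09:00", "actor": "admin.a", "action": "policy_created", "target": "Spill-0319"},
    {"time": "2025-03-02T10:00", "actor": "admin.a", "action": "account_created", "target": "tmp.reviewer"},
    {"time": "2025-03-02T10:05", "actor": "admin.a", "action": "role_assigned", "target": "tmp.reviewer"},
    {"time": "2025-03-04T11:00", "actor": "tmp.reviewer", "action": "disposition_approved", "target": "Spill-0319"},
    {"time": "2024-01-10T08:00", "actor": "hr.sync", "action": "account_created", "target": "records.mgr"},
    {"time": "2024-02-01T08:00", "actor": "sec.lead", "action": "role_assigned", "target": "records.mgr"},
    {"time": "2025-03-05T12:00", "actor": "records.mgr", "action": "disposition_approved", "target": "Spill-0319"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def flag_suspicious_approvals(events, max_account_age_days=14):
    """Flag approvals by accounts the policy creator set up, or by new accounts."""
    policy_creator, account_origin, role_grantors = {}, {}, {}
    findings = []
    # Walk events in time order so only activity before an approval counts.
    for e in sorted(events, key=_ts):
        actor, target = e["actor"], e["target"]
        if e["action"] == "policy_created":
            policy_creator[target] = actor
        elif e["action"] == "account_created":
            account_origin[target] = (actor, _ts(e))
        elif e["action"] == "role_assigned":
            role_grantors.setdefault(target, set()).add(actor)
        elif e["action"] == "disposition_approved":
            owner = policy_creator.get(target)
            creator, born = account_origin.get(actor, (None, None))
            reasons = []
            if owner and creator == owner:
                reasons.append("account created by policy creator")
            if owner and owner in role_grantors.get(actor, set()):
                reasons.append("reviewer role assigned by policy creator")
            if born and _ts(e) - born < timedelta(days=max_account_age_days):
                reasons.append("account newer than threshold at approval")
            if reasons:
                findings.append({"approver": actor, "policy": target, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in flag_suspicious_approvals(EVENTS):
        print(f["approver"], f["policy"], "; ".join(f["reasons"]))
```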

An Expensive and Complex Solution

Priority Cleanup will probably appeal to some Microsoft 365 tenants because of its unique ability to remove on-hold items. For me, this solution is too complex, too expensive, and too slow to make it a must-have capability. Policy processing needs to be faster and more responsive all round, and the composition of KeyQL queries is an area that needs attention to help administrators create effective queries to find items.

Given the need to remove items to fix data spillage, I’ll continue to recommend compliance search purge actions to remove items from user mailboxes. After all, in most situations that I have encountered where mail is in the wrong place or malware is circulating, the immediate need is to remove items from user view. Compliance search purge actions can do that faster, more simply, and cheaper than the current implementation of Priority Cleanup can.

Permanently removing items that are on hold does have value, so this is a solution that tenants should consider in the light of their own requirements and operating procedures before deciding if they can use Priority Cleanup.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.
