Complying with Retention Policies in a Tenant-to-Tenant Migration
If you perform a tenant-to-tenant migration for a company that retains content for deleted users, the client might ask whether this content can move to a new tenant to maintain compliance. In this article, we discuss how to identify Exchange Online inactive mailboxes and deleted OneDrive for Business accounts and review the processes available to migrate this content.
When an administrator deletes a user account that has an Exchange Online mailbox and OneDrive, the action releases any licenses assigned to the account and soft-deletes the user's mailbox and OneDrive for Business account. The Azure AD account and the soft-deleted mailbox are retained for 30 days, during which the account can be restored if needed. Deleted OneDrive for Business accounts are also retained for a specified number of days based on a setting in the SharePoint admin center. Refer to the article below to set the retention period for deleted users.
Once the soft delete retention period expires, the mailbox and OneDrive account are permanently deleted.
In some cases, the business may need to retain the user’s mailbox and OneDrive account for legal and compliance reasons for longer than 30 days. In such cases, if you have an Enterprise subscription like Office 365 E3 and above, you can retain the deleted user’s mailbox as an inactive mailbox and retain the OneDrive account belonging to deleted users for an extended period by defining a retention policy. Using a Microsoft 365 retention policy ensures that the content is retained even though the users have left the company.
For a review of how to permanently remove mailboxes and the impact of retention, check out Tony Redmond’s article: Why Permanently Removing an Exchange Online Mailbox Is Complex (practical365.com).
Migration of Inactive Mailboxes
During a Tenant-to-Tenant migration, you must decide on a strategy based on either migrating or exporting the content of inactive mailboxes and deleted OneDrive accounts. Microsoft 365 offers a few options to cover the need.
For Inactive mailboxes, you can perform a content search from the Microsoft Purview compliance portal and export results to a PST file. Alternatively, the inactive mailbox can be restored/recovered to another source mailbox (may require a new license) which can then be migrated as part of the normal migration process to the target tenant. The business can decide if a content search, export to PST, and import to a mailbox in the target tenant will meet their compliance requirements or if the inactive mailbox must be migrated to the target tenant. Some firms prefer to use inactive mailboxes so they can use the same tools for everyone and not have to track down archived copies or another solution.
If the business decides to migrate all inactive mailboxes to the target tenant, then you must devise a plan for your Office 365 migration. The following steps provide a high-level process for identifying and migrating inactive mailboxes.
Step 1: Get a list of all Inactive Mailboxes in the source tenant
You can view and export the list of inactive mailboxes from the Microsoft Purview compliance portal – Data Lifecycle Management – Inactive Mailboxes. Alternatively, you can export the list using PowerShell:
# Select-Object (not Format-Table) so that Export-Csv receives mailbox properties rather than formatting objects
Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited | Select-Object DisplayName,PrimarySmtpAddress,WhenSoftDeleted | Export-Csv InactiveMailboxeslist.csv -NoTypeInformation
Step 2: Recover the Inactive mailboxes
Tenant-to-Tenant migration solutions do not provide direct options for the migration of inactive mailboxes because they rely on EWS (Exchange Web Services). EWS requires the mailbox to be active or it cannot be accessed; therefore, the inactive mailbox must first be recovered to a mailbox in the source tenant.
When an inactive mailbox is recovered, the mailbox is converted to a new mailbox and the new mailbox is linked to a new user account. You can use PowerShell to recover an Inactive Mailbox as below:
# Look up the inactive mailbox, then recover it into a new mailbox linked to a new user account
$InactiveMailbox = Get-Mailbox -InactiveMailboxOnly -Identity <identity of inactive mailbox>
New-Mailbox -InactiveMailbox $InactiveMailbox.DistinguishedName -Name JohnDoe -FirstName John -LastName Doe -DisplayName "John Doe" -MicrosoftOnlineServicesID firstname.lastname@example.org -Password (ConvertTo-SecureString '******' -AsPlainText -Force)
Once the new account is created, you must license the account (Exchange Online Plan).
Step 3: Migrate the New Recovered Mailbox to a mailbox in the target tenant
Using your defined migration process, migrate the new recovered mailbox to a matched target mailbox. Later, depending on business preferences, the migrated mailboxes can be made into Inactive mailboxes by applying a hold and then deleting the corresponding Azure AD account retained in the target tenant.
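The inventory from Step 1 can also capture each inactive mailbox's hold settings and an item-count baseline, so that holds can be re-created in the target tenant and the recovered copy can be checked for completeness. The script below is an added example, not part of the original article; it assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline), and the output file names are placeholders.

```powershell
# Added example: hold and size inventory for inactive mailboxes (source tenant).
# Assumes Connect-ExchangeOnline has already been run; file names are placeholders.

$inventory = Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited | ForEach-Object {
    # Statistics for a soft-deleted (inactive) mailbox need -IncludeSoftDeletedRecipients.
    $stats = Get-MailboxStatistics -Identity $_.ExchangeGuid.ToString() -IncludeSoftDeletedRecipients

    [pscustomobject]@{
        DisplayName           = $_.DisplayName
        PrimarySmtpAddress    = $_.PrimarySmtpAddress
        ExchangeGuid          = $_.ExchangeGuid
        WhenSoftDeleted       = $_.WhenSoftDeleted
        # Holds recorded on the mailbox itself.
        LitigationHoldEnabled = $_.LitigationHoldEnabled
        InPlaceHolds          = ($_.InPlaceHolds -join ';')
        # Baseline to compare with the recovered mailbox and the migrated copy.
        ItemCount             = $stats.ItemCount
        TotalItemSize         = $stats.TotalItemSize
    }
}

$inventory | Export-Csv -Path .\InactiveMailboxHoldInventory.csv -NoTypeInformation

# Organization-wide retention policies are not listed on the mailbox;
# record them separately so they can be reviewed for the target tenant.
(Get-OrganizationConfig).InPlaceHolds |
    Set-Content -Path .\OrgWideHolds.txt
```

Keep both output files with the migration records; they document what was held in the source tenant before any mailbox was recovered.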
Migration of OneDrive content for Deleted Users
When a user is deleted in Microsoft 365, the OneDrive account of the user is retained for the number of days set in the default file retention for deleted OneDrive users. During this time, folders and files shared earlier with other users can still be accessed by those users. After this period, the OneDrive account is soft deleted and retained for another 93 days before its permanent removal. A SharePoint Administrator or Global Administrator can restore the account during this period.
Note: Retention policies, In-Place holds, and retention labels always take precedence over the standard OneDrive deletion process, so content could be retained for longer than the standard OneDrive retention period. Likewise, if a OneDrive is put on hold as part of an eDiscovery case, managers and secondary owners will be sent an email about the pending deletion, but the OneDrive will not be deleted until the hold is removed.
For more info, see Overview of retention policies: OneDrive retention and deletion – OneDrive | Microsoft Docs
Deleted OneDrives older than 30 days can be restored using PowerShell by following the steps below:
- Get a list of all Deleted OneDrives in the source tenant
- Restore the OneDrive to an active State
- Assign an administrator to the restored OneDrive
You must use the SharePoint Online Management Shell and run the following commands:
Get-SPODeletedSite -IncludeOnlyPersonalSite | ft url
Restore-SPODeletedSite -Identity <URL>
Set-SPOUser -Site <URL> -LoginName <UPNofAdmin> -IsSiteCollectionAdmin $True
Step 4: Migrate the restored OneDrives to the target tenant using Migration Software
Using your defined migration process, migrate the restored OneDrive account to a matched target user. Later, depending on business preferences, the target user can be deleted, and the migrated OneDrive account will be retained based on the retention settings in the target tenant.
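When more than a handful of OneDrives are in scope, the restore steps above can be run against an approved list with a per-site log of what was restored and who was granted access. The script below is an added example, not part of the original article; it assumes Connect-SPOService has already been run, and the administrator UPN, site URLs, and log file name are placeholders.

```powershell
# Added example: restore only approved deleted OneDrives and log each action.
# Assumes Connect-SPOService has been run. All values below are placeholders.
$AdminUpn     = 'migration.admin@contoso.onmicrosoft.com'
$ApprovedUrls = @(
    'https://contoso-my.sharepoint.com/personal/john_doe_contoso_com',
    'https://contoso-my.sharepoint.com/personal/jane_roe_contoso_com'
)

$deleted = Get-SPODeletedSite -IncludeOnlyPersonalSite -Limit All

$log = foreach ($url in $ApprovedUrls) {
    $site  = $deleted | Where-Object { $_.Url -eq $url }
    $entry = [ordered]@{
        Url           = $url
        DeletionTime  = $site.DeletionTime
        DaysRemaining = $site.DaysRemaining
        Restored      = $false
        AdminAssigned = $false
        Error         = $null
    }
    try {
        if (-not $site) { throw 'Not found among deleted personal sites.' }

        Restore-SPODeletedSite -Identity $url -ErrorAction Stop
        $entry.Restored = $true

        # Grant the migration account access to the restored OneDrive.
        Set-SPOUser -Site $url -LoginName $AdminUpn `
            -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null
        $entry.AdminAssigned = $true
    }
    catch {
        $entry.Error = $_.Exception.Message
    }
    [pscustomobject]$entry
}

$log | Export-Csv -Path .\OneDriveRestoreLog.csv -NoTypeInformation
```

After migration, the same log identifies every site where the administrator was added, so the access can be withdrawn with Set-SPOUser and -IsSiteCollectionAdmin $false.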
When working on Tenant-to-Tenant Migrations, you can plan to migrate both Inactive mailboxes and deleted OneDrive accounts ensuring that the data is retained for legal and compliance reasons. Make sure you understand any additional costs and effort involved in migrating inactive and deleted content, including Microsoft licensing, migration tool licensing, effort to perform the recovery and migration steps outlined above, and effort to reconfigure holds in the target tenant (if required). Before deciding on a migration strategy, it is best to work with the Legal department to understand what content needs to be retained before selecting the appropriate solution.