Moving to Microsoft 365 Retention Policies

When I wrote about Microsoft 365 retention policies last September, I argued that Exchange Online mailbox retention policies offer some advantages over their Microsoft 365 counterparts. Briefly, the advantages boil down to the ability to control retention for default folders like the Inbox and the availability of the move to archive action. Microsoft 365 retention policies operate on a container basis (the mailbox) and don’t include move to archive as a retention action. If you’re in a hybrid organization, being able to apply the same retention settings to on-premises and cloud mailboxes might be deemed another advantage.

Although it might seem a small point, having retention policies move items from primary mailboxes to archive mailboxes on an ongoing basis keeps primary mailboxes uncluttered while preserving the ability to find old items when necessary. You can argue that offloading old email to an archive is more important in on-premises environments where mailboxes are usually smaller than the 100 GB norm for enterprise Exchange Online deployments. This is true, but it still doesn’t get past the point that much inter-organization communication flows via email and it’s usually important to retain these messages for extended periods. Moving to the archive is an effective way to retain email without having old messages get in the way of users.

The downside of focusing on Exchange Online retention is that Microsoft’s attention is fixed firmly on Microsoft 365 retention policies. The addition of adaptive scopes to identify target locations or being able to use the presence of sensitivity labels as a condition for auto-label retention policies are two examples of recent improvements in Microsoft 365 retention.

Maximizing the Benefit of Both Types of Retention

Although acknowledging where Microsoft’s interest lies, it makes sense for customers to consider whether they should leverage the unique abilities and strengths of the two types of retention processing in their information governance strategy. However, we should also begin the conversation about how to transition from Exchange Online mailbox retention policies to Microsoft 365 retention policies. Briefly, the major points of the transition are:

  • Replace Exchange personal tags from mailbox retention policies with Microsoft 365 retention labels. To make the changeover seamless, use the same name for both personal tags and retention labels.
  • Remove Exchange folder tags from mailbox retention policies and replace them with retention policies published to the mailboxes using label publishing policies.
  • Replace default deletion tags in mailbox retention policies with Microsoft 365 retention policies.
  • Limit the use of Exchange Online mailbox retention policies to moving messages into archive mailboxes.

Remember, a mailbox can have just one mailbox retention policy. However, it can come within the scope of multiple Microsoft 365 retention policies. In this strategy, we remove Exchange personal, folder, and default tags from the set of mailbox retention policies assigned to user mailboxes and replace them with retention policies and label publishing policies.

When the process is complete, Exchange mailbox retention policies will only include a default archive tag to control the movement of items into the archive. If you don’t want to use archive mailboxes and intend to keep everything in primary mailboxes, you can remove all the mailbox retention policies. At that point, Microsoft 365 retention policies and labels will perform all retention processing for the organization.

It’s important to emphasize that you should not delete any Exchange retention tag (personal, folder, or default) from your organization. Instead, by removing the tags from mailbox retention policies, you make the tags unavailable to users. Existing tags remain stamped on items unless superseded by application of a retention label. As time passes, items will age out, the Managed Folder Assistant (MFA) will remove them, and the Exchange tags will disappear from use.

Replace Exchange Personal Retention Tags

Personal retention tags exist to allow users to mark folders (except the default folders such as the Inbox) and individual items for special retention processing. For instance, a personal tag might retain items for ten years. To replace these tags, we:

  • Create replacement Microsoft 365 retention labels with the same retention settings and publish the labels to users.
  • If multiple mailbox retention policies are in use for different sets of users, you might need equivalent Microsoft 365 retention publishing policies to get the right labels to the right users. On the other hand, you might be able to rationalize label publishing to a smaller set of policies.
  • Remove the Exchange personal retention tags from mailbox retention policies.

An item can only ever have a single retention label or tag, either implicit (inherited from the folder or mailbox default) or explicit (applied by the user). If an item comes within the scope of multiple labels or retention policies, the rules of retention apply. Usually, this boils down to retention winning over deletion and the application of the longest retention period. No one wants to remove information before its time.

Remove Exchange Folder Tags

Folder tags exist to apply retention settings to default Exchange mailbox folders such as the Inbox, Sent Items, and Deleted Items. As Microsoft 365 retention policies apply the same settings across all mailbox folders, no further need exists for these folder tags, so we can remove the folder tags from mailbox retention policies.

Clients like OWA which support retention policies won’t allow users to apply a retention label to a default folder. Users can apply retention labels to any folder they create.

Replace Default Deletion Tags

A default deletion tag applies retention to any mailbox item which does not come under the control of a more specific tag (personal or folder). Microsoft 365 retention policies take on the role of default deletion tags, so these tags are no longer required and can be removed from mailbox retention policies.

Keep the Default Archive Tag

On the other hand, if you intend to continue moving items from primary mailboxes to archive mailboxes as part of your retention strategy, you must keep the default archive tags in mailbox retention policies. A default archive tag instructs MFA to move items after they reach a certain age. For example, you could have a mailbox retention policy with:

  • A default archive tag to move items into the archive mailbox after a year.
  • A default deletion tag to remove items from the mailbox (primary and archive) after seven years.

In this configuration, items stay in the primary mailbox for a year and then move to the same folder in the archive mailbox and stay there for another six years. When items are seven years old, the MFA removes them from the archive mailbox.

Microsoft 365 retention policies process both the primary and archive mailboxes, so if we leave the default archive tag in place, MFA will respect its instructions to move items to the archive, and then respect the policy settings to remove items.

Making the Changes

To remove the personal tags, access the compliance management section of the old Exchange admin center and select the retention policy to update (Figure 1).

Figure 1: Mailbox retention policies in the old EAC

Now remove everything from the policy except the default archive tag (Figure 2). We keep this to ensure that MFA continues to move items to the archive mailbox after the tag’s retention period expires (in this case, 1095 days, or 3 years). Note that this policy does not have a default delete tag.

Figure 2: Only a default archive tag remains in the mailbox retention policy
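
The same change can be made in Exchange Online PowerShell. The script below is an added example, not part of the original article: it keeps only the default archive tag in one mailbox retention policy and records which tags it unlinks, without deleting any tag from the tenant. The policy name, pilot mailbox, and CSV path are hypothetical, and it assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module is installed and Connect-ExchangeOnline has already been run.
$PolicyName  = 'Archive Only Policy'           # hypothetical policy name
$TestMailbox = 'test.user@contoso.example'     # hypothetical pilot mailbox
$AuditFile   = '.\UnlinkedRetentionTags.csv'   # hypothetical path for the change record

$Policy = Get-RetentionPolicy -Identity $PolicyName -ErrorAction Stop

# Resolve each linked tag so its type, action and age limit can be inspected.
$Tags = foreach ($Link in $Policy.RetentionPolicyTagLinks) {
    Get-RetentionPolicyTag -Identity "$Link"
}

# A default archive tag has Type 'All' and the MoveToArchive action.
$Keep = @($Tags | Where-Object {
    $_.Type -eq 'All' -and $_.RetentionAction -eq 'MoveToArchive'
})
if ($Keep.Count -ne 1) {
    throw "Expected exactly one default archive tag in '$PolicyName', found $($Keep.Count)."
}

# Everything else (personal, folder and default deletion tags) is unlinked from the
# policy. The tags themselves stay in the tenant: Remove-RetentionPolicyTag is never called.
$Unlink = @($Tags | Where-Object { $_.Name -ne $Keep[0].Name })
$Unlink |
    Select-Object Name, Type, RetentionAction, AgeLimitForRetention |
    Export-Csv -Path $AuditFile -NoTypeInformation

Write-Host "Keeping: $($Keep[0].Name) ($($Keep[0].AgeLimitForRetention))"
Write-Host "Unlinking $($Unlink.Count) tag(s); details written to $AuditFile"

# Preview the change first; rerun this line without -WhatIf to commit it.
Set-RetentionPolicy -Identity $PolicyName -RetentionPolicyTagLinks $Keep[0].Name -WhatIf

# After committing, ask MFA to process a pilot mailbox rather than waiting for
# its normal work cycle, then check the tag list the user sees in OWA.
# Start-ManagedFolderAssistant -Identity $TestMailbox
```

The CSV gives you the names and retention settings of the unlinked personal tags, which is the list you need when creating same-named Microsoft 365 retention labels.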

The next time MFA processes mailboxes, it removes the Exchange personal tags and makes the Microsoft 365 retention labels available to users. This can be a gradual process to remove Exchange personal tags and introduce retention labels. MFA makes sure that the set of retention policy labels displayed to users includes both Exchange tags and Microsoft 365 labels. Figure 3 shows OWA displaying a set of labels including both personal tags (like Remove after 1 week) and retention labels (like Formal Company Record and Required for Audit). You can also see two personal tags with move to archive actions listed on the top of the set.

Figure 3: OWA makes both Exchange personal retention tags and Microsoft 365 retention labels available to users

Although MFA hides the Exchange personal tags after their removal from mailbox retention policies, users can still access personal tags through the OWA retention policies option, which lists the set of Exchange personal retention tags not already assigned to the user by policy (Figure 4). After the user selects a tag, it joins the set displayed by OWA and Outlook desktop when the user applies a policy to an item.

Figure 4: OWA’s Retention Policies option

Unfortunately, there’s no way to suppress the display of personal tags through the OWA option. As mentioned above, don’t remove the personal tags from the tenant as this might lead to the unexpected deletion of important items, so it’s best to advise users to avoid using the OWA option.

OWA doesn’t include Microsoft 365 retention labels as part of the set shown to users, so the OWA option doesn’t support a switchover to retention labels until Microsoft does the work to upgrade the client.

End Game

After making all the changes, you should be in this position:

  • Exchange mailbox retention policies have a single default archive tag and nothing else.
  • Microsoft 365 retention labels replace the Exchange personal tags.
  • Microsoft 365 retention policies process any mailbox items that don’t have an assigned retention label (or old Exchange retention tag).
  • Users experience no change because clients display the same set of retention labels. There might be a changeover period of a few days when both retention labels and retention tags appear in the lists displayed in clients, but this is a matter of timing (label publication), and MFA will resolve the duplication over time.

There is a small loss in functionality because you no longer assign folder tags to default mailbox folders. However, if retention policies have reasonable retention periods, it’s unlikely that users will notice the difference. In any case, users should receive guidance about how to use retention labels to mark items/folders of particular importance that they wish to keep.

Eventually, Microsoft might provide a Microsoft 365 retention policy setting to enable movement of email into archive mailboxes. At that point, the need for Exchange Online mailbox retention policies will disappear.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Mike Duffy

    To apply policies to specific default folders, like delete all “Deleted Items” after 30 days or delete all Junk Mail after 30 days, would we have to use Exchange policy for that vs. M365 Retention Policy or Labels?

    1. Tony Redmond

      Yes, Exchange mailbox retention policies are the only way to target specific folders. Microsoft 365 retention policies target the entire mailbox.

  2. Sabyasachi Gupta

    Hi Tony,

    I am doing an O365 tenant-to-tenant migration. At the source tenant I have a mailbox with Exchange Online archiving enabled and the archive mailbox size is 103 MB. The default MRM policy is applied. After the migration I enabled the archive at the destination mailbox. I separately migrated archive mailbox to archive mailbox, only 103 MB of data. After 10 days I am observing that the archive size at the destination is 9 GB but at the source it’s still 103 MB. There can be a change in the primary mailbox data as new emails are coming in, but why would there be so much difference in the archive data?

  3. RichE

    Hi Tony, thank you for this article. I am with a small company of 200+ users. We currently do not have Archiving enabled for any users (except myself for testing). I was testing with the old retention policies and retention tags to start implementing in our environment, but after reading this article, I wonder if I should start with Microsoft’s new method. We use Exchange online and based on our licensing, our users get 50GB of space, but we have some users approaching that limit and many need to save emails from 10-20 years. I wanted to enable Online archiving for users that are reaching their limit, but create a new retention policy and change the Default from “Default 2 year move to archive” to “Default Never Delete”, so that the users have control and can then assign the tag of their choice on all of their Outlook folders (Inbox and other), however I am having trouble understanding how to implement that strategy with the new Microsoft retention policies.

    1. Tony Redmond

      I think you should start with Microsoft 365 retention policies and use them to control the retention/deletion of email. You can supplement those policies with EXO mailbox retention policies that have a single default archive tag (remove all the other tags if you want to use the Default Mailbox Retention Policy). In other words, the EXO policies do nothing but control movement of items from primary to archive mailboxes. Items should move to the archive first (say after two years) and remain there until removed by the Microsoft 365 retention policies.

      1. Rich E

        Makes sense. Thank you. Is there a way to force the new M365 retention policies to take effect instead of waiting 7 days? I tried the Start-ManagedFolderAssistant PowerShell command but that doesn’t seem to do anything with the new policies.

        1. Tony Redmond

          The Start-ManagedFolderAssistant cmdlet forces the MFA to process a mailbox, but the point of delay is getting the Microsoft 365 retention policies published to Exchange Online. This can take up to a week.

          1. Heck P

            Do you know if the MFA is still applicable for Microsoft 365 retention policies OR is there a different process altogether that’s used to process Microsoft 365 retention policies? If it’s the latter, do we have any way to force that process to initiate without having to wait a week?

  4. Bill M

    Hi Tony. Thanks for this! Can you elaborate on if there are competing Exchange Online Retention Tags and M365 Retention Labels, which takes precedence?

  5. Renato Romanello

    Great article but I need more clarification.

    License:
    I have read everything about licensing. To use retention policy for shared mailbox it’s needed to assign a license: https://docs.microsoft.com/en-us/microsoft-365/admin/email/about-shared-mailboxes?view=o365-worldwide#:~:text=If%20you%20want%20to%20apply%20advanced%20features%20such%20as%20Microsoft%20Defender%20for%20Office%20365%2C%20Advanced%20eDiscovery%2C%20or%20automatic%20retention%20policies%2C%20the%20shared%20mailbox%20must%20be%20licensed%20for%20those%20features.
    According to the Information Governance licensing schema the shared mailbox needs Exchange P1 + Online Archiving.

    Is it wrong?

    Archive & Retain
    I have some customers who want to move the oldest messages to the archive and retain everything for some years. We have set an archiving policy in the legacy portal and a retention policy in the Compliance portal. This configuration breaks the archiving policy because MFA can’t delete move messages from the main mailbox. MS gave us a solution after a lot of attempts but I’m not convinced about the solution. What do you think about it?

    Thank you a lot.
    Renato

    1. Tony Redmond

      You only need an archiving license if you plan to archive items from a shared mailbox. You need the Exchange Online P1 license too. This would use a mailbox retention policy because Microsoft 365 retention policies don’t have the ability to move items to the archive.
      You do not need a license to use Microsoft 365 retention policies unless you use advanced features like auto-label retention policies. “If you want to apply advanced features such as Microsoft Defender for Office 365, Advanced eDiscovery, or automatic retention policies, the shared mailbox must be licensed for those features.”

      You’ll have to give more details of your configuration and tell what broke and the Microsoft recommendation for me to be able to comment further.

  6. Kevin

    Is there any licensing implications with retention policies, in particular for shared mailboxes?

    1. Tony Redmond

      Retention policies are covered by Office 365 E3 or above (Exchange Online Plan 2). You don’t need anything special for shared mailboxes unless you use a feature which requires licenses, like an archive.

  7. Andrew Woodward

    Great article. I did notice when I published retention labels to Exchange Online, they took 6 days to show in supported Outlook clients. This is expected behaviour though as MS indicate it can take up to 7 days. They were available within one day when published to OneDrive, SharePoint & Groups.

    1. Tony Redmond

      The Managed Folder Assistant must process a mailbox to refresh its set of retention labels (and tags). MFA runs on a weekly workcycle basis, so it can take up to 7 days before new labels show up. OWA should pick them up within a few hours, as do the other browser interfaces for SPO, etc.

  8. Gerard Toscano

    Thank you Tony! Your suggestion to make 365 retention labels the same as those in Exchange On Prem worked for me. For weeks now I’ve been wondering why my retention policy in 365 has been moving at a snail’s pace. Once I synced the naming and cleaned up those ineffective tags the results were almost immediate. Great article!
