Unintended Retention in Microsoft 365: What You Should Know
Organizations using Microsoft 365 rely on retention policies to manage their data lifecycle—automatically preserving important information for compliance while deleting outdated content to reduce storage costs and legal risk. Within Microsoft Purview, administrators can configure these retention policies to specify how long different types of content should be kept before automatic deletion (“Retain Policy”).
The Redgrave team recently identified a significant issue in a client’s Microsoft 365 environment: soft-deleted or inactive Exchange Online mailboxes were not being removed from the tenant as expected. Specifically, we found that mailboxes that were not subject to any legal holds (whether set through Purview eDiscovery or Exchange Online) and contained no data matching active retention policies were still being retained indefinitely in the M365 tenant instead of being purged according to Microsoft 365's standard lifecycle rules.
Here's what this means in practice: if your organization has a retention policy that keeps certain content (such as emails, or Teams chats, which are stored in the mailbox) for a specified period—say, 60 days—before deletion, this policy appears to be preventing the entire mailbox from being purged from your M365 tenant, even after all content subject to the retention period has aged out. For example, if the company has an organization-wide retention policy to retain email for 60 days and then delete it, and a user's mailbox has been soft-deleted and contains no messages less than 60 days old, the mailbox should be eligible for removal. Instead, these mailboxes are being retained indefinitely.
Microsoft confirmed that this behavior is not intended. According to their specifications, once there are no Purview eDiscovery or Exchange Online holds applied to the mailbox and no data within it matches any active retention policies, soft-deleted mailboxes should be purged from the M365 tenant based on the standard M365 lifecycle.
Microsoft is actively working on a fix, which is expected to be released between September 30 and October 15, pending successful testing. In the interim, if you have retention policies set within your M365 tenant to retain data for a specified period of time, there is a high likelihood that you are retaining significantly more data than expected, and that data could be subject to preservation and eDiscovery when obligations arise.
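One way to inventory what the tenant is currently holding while the fix is pending, as an added example that is not code from Redgrave or Microsoft: the script lists soft-deleted and inactive mailboxes with their mailbox-level hold flags and marks those with no such hold that were soft-deleted longer ago than a threshold. The 30-day threshold, the output path and the `NeedsReview` column are assumptions of this example; organization-wide policies are only counted for context, not evaluated per mailbox.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module and an existing
# Connect-ExchangeOnline session with rights to read mailboxes.
param(
    [int]$ReviewAfterDays = 30,                             # assumed threshold; set to your expected lifecycle
    [string]$OutFile = '.\softdeleted-mailbox-review.csv'   # hypothetical output path
)

# Organization-wide hold entries, reported for context next to the per-mailbox flags.
$orgHolds = @((Get-OrganizationConfig).InPlaceHolds | Where-Object { $_ })
Write-Host "Organization-wide hold entries: $($orgHolds.Count)"

# Collect soft-deleted and inactive mailboxes, de-duplicated by ExchangeGuid.
$mailboxes = @(Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited) +
             @(Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited) |
             Sort-Object ExchangeGuid -Unique

$now = (Get-Date).ToUniversalTime()
$report = foreach ($mbx in $mailboxes) {
    # Size of what is still stored; statistics may be unavailable for some mailboxes.
    $stats = Get-MailboxStatistics -Identity $mbx.ExchangeGuid.ToString() `
                 -IncludeSoftDeletedRecipients -ErrorAction SilentlyContinue

    $days = if ($mbx.WhenSoftDeleted) {
        [int]($now - $mbx.WhenSoftDeleted.ToUniversalTime()).TotalDays
    } else { $null }

    # Holds recorded on the mailbox itself (not organization-wide policies).
    $mailboxHold = $mbx.LitigationHoldEnabled -or
                   [bool]($mbx.InPlaceHolds | Where-Object { $_ }) -or
                   $mbx.ComplianceTagHoldApplied -or
                   $mbx.DelayHoldApplied -or $mbx.DelayReleaseHoldApplied

    [pscustomobject]@{
        PrimarySmtpAddress  = $mbx.PrimarySmtpAddress
        ExchangeGuid        = $mbx.ExchangeGuid
        IsInactiveMailbox   = $mbx.IsInactiveMailbox
        WhenSoftDeleted     = $mbx.WhenSoftDeleted
        DaysSinceSoftDelete = $days
        MailboxLevelHold    = [bool]$mailboxHold
        ItemCount           = $stats.ItemCount
        TotalItemSize       = $stats.TotalItemSize
        # Assumed review rule: no mailbox-level hold and past the threshold.
        NeedsReview         = (-not $mailboxHold) -and ($null -ne $days) -and ($days -ge $ReviewAfterDays)
    }
}

$report | Sort-Object DaysSinceSoftDelete -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation
$report | Where-Object NeedsReview |
    Format-Table PrimarySmtpAddress, DaysSinceSoftDelete, ItemCount, TotalItemSize
```

The resulting list is a starting point for review with counsel and the records team, since whether a given mailbox still holds content inside a retention period has to be checked against the policies that apply to it.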
If you have any questions about this issue, or other Microsoft 365 questions, please reach out to: John Collins, Managing Director [jcollins@redgravellp.com], Staci Kaliner, Managing Director [skaliner@redgravellp.com], Tom Lidbury, Partner [tlidbury@redgravellp.com], or Martin Tully, Partner [mtully@redgravellp.com].
Legal 365 for Microsoft 365
Redgrave’s Legal 365 Snapshots provide timely thought leadership and practical insights, which highlight the importance of a combination of deep technical and legal insight when managing Microsoft 365 environments. Learn more about our Legal 365 for Microsoft 365 services, which help organizations confidently navigate complex M365 governance challenges with defensible, efficient, and legally sound strategies, here.
The views expressed in this article are those of the authors and do not necessarily represent the views of their law firm or any of its clients.