Meeting Compliance Rules in Office 365

October 14, 2015 | September 11th, 2020 | Blog, Microsoft

If you’re a business in the financial or health market, you’re already familiar with the laundry list of compliance rules you must legally meet. But you may not understand how those rules fit with the cloud, and whether or not you can be compliant in Office 365. Today we’re going to tackle one of the most common questions PEI receives when discussing compliance.

“At my company, we are required to keep email for 3 years and then it must be permanently deleted. Is there any way to stop users from deleting email? How can I ensure that email is deleted at the 3-year mark and not before?”

  • This is a very common requirement for companies with SEC regulation, and one which can be successfully implemented in Office 365.
  • First, let’s talk about users deleting email. There is no way to prevent a user from “deleting” their email in Outlook or OWA, but the reality is that email deleted by the user is not permanently gone.
  • At stage 3 the message is in the Recoverable Items folder, which can be accessed in Outlook or OWA. Messages will stay in this folder for a default of 14 days (can be extended to 30 by an administrator). The user is also able to “delete” items in this folder, which looks like permanent deletion to the user, since they no longer have access to that item.
  • At stage 4, when the message is removed from the Recoverable Items folder, it goes into the Purges folder, which is NOT visible to the user.
  • The Purges folder will respect retention policies applied to the user’s mailbox, since it’s basically a normal folder in the user’s mailbox (albeit one that the user cannot see or interact with). So if you have a default retention policy applied to the mailbox, that policy will kick in even for messages that are stored in the Purges folder.
  • The Purges folder also has a size quota, separate from the user’s mailbox, that is by default set to 30 GB. In the case that you need to silently turn on litigation hold for a user, this is the ideal dumping ground for email the user thinks is “deleted”. There is no UI to tell the user how much quota has been used in the Purges folder; it is up to the Exchange administrator to watch for quota warnings from Exchange regarding the Purges folder (on a per-user basis).
  • What about the archive mailbox? The nice thing about Online Archives is that they are fully fledged Exchange mailboxes with their own Recoverable Items and Purges folders, so all the statements above apply equally to the Online Archive as well.
  • If, for instance, you had a policy to move items to the archive after 30 days, and then permanently delete from the archive after 3 years, items living in the Purges folder in the user’s mailbox would be moved to the Purges folder in the Online Archive after 30 days, and then would be deleted from the Purges folder after 3 years (assuming the Purges folder doesn’t run out of space before that time).
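
The policy described in the last bullet, together with the Purges quota check an administrator has to do by hand, can be scripted in Exchange Online PowerShell. This is an added example, not PEI's own configuration. It assumes an existing `Connect-ExchangeOnline` session and an archive already enabled on the mailbox; the mailbox address, tag names and policy name are hypothetical placeholders.

```powershell
# Added example. Placeholder values: replace with your own.
$Mailbox    = 'user@example.com'        # hypothetical mailbox
$PolicyName = 'Archive30d-Delete3y'     # hypothetical policy name
$ArchiveTag = 'Move to archive after 30 days'
$DeleteTag  = 'Permanently delete after 3 years'

# Default policy tags (Type All) cover every item that carries no other tag.
# A policy may hold one default tag that archives and one that deletes.
New-RetentionPolicyTag -Name $ArchiveTag -Type All `
    -AgeLimitForRetention 30 -RetentionAction MoveToArchive
New-RetentionPolicyTag -Name $DeleteTag -Type All `
    -AgeLimitForRetention 1095 -RetentionAction PermanentlyDelete   # 3 x 365 days

New-RetentionPolicy -Name $PolicyName -RetentionPolicyTagLinks $ArchiveTag, $DeleteTag

# Assign the policy and raise deleted-item retention from the 14-day default to 30.
Set-Mailbox -Identity $Mailbox -RetentionPolicy $PolicyName -RetainDeletedItemsFor 30

# Users never see Purges usage, so report it for the administrator.
function Get-RecoverableItemsUsage {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [switch] $Archive   # query the Online Archive instead of the primary mailbox
    )
    Get-MailboxFolderStatistics -Identity $Identity -FolderScope RecoverableItems `
        -Archive:$Archive |
        Select-Object Name, ItemsInFolder, FolderAndSubfolderSize
}

# Quotas that apply to Recoverable Items (including Purges) on this mailbox.
Get-Mailbox -Identity $Mailbox |
    Select-Object RetentionPolicy, RetainDeletedItemsFor,
                  RecoverableItemsWarningQuota, RecoverableItemsQuota

Get-RecoverableItemsUsage -Identity $Mailbox            # primary mailbox
Get-RecoverableItemsUsage -Identity $Mailbox -Archive   # Online Archive
```

Compare the size on the `Recoverable Items` row (which includes its subfolders) with `RecoverableItemsWarningQuota` to see how close a mailbox is to the limit before Exchange starts raising warnings.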

Hopefully that clears up any confusion about how retention policies work with email deletion in the cloud. If not, what questions do you have? Let us know, and we can help you answer specific compliance questions about your company.

Allison Sousa, PEI
