Office 365 litigation hold vs retention policy – what’s the difference

Office 365 and on-premises Exchange offer some native means of protection against losing precious data. Lately, a lot of changes have been introduced in the Exchange Security & Compliance Center. A retention policy and a litigation hold can be used to add a layer of protection against data loss. At first glance, they seem similar: they both are accessed from Office 365 Security & Compliance Center and serve the same purpose. However, in the table below you can see that there are some differences and they are not minor.

Litigation Hold vs Retention policy: comparison

But before the actual comparison, let us look at those features separately.

Retention policy – basic information

Retention policies do two basic things: they either protect data from deletion or delete unnecessary items. They can be applied to a whole organization, to a group of users and a single mailbox or a site. With the use of advanced options, you can preserve or delete only those elements which contain words or phrases you choose. If you create an organization-wide retention rule, it will be applied to all users, even the newly created. Normally, policies work on both existing and new elements. The only exception is when you choose to apply them to specific types of sensitive information – this functionality bases on mail flow rules, which means that it scans and includes only messages sent or received after the policy is set.

Retention policies used to protect data scan emails and other item types in Recoverable items folder. If there is at least one policy which applies to an item – it will not be deleted. Otherwise, after a set period (by default 14 days but it can be increased to 30 days) items are purged – deleted without any way to recover them. Users can purge items on their own and retention policies do not protect from this scenario unless you have Single Item Recovery enabled.

As those policies can either preserve or delete content, it is important to know what happens if more than one policy affects a single item. There is a set priority among retention rules: the most important rule is that retention always takes precedence over deletion and if more than one retention applies to an item, the longest period wins. Example: There is an organization-wide retention policy which protects data which is not older five years and an org-wide policy which deletes all items which are older than two years. Items created three years ago will not be deleted because of the first policy, while items older than five years, which are not protected anymore, will be deleted because of the second policy.

There is a very interesting feature of retention policies: a preservation lock. If it is enabled, a retention policy cannot be deleted or made less restrictive. It is a one-way ticket which should not be used unless it is required and you are sure it is well set up.

Only users with required permissions can create and manage retention policies. There are two default role groups which include Retention Management: Compliance Administrator and Organization Management.

Learn more about retention policies in Exchange online

Litigation Hold – basic information

Litigation Hold is one of the functionalities of eDiscovery feature in Exchange Online. Putting mailboxes, public folders or sites (e.g. OneDrive, SharePoint) on Litigation Hold prevents users from permanently deleting all or chosen content. Before the recent updates, litigation hold allowed to secure only whole mailboxes. Partial mailbox protection required using In-Place hold. Now, Litigation Hold allows you to use filters and conditions so that you can decide precisely which items to protect and which not.

As the name suggests, the primary function of a Litigation Hold is to protect data in case there is a lawsuit in action, and some emails might be evidence. In fact, that is what the whole eDiscovery is there for. But you can use it, as many other companies do, as a means to backup sensitive data, just in case. Although the storage for protected items is not limited, including all mailboxes is not advisable – it will save all items, including spam emails, making future searches troublesome, to say the least. What is more, if you remove a hold, all purged data is irreversibly deleted. You can export mailboxes to PST files and store them locally. This way, you will increase your data safety although you might find this backup method a bit slow and faulty.

Permissions required to put mailboxes on hold are assigned in Office 365 Security & Compliance Center. The default groups which have all required roles are eDiscovery Manager, Compliance Administrator and Organization Management.

Learn more about eDiscovery cases and Litigation Hold in Exchange Online

Comparison of Litigation Hold vs retention policy

The following table provides a short comparison between Litigation Hold and retention policy. Note that this applies to Office 365 only and has been tested in Office 365 environment with an E3 plan. There are some important differences between those features in Exchange Online and on-premises servers.

Litigation HoldRetention Policy
Application to new usersHas to be applied to every new userCan be applied to new users automatically
Apply to all usersNo; users have to be added individuallyCan be set to all users or individually
UsagePrevents hard-deleting emails, enables recoveryMoves to archive or deletes items
Prevents mailbox deletionYesYes
LicenseExchange Online Plan 1 + Exchange Online archiving; Exchange Online Plan 2 or higherExchange Online Plan 1 + Exchange Online archiving; Exchange Online Plan 2 or higher
Can recover purged (hard-deleted) itemsYesNo
Reduces resources availability for usersNoNo
LimitationsNo10 organization-wide and 1000 specific policies per tenant
Minimum required permissionseDiscovery Manager role group in Security & Compliance CenterCompliance Administrator role group in Security & Compliance Center
How to search for deleted itemseDiscovery search or Search-Mailbox cmdleteDiscovery search or Search-Mailbox cmdlet

Retention policies and holds can co-exist. In fact, it is a common scenario. It is worth mentioning that even if there is a policy which deletes some items, it will not work on the ones which have an active hold.

Third party alternative

There is a third party solution which joins the advantages of the two Office 365 features compared above. CodeTwo Backup for Office 365 creates an incremental offline backup of mailboxes and public folders. Instead of keeping all eggs in one basket, it enables you to store all or chosen users’ data in a secure location, available even when you are offline. Thanks to this backup solution, you can easily browse and restore data in your company straight back to the target location or anywhere else you like.

Learn more about Backup for Office 365

Read more

Office 365 litigation hold vs retention policy – what’s the difference by

2 thoughts on “Office 365 litigation hold vs retention policy – what’s the difference


  1. Good source of information, I like the structure. As a side note, Litigation does not necessarily require Exchange Online Plan 2 or higher, it also works with Exchange Online Plan 1 + Exchange Online archiving.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

*