[Update] This post was updated on October 18, 2017.
Office 365 and on-premises Exchange offer some native means of protection against losing precious data. Lately, a lot of changes have been introduced in the Exchange Security & Compliance Center. A retention policy and a litigation hold can be used to add a layer of protection against data loss. At first glance, they seem similar: they both are accessed from Office 365 Security & Compliance Center and serve the same purpose. However, in the table below you can see that there are some differences and they are not minor.
But before the actual comparison, let us look at those features separately.
Retention policy – basic information
Retention policies do two basic things: they either protect data from deletion or delete unnecessary items. They can be applied to a whole organization, to a group of users and a single mailbox or a site. With the use of advanced options, you can preserve or delete only those elements which contain words or phrases you choose. If you create an organization-wide retention rule, it will be applied to all users, even the newly created. Normally, policies work on both existing and new elements. The only exception is when you choose to apply them to specific types of sensitive information – this functionality bases on mail flow rules, which means that it scans and includes only messages sent or received after the policy is set.
Retention policies used to protect data scan emails and other item types in Recoverable items folder. If there is at least one policy which applies to an item – it will not be deleted. Otherwise, after a set period (by default 14 days but it can be increased to 30 days) items are purged – deleted without any way to recover them. Users can purge items on their own, but with a retention policy protecting such files, the administrator will still be able to access this data using eDiscovery or Search-Mailbox.
As those policies can either preserve or delete content, it is important to know what happens if more than one policy affects a single item. There is a set priority among retention rules: the most important rule is that retention always takes precedence over deletion and if more than one retention applies to an item, the longest period wins. Example: There is an organization-wide retention policy which protects data which is not older five years and an org-wide policy which deletes all items which are older than two years. Items created three years ago will not be deleted because of the first policy, while items older than five years, which are not protected anymore, will be deleted because of the second policy.
There is a very interesting feature of retention policies: a preservation lock. If it is enabled, a retention policy cannot be deleted or made less restrictive. It is a one-way ticket which should not be used unless it is required and you are sure it is well set up.
Only users with required permissions can create and manage retention policies. There are two default role groups which include Retention Management: Compliance Administrator and Organization Management.
Litigation Hold – basic information
Litigation Hold is one of the functionalities of eDiscovery feature in Exchange Online. Putting mailboxes, public folders or sites (e.g. OneDrive, SharePoint) on Litigation Hold prevents users from permanently deleting all or chosen content. Before the recent updates, litigation hold allowed to secure only whole mailboxes. Partial mailbox protection required using In-Place hold. Now, Litigation Hold allows you to use filters and conditions so that you can decide precisely which items to protect and which not.
As the name suggests, the primary function of a Litigation Hold is to protect data in case there is a lawsuit in action, and some emails might be evidence. In fact, that is what the whole eDiscovery is there for. But you can use it, as many other companies do, as a means to backup sensitive data, just in case. Although the storage for protected items is not limited, including all mailboxes is not advisable – it will save all items, including spam emails, making future searches troublesome, to say the least. What is more, if you remove a hold, all purged data is irreversibly deleted. You can export mailboxes to PST files and store them locally. This way, you will increase your data safety although you might find this backup method a bit slow and faulty.
Permissions required to put mailboxes on hold are assigned in Office 365 Security & Compliance Center. The default groups which have all required roles are eDiscovery Manager, Compliance Administrator and Organization Management.
Comparison of Litigation Hold vs retention policy
The following table provides a short comparison between Litigation Hold and retention policy. Note that this applies to Office 365 only and has been tested in Office 365 environment with an E3 plan. There are some important differences between those features in Exchange Online and on-premises servers.
|Litigation Hold||Retention Policy|
|Application to new users||Has to be applied to every new user||Can be applied to new users automatically|
|Apply to all users||No; users have to be added individually||Can be set to all users or individually|
|Usage||Prevents hard-deleting emails by users, enables recovery||Prevents hard-deleting emails by users, moves to archive or deletes items|
|Prevents mailbox deletion||Yes||Yes|
|License||Exchange Online Plan 1 + Exchange Online archiving; Exchange Online Plan 2 or higher.|
(It also seems to work with Plan 1 without EOA.)
|Exchange Online Plan 1 + Exchange Online archiving; Exchange Online Plan 2 or higher.|
(It also seems to work with Plan 1 without EOA.)
|Can recover items purged (hard-deleted) by users||Yes||Yes|
|Reduces resources availability for users||No||No|
|Limitations||1000 mailboxes in a single hold, 10 000 holds for an organization||10 organization-wide and 1000 specific policies per tenant|
|Minimum required permissions||eDiscovery Manager role group in Security & Compliance Center||Compliance Administrator role group in Security & Compliance Center|
|How to search for deleted items||eDiscovery search or Search-Mailbox cmdlet||eDiscovery search or Search-Mailbox cmdlet|
|Setting time limits||Holds can be turned on and off manually||Enables advanced data management by setting limits on how long content should be preserved.|
|How long does it take for changes to apply?||It might take up to 60 minutes to start or finish working.||According to the Office 365 documentation, it may take up to 24 hours for the retention policy to start working.|
Retention policies and holds can co-exist. In fact, it is a common scenario. It is worth mentioning that even if there is a policy which deletes some items, it will not work on the ones which have an active hold.
Third party alternative
There is a third party solution which joins the advantages of the two Office 365 features compared above. CodeTwo Backup for Office 365 creates an incremental offline backup of mailboxes and public folders. Instead of keeping all eggs in one basket, it enables you to store all or chosen users’ data in a secure location, available even when you are offline. Thanks to this backup solution, you can easily browse and restore data in your company straight back to the target location or anywhere else you like.