[Update]: This post was updated on July 27, 2022 to reflect the latest developments in Microsoft 365.
Office 365 and on-premises Exchange offer some native means of protection against losing precious data. A retention policy and a litigation hold can be used to add a layer of protection against data loss. At first glance, they seem similar: they both serve the same purpose. However, in the table below you can see that there are some differences and they are not minor.
But before the actual comparison, let us look at those features separately.
Retention policy – basic information
Retention policies do two basic things: they either protect data from deletion or delete unnecessary items. They can be applied to a whole organization, to a group of users and a single mailbox or a site. With the use of advanced options, you can preserve or delete only those elements which contain words or phrases you choose. If you create an organization-wide retention rule, it will be applied to all users, even the newly created. Normally, policies work on both existing and new elements. The only exception is when you choose to apply them to specific types of sensitive information – this functionality bases on mail flow rules, which means that it scans and includes only messages sent or received after the policy is set.
Retention policies used to protect data scan emails and other item types in Recoverable items folder. If there is at least one policy which applies to an item – it will not be deleted. Otherwise, after a set period (by default 14 days but it can be increased to 30 days) items are purged – deleted without any way to recover them. Users can purge items on their own, but with a retention policy protecting such files, the administrator will still be able to access this data using eDiscovery or Search-Mailbox.
As those policies can either preserve or delete content, it is important to know what happens if more than one policy affects a single item. There is a set priority among retention rules: the most important rule is that retention always takes precedence over deletion and if more than one retention applies to an item, the longest period wins. Example: There is an organization-wide retention policy which protects data which is not older five years and an org-wide policy which deletes all items which are older than two years. Items created three years ago will not be deleted because of the first policy, while items older than five years, which are not protected anymore, will be deleted because of the second policy.
There is a very interesting feature of retention policies: a preservation lock. If it is enabled, a retention policy cannot be deleted or made less restrictive. It is a one-way ticket which should not be used unless it is required and you are sure it is well set up.
Only users with required permissions can create and manage retention policies. There are two default role groups which include Retention Management: Compliance Administrator and Organization Management.
Learn more about retention policies in Exchange Online
Litigation Hold – basic information
Litigation Hold is one of the functionalities of eDiscovery feature in Exchange Online. Putting mailboxes, public folders or sites (e.g. OneDrive, SharePoint) on Litigation Hold prevents users from permanently deleting all or chosen content. Before the recent updates, litigation hold allowed to secure only whole mailboxes. Partial mailbox protection required using In-Place hold. Now, Litigation Hold allows you to use filters and conditions so that you can decide precisely which items to protect and which not.
As the name suggests, the primary function of a Litigation Hold is to protect data in case there is a lawsuit in action, and some emails might be evidence. In fact, that is what the whole eDiscovery is there for. But you can use it, as many other companies do, as a means to backup sensitive data, just in case. Although the storage for protected items is not limited, including all mailboxes is not advisable – it will save all items, including spam emails, making future searches troublesome, to say the least. What is more, if you remove a hold, all purged data is irreversibly deleted. You can export mailboxes to PST files and store them locally. This way, you will increase your data safety although you might find this backup method a bit slow and faulty.
Permissions required to put mailboxes on hold are assigned in the Microsoft Purview compliance portal. The default groups which have all required roles are eDiscovery Manager, Compliance Administrator and Organization Management.
Learn more about eDiscovery cases and Litigation Hold in Exchange Online
Comparison of Litigation Hold vs retention policy
The following table provides a short comparison between Litigation Hold and retention policy. Note that this applies to Office 365 only and has been tested in Office 365 environment with an E3 plan. There are some important differences between those features in Exchange Online and on-premises servers.
Litigation Hold | Retention Policy | |
---|---|---|
Application to new users | Has to be applied to every new user | Can be applied to new users automatically |
Apply to all users | No; users have to be added individually | Can be set to all users or individually |
Usage | Prevents hard-deleting emails by users, enables recovery | Prevents hard-deleting emails by users, moves to archive or deletes items |
Prevents mailbox deletion | Yes | Yes |
License | Exchange Online Plan 1 + Exchange Online archiving; Exchange Online Plan 2 or higher. (It also seems to work with Plan 1 without EOA.) | Exchange Online Plan 1 + Exchange Online archiving; Exchange Online Plan 2 or higher. (It also seems to work with Plan 1 without EOA.) |
Can recover items purged (hard-deleted) by users | Yes | Yes |
Reduces resources availability for users | No | No |
Limitations | 1000 mailboxes in a single hold, 10 000 holds for an organization | 10 organization-wide and 1000 specific policies per tenant |
Minimum required permissions | eDiscovery Manager role group in the Microsoft Purview compliance portal | Compliance Administrator role group in the Microsoft Purview compliance portal |
How to search for deleted items | eDiscovery search or Search-Mailbox cmdlet | eDiscovery search or Search-Mailbox cmdlet |
Setting time limits | Holds can be turned on and off manually | Enables advanced data management by setting limits on how long content should be preserved. |
How long does it take for changes to apply? | It might take up to 60 minutes to start or finish working. | According to the Office 365 documentation, it may take up to 24 hours for the retention policy to start working. |
Retention policies and holds can co-exist. In fact, it is a common scenario. It is worth mentioning that even if there is a policy which deletes some items, it will not work on the ones which have an active hold.
Third party alternative
There is a third party solution which joins the advantages of the two Office 365 features compared above. CodeTwo Backup for Office 365 creates an incremental offline backup of mailboxes and public folders. Instead of keeping all eggs in one basket, it enables you to store all or chosen users’ data in a secure location, available even when you are offline. Thanks to this backup solution, you can easily browse and restore data in your company straight back to the target location or anywhere else you like.
Learn more about Backup for Office 365
Hi. Just a quick thanks for writing this with such clarity. Why can’t Microsoft provide this same quality of work for their documentation one wonders.
Thank you! I’ll be sure to keep on writing high-quality content.
Thank you for the article. Regarding the line “Now, Litigation Hold allows you to use filters and conditions so that you can decide precisely which items to protect and which not.” I cannot an article with references that level of filtering. Do you know where that is documented?
Hi Ben,
I am not sure about the documentation, the article is based mainly on my own experience.
You can take a peek at the available filters in this video about eDiscovery. Mind that the eDiscovery wizard’s layout has changed, but the way it works has not changed. If you want to check all litigation hold’s filters and conditions, you should go to the Office 365 Security and Compliance Center and discover what options are available.
Most helpful and informative article.
Adam, what your view on O365 new retention policy feature as a good alternative solution to a corporate compliance on Journaling and Backup.
Hi Lawrence,
Thank you! I’m glad you find it helpful.
When it comes to my opinion: while the retention policy is a quite reliable way to ensure compliance, it is still keeping “all eggs in one basket”. With the GDPR coming soon, it is worth taking the risk-based approach and keeping a local backup of Office 365 mailboxes.
How does this affect mailbox content after the Exchange Online license has been removed? With Litigation Hold, a license may be reclaimed from the associated account, but the Litigation Hold enabled mailbox content is preserved for eDiscovery.
According to Office 365 Support, both litigation holds and retention policies can be used to cause mailboxes to become inactive when an Office 365 user’s account is removed. Inactive mailboxes will not receive emails and will not be visible in GAL. At the same time, their contents are retained and they do not require ongoing licenses. It means that licenses from inactive mailboxes can be reassigned to other users.
For more information on this topic, see Overview of inactive mailboxes in Office 365 and Manage inactive mailboxes in Office 365.
It is important to point out that Office 365 has introduced Preservation which works in conjunction with Retention to allow for flexible rules to preserve and retain data. Preservation is an alternative to Litigation hold. Read more here:
https://support.office.com/en-us/article/Overview-of-preservation-policies-9c3b1d52-40ce-4ba3-a520-9ae0be15538a
Specifically:
Preservation policy vs. eDiscovery hold
While it’s true that both of these features hold content, these features should not be confused because they serve different purposes:
If you need to preserve content as part of a retention requirement, use a preservation policy. For example, if you need to retain content for seven years as part of your retention plan, use a preservation policy. A preservation policy can preserve content for a specific time period, and at the end of that time period, the content’s automatically released from the policy. The policy can also be locked so that no one can turn off the policy or make it less restrictive. An eDiscovery hold cannot be locked or specify a time period. Also, a preservation policy commonly has a duration of years, while an eDiscovery hold is temporary and commonly lasts only the duration of a legal case.
In addition, you can create a preservation policy without the additional steps that eDiscovery may require, such as creating cases, adding members, or doing content searches.
If you need to hold content as part of a legal or eDiscovery requirement, use an eDiscovery hold. For example, if you need to hold content in specific locations as part of a legal request, use an eDiscovery hold. In eDiscovery, the content relevant to a case is typically sensitive or privileged, so different cases can be restricted to different members. In addition, eDiscovery supports content searches that can be saved, previewed, analyzed with Advanced eDiscovery, or have the results exported.
Unlike a preservation policy, an eDiscovery hold cannot specify a time period – an eDiscovery hold is in effect until you turn it off or delete it. Also, an eDiscovery hold cannot be locked.
Thanks for your efforts, but I don´t think all of your conclusions are correct.
Afaik, If a user hard deletes an item while the box is targetted by a retention policy, that item is kept in the Recoverable items folder and more specifically in the DiscoveryHolds subfolder.
Could you please clarify in which scenario You´ve seen that the retention policy fails to retain deleted items?
Hi Tobbe,
Thank you very much for your response, and you are absolutely right. I have just tested retention policies and they do retain purged items. When I had tested this before publishing the article, it was not the case. I do not know whether something changed with the recent updates, or if my retention policy did not kick in the last time (after all, according to the Office 365 documentation it needs up to 24 hours to distribute the changes). Sorry for the confusion, I have updated the article so that it states the correct information.
I just added a hold to a user with Business Essentials (Exchange Plan 1 inside) without EOA license. Microsoft changed something, indeed.
Did it in Security & Compliance. When I check in EAC, it says that user is under one hold…
I am confused.
You are right, I have tested it, and Exchange Online Plan 1 without Exchange Online Archiving seems to support both retention policies and litigation holds. However, I was not able to find out if it is supported or if the documentation has not been updated yet. I added this piece of information to the table.
Yep. Has worked with P1 plans (or any plan including that) for a long time now. I REALLY hope they don’t stop supporting this because it is a MAJOR advantage to Office 365 and those that have compliance requirements, small staff, and even smaller budgets.
Good source of information, I like the structure. As a side note, Litigation does not necessarily require Exchange Online Plan 2 or higher, it also works with Exchange Online Plan 1 + Exchange Online archiving.
Thank you, I added your suggestion to the table.