How to identify hold on an Exchange Online mailbox - Microsoft Purview (Compliance) (2023)

  • Article
  • 17 minutes to read

This article explains how to identify Exchange Online mailbox holds in Microsoft Purview and Microsoft 365.

Microsoft Purview offers several ways for your organization to prevent mailbox content from being permanently deleted. This allows your organization to retain content to meet compliance standards or during legal and other investigations. Here is a list of retention functions (also known asthey say) no Microsoft Purview e no Microsoft 365:

  • litigation:Holds applied to users' mailboxes in Exchange Online.

  • eDiscovery Attitude:Holds associated with a Microsoft Purview eDiscovery case (default) in the Microsoft Purview compliance portal. eDiscovery holds can be applied to user mailboxes and the corresponding mailbox for Microsoft 365 Groups and Microsoft Teams.

  • keep in place:Holds placed on users' mailboxes using the In-Place eDiscovery and Hold em toolExchange admin centerno Exchange on-line.

    Use

    In-Place Holds have been removed, and you can no longer create or apply In-Place Holds to mailboxes. However, In-Place Holds can still be applied to mailboxes in your organization, so they're included in this article. For more information, seeRetirement of legacy eDiscovery tools.

  • Microsoft Purview retention policies:It can be configured to retain (or retain and delete) content in users' mailboxes in Exchange Online and the corresponding mailbox for Microsoft 365 Groups and Microsoft Teams. You can also create a retention policy to keep Skype for Business conversations stored in users' mailboxes.

    There are two types of Microsoft Purview retention policies that can be assigned to mailboxes.

    • Site-specific retention policies:These are policies assigned to specific user content locations. you use theget mailboxCmdlet in Exchange Online PowerShell to get information about retention policies assigned to specific mailboxes. For more information about this type of retention policy, see the sectionA policy with specific inclusions or exclusionsretention policy documentation.
    • Company-wide retention policies:These are policies assigned to all content locations in your organization. you use theGet-OrganizationConfigCmdlet in Exchange Online PowerShell to get information about organization-wide retention policies. For more information about this type of retention policy, see the sectionA policy that applies to entire sitesretention policy documentation.

  • Microsoft Purview retention labels:When a user applies a Microsoft Purview retention label (one set to retain content or to retain and delete content).somefolder or item in your mailbox, the mailbox is held as if it is in litigation or assigned to a Microsoft Purview retention policy. For more information, seeIdentify mailboxes on hold because a retention label was applied to a folder or itemsection of this article.

To manage archive mailboxes, it might be necessary to identify the type of archive mailbox so that you can perform tasks such as: In these cases, the first step is to identify the mailbox retention type. And because multiple holds (and different types of holds) can be placed on a single mailbox, if you want to remove or change a hold, you must identify all the holds placed on a mailbox.

Cima

(Video) Microsoft Purview and Exchange

If you are not an E5 customer, you can try all premium Microsoft Purview features for free. Use the Purview Solutions 90-day trial to discover how Purview's robust features can help your organization meet compliance and data security requirements. Start now atMicrosoft Purview Compliance Portal Test Center. Learn details aboutRegistration and test conditions.

Step 1 - Get the GUID for holds placed on a mailbox

You can run the following two cmdlets in Exchange Online PowerShell to get the GUID of the Hold Locations placed on a mailbox. Once you obtain a GUID, use it to identify the specific hold in step 2. A Litigation Hold is not identified by a GUID. Litigation holds are enabled or disabled for a mailbox.

  • Get mailbox:Use this cmdlet to determine whether a mailbox is on Litigation Hold and to retrieve the GUIDs for eDiscovery Holds, In-Place Holds, and Microsoft Purview Hold Policies assigned to a mailbox. The output of this cmdlet also indicates whether a mailbox was specifically excluded from an organization-wide retention policy.
  • Get-OrganizationConfig:Use this cmdlet to get the GUIDs for organization-wide retention policies.

For information about connecting to Exchange Online PowerShell, seeConecte-se ao Exchange Online PowerShell.

get mailbox

Run the following command to get information about Microsoft Purview retention policies and holds applied to a mailbox.

Get-Mailbox <Benutzername> | FL LitigationHoldEnabled,InPlaceHolds

Cima

If the InPlaceHolds property contains many values ​​and not all of them are displayed, you can run theGet-Mailbox <Benutzername> | Select-Object -ExpandProperty InPlaceHoldsCommand to display each GUID on a separate line.

The following table describes how to identify different types of withholding based on the amounts inInPlaceHoldsproperty when you run theget mailboxcmdlet.

wait typesample valueThis is how the stop is recognized
litigationRIGHTLitigation hold is placed on a mailbox when theLitigationHoldEnabledproperty is definedRIGHT.
eDiscovery AttitudeUniH7d895d48-7e23-4a8d-8346-533c3beac15dDieproperty InPlaceHoldsContains the GUID of all repositories associated with an eDiscovery case in the Compliance Portal. You can tell it's an eDiscovery hold because the GUID starts with theUniHPrefix (indicating a uniform deposit).
keep in placec0ba3ce811b6432a8751430937152491
o
cld9c0a984ca74b457fbe4504bf7d3e00de		DieInPlaceHoldsThe property contains the GUID of the local hold to be placed on the mailbox. You can tell it's a local hold because the GUID doesn't have a prefix or it starts with thecldPrefix.
Microsoft Purview retention policy applied to mailboxmbxcdbbb86ce60342489bff371876e7f224:1
o
skp127d7cf1076947929bf136b7a2a8c36f:3		DieInPlaceHoldsThe property contains GUIDs for a specific site retention policy applied to the mailbox. You can identify retention policies because the GUID starts withmbxor theto jumpprefix toto jumpThe prefix indicates that the retention policy applies to Skype for Business conversations in the user's mailbox.
Excluded from an enterprise-wide Microsoft Purview retention policy-mbxe9b52bf7ab3b46a286308ecb29624696When a mailbox is deleted from an organization-wide Microsoft Purview retention policy, the GUID of the retention policy from which the mailbox is deleted is displayed in theInPlaceHoldsproperty and is identified by-mbxPrefix.

Get-OrganizationConfig

If heInPlaceHoldsThe property is empty when you run theget mailboxcmdlet, there may still be one or more Microsoft Purview retention policies applied to the organization-wide mailbox. Run the following commandExchange Online-PowerShellfor a list of organization-wide Microsoft Purview retention policy GUIDs.

Get-OrganizationConfig | FL InPlaceHolds

Cima

If the InPlaceHolds property contains many values ​​and not all of them are displayed, you can run theGet-OrganizationConfig | Select-Object -ExpandProperty InPlaceHoldsCommand to display each GUID on a separate line.

The following table describes the different types of holds across the organization and how each type can be identified by the GUIDs they contain.InPlaceHoldsproperty when you run theGet-OrganizationConfigcmdlet.

wait typesample valueDescription
Microsoft Purview retention policies applied to Exchange mailboxes, Exchange public folders, and Teams chatsmbx7cfb30345d454ac0a989ab3041051209:2Organization-wide retention policies applied to Exchange mailboxes, Exchange public folders, and 1xN chats in Microsoft Teams are identified by GUIDs that begin withmbxPrefix. Note 1xN chats are saved to each chat participant's mailbox.
Microsoft Purview retention policy applied to Microsoft 365 Groups and Teams channel messagesgrp1a0a132ee8944501a4bb6a452ec31171:3Organization-wide retention policies applied to channel messages and Microsoft 365 groups in Microsoft Teams are identified by GUIDs that begin withGroupPrefix. Alert channel messages are stored in the group mailbox associated with a Microsoft Team.

For more information about retention policies applied to Microsoft Teams, seeLearn more about Microsoft Teams retention policies.

Understand the format of the InPlaceHolds value for retention policies

In addition to the prefix (mbx, skp, or grp) that identifies an item in the InPlaceHolds property as a Microsoft Purview retention policy, the value also includes a suffix that indicates the type of retention action configured for the policy. For example, the action suffix is ​​highlighted in bold in the following examples:

skp127d7cf1076947929bf136b7a2a8c36f:1

(Video) Microsoft 365 - How to create an eDiscovery case to search, hold and export company data

mbx7cfb30345d454ac0a989ab3041051209:2

grp1a0a132ee8944501a4bb6a452ec31171:3

The following table defines the three possible retention actions:

WertDescription
1Indicates that the retention policy is set to delete items. The policy does not retain any elements.
2Indicates that the retention policy is set to retain items. The policy does not delete items after the retention period ends.
3Indicates that the retention policy is set to store items and delete them after the retention period ends.

Use

Because retention tag policies automatically publish or apply tags that apply actions at the item level, they always display an action value of 1 in the mailbox's InPlaceHolds property.

To determine whether a hold was placed on a folder or item in the mailbox, seeIdentify mailboxes on hold because a retention label was applied to a folder or item.

For more information about hold actions, seeRetain content for a specified period of timeSection.

Step 2 - Use the GUID to identify the hold

After obtaining the GUID of a hold applied to a mailbox, the next step is to use that GUID to identify the hold. The following sections show how to identify the hold name (and other information) using the hold GUID.

eDiscovery dorado

Run the following commands into identify an eDiscovery hold placed on the mailbox. Use the GUID (without the UniH prefix) for the eDiscovery store that you identified in step 1.

For information about connecting to Security and Compliance PowerShell, see.

The first command creates a variable that contains information about the retention. This variable is used in the other commands. The second command displays the name of the eDiscovery case the hold is associated with. The third command displays the name of the hold and a list of mailboxes the hold applies to.

$CaseHold = Get-CaseHoldPolicy <Hold-GUID ohne Prefix>
Get-ComplianceCase $CaseHold.CaseId | FL-Nome
$RetainedCase | FL name, exchange location

keeps in place

Run the following command in Exchange Online PowerShell to identify the In-Place Hold applied to the mailbox. Use the GUID for the local hold identified in step 1. The command displays the name of the repository and a list of mailboxes that the repository applies to.

Get-MailboxSearch -InPlaceHoldIdentity <GUAD de espera> | FL-Nombre, Quellpostfächer

If the local hold GUID starts with thecldPrefix, be sure to specify the prefix when running the above command.

Important

(Video) How Litigation Hold and Retention Hold work in Exchange Online

As we continue to invest in ways to retain mailbox content, we're announcing the removal of in-place holds in the Exchange admin center (EAC). As of July 1, 2020, you will not be able to create new In-Place Holds in Exchange Online. However, you can still manage local holds in the EAC or usingEstablecer MailboxSearchExchange Online PowerShell cmdlet. However, as of October 1, 2020, you will no longer be able to manage local hold. It will only remove them in the EAC or usingSair MailboxSearchcmdlet. For more information about removing in-place holds, seeRetirement of legacy eDiscovery tools.

Microsoft Purview retention policies

and run the following command to identify the Microsoft Purview retention policy (organization-wide or specific location) that applies to the mailbox. Use the GUID (without the mbx, skp or grp prefix or action suffix) that you identified in step 1.

Get-RetentionCompliancePolicy <retain GUID without prefix or suffix> -DistributionDetail | FL Name, *Location

Identify mailboxes on hold because a retention label was applied to a folder or item

Each time a user applies a retention label set todetainedokeep and then deleteContent for any folder or item in your mailbox thatComplianceTagHoldAppliedThe Mailbox property is set toRIGHT. In that case, the mailbox is treated the same as if it were on hold, for example when you've been assigned a Microsoft Purview retention policy or placed on hold due to litigation, but with some limitations. If heComplianceTagHoldAppliedproperty is definedRIGHT, the following things happen:

  • If the user's mailbox or Microsoft 365 account is deleted, the mailbox becomes ainactive mailbox.
  • You cannot disable the mailbox (neither the primary mailbox nor the archive mailbox if it is enabled).
  • Items deleted from the mailbox follow one of two paths, depending on whether they are checked or not:
    • unlabeled itemsit follows the same path that deleted items follow when there are no mailbox retention periods. The time it takes to remove these items permanently is determined by theRetention of Deleted Itemsconfiguration and ifSingle article recoveryenabled for the mailbox or not.
    • Tagged articlesis kept insideRecoverable Items FolderSame as applying a Microsoft Purview retention policy, but at the individual item level. When multiple items have different tags defineddetainedokeep and then deleteContent at different intervals, each item is persisted based on applied tag settings.
  • Other holds, such as Policies such as Microsoft Purview retention policies, eDiscovery holds, or litigation holds, may extend the retention period for flagged items based onretention principles.

To display the value ofComplianceTagHoldAppliedproperty for a single mailbox, run the following command onExchange Online-PowerShell:

Get-Mailbox <username> | FL TagHoldApplied Compliance

For more information about retention labels, seestorage tags.

Manage deferred hold mailboxes

After any lock is removed from a mailbox, awaiting delayIts applied. This means that the actual hold release is delayed by 30 days to prevent data from being permanently deleted (wiped) from the mailbox. This gives administrators the ability to find or recover mailbox items that are deleted after a hold is removed. A mailbox is placed on deferred hold the next time the Managed Folder Assistant processes the mailbox and determines that a hold has been removed. Specifically, a delayed hold is applied to a mailbox when the Managed Folder Assistant sets any of the following mailbox properties toRIGHT:

  • DelayHoldApplied:This property applies to email-related content (generated by people using Outlook and Outlook on the web) stored in a user's mailbox.
  • DelayReleaseHoldApplied:This property applies to cloud-based content (generated by non-Outlook apps such as Microsoft Teams, Microsoft Forms, and Microsoft Yammer) stored in a user's mailbox. Cloud data generated by a Microsoft application is usually stored in a hidden folder in the user's mailbox.

When a delay is put on hold on the mailbox (when any of the above properties are set toRIGHT), the mailbox will continue to be considered on hold for an indefinite hold period, just as if the mailbox were on Litigation Hold. After 30 days, the delay lock expires and Microsoft 365 automatically tries to remove it (using theDelayHoldAppliedoDelayReleaseHoldAppliedproperty forINCORRECT) to remove the lock. After setting one of these propertiesINCORRECT, matching items marked for deletion will be deleted the next time the mailbox is processed by the Managed Folder Assistant.

Use

If the mailbox user's account is disabled, the mailbox will not be processed by the Managed Folder Assistant and the delay lock will remain in effect after the 30 days. For more information, seeDelayed Withholding Considerations.

Run the following command to display the DelayHoldApplied and DelayReleaseHoldApplied property values ​​for a mailboxExchange Online-PowerShell.

Get-Mailbox <username> | FL *Applied Withholding*

To remove the wait delay before it expires, you can run one (or both) of the following commands in Exchange Online PowerShell, depending on which property you want to change:

Set-Mailbox <username> -RemoveDelayHoldApplied

o

Set - Mailbox <user name> - RemoveDelayReleaseHoldApplied

You must be granted the Legal Hold role in Exchange Online to use itRemoveDelayHoldAppliedoRemoveDelayReleaseHoldAppliedParameter.

Run one of the following commands in Exchange Online PowerShell to remove the hold delay for an inactive mailbox:

Set-Mailbox <DN o GUID do Exchange> -InactiveMailbox -RemoveDelayHoldApplied

o

(Video) Microsoft 365 - What NOT to do when Employees Leave!

Set-Mailbox <DN o GUID do Exchange> -InactiveMailbox -RemoveDelayReleaseHoldApplied

Cima

The best way to specify an inactive mailbox in the above command is to use its distinguished name or Exchange GUID value. Using any of these values ​​prevents you from accidentally specifying the wrong mailbox.

For more information about using these parameters to manage late retention, seeSet-Mailbox.

Delayed Withholding Considerations

When managing a mailbox on hold, keep the following in mind:

  • If heDelayHoldAppliedoDelayReleaseHoldAppliedproperty is definedRIGHTand a mailbox (or the corresponding user account) is deleted, the mailbox becomes an inactive mailbox. This is because a mailbox is considered on hold if any of its properties are set toRIGHTand deleting a queued mailbox results in an inactive mailbox. To delete a mailbox and not make it an inactive mailbox, you must set both properties toINCORRECT.
  • A mailbox is considered to be on hold indefinitely ifDelayHoldAppliedoDelayReleaseHoldAppliedproperty is definedRIGHT. However, that doesn't meananMailbox contents are preserved. This depends on the value set for each property. Suppose both properties are set toRIGHTas holds are removed from the mailbox. Then simply remove the delay applied to non-Outlook cloud data (by removing theRemoveDelayReleaseHoldAppliedParameter). The next time the Managed Folder Assistant processes the mailbox, all non-Outlook items marked for deletion will be deleted. Tombstoned Outlook items are not deleted because the DelayHoldApplied property is still set toRIGHT. The converse would also be true: ifDelayHoldAppliedis set toINCORRECTyDelayReleaseHoldAppliedis set toRIGHT, only Outlook items marked for deletion will be deleted.

How to confirm that an organization-wide retention policy is applied to a mailbox

If an organization-wide retention policy is applied or removed from a mailbox, exporting the mailbox diagnostic logs can help you ensure that the retention policy was applied or removed by Exchange Online on the mailbox . To display this information, you must first validate a few things withExchange Online-PowerShell.

Get the GUIDs for all retention policies explicitly applied to a mailbox

Get-Mailbox <Benutzername> | Select-Object -ExpandProperty InPlaceHolds

Get the GUIDs for all organization-wide retention policies applied to mailboxes

Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds

Get Mailbox Diagnostics for HoldTracking

Mailbox diagnostic logs for retention tracking maintain a history of holds placed on a user's mailbox.

$ht = Export-MailboxDiagnosticLogs <nome do usuário> -ComponentName HoldTracking$ht.MailboxLog | convertfrom-json

Use

Retention tracking logs are not available when the user account has been disabled.

Check the mailbox diagnostic log results

If you collect data from the previous step, the resulting data might look like this:

educate: 0001-01-01T00:00:00.0000000hidden: mbx7cfb30345d454ac0a989ab3041051209:1hour: 4LSD: 2020-03-23T18:24:37.1884606ZOSD: 2020-03-23T18:24:37.1884606Z

Use the following table to understand each previous value reported in the diagnostic log.

WertDescription
educateSpecifies the end date, i. h The date the retention policy was disabled. MinValue means the policy is still assigned to the mailbox.
hiddenSpecifies the GUID for the retention policy. This value maps to the GUIDs you've collected for explicit or organization-wide retention policies assigned to the mailbox.
LSDIndicates the latest start date, i. h The date the retention policy was assigned to the mailbox.
OSDIndicates the original start date, i. h The date that the retention policy information was first recorded by Exchange.

When a retention policy is no longer applied to a mailbox, the user is temporarily deferred to prevent content from being deleted. A wait delay can be disabled by runningEstablecer-Mailbox-RemoveDelayHoldAppliedDomain.

Next steps

Once you've identified the retention periods applied to a mailbox, you can perform tasks such as: For example, changing the retention period, removing the retention period temporarily or permanently, or deleting an inactive mailbox from a mailbox retention policy. Microsoft Purview. For more information about how to perform retention-related tasks, see one of the following articles:

  • execute thoseSet-RetentionCompliancePolicy -Identity <policy name> -AddExchangeLocationException <user mailbox>command into exclude a mailbox from an organization-wide Microsoft Purview retention policy. This command can only be used for retention policies where the value for theExchangeLocationequal ownershipan.
  • Change the waiting period for an inactive mailbox
  • Delete an inactive mailbox
  • Delete items in Recoverable Items folder of pending cloud-based mailboxes

Videos

1. What is Litigation Hold and How to turn ON Litigation Hold in Office 365
(The Admin 365)
2. Microsoft 365 Compliance capabilities overview
(Chorus)
3. What's the difference between Legal vs In-Hold in Microsoft 365?
(Graham Hosking)
4. eDiscovery in Microsoft 365 | How eDiscovery works | Step by Step guide to use eDiscovery in M365
(Office 365 Concepts)
5. Inactive Mailboxes - how to deal with them
(Graham Hosking)
6. Core eDiscovery in the Microsoft 365 Compliance Center
(David Dalton)

References

Top Articles
Latest Posts
Article information

Author: Rev. Porsche Oberbrunner

Last Updated: 08/29/2023

Views: 5900

Rating: 4.2 / 5 (73 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Rev. Porsche Oberbrunner

Birthday: 1994-06-25

Address: Suite 153 582 Lubowitz Walks, Port Alfredoborough, IN 72879-2838

Phone: +128413562823324

Job: IT Strategist

Hobby: Video gaming, Basketball, Web surfing, Book restoration, Jogging, Shooting, Fishing

Introduction: My name is Rev. Porsche Oberbrunner, I am a zany, graceful, talented, witty, determined, shiny, enchanting person who loves writing and wants to share my knowledge and understanding with you.