Time to Phase out Exchange Online Retention Policies for Office 365 Retention Policies?
Exchange mailbox retention policies were introduced in Exchange 2010. They are still a popular method to control what users can keep in both on-premises and cloud mailboxes, but as time goes by, Office 365 tenants might consider moving to Office 365 retention policies to enforce a common retention framework across all workloads.
Because Exchange mailbox retention policies are designed to process email, they offer different functionality to the general-purpose Office 365 retention policies. By their very nature, compromises exist in any policy that applies across multiple Office 365 workloads like Exchange Online, SharePoint Online, and Teams. One such compromise is the inability of users to assign personal retention tags to items.
How Exchange Makes Personal Retention Tags Available
Personal retention tags allow users to define different retention behavior for items stored outside system folders (like the Inbox). For example, you might define a retention tag to keep items for ten years and make it available to users to assign to items that they don’t want removed from their mailbox. Personal retention tags are published to users through the mailbox retention policies assigned to their mailboxes. Users can also browse available personal retention tags through the Mail section of OWA options (Figure 1) and add tags that are not included in their policy which they would like to use. When they select a personal tag, Outlook adds it to the set defined in their assigned mailbox retention policy.
But I Don’t Want People Using Personal Retention Tags
Recently I heard some people questioning why users should be able to add personal tags through OWA options. The logic here is that the organization wants to exert complete control over the retention of mailbox items and don’t want users deciding to do anything different. You might decide to follow the same course if you’re preparing to switchover to Office 365 retention policies and don’t want to confuse people when they then can’t use personal tags.
Just like mailbox retention policies, Exchange 2010 introduced role-based access control (RBAC). Each mailbox is assigned a user role assignment policy to control what options are available to the mailbox. Many tweaks can be made to user role assignment policies to control features down to individual PowerShell cmdlet parameters (all Exchange management functionality is built on top of PowerShell), but in this case all we need to do is create a new user role assignment policy and remove the retention policy option.
Go to the Permissions section of the Exchange Admin Center (EAC), select User roles, and create a new policy. Give the policy a name and then check off the different user roles you want to include in the policy. Some of the roles (like MyTextMessaging) are antique memories of a long-past time and can be excluded without affecting user functionality. To remove the ability to select personal retention tags, uncheck the MyRetentionPolicies role (Figure 2) and save the new policy.
Assign the New User Role Assignment Policy
After making sure that the settings in the new policy are correct, you can assign it to mailboxes. Do this by selecting mailboxes in EAC and assigning the policy to them (Figure 3) or with PowerShell (below).
# Assign user role assignment policy to mailbox
Set-Mailbox -Identity "Oisin Johnston" -RoleAssignmentPolicy "Restricted Retention Tags"
After assignment, wait at least fifteen minutes for OWA to refresh its settings (or sign the user out and back into OWA) before checking that the retention policies option is unavailable in OWA settings.
A lot of Exchange Online mailbox management has its roots in the on-premises mechanisms. We cover this information in two chapters in the Office 365 for IT Pros eBook, suitably updated for the cloud of course…