How to prevent email deletion in Exchange for legal and compliance needs?
Litigation holds ensure that the whole mailbox content along with the original versions of modified items and deleted items are retained to comply with legal obligations. Enabling litigation hold in Office 365 helps to investigate any intentional or unintentional destruction of evidence.
Let's see how to set up litigation hold in Microsoft 365 using the Exchange admin center and PowerShell.
Place a mailbox on litigation hold using EAC
- Navigate to the Mailbox section in the Exchange admin center.
- Select the desired mailbox and go to the Others tab. Then, select the Manage litigation hold option.
- Enable the Litigation hold toggle and enter the Hold duration in the respective field. Leave the duration field blank for an indefinite hold (the mailbox will remain on litigation hold until removed).
- Enter a Note and a Web page URL to display to the user, or leave these fields empty if not needed.
- Finally, click Save to apply the hold.
Enable litigation hold for mailboxes using PowerShell
- Use the following PowerShell command with appropriate placeholders to enable litigation hold for a mailbox in the Exchange Online.
Set-Mailbox -Identity <Mailbox UPN> -LitigationHoldEnabled $true -LitigationHoldDate <MM/DD/YYYY> -LitigationHoldOwner <Hold Ownerâs Name> -LitigationHoldDuration <Hold Duration>
- To enable the litigation hold for all mailboxes, use the following command in the Exchange Online PowerShell.
Get-Mailbox -ResultSize Unlimited | ForEach-Object { Set-Mailbox -Identity $_.UserPrincipalName -LitigationHoldEnabled $true -LitigationHoldDate <MM/DD/YYYY> -LitigationHoldOwner <Hold Ownerâs Name> -LitigationHoldDuration <Hold Duration>}
Note: To enable litigation hold on a mailbox, it must be assigned with an Exchange Online P2 license.
What happens when a user deletes emails from a mailbox placed under litigation hold?
When a litigation hold is turned on for a mailbox, users can remove items from their mailbox, but those items are still retained by Microsoft 365. Admins can identify these deletions during a Microsoft 365 forensic investigation.
The following occurs when a user deletes an email from a mailbox with litigation hold enabled.
- Deleted items are moved to the âRecoverable Itemsâ folder, specifically to the 'Deletions' subfolder (not visible to users).
- If a user deletes an item from the 'Deletions' subfolder (Recoverable Items in the UI), it is moved to the 'Purges' subfolder. Items in the 'Purges' subfolder are retained until the litigation hold gets removed or the hold duration expires.