Enable Exchange Online Archive Mailboxes and Archive Policies for all users – part 1


An in-depth yet accessible guide on how to configure and enable archive mailboxes, archive policies in Office 365. Whilst we are at it we will also increase the recoverable items time from 14 to the maximum of 30 days. Currently, this has to be done in the Exchange Admin Center (EAC) and PowerShell and not the Security & Compliance Center (at the time of writing).

This article assumes that you have relatively straightforward requirements, i.e. you need to apply the same archive settings to all users. Also note that this configuration is separate to any retention policies that you may have set in the Security & Compliance Center, and can be used in conjunction with those. For example, if you set a retention policy to keep all email data for 6 years for compliance reasons, even though users will not be able to see items once the Exchange retention period has passed, compliance administrators will still be able to find the emails.

If you follow this guide you will end up with the following functionality:

      • All users will have an archive policy which moves email to their archive mailbox after 6 months.
      • Items will be kept in deleted items for 30 days, after which they will be moved to recoverable delete items.
      • Recoverable deleted items will be available for an additional 30 days.

Prerequisites

You need to have mailboxes in Office 365/Exchange Online, as well as E3 or Exchange Online Plan 2 licenses in order to take advantage of archive mailboxes.

Background

Firstly, you need a basic level of understanding of retention tags and policies in Exchange. These were introduced in Exchange 2010 as a way of automatically tagging emails and applying actions based on those tags, as well as allowing users to tag their own emails from a set of pre-configured personal tags.

The following principles apply to retention policies and tags:

      1. Retention policies are set per mailbox
      2. You can only have one retention policy per mailbox. However, the policy can have multiple tags.
      3. An item can only have one retention tag applied at a time. If there are conflicts, the longest retention period will take priority.
      4. Retention tags are only applied to items that are younger than the retention period. i.e. if you create a 30-day archive policy, items younger than this will be tagged and then archived after 30 days old, items which were already over 30 days old will not be affected.

Out of the box, there are a number of default tags, and also a Default MRM Policy.

[screenshot]

In Exchange Online, the Default MRM Policy is applied to every user as above, and it already has many tags set. This may be confusing, since it looks as though all of these settings are already in place: the policy contains all of the tags below. Navigate to Exchange Online > Compliance Management > Retention Policies:

[screenshot]

The tag details are shown on the Tags tab:

[screenshot]

However, all the tags which show Personal do not do anything by default. These are available to users to use if they wish via Outlook, using the Assign Policy button (as long as this has not been removed via Group Policy).

[screenshot]

If you create a new tag you can see what the tag types actually do. Only Default and folder tags automatically process emails on their behalf.

Tags can be the following types:

      • Applied to the entire mailbox (default) – deletion, retention, and archive
      • Applied to default folders – deletion and retention only
      • Personal (applied by users) – deletion and retention only

[screenshot]

So in the list of default tags in the Default MRM Policy, only Default 2 year move to archive, Deleted Items, and Junk Email do anything automatically for users' mailboxes. Of course, you may not want these settings.

Create and apply Retention Tags and Retention Policies

So if you want to change the archiving policy, or create your own, there are 2 approaches:

      1. Edit the Default MRM Policy to suit your requirements by modifying the tags. This is already applied to all users.
      2. Create your own policy, apply it to existing users, and then change the mailbox plan to apply to future mailboxes.

We are going to go with the first approach since it requires fewer steps.

For the second method, follow this until the end and then click on the link at the end for Part 2. Don’t rename the default policy.

The Default MRM Policy will be applied to any existing users, and will also apply to all new users. The advantage of using this is that you will never have to worry that the policy is not applied to some users since it will automatically apply to every user. So this is one less thing for your service desk to do when they create users, and therefore less chance of something going wrong and users not being compliant with your policy. For this reason, I would recommend editing the default policy. You can also rename it without any issues.

The other option you have is what to do about the personal tags. This is one of those features that I have never seen anyone use. Who on earth is going to tag an email because they want it to be deleted in 1 week? Either an email is deleted or kept at the time of reading. There is no harm in leaving them, but it does make the policy somewhat confusing to look at. So I recommend making a note of the default policies and then deleting any personal policy. You could export the config to a CSV file first, as shown in the backup step below.

So let’s go ahead and modify the tags to suit your needs. As with many things in Office 365, this can be done using the portal or PowerShell, so we’ll cover both.

Delete existing tags

Delete any personal tags using the portal, or with PowerShell. First, connect to Exchange Online using PowerShell – see here for a quick guide: https://cloudrun.co.uk/powershell/connecting-to-office-365-using-powershell/

Backup the current policies and tags

Before deleting anything, let’s take a note of the Retention Policies and Tags in case we ever need them.

# Export-Csv writes a real CSV file; Format-Table output piped to Out-File does not
Get-RetentionPolicy | Select-Object Name,@{n='RetentionPolicyTagLinks';e={$_.RetentionPolicyTagLinks -join ';'}} | Export-Csv c:\temp\retention_policies.csv -NoTypeInformation

Get-RetentionPolicyTag | Select-Object Name,Type,RetentionAction,AgeLimitForRetention,Comment `
| Export-Csv c:\temp\retention_policy_tags.csv -NoTypeInformation

Delete the personal tags

Get-RetentionPolicyTag -Types Personal | Remove-RetentionPolicyTag

Confirm
Are you sure you want to perform this action?
Removing the retention policy tag named "Never Delete". This will remove the tag from all mailbox items which have this tag applied, but will not delete the items.
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"):

Now you are left with just 3 tags: a default archive tag, a deleted items tag, and a junk email tag. If you are using an external email filtering service, you may not need the junk email tag, so I would delete that as well. You will end up with just 3, which makes it a lot easier to see what is going on:

[screenshot]

Delete the RecoverableItems tag

There is one extra tag which is not visible in the web admin console, so this has to be done using PowerShell. If you list the tags with PowerShell you will see the RecoverableItems tag:

Get-RetentionPolicyTag | ft -auto

Name                                      Type             Description
----                                      ----             -----------
Recoverable Items 14 days move to archive RecoverableItems Managed Content Settings
Junk Email                                JunkEmail        Managed Content Settings
Deleted Items                             DeletedItems     Managed Content Settings
Default 2 year move to archive            All              Managed Content Settings

I am not sure of the point of this Recoverable Items 14 days move to archive tag, but it is included in the Default MRM Policy. The archive has a separate recoverable items folder and therefore this could cause some confusion, even if the recoverable items age is increased from 14 days, users won’t be able to see them. I therefore recommend removing this:

Remove-RetentionPolicyTag -Identity "Recoverable Items 14 days move to archive"

Modify the Retention Tags

You could create any extra tags you need for the default policy at this point. If you are happy with the tags you have left, we can then modify them as required.

First, check the retention age settings:

Get-RetentionPolicyTag | fl Name,AgeLimitForRetention

Next, edit the archive policy, changing the name and the retention period:

[screenshot]

Using PowerShell:

# 183 days is roughly 6 months
Set-RetentionPolicyTag "Default 2 year move to archive" -Name "6 months move to archive" -AgeLimitForRetention 183

Modify the deleted items tag:

# Set-RetentionPolicyTag changes the tag; Get-RetentionPolicyTag has no -AgeLimitForRetention parameter
Set-RetentionPolicyTag -Identity "Deleted Items" -AgeLimitForRetention 30

Delete the Junk email tag if you don’t want it or modify as above:

Remove-RetentionPolicyTag -Identity "Junk Email"

-or-

Set-RetentionPolicyTag -Identity "Junk Email" -AgeLimitForRetention 30

Now you have a policy that suits your requirements, and it is already applied to all users since it is the Default MRM Policy. Next we just need to enable the archive mailbox for users.
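The tag changes above are shown as individual commands. The script below is an added example, not code from the original post, that carries out the whole sequence (backup, remove personal and RecoverableItems tags, rename and re-age the archive tag, fix Deleted Items, delete or keep Junk Email) in one pass and is safe to re-run, since every step first checks whether it has already been done. It assumes an existing Exchange Online PowerShell session; the variable names, the backup path and the $keepJunkTag switch are this example's own choices, while the tag names and ages are the ones used in this article.

```powershell
# Added example (not from the original post): reconfigure the Default MRM Policy tags idempotently.
# Assumes you are already connected to Exchange Online PowerShell.
$archiveTagOldName = 'Default 2 year move to archive'
$archiveTagName    = '6 months move to archive'
$archiveDays       = 183
$deletedItemsDays  = 30
$keepJunkTag       = $false   # $true keeps the Junk Email tag and age-limits it instead of deleting it

# 1. Back up every policy and tag to real CSV files before touching anything
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
Get-RetentionPolicy |
    Select-Object Name, @{n = 'Tags'; e = { $_.RetentionPolicyTagLinks -join ';' }} |
    Export-Csv "C:\temp\retention_policies_$stamp.csv" -NoTypeInformation
Get-RetentionPolicyTag |
    Select-Object Name, Type, RetentionAction, AgeLimitForRetention, Comment |
    Export-Csv "C:\temp\retention_policy_tags_$stamp.csv" -NoTypeInformation

# 2. Remove the Personal tags and the hidden RecoverableItems tag.
#    Get-RetentionPolicyTag returns nothing for types that are already gone, so re-runs are harmless.
Get-RetentionPolicyTag -Types Personal, RecoverableItems |
    Remove-RetentionPolicyTag -Confirm:$false

# 3. Rename and re-age the archive tag; if an earlier run already renamed it, find it by the new name
$archiveTag = Get-RetentionPolicyTag -Identity $archiveTagOldName -ErrorAction SilentlyContinue
if (-not $archiveTag) {
    $archiveTag = Get-RetentionPolicyTag -Identity $archiveTagName -ErrorAction Stop
}
Set-RetentionPolicyTag -Identity $archiveTag.Identity -Name $archiveTagName -AgeLimitForRetention $archiveDays

# 4. Deleted Items to 30 days, then either keep or delete the Junk Email tag
Set-RetentionPolicyTag -Identity 'Deleted Items' -AgeLimitForRetention $deletedItemsDays
$junkTag = Get-RetentionPolicyTag -Identity 'Junk Email' -ErrorAction SilentlyContinue
if ($junkTag -and $keepJunkTag) {
    Set-RetentionPolicyTag -Identity $junkTag.Identity -AgeLimitForRetention $deletedItemsDays
} elseif ($junkTag) {
    Remove-RetentionPolicyTag -Identity $junkTag.Identity -Confirm:$false
}

# 5. Show what is left and confirm the remaining tags are still linked to the default policy
Get-RetentionPolicyTag | Format-Table Name, Type, RetentionAction, AgeLimitForRetention -AutoSize
(Get-RetentionPolicy -Identity 'Default MRM Policy').RetentionPolicyTagLinks
```

The final two lines are the check worth keeping: after any tag deletion, the RetentionPolicyTagLinks list on the Default MRM Policy should contain exactly the tags you expect and nothing that no longer exists.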

Enable archive mailboxes

Use a script similar to below on a regular basis to enable archive mailboxes for users:

For cloud only accounts:

# -ResultSize Unlimited avoids the default 1000-mailbox limit in larger tenants
Get-Mailbox -ResultSize Unlimited -Filter {ArchiveStatus -Eq "None" -AND RecipientTypeDetails -eq "UserMailbox"} | Enable-Mailbox -Archive

For hybrid accounts synced from on-premises AD, you need to use the on-premises Exchange PowerShell console:

# Remote (cloud) mailboxes are returned by Get-RemoteMailbox on-premises, not Get-Mailbox
Get-RemoteMailbox -ResultSize Unlimited | Enable-RemoteMailbox -Archive

Get everyone with no archive:

Get-Mailbox * | Where-Object {$_.ArchiveStatus -eq "None"} | select UserPrincipalName,ArchiveStatus | ft -wrap

Get the archive status for all users:

Get-Mailbox * | select UserPrincipalName,ArchiveStatus | ft -wrap

Export a CSV with the archive status for all users:

Get-Mailbox * -ResultSize Unlimited | select Name,UserPrincipalName,ArchiveStatus | Export-Csv c:\temp\archive.csv -NoTypeInformation

Set the recoverable items time

The other thing which needs setting is the deleted items recovery time. This is a per-mailbox setting, and it is not currently possible to create a policy which will set this for all users. So you will need to run this script periodically, or as part of your joiners process (or both).

Check the setting for all users:

Get-Mailbox | ft Name,RetainDeletedItemsFor

Increase to the maximum of 30 days for all users:

Get-Mailbox | Set-Mailbox -RetainDeletedItemsFor 30

We can also change the mailbox plan so that we don’t need to do this again, all new users will inherit this setting. First, check your mailbox plans:

# ft rather than fl, since the output below is a table
Get-MailboxPlan | ft Name,IsDefault

Name                                                          IsDefault
----                                                          ---------
ExchangeOnlineEnterprise-4e092a37-86b6-4515-89cf-aaac3ff03c35      True
ExchangeOnlineEssentials-c8d28329-b18a-428b-addd-aaa08df9c3b6     False
ExchangeOnline-6f05d9da-2049-4370-8dfb-aaaf049e3add               False
ExchangeOnlineDeskless-78ce0cad-247c-495d-b735-aaa46093da0c       False

You can see that the ExchangeOnlineEnterprise plan is the default and the one that we want to change. Check the current value:

Get-MailboxPlan -Identity ExchangeOnlineEnterprise* | fl Name,RetainDeletedItemsFor

Name                  : ExchangeOnlineEnterprise-4e092a37-86b6-4515-89cf-2b2c3ff03c35
RetainDeletedItemsFor : 14.00:00:00

Now change the setting:

Get-MailboxPlan -Identity ExchangeOnlineEnterprise* | Set-MailboxPlan -RetainDeletedItemsFor 30

Now you can use the previous command to check whether the setting has applied. An interesting point to note here is that if you do Get-MailboxPlan -Identity ExchangeOnlineEnterprise* |fl Name,Retention* you will see that the default retention policy is blank, even though it is setting the Default MRM Policy for all new mailboxes.

Note that mailbox plans only apply to new mailboxes at the time of creation.
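Because both the archive mailbox and the RetainDeletedItemsFor value are per-mailbox settings that have to be revisited as users join, the one-liners above are best run as a single audit-and-fix script. The following is an added example, not code from the original post: it walks every cloud user mailbox, records the current state of both settings, corrects whichever is out of line, and writes a CSV report. It assumes an Exchange Online PowerShell session and cloud-only mailboxes (hybrid users need Enable-RemoteMailbox on-premises, as described above); the -WhatIf switch, the report path and the variable names are this example's own.

```powershell
# Added example (not from the original post): audit and remediate archive status and
# RetainDeletedItemsFor for every user mailbox. Save as a .ps1 and run it from an existing
# Exchange Online PowerShell session. Run with -WhatIf to report without changing anything.
param(
    [switch]$WhatIf,
    [string]$ReportPath = "C:\temp\archive_audit_$(Get-Date -Format yyyyMMdd).csv"
)

$targetRetain = New-TimeSpan -Days 30      # 30 days is the Exchange Online maximum

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$report = foreach ($mbx in $mailboxes) {
    # RetainDeletedItemsFor arrives as a string such as "14.00:00:00" over remote PowerShell,
    # so cast it before comparing
    $currentRetain = [TimeSpan]$mbx.RetainDeletedItemsFor
    $needsArchive  = $mbx.ArchiveStatus -eq 'None'
    $needsRetain   = $currentRetain -lt $targetRetain

    if ($needsArchive -and -not $WhatIf) {
        Enable-Mailbox -Identity $mbx.Identity -Archive | Out-Null
    }
    if ($needsRetain -and -not $WhatIf) {
        Set-Mailbox -Identity $mbx.Identity -RetainDeletedItemsFor $targetRetain
    }

    [pscustomobject]@{
        UserPrincipalName     = $mbx.UserPrincipalName
        ArchiveStatusBefore   = $mbx.ArchiveStatus
        RetainDeletedItemsFor = $currentRetain
        ArchiveEnabledNow     = ($needsArchive -and -not $WhatIf)
        RetainRaisedNow       = ($needsRetain -and -not $WhatIf)
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation

# Summarise only the mailboxes that were (or would be) changed
$report |
    Where-Object { $_.ArchiveStatusBefore -eq 'None' -or $_.RetainDeletedItemsFor -lt $targetRetain } |
    Format-Table -AutoSize
```

Running it with -WhatIf first gives you the list of non-compliant mailboxes before anything is changed, and the CSV is the evidence you can hand to whoever owns the retention requirement.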

Hit up Paul Cunningham’s excellent blog here for more details on mailbox plans: https://practical365.com/exchange-online/controlling-exchange-online-mailbox-features-mailbox-plans/

Now, you have 2 options with regards to the policies as already mentioned:

  1. Continue to use the Default MRM Policy and optionally rename it
  2. Create a new policy, see part 2 of this post here.

Rename the default Retention Policy

Now we can rename the default policy either using the console or PowerShell:

Get-RetentionPolicy -Identity "Default MRM Policy" | Set-RetentionPolicy -Name "Cloudrun All Users MRM Policy"

Start processing emails

You can either wait some time for Exchange to start processing your rules, or do it now for all users; this has to be done in a loop rather than piped:

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Pass the mailbox identity explicitly; the parameter name must use a plain hyphen
foreach ($mailbox in $mailboxes) { $mailbox.Name; Start-ManagedFolderAssistant -Identity $mailbox.Identity }

Note that this command will often result in errors, if so just wait or run it again several times. This is a known issue, see https://answers.microsoft.com/en-us/msoffice/forum/all/rpc-error-when-using-powershell-command-start/4ab08cca-7215-4295-90e5-85c2fa584e93
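Rather than re-running the whole loop by hand when some mailboxes hit the transient error mentioned above, the loop can keep track of which mailboxes failed and retry just those. The following is an added example, not code from the original post: it assumes an Exchange Online PowerShell session, and the attempt count and delay are arbitrary values chosen for the example.

```powershell
# Added example (not from the original post): run the Managed Folder Assistant for every
# user mailbox, retrying only the mailboxes whose call failed.
$maxAttempts  = 3
$delaySeconds = 30

$pending = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object -ExpandProperty PrimarySmtpAddress)
$failed = @()

for ($attempt = 1; $attempt -le $maxAttempts -and $pending.Count -gt 0; $attempt++) {
    Write-Host "Attempt ${attempt}: $($pending.Count) mailbox(es) to process"
    $failed = @()
    foreach ($address in $pending) {
        try {
            # -ErrorAction Stop turns the RPC error into a catchable exception
            Start-ManagedFolderAssistant -Identity $address -ErrorAction Stop
        } catch {
            Write-Warning "$address failed: $($_.Exception.Message)"
            $failed += $address
        }
    }
    $pending = $failed
    if ($pending.Count -gt 0 -and $attempt -lt $maxAttempts) {
        Start-Sleep -Seconds $delaySeconds
    }
}

if ($pending.Count -gt 0) {
    Write-Warning "Still failing after $maxAttempts attempts:`n$($pending -join "`n")"
}
```

The list that is still pending at the end is the only thing you need to look at afterwards; everything else has been started successfully.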

There’s more information here:

https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-an-archive-and-deletion-policy-for-mailboxes
