Doing eDiscovery, Litigation Hold, and Addressing Journaling in Office 365

Retaining and “journaling” content has been a key requirement of organizations for years. However, as organizations have migrated to Office 365, and with Microsoft’s shift to new and improved eDiscovery tools, the process of “holding” and “searching” for content has changed.

This article covers a whole new series of best practices that EVERY legal department, compliance officer, and content / Office 365 administrator needs to read and understand, so they can ensure Office 365 is set up properly and that, when the time comes to do eDiscovery of content, the information they are looking for has actually been held and managed for future look-up.

This document clarifies what’s included “in the box” in Office 365 with the E3 (or higher) license and the “Advanced eDiscovery” functions you get with Office 365 with the E5 license, and goes through the step-by-step procedures for setting up what is necessary to retain content, along with detailed procedures on how to query and look up information.

Basic Background

To be able to retrieve information for legal or official purposes, information must be properly retained (lawyers may say "preserved") so that the integrity of the information retrieved is valid (lawyers will request an "audit trail" to verify and authenticate the information by showing the "chain of custody" and who, and how, it was "preserved and collected"). As an example, if the Human Resources department, Legal department, or outside Legal Counsel wants to gather information, it’s not good enough to just go into a user’s mailbox and extract information because the information in a mailbox is considered “fragile.” It is fragile because a user can easily “delete” a key message, or the user can even go in using the Microsoft Outlook client and completely EDIT and CHANGE a message. If someone opens a user’s mailbox, the messages in the Outlook client can be tampered with (modified) and are NOT considered valid evidence (even if modified accidentally).

In the past with Exchange 2013, Exchange 2010, or earlier, it required specific technologies and practices to protect the messages from tampering. The old way of doing things was to enable “Journaling” and/or buy a 3rd party archiving product like Symantec Enterprise Vault, Iron Mountain / Mimosa NearPoint for Exchange, EMC EmailXtender, Zantaz EAS, or the like. The 3rd party tools required a separate server, typically a special agent to be installed on all Exchange servers and clients, and a relatively high expense to manage, maintain, and support the archiving server and services.

Replacing Journaling with Office 365 Mailbox Hold

As previously mentioned, for older email systems, organizations would commonly enable “Journaling” on their email system that effectively captured each and every email message and stored a copy of those email messages in a completely separate server or storage system. However, in Office 365 it is no longer a best practice to Journal messages, primarily because there are better ways of addressing the exact same business and legal need without having to duplicate each and every email message.

With Office 365, organizations simply enable retention on the mailbox (or mailboxes) of users for whom the organization wants a legal history of each and every message in and out of the mailbox. Many organizations enable all mailboxes for this type of hold, which in Office 365 is fine considering the organization no longer has to manage the growing storage of retained content.

AND better yet, since Office 365 includes more than just email, the same retention (and the same eDiscovery search that we’ll cover later in this article) can retain the history, state, and perform search on content stored as files in OneDrive, content stored in SharePoint Online, and Instant Message communications in Skype for Business. So when properly configured, an organization gets content retention and search across emails, files, and communications!

Say goodbye to the concept of journaling, and welcome in a better way of getting the exact same results that now spans more than just incoming and outgoing emails!

Archiving and Email Retention in Office 365

Archiving and Email Retention are related to this whole topic of Litigation Hold and eDiscovery, but address a different business need.

When email archiving became available in Exchange 2010, some mistakenly believed they must create an “Archive Mailbox” for all users to preserve data. That is not true. An Archive Mailbox creates a 2nd mailbox store for a user to move content out of their Primary mailbox and into the Archive mailbox. Back in the “old days” (prior to 2010), email servers had limits on how large their server databases could be, and thus organizations put arbitrary limits on how much email a user could store in their “primary mailbox” (6 months, 2 years, 256MB, 2GB, etc.), and when users ran out of space, they were required to delete emails.

Users not wanting to delete emails got creative and used mechanisms like “PST files” to export messages to files. However, having users with USB thumb drives and laptops full of old emails became an even bigger problem when performing eDiscovery. Archive mailboxes in Exchange provided a secondary location for users to move their content to, one that was still subject to eDiscovery search by the organization.

However, today with Office 365, each user’s primary mailbox (with an E3 or higher license) can store at least 50GB of emails, which is 20-30 times more mailbox space than most organizations even allowed just a few years ago. Since Microsoft pays for and manages storage, the need for an organization to export messages or move messages to archive mailboxes is no longer a business requirement.

And with a Microsoft Office 365 E3 license, a user can have a 2nd mailbox, called the Archive Mailbox, if needed, which effectively has an unlimited amount of storage. But again, it is not as common for organizations to have Archive mailboxes for all users, as 50GB is plenty of storage space for almost all users.

As far as eDiscovery, Litigation Hold, Retention policies, or the like are concerned, whatever is done to a user’s Primary mailbox is also applied to their Archive mailbox, so from a legal or functional basis, it doesn’t matter if a user has just a Primary mailbox, or if they have both a Primary and Archive mailbox.

Archiving for the sake of archiving into a separate mailbox is no longer the motivating factor. As such, organizations that used to have archiving policies need to rethink whether they are applicable these days.

That said though, there are reasons an organization would want users to get rid of information, but instead of setting the limit at a completely arbitrary amount (by age or by storage limit), an organization’s retention policy these days (if they implement one) really HAS to be done based on a legal requirement. This might be that tax or accounting records should be retained for 7-years, or that content deemed applicable to the Sarbanes-Oxley Act (SOX) should be retained for 7-years, or the like. But there’s no magical age or size limit that is a “best practice”. Some might argue that emails should be kept for 2-years, or emails should be removed after 6-months, but those are again typically best practices of a decade ago when organizations solely wanted to remove content to fit within the technical storage limits of the email server systems themselves.

I cover how to create effective Electronically Stored Information (ESI) policies in my book “Handling Electronically Stored Information (ESI) in the Era of the Cloud” that can be purchased in print form off Amazon.com, or downloaded for free as a PDF or Kindle/Mobi format off my company website http://www.cco.com/our-publications.htm. Applying ESI policies in Office 365 through the use of Microsoft Messaging Records Management (MRM) policies will be the topic of a future article, where I’ll get into the creation of granular policies based on content aging or keywords. For now, this article will focus solely on enabling mailbox content retention and eDiscovery search as the foundation of Litigation Hold and eDiscovery practices.

What Can be Done “In the Box” in Office 365

While an organization can continue to buy 3rd party products as well as do Journaling with Office 365 (either with a Hybrid configuration with an Exchange server on-premise, or through a 3rd party Journaling server or cloud service), the easier and better way of handling message retention and legal recovery ("collection") is to just set the proper configuration settings in Office 365.

When a user deletes a message from their mailbox, the message is not really deleted but instead moved to the Deleted Items folder and sits in the Deleted Items folder until the message is fully deleted from the Deleted Items folder. When a user deletes an item from the Deleted Items folder or empties the Deleted Items folder, the message disappears from the Deleted Items folder and it appears to be “gone”, but the message has actually just been moved to a hidden Recoverable Items folder. The Recoverable Items folder replaces the feature formerly known as the Dumpster in previous versions of Exchange. The Recoverable Items folder is hidden from the default view of Microsoft Outlook, Outlook WebApp, and other e-mail clients so the user no longer sees removed messages, but the messages are still sitting up in Office 365 for a short period of time.

Items in the Recoverable Items folder are retained for the deleted item retention period configured in Office 365. By default, the deleted item retention period is set to 14 days (or 30GB of storage, whichever comes first). While this retention period can be extended by the administrator in Exchange on-premise, the Office 365 administrator no longer has the ability to change the retention period beyond 30-days, and quite frankly with other options available in Office 365, no one needs to tinker with the retention period because there’s a better way of handling content retention (the whole focus of this article), so read on.

Enabling Litigation Hold

With Office 365, in lieu of Journaling (to retain a copy of all messages) or extension of the Retention period (longer than 14-days), the best practice is to enable mailbox In-Place Hold or Litigation Hold. This process effectively retains an immutable record of all email messages, and with In-Place / Litigation Hold placed on other Office 365 workloads like SharePoint Online, OneDrive, and Skype for Business, core content will be retained in Office 365 beyond just emails as well!

To put a Mailbox on Litigation Hold, the person making that decision needs to be part of the “Discovery Management” Role in Exchange. By default, no one in the organization, including the Office 365 Administrator, has this Discovery Management role. But the Office 365 Administrator has the permission to put users (including themselves) into this Discovery Management role.

For an individual (administrator, HR personnel, legal counsel) to be given the rights to make In-Place Hold and Litigation Hold changes to a user’s mailbox, do the following:

1. Log on to the Office 365 Admin Portal (https://portal.office.com) with a user logon that has rights to the Office 365 admin center.

2. On the left-hand side, scroll down to Admin and click on Exchange.

3. In the Exchange admin center, click on “permissions”

4. On the “admin roles” page, double-click on “Discovery Management” and under Members, click the + button and add the users you want to give rights to Discovery Management in Exchange (emails) to this list of members, then click Save.

This individual (or individuals) now have the ability to proceed with actually putting a mailbox (or mailboxes) on In-Place Hold / Litigation Hold.

To put a mailbox on Hold in Office 365, an individual you added to this Discovery Management role needs to do the following:

1. Log on to the Office 365 Admin Portal (https://portal.office.com) with a user logon that has rights to the Office 365 admin center.

2. On the left-hand side, scroll down to Admin and click on Exchange.

3. In the Exchange admin center, click on “recipients”, double-click on the user whose mailbox you want to put on hold, click on “mailbox features”, and scroll down to “Litigation hold”.

4. For the “Litigation Hold” option, click Enable, which will pop up a new window. You can choose to enter the # of days you want a mailbox to be put on hold (i.e., 365 for a year), or if you are looking to put the entire mailbox on hold indefinitely for “journaling” type of long term tracking, just leave the # of days blank and click Save.

Note: It may take upwards of an hour before Litigation Hold takes effect on a user’s mailbox. This is because the policy needs to be enacted on all messages and folders in the user’s mailbox and the policy needs to be replicated through any replica instances of Office 365. You can see the status of Litigation Hold on a user’s mailbox by going back and looking at the “Mailbox Features” and it may show Litigation Hold “Enable – Pending” when it is in the process of enabling Litigation Hold. When the mailbox is fully held, the Mailbox Features will simply show “Litigation Hold: Enabled”


To put a mailbox on Hold in Office 365 via PowerShell, an individual you added to the Discovery Management role needs to run the following PowerShell command against the Office 365 environment:
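
One way to script the role membership, the hold itself, and the status check described above in Exchange Online PowerShell. This is an added example, not the command from the original article; it assumes an already connected Exchange Online session, and the two addresses are placeholders.

```powershell
# Added example; assumes an existing Exchange Online PowerShell session
# (for instance via Connect-ExchangeOnline). Addresses are placeholders.
$Reviewer  = 'legal.reviewer@example.com'   # person who will manage holds
$Custodian = 'held.user@example.com'        # mailbox to preserve
$HoldDays  = $null                          # e.g. 365; $null = hold indefinitely

# 1. Put the reviewer in the Discovery Management role group, which has
#    no members by default. Skip the add if they are already a member.
$current = Get-RoleGroupMember -Identity 'Discovery Management' |
    ForEach-Object { [string]$_.PrimarySmtpAddress }
if ($current -notcontains $Reviewer) {
    Add-RoleGroupMember -Identity 'Discovery Management' -Member $Reviewer
}

# 2. Enable Litigation Hold. Leaving the duration out mirrors leaving the
#    "# of days" field blank in the admin center (indefinite hold).
$holdParams = @{ Identity = $Custodian; LitigationHoldEnabled = $true }
if ($HoldDays) { $holdParams.LitigationHoldDuration = $HoldDays }
Set-Mailbox @holdParams

# 3. Confirm the setting and capture who enabled it and when, which is
#    useful for the audit trail. The hold can take a while to apply.
Get-Mailbox -Identity $Custodian |
    Format-List DisplayName, LitigationHoldEnabled, LitigationHoldDuration,
                LitigationHoldDate, LitigationHoldOwner

# 4. Coverage check: list user mailboxes that are NOT on Litigation Hold,
#    for organizations whose policy is to hold every mailbox.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.LitigationHoldEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress
```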
