“What happens if you place an Exchange mailbox on legal hold that also has a retention policy applied to it – does the retention policy conflict with the legal hold?” this was a question posed to me on a recent training course. To answer this, we’ll look at the function of each technology and also how they interact.
A retention policy can take one of three actions on an email:
- Move to archive mailbox
- Soft delete
- Hard delete
The purpose of placing a mailbox on legal hold is to have email data preserved immutably. Once a mailbox is placed on legal hold, the user can still make changes and delete items, but unaltered copies are preserved and available to an eDiscovery search. The mechanisms that achieve this work, in part, because there are areas of a user’s mailbox they cannot access. Each Exchange mailbox has a Recoverable Items folder, which contains the following four sub-folders:
- Deletions folder: this holds emails deleted by the user from their Deleted Items folder. The mailbox user can recover items from this folder.
- Purges folder: this holds emails purged from the Deleted Items folder by the user. The email server runs a schedule that removes messages from this folder. However, when you place a mailbox on legal hold, items are not purged from this folder.
- Versions folder: for a mailbox on legal hold, when a user or process changes specific properties of a mailbox item, a copy of the original item is placed in this folder before the change is committed. These copies remain in this folder until the hold is removed.
- Discovery Holds folder: if a user is placed on in-place hold, deleted items are moved to this folder.
The mailbox user has no access to Purges, Versions, or Discovery Holds folders. The Microsoft article here provides further details on the mechanisms involved.
To answer the original question: When a mailbox is placed on legal hold, any associated archive mailbox is also placed on hold. Therefore, if a retention policy moves an email to the user’s archive mailbox, the protection provided by the legal hold is still in place.
If a retention policy soft deletes an email, it is moved to the Deletions folder described above. In the case of a hard delete by the retention policy, the email is moved to the Purges folder, where it is inaccessible to the user. For both types of deletion by a retention policy, the protection provided by the legal hold is still in place, as the email is both unchanged and still accessible to an eDiscovery search.
As the above scenarios cover all the actions that a retention policy can take, we can conclude that there is not a conflict between retention policies and the implementation of legal hold.