Removing Deleted Mailboxes from Security and Compliance Center Retention Policies

June 18, 2019 Don Young

The retention policies in the Security and Compliance Center of Office 365 are a great and easy way to ensure data in your tenant is being protected. It is very easy to turn on protection for ‘All’, but businesses rarely mean ‘All’. It’s usually ‘All’ with some exceptions. These exceptions are where things get a bit tricky.

As an example, let’s take a policy that handles ‘Exchange email’ only. When you apply the policy to ‘All’, having nothing show up for the ‘InPlaceHolds’ attribute on mailboxes is a good thing. In some weird twist of logic, this actually means the data in the mailbox IS being retained by the policy.

If you exclude a mailbox from one or more policies, the ‘InPlaceHolds’ attribute will show a value that starts with a minus sign (-).

Additionally, there are instances where you need to permanently delete a mailbox. (Microsoft does not make this easy but that’s for another blog). If a mailbox has a hold on it and you delete it, it becomes an ‘Inactive Mailbox’. To prevent this, you need to add the mailbox as an exclusion to the policy.
That is easy enough, but once you permanently delete the mailbox, you can no longer remove the exclusion you just added. When you try through the GUI, it looks and acts like it went away, but if you go back into the policy you will see the count has reverted and the mailbox you thought was removed is still there. Using PowerShell to try to remove it, a generic ‘Warning’ message in yellow is returned. There are two possible resolutions, depending on the scenario:

  1. This scenario will use the failure message to determine the GUID of the object that couldn’t be found. That GUID will in turn be used to remove the exclusion.
    1. Collect the ‘Distribution Results’ from the specific Retention Compliance Policy using the PS commands below:
      Get-RetentionCompliancePolicy 'NameofRetentionPolicy' -DistributionDetail | Select DistributionStatus
      1. If the result of the command above shows ‘Pending’, give it a few minutes before continuing
        $results = Get-RetentionCompliancePolicy 'NameofRetentionPolicy' -DistributionDetail | Select DistributionResults
        $results.distributionResults | Export-Csv .\results.csv -NoTypeInformation
      2. Carefully consider the results before continuing
        Example Output:
      3. To remove a single instance simply do the following:
        Set-RetentionCompliancePolicy 'NameofRetentionPolicy' -RemoveExchangeLocationException 'GUIDofRecipientNotFound' -Force
      4. To remove everything that was failing do the following:
        # Assumes the GUID is the fourth space-separated token of each failure message
        $ToBeRemoved = @()
        $results.distributionResults.resultMessage | ForEach-Object {
            $split = $_ -split ' '
            $ToBeRemoved += $split[3]
        }
        Set-RetentionCompliancePolicy 'NameofRetentionPolicy' -RemoveExchangeLocationException $ToBeRemoved -Force
  2. This scenario will use the ‘ImmutableIdentity’ of the object to remove the exclusion. In some instances, an object cannot be removed and also does not show as a failure.
    1. Collect the ‘Exchange Location Exceptions’ from the Retention Compliance Policy using the PS commands below:
      $remaining = Get-RetentionCompliancePolicy 'NameofRetentionPolicy' -DistributionDetail | Select -ExpandProperty ExchangeLocationException
      $remaining | Export-Csv .\remaining.csv -NoTypeInformation
      1. This will create a report that includes the ‘ImmutableIdentity’ for the items currently included as exclusions.
        Example Output:
    2. Carefully consider the results before continuing
      1. To remove a single item, perform the following:
        Set-RetentionCompliancePolicy 'NameofRetentionPolicy' -RemoveExchangeLocationException 'ImmutableIdentityofObject' -Force
      2. To remove ALL current exclusions, perform the following:
        Set-RetentionCompliancePolicy 'NameofRetentionPolicy' -RemoveExchangeLocationException $remaining.immutableIdentity -Force
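The two scenarios above combined into one script, as an added example that is not part of the original post: it checks the distribution status first, pulls every GUID out of the failure messages with a regex instead of relying on word position, exports both the failing identifiers and the current exclusion list for review, and then removes only the failing ones. The policy name is a placeholder, an existing Security & Compliance PowerShell session is assumed, and treating any GUID in a failure message as the unresolvable recipient is an assumption to confirm against the exported CSV.

```powershell
# Added example, not from the original post. Placeholder policy name:
$PolicyName = 'NameofRetentionPolicy'

$policy = Get-RetentionCompliancePolicy $PolicyName -DistributionDetail
if ($policy.DistributionStatus -eq 'Pending') {
    Write-Warning "Distribution for '$PolicyName' is still pending; wait a few minutes and re-run."
    return
}

# Assumption: any GUID in a failure message identifies the recipient that
# could not be resolved. Matching by pattern avoids breaking when the
# wording of the message (and therefore the token position) changes.
$guidPattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
$failing = @()
foreach ($result in $policy.DistributionResults) {
    $matches = [regex]::Matches([string]$result.ResultMessage, $guidPattern)
    foreach ($m in $matches) { $failing += $m.Value }
}
$failing = @($failing | Select-Object -Unique)

# Export both views for review before anything is changed:
# scenario 1 (failing GUIDs) and scenario 2 (all current exclusions).
$failing | ForEach-Object { [pscustomobject]@{ FailingGuid = $_ } } |
    Export-Csv .\failing.csv -NoTypeInformation
$policy.ExchangeLocationException |
    Export-Csv .\remaining.csv -NoTypeInformation

if ($failing.Count -eq 0) {
    Write-Host "No failing exclusions found; inspect remaining.csv and remove by ImmutableIdentity if needed."
    return
}

Write-Host "About to remove $($failing.Count) exclusion(s) from '$PolicyName':"
$failing | ForEach-Object { Write-Host "  $_" }
$answer = Read-Host "Type REMOVE to continue"
if ($answer -ceq 'REMOVE') {
    Set-RetentionCompliancePolicy $PolicyName -RemoveExchangeLocationException $failing -Force
}
```

Re-run `Get-RetentionCompliancePolicy $PolicyName -DistributionDetail` afterwards and confirm the count in the policy has actually dropped, since the GUI can report a removal that did not stick.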

This is something to consider when using the “All” policy in the Security and Compliance Center in Office 365. It can be tricky removing deleted mailboxes, and these are the workarounds which will help.
