Removing on-hold items from Exchange and SharePoint: unsupported but doable

The usual reason for placing a mailbox on hold is to retain its contents for some legal or regulatory purpose. However, the situation might arise when it is necessary to remove some items from a mailbox that is on hold. For instance, someone might successfully sue your company to demand the removal of all information pertaining to them or some particular activity. If ordered to permanently remove the material, there is little you can do but comply.

Neither Exchange on-premises (2010, 2013, or 2016) nor Office 365 offer the ability to selectively delete items contained in on-hold mailboxes. This is by design and is not a limitation because the compliance features of Exchange and SharePoint are designed to make information immutable (cannot be modified after creation) when required. Ensuring that users cannot interfere with messages or documents after these data have been put on hold is a critical part of creating a solid compliance framework.

That being said, it is possible to create a selective and short-term release of the hold to allow items to be removed by executing a number of steps in strict order. As always when dealing with operations that remove data belonging to users, you should run the process in a test environment before attempting to delete information from a production tenant. In addition, you must take care that the steps you take are documented (insofar as is possible) and will stand up in court to prove that only the targeted information was removed and that all other information was preserved.

Clearly, this is an activity that you want to undertake with the support of your company’s HR and legal departments, preferably in the form of an authorization that lays out the reason why the data is being removed and the characteristics of the items (subject, date, author, terms contained in the body, and so on). The authorization should also provide details of the repositories to be searched (user mailboxes, shared mailboxes, SharePoint sites, etc.).

Follow this process to remove items from a mailbox that is on legal hold or subject to an in-place hold:

  1. Ensure that no clients are connected to the mailbox. You might need to lock the user out of their account temporarily to prove that they did not have the means to remove information while the legal/in-place hold is released. Exchange 2010 only supports legal (or litigation) holds; Exchange 2013, Exchange 2016, and Exchange Online support in-place holds too, as do SharePoint 2013 and SharePoint Online.

  2. Put the mailbox on retention hold to prevent the Managed Folder Assistant (MFA) processing it and removing items (according to the retention policy assigned to the mailbox) after the legal/in-place hold is released. See the important note below about MFA processing.

  3. Ensure that mailbox auditing is enabled for the mailbox. Auditing is enabled by running the Set-Mailbox cmdlet. For instance:

    Set-Mailbox -Identity "TRedmond" -AuditEnabled $True

  4. Remove the legal/in-place holds that apply to the mailbox. A legal hold is easily removed by running Set-Mailbox to set the LitigationHoldEnabled parameter to $False. Removing the in-place holds requires you to identify the holds that apply to a mailbox (easily done by viewing mailbox properties from EAC) and then editing the underpinning searches to remove the mailbox from the set of search queries. An example of a mailbox with five holds is shown in the screen shot below. Two of these holds (the ones identified by GUIDs rather than human-friendly text) belong to holds managed by the SharePoint eDiscovery Center. Tracking down which searches these holds relate to can be tiresome.

  5. Use the Search-Mailbox cmdlet or create a search in the Office 365 Compliance Center to locate the items that you want to remove from the mailbox. When you are happy that the search is accurate and only finds the desired items, you can use the purge capability available in both Search-Mailbox (for both on-premises and cloud platforms) and Compliance Center searches (only available in Office 365 - and not yet available to all tenants) to remove the items.

  6. Reinstate the original hold on the mailbox and then remove the retention hold placed in step 2.

  7. Create an auditing report to prove what happened to the mailbox (this article provides some guidance).
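The seven steps above, strung together as one Exchange Management Shell / Exchange Online PowerShell script. This is an added example, not code from the original article: the mailbox alias, the evidence mailbox and folder, the operator name, the search query, and the way in-place hold source lists are matched are assumptions to adjust to your environment and to the signed authorization. Run the MFA timing check described later in the article before starting.

```powershell
# Added example (not from the original article). Placeholders: replace before use.
$Mailbox     = "TRedmond"                 # mailbox named in the authorization
$Operator    = "ComplianceAdmin"          # account running this script
$EvidenceMbx = "Compliance Searches"      # mailbox that receives search logs/copies
$CaseFolder  = "Case-PLACEHOLDER"         # folder in the evidence mailbox
$Query       = 'Subject:"Rea*" Body:"Horrible*" Sent:"06/27/2015" attachment:Horrible.XLS'
$Started     = Get-Date                   # bounds the audit report in step 7

# Pre-flight: Search-Mailbox -DeleteContent needs the "Mailbox Import Export" RBAC role.
$eligible = Get-ManagementRoleAssignment -Role "Mailbox Import Export" -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $Operator }
if (-not $eligible) { throw "$Operator does not hold Mailbox Import Export; stop here." }

# Step 1: lock the user out. Save the current protocol settings so they can be restored.
$cas = Get-CASMailbox -Identity $Mailbox
Set-CASMailbox -Identity $Mailbox -MAPIEnabled $false -OWAEnabled $false -ActiveSyncEnabled $false `
    -EwsEnabled $false -ImapEnabled $false -PopEnabled $false

# Step 2: retention hold stops the MFA applying the retention policy once the hold is lifted.
Set-Mailbox -Identity $Mailbox -RetentionHoldEnabled $true

# Step 3: make sure admin deletes (which is what Search-Mailbox performs) are audited.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true -AuditAdmin @{Add = "SoftDelete", "HardDelete"}

# Step 4: record the holds that exist, then release them.
$mbx = Get-Mailbox -Identity $Mailbox
$holdsBefore = $mbx | Select-Object LitigationHoldEnabled, InPlaceHolds   # keep for the report
if ($mbx.LitigationHoldEnabled) { Set-Mailbox -Identity $Mailbox -LitigationHoldEnabled $false }
$releasedHolds = @()
foreach ($holdId in $mbx.InPlaceHolds) {
    $search = Get-MailboxSearch -InPlaceHoldIdentity $holdId
    if ($null -eq $search) {
        # GUID-only holds not known to Exchange are typically SharePoint eDiscovery Center holds.
        Write-Warning "Hold $holdId is not an Exchange in-place hold; release it from its own console."
        continue
    }
    # Assumption: SourceMailboxes entries render as names or DNs of the mailbox; verify in your org.
    $remaining = @($search.SourceMailboxes | Where-Object {
        $_.ToString() -ne $mbx.Name -and $_.ToString() -ne $mbx.DistinguishedName })
    if ($remaining.Count -eq 0) {
        Write-Warning "$($search.Name) would have no sources left; handle it manually."
        continue
    }
    Set-MailboxSearch -Identity $search.Name -SourceMailboxes $remaining
    $releasedHolds += $search.Name
}

# Step 5: log-only run first, review the log in the evidence mailbox, then purge.
Search-Mailbox -Identity $Mailbox -SearchQuery $Query -TargetMailbox $EvidenceMbx `
    -TargetFolder $CaseFolder -LogOnly -LogLevel Full
Read-Host "Review the log in $EvidenceMbx\$CaseFolder, then press Enter to purge (Ctrl+C aborts)"
# With -TargetMailbox present, a copy of each deleted item is placed in the evidence mailbox.
# If the order forbids keeping any copy, drop -TargetMailbox/-TargetFolder from this call.
Search-Mailbox -Identity $Mailbox -SearchQuery $Query -TargetMailbox $EvidenceMbx `
    -TargetFolder $CaseFolder -DeleteContent     # prompts for confirmation before deleting

# Step 6: reinstate the holds, then lift the retention hold and restore client access.
foreach ($name in $releasedHolds) {
    $current = @((Get-MailboxSearch -Identity $name).SourceMailboxes)
    Set-MailboxSearch -Identity $name -SourceMailboxes ($current + $Mailbox)
}
if ($holdsBefore.LitigationHoldEnabled) { Set-Mailbox -Identity $Mailbox -LitigationHoldEnabled $true }
Set-Mailbox -Identity $Mailbox -RetentionHoldEnabled $false
Set-CASMailbox -Identity $Mailbox -MAPIEnabled $cas.MAPIEnabled -OWAEnabled $cas.OWAEnabled `
    -ActiveSyncEnabled $cas.ActiveSyncEnabled -EwsEnabled $cas.EwsEnabled `
    -ImapEnabled $cas.ImapEnabled -PopEnabled $cas.PopEnabled

# Step 7: export the admin delete operations performed during this window as the evidence report.
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin -StartDate $Started -EndDate (Get-Date) -ShowDetails |
    Where-Object { $_.Operation -eq "HardDelete" -or $_.Operation -eq "SoftDelete" } |
    Select-Object LastAccessed, Operation, LogonUserDisplayName, ItemSubject, FolderPathName |
    Export-Csv -Path ".\$Mailbox-purge-audit.csv" -NoTypeInformation
```

The script deliberately keeps the interactive confirmation that Search-Mailbox issues for DeleteContent and adds a pause after the log-only pass, so the purge never runs on an unreviewed query. The saved $holdsBefore object and the exported CSV are the two artifacts to attach to the case file alongside the authorization.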

An example of the Search-Mailbox cmdlet in action is shown below. In this case, we search one mailbox to look for messages that have “Rea” in the subject field, were sent from a particular address, contain the text “Horrible” in the message body, sent on a particular date, and contain a certain XLS attachment (this search query is formatted in KQL syntax and applies to Exchange 2013, Exchange 2016, and Exchange Online). This search only logs what is found in the specified folder in the target mailbox.

Search-Mailbox -Identity TRedmond -SearchQuery {Subject:"Rea*" From:"[email protected]" Body:"Horrible*" Sent:"06/27/2015" attachment:Horrible.XLS} -TargetMailbox "Compliance Searches" -TargetFolder "Search" -LogOnly -LogLevel Full

When you’re happy with the search results, you remove the LogOnly and LogLevel parameters and replace them with the DeleteContent parameter. You’ll be asked to confirm that the deletion should go ahead before Search-Mailbox will proceed. Only users who hold the RBAC “Mailbox Import Export” role are allowed to delete items using Search-Mailbox. Note that the Office 365 Compliance Center uses a completely different set of permissions to the RBAC management roles used to manage Exchange Online. You need to be a member of the Compliance Center Organization Management or Discovery Manager role groups to be able to remove items using a Compliance Center search.

MFA processing: When you place a retention hold on a mailbox, it prevents MFA processing the retention policy that's applied to the mailbox. However, MFA still removes items in the Recoverable Items folder that are past their deleted items retention period and so might remove on-hold items that you want to retain. As described in this article, in an on-premises environment, you can prevent this happening by halting MFA processing on the server where the database holding the mailbox is currently active. Administrators can't control MFA processing within Exchange Online and the possibility therefore exists that MFA might process the mailbox while you are searching for and removing the target items. As the work cycle that controls MFA causes it to process mailboxes daily, you can minimize the possibility that it will interfere with your work by executing the steps described above soon after MFA processes the source mailbox(es). You can force MFA to process a mailbox by running the Start-ManagedFolderAssistant cmdlet. Leave the mailbox alone for a few minutes to allow MFA to complete and then check the ElcLastRunSuccessTimeStamp on the mailbox as described in this article. When you are happy that MFA has successfully processed the mailbox (the last run date is soon after the time you started MFA), you can proceed with the steps to remove on-hold items.
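The timing check just described, as an added example (not code from the article): kick MFA off for the mailbox, then poll the ELC timestamp exposed by Export-MailboxDiagnosticLogs until it moves. The mailbox alias and the timeout are placeholders, and the wildcard used to find the timestamp property is an assumption made because the property name varies slightly between Exchange builds.

```powershell
# Added example (not from the original article). Requires Exchange 2013+/Exchange Online.
$Mailbox        = "TRedmond"   # placeholder
$TimeoutMinutes = 30           # how long to wait for MFA before giving up

function Get-ElcLastSuccess {
    # Returns the raw ELC "last success" timestamp string from the mailbox diagnostic log,
    # or $null if MFA has never completed a run for this mailbox.
    param([string]$Identity)
    $log = Export-MailboxDiagnosticLogs -Identity $Identity -ExtendedProperties
    $xml = [xml]$log.MailboxLog
    # Assumption: match any ELC property whose name contains "Success" (e.g. ElcLastSuccessTimestamp)
    $prop = $xml.Properties.MailboxTable.Property |
        Where-Object { $_.Name -like "Elc*Success*" } | Select-Object -First 1
    if ($prop) { return $prop.Value } else { return $null }
}

# Remember the previous value; comparing strings avoids UTC/local time confusion.
$previous = Get-ElcLastSuccess -Identity $Mailbox
Write-Host "ELC last success before forcing MFA: $previous"
Start-ManagedFolderAssistant -Identity $Mailbox

$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 60                       # give the assistant a few minutes, per the article
    $last = Get-ElcLastSuccess -Identity $Mailbox
    Write-Host "$(Get-Date -Format T) ELC last success: $last"
} until (($last -and $last -ne $previous) -or (Get-Date) -gt $deadline)

if ($last -and $last -ne $previous) {
    Write-Host "MFA finished at $last; start the release-and-purge steps now."
} else {
    Write-Warning "MFA did not report a new run within $TimeoutMinutes minutes; do not proceed yet."
}
```

Because the diagnostic log is the only view an Exchange Online administrator has into MFA, the loop treats a changed timestamp as the signal, not an absolute time; if the timestamp never changes, the safe action is to wait rather than to start releasing holds.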

SharePoint has no equivalent of the Search-Mailbox cmdlet, nor can Compliance Center searches purge SharePoint or OneDrive information. You can create compliance searches to locate documents, lists or other data in sites but will then have to manually remove the items from SharePoint after releasing any holds that exist on the sites that contain the information. The relative lack of PowerShell support within SharePoint makes these kinds of administrative operations difficult to script.

Microsoft is aware that the process outlined here is imperfect because it is prone to human error and that competitor products allow for the selective removal of on-hold data. Until a similar feature is made available in Exchange and Office 365, great care needs to be taken to ensure that the data held in mailboxes and libraries is not fatally contaminated in terms of its usability for legal purposes.

Follow Tony @12Knocksinna

TAGS: Office 365