Data Retention in Microsoft 365
How Does Microsoft 365 Data Retention Work and What Do Organizations Need to Avoid Accidental Data Loss?
Data retention is critical to many organizations — supporting compliance initiatives, litigation preparedness, and security investigations. Whether the risk is accidental or willful data destruction, organizations must evaluate their retention requirements before data is lost rather than after. For organizations implementing Microsoft 365 retention policies and the licensing and configuration strategies that protect critical data, eMazzanti Technologies works with businesses across New Jersey and the NYC metropolitan area to develop retention strategies, deploy appropriate licensing, and configure Microsoft Purview policies that meet compliance and legal requirements.
How Does Microsoft 365 Handle Deleted Data by Default?
Understanding default deletion behavior is essential before implementing retention controls — the defaults are more permissive than most organizations assume.
By default, Microsoft 365 email and Exchange Online allow users to delete emails from their mailboxes, including the ability to hard delete emails so they are purged immediately from the system. Emails not hard deleted transition through the Deleted Items folder to the Recoverable Items folder before being purged irrevocably. This process typically takes between 20 and 30 days, after which the deleted data is permanently destroyed.
Similarly, for SharePoint and OneDrive libraries, deleted files are sent to a Deleted Items folder where they are recoverable for up to 30 days before being purged by the system.
When a User Is Deleted or a License Is Removed:
When a user account is deleted or their Microsoft 365 license is removed, all their mail data and documents in Microsoft 365 are queued for 30-day destruction unless an override is in place. Organizations that routinely convert departed employee mailboxes into shared mailboxes to preserve alumni data should recognize that shared mailbox accounts are generally not covered by any retention or hold policies — this data cannot be retained by the Microsoft 365 system and is at risk of destruction.
What Are Microsoft 365 Retention Policies and Litigation Hold Capabilities?
Microsoft 365 provides two primary mechanisms for preventing data destruction: retention policies and litigation holds.
Retention Policies:
A retention policy can be applied to Exchange mailboxes and SharePoint libraries to govern how long data is kept — whether permanently or for a defined period. When a finite retention period is defined, data is automatically purged according to that policy when the period expires.
Multiple policies can be created for different user groups, enabling different retention schedules for executives versus regular staff. This feature operates in conjunction with retention labeling, which tags individual documents with specific retention periods. Users subject to retention policies may continue to delete documents and emails; however, these items are retained within special retention folders that are inaccessible to the user but available to auditors and system administrators.
Litigation Hold:
A litigation hold policy operates similarly to a retention policy, with the critical exception that all information is retained indefinitely for the individual until the litigation hold is explicitly removed. This ensures that no data relevant to pending or anticipated legal proceedings can be destroyed, regardless of user action.
What Licensing Is Required and What Are the Key Steps for Implementation?
One of the most consequential factors governing the ability to deploy litigation hold and retention policies is the licensing level applied to Microsoft 365 accounts.
Entry-level licensing — Business Basic, Business Standard, and Exchange Online Plan 1 — does not include the Microsoft Purview license necessary to enable retention. Organizations that have not verified their licensing level may believe their retention policies are active when in fact the required license is absent.
Four Key Implementation Steps:
Develop a formal document and email retention policy that identifies all data types, their retention requirements, and retention schedules. This information should be published and incorporated into employee training plans.
Deploy the correct licenses within Microsoft 365 to enable retention and establish procedures to enforce corporate retention policy. Business Premium licenses, Enterprise licenses, and Exchange Online Plan 2 licensing include the necessary Purview capabilities.
Ensure that common information assets — shared mailboxes and resources — are protected, or that retention exclusions for data within these accounts are deliberately addressed. The default absence of retention coverage for shared mailboxes creates a gap that many organizations discover only after data loss has occurred.
Prepare proper offboarding procedures that provide for information transfer and ensure data is retained when employees depart. A formal offboarding process that considers data retention and preservation should address both information transfer to successors and organizational data retention requirements.
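Steps 2 and 3 above both come down to one question: which mailboxes are actually covered by a hold today? The following Exchange Online PowerShell audit is an added example, not eMazzanti's or Microsoft's own script; it assumes the ExchangeOnlineManagement module is installed, an Exchange administrator account (the UPN shown is a placeholder), and reports every user and shared mailbox with its litigation hold and retention policy status so uncovered shared mailboxes stand out.

```powershell
# Added example (not from the original article): audit hold coverage of Exchange Online
# mailboxes, including shared mailboxes, so the retention gap described above is visible.
# Assumes: ExchangeOnlineManagement module installed; 'admin@example.com' is a placeholder UPN.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# Org-wide Purview retention policies that apply to Exchange are stamped on the organization
# as hold GUIDs; they cover every mailbox not explicitly excluded from them.
$orgHolds = @((Get-OrganizationConfig).InPlaceHolds)
Write-Host "Org-wide retention policies applied to Exchange: $($orgHolds.Count)"

$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    ForEach-Object {
        # Hold GUIDs stamped on the mailbox itself (retention policy, eDiscovery hold).
        # A GUID with a leading '-' records an explicit exclusion from an org-wide policy.
        $mailboxHolds = @($_.InPlaceHolds | Where-Object { $_ -notlike '-*' })
        $excluded     = @($_.InPlaceHolds | Where-Object { $_ -like '-*' })
        $covered = $_.LitigationHoldEnabled -or
                   $mailboxHolds.Count -gt 0 -or
                   ($orgHolds.Count -gt 0 -and $excluded.Count -eq 0)
        [pscustomobject]@{
            Mailbox                = $_.PrimarySmtpAddress
            Type                   = $_.RecipientTypeDetails
            LitigationHold         = $_.LitigationHoldEnabled
            MailboxHoldCount       = $mailboxHolds.Count
            ExcludedFromOrgPolicy  = ($excluded.Count -gt 0)
            # Purge window for soft-deleted items (the Recoverable Items retention period).
            RecoverableItemsWindow = $_.RetainDeletedItemsFor
            Covered                = $covered
        }
    }

# Shared mailboxes with no hold of any kind are the gap the article warns about.
Write-Host "Shared mailboxes with no retention coverage:"
$report | Where-Object { $_.Type -eq 'SharedMailbox' -and -not $_.Covered } |
    Format-Table Mailbox, LitigationHold, MailboxHoldCount, RecoverableItemsWindow -AutoSize

# Keep the full picture for the retention policy review and offboarding checklist.
$report | Export-Csv -Path .\M365-HoldCoverage.csv -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

Mailboxes whose license does not include Purview will simply never show a hold here, which is the quickest way to confirm that a policy believed to be active is not actually applied.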
Third-Party Backup Considerations:
As an alternative to retention policies, third-party Microsoft 365 backup solutions can provide permanent retention. However, these backups typically provide blanket retention without granularity for automated selective destruction of specific information. They also generally do not provide the search and eDiscovery tools needed to make backed-up data accessible for legal discovery, requiring additional restoration steps before data can be reviewed.
Compliance and retention are two cornerstones of ensuring organizations meet federal and state regulatory requirements or internal auditing, compliance, and legal obligations. Microsoft 365 provides all the tools organizations require to satisfy these needs — provided they are properly defined, licensed, and deployed. Organizations like eMazzanti Technologies can assist with developing retention strategies and ensuring those strategies are deployed correctly across the Microsoft 365 environment.
FAQ: Microsoft 365 Data Retention and Compliance
Q: What is Microsoft Purview and why is it required for data retention in Microsoft 365?
A: Microsoft Purview (formerly Microsoft Information Protection and Compliance) is the compliance and governance platform integrated into Microsoft 365 that provides data retention policies, litigation hold, eDiscovery, audit logging, and information protection capabilities. Purview capabilities are not included in all Microsoft 365 license tiers — they require Business Premium, Enterprise (E3/E5), or Exchange Online Plan 2 licensing. Organizations with entry-level licenses (Business Basic, Business Standard, or Exchange Online Plan 1) cannot configure retention policies or litigation holds through the standard Microsoft 365 compliance tools. This licensing gap is one of the most common compliance vulnerabilities in small and mid-sized business Microsoft 365 deployments, because organizations may assume their data is protected when the license required to enable that protection is absent.
Q: What is the difference between a retention policy and a litigation hold in Microsoft 365?
A: A retention policy defines specific rules about how long data is kept and what happens when that period expires — data can be retained for a defined period and then automatically deleted, or retained permanently, or subject to other configured behaviors. Retention policies can apply different rules to different groups of users and can be granular to individual document labels. A litigation hold preserves all data for a specific individual indefinitely, regardless of user actions or other retention policies, until the hold is explicitly removed by an administrator. Litigation holds are typically applied when legal proceedings are anticipated or ongoing and all potentially relevant data must be preserved. The key practical difference: retention policies enforce a defined schedule; litigation holds preserve everything with no scheduled deletion.
Q: What data risks arise when converting a departed employee's mailbox to a shared mailbox?
A: Shared mailboxes in Microsoft 365 are not covered by retention policies or litigation holds under standard configurations — they fall outside the Microsoft Purview compliance framework that applies to licensed user mailboxes. When an organization converts a departing employee's mailbox to a shared mailbox to preserve access for colleagues, that data loses its retention policy protection. If no alternative retention mechanism is in place, that data is at risk of destruction through normal deletion processes or if the shared mailbox is subsequently deleted. Organizations with departed employee data that must be retained for legal, regulatory, or operational reasons should either maintain the original mailbox with an appropriate license and retention policy or implement an explicit retention strategy for the shared mailbox data before conversion.
Q: How does Microsoft 365 retention interact with eDiscovery for legal proceedings?
A: Retention policies and litigation holds in Microsoft Purview are directly integrated with Microsoft 365's eDiscovery tools. Data retained under a litigation hold or retention policy is preserved in special hidden folders (the Recoverable Items folder in Exchange and the Preservation Hold Library in SharePoint) that users cannot access or delete but that auditors, administrators, and legal teams can search through the Purview compliance portal. This integration means that when legal proceedings require document production, retained data can be searched, reviewed, and exported without requiring system restoration from backup. Third-party backup solutions, by contrast, typically require restoration of backup data to a recoverable state before eDiscovery searches can be performed — adding time and complexity to the discovery process.
Q: What should a Microsoft 365 data retention policy include to be legally and operationally effective?
A: An effective Microsoft 365 data retention policy should identify all data categories held in Microsoft 365 (email, documents, Teams conversations, SharePoint sites) and their applicable retention periods based on regulatory requirements, industry standards, and organizational needs. It should define distinct retention schedules for different data types and user groups — executive communications, financial records, HR data, and general correspondence typically have different legal and operational retention requirements. The policy should address offboarding procedures that ensure departing employee data is handled according to policy rather than being inadvertently destroyed. It should be documented, published to employees, and incorporated into training so that users understand their obligations. Finally, it should be technically implemented through Microsoft Purview with the appropriate licensing, with configurations verified periodically to ensure they remain aligned with policy requirements as the organization and regulatory environment evolve.