
Office 365, pp 429–481


Office 365 Compliance and Data Loss Prevention



Office 365 is a suite of software products that Microsoft offers as a service subscription. The basis for the service is to reduce the IT costs of business implementation. The major benefit of using Microsoft Office 365 services is that businesses can focus on building the business rather than building IT cost centers.



There are three plans of Office 365: Professional, Mid-Size Businesses, and Enterprise. Compliance, data loss prevention, encryption, and rights management are available only in the Enterprise plan. If you are not on the Office 365 Enterprise plan, the contents of this chapter will not apply to your Office 365 subscription.

This chapter is a compilation of the best-known methods in use to implement a compliant cloud storage system that meets the needs of various regulatory entities. It comprises two parts: the compliance capabilities of Office 365, followed by their implementation. We encourage you to reach out to a Microsoft Tier 1 Champion Partner and engage it as a licensing advisor to help with these features in Office 365.

Overview of Office 365 Compliance and Discovery

Office 365 is built on the principle that the information contained in the cloud service is owned by the business. The data your company places in Office 365 is your data. Microsoft has a strict policy not to mine or process your data for any business purpose. If you choose to leave Office 365 for some other service, the data you leave behind will be destroyed within 90–120 days of your subscription termination.

There are two parts to compliance: Microsoft’s management of the Office 365 service, and your business processes in the management of your Office 365 data. Microsoft’s management of the Office 365 service and its service standards are published on the Microsoft “trust” website (see Figure 9-1). If you need a HIPAA (Health Insurance Portability and Accountability Act of 1996) Business Associate Agreement certification or a copy of the service audit logs, you can request them directly from Microsoft. Microsoft is transparent in its process on Office 365 and built the service around the protection of your company information. This is in contrast to other cloud services that require an intellectual property rights assignment, which allows them to use your information to sell advertising, among other things.

Figure 9-1. Office 365 Trust Center

Compliance Settings

When we refer to Office 365 compliance, we are referring to the capabilities of Office 365 data governance to preserve and manage information. Compliance and regulatory settings are the services you enable on the Office 365 site that meet your business needs or regulatory requirements. As an example, you can group information into three different categories: compliance, information review, or business data retention:

  • Compliance (HIPAA as an example)

    • Rights management and the protection of personal information

    • Encryption of personal information external to your organization

  • Information review (regulatory, such as FINRA (Financial Industry Regulatory Authority), or judicial order)

    • Litigation hold and eDiscovery

    • Email review to meet FINRA requirements

  • Business data retention

    • Business processes on age of data

    • Data management: how to archive, how to delete

All information that you keep falls into these categories. For example, HIPAA requires you to manage certain types of data in a way that protects the information. To meet HIPAA requirements, you must protect personal information by encrypting it before it is sent outside the organization. One of the HIPAA requirements is that the service you are using provides a Business Associate Agreement (BAA) for its services.

Information review typically means that the information is subject to an audit and is immutable—meaning it cannot be changed or deleted by the users or the organization—prior to review. Any type of regulator review requires that the data is immutable. The most common is litigation. When an organization enters into litigation, all information is frozen at that period in time. We refer to that as litigation hold. Regulator reviews such as FINRA are nothing more than an extension of a litigation hold.

Business data retention is nothing more than the business processes used to maintain information, subject to the regulatory requirements. As an example, if the business policy (or user policy) deletes information subject to the retention policy, the information is deleted from the user perspective, but may be kept for a very long time subject to the compliance needs of the organization. The user may delete information, but the compliance setting keeps the information in an area where it is immutable and fully searchable and hidden from the user.

The Office 365 administrator has complete control over the configuration of the compliance and retention policies. The administrator can enable these settings, and all actions are auditable. The settings can be changed by using the Exchange Admin Center or PowerShell commands. As Microsoft enhances the Office 365 service, these settings are being simplified into an easy-to-use graphical interface.

The rest of this chapter discusses these concepts and provides a step-by-step implementation with examples of data loss protection (compliance), regulatory review (discovery), and business data retention policies. These three areas make up Office 365 data governance.


If you find that you need to perform discovery or mailbox searches, all users subject to search must be on Enterprise Subscription “Exchange Plan 2,” and there needs to be at least one E3 subscription to use the Electronic Discovery Center.

Data Governance Concepts

Microsoft provides the management service on Office 365 that meets or exceeds regulatory compliance requirements. The management of the data in Office 365 (and the subscription types) is handled and owned by the individual users. The Office 365 business owners need to look at the business and decide what makes sense based on the needs of the business. To put this in perspective, when an external entity looks at email storage, it is considered modifiable by the user and is noncompliant with certain regulations. A compliant system requires that the mail and document storage systems be incapable of being modified, or immutable. The owner of a mailbox must not be able to go in and delete the information or document. These capabilities are options in the Office 365 Enterprise plan and are included at no charge in some of the subscription suites (such as the Enterprise E3 subscription).

You are probably familiar with the various CSI and NCIS shows. A key message that these shows highlight lies in the evidentiary collection of information, and that there must be a “chain of custody” regarding information collected. Think of data governance in the same context as you would a murder with the collection of information for the legal prosecution of the suspect. It is all about chain of custody. Data governance on Office 365 is the same. Information that is under discovery cannot be tampered with. Further, access is recorded and auditable for all those who access the information. This is the data governance model of Office 365.

Archive and retention policies are implementations of our ability to manage the data to meet our data governance needs. Traditional approaches, such as journaling, record information external to the organization structure, and mostly just contain copies of the email communications. This archaic journaling approach does not address the changing landscape of data governance and data management. Journaling does not link data from storage sites and draft documents in an integrated form. Even an archive is nothing more than another mailbox that is used to store information.

Immutability, audit policy, archive/retention, and data loss prevention are all part of the Office 365 data governance structure. It is designed around chain of custody and the preservation of information—information that cannot be tampered with. If it is tampered with, then a full audit trail of access, as well as the original information that was modified, is created.

Before we discuss the practical aspects of the configuration of retention policy and eDiscovery, we need to frame the discussion with a definition of each of the four key areas of data governance to put them in perspective.


There has been much written about information immutability, and there are many misconceptions as to what this is and how it is managed in Office 365. The definition is simple: data is preserved in its original form, cannot be changed, and is kept in a form that is discoverable.

Recall the discussion of chain of custody. The information that you access and provide for data governance needs not only cannot be changed, but you must not have the ability to change it. In addition, any access to the information must be fully traceable. If you access information, the information that you extract will not change the underlying information.

The best example is to look at an email that flows in or is created by a user in the cloud (see Figure 9-2). In this case, information that arrives or is in a user mailbox can be changed and modified by the user. This is the normal process that we use in writing an email. An email that is immutable, on the other hand, keeps all parts of the message in a form that can be fully discoverable through searches. When an email message is drafted, all changes and drafts are kept and not deleted. Nothing is purged—all information is fully discoverable.

Figure 9-2. Life of an email message

When we refer to compliance, we are referring to our ability to access communications and documents that are immutable. Retention rules are based on business policies in the management of email communications, specifically what email is visible to the user in the mailbox, and what is kept in the archive. For example, you may have a business policy that dictates the movement of email from a user mailbox to an archive if the email is too old, or if the user deletes an email. One company has a retention policy of 90 days; after 90 days, user incoming email is moved into the compliance archive. These retention rules move the mail from the user mailbox (or delete folder) into the archive. These rules can be systems level (user has no control), or they can be local level (user has complete control), or any combination.

Litigation hold is an action that is placed on a mailbox to meet compliance requirements for future discovery and searching. What litigation hold does is to ensure that the data in a user mailbox is immutable. As an example, if the user tries to delete an email, the email is deleted (or purged) from the user’s view, but the litigation hold function blocks the email from being deleted in the system and is fully discoverable by the administrator (or compliance officer).

Referring back to Figure 9-2, we see the life of an email in a user mailbox. In Figure 9-2, the user only sees the message in steps 1–3. The compliance officer has access to all transactions in steps 1–6. When a discovery action—a search—is executed, all information is displayed in the search request, including the information in the deleted items, purges, and draft folders.

Audit Policy

Companies in the cloud need to know who has access to their company data. The ability to monitor this access and produce the necessary reports is part of the Office 365 audit capability. Companies need to do the following:

  • To verify that their mailbox data isn’t being accessed by Microsoft.

  • To enforce compliance and privacy regulations and access by nonowners.

  • To have the ability to determine who has access to data at a given time in a specific mailbox.

  • To have the ability to identify unauthorized access to mailbox data by users inside and outside your organization.

The ability to monitor the mailbox data is a fundamental part of the Office 365 organization (see Figure 9-3). Once the audit capabilities are enabled (via PowerShell), the audit reports can be generated by the administrator or an individual who has been given this capability.

Figure 9-3. Audit and retention capabilities

The audit reports are displayed in the search results in the Exchange Administrator Panel. However, if the audit reports are not enabled, the information is not logged. Each audit report contains the following information:

  • Who accessed the mailbox and when

  • The actions performed by the nonowner

  • The affected message and its folder location

  • Whether the action was successful

The first step in setting up a compliant organization is to enable the audit capabilities to ensure that you have a complete record of all accesses to user mailbox data by nonowner users. This information is used to supplement future reports. Figure 9-4 provides a descriptive explanation of the terms in the audit reports.

The audit reports that are generated contain detailed information about who has accessed the information and how they have changed it. As you’ll see in Figure 9-4, users have different levels of access, and that access can be tracked in audit logs. If a legal hold was placed on the user mailbox, then a search of the user mailbox will show the history of non-mailbox-owner access. The areas marked “Yes” are those that can be tracked in the audit logs. This is different from the tracking of the information in the discovery center. The discovery center can track all information that is placed on legal hold. The audit logs track the non-mailbox owners who access information.

Figure 9-4. Office 365 audit information (courtesy of Microsoft)

Information Immutability

Information immutability takes this one step further and integrates Lync Communications and SharePoint documents (as well as SkyDrivePro document synchronization) into the equation. The Office 365 approach is designed to shrink and reduce the amount of information by removing duplicate information. This reduces the complexity of the searches and allows the compliance officer to clearly see the thread of the information and the root cause (if any) of the discovery request. The searched data can be exported in the industry-standard Electronic Discovery Reference Model (EDRM) XML format to provide content to a third party. The Office 365 approach is designed to remove duplicate data from searches and does not remove any data from the user SharePoint site or email mailbox. The data stays where it is and is immutable.

In Office 365, data governance and compliance are simplified. The scope of the discovery is reduced to a specific set of keywords and can be easily restricted to the few users in question. It is not uncommon for an eDiscovery request on Office 365 to cost 90 percent less than an eDiscovery request using an older journaling system for email communication management.

As you read the rest of this chapter, note that the discussion on archive and retention policies is built around data immutability to manage an organization’s compliance needs. In Office 365, this is referred to as compliance management. Administrators are enabled to set up controls based on the business policies of the organization.

Office 365 Archiving and Retention

The term archive is overused. It often implies more than what it really is. An archive is nothing more than a second mailbox designed for long-term storage. The relevancy of an archive is based on the business process rules that are used to manage it. This is where immutability and retention policies come into play. Immutability refers to how information is retained (in a form that can’t be changed) in the mailbox and the archive. Retention policies (see Figure 9-5) describe the length of time you need to keep the data that is not subject to any legal action (legal hold to guarantee immutability).

Figure 9-5. Sample retention policies

There are two types of archive in Office 365: personal archives and server archives (see Table 9-1). Server archives can be immutable (meaning they can be configured to ignore any change using litigation hold or in-place hold). Personal archives are stored locally on the user desktop and are not immutable (users can change the contents). The retention policies only refer to the moving of data from the user mailbox to the archive.

Table 9-1. Archive Size
Retention Policy

Retention policy is nothing more than the business processes that define the movement of data. Retention policies are a set of rules that are executed concerning a message (see Figure 9-6). A retention policy is a combination of different retention tags, which are actions placed on a message. You can have only one retention policy applied to a mailbox. In an organization where you have compliance requirements, retention tags are used to manage the user mailbox information and to control mailbox sizes.

Figure 9-6. Office 365 retention tags (courtesy of Microsoft)

Retention tags define and apply the retention settings to messages and folders in the user mailbox. These tags specify how long a message is kept and what action is taken when a message reaches the retention age. Retention tags are used to control the amount of information that is on the user’s desktop. Typically this means that the message is moved to the archive folder or it is deleted. Looking at Figure 9-6, you can see three types of retention tags: Default retention tags, Policy retention tags, and Personal retention tags (described below):

Default: The default policy applies to all items in a mailbox that do not have a retention tag applied.

Policy: Policy tags are applied to folders (Inbox, Deleted Items, and so on) and override the default policy tags. The only retention action for a policy tag is to delete items.

Personal: Personal tags are only used by Outlook clients to move data to custom folders in the user’s mailbox.

The best way to understand retention policy is to follow the example in our implementation section (later in this chapter). Keep in mind that the implementation of a retention policy directly affects the amount of information kept in a user mailbox. Retention tags (which make up the retention policy) are just another tool used for information management. Depending on your business needs, you may have different retention policies to manage the information of different groups in your organization. In one organization we managed, the data retention policy was 90 days, unless the mailbox was placed on in-place hold for litigation or discovery.

Compliance archives may or may not have a retention policy applied to them, but they will have the mailbox placed under litigation hold and the data retention policy of the SharePoint site also placed under litigation hold. User mailboxes that are placed under litigation hold with the external audit enabled meet all compliance requirements, because the data is immutable.

Data Loss Prevention

Data loss prevention (DLP) operates with either a template rule (see Figure 9-7), or with a trigger from the Rights Management Service based on business policy. The purpose of DLP is to execute an action based on rules. DLP does not prevent an individual from doing something bad. All DLP does is to limit the information flow in case someone sends electronic communications to a third party that violates business policy.

Figure 9-7. Data loss prevention (DLP) templates

What DLP does is minimize mistakes that individuals make in sending information to individuals that do not have a business need to know the information. Add to this capability auditing and discovery, and you will be able to determine which individual had last access to the information.

There are many rules that you can select to implement in addition to the rights management rules on Office 365. Figure 9-7 shows the different templates that can be managed in your organization to control information to meet federal and state regulations. Rights management is the extension of DLP to manage internal documents and information using Active Directory. DLP functions are managed using both the Office 365 interface and PowerShell commands (Figure 9-8).

Figure 9-8. Rights management capabilities (courtesy of Microsoft)

Setting Up Office 365 Compliance, Discovery, and Retention Policy

Office 365 is very flexible in how the different policies for the management of information can be set up. The problem is where to start. Earlier, we reviewed the different capabilities that you have in Office 365. There are three different areas that need to be configured before you can begin to use the services. The following section outlines the steps required to set up the Office 365 organization for compliance, discovery, and retention policy. Follow the steps to set up the different features. Note: you will find additional details about the compliance steps in the section “Configuring Compliance.”

There are many different views of eDiscovery. What you are trying to avoid is the generation of document production, in paper and electronic form, in response to a request. Figure 9-9 is a sample of the old way of producing documents for eDiscovery. This is a sample of what you want to avoid. Litigation is expensive, and discovery is a very expensive process (from $1–$2 a page). In this example, there were 200,000 pages of documents generated to satisfy a request. Costwise, this was $250,000–$400,000 worth of work. Office 365 allows you to create a “discovery center,” where you can process the queries and generate a SharePoint library that has the information requested in the response. (Recall that we discussed sharing information earlier in Chapter 2 and Chapter 5.) In this case, information was generated for the other side’s attorneys that was responsive to the judicial order. Access to the discovery search results can be shared with the other side’s attorneys. This discovery center approach is a lot lower in cost than the traditional document production shown in Figure 9-9.

Figure 9-9. Document production in response to judicial discovery order (approximately 200,000 documents produced)

Compliance Setup

Compliance management seems very complex, but in reality it is very simple to set up. The starting place is the business process requirements—what information to keep, what types of audits you want, etc. Once these issues are known, then it is a straightforward implementation process.

The process steps are outlined below and described in greater detail later in the “Compliance Example” section:

  1. Determine the compliance requirements.

  2. Define the users who will manage the compliance activity.

  3. Enable encryption (if required by business policy).

  4. Enable audit (if required by business policy).

  5. Test out the compliance policy with tool tips.

  6. Enforce the compliance policy.

Compliance configuration is a simple two-step process: determine the business needs and then implement those business needs. Our compliance example looks at the requirements of HIPAA in the protection of personal information under federal regulation. Compliance can also be used to manage information in an organization, such as with documents that are tagged as confidential.

Discovery Site Setup

Discovery management is more about business process and the collection of information as required by either federal or state regulation or judicial order. The steps outlined below are described in detail in the section “Discovery Site Example” and require that you have a SharePoint Plan 2 license (for the search query and the reviewer) and that the email accounts are on Exchange Plan 2. Plan 2 licenses are automatically part of the E3 subscription. The steps to complete the discovery search are outlined below:

  1. Define the business policy for the search (regulation review or judicial)

  2. Enable auditing

  3. Identify who will perform the discovery and review functions

  4. Enable in-place hold (or legal hold) for immutability

  5. Compliance and discovery—using the eDiscovery Search Tool

  6. Case-creation process

  7. Build the search query

  8. Review the information

  9. Export the data for review in Outlook

The “Discovery Site Example” section provides a detailed step-by-step example of what is needed to perform a search on the data in an organization to meet regulatory requirements or judicial orders.

Retention Policy Setup

Retention policy refers to how long data is kept in your mailbox before it is moved to the online archive. The way in which retention policy works in conjunction with compliance management seems very complex, but in reality it is very simple to set up. The issue is the business processes in place in the organization to manage information. The steps outlined below are described in detail in the section “Compliance Configuration”:

  1. Determine the business retention policy

  2. Define the retention tags

  3. Implement the retention policy rules

Retention policies are business policies. These policies are overridden by any compliance or regulatory requirements for the management of data. The best example of an override policy is how deleted information is handled. The retention policy will delete the information, so the user sees the information deleted in the inbox, but the litigation hold policy will keep the information in place. The deleted information is never deleted; it is just hidden from the user. The hidden information is fully discoverable.
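The retention-tag model from the “Retention Policy” section and the override described above, as an added PowerShell example (not code from the book): a default tag that moves items to the archive after 90 days, a policy tag that deletes from Deleted Items, one policy bundling them, and litigation hold on the same mailbox so that what the policy deletes stays discoverable. It assumes an open Exchange Online remote PowerShell session; the tag, policy and mailbox names and the hold duration are placeholders.

```powershell
# Added example, not from the book. Assumes an Exchange Online remote
# PowerShell session is already open. All names below are placeholders.
$TagName    = "Default 90 Day Move to Archive"
$DeletedTag = "Deleted Items 30 Days"
$PolicyName = "Corp-90Day-Archive"
$Mailbox    = "sam.sneed"

# 1. Default tag (Type All): applies to every item that carries no other tag.
#    After 90 days the item leaves the primary mailbox for the archive.
if (-not (Get-RetentionPolicyTag -Identity $TagName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicyTag -Name $TagName -Type All `
        -AgeLimitForRetention 90 -RetentionAction MoveToArchive `
        -Comment "Business policy: items older than 90 days go to the archive"
}

# 2. Policy tag on the Deleted Items folder. Policy tags can only delete;
#    DeleteAndAllowRecovery keeps the item in Recoverable Items.
if (-not (Get-RetentionPolicyTag -Identity $DeletedTag -ErrorAction SilentlyContinue)) {
    New-RetentionPolicyTag -Name $DeletedTag -Type DeletedItems `
        -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery
}

# 3. A retention policy is a bundle of tags; a mailbox carries exactly one.
if (-not (Get-RetentionPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicy -Name $PolicyName -RetentionPolicyTagLinks $TagName, $DeletedTag
}

# 4. The move-to-archive tag needs an archive mailbox to move into.
if ((Get-Mailbox -Identity $Mailbox).ArchiveStatus -eq "None") {
    Enable-Mailbox -Identity $Mailbox -Archive
}

# 5. Attach the policy and put the mailbox on litigation hold. Hold does not
#    stop the retention policy; it keeps what the policy (or the user) deletes
#    in the hidden, searchable Recoverable Items store instead of purging it.
Set-Mailbox -Identity $Mailbox -RetentionPolicy $PolicyName
Set-Mailbox -Identity $Mailbox -LitigationHoldEnabled $true `
    -LitigationHoldDuration 2555    # days; placeholder value (about 7 years)

# 6. Verify the policy and hold on the mailbox.
Get-Mailbox -Identity $Mailbox |
    Select-Object DisplayName, RetentionPolicy, ArchiveStatus,
                  LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner

# Optional: process the tags now instead of waiting for the scheduled
# Managed Folder Assistant run, so the effect can be checked immediately.
Start-ManagedFolderAssistant -Identity $Mailbox
```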

Compliance Example

As discussed earlier, compliance is a combination of regulatory monitoring and business process. In this section, we will walk through the compliance setup for a regulatory problem, protection of personal information. Here are the steps:

  1. Select the compliance requirements

  2. Define the users who will manage the compliance activity

  3. Enable encryption

  4. Enable audit

  5. Test out the compliance policy with tool tips

  6. Enforce the compliance policy

Let’s follow the steps for implementation of the compliance policy.

Step 1: Select the Compliance Policy

Depending on the industry that you are in, there are different compliance requirements. To access the Office 365 compliance center, log in to Office 365 and follow these steps (see Figure 9-10):

  1. Select the Exchange admin center

  2. Select data loss prevention

  3. Select the “+” sign; select the New from template option

  4. Select the HIPAA template for data loss prevention

  5. Select the PII template for personal information

  6. Select “test with policy tips” (this will be changed to “enforce” once we have completed our testing)

Figure 9-10. Data loss prevention templates

Select the policies that you wish to use. You can only add one policy at a time. Office 365 will process the policies in the order that they are listed. In our example, we selected HIPAA and PII (personal information), and then we chose to deploy these policies with “tips” (see Figure 9-11). Tips are notifications to the user that if they continue to send the email, they will be in violation of state and federal laws. Office 365 will keep track of the violations in the Exchange admin center (under data loss prevention) and on the Office 365 administrator dashboard (under mail control).

Figure 9-11. HIPAA and PII with policy tips enforcement

After you have selected the new DLP policies, return to the Exchange admin center and the “mail flow, rules” screen (Figure 9-12). Verify the order of the rules. Adjust the rules based on your business requirements.

Figure 9-12. Office 365 DLP policy rules

Step 2: Define the Users Who Will Manage the Compliance Roles

Compliance management is role based. To enable and review the information, you must be in the compliance role. To add a user to the compliance role, go to the Exchange admin center, select permissions, and then admin roles. Select compliance management, and add the user to the compliance management group (see Figure 9-13). Select the pencil icon to edit the compliance roles, then add the compliance officers into the Exchange compliance and management roles fields.

Figure 9-13. Adding a user to a compliance role

Step 3: Enable Encryption

Depending on the industry you are in, you will need to enable the encryption of email when information is being sent externally from Office 365. The encryption option is standard in the Enterprise subscriptions, such as E3 and E4, but is optional for other plans.

Any time there is personal information distributed to a party outside of your company, the information should be encrypted. To set up Office 365 encryption, go to the exchange admin center, and select “rules.” Create a new rule, then select “apply rights protection to messages” (see Figure 9-14).

Figure 9-14. Accessing data rights management rules

After you have selected the rights protection, enable Office 365 encryption (see Figure 9-15) and apply it to the different transport rules you have in place. Review the policy rules (Figure 9-12 above) and edit the transport rules that you wish to modify. Add an “action” of encryption to those rules. (Transport rules are discussed in detail in Chapter 10.)

Figure 9-15. Enabling Office 365 encryption (courtesy of Microsoft)

Step 4: Enable Audit (Optional)

To start using the tracking methods in Office 365, the first step is to enable external auditing. After this is enabled, you can access audit reports from the Office 365 Exchange control panel. Chapter 6 provides information about setting up PowerShell on your system. The current version of Office 365 does not have an integrated user interface to enable the audit capabilities, so these capabilities must be enabled through PowerShell. You only need to do this to turn the capabilities on, or to disable them. You do not need to perform this function each time you use the search capabilities of Office 365.

To enable mailbox audit logging for a single mailbox, run the following Windows PowerShell command:

Set-Mailbox <Identity> -AuditEnabled $true

For example, to enable mailbox auditing for a user named Sam Sneed, run the following command:

Set-Mailbox "Sam Sneed" -AuditEnabled $true

To enable mailbox auditing for all user mailboxes in your organization, run the following commands:

$UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}

$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}
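The commands above turn auditing on once; as an added example (not code from the book), the script below completes the step from the defender’s side: it catches user mailboxes that are still unaudited, makes sure the delegate and admin actions are logged, and pulls the nonowner access report described in the “Audit Policy” section (who accessed the mailbox, the action, the affected item and folder, and whether it succeeded). It assumes an open Exchange Online remote PowerShell session; the 30-day window and the Get-NonOwnerAccessReport function name are assumptions.

```powershell
# Added example, not from the book. Assumes an Exchange Online remote
# PowerShell session is already open.

# 1. Enable auditing on every user mailbox, reporting the ones that were off
#    (mailboxes created after the one-time enable run end up here). Owner
#    actions are not audited by default; delegate and admin actions are what
#    the chain-of-custody reports need, so list them explicitly.
$UserMailboxes = Get-Mailbox -ResultSize Unlimited `
    -Filter { RecipientTypeDetails -eq 'UserMailbox' }

foreach ($mbx in $UserMailboxes) {
    if (-not $mbx.AuditEnabled) {
        Write-Output "Auditing was OFF for $($mbx.PrimarySmtpAddress); enabling"
    }
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
        -AuditDelegate FolderBind, SendAs, SendOnBehalf, SoftDelete, HardDelete,
                       Update, Move, MoveToDeletedItems `
        -AuditAdmin    FolderBind, SendAs, SendOnBehalf, SoftDelete, HardDelete,
                       Update, Move, MoveToDeletedItems, Copy, MessageBind
}

# 2. Nonowner access report for one mailbox: every Admin or Delegate logon
#    in the window, with the fields the audit report is described as holding.
function Get-NonOwnerAccessReport {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [int] $Days = 30    # assumed window
    )
    Search-MailboxAuditLog -Identity $Identity -LogonTypes Admin, Delegate -ShowDetails `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
        Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
                      OperationResult, FolderPathName, ItemSubject, ClientIPAddress |
        Sort-Object LastAccessed
}

# 3. Run it for the chapter's sample user and flag failed or external access.
$Report = Get-NonOwnerAccessReport -Identity "Sam Sneed"
$Report | Format-Table -AutoSize
$Report | Where-Object { $_.OperationResult -ne 'Succeeded' -or $_.LogonType -eq 'Admin' } |
    Format-Table LastAccessed, LogonUserDisplayName, Operation, OperationResult -AutoSize
```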


Please refer to Chapter 8 for details on installing PowerShell.

Step 5: Test the Compliance Policy with Tool Tips

The first step in compliance policy rule testing is to test out the policy with tool tips. Tool tips inform the user of the DLP rule and request an override before sending the email, as shown in the example in Figure 9-16. The DLP rule that was invoked was about the protection of personal information. The user was sending out the email, and a notice was generated to the user to stop the behavior.

Figure 9-16. DLP tool tip notice (courtesy of Microsoft)

Step 6: Enforce the Compliance Policy

Compliance enforcement is simply about preventing the information from being sent by the user. When the enforcement policy is set, the user is still allowed to attempt to send the information, but the email is not actually sent; it is instead rejected with an unauthorized notice and returned to the user. To enforce the compliance policy, modify the DLP rules (Figure 9-11 above) and select the “enforce” option.

Discovery Site Example

The discovery process is an eight-step process. There are two ways to complete discovery: you can use either the SharePoint Discovery site or a PowerShell script. The PowerShell script is used for Office 365 organizations that do not have a SharePoint configuration; this method is discussed in the email scanning example. The steps to use the SharePoint Discovery site are described below:

  1. Define the business policy for the search (regulation review or judicial)

  2. Enable auditing

  3. Identify who will perform the discovery and review functions

  4. Enable in-place hold (or legal hold) for immutability

  5. Compliance and discovery—using the eDiscovery Search Tool

  6. Case-creation process

  7. Build the search query

  8. Review the information

  9. Export the data for review in Outlook

Step 1: Define the Business Policy for Search

Office 365 integrates a standard electronic discovery function that allows you to scan for any type of information across Office 365. There are two ways you can search for data in Office 365: using the integrated compliance search services via SharePoint services, or through PowerShell. There are two prerequisites necessary before you perform compliance searches; you must:

  • Enable the user mailboxes in-place hold (legal hold)

  • Enable the audit capabilities of Office 365 (keeps logs of access for 30 days)

Once these features are enabled in Office 365, your Office 365 organization is compliant for all access, both internal and external.

Step 2: Enable Auditing

To start using the tracking methods in Office 365, the first step is to enable the external auditing. After this is enabled, you can access the audit reports from the Office 365 Exchange control panel. Chapter 8 provides information about setting up PowerShell on your system. The current version of Office 365 does not have an integrated user interface to enable the audit capabilities, so these capabilities must be enabled through PowerShell. You only need to do this to either turn the capabilities on or to disable them. You do not need to perform this function each time you use these audit capabilities on Office 365.

To enable mailbox audit logging for a single mailbox, run the following Windows PowerShell command:

Set-Mailbox <Identity> -AuditEnabled $true

For example, to enable mailbox auditing for a user named Sam Sneed, run the following command:

Set-Mailbox "Sam Sneed" -AuditEnabled $true

To enable mailbox auditing for all user mailboxes in your organization, run the following commands:

$UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}

$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}


Please refer to chapter 8 for details on installing PowerShell.
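The audit-enablement commands shown in Step 4 of the DLP example and Step 2 here turn auditing on but never confirm it. The following script is an added example, not the book's code: it enables audit logging on every user mailbox, selects which owner, delegate and admin actions are logged, and then re-reads the mailboxes to report any that are still unaudited. It assumes an existing remote PowerShell session to Exchange Online (Chapter 8) opened with an account that holds the Organization Management role; the output file name is a placeholder.

```powershell
# Added example (not from the book): enable mailbox audit logging on all user
# mailboxes, choose the audited actions, and verify the result.
# Assumes a remote PowerShell session to Exchange Online is already open.

# Actions to log for each actor class. These are real Set-Mailbox values;
# the particular selection is a choice for your policy, not a service default.
$ownerActions    = 'HardDelete', 'SoftDelete', 'MoveToDeletedItems', 'Update'
$delegateActions = 'SendAs', 'SendOnBehalf', 'HardDelete', 'SoftDelete', 'Update', 'FolderBind'
$adminActions    = 'SendAs', 'SendOnBehalf', 'HardDelete', 'SoftDelete', 'Update',
                   'Copy', 'Move', 'FolderBind'

$userMailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $userMailboxes) {
    Set-Mailbox -Identity $mbx.Identity `
        -AuditEnabled $true `
        -AuditOwner $ownerActions `
        -AuditDelegate $delegateActions `
        -AuditAdmin $adminActions
}

# Verify by re-reading the mailboxes rather than trusting the loop's silence.
$notAudited = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled })

if ($notAudited.Count -gt 0) {
    Write-Warning "Audit logging is still disabled on $($notAudited.Count) mailbox(es):"
    $notAudited | Format-Table DisplayName, PrimarySmtpAddress -AutoSize
} else {
    Write-Output "Audit logging enabled on all $(@($userMailboxes).Count) user mailboxes."
}

# Record the audit configuration for the compliance file: who is audited,
# for which actions, and how long the per-mailbox log is kept.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object DisplayName, AuditEnabled, AuditLogAgeLimit,
                  AuditOwner, AuditDelegate, AuditAdmin |
    Export-Csv -Path '.\mailbox-audit-state.csv' -NoTypeInformation   # placeholder path
```

Keep the exported CSV with the compliance records; it is the evidence that auditing was in force when a later discovery search is challenged.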

Step 3: Identify Who Will Perform the Discovery and Review Functions

There are two roles: compliance management and discovery/records management (see Figure 9-17). Users who perform the discovery function must be in this role.

Figure 9-17. Compliance: discovery roles

As an example, if you want to have a person to perform discovery and review, you add the person to the Discovery Management role. To add the person (see Figure 9-17), select the exchange admin center, then permissions and admin roles. Select the role (discovery management in this example), then select edit (the pencil icon) and add the person to that role. A global admin can only perform this function if they are added to the role. If you are not added to the role, you will get a PowerShell error, or you will not be able to access the discovery search records.

If you only want the person to perform search review, then you must manually give the person full access rights to the mailbox using the PowerShell script. Their access will only be through the Outlook client and not the discovery search center. Since the “Discovery Mailbox Search” is a mailbox, you use the PowerShell command to access the mailbox.

Add-MailboxPermission "Discovery Search Mailbox" -User <Display Name> -AccessRights FullAccess


Discovery management gives the user full access to all mailboxes to perform searches. If you want to restrict access to a small group of individuals, then create a uniquely named mailbox for that discovery and user access. If no mailbox is specified in your search, the default mailbox that Office 365 uses is “Discovery Mailbox Search.”

Step 4: Enabling In-Place Hold (or Legal Hold) for Immutability

There are two ways to enable immutability in Office 365: through the Exchange management interface via the discovery search center (in-place hold), or through the use of PowerShell. The common practice is to perform this function by using “compliance management” in the exchange admin center (Figure 9-18). The process to enable compliance center searching is in the following sections.

Figure 9-18. Compliance: in-place hold on user accounts

Extending Deleted Item Recovery

In some cases, there may not be a need to enable in-place discovery or legal hold. The business need may be only to prevent the deletion of information for a period of time, until the information is audited. In this case, we are looking for limited information immutability. To accomplish this, we would run a PowerShell script and change the way the user deletes information in a mailbox or a group of mailboxes. This retention script operates on a mailbox (or an archive). Retention tags are used to manage information.

Set-Mailbox <identity> -LitigationHoldEnabled $true -LitigationHoldDuration <duration, in days>

Also, extend the deleted-item retention (the “purges” folder) from 14 days to 30 days:

Set-Mailbox user@contoso.com -RetainDeletedItemsFor 30

The typical example would be an audit department wanting to have a temporary legal hold on a mailbox for a limited duration (90 days). In the PowerShell example, we place the mailbox on a legal hold status, with a limited duration of time. This is different than a retention policy. Retention policy in Office 365 is used to manage mailbox information (to be deleted) and the movement of data from the mailbox to the archive or the bit bucket.
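The scenario just described, as an added example that is not part of the book: a set of mailboxes is placed on a 90-day litigation hold for an audit, deleted-item retention is raised to 30 days, and the resulting state is read back and checked. It assumes a remote PowerShell session to Exchange Online; the mailbox addresses and hold owner are constructed placeholders.

```powershell
# Added example (not from the book): time-limited litigation hold for an audit,
# plus 30-day deleted-item retention, followed by verification.
# Assumes a remote PowerShell session to Exchange Online is already open.

$auditedMailboxes = 'alice@contoso.com', 'bob@contoso.com'   # constructed placeholders
$holdDays         = 90                                         # the audit window
$holdOwner        = 'compliance@contoso.com'                   # constructed placeholder

foreach ($id in $auditedMailboxes) {
    Set-Mailbox -Identity $id `
        -LitigationHoldEnabled $true `
        -LitigationHoldDuration $holdDays `
        -LitigationHoldOwner $holdOwner `
        -RetainDeletedItemsFor 30
}

# Read the state back. A hold that silently failed to apply is worse than no
# hold, because the audit team then believes the data is immutable.
$state = foreach ($id in $auditedMailboxes) {
    Get-Mailbox -Identity $id |
        Select-Object DisplayName, LitigationHoldEnabled, LitigationHoldDuration,
                      LitigationHoldDate, LitigationHoldOwner, RetainDeletedItemsFor
}
$state | Format-Table -AutoSize

$missing = @($state | Where-Object { -not $_.LitigationHoldEnabled })
if ($missing.Count -gt 0) {
    Write-Warning "Hold not applied to: $($missing.DisplayName -join ', ')"
}
```

The hold can take some time to propagate to the mailbox, so re-run the verification part after a while rather than immediately.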

Step 5: Compliance and Discovery: Using the eDiscovery Search Tool

The Office 365 global administrator can create an integrated eDiscovery SharePoint site (see Figure 9-18). This site is only visible to the global administrator and delegated administrator partners (DAP), if added as a site collection administrator. If you are not authorized, the eDiscovery interface is not visible, and access as a DAP is denied. The compliance and eDiscovery center must be created in the SharePoint admin center; discovery data access is turned off by default. You must be explicitly assigned to the Exchange discovery management group to take advantage of the discovery management functions.

Once you create the discovery center (see Figure 9-19), the users assigned to discovery management also need to be assigned to the discovery management role in the exchange admin center (Step 3 above). Also, the compliance officer must be assigned the role of site collection administrator. All other members of the discovery team should be explicitly assigned permission to the discovery center (usually as a contributor). SharePoint permissions are discussed in detail in Chapter 5.

Figure 9-19. Compliance: searching SharePoint site

If you have not built the compliance search center, refer to the section “Creating Integrated Electronic Discovery in Sharepoint Services.” The rest of these steps refer to processes in the Sharepoint discovery search center. At this point, we will assume the following:

  • eDiscovery search center is created

  • Compliance manager has been assigned as a site collection administrator

  • All other team members are assigned the appropriate Sharepoint roles

  • All other individuals (IT support services etc.) are removed from accessing the discovery center

Step 6: Case-Creation Process

eDiscovery is organized by cases. Figure 9-19 is the discovery project site. When you create an eDiscovery action, you are creating a case for data organization. A new case is created as a subsite under the compliance discovery site. As an example, if you are searching or reviewing all emails and content for March 2013, then you would select “new case” (Figure 9-20), then fill out the information about the case and assign owners (Figure 9-20).

There is no difference between an eDiscovery and a compliance archive search. They are the same. Typically, compliance reviews require a sampling of information, and an eDiscovery site is based on a terms request usually from a judicial order (or a FINRA request). The basis of both orders is that the information is immutable and auditable. The site that you select is the eDiscovery site to perform these functions.


  • The discovery management role is required to perform discovery queries.

  • Delegated access to the mailboxes must be given to the reviewers.

  • Reviewers must be given access to the “Case” site that you create.

Figure 9-20. Creating a new case

Before you complete the case, make sure you select “use unique permissions,” then select the navigation options to allow the case to be accessed from the main discovery windows (see Figure 9-21). Select “finish” when you have completed the details.

Figure 9-21. Menu configuration options

Your new site has been created, and you can now begin your search queries.

Step 7: Building the Search Query

The first step is to build the eDiscovery set. Select “new item” from eDiscovery set (under identify and hold; see Figure 9-22). If you do not have the ability to select the new item, you are not in the eDiscovery role (Step 3).

Figure 9-22. New eDiscovery search site for March

After you select new Item, fill out the discovery search request (See Figure 9-23).

Figure 9-23. Defining the eDiscovery set

When you create a discovery set, you are setting up the items so you can search them and bind the discovery set to your query. This allows you to limit your information request to address only the specific issue you are interested in. A typical discovery set involves these steps:

  1. Define the name for the discovery set.

  2. Add the sources to the discovery set (email addresses and/or locations in SharePoint).

  3. In the box under “filter,” use any key words you want to narrow the search.

  4. Set the date range and author (if appropriate).

  5. Apply the filter.

  6. Select in-place hold (the base accounts are already enabled from an earlier step).

The first step is to select the discovery sources (see Figure 9-24).

Figure 9-24. Adding sources

Once you have added the sources, just complete the rest of the steps that we outlined earlier, and your discovery set is built. There are no limits to the number of discovery sets you can have. Before you exit the discovery set, make sure you have enabled “in-place hold” for the discovery set you are reviewing. (See Figure 9-25.) Press save and exit. The new discovery set should be displayed after you have saved the query (see Figure 9-26).

Figure 9-25. Enabling in-place hold on the eDiscovery set

Earlier, we discussed the AQS syntax. The AQS syntax is used to build the search request to collect data for review by the compliance officer or discovery technician. This information can be updated in the discovery set. When you access the discovery set the next time, the discovery set will update based on the filter criteria that you have provided. To verify the discovery set, select the item from the list. There is a detailed description of the AQS syntax later in this chapter.

Figure 9-26. eDiscovery set summary

Step 8: Review the Information

To review the raw information based on your filters is simple. Just select the discovery set to verify the information (See Figure 9-27), then select “preview.”

Figure 9-27. eDiscovery set preview

After you have selected the preview, select the item in the window to display it in the Outlook web app. This portion of the discovery set is used for verification. There are additional tools in case management that provide more information detail (see Figure 9-28).

Figure 9-28. eDiscovery set review

The main page of the discovery management site lists the cases that have been created (see Figure 9-19). The case we were discussing is the “March” case. The discovery center builds a SharePoint site for case-specific discovery actions. Figure 9-29 shows the March case SharePoint site.

Figure 9-29. New eDiscovery search site for March

Step 9: Export the Data for Review in Outlook

To export the discovery information collected in the session, just select the export function and download the data (see Figure 9-30). Office 365 will download the data as a PST file along with the search parameters and statistics. Once the data is downloaded, all that is needed is to open Outlook and load the file as a local archive.


The desktop discovery download tool requires .NET Framework 4.5 on your system.

Figure 9-30. Exporting eDiscovery search

The eDiscovery search tool will download the information to your local system (See Figure 9-31). Once the data is downloaded, open Outlook and review the information in detail using the local Outlook tools. You have completed a discovery search request. Open up Outlook (2010 or 2013), and add the downloaded PST archive.

Figure 9-31. eDiscovery download manager

Retention Example

Retention policy is about the moving of data from the online mailbox into the archive mailbox. In some cases you may wish to delete emails, in others to preserve them long term. When you are experimenting with retention policies, use a mailbox with a trial set of sample data. If you are afraid of deleting information, then enable litigation hold (or in-place hold) on the account on which you are setting up the retention tags. If the retention tags are not set up correctly, information will be deleted.

Figure 9-32. Retention tag structure (courtesy of Microsoft)

We are presenting this figure again to highlight that retention policy is composed of retention tags. Retention tags describe the movement of information in a user’s mailbox. Legal hold (or in-place hold) is about the immutability of information. If you have legal hold implemented on a mailbox, the retention policy will still move information; information that is moved will be removed from the user’s view and appear deleted to the user, but the data is maintained in a hidden directory for legal search as long as the legal hold is implemented.

Earlier we designated the retention policy as having three steps:

  1. Determine the business retention policy.

  2. Define the retention tags.

  3. Implement the retention policy rules.

Step 1: Determining the Retention Policy—Four Questions

When you put a retention policy in place, you are putting in place a business process definition for your organization. The retention policy needs to be implemented uniformly across your organization and well documented. You can have different retention polices for different groups, but you should not single out a retention policy for an individual. If you are in a discovery situation, you may place your organization at risk when you do not have a uniform policy.

When we define a retention policy for an organization, we ask the following questions and set up the retention policy rules. Remember that a regulated organization will have a litigation hold component that overlays the retention policy to ensure data immutability. The four questions that define the retention policy are:

  1. How long is information kept in the user’s primary mailbox?

  2. How long is the information kept in the archive mailbox?

  3. How long is deleted information kept?

  4. What happens to deleted information?

Retention policies are configured in the exchange admin center (EAC). To access the EAC from the Office 365 admin page, select “service settings,” choose the Mail tab, then “manage additional settings in exchange admin center.” Select “compliance management,” then “retention policies” (see Figure 9-33).

Figure 9-33. Finding the retention policies

All Office 365 organizations are set up with the default retention policy, composed of a set of retention tags that govern the way data is retained and moved to the archive. Once you have configured your retention policies, you need to enable them for the mailbox. There are two ways to apply a policy: using the graphical user interface and applying it to the user mailbox, or using PowerShell commands (see TechNet link ). The default retention tags are listed in Figure 9-34.

Figure 9-34. Default retention tags that make up the default retention policy

When you first look at the retention tags, they seem to be in conflict with each other. Retention tags are implemented for a folder in a mailbox. This can be at the root (entire mailbox) or a specific folder in a mailbox. The retention tags in Figure 9-34 apply to different folders. The combination of the retention tags makes up the retention policy.

Step 2: Create a New Test Policy

Before you modify the retention tags, you want to build a new policy and pick a set of tags to experiment against a user mailbox. The way retention tags are designed, you do not have the ability to add new ones, only to modify the existing tags.

Build a retention policy, add a small subset of the retention tags into the new policy, and apply the policy to a user mailbox. This will allow you to test out the retention policy. To create a new policy, do the following:

  1. In the Exchange Admin center, select “retention policies,” then select the “+” sign to create a new policy and assign it a name.

  2. Add retention tags from the list above to build out the new test policy (see Figure 9-35).

Figure 9-35. Adding a new retention policy

  3. Save this policy and apply it to a test account to verify the operation. (To apply a policy, select the user mailbox; see Figure 9-36.)

Figure 9-36. Apply the new retention policy to a test mailbox

Step 3: Modify the Test Policy

The next step is to modify the test policy and add your new rules to it. Before you change the retention tags, collect all of the current tags you plan to use into the test policy to see how the policy operates. Once you understand how the policy operates, then change the retention tags to meet your business rules (remember the four questions). Keep in mind that the tags are global, so changing a tag will affect all retention policies that use this tag.

To change a retention tag, edit the retention tag and change its properties (see Figure 9-37).

Figure 9-37. Modification of a retention tag

In our example, we changed the retention tag to move data from the mailbox to the archive in 30 days. Then apply the retention tag. The changes will replicate in all of the retention policies that are using this retention tag.
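The three retention steps above (inspect the default tags, build a test policy from a subset of existing tags, apply it to a test mailbox) can also be driven from PowerShell. The following is an added example, not the book's code, and it follows the book's safety advice by refusing to proceed unless the test mailbox is already on litigation hold. It assumes a remote PowerShell session to Exchange Online; the policy name, test mailbox and tag names are placeholders to be checked against the tags listed in the first step.

```powershell
# Added example (not from the book): retention policy test cycle in PowerShell.
# Assumes a remote PowerShell session to Exchange Online is already open.

$testMailbox = 'retention-test@contoso.com'   # constructed placeholder
$testPolicy  = 'Test Retention Policy'        # constructed placeholder

# Step 1: what does the default policy actually do? List the tags it links,
# the folder type each applies to, and the action taken after the age limit.
$default = Get-RetentionPolicy -Identity 'Default MRM Policy'
$default.RetentionPolicyTagLinks |
    ForEach-Object { Get-RetentionPolicyTag -Identity $_.Name } |
    Select-Object Name, Type, AgeLimitForRetention, RetentionAction, RetentionEnabled |
    Format-Table -AutoSize

# Safety check from the book: do not experiment with tags on a mailbox that
# is not immutable, because a mis-set tag deletes data.
$mbx = Get-Mailbox -Identity $testMailbox
if (-not $mbx.LitigationHoldEnabled) {
    throw "Enable litigation hold on $testMailbox before testing retention tags."
}

# Step 2: build the test policy from existing tags only. The book notes that
# tags are global, so editing one changes every policy that links it; here we
# only link tags. Replace these names with ones shown by Step 1 in your tenant.
$testTags = @('Default 2 year move to archive', 'Deleted Items')   # placeholder tag names
New-RetentionPolicy -Name $testPolicy -RetentionPolicyTagLinks $testTags

# Step 3: apply to the single test mailbox and run the Managed Folder Assistant
# now instead of waiting for its scheduled pass.
Set-Mailbox -Identity $testMailbox -RetentionPolicy $testPolicy
Start-ManagedFolderAssistant -Identity $testMailbox

# Verify the mailbox picked up the policy and is still on hold.
Get-Mailbox -Identity $testMailbox |
    Select-Object DisplayName, RetentionPolicy, LitigationHoldEnabled |
    Format-Table -AutoSize
```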

Creating Integrated Electronic Discovery in SharePoint Services

The first step in using the integrated eDiscovery SharePoint site in Office 365 is to create the eDiscovery site and assign the permissions. The eDiscovery site is created in the SharePoint admin center. Once the site is created, you can access it directly from the SharePoint admin center, or through a link on your team site. Once you build the eDiscovery site, you need to enable the user to have access to it from the discovery management or the record management group. The default configuration of Office 365 does not assign any user to these roles. To add a user, you need to add the user in Exchange administration and one of the three user roles:

  • Mailbox search role—Allows users to perform in-place searches

  • Legal hold role—Allows a user to place a mailbox on hold

  • Discovery mailbox permission—Allows a user to review the contents of a discovery mailbox

Why do you have multiple eDiscovery roles? Simple. You may have a situation where there is an external person who is required to review the material, but you may not want to give the external person permission to generate the material for review. In this case, you would assign an internal person the permissions to perform a mailbox search and the external resource with full permissions to discovery mailbox results. The external resource most likely will be the other side’s attorney or an external compliance officer. This is a very common situation in a compliance audit or sharing of eDiscovery searches.

Step 1: Creating the Compliance Search Site

The compliance search site is created in the SharePoint admin center.

  1. To create the compliance site, in the office admin panel, select “service settings,” then “sites,” and then select “create site collection” (Figure 9-38).

Figure 9-38. SharePoint site creation

  2. In the site collection, select new site (see Figure 9-39).

Figure 9-39. Creating a compliance site, part one

  3. Once you start the new private site, select the correct site type for your business. In this case, it’s an eDiscovery center (Figure 9-40).

Figure 9-40. Creating a compliance site, part two

  4. Once the compliance site is created, you can access the site from the SharePoint admin center (see Figure 9-41) or use the https URL for the discovery site.

    a. When you create the discovery site, assign the compliance officer permission as a site collection administrator. The other members of the compliance team need to be assigned roles as contributing members.

    b. If you invite external individuals to the discovery center, it is better to use a SharePoint license and apply explicit rights than to use an external email address invite. This will give you a better set of controls for operation.

Figure 9-41. eDiscovery SharePoint site: access URL

Step 2: Building a Compliance Search Case

The compliance search site is created in the SharePoint admin center (Figure 9-41). Once the site is created, the site administrator can access it directly using the site URL https://...../sites/ediscovery/default.aspx or by adding a shortcut on the user’s personal site home page. To use the compliance site, create cases and use them to frame your search request (see Figure 9-42).

Figure 9-42. Compliance site: case creation

Step 3: Linking Exchange Server to the eDiscovery Center

After you create the eDiscovery center, you need to enable the Exchange server for access to the eDiscovery center. This is not enabled by default. If you do not enable the server you will see the following error message when you try to enter a user mailbox: “The connection to the search service application failed.”

To enable Exchange search for the case site, do the following:

  1. Select the eDiscovery home site that you just created.

  2. Select “site settings” under the gear icon (Figure 9-43).

Figure 9-43. Selecting site settings

  3. Under “site collection administration,” select “search result sources.”

  4. Select “new result source” (see Figure 9-44), and enter the following:

    a. Supply a name for the exchange connection.

    b. Choose “Exchange” for the protocol.

    c. Select “Autodiscover”.

    d. Clear the Query Transform text box.

    e. Click “Save”.

Figure 9-44. Connecting Exchange server to eDiscovery center

Discovery Search Using Advance Query Strings (AQS)

Before we address any of the examples, we need to step back for a brief review of advance query strings, or AQS. The syntax can become very complex. AQS is provided by the Windows operating system using Windows Desktop Search (WDS). All AQS searches must be fully qualified. A fully qualified search requires that you add parentheses every time you add a Boolean operator (AND, OR, or NOT) to a search query. Queries are processed based on the placement of the parentheses.

A definitive explanation on this topic exists here:


Sample AQS Query for Financial Review

You can use an AQS query to address compliance-related issues (such as a FINRA audit review by the Compliance Officer). The AQS query can be any combination of words. The more complex it is, the longer it takes to generate the query request.

(Guarantee OR Money OR Complaint OR Attorney OR Transfer OR Security OR Loss OR Loan OR Misrepresented OR Unauthorized OR Yield OR Stock OR Bond OR Security OR Percent OR Pay* OR Promise OR Funds OR Risk OR Secure OR Take* OR Pissed OR Churn)
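The rule above (one parenthesised group per Boolean operator) is easy to get wrong by hand once a term list is combined with AND and NOT clauses. The following added example, not from the book, builds a fully qualified AQS query from keyword groups and runs it as an estimate-only search, which reports hit counts per mailbox without copying any mail. It assumes a remote PowerShell session to Exchange Online opened by a member of the Discovery Management role; the mailbox addresses are constructed placeholders, and the term list is a subset of the financial review sample above.

```powershell
# Added example (not from the book): build a fully qualified AQS query and run
# an estimate-only search. Assumes a remote PowerShell session to Exchange Online.

function New-FullyQualifiedAqsQuery {
    param(
        [string[]]$AnyOf,            # terms joined with OR
        [string[]]$AllOf  = @(),     # terms that must all appear (AND)
        [string[]]$NoneOf = @()      # terms to exclude (AND NOT)
    )
    # Quote multi-word terms so AQS treats them as a phrase; wildcards such as Pay* pass through.
    function Format-Term([string]$t) { if ($t -match '\s') { '"' + $t + '"' } else { $t } }

    $groups = @()
    if ($AnyOf) {
        $groups += '(' + (($AnyOf | ForEach-Object { Format-Term $_ }) -join ' OR ') + ')'
    }
    foreach ($t in $AllOf) { $groups += '(' + (Format-Term $t) + ')' }

    # Every AND joins two parenthesised groups; every NOT wraps the query built so far.
    $query = $groups -join ' AND '
    foreach ($t in $NoneOf) { $query = '(' + $query + ') AND NOT (' + (Format-Term $t) + ')' }
    return $query
}

$financialTerms = 'Guarantee', 'Money', 'Complaint', 'Attorney', 'Transfer', 'Loss', 'Loan',
                  'Misrepresented', 'Unauthorized', 'Yield', 'Pay*', 'Promise', 'Funds', 'Risk'

$query = New-FullyQualifiedAqsQuery -AnyOf $financialTerms -AllOf 'account' -NoneOf 'newsletter'
Write-Output $query
# Produces: ((Guarantee OR Money OR ... OR Risk) AND (account)) AND NOT (newsletter)

# Estimate-only search: the count of matching items per mailbox, nothing copied.
$scope = 'alice@contoso.com', 'bob@contoso.com'   # constructed placeholders
$scope | ForEach-Object {
    Search-Mailbox -Identity $_ -SearchQuery $query -EstimateResultOnly
} | Select-Object Identity, ResultItemsCount, ResultItemsSize | Format-Table -AutoSize
```

Run the estimate first and only then copy results into a discovery mailbox; a query that is too broad is cheapest to discover before it fills the 50 GB discovery mailbox.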

Creating and Exporting Discovery Mailboxes

Your Office 365 site is created with a unique mailbox called Discovery Search Mailbox. This is the default mailbox that is used to handle all discovery requests. To create a specific mailbox for discovery or assign permissions to the discovery mailbox you need to use PowerShell commands in Office 365.


Discovery mailboxes only have 50 GB of space allocated, and permissions to use them (or see them) are by the discovery management role.

Creating and Accessing Discovery Mailboxes

Since a Discovery Search Mailbox is a mailbox, you can use all of the standard PowerShell commands to access it. The only restriction on discovery mailboxes is that they cannot send or receive email. Discovery mailboxes are designed for one purpose: to act as a store for discovery search requests.

To create a new discovery search mailbox, use the following PowerShell command:

New-Mailbox -Name <String> -Discovery

To list all of the discovery mailboxes (these are not listed in the Exchange management console) run the following PowerShell command:

Get-Mailbox -Resultsize unlimited -Filter {RecipientTypeDetails -eq "DiscoveryMailbox"}

To assign permissions to a specific person as a reviewer, use the Add-MailboxPermission command:

Add-MailboxPermission <Display name of discovery mailbox> -User <Display Name> -AccessRights FullAccess

Likewise, to find all permissions on a mailbox (remember, a discovery mailbox is just another mailbox), run the Get-MailboxPermission command:

Get-MailboxPermission <Display name of discovery mailbox> | Format-Table User,AccessRights,Deny
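Because FullAccess on a discovery mailbox exposes everything the search collected, the grants deserve a periodic check against the list of people who are supposed to review. The following added example, not from the book, combines the Get-Mailbox and Get-MailboxPermission commands above into such a check: it lists every discovery mailbox, its explicit FullAccess grants, and flags any grantee who is not on the approved reviewer list, then shows what revocation would do with -WhatIf. It assumes a remote PowerShell session to Exchange Online and that the User value of a permission entry compares as its string form (the UPN for cloud users); the reviewer list and output path are constructed placeholders.

```powershell
# Added example (not from the book): review FullAccess grants on discovery mailboxes.
# Assumes a remote PowerShell session to Exchange Online is already open.

$approvedReviewers = @('compliance@contoso.com', 'counsel@contoso.com')   # constructed placeholders

$discoveryMailboxes = Get-Mailbox -ResultSize Unlimited `
    -Filter {RecipientTypeDetails -eq "DiscoveryMailbox"}

$findings = foreach ($dm in $discoveryMailboxes) {
    Get-MailboxPermission -Identity $dm.Identity |
        Where-Object {
            -not $_.IsInherited -and                    # explicit grants only
            $_.User -notlike 'NT AUTHORITY\*' -and     # skip the SELF entry
            $_.User -notlike 'S-1-5-*' -and            # orphaned SIDs of deleted accounts
            $_.AccessRights -contains 'FullAccess'
        } |
        ForEach-Object {
            $user = $_.User.ToString()                  # assumption: string form is the UPN
            [pscustomobject]@{
                DiscoveryMailbox = $dm.DisplayName
                User             = $user
                Deny             = $_.Deny
                Approved         = ($approvedReviewers -contains $user)
            }
        }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path '.\discovery-mailbox-access.csv' -NoTypeInformation   # placeholder path

# Anyone with an allow-FullAccess grant who is not an approved reviewer.
$unexpected = @($findings | Where-Object { -not $_.Approved -and -not $_.Deny })
if ($unexpected.Count -eq 0) {
    Write-Output 'Only approved reviewers hold FullAccess on discovery mailboxes.'
} else {
    Write-Warning "$($unexpected.Count) unexpected FullAccess grant(s) found."
    # Preview the revocation; drop -WhatIf once the list has been reviewed.
    foreach ($f in $unexpected) {
        Remove-MailboxPermission -Identity $f.DiscoveryMailbox -User $f.User `
            -AccessRights FullAccess -WhatIf
    }
}
```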

Exporting Information from Discovery Mailboxes

Office 365 does not support Export-Mailbox or Import-Mailbox commands using PowerShell. The only way to export information is to use Outlook. When the user is granted a role in the Discovery Management Group, that user has full access to the mailbox and can add an additional mailbox to Outlook (see Figure 9-45). Once the mailbox is in Outlook, you can export the Discovery Search Mailbox as a PST file using the standard Outlook data export commands to create a PST file:

  1. Start Outlook 2013.

  2. Select file, then account settings.

  3. Select your email account, then change settings.

  4. On the change account page, select more settings.

  5. Select the Advanced tab and then enter “Discovery Search Mailbox”.

Figure 9-45. Adding the Discovery Search Mailbox to Outlook

Once the mailbox is added, it will look similar to Figure 9-46. If the mailbox search information is not present, press Shift-F9 to update the mailbox folder from the Office 365 Exchange server.

Figure 9-46. Outlook with Discovery Mailbox Search results

Reference Links

There is a lot of information about Office 365 on the web—the issue is finding the right site. The information contained in this chapter is a combination of our experiences in doing deployments and support information that has been published by third parties.

Microsoft Office 365 Blog: Latest News about Office 365

Searching Mailboxes on Legal Hold

Understanding Legal Hold in Office 365

Understanding Retention Policy PowerShell Commands

Understanding Permissions on Discovery Mailboxes

Search for Deleted Messages

Benoit’s Corner – Useful Tips and Tricks on Exchange and SharePoint

AQS Query Syntax : Discovery

Next Steps

Your basic Office 365 system has been set up and configured. At this point you are 100 percent functional and ready to move to the next steps. However, your work is not complete at this time; there is much more to do, depending on your Office 365 configuration. Here are the key chapters you need to review for your Office 365 deployment:

  • Chapter 5, SharePoint Administration

    • SharePoint administration and design can be simple or complex depending on your business needs. This chapter provides you with a basic overview of the configuration necessary to be up and running using Office 365 Team Site. This chapter describes Site Design and Construction issues as well as the full SharePoint Administration functions for Office 365.

  • Chapter 7, Windows Intune Administration

    • The secret to an optimal Office 365 site is the management of the desktop to ensure that updates are current, and the user antivirus is functioning. Windows Intune is a desktop management tool that addresses these issues and reduces the administrator’s effort in desktop management, as well as improving the user’s experience.

  • Chapter 8, Office 365 Administration

    • This chapter describes the different administration centers in Office 365 and the most common tools that you would use to administer your Office 365 company. Depending on your Office 365 services, there are five possible administration tools. This chapter focuses on the Office 365, Exchange, and Lync administration centers. The SharePoint and Windows Intune administration centers are described in their own chapters. We close the chapter with using PowerShell to manage your Office 365 environment.

  • Chapter 10, Exchange Online Protection Administration

    • Office 365 is composed of a set of services. The Exchange Online Protection (EOP) service is the front end of Office 365 that handles all of the external email front-end processing and filtering. If you have smart devices that email to Office 365, you will use EOP to manage the interaction.

  • Chapter 11, DirSync, ADFS, Single Sign On and Exchange Federation

    • Active Directory Federation Services and Single Sign On is the integration of the Office 365 Active Directory with on premises Active Directory. This allows one sign on (controlled by on premises servers) to give access to both Cloud and on premises resources. Password Sync can be a simpler implementation that meets many requirements. Federation allows on premises and Cloud Exchange Servers to work together.

Rights and permissions

Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any noncommercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this chapter or parts of it.

The images or other third party material in this chapter are included in the chapter’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the chapter’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.


Copyright information

© 2013 Matthew Katzer


Katzer, M., Crawford, D. (2013). Office 365 Compliance and Data Loss Prevention. In: Office 365. Apress, Berkeley, CA.
