Office 365: How to prevent users from permanently deleting email, AKA litigation hold
If you ever need to stop a user from deleting or tampering with emails for one reason or another, then you need litigation hold. This is an Exchange Online feature which prevents emails from being permanently deleted from the server, so they can be retrieved if required by anyone with the correct permissions.
This could be a feature you want to enable by default for all of your users’ mailboxes. It’s not a substitute for user-friendly email archiving, but being able to retrieve deleted emails from mailboxes is certainly a useful insurance policy.
To utilise litigation hold you require a plan which includes Exchange Online Plan 2, or Office 365 Enterprise, and it has to be enabled on a per-mailbox basis.
Log into the admin center and navigate to Users -> Active users -> highlight the mailbox and click Edit Exchange properties.
When the Exchange properties for the mailbox open, click on mailbox features, then click Enable for Litigation hold.
You can specify how long the mailbox will be held on litigation hold, and you can also specify a notification message which displays to the user with a URL to your company’s litigation explanation web page. Here I leave all of the options blank, which sets the mailbox into a permanent litigation hold state.
Once you save the settings you will be warned that the setting will apply within 60 minutes, so don’t delete anything as a test just yet!
OK, so the mailbox is on litigation hold. Let’s test it out!
Here I send an email to someone.
Next I delete the email from my sent items folder.
And now, because I’m really sneaky and trying to cover my tracks, I purge the email from the server, which under normal circumstances would delete the email permanently.
Let’s confirm and purge the email I sent so no one can retrieve it.
So now that we’ve covered our tracks, how can we search for and retrieve that email? Because the mailbox is on litigation hold, the email doesn’t really get deleted, even if the user purges it from the server!
The next step is to search for and retrieve the email. For this you need to open up the Security and Compliance centre.
Click on Permissions and edit the eDiscovery Manager permission.
Add any users who you want to be able to search mailboxes as an eDiscovery Manager. For convenience I add my cloudadmin account as an eDiscovery Administrator.
Now let’s start searching! Navigate to Search & investigation, then Content search, and click on the plus symbol.
Create a new search specifying the mailbox or search everything if you wish.
Next specify your search parameters. Here I search for emails containing specific text where the sender matches my email address.
Clicking Search will begin the search process, which could take a few seconds to a few hours depending on your search parameters. When the search completes, click on Preview search results to see a list of emails matching the search query.
In this example we find the email we sent earlier and deleted! It’s still on the server, and you can even click Download Original Item and download the email as a .eml file.
Litigation hold is a great way to protect your business when you suspect employees of doing wrong or if they are about to be fired. Why not enable the feature on all mailboxes and prevent users from permanently deleting email?
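The admin center steps above enable the hold one mailbox at a time. As an added example (not part of the original post), the same setting can be applied to every user mailbox from Exchange Online PowerShell, which covers the "all mailboxes" suggestion. Get-Mailbox and Set-Mailbox are the standard cmdlets; the function names and the example.com addresses are made up for illustration.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module and a session opened with Connect-ExchangeOnline.

function Select-MailboxWithoutHold {
    # Hypothetical helper: pass through only mailboxes that are not yet on hold.
    param([Parameter(ValueFromPipeline)] $Mailbox)
    process { if (-not $Mailbox.LitigationHoldEnabled) { $Mailbox } }
}

function Enable-LitigationHoldForAll {
    # Hypothetical wrapper; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $failed = @()
    $targets = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Select-MailboxWithoutHold)
    foreach ($mbx in $targets) {
        if (-not $PSCmdlet.ShouldProcess($mbx.UserPrincipalName, 'Enable litigation hold')) { continue }
        try {
            # No -LitigationHoldDuration given: the hold is indefinite, as in the
            # walkthrough where the duration field is left blank.
            Set-Mailbox -Identity $mbx.UserPrincipalName -LitigationHoldEnabled $true -ErrorAction Stop
        } catch {
            # Collect failures (for instance a mailbox whose plan lacks the feature)
            # instead of stopping the run.
            $failed += [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Error = $_.Exception.Message }
        }
    }
    $failed   # returned to the caller for follow-up
}

# Offline check of the selection logic with constructed sample objects:
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; LitigationHoldEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   LitigationHoldEnabled = $false }
)
$sample | Select-MailboxWithoutHold | Select-Object UserPrincipalName

# Against the tenant: preview, apply, then audit the resulting state.
# Enable-LitigationHoldForAll -WhatIf
# Enable-LitigationHoldForAll
# Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
#     Select-Object UserPrincipalName, LitigationHoldEnabled, LitigationHoldDuration, LitigationHoldDate
```

Mailboxes created after the run are not covered, so the audit query is worth repeating on a schedule.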