How to Set Up Email Retention Policies in Microsoft 365 Microsoft Purview Compliance Portal
Creating effective email retention policies using the Microsoft Purview Compliance Portal in Microsoft 365
I have a YouTube demo for this article on my channel control alt delete tech bits here. I am also giving away 100 free coupons to my SC-900: Microsoft Security, Compliance, and Identity Exams on Udemy; the course is here and the code is A0B24E0A23D46B00089C.
The scenario we are using is that leavers' emails need to be kept for 5 years after they leave for compliance, for example, year 11 leavers in a school.
Implementing a 5-year email retention policy ensures that all Exchange Online mailbox content is kept for five years and then deleted, even if users delete emails earlier. In a UK secondary school using Microsoft 365 A3 licenses (which are equivalent in features to Enterprise E3 for compliance purposes), you can use the Microsoft Purview compliance portal to configure and manage this policy.
Retention Period Triggers: “When Items Were Last Modified” vs. Created
When creating a retention policy in the Purview Compliance portal, you must choose what event starts the retention clock for each item – either the creation date or the last modified date. Choosing “when items were last modified” means the retention period restarts each time an email item is changed. For email in Exchange Online, items aren’t typically “modified” in the same way files are (users rarely edit an email’s content after sending/receiving). However, some user actions (e.g. moving a message to another folder, editing a draft, or adding a category/flag) could update an email’s last modified timestamp. In practice, for most email messages the last modified date will be the same as the creation/received date, unless a user action updates the item.
How “last modified” affects retention. If the policy is set to 5 years based on last modified date, an email that hasn’t been touched since it arrived will expire 5 years from its received date (since that’s its last modified time). But if a user does modify an email (say, by editing a draft or moving it to a folder) a year after receipt, the 5-year retention countdown resets from that modification. This ensures the policy retains content for 5 years of inactivity. In other words, actively used or changed content could be retained longer than 5 years from its original date, whereas stale content with no changes will be eligible for deletion 5 years after it was received. This “last modified” trigger is particularly useful for files (like in OneDrive/SharePoint) where ongoing edits should keep resetting the retention period, but it can apply to mailbox items as well.
Exchange specifics: It’s important to note that for Exchange Online mailboxes, retention based on “last modified” behaves almost like “created” date in most cases, since emails aren’t usually edited after the fact. (Microsoft documentation even notes that for certain content like Teams chat messages, if “last modified” is selected it will still use the created date internally. While this note is about Teams, you can treat Exchange email similarly: the retention period for an email will effectively be based on when it was received, unless a user explicitly modified that item later.)
Bottom line: For an email retention policy, choosing “when items were last modified” ensures that if a user somehow updates an email item, that email won’t be deleted until the specified period has elapsed from the update time. If no updates occur (the typical case), the email is eligible for deletion 5 years from when it was originally sent/received. This subtle difference rarely impacts emails, but it aligns with how retention might be configured for other content and poses no issues for Exchange.
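The trigger choice discussed above maps to a single parameter when the same policy is created from Security & Compliance PowerShell instead of the portal. This is an added example, not part of the original article; the policy and rule names are hypothetical, and 5 years is assumed to be counted as 1825 days (5 x 365).

```powershell
# Added example: requires the ExchangeOnlineManagement module and an account
# that is allowed to manage retention policies in Microsoft Purview.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # Security & Compliance PowerShell session

$policyName = 'Leavers Email - 5 Years'   # hypothetical name
$ruleName   = "$policyName - Rule"        # hypothetical name
$days       = 5 * 365                     # assumption: 5 years = 1825 days

# The policy defines WHERE retention applies. 'All' covers every Exchange
# Online mailbox, so a leaver is already in scope before the account is deleted.
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Comment 'Retain mailbox content 5 years from last modified, then delete'

# The rule defines HOW LONG and FROM WHEN.
#   KeepAndDelete         = retain for the period, then delete
#   ModificationAgeInDays = "when items were last modified"
#   CreationAgeInDays     = "when items were created" (the other portal option)
New-RetentionComplianceRule -Name $ruleName `
    -Policy $policyName `
    -RetentionDuration $days `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# Read the settings back. Distribution to mailboxes is not instant, so wait
# for a successful DistributionStatus before relying on the hold.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation

Get-RetentionComplianceRule -Policy $policyName |
    Format-List Name, RetentionDuration, RetentionComplianceAction, ExpirationDateOption
```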
Impact on Inactive Mailboxes (Deleted Users) with a 5-Year Hold
When a user leaves and you delete their account, the retention policy will automatically convert their mailbox into an inactive mailbox so long as the policy was in place beforehand. An inactive mailbox is essentially a mailbox on hold – it preserves the email data after the user is gone, without requiring an active license.
Here’s how the 5-year “last modified” retention policy functions for inactive mailboxes:
All mailbox content is retained for the full duration. Even if the user attempted to delete emails before departure, the retention policy would have preserved those items in the mailbox’s hidden Recoverable Items folder. The inactive mailbox keeps all emails that existed at deletion time under hold for 5 years since their last-modified date. Users can no longer sign in, but the data remains locked in place for compliance.
Gradual deletion after 5 years. The retention policy’s deletion action will still apply on schedule for an inactive mailbox. As each email reaches 5 years from its last modification (which, in an inactive mailbox, will effectively be the received date or last user touch), the system will automatically and permanently delete that item. This happens behind the scenes via the Exchange Managed Folder Assistant. Over time, older emails age out and are removed. The mailbox stays inactive (and preserved) as long as any content is still within the 5-year window.
End-of-life for the inactive mailbox. Once the last item in that mailbox passes the 5-year retention period and is deleted, the mailbox becomes empty. At that point, Exchange will permanently remove the inactive mailbox itself (since the retention hold no longer applies). Essentially, the mailbox self-deletes when the policy’s retention no longer holds any content. In our 5-year scenario, this means an inactive mailbox of a departed user will exist for at most 5 years after the last email in it was modified/received, then it will be cleaned up automatically.
It’s worth emphasising that as long as the retention policy is in effect, you cannot manually remove an inactive mailbox or its data; the hold prevents it. The mailbox remains searchable for eDiscovery until the retention period expires. The use of “last modified” as the trigger doesn’t change the outcome for inactive mailboxes versus “created” date; it just ensures we’re counting from the appropriate timestamp on each item.
Licensing Considerations: Microsoft 365 A3 vs E3 for Retention and Inactive Mailboxes
Microsoft 365 A3 licenses include the same retention features as E3, so there’s no functional difference in how retention policies or inactive mailboxes operate in an A3 (academic) environment compared to an E3 (enterprise) tenant. Key points to know:
Exchange Online retention policies (part of Microsoft Purview’s Data Lifecycle Management) are available with A3 licenses just as with E3. (Office 365 A3 is analogous to Office 365 E3 in the education sector, providing advanced compliance capabilities like retention.) For example, Office 365 documentation notes that applying retention policies to mailboxes requires an E3/E5 plan – an A3 plan satisfies this requirement because A3 corresponds to E3-level features. In short, if your school has A3, you already have the rights to use retention policies on mailboxes – no special add-ons needed.
License requirements for inactive mailboxes. Once a mailbox is converted to an inactive mailbox (via a retention hold or litigation hold), it no longer consumes a license. The process is: you had the user licensed while they were active (so that their mailbox could be governed by the retention policy), then you delete the user account to make the mailbox inactive. At deletion, the user’s Office 365 license is immediately freed up back into your tenant’s pool for reuse. This is true for both A3 and E3 licenses – there’s no difference in how licenses are released. In both cases, the inactive mailbox can stay in the system without a license, and you can assign that freed license to another staff member or student as needed.
Grace period vs. retention hold: normally, when you remove a license or delete a user without any hold, their mailbox would be recoverable for 30 days before permanent deletion. However, with a retention policy in place, you are bypassing the normal 30-day grace period and ensuring indefinite (or in this case 5-year) preservation. The mailbox becomes inactive immediately upon deletion (no 30-day limit) because the retention policy’s hold takes over. No active license is needed during the inactive period; the data is retained due to the compliance policy, not because a user license is assigned. This is by design: Microsoft explicitly states that after deleting the user, “any Exchange Online license associated with the user account will be available to assign to a new user”. Inactive mailboxes do not require any form of license while they are being retained.
Both A3 and E3 behave the same here. Delete the account, and the license is liberated. The mailbox retention is governed by the policy, not the license. You do need the license up until deletion (because an unlicensed mailbox can’t have a retention policy applied). In practical terms, ensure the user’s mailbox is included in the retention policy (and thus on hold) before removing their license or deleting their account. Once that’s done, you can safely remove the account; the A3 license will go back into your free pool, identical to how an E3 license would. There is no special licensing cost or SKU for inactive mailboxes at this time (Microsoft had considered an “Inactive Mailbox” SKU in the past, but confirmed they did not implement this – inactive mailboxes are simply free placeholders of data).
Converting ex-employee mailboxes to shared mailboxes as an alternative. Note that in an A3/E3 scenario, using the retention policy to create an inactive mailbox is often preferable for compliance, since it’s hands-off and automatic. Shared mailboxes have a 50 GB limit before requiring a license and remain accessible in the address book, whereas inactive mailboxes are hidden and purely for compliance. In either case, once the retention period lapses and the mailbox is removed, you no longer consume a license.
Verifying the Retention Policy (Using Purview Content Search)
After setting up the 5-year retention policy, you’ll want to confirm that it’s working as intended – for example, that a deleted user’s emails are indeed being preserved for compliance. Microsoft Purview provides eDiscovery tools (Content Search and eDiscovery cases) to find and export data under retention. Here’s how to verify the policy:
Access Content Search in Microsoft Purview: Log in to the Microsoft 365 Admin Center and click Compliance (this opens the Purview compliance portal). In the left navigation menu of the Purview portal, find Content search under the Solutions or eDiscovery section. (In the new interface, you may need to expand Solutions > eDiscovery & Content Search to see Content search.)
In the Microsoft Purview compliance portal, go to Content search and click + New search.
Create a new search query: Click “New search” to start a search job. Give the search a name (e.g. “Inactive Mailbox Retention Check”) and, optionally, a description.
Specify the location to search: In the search creation wizard, you can choose specific locations. To verify a particular former user’s mailbox, select Exchange mailboxes as the content location, then choose Specific locations and add that user’s mailbox to the scope. Even though the user is deleted, their inactive mailbox should still appear in the picker (you can search by the user’s name or email address). If it doesn’t appear by name, you can alternatively select “All mailboxes” for the search – an inactive mailbox is still considered a mailbox, just hidden from address lists. (You might also add SharePoint/OneDrive locations if your retention policy covered those and you want to verify those, but for email focus on Exchange mailboxes.)
Define query criteria (optional): If you want to narrow the results, you can add keywords or conditions – for example, search for a particular email subject or date range. To simply verify presence of data, you might initially run a broad search (no keywords) which will return all items in the chosen mailbox(es). This is a quick way to see how many items are retained. Keep in mind that without any filter, the search could return a large number of items (especially if it’s an “all mailboxes” search), so you may use conditions like sender:user@school.com or date filters to limit scope.
Run the search and review results: Start the search. The Content Search tool will quickly provide an estimated count of items and the total data size found. You can click on the search to view details and then use the Preview feature to inspect a few sample items. If the retention policy is working, you should see emails from the deleted user’s mailbox appearing in the results – even though the user can’t log in, the content is still there for compliance admins. For example, you might preview an email that the user received years ago, and it will open in the Purview viewer. This confirms that the mailbox is inactive (not gone) and its content is held by the policy. Purview Content Search is designed to include content in Recoverable Items (the hidden folder holding soft-deleted messages), so it will show items that the user might have deleted but are being retained. It’s the ideal tool to “verify what’s being retained” by the policy.
(Optional) Export results: If you need to keep a copy or examine in detail, you can export the search results. This isn’t necessary for a simple verification, but it’s useful if you want to retrieve all of an ex-user’s email. Exporting will prepare a PST file (or results package) you can download. Remember that even after exporting, the inactive mailbox in the cloud remains intact until the retention period expires.
Using Content Search in this way provides peace of mind that your 5-year retention policy is in effect. For instance, if you delete a test user who had some emails, you can run a content search a day later to confirm their mailbox content is still discoverable. You’ll find that their emails are present (now only accessible via eDiscovery tools), and if you check their deletion dates versus the policy timeline, those items will remain available until they hit the 5-year mark. Compliance and records officers with proper permissions can access these inactive mailbox items whenever needed during the retention window.
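The same verification can be scripted, which is useful when checking several leavers at once. This is an added example, not part of the original article; the mailbox address is a constructed placeholder, and the search name reuses the one suggested in the steps above.

```powershell
# Added example: requires the ExchangeOnlineManagement module plus
# Exchange Online and eDiscovery (Content Search) permissions.
Import-Module ExchangeOnlineManagement

$leaver     = 'leaver@school.example'             # constructed placeholder address
$searchName = 'Inactive Mailbox Retention Check'  # name used in the steps above

# 1. Exchange Online: confirm the deleted user's mailbox became inactive.
Connect-ExchangeOnline
Get-Mailbox -InactiveMailboxOnly -Identity $leaver |
    Format-List DisplayName, PrimarySmtpAddress, IsInactiveMailbox,
                WhenSoftDeleted, InPlaceHolds

# A policy scoped to all mailboxes is listed at organisation level rather than
# on each mailbox; look for an entry that starts with 'mbx'.
(Get-OrganizationConfig).InPlaceHolds

# 2. Security & Compliance PowerShell: content search over the inactive mailbox.
Connect-IPPSSession

# Inactive mailboxes are addressed by prefixing the address with a period, and
# the search has to be told to accept locations that are not regular mailboxes.
# No query is supplied, so every retained item is counted, including content
# held in Recoverable Items.
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation ".$leaver" `
    -AllowNotFoundExchangeLocationsEnabled $true

Start-ComplianceSearch -Identity $searchName

# Poll until the estimate is ready, then show the item count and size.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

$search | Format-List Name, Status, Items, Size
```

A non-zero item count for a mailbox whose account has been deleted is the scripted equivalent of seeing results in the portal preview.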
Once live, the policy immediately places a retention hold on all existing mailbox content. Users won’t notice anything day-to-day, except that if they try to permanently delete items (e.g. emptying Deleted Items and then purging from Recoverable Items), the items will still be preserved for compliance. For you as an admin, the evidence of the policy working is through Content Search results and the fact that no mailbox with the policy can be permanently deleted until the time is up.
By using a 5-year retention policy based on the last modified date, the school ensures that all email correspondence is retained for at least five years for compliance purposes, regardless of user deletions. Microsoft 365 A3 licenses fully support this, just like E3, and there’s no extra licensing burden for keeping inactive mailboxes – once you’ve set it up, it runs in the background. Always double-check your configuration by searching for content in the Purview compliance portal. This proactive verification confirms that even when staff or students leave and their accounts are removed, their email data remains safely stored (and will automatically clean up after the 5-year period). With the Purview retention policy and eDiscovery tools, the school meets its data retention requirements with minimal manual effort.