Microsoft 365 - Content Backup, Restore, Archiving, Retention, eDiscovery, and Transfer
Audience: Departmental IT organizations, Office of Cyber Security, Office of Legal Affairs, Office of Compliance.
| Capability or Process | Status | Possible Scenarios or Uses | How it works |
| Archive (button or message action) User 'Archives' a message to move it to another folder within their mailbox | Available | "Inbox Zero" - Save important messages to another folder Custom retention policies can be applied to chosen Archive folder (coming soon) Helps prevent accidental deletions | Most email clients have an "archive" button that allows users to move messages to a pre-defined folder. Behavior varies based on client implementation. Messages moved in this way are stored within your Office 365 mailbox and not otherwise backed-up or copied to an out-of band location |
| Recover Deleted Items User may recover deleted items Someone with full mailbox permission may recover deleted items on behalf of user | Available | Search for and recover a small number of user emails that were purged from the user's Deleted Items folder | Use Outlook or Outlook on the web to recover messages that have been emptied from your Deleted Items folder within the past 30 days. Learn more. |
| Full Mailbox Permission User may grant full mailbox permission to another person | Available | Transfer and/or purge content for departing employees. Assist employee with searching for misplaced content. | The user applies this permission via the Wisc Account Administration site which gives the recipient (typically an IT administrator or supervisor) access to all of the data in every email folder, every calendar, and all data in OneDrive for Business Learn more. |
| Folder / Calendar Permission User may grant Folder / Calendar Permission to another person | Available | Transfer and/or purge content for departing employees. Assist employee with searching for misplaced content. | The user applies this permission applied from Outlook or Outlook on the Web which can be enabled for specific folders and calendars so that the recipient (typically an IT administrator or supervisor) can access data only in those locations. Learn more. |
| Administrative Access User may grant Administrative Access IT staff / supervisor may request Administrative Access The Office of Cybersecurity may authorize and grant Administrative Access to departmental IT staff / supervisor without user involvement | Available | Assist employees with managing their accounts for purposes such as assigning mailbox permissions. Transfer and/or purge content for departing employees. | Permission applied from the Wisc Account Administration site which gives the recipient the ability to change settings on another account. In the context of this document, it could be used to grant Full mailbox permissions. It could also be used to set an Out of Office notification for a departed employee. Learn more. |
| In-place eDiscovery The Office of Cybersecurity may initiate searches of content within user mailboxes at the request of the Office of Legal Affairs / Office of Compliance / Dean or Director | Available | Search content in response to public records request or evidence inquiry | Allows authorized people to search any mailbox based on specific search criteria and then export the data to another location. Learn more. |
| In-Place Hold The Office of Cybersecurity may enable an In-Place Hold on an account at the request of the Office of Legal Affairs / Office of Compliance / Dean or Director | Available | Prevent deleted content from being purged in response to legal evidence inquiry | Allows authorized administrators to prevent messages from being permanently deleted or modified. Learn more. |
| Disable Unused Protocols POP protocol can be managed An authorized administrator may disable POP protocol on behalf of a user | Available | Comply with departmental HIPAA policies which may prohibit the use of some protocols Reduce the risk of lost email as a result of deleted messages bypassing the Deleted Items folder Reduce the risk of sensitive data exfiltration by malicious actors in the event of account / credential compromise | If a protocol is disabled, the account cannot be used to connect to Office 365 via that protocol. The user may re-enable the protocol but should consult with departmental policy. Learn more. |
| Third party backup/restore/archive tools and cloud services A third party tool may be used to backup, restore and archive email within a mailbox. Full mailbox permissions may be used to backup mail on behalf of other accounts. | Available | Individuals who have a workstation and willing/able to install another application to store an off-site backup of their email account. Departments who wish to assist their users in this type of backup strategy. Users can delegate full mailbox permissions to a service account such that a departmental administrator can backup mailboxes on behalf of their users. | A third party application/plugin can be configured to automatically copy messages out of mailbox. The application, depending on its capabilities, can be configured to store messages in user defined location such as local disk or a cloud storage provider (e.g., Box, Google Drive, BuckyBackup). Learn more. |
| Online Archives | Researching... | Submit feedback below | |
| Enhancements to Retaining, Searching and Recovering Lost Email | Researching... | Submit feedback below | |
| Enhancements to Authorized Administrator Functionality of the Wisc Account Admin Site | Researching... | Submit feedback below |
Many of the solutions below suggest a need to organize and segregate mail and calendar data, either by the employee or the employer. Depending on the length of tenure and complexity of the individual, this can be a daunting, yet unavoidable task. The following docs offer strategies for organizing and segregating Office 365 data.
Scenario A: An employer has an employee who is in the process of changing roles or leaving the department, so they want a copy of some or all Office 365 data from their personal (NetID) account. Usually this is done for knowledge retention, customer relationship continuity, and other business processes. The employee is able to fully participate in the knowledge transfer process prior to leaving.
Solution: The employee can organize the data into folders and copy only messages that the employer is interested in keeping. Two options exist (either or can be performed):
- Option: save data to a local pst file
The employee can download the data (e.g. as a PST) and deliver it outside the context of Office 365. Alternatively, the employee can grant Folder/Calendar permissions so that the employer can access and copy all of the organized data to another account, or download the data to a PST as needed.
The employee can delete those messages out of his/her mailbox if the employer has a requirement that former employees not retain access to certain data.
- Option: move data to a service account
Scenario B: An employer who has an employee who is in the process of changing roles or leaving the department, and the employee is unable to organize the data.
Solution: Employee grants employer Full mailbox permission via the Wisc Account Administration site. The employer can then copy any data that is needed to another account, or download any data to a PST as needed. Alternatively, the employee can grant the employer Administrative Access so that the employer can, at a later time, set Full mailbox permissions.
The employer can delete those messages out of the employee’s mailbox if the employer has a requirement that former employees not retain access to certain data.
Scenario C: An employee leaves unexpectedly, passes away, or is fired. In this situation, the employer can’t rely on the employee to facilitate the knowledge transfer process prior to leaving.
Solution: Escalate a request to the Office of Cyber Security (or some other authorized group) to grant Full mailbox permission so that the employer can access any necessary data. Alternatively, the employer can pre-arrange Administrative Access for all employee mailboxes so that the employer can, at a later time, set Full mailbox permissions.
The employer can delete those messages out of the employee’s mailbox if the employer has a requirement that former employees not retain access to certain data.
Scenario D: The Office of Legal Affairs or Office of Compliance is executing a legal request for data within an employee’s Office 365 account. The employing unit’s IT department is asked to facilitate the legal request for data. The employee is asked to identify and provide data relevant to the investigation. The employee is able to fully participate in the data discovery process.
Solution: The employee can organize the data into folders and copy only messages that the investigators are interested in obtaining.
The employee can download the data (e.g. as a PST) and deliver it to the departmental IT staff outside the context of Office 365. Alternatively, the employee can grant Folder/Calendar permissions so that the departmental IT staff can access and copy all of the organized data to another account, or download the data to a PST as needed.
Scenario E: The Office of Legal Affairs or Office of Compliance is executing a legal request for data within an employee’s Office 365 account. However, in this situation, the employee needs assistance to organize the data.
Solution: The employee grants departmental IT staff Full mailbox permission via the Wisc Account Administration site. The departmental IT staff can then copy any data that is needed to another account, or download any data to a PST as needed.
Scenario F: The Office of Legal Affairs or Office of Compliance is executing a legal request for data within an employee’s Office 365 account. However, in this situation, the employee is unable to collaborate with their departmental IT staff.
Solution: The departmental IT staff escalates a request to the Office of Cyber Security (or some other authorized group) to grant Full mailbox permission so that the employer can access any necessary data.
Scenario G: The legal request has a specific need to utilize the capabilities of In-Place eDiscovery and/or In-Place Hold.
Solution: The Office of Legal Affairs, Office of Compliance, or Departmental IT staff escalates a request to the Office of Cyber Security to use the In-Place eDiscovery and/or In-Place Hold capabilities. The mailbox is searched based on specific search terms and the results are exported to a location that can be accessed as needed.
Note: The ability to delegate In-Place eDiscovery and In-Place Hold to departmental IT staff is problematic.
It may seem advantageous to use the In-Place eDiscovery capability to search for and copy the data for use cases beyond legal investigations (e.g. knowledge transfer), however it is usually the case that Folder/Calendar permissions and/or Full mailbox permission capability is a more efficient process for finding pertinent data.
The Office 365 Team has periodically considered whether to implement the ability for people with authorized Administrative Access over an account to execute In-Place eDiscovery. The cost of implementing this capability would need to be overwhelmed by any gaps in reliance on the Folder/Calendar permissions and Full mailbox permission capability.
Once the Office of Cyber Security has gained experience using the In-Place eDiscovery capability, the Office 365 Team will evaluate feedback from stakeholders to determine if building a delegated eDiscovery capability becomes more feasible.