Microsoft 365 - Content Backup, Restore, Archiving, Retention, eDiscovery, and Transfer

This document covers various scenarios where someone may need to obtain authorized access to data within someone else’s Office 365 account. The document also covers all of the capabilities that Office 365 offers for backup, restore, archiving, retention and eDiscovery.

Audience: Departmental IT organizations, Office of Cyber Security, Office of Legal Affairs, Office of Compliance.

>
Capability or ProcessStatusPossible Scenarios or Uses How it works
Archive (button or message action)

User 'Archives' a message to move it to another folder within their mailbox
Available"Inbox Zero" - Save important messages to another folder

Custom retention policies can be applied to chosen Archive folder (coming soon)

Helps prevent accidental deletions
Most email clients have an "archive" button that allows users to move messages to a pre-defined folder.  Behavior varies based on client implementation.  

Messages moved in this way are stored within your Office 365 mailbox and not otherwise backed-up or copied to an out-of band location
Recover Deleted Items

User may recover deleted items

Someone with full mailbox permission may recover deleted items on behalf of user
AvailableSearch for and recover a small number of user emails that were purged from the user's Deleted Items folder Use Outlook or Outlook on the web to recover messages that have been emptied from your Deleted Items folder within the past 30 days.

Learn more
.
Full Mailbox Permission

User may grant full mailbox permission to another person
AvailableTransfer and/or purge content for departing employees.

Assist employee with searching for misplaced content.
The user applies this permission via the Wisc Account Administration site which gives the recipient (typically an IT administrator or supervisor) access to all of the data in every email folder, every calendar, and all data in OneDrive for Business  

Learn more
.
Folder / Calendar Permission

User may grant Folder / Calendar Permission to another person
AvailableTransfer and/or purge content for departing employees.

Assist employee with searching for misplaced content.
The user applies this permission applied from Outlook or Outlook on the Web which can be enabled for specific folders and calendars so that the recipient (typically an IT administrator or supervisor) can access data only in those locations. 

Learn more.
Administrative Access

User may grant Administrative Access

IT staff / supervisor may request Administrative Access

The Office of Cybersecurity may authorize and grant Administrative Access to departmental IT staff / supervisor without user involvement
AvailableAssist employees with managing their accounts for purposes such as assigning mailbox permissions.

Transfer and/or purge content for departing employees.
Permission applied from the Wisc Account Administration site which gives the recipient the ability to change settings on another account. In the context of this document, it could be used to grant Full mailbox permissions.  It could also be used to set an Out of Office notification for a departed employee.

Learn more.
In-place eDiscovery

The Office of Cybersecurity may initiate searches of content within user mailboxes at the request of the Office of Legal Affairs / Office of Compliance / Dean or Director
AvailableSearch content in response to public records request or evidence inquiryAllows authorized people to search any mailbox based on specific search criteria and then export the data to another location. 

Learn more.
In-Place Hold

The Office of Cybersecurity may enable an In-Place Hold on an account at the request of the Office of Legal Affairs / Office of Compliance / Dean or Director
AvailablePrevent deleted content from being purged in response to legal evidence inquiryAllows authorized administrators to prevent messages from being permanently deleted or modified. Learn more.
Disable Unused Protocols

POP protocol can be managed

An authorized administrator may disable POP protocol on behalf of a user
AvailableComply with departmental HIPAA policies which may prohibit the use of some protocols

Reduce the risk of lost email as a result of deleted messages bypassing the Deleted Items folder 

Reduce the risk of sensitive data exfiltration by malicious actors in the event of account / credential compromise
If a protocol is disabled, the account cannot be used to connect to Office 365 via that protocol.  The user may re-enable the protocol but should consult with departmental policy.  Learn more
Third party backup/restore/archive tools and cloud services

A third party tool may be used to backup, restore and archive email within a mailbox.

Full mailbox permissions may be used to backup mail on behalf of other accounts.
 AvailableIndividuals who have a workstation and willing/able to install another application to store an off-site backup of their email account.

Departments who wish to assist their users in this type of backup strategy.

Users can delegate full mailbox permissions to a service account such that a departmental administrator can backup mailboxes on behalf of their users.
A third party application/plugin can be configured to automatically copy messages out of mailbox. The application, depending on its capabilities, can be configured to store messages in user defined location such as local disk or a cloud storage provider (e.g., Box, Google Drive, BuckyBackup).

Learn more.
Online ArchivesResearching...
Submit feedback below
Enhancements to Retaining, Searching and Recovering Lost EmailResearching...
Submit feedback below
Enhancements to Authorized Administrator Functionality of the Wisc Account Admin SiteResearching... Submit feedback below

Note:

Scenario A: An employer has an employee who is in the process of changing roles or leaving the department, so they want a copy of some or all Office 365 data from their personal (NetID) account. Usually this is done for knowledge retention, customer relationship continuity, and other business processes. The employee is able to fully participate in the knowledge transfer process prior to leaving.

Solution: The employee can organize the data into folders and copy only messages that the employer is interested in keeping. Two options exist (either or can be performed):

  • Option: save data to a local pst file

    The employee can download the data (e.g. as a PST) and deliver it outside the context of Office 365. Alternatively, the employee can grant Folder/Calendar permissions so that the employer can access and copy all of the organized data to another account, or download the data to a PST as needed.

    The employee can delete those messages out of his/her mailbox if the employer has a requirement that former employees not retain access to certain data.

  • Option: move data to a service account

Scenario B: An employer who has an employee who is in the process of changing roles or leaving the department, and the employee is unable to organize the data.

Solution: Employee grants employer Full mailbox permission via the Wisc Account Administration site. The employer can then copy any data that is needed to another account, or download any data to a PST as needed. Alternatively, the employee can grant the employer Administrative Access so that the employer can, at a later time, set Full mailbox permissions.

The employer can delete those messages out of the employee’s mailbox if the employer has a requirement that former employees not retain access to certain data.

Scenario C: An employee leaves unexpectedly, passes away, or is fired. In this situation, the employer can’t rely on the employee to facilitate the knowledge transfer process prior to leaving.

Solution: Escalate a request to the Office of Cyber Security (or some other authorized group) to grant Full mailbox permission so that the employer can access any necessary data. Alternatively, the employer can pre-arrange Administrative Access for all employee mailboxes so that the employer can, at a later time, set Full mailbox permissions.

The employer can delete those messages out of the employee’s mailbox if the employer has a requirement that former employees not retain access to certain data.

Scenario D: The Office of Legal Affairs or Office of Compliance is executing a legal request for data within an employee’s Office 365 account. The employing unit’s IT department is asked to facilitate the legal request for data. The employee is asked to identify and provide data relevant to the investigation. The employee is able to fully participate in the data discovery process.

Solution: The employee can organize the data into folders and copy only messages that the investigators are interested in obtaining.

The employee can download the data (e.g. as a PST) and deliver it to the departmental IT staff outside the context of Office 365. Alternatively, the employee can grant Folder/Calendar permissions so that the departmental IT staff can access and copy all of the organized data to another account, or download the data to a PST as needed.

Scenario E: The Office of Legal Affairs or Office of Compliance is executing a legal request for data within an employee’s Office 365 account. However, in this situation, the employee needs assistance to organize the data.

Solution: The employee grants departmental IT staff Full mailbox permission via the Wisc Account Administration site. The departmental IT staff can then copy any data that is needed to another account, or download any data to a PST as needed.

Scenario F: The Office of Legal Affairs or Office of Compliance is executing a legal request for data within an employee’s Office 365 account. However, in this situation, the employee is unable to collaborate with their departmental IT staff.

Solution: The departmental IT staff escalates a request to the Office of Cyber Security (or some other authorized group) to grant Full mailbox permission so that the employer can access any necessary data.

Scenario G: The legal request has a specific need to utilize the capabilities of In-Place eDiscovery and/or In-Place Hold.

Solution: The Office of Legal Affairs, Office of Compliance, or Departmental IT staff escalates a request to the Office of Cyber Security to use the In-Place eDiscovery and/or In-Place Hold capabilities. The mailbox is searched based on specific search terms and the results are exported to a location that can be accessed as needed.

Note: The ability to delegate In-Place eDiscovery and In-Place Hold to departmental IT staff is problematic.

It may seem advantageous to use the In-Place eDiscovery capability to search for and copy the data for use cases beyond legal investigations (e.g. knowledge transfer), however it is usually the case that Folder/Calendar permissions and/or Full mailbox permission capability is a more efficient process for finding pertinent data.

The Office 365 Team has periodically considered whether to implement the ability for people with authorized Administrative Access over an account to execute In-Place eDiscovery. The cost of implementing this capability would need to be overwhelmed by any gaps in reliance on the Folder/Calendar permissions and Full mailbox permission capability.

Once the Office of Cyber Security has gained experience using the In-Place eDiscovery capability, the Office 365 Team will evaluate feedback from stakeholders to determine if building a delegated eDiscovery capability becomes more feasible.



Keywords:
microsoft office365 o365 m365 microsoft 365 gain access retrieve restore authorized data email calendar onedrive people contacts owa outlook 2016 on the web archive back up restoration retain copy export import PST backing online archive 
Doc ID:
62713
Owned by:
O365 S. in Microsoft 365
Created:
2016-04-14
Updated:
2023-02-02
Sites:
DoIT Help Desk, Microsoft 365