
Compliance and Security Features in Exchange Online Archiving


Applies to: Office 365

Topic Last Modified: 2014-04-03

The following sections describe the compliance features of Microsoft Exchange Online Archiving.

Exchange Online Archiving offers retention policies to help organizations reduce the liabilities associated with email and other communications. With these policies, administrators can apply retention settings to specific folders in users’ inboxes. Administrators can also give users a menu of retention policies and let them apply the policies to specific items, conversations, or folders using Outlook 2010 or later or Outlook Web App. In Exchange Online Archiving, administrators manage retention policies from the on-premises infrastructure.

Exchange Online Archiving offers two types of policies: archive and delete. Both types can be applied to the same item or folder. For example, a user can tag an email message so that it is automatically moved to the personal archive in a specified number of days and deleted after another span of days.

With Outlook 2010 and later and Outlook Web App, users can apply retention policies to folders, conversations, or individual messages and can also view the applied retention policies and expected deletion dates on messages. Users of other email clients can have email deleted or archived based on server-side retention policies provisioned by the administrator, but they do not have the same level of visibility and control.

The retention policy capabilities offered in Exchange Online Archiving are the same as those offered in Exchange Server 2010 Service Pack 2 (SP2) and later. Administrators can manage retention policies from on-premises Exchange Server 2010 and later environments. Managed Folders, an older approach to messaging records management that was introduced in Exchange 2007, are not available in and not compatible with Exchange Online Archiving. For more details, see Retention Tags and Retention Policies.
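The following is an added example, not part of the service description, showing how the archive-and-delete combination described above is built from the on-premises Exchange Management Shell: one default tag that moves mail to the In-Place Archive, one personal tag users can apply themselves, and a policy that bundles them. The tag and policy names and the mailbox alias jsmith are assumptions for the illustration.

```powershell
# Added example (not from the Office 365 service description): build a retention
# policy in the on-premises Exchange Management Shell and assign it to one user.
# Tag/policy names and the alias "jsmith" are assumptions for this illustration.

# Default policy tag (Type All): anything not otherwise tagged moves to the
# In-Place Archive after 365 days. A policy may contain only one default tag.
New-RetentionPolicyTag -Name "Archive after 1 year" -Type All `
    -RetentionEnabled $true -AgeLimitForRetention 365 `
    -RetentionAction MoveToArchive `
    -Comment "Items move to the personal archive after one year."

# Personal tag: users apply it from Outlook 2010+ or Outlook Web App to a
# folder, conversation or message. Deleted items remain recoverable from the
# Recoverable Items folder (DeleteAndAllowRecovery, not PermanentlyDelete).
New-RetentionPolicyTag -Name "Delete after 7 years" -Type Personal `
    -RetentionEnabled $true -AgeLimitForRetention 2555 `
    -RetentionAction DeleteAndAllowRecovery

# Folder tag: the Deleted Items folder is emptied after 30 days.
New-RetentionPolicyTag -Name "Deleted Items 30 days" -Type DeletedItems `
    -RetentionEnabled $true -AgeLimitForRetention 30 `
    -RetentionAction DeleteAndAllowRecovery

# A mailbox holds exactly one retention policy; the policy links the tags.
New-RetentionPolicy -Name "EOA Standard" `
    -RetentionPolicyTagLinks "Archive after 1 year","Delete after 7 years","Deleted Items 30 days"

# Assign the policy and process the mailbox now rather than waiting for the
# Managed Folder Assistant's next scheduled pass.
Set-Mailbox -Identity jsmith -RetentionPolicy "EOA Standard"
Start-ManagedFolderAssistant -Identity jsmith

# Verify: the mailbox should report the policy, and an archive must exist,
# because a MoveToArchive tag does nothing for a user without an In-Place Archive.
Get-Mailbox -Identity jsmith | Format-List RetentionPolicy,ArchiveStatus,ArchiveGuid
```

A message carrying both the default archive tag and the personal delete tag behaves exactly as the paragraph above describes: it is moved to the archive after one year and deleted after seven, with the deletion still governed by the retention policy once the item sits in the archive mailbox.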

Exchange Online Archiving provides legal hold capabilities to preserve users’ deleted and modified mailbox items (including email messages, appointments, and tasks) from both their primary mailboxes and archives. Administrators can use In-Place Hold, which allows placing the following types of holds:

  • Indefinite hold   Preserves items indefinitely until the hold is removed.

  • Time-based hold   Preserves items for a specified period of time.

  • Query-based hold   Preserves items that match specified query parameters such as keywords, start and end dates, and sender and recipient addresses.

This feature also includes an option that automatically alerts the user through Outlook 2010 that a hold has been placed on the mailbox. Administrators must use the Exchange Administration Console or the Exchange Management Shell on their on-premises Exchange server to place a mailbox on hold. For details, see In-Place Hold.

Items placed on hold are preserved in the Recoverable Items folder of the user’s archive mailbox. Exchange Online Archiving users receive unlimited storage for the Recoverable Items folder. However, a default quota of 30 GB is set on the folder, which is large enough to accommodate reasonable use.

Note:
The default quota for the Recoverable Items Folder is 30 GB for Exchange Online Archiving users.
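The following is an added example, not part of the service description, showing the three hold types listed above as they are created from the on-premises Exchange Management Shell, together with the check that a hold actually covers a mailbox. The search names, mailbox aliases, query text, dates and sender address are assumptions for the illustration.

```powershell
# Added example (not from the Office 365 service description): the three
# In-Place Hold types, created with New-MailboxSearch in the on-premises
# Exchange Management Shell. Names, aliases, query and dates are assumptions.

# 1. Indefinite hold: no ItemHoldPeriod, so deleted and modified items are kept
#    in Recoverable Items until the hold is removed.
New-MailboxSearch -Name "Hold-Legal-2014-001" `
    -SourceMailboxes "jsmith" `
    -InPlaceHoldEnabled $true

# 2. Time-based hold: keep items for 2,555 days (about seven years) counted
#    from their received/creation date; afterwards normal retention applies.
New-MailboxSearch -Name "Hold-Finance-7y" `
    -SourceMailboxes "finance-team","jdoe" `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod 2555

# 3. Query-based hold: only items matching the KQL query, the date window and
#    the sender filter are preserved. Unrelated mail stays under the ordinary
#    retention policy, which keeps the Recoverable Items folder (30 GB default
#    quota) from filling with material the matter does not need.
New-MailboxSearch -Name "Hold-ProjectX" `
    -SourceMailboxes "jsmith","jdoe" `
    -SearchQuery 'ProjectX OR "Project X"' `
    -StartDate "01/01/2013" -EndDate "12/31/2013" `
    -Senders "partner@example.com" `
    -InPlaceHoldEnabled $true

# Verify before relying on the hold: InPlaceHolds lists the GUID of every
# In-Place Hold that covers the mailbox, and the search object reports its
# own settings. Both the primary mailbox and the archive are covered.
Get-Mailbox -Identity jsmith | Format-List InPlaceHolds,LitigationHoldEnabled
Get-MailboxSearch -Identity "Hold-ProjectX" |
    Format-List Status,InPlaceHoldEnabled,ItemHoldPeriod,SourceMailboxes,SearchQuery

# Lifting a hold is a setting change on the search object (or its removal);
# administrator audit logging records who did it and when.
Set-MailboxSearch -Identity "Hold-Legal-2014-001" -InPlaceHoldEnabled $false
```

A mailbox can carry several holds at once; an item is released only when no remaining hold covers it, so reviewing `InPlaceHolds` on the mailbox, not just the one search object you edited, is the reliable check that preservation has genuinely ended.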

Exchange Online Archiving supports In-Place eDiscovery for searching the contents of mailboxes in an organization. Using the Exchange admin center or remote Windows PowerShell from an on-premises Exchange 2013 server, administrators or authorized Discovery managers can search a variety of mailbox items – including email messages, attachments, calendar appointments, tasks, and contacts. In-Place eDiscovery can search simultaneously across primary mailboxes and archives. Rich filtering capabilities include sender, receiver, message types, sent date, received date, carbon copy, and blind carbon copy, along with Keyword Query Language (KQL) syntax. For more details, see In-Place eDiscovery.

The Exchange admin center and remote Windows PowerShell can be used to search up to 5,000 mailboxes at a time. For details about searching up to 5,000 mailboxes at a time using remote Windows PowerShell, see New-MailboxSearch. Remote Windows PowerShell can also be used to perform searches on an unlimited number of mailboxes. For details about searching large numbers of mailboxes using remote Windows PowerShell, see Search-Mailbox.

Note:
The Search-Mailbox cmdlet doesn’t have a limit on the number of mailboxes you can search.

Results of an In-Place eDiscovery search can be previewed in the Exchange admin center, exported to a .pst file, or copied to a special type of mailbox, called a discovery mailbox. Administrators or compliance officers can connect to the discovery mailbox to review messages. For details, see Create an In-Place eDiscovery Search.

Note:
When copying search results for an In-Place eDiscovery search performed across on-premises and cloud-based mailboxes or archives, you must select an on-premises discovery mailbox. Messages from the on-premises primary mailbox and the cloud-based archive are copied to the on-premises discovery mailbox.

Administrators can also search for and delete inappropriate email messages sent to multiple mailboxes across their organizations. For example, if confidential salary information was accidentally sent to all employees, an administrator can delete the email from the users’ mailboxes. This type of search is not available in the Exchange admin center. It must be performed using Remote PowerShell. For details on how to delete messages from users’ mailboxes, see Search and Delete Messages.
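The following is an added example, not part of the service description, covering the In-Place eDiscovery workflow (estimate first, then copy to an on-premises discovery mailbox) and the Remote PowerShell search-and-delete described in the last paragraph. The search names, mailbox aliases, discovery mailbox name, query terms, dates and the sender address are assumptions for the illustration.

```powershell
# Added example (not from the Office 365 service description): an In-Place
# eDiscovery run from the on-premises Exchange Management Shell, then the
# Remote PowerShell search-and-delete the EAC cannot perform. Names, aliases,
# the discovery mailbox name, query terms and dates are assumptions.

# --- In-Place eDiscovery ----------------------------------------------------
# Step 1: estimate only. Returns item counts and sizes without copying
# anything, so the scope can be tuned before the discovery mailbox is touched.
New-MailboxSearch -Name "Discovery-Salary-Leak" `
    -SourceMailboxes "jsmith","jdoe","finance-team" `
    -SearchQuery 'subject:"2014 salary review" AND hasattachment:true' `
    -StartDate "03/01/2014" -EndDate "03/31/2014" `
    -MessageTypes Email `
    -EstimateOnly
Start-MailboxSearch -Identity "Discovery-Salary-Leak"
Get-MailboxSearch -Identity "Discovery-Salary-Leak" |
    Format-List Status,ResultNumberEstimate,ResultSizeEstimate

# Step 2: copy the results to an ON-PREMISES discovery mailbox. This is the
# requirement from the note above when the search spans on-premises primary
# mailboxes and cloud archives. Duplicates are collapsed and a full log kept.
Set-MailboxSearch -Identity "Discovery-Salary-Leak" -EstimateOnly:$false `
    -TargetMailbox "Discovery Search Mailbox" `
    -ExcludeDuplicateMessages $true -LogLevel Full
Start-MailboxSearch -Identity "Discovery-Salary-Leak"

# --- Search and delete (Remote PowerShell only) -----------------------------
# Step 3: dry run. -LogOnly writes a report of what WOULD be removed into the
# target folder and deletes nothing; review it before the real run.
Get-Mailbox -ResultSize Unlimited | Search-Mailbox `
    -SearchQuery 'subject:"2014 salary review" AND from:"hr@example.com"' `
    -TargetMailbox "Discovery Search Mailbox" -TargetFolder "SalaryLeak-DryRun" `
    -LogOnly -LogLevel Full

# Step 4: the removal. Needs the Mailbox Import Export role in addition to
# Discovery Management. A copy lands in the target folder first; the original
# goes to Recoverable Items, and a mailbox on hold keeps it regardless.
Get-Mailbox -ResultSize Unlimited | Search-Mailbox `
    -SearchQuery 'subject:"2014 salary review" AND from:"hr@example.com"' `
    -TargetMailbox "Discovery Search Mailbox" -TargetFolder "SalaryLeak-Deleted" `
    -DeleteContent
```

Search-Mailbox prompts for confirmation per mailbox when `-DeleteContent` is used; leaving that prompt in place is deliberate for a bulk operation over every mailbox in the organization. The copy-then-delete pattern also means the administrator audit log and the discovery mailbox together record exactly what was removed.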

The following sections describe the security features of Microsoft Exchange Online Archiving.

TLS is used to encrypt the connection between email servers to help prevent spoofing and provide confidentiality for messages in transit. TLS is also used for securing on-premises mail server traffic to Office 365 data centers for Exchange Online Archiving.

Client connections to Exchange Online Archiving use the following encryption methods to enhance security:

  • SSL is used for securing Outlook, Outlook Web App, and Exchange Web Services traffic, using TCP port 443.

  • Client connections to on-premises servers do not change with the introduction of Exchange Online Archiving.

Exchange Online Archiving will store Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. However, Exchange Online Archiving does not host S/MIME functions or host the public keys, nor does it provide key repository, key management, or key directory services because all of these services attach to the on-premises Exchange infrastructure.

Similarly, Exchange Online Archiving will store messages that are encrypted using client-side, third-party encryption solutions such as Pretty Good Privacy (PGP).

Exchange Online Archiving does not provide hosted Information Rights Management (IRM) services, but administrators can use on-premises Active Directory Rights Management Services (AD RMS). If an AD RMS server is deployed, Outlook can communicate directly with that server, enabling users to compose and read IRM-protected messages. If interoperability between the AD RMS server and the on-premises Exchange environment is configured, users will be able to compose and read IRM-protected messages.

Users can read and create IRM-protected messages natively in Outlook Web App, just as they can in Outlook. IRM-protected messages in Outlook Web App can be accessed through Internet Explorer, Firefox, Safari, and Chrome (with no plug-in required). The messages include full-text search, conversation view, and the preview pane. Interoperability between the Active Directory Rights Management Services server and the on-premises Exchange environment must be configured to enable this.

IRM-protected messages are indexed and searchable, including headers, subject, body, and attachments. Users can search IRM-protected items in Outlook and Outlook Web App, and administrators can search IRM-protected items by using Multi-Mailbox Search or the Search-Mailbox cmdlet.

Exchange Online Archiving provides two types of built-in auditing capabilities:

  • Administrator audit logging   Administrator audit logging allows customers to track changes made by their administrators in the Exchange Online Archiving environment, including changes to RBAC roles or Exchange policies and settings.

  • Mailbox audit logging   Mailbox audit logging allows customers to track access to mailboxes by users other than the mailbox owner.

Several predefined audit reports are available in the Exchange admin center, including Administrator Role Changes, Litigation Hold, and Non-Owner Mailbox Access. Administrators can filter reports by date and role, and they can export all audit events for specified mailboxes in XML format for long-term retention or custom reporting.

Administrator audit logging is on by default, and mailbox audit logging is off by default. Administrators can use remote Windows PowerShell to enable mailbox audit logging for some or all mailboxes in their organization. For more information, see Auditing Reports.
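The following is an added example, not part of the service description, showing how the two audit capabilities above are used from Remote PowerShell: enabling the (off by default) mailbox audit logging, confirming it took effect, pulling non-owner access records, exporting them in XML, and querying the administrator audit log for role and hold changes. Mailbox aliases, dates and the recipient address are assumptions for the illustration.

```powershell
# Added example (not from the Office 365 service description): enable mailbox
# audit logging, report non-owner access, and query the administrator audit
# log. Aliases, dates and the recipient address are assumptions.

# Mailbox audit logging is off by default. Enable it for every user mailbox,
# keep 180 days of events, and record the delegate and admin actions of
# interest. Owner actions are left unaudited here; they inflate the log fast.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180 `
        -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf `
        -AuditAdmin Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create

# Confirm the setting landed. A mailbox with AuditEnabled $false produces no
# non-owner access records, so a report over it is silently empty.
Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled } |
    Select-Object Name,AuditEnabled

# Synchronous search: who other than the owner touched jsmith's mailbox in
# the last seven days, from which client address, and what did they open?
Search-MailboxAuditLog -Identity jsmith -LogonTypes Delegate,Admin `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ShowDetails |
    Select-Object LastAccessed,LogonUserDisplayName,LogonType,Operation,FolderPathName,ItemSubject,ClientIPAddress

# Asynchronous search: all events for several mailboxes exported as an XML
# attachment and mailed to the compliance team for long-term retention. This
# is the same mechanism behind the EAC's export of audit events.
New-MailboxAuditLogSearch -Name "Q1-2014 non-owner access" `
    -Mailboxes jsmith,jdoe -LogonTypes Delegate,Admin `
    -StartDate "01/01/2014" -EndDate "03/31/2014" `
    -StatusMailRecipients compliance@example.com

# Administrator audit logging is on by default. Show which administrators
# changed RBAC role assignments or created/edited holds in the last 30 days.
Search-AdminAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Cmdlets New-ManagementRoleAssignment,Remove-ManagementRoleAssignment,New-MailboxSearch,Set-MailboxSearch,Remove-MailboxSearch |
    Select-Object RunDate,Caller,CmdletName,ObjectModified,Succeeded
```

Search-MailboxAuditLog returns at most a few thousand entries per call, so the asynchronous New-MailboxAuditLogSearch export is the right tool for anything beyond a quick look at one mailbox; the XML it produces is what long-term retention or custom reporting should consume.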

 

                                                                      Exchange Online Archiving   Exchange Online Archiving
Feature                                                               for Exchange Server (1)     for Exchange Online (2)
Retention policies                                                    Yes                         Yes
In-Place Hold                                                         Yes                         Yes
In-Place eDiscovery                                                   Yes                         Yes
Encryption between on-premises servers and Exchange Online Archiving  Yes                         Yes
Encrypting between clients and Exchange Online Archiving              Yes                         Yes
Encryption: S/MIME and PGP                                            Yes                         Yes
IRM using Azure AD RM                                                 No                          No (3)
IRM using Windows Server AD RMS                                       Yes (4)                     Yes (4)
Auditing                                                              Yes                         Yes

Note:
(1)   User mailboxes must reside on Exchange 2010 SP2 or later.
(2)   As an add-on for Exchange Online mailboxes with Exchange Online Plan 1 or Exchange Online Kiosk. In-Place Archive can only be used to archive mail for a single user or entity for which a license has been applied. Using an In-Place Archive as a means to store mail from multiple users or entities is prohibited. For example, IT administrators can’t create shared mailboxes and have users copy (through the Cc or Bcc field, or through a transport rule) a shared mailbox for the explicit purpose of archiving.
(3)   Azure AD RM isn’t included but can be purchased as a separate add-on in order to enable the supported IRM features.
(4)   Windows Server AD RMS is an on-premises server that must be purchased and managed separately in order to enable the supported IRM features.

© 2014 Microsoft. All rights reserved.