
Message Policy, Recovery and Compliance

Office 365
 

Applies to: Office 365

Topic Last Modified: 2014-04-04

Exchange Online mailboxes reside in the cloud, and archiving them requires unique hosting environments. In some cases, Exchange Online can also be used to archive on-premises mailboxes in the cloud. The options for archiving with Exchange Online are described in this section.

Exchange Online provides built-in archiving capabilities for cloud-based mailboxes, including an In-Place Archive that gives users a convenient place to store older email messages. An In-Place Archive is a special type of mailbox that appears alongside a user’s primary mailbox folders in Outlook and Outlook Web App. Users can access and search the archive in the same way they access and search their primary mailboxes. Available functionality depends on the client in use:

  • Outlook 2013, Outlook 2010, and Outlook Web App   Users have access to the full features of the archive, as well as related compliance features like control over retention and archive policies.

  • Outlook 2007   Users have basic support for the In-Place Archive, but not all archiving and compliance features are available. For example, users cannot apply retention or archive policies to mailbox items and must rely on administrator-provisioned policies instead.

Administrators use the Exchange admin center or remote Windows PowerShell to enable the personal archive feature for specific users.

For more information about In-Place Archives, see In-Place Archiving.

Only one user’s messaging data can be stored in each personal archive. The allocation of storage depends on the subscription plan. For more information about archive mailbox sizes, see the “Mailbox storage limits” section in Exchange Online Limits.

Important:
Using journaling, transport rules, or auto-forwarding rules to copy messages to an Exchange Online mailbox for the purposes of archiving is not permitted. Microsoft reserves the right to deny unlimited archiving in instances where a mailbox archive is not being used in a personal scenario.
In-Place Archive has specific licensing requirements for Outlook users. Outlook 2007 users must have the Office 2007 Cumulative Update for February 2011 to access the personal archive.
Exchange Online does not support the New-MailboxImportRequest Windows PowerShell cmdlet of Exchange Server 2010 Service Pack 1 or later for administrator-driven import of .pst files into a personal archive. If a user has both the primary mailbox and the archive in Exchange Online, an administrator can use PST Capture, a free tool, to import .pst file data to the user’s primary mailbox or archive.

Using Exchange Online for cloud-based archiving of on-premises Exchange Server 2010 or later mailboxes is possible with Microsoft Exchange Online Archiving, a hosted archiving solution from Microsoft. This requires that the on-premises organization be in Hybrid mode or be set up for Exchange Online Archiving.

Important:
Users with an on-premises mailbox on an Exchange 2010 Mailbox server who have a Managed Folder policy applied cannot have an on-premises or cloud-based In-Place Archive enabled.

Exchange Online offers retention policies to help organizations reduce the liabilities associated with email and other communications. With these policies, administrators can apply retention settings to specific folders in users’ inboxes. Administrators can also give users a menu of retention policies and let them apply the policies to specific items, conversations, or folders using Outlook 2010 or later or Outlook Web App.

In Exchange Online, administrators manage retention policies by using the Exchange admin center (EAC) or remote Windows PowerShell.

Exchange Online offers two types of policies: archive policies and delete policies. Both types can be combined on the same item or folder. For example, a user can tag an email message to be automatically moved to the In-Place Archive in a specified number of days and deleted after another span of days.

With Outlook 2010 or later and Outlook Web App, users can apply retention policies to folders, conversations, or individual messages. They can also view the applied retention policies and expected deletion dates on messages. Users of other email clients can only have email messages deleted or archived based on server-side retention policies set by the administrator.

The retention policy capabilities offered in Exchange Online are the same as those offered in Exchange Server 2010 Service Pack 2 RU4. Administrators can use remote Windows PowerShell to migrate retention policies from on-premises Exchange Server 2010 or later environments to Exchange Online.
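The archive-plus-delete combination described above, expressed in remote Windows PowerShell. This is an added example, not code from the service description; the tag and policy names, the day counts and the mailbox alias "asmith" are placeholders, and an open remote PowerShell session to Exchange Online is assumed.

```powershell
# Added example (not from the service description). Assumes an open remote
# PowerShell session to Exchange Online; names, ages and "asmith" are placeholders.

# Archive tag: move items to the In-Place Archive once they are 365 days old.
# Type "All" makes this a default policy tag that applies to the whole mailbox.
$archiveTag = New-RetentionPolicyTag -Name "Archive after 1 year" `
    -Type All `
    -AgeLimitForRetention 365 `
    -RetentionAction MoveToArchive `
    -RetentionEnabled $true `
    -Comment "Default policy tag: items move to the archive after 1 year."

# Delete tag: a personal tag that users apply to an item, conversation or folder
# in Outlook 2010 or later / Outlook Web App. It deletes (recoverably) after
# 7 years counted from the item's age, independently of the archive move.
$deleteTag = New-RetentionPolicyTag -Name "Delete after 7 years" `
    -Type Personal `
    -AgeLimitForRetention 2555 `
    -RetentionAction DeleteAndAllowRecovery `
    -RetentionEnabled $true

# Default tag for the Deleted Items folder, so that folder does not accumulate
# data outside the archive/delete lifecycle.
$deletedItemsTag = New-RetentionPolicyTag -Name "Deleted Items 30 days" `
    -Type DeletedItems `
    -AgeLimitForRetention 30 `
    -RetentionAction DeleteAndAllowRecovery

# Both tag types are linked into one policy, so a single item can carry an
# archive action and a delete action at the same time.
$policy = New-RetentionPolicy -Name "Standard Archive and Delete" `
    -RetentionPolicyTagLinks $archiveTag.Name, $deleteTag.Name, $deletedItemsTag.Name

# The archive tag needs an In-Place Archive to move items into (skip
# Enable-Mailbox if the archive is already enabled for this user).
Enable-Mailbox -Identity "asmith" -Archive
Set-Mailbox -Identity "asmith" -RetentionPolicy $policy.Name

# Process the mailbox now instead of waiting for the scheduled run, then check
# which tags the user will see in the client.
Start-ManagedFolderAssistant -Identity "asmith"
Get-RetentionPolicyTag -Mailbox "asmith" |
    Format-Table Name, Type, AgeLimitForRetention, RetentionAction
```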

Important:
Managed Folders, an older approach to messaging records management that was introduced in Exchange Server 2007, are not available in Exchange Online.

For more information, see Retention Tags and Retention Policies.

In Office 365, email data at rest is encrypted using BitLocker Drive Encryption. BitLocker encrypts the hard drives on a computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, as well as more secure data deletion when BitLocker-protected computers are decommissioned or recycled. To learn more, see BitLocker Overview. For more information about security features in Office 365, see the Office 365 Trust Center.

Information Rights Management (IRM) allows an organization to prevent information leakage by restricting the rights that email recipients have on messages and attachments—such as whether they may forward a message to other recipients, print a message or attachment, or copy and paste message or attachment content.

Administrators can use the cloud-based Azure Active Directory Rights Management (Azure AD RM), or an on-premises Active Directory Rights Management Services (AD RMS) server in conjunction with Exchange Online. If an on-premises AD RMS server is deployed, Outlook can communicate directly with the server, enabling users to compose and read messages that are protected by AD RMS. There is no need for interoperability between the AD RMS server and Exchange Online in order to use the AD RMS features of Outlook.

Microsoft Exchange Server 2010 introduced advanced IRM-related AD RMS features that organizations can use with Exchange Online. To enable these features, administrators import the Trusted Publishing Domain (TPD) key from their AD RMS server to Exchange Online using remote Windows PowerShell.

After this one-time import, the following IRM-related features become available:

  • Support for IRM in Outlook Web App   Users can read and create IRM-protected messages natively in Outlook Web App. They can also view IRM-protected messages in Outlook Web App by using Internet Explorer, Firefox, Safari, and Chrome browsers (with no plug-in required). Viewing features include full-text search, conversation view, and the preview pane.

  • Support for IRM in Exchange ActiveSync   Users with mobile devices that support the IRM features of Exchange ActiveSync can open and work with IRM-protected messages without tethering the device or installing additional IRM software. Administrators can control this feature by using Role-Based Access Control (RBAC) or Exchange ActiveSync policies.

  • Search of IRM-protected messages   IRM-protected messages are indexed and searchable, including headers, subject, body, and attachments. Users can search protected items in Outlook and Outlook Web App and administrators can search protected items by searching multiple mailboxes.

  • Transport protection rules   Administrators can set up rules to automatically apply AD RMS protection to email (including Microsoft Office and XPS attachments) in transit. This provides persistent protection anywhere a file is sent and prevents forwarding, copying, or printing, depending on the rights policy template applied.

  • Journal report decryption   When journaling messages to an external archive, administrators can include both the IRM-protected message and a decrypted, clear-text copy of the message (including Microsoft Office and XPS attachments) in journal reports. This allows IRM-protected messages to be indexed and searched for legal and regulatory purposes.

  • Protected voice mail   Senders or administrators can apply Do Not Forward permissions to voice mail messages to prevent them from being forwarded to unauthorized persons, regardless of the email client.

  • Outlook Protection Rules   New to Outlook 2010, these rules automatically trigger Outlook to apply an Active Directory Rights Management Services template, based on sender or recipient identities, before users can send an email message. Unlike Transport Protection Rules, Outlook Protection Rules can be configured so that users can turn off protection for less-sensitive content.

For more information, see Information Rights Management in Exchange Online.

Office 365 Message Encryption is an online service that allows email users to send encrypted email messages to anyone. To use this encryption service, Office 365 customers must have an Office 365 subscription that includes both Exchange Online and Azure AD Rights Management, or an Office 365 subscription that includes Exchange Online and can support Azure AD Rights Management purchased as a separate add-on. On-premises customers can access Office 365 Message Encryption by purchasing Azure AD Rights Management and using Exchange Online Protection to set up mail flow through Exchange Online. For more information about setting up Azure AD Rights Management, see Set up Azure Rights Management for Office 365 Message Encryption.

Office 365 Message Encryption allows you to:

  • Define transport rules for encryption   Administrators can use the Exchange Admin Center or Windows PowerShell to create rules to encrypt outgoing email messages and decrypt incoming encrypted replies to those messages.

  • Add branding to encrypted messages   Administrators can customize the encrypted email with a company or organization brand.

  • Send encrypted messages   Messages that match admin-defined encryption rules are automatically encrypted and sent to the specified email address.

  • View and reply to encrypted messages   Encrypted emails arrive in recipients' inboxes as an HTML attachment, together with instructions for opening and viewing the attached encrypted message.

For more information, see Office 365 Message Encryption.
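The one-time Trusted Publishing Domain import from the IRM section, followed by a transport protection rule and the encrypt/decrypt rule pair for Office 365 Message Encryption, as an added example (not code from the service description). It assumes an open remote PowerShell session to Exchange Online; the TPD file path, licensing URLs, "Do Not Forward" template, the "Encrypt" subject keyword and the contoso.com addresses are placeholders.

```powershell
# Added example (not from the service description). Assumes an open remote
# PowerShell session to Exchange Online; paths, URLs, template, keyword and
# addresses are placeholders.

# 1. Import the Trusted Publishing Domain exported from the on-premises AD RMS
#    server (a password-protected .xml export). Until this succeeds, none of the
#    server-side IRM features (OWA, EAS, search, transport rules) can decrypt.
$tpdFile = [System.IO.File]::ReadAllBytes("C:\RMS\contoso-tpd.xml")   # placeholder path
$tpdPassword = Read-Host "TPD export password" -AsSecureString
Import-RMSTrustedPublishingDomain -FileData $tpdFile `
    -Password $tpdPassword `
    -Name "Contoso AD RMS TPD" `
    -ExtranetLicensingUrl "https://rms.contoso.com/_wmcs/licensing" `
    -IntranetLicensingUrl "https://rms.contoso.com/_wmcs/licensing"

# Enable server-side licensing/decryption (and clear-text copies in journal
# reports), then confirm a license can actually be obtained for a sender before
# any rule depends on it.
Set-IRMConfiguration -InternalLicensingEnabled $true -JournalReportDecryptionEnabled $true
Test-IRMConfiguration -Sender "asmith@contoso.com"

# 2. Transport protection rule: mail sent to the legal distribution group gets
#    the "Do Not Forward" template in transit, so the protection travels with the
#    message and its Office/XPS attachments wherever it is sent.
Get-RMSTemplate | Format-Table Name, Type        # templates available to rules
New-TransportRule -Name "Protect legal correspondence" `
    -SentTo "legal@contoso.com" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# 3. Office 365 Message Encryption: encrypt outbound mail that carries the
#    keyword, and remove the encryption from the replies that come back so
#    internal recipients read them natively.
New-TransportRule -Name "OME: encrypt flagged outbound mail" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Encrypt" `
    -ApplyOME $true

New-TransportRule -Name "OME: decrypt inbound encrypted replies" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -RemoveOME $true

# Review what is enforced and in which order the rules are evaluated.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State
```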

S/MIME allows you to help protect sensitive information by sending signed and encrypted email within your organization. Administrators can use remote Windows PowerShell to set up S/MIME after establishing a PKI and issuing certificates to users. These certificates must be synchronized from an on-premises Active Directory Certificate Services deployment.

S/MIME is supported on Internet Explorer 9 or later. Currently, S/MIME is unsupported on Firefox, Opera, and Chrome. For more information, see S/MIME for Message Signing and Encryption.

When a reasonable expectation of litigation exists, organizations are required to preserve electronically stored information (ESI), including email that's relevant to the case. This expectation can occur before the specifics of the case are known, and preservation is often broad. Organizations may preserve all email related to a specific topic, or all email for certain individuals.

In Exchange Online, you can use In-Place Hold or Litigation Hold to accomplish the following goals:

  • Enable users to be placed on hold and preserve mailbox items immutably

  • Preserve mailbox items deleted by users or automatic deletion processes such as MRM

  • Protect mailbox items from tampering, changes by a user, or automatic processes by saving a copy of the original item

  • Preserve items indefinitely or for a specific duration

  • Keep holds transparent to the user, because MRM does not have to be suspended

  • Use In-Place eDiscovery to search mailbox items, including items placed on hold

Additionally, you can use In-Place Hold to:

  • Search and hold items matching specified criteria

  • Place a user on multiple In-Place Holds for different cases or investigations

For more information, see In-Place Hold.

Exchange Online enables customers to search the contents of mailboxes across an organization using a web-based interface. Administrators, or compliance and security officers who have been authorized through role assignment to perform In-Place eDiscovery searches, can search email messages, attachments, calendar appointments, tasks, contacts, and other items. In-Place eDiscovery can search primary mailboxes and archives simultaneously. Rich filtering includes sender, recipient, message type, sent/received date, and Cc/Bcc recipients, along with Keyword Query Language (KQL) syntax. Search results also include items in the Deleted Items folder when they match the query.

Results of In-Place eDiscovery searches can be previewed in the web-based interface, exported to a PST file or copied to a special type of mailbox called a Discovery mailbox. A Discovery mailbox has a 50 GB quota for storing search results. Administrators can also connect Outlook to the Discovery mailbox to access search results, and export the search results to a .pst file.

By default, one Discovery mailbox is created for each organization, but administrators can create additional Discovery mailboxes using remote Windows PowerShell. Discovery mailboxes cannot be used for any purpose other than storing In-Place eDiscovery search results.

Administrators use either the Exchange admin center or remote Windows PowerShell to perform In-Place eDiscovery searches. The Exchange admin center can provide a read-only preview of the search results, enabling administrators to quickly verify a search and rerun it, if needed, with different parameters. Once a search is optimized, the administrator can copy the results to the Discovery mailbox or export search results to a PST file.

The Exchange admin center can search up to 5000 mailboxes at a time; remote Windows PowerShell can search an unlimited number of mailboxes.

In Exchange Online, authorized users can perform In-Place eDiscovery and choose one of the following actions:

  • Estimate search results   Get an estimate of the number of messages the search will return, including keyword statistics that show how effective each keyword is, so that search parameters can be tuned if required.

  • Preview search results   Review the matching items read-only in the web-based interface before copying anything.

  • Copy search results   Copy the messages returned by the search to a Discovery mailbox.

For more information, see In-Place eDiscovery.
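The hold-then-estimate-then-copy workflow from the In-Place Hold and In-Place eDiscovery sections above, in remote Windows PowerShell, as an added example (not code from the service description). It assumes an open remote PowerShell session to Exchange Online under an account authorized for discovery searches; the case name, custodian aliases, keywords and dates are placeholders.

```powershell
# Added example (not from the service description). Assumes an open remote
# PowerShell session to Exchange Online with discovery permissions; case name,
# aliases, keywords and dates are placeholders.

$caseName   = "Case 2014-017 Contoso v. Fabrikam"   # placeholder
$custodians = "asmith", "jdoe"                       # placeholder mailbox aliases

# KQL query: keyword terms, a sent-date window and a restriction to email items.
$query = '("project falcon" OR falcon) AND sent>=2013-01-01 AND sent<=2014-03-31 AND kind:email'

# 1. Preserve first. The query-based In-Place Hold keeps an original copy of
#    every matching item even if the user deletes or edits it, and MRM keeps
#    running, so the hold is transparent to the user. With no ItemHoldPeriod the
#    hold is indefinite; a day count would bound it instead.
New-MailboxSearch -Name "$caseName - Hold" `
    -SourceMailboxes $custodians `
    -SearchQuery $query `
    -InPlaceHoldEnabled $true

# 2. Estimate before copying: item and size counts plus per-keyword statistics,
#    so the query can be tuned without filling the Discovery mailbox.
New-MailboxSearch -Name "$caseName - Estimate" `
    -SourceMailboxes $custodians `
    -SearchQuery $query `
    -EstimateOnly `
    -IncludeKeywordStatistics
Start-MailboxSearch -Identity "$caseName - Estimate"

# Poll until the estimate finishes, then read the numbers.
do {
    Start-Sleep -Seconds 30
    $estimate = Get-MailboxSearch -Identity "$caseName - Estimate"
} while ($estimate.Status -notin "EstimateSucceeded", "EstimatePartiallySucceeded", "EstimateFailed")
$estimate | Format-List Status, ResultNumberEstimate, ResultSizeEstimate
$estimate.KeywordHits | Format-Table Phrase, Count, Size

# 3. Copy results to the Discovery mailbox once the query is right. One Discovery
#    mailbox exists by default in every organization; matching items in the
#    custodians' Deleted Items folders are included.
$discovery = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox |
    Select-Object -First 1 -ExpandProperty PrimarySmtpAddress
New-MailboxSearch -Name "$caseName - Copy" `
    -SourceMailboxes $custodians `
    -SearchQuery $query `
    -TargetMailbox $discovery `
    -IncludeUnsearchableItems `
    -LogLevel Full
Start-MailboxSearch -Identity "$caseName - Copy"

# 4. Audit view: which mailboxes are on hold, and under which holds.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.InPlaceHolds.Count -gt 0 -or $_.LitigationHoldEnabled } |
    Format-Table Name, LitigationHoldEnabled, InPlaceHolds
```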

You can use Exchange Transport rules to look for specific conditions on messages that pass through your organization and take action on them. Transport rules let you apply messaging policies to email messages, secure messages, protect messaging systems, and prevent information leakage.

Many organizations today are required by law, regulatory requirements, or company policies to apply messaging policies that limit the interaction between recipients and senders, both inside and outside the organization. In addition to limiting interactions among individuals, departmental groups inside the organization, and entities outside the organization, some organizations are also subject to the following messaging policy requirements:

  • Preventing inappropriate content from entering or leaving the organization

  • Filtering confidential organization information

  • Tracking or copying messages that are sent to or received from specific individuals

  • Redirecting inbound and outbound messages for inspection before delivery

  • Applying disclaimers to messages as they pass through the organization

Important:
Attachment file types that require installation of third-party iFilters on the email server (such as Adobe .pdf) cannot be inspected using Transport rules until after an appropriate iFilter is installed. For more information about file types that are supported by Transport rules, including information about extending the number of supported file types, see File Types That are Supported in Transport Rules.

For more information about Transport rules, see Transport Rules.

The data loss prevention (DLP) feature helps you identify, monitor, and protect sensitive information in your organization through deep content analysis. DLP is a premium feature that is increasingly important for enterprise messaging systems, because business-critical email includes sensitive data that needs to be protected. The DLP feature in Exchange Online enables you to protect sensitive data without affecting worker productivity.

You can configure DLP policies in the Exchange admin center (EAC) management interface, which allows you to:

  • Start with a pre-configured policy template that can help you detect specific types of sensitive information such as PCI-DSS data, Gramm-Leach-Bliley Act data, or even locale-specific personally identifiable information (PII).

  • Use the full power of existing transport rule predicates and actions and add new transport rules.

  • Test the effectiveness of your DLP policies before fully enforcing them.

  • Incorporate your own custom DLP policy templates and sensitive information types.

  • Detect sensitive information in message attachments, body text, or subject lines and adjust the confidence level at which Exchange Online takes action.

  • Detect sensitive form data by using Document Fingerprinting. Document Fingerprinting helps you easily create custom sensitive information types based on text-based forms that you can use to define transport rules and DLP policies.

  • Add Policy Tips, which can help reduce data loss by displaying a notice to your Outlook 2013, Outlook Web App, and OWA for Devices users and can also improve the effectiveness of your policies by allowing false-positive reporting.

  • Review incident data in DLP reports or add your own specific reports by using a generate incident report action.

For more information about DLP, see Data Loss Prevention.
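The DLP capabilities listed above, worked through in remote Windows PowerShell: a template-based policy in test mode, a fingerprinted form as a custom sensitive information type, a custom rule with a Policy Tip and incident reports, and the switch to enforcement. This is an added example, not code from the service description; it assumes an open remote PowerShell session to Exchange Online, and the policy name, form path and compliance address are placeholders.

```powershell
# Added example (not from the service description). Assumes an open remote
# PowerShell session to Exchange Online; policy name, form path and compliance
# address are placeholders.

# Which templates and built-in sensitive information types are available?
Get-DlpPolicyTemplate | Format-Table Name, PublisherName
Get-DataClassification | Format-Table Name, Publisher

# 1. Start from the PCI-DSS template in Audit mode: the generated rules evaluate
#    and log incidents, but users see no Policy Tips and nothing is blocked yet.
$template = Get-DlpPolicyTemplate | Where-Object { $_.Name -like "*PCI*" } | Select-Object -First 1
New-DlpPolicy -Name "Cardholder and patient data" -Template $template.Name -Mode Audit
Get-TransportRule -DlpPolicy "Cardholder and patient data" | Format-Table Priority, Name, State

# 2. Document Fingerprinting: a blank form becomes a custom sensitive information
#    type, so completed copies are detected by their content rather than by name.
$formBytes   = [System.IO.File]::ReadAllBytes("C:\Forms\PatientIntake.docx")   # placeholder path
$fingerprint = New-Fingerprint -FileData $formBytes -Description "Patient intake form (blank)"
New-DataClassification -Name "Patient Intake Form" -Fingerprints $fingerprint `
    -Description "Completed patient intake forms"

# 3. Custom rule attached to the policy. Outbound mail carrying a credit card
#    number at 85% confidence or better, or a fingerprinted form, is rejected
#    unless the sender overrides with a justification. NotifySender drives the
#    Policy Tip in Outlook 2013 / Outlook Web App; every hit also produces an
#    incident report for the compliance mailbox.
$classifications = @(
    @{ Name = "Credit Card Number"; MinCount = 1; MinConfidence = 85 },
    @{ Name = "Patient Intake Form" }
)
New-TransportRule -Name "Block cardholder and patient data leaving the organization" `
    -DlpPolicy "Cardholder and patient data" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications $classifications `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText "Sensitive data may not leave the organization unencrypted." `
    -SetAuditSeverity High `
    -GenerateIncidentReport "compliance@contoso.com"

# 4. After reviewing the incident reports from the audit period, enforce.
Set-DlpPolicy -Identity "Cardholder and patient data" -Mode Enforce
Get-DlpPolicy | Format-Table Name, Mode, State
```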

You can configure Exchange Online to journal copies of emails to any external mailbox that can receive messages via SMTP. Journaling can help your organization respond to legal, regulatory, and organizational compliance requirements by recording inbound and outbound email communications. When planning for messaging retention and compliance, it's important to understand journaling and how it fits in with your organization's compliance policies.

You can manage journal rules by using the Exchange admin center or remote Windows PowerShell. You can configure journaling on a per-user and per-distribution list basis, and choose to journal only internal messages, only external messages, or both. Journaled messages include not only the original message but also information about the sender, recipients, copies, and blind copies.

In order to ensure a successful and reliable journaling solution, you need to complete the following tasks:

  • Choose a journaling destination that is not an Exchange Online mailbox; Exchange Online mailboxes cannot be journaling targets.

  • Create a contact object in the customer directory for the SMTP target email address to be used for journaling.

  • Create a second contact object as an alternative journal mailbox to capture journal reports when the primary journal mailbox is unavailable.

  • Maintain proper management, redundancy, availability, performance, and functionality levels of the SMTP target to ensure that mail is accepted at all times.

  • Ensure interoperability with Exchange Server and Exchange transport, including message formats, integration of sender/recipient information, and appropriate content conversion.

For more information about journaling, see Journaling.
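The journaling setup whose prerequisites are listed above, in remote Windows PowerShell, as an added example (not code from the service description). It assumes an open remote PowerShell session to Exchange Online; the archive.example.net journal addresses and the contoso.com distribution groups are placeholders.

```powershell
# Added example (not from the service description). Assumes an open remote
# PowerShell session to Exchange Online; journal addresses and groups are placeholders.

# 1. Mail contacts for the external SMTP targets. The destination must be
#    outside Exchange Online; the second contact is the alternate journal mailbox.
New-MailContact -Name "Journal Archive" `
    -ExternalEmailAddress "journal@archive.example.net"
New-MailContact -Name "Journal Archive (alternate)" `
    -ExternalEmailAddress "journal-ndr@archive.example.net"

# Keep the journal contacts out of the address book so users cannot pick them
# as ordinary recipients.
Set-MailContact -Identity "Journal Archive" -HiddenFromAddressListsEnabled $true
Set-MailContact -Identity "Journal Archive (alternate)" -HiddenFromAddressListsEnabled $true

# 2. Alternate journal mailbox: receives the journal reports that the primary
#    target rejects (NDRs), so nothing is lost while the archive is unavailable.
Set-TransportConfig -JournalingReportNdrTo "journal-ndr@archive.example.net"

# 3. Journal rules. Scope Global covers internal and external mail; Internal or
#    External narrows the rule. Recipient may be a user or a distribution group.
New-JournalRule -Name "Journal all Finance mail" `
    -Recipient "finance@contoso.com" `
    -JournalEmailAddress "journal@archive.example.net" `
    -Scope Global `
    -Enabled $true

New-JournalRule -Name "Journal external mail for the trading desk" `
    -Recipient "trading@contoso.com" `
    -JournalEmailAddress "journal@archive.example.net" `
    -Scope External `
    -Enabled $true

# 4. Verify: every enabled rule targets an address outside Exchange Online and
#    the alternate mailbox is set. Each journal report wraps the original message
#    in an envelope that records the sender and the To, Cc and Bcc recipients.
Get-JournalRule | Format-Table Name, Scope, Recipient, JournalEmailAddress, Enabled
(Get-TransportConfig).JournalingReportNdrTo
```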

 

| Feature | Exchange Server 2013 | Office 365 Small Business | Office 365 Small Business Premium | Office 365 Midsize Business | Office 365 Enterprise E1 / Education A2 / Government G1 | Office 365 Enterprise E3 / Education A3 / Government G3 | Office 365 Enterprise E4 / Education A4 / Government G4 | Office 365 Enterprise K1 / Government K1 |
|---|---|---|---|---|---|---|---|---|
| Archiving Exchange Online-based Mailboxes | No | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Cloud-Based Archiving of On-Premises Mailboxes | Yes (1) | No | No | No | No | No | No | No |
| Retention Tags and Retention Policies | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Encryption of data at rest (BitLocker) | Yes (2) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IRM using Azure AD RM | No | No | No | No | No (3) | Yes | Yes | No (3) |
| IRM using Windows Server AD RMS | Yes (4) | No | No | Yes (4) | Yes (4) | Yes (4) | Yes (4) | Yes (4) |
| Office 365 Message Encryption | Yes (5) | No | No | No | No (3) | Yes (6) | Yes (6) | No (3) |
| S/MIME | Yes (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| In-Place Hold and Litigation Hold | Yes | No | No | No | No | Yes | Yes | No |
| In-Place eDiscovery | Yes | No | No | Yes | Yes | Yes | Yes | Yes |
| Transport Rules | Yes (8) | No | No | Yes (8) | Yes (8) | Yes (8) | Yes (8) | Yes (8) |
| Data Loss Prevention | Yes (9, 10) | No | No | No | No | Yes | Yes | No |
| Journaling | Yes | No | No | Yes | Yes | Yes | Yes | Yes |

Note:
(1) Requires an Exchange Online Archiving (EOA) subscription for each on-premises mailbox user that has a cloud-based archive.
(2) BitLocker Drive Encryption is supported for Exchange Server 2013, but an administrator needs to enable the feature.
(3) Azure AD RM isn't included but can be purchased as a separate add-on in order to enable the supported IRM features. Office 365 Message Encryption depends on Azure AD Rights Management.
(4) Windows Server AD RMS is an on-premises server that must be purchased and managed separately in order to enable the supported IRM features.
(5) Supported for Exchange Server 2013 on-premises customers who purchase Azure AD Rights Management. Office 365 Message Encryption requires on-premises customers to route email through Exchange Online, either by using Exchange Online Protection for email filtering or by establishing hybrid mail flow.
(6) Azure AD Rights Management (which includes Office 365 Message Encryption) is not available with Office 365 Government G3 or Office 365 Government G4.
(7) Available to Exchange Server 2013 SP1 customers.
(8) Transport rules are made up of predicates, which allow you to define conditions and exceptions, and actions to take based on the predicates. The available predicates and actions differ between Exchange Online and Exchange Server 2013. For a list of available predicates and actions, see the corresponding predicates and actions topics for each product.
(9) For Exchange 2013, DLP requires an Exchange Enterprise Client Access License (CAL). For more information about CALs and server licensing, see Exchange Server Licensing.
(10) Exchange Server 2013 customers need to download and install SP1 in order to access Document Fingerprinting and Policy Tips in OWA and OWA for Devices.

 

| Feature | Exchange Server 2013 | Exchange Online Plan 1 | Exchange Online Plan 2 | Exchange Online Kiosk |
|---|---|---|---|---|
| Archiving Exchange Online-based Mailboxes | Yes | Yes | Yes | No |
| Cloud-Based Archiving of On-Premises Mailboxes | Yes (1) | No | No | No |
| Retention Tags and Retention Policies | Yes | Yes | Yes | Yes |
| Encryption of data at rest (BitLocker) | Yes (2) | Yes | Yes | Yes |
| IRM using Azure AD RM | No | No (3) | No (3) | No (3) |
| IRM using Windows Server AD RMS | Yes (4) | Yes (4) | Yes (4) | Yes (4) |
| Office 365 Message Encryption | Yes (5) | No (3) | No (3) | No (3) |
| S/MIME | Yes (6) | Yes | Yes | Yes |
| In-Place Hold and Litigation Hold | Yes | No | Yes | No |
| In-Place eDiscovery | Yes | Yes | Yes | Yes |
| Transport Rules | Yes (7) | Yes (7) | Yes (7) | Yes (7) |
| Data Loss Prevention | Yes (8, 9) | No | Yes | No |
| Journaling | Yes | Yes | Yes | Yes |

Note:
(1) Requires an Exchange Online Archiving (EOA) subscription for each on-premises mailbox user that has a cloud-based archive.
(2) BitLocker Drive Encryption is supported for Exchange Server 2013, but an administrator needs to enable the feature.
(3) Azure AD RM isn't included but can be purchased as a separate add-on in order to enable the supported IRM features. Office 365 Message Encryption depends on Azure AD Rights Management.
(4) Windows Server AD RMS is an on-premises server that must be purchased and managed separately in order to enable the supported IRM features.
(5) Supported for Exchange Server 2013 on-premises customers who purchase Azure AD Rights Management. Office 365 Message Encryption requires on-premises customers to route email through Exchange Online, either by using Exchange Online Protection for email filtering or by establishing hybrid mail flow.
(6) Available to Exchange Server 2013 SP1 customers.
(7) Transport rules are made up of predicates, which allow you to define conditions and exceptions, and actions to take based on the predicates. The available predicates and actions differ between Exchange Online and Exchange Server 2013. For a list of available predicates and actions, see the corresponding predicates and actions topics for each product.
(8) For Exchange 2013, DLP requires an Exchange Enterprise Client Access License (CAL). For more information about CALs and server licensing, see Exchange Server Licensing.
(9) Exchange Server 2013 customers need to download and install SP1 in order to access Document Fingerprinting and Policy Tips in OWA and OWA for Devices.

If you have comments or questions about this topic, we'd love to hear from you. Just send your feedback to Office 365 Service Description Feedback. Your comments will help us provide the most accurate and concise content.

 
© 2014 Microsoft. All rights reserved.