Message Policy and Compliance

Office 365

Applies to: Office 365

Topic Last Modified: 2017-10-20

Exchange Online mailboxes reside in the cloud, and archiving them requires unique hosting environments. In some cases, Exchange Online can also be used to archive on-premises mailboxes in the cloud. The options for archiving with Exchange Online are described in this section.

Exchange Online provides built-in archiving capabilities for cloud-based mailboxes, including an In-Place Archive that gives users a convenient place to store older email messages. An In-Place Archive is a special type of mailbox that appears alongside a user’s primary mailbox folders in Outlook and Outlook Web App. Users can access and search the archive in the same way they access and search their primary mailboxes. Available functionality depends on the client in use:

  • Outlook 2016, Outlook 2013, Outlook 2010, and Outlook Web App   Users have access to the full features of the archive, as well as related compliance features like control over retention and archive policies.

  • Outlook 2007   Users have basic support for the In-Place Archive, but not all archiving and compliance features are available. For example, users cannot apply retention or archive policies to mailbox items and must rely on administrator-provisioned policies instead.

Administrators use the Exchange admin center or remote Windows PowerShell to enable the personal archive feature for specific users.

For more information, see:

Only one user’s messaging data can be stored in each personal archive. The allocation of storage depends on the subscription plan. For more information about archive mailbox sizes, see the “Mailbox storage limits” section in Exchange Online Limits.

Using journaling, transport rules, or auto-forwarding rules to copy messages to an Exchange Online mailbox for the purposes of archiving is not permitted. Microsoft reserves the right to deny unlimited archiving in instances where a mailbox archive is not being used in a personal scenario.

In-Place Archive has specific licensing requirements for Outlook users. Outlook 2007 users must have the Office 2007 Cumulative Update for February 2011 to access the personal archive.

Exchange Online does not support the New-MailboxImportRequest Windows PowerShell cmdlet of Exchange Server 2010 Service Pack 1 or later for administrator-driven import of .pst files into a personal archive. If a user has both the primary mailbox and the archive in Exchange Online, an administrator can use PST Capture, a free tool, to import .pst file data to the user’s primary mailbox or archive.

Using Exchange Online for cloud-based archiving of on-premises Exchange Server 2010 or later mailboxes is possible with Microsoft Exchange Online Archiving, a hosted archiving solution from Microsoft. This requires that the on-premises organization be in Hybrid mode or be set up for Exchange Online Archiving.

Users with an on-premises mailbox on an Exchange 2010 Mailbox server who have a Managed Folder policy applied cannot have an on-premises or cloud-based In-Place Archive enabled.

Exchange Online offers retention policies to help organizations reduce the liabilities associated with email and other communications. With these policies, administrators can apply retention settings to specific folders in users’ inboxes. Administrators can also give users a menu of retention policies and let them apply the policies to specific items, conversations, or folders using Outlook 2010 or later or Outlook Web App.

In Exchange Online, administrators manage retention policies by using the Exchange admin center (EAC) or remote Windows PowerShell.

Exchange Online offers two types of policies: archive policies and delete policies. Both types can be combined on the same item or folder. For example, a user can tag an email message to be automatically moved to the In-Place Archive in a specified number of days and deleted after another span of days.

With Outlook 2010 or later and Outlook Web App, users can apply retention policies to folders, conversations, or individual messages. They can also view the applied retention policies and expected deletion dates on messages. Users of other email clients can only have email messages deleted or archived based on server-side retention policies set by the administrator.

The retention policy capabilities offered in Exchange Online are the same as those offered in Exchange Server 2010 Service Pack 2 RU4. Administrators can use remote Windows PowerShell to migrate retention policies from on-premises Exchange Server 2010 or later environments to Exchange Online.

Managed Folders, an older approach to messaging records management that was introduced in Exchange Server 2007, are not available in Exchange Online.

For more information, see Retention Tags and Retention Policies.
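The archive and retention workflow described above, as an added example that is not part of the service description: it enables a user's In-Place Archive, then combines an archive tag and a delete tag in one policy as the text describes. The alias jdoe, the tag and policy names, and the day counts are placeholders; an Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the service description). Assumes an existing
# Exchange Online PowerShell session; 'jdoe' and all names are placeholders.

# 1. Enable the In-Place Archive; it appears next to the primary mailbox
#    folders in Outlook and Outlook Web App.
Enable-Mailbox -Identity 'jdoe' -Archive
Set-Mailbox -Identity 'jdoe' -ArchiveName 'In-Place Archive - jdoe'

# 2. Create the tags. Type 'All' makes a default policy tag that covers the
#    whole mailbox; a 'Personal' tag is offered to Outlook 2010+/OWA users so
#    they can apply it to individual items, conversations or folders.
$archiveTag = New-RetentionPolicyTag -Name 'Move to archive after 2 years' `
    -Type All -AgeLimitForRetention 730 -RetentionAction MoveToArchive

$deleteTag = New-RetentionPolicyTag -Name 'Delete after 7 years' `
    -Type All -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery

$personalTag = New-RetentionPolicyTag -Name 'Delete after 1 year (user choice)' `
    -Type Personal -AgeLimitForRetention 365 -RetentionAction DeleteAndAllowRecovery

# 3. Combine the archive tag and the delete tag in one policy (items move to
#    the archive at 2 years and are deleted at 7) and assign it.
New-RetentionPolicy -Name 'Corp Default Retention' `
    -RetentionPolicyTagLinks $archiveTag.Name, $deleteTag.Name, $personalTag.Name
Set-Mailbox -Identity 'jdoe' -RetentionPolicy 'Corp Default Retention'

# 4. Verify what is applied to the mailbox and which tags the policy links.
Get-Mailbox -Identity 'jdoe' | Format-List ArchiveStatus, RetentionPolicy
(Get-RetentionPolicy -Identity 'Corp Default Retention').RetentionPolicyTagLinks
```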

In Office 365, email data at rest is encrypted using BitLocker Drive Encryption. BitLocker encrypts the hard drives on a computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, as well as more secure data deletion when BitLocker-protected computers are decommissioned or recycled. To learn more, see BitLocker Overview. For more information about security features in Office 365, see the Office 365 Trust Center. If you are using Office 365 operated by 21Vianet, see the 21Vianet Trust Center.

Information Rights Management (IRM) allows an organization to prevent information leakage by restricting the rights that email recipients have on messages and attachments—such as whether they may forward a message to other recipients, print a message or attachment, or copy and paste message or attachment content.

Administrators can use the cloud-based Azure Information Protection or an on-premises Active Directory Rights Management Services (AD RMS) server in conjunction with Exchange Online. If an on-premises AD RMS server is deployed, Outlook can communicate directly with the server, enabling users to compose and read messages that are protected by AD RMS. There is no need for interoperability between the AD RMS server and Exchange Online in order to use the AD RMS features of Outlook.

Microsoft Exchange Server 2010 introduced advanced IRM-related AD RMS features that organizations can use with Exchange Online. To enable these features, administrators import the Trusted Publishing Domain (TPD) key from their AD RMS server to Exchange Online using remote Windows PowerShell.

After this one-time import, the following IRM-related features become available:

  • Support for IRM in Outlook Web App   Users can read and create IRM-protected messages natively in Outlook Web App. They can also view IRM-protected messages in Outlook Web App by using Internet Explorer, Firefox, Safari, and Chrome browsers (with no plug-in required). Viewing features include full-text search, conversation view, and the preview pane.

  • Support for IRM in Exchange ActiveSync   Users with mobile devices that support the IRM features of Exchange ActiveSync can open and work with IRM-protected messages without tethering the device or installing additional IRM software. Administrators can control this feature by using Role-Based Access Control (RBAC) or Exchange ActiveSync policies.

  • Search of IRM-protected messages   IRM-protected messages are indexed and searchable, including headers, subject, body, and attachments. Users can search protected items in Outlook and Outlook Web App and administrators can search protected items by searching multiple mailboxes.

  • Transport protection rules   Administrators can set up rules to automatically apply AD RMS protection to email (including Microsoft Office and XPS attachments) in transit. This provides persistent protection anywhere a file is sent and prevents forwarding, copying, or printing, depending on the rights policy template applied.

  • Journal report decryption   When journaling messages to an external archive, administrators can include both the IRM-protected message and a decrypted, clear-text copy of the message (including Microsoft Office and XPS attachments) in journal reports. This allows IRM-protected messages to be indexed and searched for legal and regulatory purposes.

  • Protected voice mail   Senders or administrators can apply Do Not Forward permissions to voice mail messages to prevent them from being forwarded to unauthorized persons, regardless of the email client.

  • Outlook Protection Rules   New to Outlook 2010, these rules automatically trigger Outlook to apply an Active Directory Rights Management Services template, based on sender or recipient identities, before users can send an email message. Unlike Transport Protection Rules, Outlook Protection Rules can be configured so that users can turn off protection for less-sensitive content.

For more information, see Information Rights Management in Exchange Online.
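The one-time Trusted Publishing Domain import and the feature switches it unlocks, as an added example rather than code from the service description. It assumes the TPD was exported from your on-premises AD RMS cluster to C:\rms\tpd.xml; the licensing URLs, group and user addresses, and the template name are placeholders for your own environment.

```powershell
# Added example (not from the service description). Assumes the TPD export
# file and the URLs/addresses below are replaced with your own values.

$tpdPassword = Read-Host -Prompt 'TPD export password' -AsSecureString
$tpdBytes = [System.IO.File]::ReadAllBytes('C:\rms\tpd.xml')

# One-time import of the Trusted Publishing Domain (server licensor
# certificate, private key and rights policy templates) into Exchange Online.
Import-RMSTrustedPublishingDomain -Name 'Contoso AD RMS TPD' `
    -FileData $tpdBytes -Password $tpdPassword `
    -ExtranetLicensingUrl 'https://rms.contoso.com/_wmcs/licensing' `
    -IntranetLicensingUrl 'https://rms.corp.contoso.com/_wmcs/licensing'

# Enable the server-side IRM features listed above: Outlook Web App /
# ActiveSync support, search of protected items, transport decryption for
# rules, and journal report decryption. 'Optional' lets mail that cannot be
# decrypted through; 'Mandatory' would reject it with an NDR.
Set-IRMConfiguration -InternalLicensingEnabled $true `
    -ClientAccessServerEnabled $true `
    -SearchEnabled $true `
    -TransportDecryptionSetting Optional `
    -JournalReportDecryptionEnabled $true

# Transport protection rule: apply a rights policy template in transit to
# mail between two groups, so protection travels with the message.
New-TransportRule -Name 'Protect finance-to-legal mail' `
    -FromMemberOf 'finance@contoso.com' -SentToMemberOf 'legal@contoso.com' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Confirm the tenant can obtain licenses for a sender before wider rollout.
Test-IRMConfiguration -Sender 'jdoe@contoso.com'
```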

Office 365 Message Encryption is an online service that allows email users to send encrypted email messages to anyone. To use this encryption service, Office 365 customers must have one of the following combinations:

  • An Office 365 subscription that includes Azure Rights Management as well as Exchange Online or Exchange Online Protection (EOP).

  • An Azure Information Protection subscription and an Office 365 subscription that includes Exchange Online or Exchange Online Protection (EOP).

On-premises customers can access Office 365 Message Encryption by purchasing Azure Information Protection and using Exchange Online Protection to set up mail flow through Exchange Online.

Office 365 Message Encryption allows you to:

  • Define mail flow rules for encryption. Administrators can use the Exchange Admin Center or Windows PowerShell to create rules to encrypt outgoing email messages and decrypt incoming encrypted replies to those messages.

  • Add branding to encrypted messages. Administrators can customize encrypted email and the OME portal with a company or organization brand.

  • Send encrypted messages. Messages that match admin-defined encryption rules are automatically encrypted before they’re sent. End users can also choose to encrypt email messages from within Outlook for PC, Outlook for Mac, and Outlook on the web.

  • View and reply to encrypted messages. Recipients who receive an encrypted email message sent to an Office 365 account in Outlook 2016 or Outlook on the web don't have to take any additional action to view the message. It works seamlessly. Recipients using other email clients and email service providers also have an improved experience.

For more information, see Office 365 Message Encryption.

S/MIME allows you to help protect sensitive information by sending signed and encrypted email within your organization. Administrators can use remote Windows PowerShell to set up S/MIME after establishing and issuing PKI certificates to users. These certificates must be synchronized from an on-premises Active Directory Certificate Services deployment.

S/MIME is supported on Internet Explorer 9 or later. Currently, S/MIME is unsupported on Firefox, Opera, and Chrome. For more information, see S/MIME for Message Signing and Encryption.

When a reasonable expectation of litigation exists, organizations are required to preserve electronically stored information (ESI), including email that's relevant to the case. This expectation can occur before the specifics of the case are known, and preservation is often broad. Organizations may preserve all email related to a specific topic, or all email for certain individuals.

In Exchange Online, you can use In-Place Hold or Litigation Hold to accomplish the following goals:

  • Enable users to be placed on hold and preserve mailbox items immutably

  • Preserve mailbox items deleted by users or automatic deletion processes such as MRM

  • Protect mailbox items from tampering, changes by a user, or automatic processes by saving a copy of the original item

  • Preserve items indefinitely or for a specific duration

  • Keep holds transparent from the user by not having to suspend MRM

  • Use In-Place eDiscovery to search mailbox items, including items placed on hold

Additionally, you can use In-Place Hold to:

  • Search and hold items matching specified criteria

  • Place a user on multiple In-Place Holds for different cases or investigations

When you put a mailbox on In-Place Hold or Litigation Hold, the hold is placed on both the primary and the archive mailbox.

For more information, see In-Place Hold and Litigation Hold.

Exchange Online enables customers to search the contents of mailboxes across an organization using a web-based interface. Administrators or compliance and security officials who have been granted permission to perform In-Place eDiscovery searches can search email messages, attachments, calendar appointments, tasks, contacts, and other items. In-Place eDiscovery can search simultaneously across primary mailboxes and archives. Rich filtering capabilities include sender, receiver, message type, sent/received date, and carbon copy/blind carbon copy, along with KQL syntax. Search results also include items in the Deleted Items folder if they match the search query.

Results of In-Place eDiscovery searches can be previewed in the web-based interface, exported to a PST file or copied to a special type of mailbox called a Discovery mailbox. A Discovery mailbox has a 50 GB quota for storing search results. Administrators can also connect Outlook to the Discovery mailbox to access search results, and export the search results to a .pst file.

Administrators use either the Exchange admin center or remote Windows PowerShell to perform multi-mailbox searches. The Exchange admin center can provide a read-only preview of the search results, enabling administrators to quickly verify a search and rerun it, if needed, with different parameters. Once a search is optimized, the administrator can copy the results to the Discovery mailbox.

By default, one Discovery mailbox is created for each organization, but administrators can create additional Discovery mailboxes using remote Windows PowerShell. Discovery mailboxes cannot be used for any purpose other than storing In-Place eDiscovery search results.

Administrators can use either the Exchange admin center or remote Windows PowerShell to search up to 10,000 mailboxes at a time in an In-Place eDiscovery search.

In Exchange Online, authorized users can perform In-Place eDiscovery and choose one of the following actions:

  • Estimate search results   Get an estimate of the number of messages the search will return, including keywords statistics to determine the effectiveness of keywords used in the search and tweak search parameters if required.

  • Preview search results.

  • Copy messages returned in search results to a Discovery mailbox.

For more information, see In-Place eDiscovery.
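One script covering both the hold section and the eDiscovery section above, added here as an example and not taken from the service description: a Litigation Hold on one mailbox, then a query-based In-Place Hold that doubles as the eDiscovery search, estimated first and copied to the Discovery mailbox only after the query is tuned. Mailbox aliases, the case name, keywords and dates are placeholders; an Exchange Online PowerShell session with eDiscovery permissions is assumed.

```powershell
# Added example (not from the service description). Aliases, case name,
# keywords and dates are placeholders.

# 1. Litigation Hold: preserve the primary and archive mailbox for 7 years
#    (2555 days). Deleted or edited items are kept in Recoverable Items,
#    and MRM keeps running, so the hold is transparent to the user.
Set-Mailbox -Identity 'jdoe' -LitigationHoldEnabled $true -LitigationHoldDuration 2555

# 2. Query-based In-Place Hold for one case. The same search object is the
#    eDiscovery search, so hold criteria and search criteria stay in sync.
#    The query uses KQL; StartDate/EndDate bound the sent/received date.
$caseName = 'Case-2017-042 Project Falcon'
New-MailboxSearch -Name $caseName `
    -SourceMailboxes 'jdoe', 'asmith' `
    -SearchQuery 'Falcon AND (contract OR invoice)' `
    -StartDate '01/01/2016' -EndDate '10/20/2017' `
    -InPlaceHoldEnabled $true -ItemHoldPeriod 365 `
    -EstimateOnly

# 3. Estimate first: the hit count and keyword statistics show whether the
#    query is too broad or too narrow before anything is copied.
Start-MailboxSearch -Identity $caseName
Get-MailboxSearch -Identity $caseName |
    Format-List Status, ResultNumberEstimate, ResultSizeEstimate

# 4. Once the query is right, switch off estimate mode and copy results
#    (with a full search log) into the tenant's Discovery mailbox, found by
#    recipient type rather than by hard-coding its name.
$discovery = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | Select-Object -First 1
Set-MailboxSearch -Identity $caseName -EstimateOnly:$false `
    -TargetMailbox $discovery.Identity -LogLevel Full
Start-MailboxSearch -Identity $caseName

# 5. Confirm both holds are recorded on the mailbox.
Get-Mailbox -Identity 'jdoe' | Format-List LitigationHoldEnabled, InPlaceHolds
```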

You can use Exchange Transport rules to look for specific conditions on messages that pass through your organization and take action on them. Transport rules let you apply messaging policies to email messages, secure messages, protect messaging systems, and prevent information leakage.

Many organizations today are required by law, regulatory requirements, or company policies to apply messaging policies that limit the interaction between recipients and senders, both inside and outside the organization. In addition to limiting interactions among individuals, departmental groups inside the organization, and entities outside the organization, some organizations are also subject to the following messaging policy requirements:

  • Preventing inappropriate content from entering or leaving the organization

  • Filtering confidential organization information

  • Tracking or copying messages that are sent to or received from specific individuals

  • Redirecting inbound and outbound messages for inspection before delivery

  • Applying disclaimers to messages as they pass through the organization

Attachment file types that require installation of third-party iFilters on the email server (such as Adobe .pdf) cannot be inspected using Transport rules until after an appropriate iFilter is installed. For more information about file types that are supported by Transport rules, including information about extending the number of supported file types, see File Types That are Supported in Transport Rules.

For more information about Transport rules, see Transport Rules.
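Transport rules for the policy requirements listed above (tracking copies, redirection for inspection, disclaimers, and blocking content), as an added example that is not part of the service description. The addresses and words are placeholders; the last rule shows the practice of creating a rule in audit mode and enforcing it only after checking the reports.

```powershell
# Added example (not from the service description). Addresses and words
# are placeholders; assumes an Exchange Online PowerShell session.

# Track: blind-copy every message sent to a monitored mailbox to a
# compliance mailbox (sender and recipient are unaware of the copy).
New-TransportRule -Name 'Track mail to CFO' `
    -SentTo 'cfo@contoso.com' -BlindCopyTo 'compliance-copies@contoso.com'

# Redirect for inspection: outbound mail carrying a confidentiality marker
# goes to a moderator and is delivered only if the moderator approves it.
New-TransportRule -Name 'Inspect marked outbound mail' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'Contoso Confidential' `
    -ModerateMessageByUser 'reviewer@contoso.com'

# Disclaimer: append to all outbound mail. 'Wrap' still delivers the
# disclaimer when the body cannot be altered (signed or encrypted mail).
New-TransportRule -Name 'Outbound disclaimer' `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText '<p>This message is intended for the named recipients only.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Block inappropriate content: create in Audit mode first (logged, not
# enforced), review the results, then switch the same rule to Enforce.
New-TransportRule -Name 'Block prohibited terms' `
    -SubjectOrBodyContainsWords 'placeholder-term-1', 'placeholder-term-2' `
    -RejectMessageReasonText 'Message blocked by organization policy' `
    -Mode Audit
Set-TransportRule -Identity 'Block prohibited terms' -Mode Enforce

# Rules are evaluated in priority order; confirm state and mode.
Get-TransportRule | Format-Table Name, Priority, State, Mode
```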

The data loss prevention (DLP) feature helps you identify, monitor, and protect sensitive information in your organization through deep content analysis. DLP is a premium feature that is increasingly important for enterprise message systems because business-critical email includes sensitive data that needs to be protected. The DLP feature in Exchange Online enables you to protect sensitive data without affecting worker productivity.

You can configure DLP policies in the Exchange admin center (EAC) management interface, which allows you to:

  • Start with a pre-configured policy template that can help you detect specific types of sensitive information such as PCI-DSS data, Gramm-Leach-Bliley act data, or even locale-specific personally identifiable information (PII).

  • Use the full power of existing transport rule criteria and actions and add new transport rules.

  • Test the effectiveness of your DLP policies before fully enforcing them.

  • Incorporate your own custom DLP policy templates and sensitive information types.

  • Detect sensitive information in message attachments, body text, or subject lines and adjust the confidence level at which Exchange Online takes action.

  • Detect sensitive form data by using Document Fingerprinting. Document Fingerprinting helps you easily create custom sensitive information types based on text-based forms that you can use to define transport rules and DLP policies.

  • Add Policy Tips, which can help reduce data loss by displaying a notice to your Outlook 2016, Outlook 2013, Outlook Web App, and OWA for Devices users and can also improve the effectiveness of your policies by allowing false-positive reporting.

  • Review incident data in DLP reports or add your own specific reports by using a generate incident report action.

For more information about DLP, see Data Loss Prevention.
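A DLP policy lifecycle matching the list above (template, test mode with Policy Tips, a custom transport rule with a confidence threshold and incident reports, then enforcement), added here as an example and not taken from the service description. The policy and rule names and the report address are placeholders, and the template is looked up by name because built-in template names are tenant-specific.

```powershell
# Added example (not from the service description). Names and addresses are
# placeholders; the template name is resolved from Get-DlpPolicyTemplate.

# 1. Pick a built-in template (here the PCI-DSS one) rather than hard-coding
#    its exact display name.
$template = Get-DlpPolicyTemplate | Where-Object { $_.Name -like '*PCI*' } | Select-Object -First 1

# 2. Create the policy in audit-and-notify mode: Policy Tips are shown in
#    Outlook 2013/2016 and OWA and users can report false positives, but
#    nothing is blocked yet.
New-DlpPolicy -Name 'PCI-DSS (pilot)' -Template $template.Name -Mode AuditAndNotify

# 3. Add a custom rule to the policy: a credit card number detected at 85%
#    confidence or higher in body or attachments, leaving the organization,
#    raises an incident report and notifies the sender.
New-TransportRule -Name 'PCI-DSS: card numbers leaving org' `
    -DlpPolicy 'PCI-DSS (pilot)' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = 'Credit Card Number'; MinCount = '1'; MinConfidence = '85' } `
    -GenerateIncidentReport 'dlp-incidents@contoso.com' `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetections, DataClassifications `
    -NotifySender NotifyOnly `
    -SetAuditSeverity High

# 4. After reviewing incident reports and false-positive feedback, enforce:
#    the policy switches to Enforce and the rule now rejects the message.
Set-DlpPolicy -Identity 'PCI-DSS (pilot)' -Mode Enforce
Set-TransportRule -Identity 'PCI-DSS: card numbers leaving org' `
    -NotifySender RejectMessage `
    -RejectMessageReasonText 'Card data may not leave the organization unencrypted'

Get-DlpPolicy | Format-Table Name, Mode, State
```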

You can configure Exchange Online to journal copies of emails to any external mailbox that can receive messages via SMTP. Journaling can help your organization respond to legal, regulatory, and organizational compliance requirements by recording inbound and outbound email communications. When planning for messaging retention and compliance, it's important to understand journaling and how it fits in with your organization's compliance policies.

You can manage journal rules by using the Exchange admin center or remote Windows PowerShell. You can configure journaling on a per-user and per-distribution list basis, and choose to journal only internal messages, only external messages, or both. Journaled messages include not only the original message but also information about the sender, recipients, copies, and blind copies.

In order to ensure a successful and reliable journaling solution, you need to complete the following tasks:

  • Use a journaling destination outside Exchange Online; an Exchange Online mailbox cannot be the journaling destination.

  • Create in the customer directory a contact object for the SMTP target email address to be used for journaling.

  • Create a second contact object as an alternative journal mailbox to capture any journal reports when the primary journal mailbox is unavailable.

  • Maintain proper management, redundancy, availability, performance, and functionality levels of the SMTP target to ensure successful mail acceptance at all times.

  • Provide respective interoperability with Exchange Server and Exchange transport including message formats, sender/recipient information integration, and appropriate content conversion.

For more information about journaling, see Journaling.
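The journaling setup tasks listed above carried through in one script, as an added example that is not part of the service description: mail contacts for an external SMTP target and its alternate, the alternate registered for undeliverable journal reports, and a journal rule scoped to external mail for one distribution group. The addresses and the group are placeholders.

```powershell
# Added example (not from the service description). Addresses and the group
# are placeholders; assumes an Exchange Online PowerShell session.

# 1. Contact objects for the primary and alternate journal targets. Both are
#    external SMTP addresses; an Exchange Online mailbox is not allowed.
New-MailContact -Name 'Journal Archive' `
    -ExternalEmailAddress 'journal@archive.example.net'
New-MailContact -Name 'Journal Archive (alternate)' `
    -ExternalEmailAddress 'journal-ndr@archive.example.net'

# 2. Route journal reports that cannot be delivered to the primary target
#    to the alternate instead of losing them when the target is down.
Set-TransportConfig -JournalingReportNdrTo 'journal-ndr@archive.example.net'

# 3. Journal rule: only messages exchanged with outside parties, for one
#    distribution group. Each journal report wraps the original message and
#    records sender, recipients, Cc and Bcc.
New-JournalRule -Name 'Journal traders external mail' `
    -JournalEmailAddress 'journal@archive.example.net' `
    -Scope External `
    -Recipient 'traders@contoso.com' `
    -Enabled $true

# 4. Verify. During target maintenance, pause with Disable-JournalRule
#    rather than deleting the rule so the configuration is preserved.
Get-JournalRule | Format-Table Name, Scope, Recipient, JournalEmailAddress, Enabled
Get-TransportConfig | Format-List JournalingReportNdrTo
```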

To view feature availability across Office 365 plans, standalone options, and on-premises solutions, see Exchange Online Service Description.
