
Compliance Features in Exchange Online

 

Applies to: Office 365 for professionals and small businesses, Office 365 for enterprises, Live@edu

Topic Last Modified: 2011-12-19

The compliance features of Exchange Online help your organization meet legal, regulatory, and organizational compliance requirements in the following ways:

  • Preserve   Prevent the deletion of messages to comply with data retention requirements or legal requirements.
  • Discover   Search for relevant items relating to specific legal cases or requests from regulatory authorities.
  • Control   Control the flow of messages and implement actionable rules based on message content, or who sends and receives the message.
  • Protect   Encrypt content and enforce policies that apply to the use of e-mail.

For more information about the compliance, security, and privacy features in Microsoft Office 365, see the Office 365 Trust Center.

Compliance features in Exchange Online

  • Messaging records management (MRM)   MRM helps your organization keep e-mail messages and other messaging content that must be retained under company policy, government regulations, or legal requirements from being permanently deleted, whether by users or by messaging policies. MRM also lets you automatically remove older messaging content that has no legal or business value. MRM uses retention policies and retention tags to control how long items are kept in users' mailboxes and what action to take on items that reach a given age.
    See Set Up and Manage Retention Policies in Exchange Online with Windows PowerShell.
  • Discovery   Discovery is built on Multi-Mailbox Search, a GUI-based tool that allows legal and human resource professionals and other discovery managers to search primary and archive mailboxes across your organization for messages that match specified criteria. Because discovery searches don’t require full administrative permissions, you can grant regular users only the permissions they need to search mailboxes, and you can limit the scope of mailboxes that a person can search. The results of a multi-mailbox search can be printed or exported to a .PST file by using Microsoft Outlook.
    See Multi-Mailbox Searches.
  • Personal archive   You can create an archive mailbox, called a personal archive, for a user's primary cloud-based mailbox. Users can use the archive mailbox to store historical messaging data by moving or copying messages from their primary mailbox to their archive mailbox. Administrators and users can use MRM features to automatically move messages that reach a certain age to the archive mailbox. Because items in a user’s archive mailbox are indexed, archive mailboxes are included in a multi-mailbox search.
    See Enable an Archive Mailbox.
  • Litigation hold   You can put a litigation hold, also known as legal hold, on a mailbox to preserve e-mail messages and other mail items for an extended period. Litigation hold also prevents items from being permanently deleted. When a user's mailbox is put on litigation hold, the user can purge items from their mailbox but the items are retained indefinitely on the servers in the Microsoft datacenter. Litigation hold also maintains the version history for items that are modified.
    See Put a Mailbox on Litigation Hold.
  • Information rights management (IRM)   IRM provides online and offline protection of e-mail messages and supported attachments. IRM protection can be applied by users in Outlook or Outlook Web App, and it can be applied by administrators using transport protection rules and Outlook protection rules. IRM helps administrators and users control who can access, forward, print, or copy sensitive data within e-mail messages. Note that IRM requires that you have an Active Directory Rights Management Services (AD RMS) server deployed in your on-premises organization.
    See Set Up and Manage Information Rights Management in Exchange Online.
    Note   For a list of the file attachment types allowed and blocked in Outlook Web App, see the “File and attachment settings” section in Outlook Web App Mailbox Policies | Available Settings.
  • Transport rules and transport protection rules   Transport rules let you control the flow of, and apply messaging policies to, e-mail messages sent within your organization and sent into and out of your organization. Using transport rules, administrators define conditions (specific message attributes) and the actions to apply to any message that has those attributes. For example, you can use transport rules to append a disclaimer to messages sent outside your organization or to prevent e-mail communication between specific groups of users.
    Transport protection rules let you use transport rules to IRM-protect messages by applying an AD RMS rights policy template.
    See Organization-Wide Rules.
    Microsoft Live@edu   Outlook Live for Live@edu also provides supervision policies to help schools control who can send e-mail to and receive e-mail from the users in their institution. See Supervision Policies.
  • Journaling   Journaling can help your organization respond to legal, regulatory, and organizational compliance requirements by recording inbound and outbound e-mail communications. Journal rules are used to record, or "journal", the e-mail messages sent to or from specific recipients. When a message matches the criteria defined by the journal rule, a journal report that contains the original message is generated and sent to a journaling mailbox.
    See Journal Rules.
  • Audit logging   Auditing Reports is a GUI-based tool that helps your organization track access to a user’s mailbox by someone other than its owner (delegates and administrators), identify mailboxes that are on litigation hold, and identify any change made to administrator role groups. You can also export the administrator audit log, which records the configuration changes made by administrators.
    See Use Auditing Reports in Exchange Online.


Common compliance scenarios supported by Exchange Online

Let’s look at some of the most common compliance scenarios supported in Exchange Online.

 

  • Store historical messaging data for each user
  • Retain messaging data and remove it after the retention period expires
  • Collect, process, and review messaging data relevant to litigation
  • Prevent the removal or modification of mailbox items during litigation
  • Allow members of a legal team to enable and disable litigation hold
  • Allow members of a legal team to perform mailbox searches
  • Create a discovery mailbox for a specific legal case
  • Prevent e-mail communication between members of different departments, legal teams, or schools
  • Apply persistent protection to messages sent outside of the organization
  • Add a disclaimer to messages sent by users in your organization
  • Collect e-mail messages sent outside of your organization
  • Determine if a mailbox was accessed by someone other than the owner

Store historical messaging data for each user

To implement and manage an archive strategy for your organization, you can enable an archive mailbox for each user. This provides administrators and users a single, unified archive for managing historical data. MRM technology automatically moves items into a user’s archive mailbox and Multi-Mailbox Search searches archive mailboxes for items that meet the search criteria. See Enable an Archive Mailbox.

Retain messaging data and remove it after the retention period expires

To help organizations meet business, legal, or regulatory requirements, a default retention policy is applied to all Exchange Online mailboxes. This retention policy applies retention settings to the following default mail folders in a user’s mailbox:

  • Deleted Items   Applies to messages in the Deleted Items folder. Thirty days after a user deletes a message, the message is removed from the Deleted Items folder and moved into the Recoverable Items folder, also called the dumpster. It is no longer visible in the mailbox, but it has not yet left the mailbox: a user can recover items in the Recoverable Items folder by using the Recover Deleted Items feature in Outlook or Outlook Web App.
  • Junk E-mail   Applies to messages in the Junk E-mail folder. Thirty days after a junk e-mail message is moved or sent to the user’s Junk E-mail folder, the message is removed from the folder and moved into the Recoverable Items folder in the same way.
  • Recoverable Items   Applies to messages in the Recoverable Items folder. Fourteen days after a message is moved to the Recoverable Items folder, it is moved to the Recoverable Items folder in the user’s archive mailbox. At this point, only an administrator can recover an item by using single item recovery in Exchange Online. If the user doesn’t have an archive mailbox, no action is taken and the item remains in the Recoverable Items folder in the user’s primary mailbox.
    Note   Users can remove, or purge, items from the Recoverable Items folder using the Recover Deleted Items feature in Outlook or Outlook Web App. Single item recovery retains purged items for an additional 14 days; after 14 days, MRM moves purged items to the Recoverable Items folder in the user’s archive mailbox.

All other items in the user’s mailbox that aren’t affected by these retention settings are moved to the user’s archive mailbox after two years. Exchange Online also provides default personal retention tags that users can apply to folders and individual items in their mailbox. See the following:
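The retention behavior described in this scenario can be reproduced and checked from Windows PowerShell. The following is an added example, not code from the original page or from Microsoft. It assumes a Remote PowerShell connection to Exchange Online over the 2011-era endpoint, and the tag names, the policy name and the mailbox alice@contoso.com are made up. It also makes the retention terminology concrete: an item that reaches its age limit under a DeleteAndAllowRecovery tag is moved into Recoverable Items, not destroyed, and only the Recoverable Items tag and the dumpster window decide when it leaves the primary mailbox.

```powershell
# Added example: rebuild the default retention behaviour as explicit tags and
# a policy, apply it to archive-enabled mailboxes, and verify. All names are
# assumptions; the endpoint is the 2011 Exchange Online Remote PowerShell URL.
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://ps.outlook.com/powershell/" `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session

# Folder tags (Type = the default folder they apply to). DeleteAndAllowRecovery
# means "move to Recoverable Items", not "destroy": the item stays recoverable
# until the Recoverable Items tag below moves it to the archive.
New-RetentionPolicyTag -Name "Deleted Items 30 days" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery
New-RetentionPolicyTag -Name "Junk E-mail 30 days" -Type JunkEmail `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery
# Recoverable Items tags support only MoveToArchive.
New-RetentionPolicyTag -Name "Recoverable Items 14 days to archive" -Type RecoverableItems `
    -AgeLimitForRetention 14 -RetentionAction MoveToArchive
# Default policy tag (Type All): anything without a more specific tag.
New-RetentionPolicyTag -Name "Default 2 years to archive" -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive
# Personal tags that users can apply to folders or items themselves.
New-RetentionPolicyTag -Name "Personal never move to archive" -Type Personal `
    -RetentionAction MoveToArchive -RetentionEnabled $false
New-RetentionPolicyTag -Name "Personal 1 year delete" -Type Personal `
    -AgeLimitForRetention 365 -RetentionAction DeleteAndAllowRecovery

$tagLinks = @(
    "Deleted Items 30 days"
    "Junk E-mail 30 days"
    "Recoverable Items 14 days to archive"
    "Default 2 years to archive"
    "Personal never move to archive"
    "Personal 1 year delete"
)
New-RetentionPolicy -Name "Contoso Default Retention" -RetentionPolicyTagLinks $tagLinks

# MoveToArchive does nothing for a mailbox without an archive, so apply the
# policy to archive-enabled mailboxes only (-Archive returns just those).
Get-Mailbox -ResultSize Unlimited -Archive |
    Set-Mailbox -RetentionPolicy "Contoso Default Retention"

# Process one mailbox now instead of waiting for the scheduled run.
Start-ManagedFolderAssistant -Identity "alice@contoso.com"

# Verify the tag set and the mailbox's effective settings. RetainDeletedItemsFor
# is the Recoverable Items window (14 days by default); LitigationHoldEnabled
# true suspends all of the above for that mailbox.
Get-RetentionPolicyTag |
    Format-Table Name, Type, AgeLimitForRetention, RetentionAction, RetentionEnabled
Get-Mailbox -Identity "alice@contoso.com" |
    Format-List RetentionPolicy, ArchiveGuid, RetainDeletedItemsFor, SingleItemRecoveryEnabled, LitigationHoldEnabled
```

The tags are created with the same ages the page lists (30, 30, 14 and 730 days) so the output of Get-RetentionPolicyTag can be compared directly against the defaults; the last Format-List is the one-screen check that a given mailbox actually has the policy, an archive to move into, and no hold overriding it.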

Collect, process, and review messaging data relevant to litigation

To comply with legal discovery requests, organizations can use the discovery features in Exchange Online to collect, process, and review e-mail messages relevant to a legal case. See the following:

Note   Your organization has to implement a hybrid deployment to search mailboxes in both your on-premises and cloud-based organizations. For more information, see Exchange Hybrid Deployment and Migration with Office 365.


Prevent the removal or modification of mailbox items during litigation

If an organization is informed of a pending litigation, it must preserve relevant data such as e-mail that may be used as evidence. To retain e-mail related to a legal case, mailboxes can be put on litigation hold. Then, as part of legal discovery, a mailbox on litigation hold can be searched to find items relevant to the case. When litigation hold is enabled, it is also applied to the user’s archive mailbox. See the following:

Allow members of a legal team to enable and disable litigation hold

You can assign members of your legal team or other authorized personnel the necessary permissions to use the Exchange Control Panel to put a mailbox on litigation hold. See Put a Mailbox on Litigation Hold.

Allow members of a legal team to perform mailbox searches

You can also give members of a legal team the necessary permissions to use the Discovery features in Exchange Online. This enables lawyers, legal team members, and discovery managers to use the Exchange Control Panel to perform multi-mailbox searches. See Give Users Access to Multi-Mailbox Search.

Create a discovery mailbox for a specific legal case

Discovery search results are copied to a discovery mailbox. A default Discovery Search Mailbox is created for each Exchange Online organization. However, administrators can create additional discovery search mailboxes, each with a 50 GB default quota, for specific legal cases or legal teams. Administrators then assign permissions to discovery managers to access the discovery mailbox. See the following:
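The four scenarios above (litigation hold, delegated hold and search rights, a per-case discovery mailbox, and the search itself) are usually scripted together when a case opens. The following is an added example and not code from the page or from Microsoft. It assumes an imported Exchange Online Remote PowerShell session, and the custodian addresses, reviewer account, department filter and case number are made up. Instead of adding the reviewer to the Discovery Management role group, it assigns the Legal Hold and Mailbox Search roles under a custom recipient scope, which is the least-privilege form of "give members of the legal team the necessary permissions" and matches the page's point that the scope of searchable mailboxes can be limited.

```powershell
# Added example (assumed names throughout): open a case in Exchange Online.
$custodians = "alice@contoso.com", "bob@contoso.com"
$reviewer   = "legal.reviewer@contoso.com"
$caseBox    = "Discovery - Case 2011-014"
$searchName = "Case 2011-014 - Project Falcon"

# 1. Litigation hold on each custodian's mailbox. The user can still delete,
#    but nothing is purged from the server; the archive mailbox is covered too.
foreach ($m in $custodians) {
    Set-Mailbox -Identity $m -LitigationHoldEnabled $true `
        -RetentionComment "Case 2011-014: mail in this mailbox is preserved for litigation." `
        -RetentionUrl "https://intranet.contoso.com/legal/case-2011-014"
}
# Hold date and who set it are recorded automatically; use this to audit holds.
Get-Mailbox -ResultSize Unlimited -Filter { LitigationHoldEnabled -eq $true } |
    Format-Table Name, LitigationHoldDate, LitigationHoldOwner

# 2. Least privilege for the reviewer: a recipient scope limits both the
#    "Legal Hold" and "Mailbox Search" roles to the mailboxes that matter.
#    (Add-RoleGroupMember "Discovery Management" would grant org-wide rights.)
New-ManagementScope -Name "Legal - Finance mailboxes" `
    -RecipientRestrictionFilter { Department -eq "Finance" }
New-ManagementRoleAssignment -Name "Legal hold - Finance" -Role "Legal Hold" `
    -User $reviewer -CustomRecipientWriteScope "Legal - Finance mailboxes"
New-ManagementRoleAssignment -Name "Mailbox search - Finance" -Role "Mailbox Search" `
    -User $reviewer -CustomRecipientWriteScope "Legal - Finance mailboxes"

# 3. A discovery mailbox for this case only (50 GB default quota). Results
#    copied here are visible only to whoever is granted Full Access.
New-Mailbox -Name $caseBox -Alias "discovery-2011-014" -Discovery
Add-MailboxPermission -Identity $caseBox -User $reviewer `
    -AccessRights FullAccess -InheritanceType All

# 4. The search: keywords, a date window and the source mailboxes; matches
#    (archive mailboxes included) are copied into the case mailbox.
New-MailboxSearch -Name $searchName `
    -SourceMailboxes $custodians `
    -SearchQuery '"Project Falcon" OR (contract AND amendment)' `
    -StartDate "01/01/2011" -EndDate "09/30/2011" `
    -TargetMailbox $caseBox `
    -LogLevel Full -StatusMailRecipients $reviewer
# Start it only if it is not already running, then check progress.
$search = Get-MailboxSearch -Identity $searchName
if ($search.Status -eq "NotStarted" -or $search.Status -eq "Stopped") {
    Start-MailboxSearch -Identity $searchName
}
Get-MailboxSearch -Identity $searchName |
    Format-List Status, PercentComplete, ResultNumber, ResultSize
```

Hold first, permissions second, search last: a search run before the hold is in place can only return what has not yet aged out of Recoverable Items, so the order is part of the control, not just a convenience.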

Prevent e-mail communication between members of different departments, legal teams, or schools

Your organization may need to prevent conflicts of interest that might result when members of different departments, legal teams, or schools have the capability to share sensitive information. To address this, organizations can prevent different groups of users from exchanging e-mail. This type of restriction is sometimes called an ethical wall. Here are some examples:

  • Law firms that need to maintain client confidentiality need to restrict mail flow to personnel working on specific legal cases.
  • In investment organizations, where market researchers may have confidential information that might influence a broker, regulatory requirements frequently state that those two groups must be prevented from communicating in any way.
  • School districts that want to prevent students in different schools from using their school accounts to exchange e-mail.

See Use Rules to Prevent Mail Flow Between Specific Groups.


Apply persistent protection to messages sent outside of the organization

If users in your organization have to send e-mail messages with financial, legal, or other confidential information to recipients outside of your organization, you can create transport protection rules that apply a Rights Management Services (RMS) template to protect content in e-mail messages. Depending on the settings you specify in the RMS template, recipients are prevented from performing actions such as forwarding, copying, or printing an IRM-protected message. You can also use transport rules to apply RMS templates to messages sent by members of a distribution group or sent by members of a specific department. See the following:

Add a disclaimer to messages sent by users in your organization

You can use transport rules to automatically add text, commonly called a disclaimer, to e-mail messages. Disclaimers are typically used to provide legal information, compliance information, or for other reasons specific to your organization. See Add Disclaimers to Messages.
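The three transport-rule scenarios above (the ethical wall, the transport protection rule that applies an RMS template, and the outbound disclaimer) are all instances of New-TransportRule with different conditions and actions. The following is an added example and not code from the page or from Microsoft; it assumes an imported Exchange Online Remote PowerShell session, and the group addresses, the exception account, the disclaimer text and the rule names are made up. The "Do Not Forward" template is a built-in RMS template, but it is only usable once IRM has been set up for the organization as the IRM feature section describes, which is why the example lists the available templates before referencing one.

```powershell
# Added example (assumed group, address and template names): three transport
# rules for the three scenarios above. Assumes an imported Exchange Online
# Remote PowerShell session.

# Ethical wall: reject mail in either direction between two groups, with an
# exception for the compliance officer. The reject text is what senders see.
New-TransportRule -Name "Ethical wall - Research / Brokerage" `
    -BetweenMemberOf1 "research@contoso.com" -BetweenMemberOf2 "brokerage@contoso.com" `
    -ExceptIfFrom "compliance.officer@contoso.com" `
    -RejectMessageReasonText "Mail between Research and Brokerage is blocked by policy EW-1." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Priority 0

# Transport protection rule: IRM-protect outbound mail that is marked
# confidential. Needs IRM already configured; list the templates you actually
# have before referencing one by name.
Get-RMSTemplate | Format-Table Name, Description
New-TransportRule -Name "Protect confidential outbound mail" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Confidential", "Internal Only" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Priority 1

# Disclaimer on outbound mail. The fallback action decides what happens when
# the body cannot be changed (for example signed or encrypted mail): Wrap keeps
# the message flowing with the disclaimer as an envelope; Reject would bounce it.
$disclaimer = "<p style='font-size:9pt;color:#666'>This message is intended only for the named recipient. " +
              "If you received it in error, notify the sender and delete it.</p>"
New-TransportRule -Name "External disclaimer" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText $disclaimer `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 2

# Rules run in priority order (0 first). Check the order and that all are on.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State
```

The ethical wall is deliberately given the lowest priority number so that a blocked message is rejected before the disclaimer or protection rules spend effort on it, and the final listing is the check that no earlier rule is disabled or ordered ahead of it.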

Collect e-mail messages sent outside of your organization

To comply with regulatory requirements, your organization may need to collect all e-mail messages sent to external recipients. In this case, you can create a journal rule to generate a journal report for every message sent outside of your organization. You can also create journal rules for messages sent to or received by specific users or by members of a distribution group. See Create Journal Rules.
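The journal rules described above, as an added example that is not code from the page or from Microsoft. It assumes an imported Exchange Online Remote PowerShell session; the journaling address, the group address and the NDR mailbox are made up. Exchange Online does not accept one of its own mailboxes as the journaling mailbox, so the example points reports at an address outside the organization (an on-premises mailbox or an archiving service). The last step is the caveat a practitioner wants: a journal report that the journaling mailbox rejects bounces, and unless an NDR address is configured that bounce is the only record of the gap.

```powershell
# Added example (assumed addresses): journal all mail with an external
# recipient, plus a narrower rule for one group. Assumes an imported Exchange
# Online session.

# Scope External = messages with at least one external sender or recipient;
# Global = every message; Internal = only internal-to-internal traffic.
New-JournalRule -Name "All external mail - regulatory" `
    -JournalEmailAddress "journal@archive.contoso-partner.com" `
    -Scope External -Enabled $true

# Narrower rule: every message sent to or from a distribution group's members.
New-JournalRule -Name "Trading desk - all mail" `
    -Recipient "trading-desk@contoso.com" `
    -JournalEmailAddress "journal@archive.contoso-partner.com" `
    -Scope Global -Enabled $true

# If the journaling mailbox rejects a report, the report bounces. Route those
# NDRs to a mailbox that somebody monitors so a broken archive is noticed.
Set-TransportConfig -JournalingReportNdrTo "journal-ndr@contoso.com"

# Verify both rules and the NDR target.
Get-JournalRule | Format-Table Name, Scope, Recipient, JournalEmailAddress, Enabled
Get-TransportConfig | Format-List JournalingReportNdrTo
```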

Determine if a mailbox was accessed by someone other than the owner

By default, only mailbox owners can access a mailbox, but permissions to access the mailbox can be assigned to other users, such as delegates or administrators. If you have legal, human resource, or IT reasons to suspect that a mailbox was accessed by or tampered with by someone other than the mailbox owner, you can run a non-owner mailbox access report. See Run a Non-Owner Mailbox Access Report.
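The non-owner access report above reads the mailbox audit log, and that log is empty unless auditing was enabled for the mailbox beforehand: an empty report for a mailbox that was never audited is not evidence that nobody looked. The following is an added example and not code from the page or from Microsoft; it assumes an imported Exchange Online Remote PowerShell session, and the mailbox and recipient addresses are made up. It enables mailbox auditing, runs the non-owner search synchronously and as a mailed report, and then uses the administrator audit log (the export mentioned under Audit logging) to answer the follow-up question of who changed hold, audit or role group settings.

```powershell
# Added example (assumed mailbox and recipient names): find non-owner access
# to a mailbox, and see who changed hold, audit or role settings.

# 1. Mailbox audit logging is off by default. Turn it on for the mailboxes
#    you may need to investigate, before you need the report.
#    AuditLogAgeLimit is a TimeSpan (days.hours:minutes:seconds).
$sensitive = "ceo@contoso.com", "cfo@contoso.com"
foreach ($m in $sensitive) {
    Set-Mailbox -Identity $m -AuditEnabled $true `
        -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf `
        -AuditAdmin Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,MessageBind `
        -AuditLogAgeLimit "365.00:00:00"
}
# Which mailboxes are still unaudited?
Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled } |
    Format-Table Name, AuditEnabled

# 2. Synchronous search, last 30 days, delegate and admin logons only (owner
#    actions are not logged). FolderBind/MessageBind entries show reads;
#    HardDelete and SendAs are the ones that usually matter in a dispute.
Search-MailboxAuditLog -Identity "ceo@contoso.com" -LogonTypes Admin,Delegate `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails -ResultSize 5000 |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation, OperationResult,
                  FolderPathName, ItemSubject, ClientIPAddress, ClientInfoString |
    Sort-Object LastAccessed | Format-Table -AutoSize

# 3. Same question over several mailboxes, as an asynchronous report mailed
#    as an XML attachment to the security team.
New-MailboxAuditLogSearch -Name "Non-owner access - executive mailboxes" `
    -Mailboxes $sensitive -LogonTypes Admin,Delegate -ShowDetails `
    -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -StatusMailRecipients "security@contoso.com"

# 4. Administrator audit log: who switched auditing or litigation hold on or
#    off, and who changed role group membership or role assignments.
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters AuditEnabled,LitigationHoldEnabled `
    -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, ObjectModified, Succeeded,
        @{ n = "Parameters"; e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; " } } |
    Format-Table -AutoSize
Search-AdminAuditLog -Cmdlets Add-RoleGroupMember,Remove-RoleGroupMember,New-ManagementRoleAssignment `
    -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) |
    Format-Table RunDate, Caller, CmdletName, ObjectModified
```

Step 4 is what closes the loop on step 1: an administrator who wants to read a mailbox unobserved can first disable auditing on it, and the only place that action is recorded is the administrator audit log.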


Compliance feature availability

Use the following table to see the compliance features available in Exchange Online for Microsoft Office 365 and Microsoft Live@edu.

 

Compliance feature            | Office 365 for professionals and small businesses                      | Office 365 for enterprises                                                                                                            | Live@edu
------------------------------|------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|---------
Personal archive              | Yes (combined total size of 25 GB for primary and archive mailboxes)   | Yes (combined total size of 25 GB for primary and archive mailboxes; 100 GB default quota with an Exchange Online (Plan 2) subscription or higher) | No
Messaging records management  | Yes                                                                    | Yes                                                                                                                                   | Yes
Litigation hold               | No                                                                     | Yes; requires an Exchange Online (Plan 2) subscription or higher                                                                      | No
Multi-Mailbox Search          | No                                                                     | Yes                                                                                                                                   | Yes
Information rights management | No                                                                     | Yes                                                                                                                                   | No
Transport rules               | No                                                                     | Yes                                                                                                                                   | Yes
Journaling                    | No                                                                     | Yes                                                                                                                                   | Yes
Audit logging                 | Yes                                                                    | Yes                                                                                                                                   | Yes
