Menu Close

How to Delete Emails From DiscoveryHolds (2023)

Today, I want to show you how you can delete emails from discoveryholds on a mailbox in Exchange Online.

We have a shared mailbox in Exchange Online that receives emails, which are processed and then deleted by an automated system. The emails are no longer needed or wanted after that. We don’t need an archive configuration, as we are not trying to retain any of it. This mailbox is currently deleting thousands of emails regularly until these backend displacement holding areas fill up, at which point the process no longer works. By doing this, the recoverable items quota will reach 100 GB and we will not be able to delete new messages.

How do we just purge them and be done?

Microsoft Purview offers several ways that your organization can prevent mailbox content from being permanently deleted. This allows your organization to retain content to meet compliance regulations or during legal and other types of investigations. Here’s a list of the retention features (also called holds) in Microsoft Purview and Microsoft 365.

  • Litigation Hold: Holds that are applied to user mailboxes in Exchange Online.
  • eDiscovery hold: Holds that are associated with a Microsoft Purview eDiscovery (Standard) case in the Microsoft Purview compliance portal. eDiscovery holds can be applied to user mailboxes and to the corresponding mailbox for Microsoft 365 Groups and Microsoft Teams.
  • Microsoft Purview retention policies: Can be configured to retain (or retain and then delete) content in user mailboxes in Exchange Online and in the corresponding mailbox for Microsoft 365 Groups and Microsoft Teams. There are two types of Microsoft Purview retention policies that can be assigned to mailboxes.
    • Specific location retention policies: These are policies that are assigned to the content locations of specific users. You use the Get-Mailbox cmdlet in Exchange Online PowerShell to get information about retention policies assigned to specific mailboxes. For more information about this type of retention policy, see Section A of the retention policy documentation for specific inclusions or exclusions.
    • Organization-wide retention policies: These are policies that are assigned to all content locations in your organization. You use the Get-OrganizationConfig cmdlet in Exchange Online PowerShell to get information about organization-wide retention policies. For more information about this type of retention policy, see Section A, “Policy that applies to entire locations,” in the retention policy documentation.
  • Microsoft Purview retention labels: If a user applies a Microsoft Purview retention label (one that’s configured to retain content or retain and then delete content) to any folder or item in their mailbox, a hold is placed on the mailbox as if the mailbox was placed on Litigation Hold or assigned to a Microsoft Purview retention policy. For more information, see identifying mailboxes on hold because a retention label has been applied to a folder or item.

To manage mailboxes on hold, you may have to identify the type of hold that’s placed on a mailbox so that you can perform tasks such as changing the hold duration, temporarily or permanently removing the hold, or excluding a mailbox from a Microsoft Purview retention policy. In these cases, the first step is to identify the type of hold placed on the mailbox. And because multiple holds (and different types of holds) can be placed on a single mailbox, you have to identify all holds placed on a mailbox if you want to remove or change a hold.

Step 1: Obtain the GUID for holds placed on a mailbox

You can run the following two cmdlets in Exchange Online PowerShell to get the GUID of the holds that are placed on a mailbox. After you obtain a GUID, you use it to identify the specific hold in Step 2. A litigation hold isn’t identified by a GUID. litigation holds are either enabled or disabled for a mailbox.

  • Get-Mailbox: Use this cmdlet to determine whether Litigation Hold is enabled for a mailbox and to get the GUIDs for eDiscovery Holds, In-Place Holds, and Microsoft Purview retention policies that are assigned to a mailbox. The output of this cmdlet will also indicate if a mailbox has been explicitly excluded from an organization-wide retention policy.
  • Get-OrganizationConfig: Use this cmdlet to get the GUIDs for organization-wide retention policies.

Run the following two commands to get information about the holds and Microsoft Purview retention policies applied to a mailbox:

1. Get-Mailbox | FL LitigationHoldEnabled,InPlaceHolds

To remove the litigation hold, Set-Mailbox “John” -LitigationHoldEnabled $False

To remove the InPlaceHold, check the Microsoft website.

If the InPlaceHolds property is empty when you run the Get-Mailbox cmdlet, there may still be one or more organization-wide Microsoft Purview retention policies applied to the mailbox. Run the following command in Exchange Online PowerShell to get a list of GUIDs for organization-wide Microsoft Purview retention policies:

2. Get-OrganizationConfig | FL InPlaceHolds

Note: If there are too many values in the InPlaceHolds property and not all of them are displayed, you can run the Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds command to display each GUID on a separate line.

Understanding the format of the InPlaceHolds value for retention policies

In addition to the prefix (mbx, skp, or grp) that identifies an item in the InPlaceHolds property as a Microsoft Purview retention policy, the value also contains a suffix that identifies the type of retention action that’s configured for the policy. For example, the action suffix is highlighted in bold type in the following examples:

kp127d7cf1076947929bf136b7a2a8c36f:1

mbx7cfb30345d454ac0a989ab3041051209:2

grp1a0a132ee8944501a4bb6a452ec31171:3

The following table defines the three possible retention actions:

delete emails from discoveryholds

Step 2: Use the GUID to identify the hold

After you obtain the GUID for a hold that is applied to a mailbox, the next step is to use that GUID to identify the hold. The following sections show how to identify the name of the hold (and other information) by using the hold GUID.

eDiscovery holds

Run the following commands in Security & Compliance PowerShell to identify an eDiscovery hold that’s applied to the mailbox. Use the GUID (not including the UniH prefix) for the eDiscovery hold that you identified in Step 1.

The first command creates a variable that contains information about the hold. This variable is used in the other commands. The second command displays the name of the eDiscovery case the hold is associated with. The third command displays the name of the hold and a list of the mailboxes the hold applies to.

$CaseHold = Get-CaseHoldPolicy

Get-ComplianceCase $CaseHold.CaseId | FL Name

$CaseHold | FL Name,ExchangeLocation

Use the Exchange admin center to remove an In-Place Hold

  1. Go to Compliance management > In-Place eDiscovery & Hold.
  2. In the list view, select the In-Place Hold you want to remove, and then click Edit.
  3. In In-Place eDiscovery & Hold properties, on the In-Place Hold page, clear the Place content matching the search query in selected sources on hold check box, and then click Save.
  4. Select the In-Place Hold again from the list view and then click Delete.
  5. In the warning, click Yes to remove the search.

Use the Exchange Management Shell to remove an In-Place Hold

This example first disables the in-place hold named Hold-CaseId012 and then removes the mailbox search.

Set-MailboxSearch “Hold-CaseId012” -InPlaceHoldEnabled $false; Remove-MailboxSearch “Hold-CaseId012”

Microsoft Purview retention policies

Connect to Security & Compliance PowerShell and run the following command to identify the Microsoft Purview retention policy (organization-wide or specific location) that’s applied to the mailbox. Use the GUID (not including the mbx, skp, or grp prefix or the action suffix) that you identified in Step 1.

Get-RetentionCompliancePolicy 17cfb30345d454ac0a989ab3041051209 -DistributionDetail | FL Name,*Location

In my case, the shared mailbox is not assigned to litigation hold and ediscovery hold but all users are added to the TeamsChatLocation and TeamsChannelLocation.

It indicates that the retention policy is configured to hold items. The policy doesn’t delete items after the retention period expires.

Note: By default, all teams and all users are selected, but you can refine this by selecting the Choose and Exclude options.

Now, to delete the emails that are held by the above organization, we need to exclude the mailbox from the retention compliance policy mentioned above.

You can run the command below to exclude the mailbox from the organization’s hold:

Set-RetentionCompliancePolicy 17cfb30345d454ac0a989ab3041051209 -AddTeamsChatLocationException “Shared Mailbox Email Address”

Once the mailbox is excluded, the emails will start getting deleted that were held by the retention compliance policy.

Note: Emails will be deleted permanently, and we cannot recover those deleted emails.

And run the commands below to immediately start messaging records management (MRM) processing of mailbox:

  1. Start-ManagedFolderAssistant -Identity “Shared Mailbox Email Address”
  2. Start-ManagedFolderAssistant -Identity “Shared Mailbox Email Address” -FullCrawl
  3. Start-ManagedFolderAssistant -Identity “Shared Mailbox Email Address” -HoldCleanup

If emails are still not being deleted from the primary mailbox, then check the retention policy assigned to the mailbox. I have set 1 day to permanently delete.

After applying the retention policy, run the below script to force the agent to process emails.

while($true)
{
start-managedfolderassistant “Email Address”
write-host “waiting”; start-sleep -seconds 300;
}

Well, that’s how you can delete emails from discoveryholds.

Now it’s your turn:

Did you find the article most interesting? Or maybe you have a question about something that I covered.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *