Identify Exchange mailbox hold types in eDiscovery (preview)

Microsoft Purview offers several ways that your organization can prevent mailbox content from being permanently deleted. This allows your organization to retain content to meet compliance regulations or during legal and other types of investigations.

Hold types

Here's a list of the retention features (also called holds) in Microsoft Purview and Microsoft 365:

  • Litigation Hold: Holds that are applied to user mailboxes in Exchange Online.

  • eDiscovery hold: Holds that are associated with an eDiscovery (preview) case in the Microsoft Purview portal. You can place a hold on the Exchange mailboxes and OneDrive accounts of people you're investigating in the case. You can also place a hold on the mailboxes and sites that are associated with Microsoft Teams, Microsoft 365 groups, and Viva Engage Groups.

  • Microsoft Purview retention policies: Can be configured to retain (or retain and then delete) content in user mailboxes in Exchange Online and in the corresponding mailbox for Microsoft 365 Groups and Microsoft Teams. You can also create a retention policy to retain Skype for Business Conversations, which are stored in user mailboxes.

    There are two types of Microsoft Purview retention policies that can be assigned to mailboxes.

    • Specific location retention policies: These are policies that are assigned to the content locations of specific users. You use the Get-Mailbox cmdlet in Exchange Online PowerShell to get information about retention policies assigned to specific mailboxes. For more information about this type of retention policy, see the section A policy with specific inclusions or exclusions from the retention policy documentation.
    • Organization-wide retention policies: These are policies that are assigned to all content locations in your organization. You use the Get-OrganizationConfig cmdlet in Exchange Online PowerShell to get information about organization-wide retention policies. For more information about this type of retention policy, see the section A policy that applies to entire locations from the retention policy documentation.
  • Microsoft Purview retention labels: If a user applies a Microsoft Purview retention label (one that's configured to retain content or retain and then delete content) to any folder or item in their mailbox, a hold is placed on the mailbox as if the mailbox was placed on Litigation Hold or assigned to a Microsoft Purview retention policy. For more information, see the Identifying mailboxes on hold because a retention label was applied to a folder or item section in this article.

To manage mailboxes on hold, you may have to identify the type of hold that's placed on a mailbox so that you can perform tasks such as changing the hold duration, temporarily or permanently removing the hold, or excluding a mailbox from a Microsoft Purview retention policy. In these cases, the first step is to identify the type of hold placed on the mailbox. And because multiple holds (and different types of holds) can be placed on a single mailbox, you have to identify all holds placed on a mailbox if you want to remove or change a hold.

Step 1: Obtain the GUID for holds placed on a mailbox

You can run the following two cmdlets in Exchange Online PowerShell to get the GUID of the holds that are placed on a mailbox. After you obtain a GUID, you use it to identify the specific hold in Step 2. A Litigation Hold isn't identified by a GUID. Litigation Holds are either enabled or disabled for a mailbox.

  • Get-Mailbox: Use this cmdlet to determine whether Litigation Hold is enabled for a mailbox and to get the GUIDs for eDiscovery holds and Microsoft Purview retention policies that are assigned to a mailbox. The output of this cmdlet will also indicate if a mailbox has been explicitly excluded from an organization-wide retention policy.
  • Get-OrganizationConfig: Use this cmdlet to get the GUIDs for organization-wide retention policies.

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

Get-Mailbox

Run the following command to get information about the holds and Microsoft Purview retention policies applied to a mailbox.

Get-Mailbox <username> | FL LitigationHoldEnabled,InPlaceHolds

Tip

If there are too many values in the InPlaceHolds property and not all of them are displayed, you can run the Get-Mailbox <username> | Select-Object -ExpandProperty InPlaceHolds command to display each GUID on a separate line.

The following table describes how to identify different types of holds based on the values in the InPlaceHolds property when you run the Get-Mailbox cmdlet.

| Hold type | Example value | How to identify the hold |
| --- | --- | --- |
| Litigation Hold | True | Litigation Hold is enabled for a mailbox when the LitigationHoldEnabled property is set to True. |
| eDiscovery hold | UniH7d895d48-7e23-4a8d-8346-533c3beac15d | The InPlaceHolds property contains the GUID of any hold associated with an eDiscovery case in the Microsoft Purview portal. You can tell this is an eDiscovery hold because the GUID starts with the UniH prefix (which denotes a Unified Hold). |
| Microsoft Purview retention policy applied to the mailbox | mbxcdbbb86ce60342489bff371876e7f224:1 or skp127d7cf1076947929bf136b7a2a8c36f:3 | The InPlaceHolds property contains GUIDs of any specific location retention policy that's applied to the mailbox. You can identify retention policies because the GUID starts with the mbx or the skp prefix. The skp prefix indicates that the retention policy is applied to Skype for Business conversations in the user's mailbox. |
| Excluded from an organization-wide Microsoft Purview retention policy | -mbxe9b52bf7ab3b46a286308ecb29624696 | If a mailbox is excluded from an organization-wide Microsoft Purview retention policy, the GUID for the retention policy that the mailbox is excluded from is displayed in the InPlaceHolds property and is identified by the -mbx prefix. |

Get-OrganizationConfig

If the InPlaceHolds property is empty when you run the Get-Mailbox cmdlet, there still may be one or more organization-wide Microsoft Purview retention policies applied to the mailbox. Run the following command in Exchange Online PowerShell to get a list of GUIDs for organization-wide Microsoft Purview retention policies.

Get-OrganizationConfig | FL InPlaceHolds

Tip

If there are too many values in the InPlaceHolds property and not all of them are displayed, you can run the Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds command to display each GUID on a separate line.

The following table describes the different types of organization-wide holds and how to identify each type based on the GUIDs contained in InPlaceHolds property when you run the Get-OrganizationConfig cmdlet.

| Hold type | Example value | Description |
| --- | --- | --- |
| Microsoft Purview retention policies applied to Exchange mailboxes, Exchange public folders, and Teams chats | mbx7cfb30345d454ac0a989ab3041051209:2 | Organization-wide retention policies applied to Exchange mailboxes, Exchange public folders, and 1xN chats in Microsoft Teams are identified by GUIDs that start with the mbx prefix. Note: 1xN chats are stored in the mailbox of the individual chat participants. |
| Microsoft Purview retention policy applied to Microsoft 365 Groups and Teams channel messages | grp1a0a132ee8944501a4bb6a452ec31171:3 | Organization-wide retention policies applied to Microsoft 365 groups and channel messages in Microsoft Teams are identified by GUIDs that start with the grp prefix. Note: channel messages are stored in the group mailbox that is associated with a Microsoft Team. |

For more information about retention policies applied to Microsoft Teams, see Learn about retention policies for Microsoft Teams.

Understanding the format of the InPlaceHolds value for retention policies

In addition to the prefix (mbx, skp, or grp) that identifies an item in the InPlaceHolds property as a Microsoft Purview retention policy, the value also contains a suffix that identifies the type of retention action that's configured for the policy. The action suffix is the number after the colon in the following examples:

skp127d7cf1076947929bf136b7a2a8c36f:1

mbx7cfb30345d454ac0a989ab3041051209:2

grp1a0a132ee8944501a4bb6a452ec31171:3

The following table defines the three possible retention actions:

| Value | Description |
| --- | --- |
| 1 | Indicates that the retention policy is configured to delete items. The policy doesn't retain items. |
| 2 | Indicates that the retention policy is configured to hold items. The policy doesn't delete items after the retention period expires. |
| 3 | Indicates that the retention policy is configured to hold items and then delete them after the retention period expires. |

Note

Because retention label policies publish or auto-apply labels that apply item-level actions, they will always show an action value of 1 within the InPlaceHolds property of the mailbox.

To identify whether a hold has been applied to a folder or item within the mailbox, refer to Identifying mailboxes on hold because a retention label has been applied to a folder or item.

For more information about retention actions, see the Retaining content for a specific period of time section.

Step 2: Use the GUID to identify the hold

After you obtain the GUID for a hold that is applied to a mailbox, the next step is to use that GUID to identify the hold. The following sections show how to identify the name of the hold (and other information) by using the hold GUID.

eDiscovery holds

Run the following commands in Security & Compliance PowerShell to identify an eDiscovery hold that's applied to the mailbox. Use the GUID (not including the UniH prefix) for the eDiscovery hold that you identified in Step 1.

To connect to Security & Compliance PowerShell, see Connect to Security & Compliance PowerShell.

The first command creates a variable that contains information about the hold. This variable is used in the other commands. The second command displays the name of the eDiscovery case the hold is associated with. The third command displays the name of the hold and a list of the mailboxes the hold applies to.

$CaseHold = Get-CaseHoldPolicy <hold GUID without prefix>
Get-ComplianceCase $CaseHold.CaseId | FL Name
$CaseHold | FL Name,ExchangeLocation

Microsoft Purview retention policies

Connect to Security & Compliance PowerShell and run the following command to identify the Microsoft Purview retention policy (organization-wide or specific location) that's applied to the mailbox. Use the GUID (not including the mbx, skp, or grp prefix or the action suffix) that you identified in Step 1.

Get-RetentionCompliancePolicy <hold GUID without prefix or suffix> -DistributionDetail  | FL Name,*Location
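
The prefix and suffix rules from Step 1, and the stripped GUID that the Step 2 cmdlets expect, can be applied in one pass. The following is an added example, not code from the original article: ConvertFrom-InPlaceHold and Resolve-OrgWideHold are hypothetical helper names, and the third organization value is constructed to show an exclusion match.

```powershell
# Added example: ConvertFrom-InPlaceHold and Resolve-OrgWideHold are hypothetical
# helper names. Prefixes and action values are the ones listed in this article.
function ConvertFrom-InPlaceHold {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Value)
    begin {
        $kinds = @{
            UniH = 'eDiscovery hold'
            mbx  = 'Retention policy (mailbox)'
            skp  = 'Retention policy (Skype for Business conversations)'
            grp  = 'Retention policy (Microsoft 365 Groups, Teams channel messages)'
        }
        $actions = @{ '1' = 'Delete only'; '2' = 'Hold only'; '3' = 'Hold, then delete' }
        # Optional "-" (exclusion), prefix, GUID with or without dashes, optional ":<action>"
        $pattern = '^(?<ex>-)?(?<p>UniH|mbx|skp|grp)' +
                   '(?<g>[0-9a-f]{32}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})' +
                   '(:(?<a>[123]))?$'
    }
    process {
        if ($Value -match $pattern) {
            [pscustomobject]@{
                Raw      = $Value
                Kind     = $kinds[$Matches['p']]
                Excluded = [bool]$Matches['ex']   # "-mbx": excluded from an org-wide policy
                Guid     = $Matches['g']          # prefix and suffix removed, as Step 2 requires
                Action   = if ($Matches['a']) { $actions[$Matches['a']] }
            }
        } else {
            # Values this article does not describe are reported, never guessed at
            [pscustomobject]@{ Raw = $Value; Kind = 'Unrecognized'; Excluded = $false; Guid = $null; Action = $null }
        }
    }
}

function Resolve-OrgWideHold {
    param([string[]]$MailboxHolds, [string[]]$OrganizationHolds)
    # GUIDs of the organization-wide policies this mailbox is explicitly excluded from
    $excluded = @($MailboxHolds | Where-Object { $_ } | ConvertFrom-InPlaceHold |
        Where-Object { $_.Excluded } | ForEach-Object { $_.Guid -replace '-' })
    $OrganizationHolds | Where-Object { $_ } | ConvertFrom-InPlaceHold | ForEach-Object {
        $_.Excluded = $excluded -contains ($_.Guid -replace '-')
        $_
    }
}

# Mailbox values: the example values from the Get-Mailbox table in this article
$mailboxHolds = 'UniH7d895d48-7e23-4a8d-8346-533c3beac15d',
                'mbxcdbbb86ce60342489bff371876e7f224:1',
                'skp127d7cf1076947929bf136b7a2a8c36f:3',
                '-mbxe9b52bf7ab3b46a286308ecb29624696'
# Organization values: the first two are from this article; the third is constructed
# by reusing the excluded GUID above so that the exclusion match is visible
$orgHolds = 'mbx7cfb30345d454ac0a989ab3041051209:2',
            'grp1a0a132ee8944501a4bb6a452ec31171:3',
            'mbxe9b52bf7ab3b46a286308ecb29624696:3'

$mailboxHolds | ConvertFrom-InPlaceHold | Format-Table Kind, Excluded, Guid, Action
Resolve-OrgWideHold -MailboxHolds $mailboxHolds -OrganizationHolds $orgHolds |
    Format-Table Raw, Excluded, Action
```

Against a live tenant, the same functions take the output of the commands in Step 1, for example (Get-Mailbox <username>).InPlaceHolds and (Get-OrganizationConfig).InPlaceHolds.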

Identifying mailboxes on hold because a retention label has been applied to a folder or item

Whenever a user applies a retention label that's configured to retain or retain and then delete content to any folder or item in their mailbox, the ComplianceTagHoldApplied mailbox property is set to True. When this happens, the mailbox is treated much as if it were placed on hold (for example, assigned to a Microsoft Purview retention policy or placed on Litigation Hold), but with some caveats. When the ComplianceTagHoldApplied property is set to True, the following things occur:

  • If the mailbox or the user's Microsoft 365 account is deleted, the mailbox becomes an inactive mailbox.
  • You aren't able to disable the mailbox (either the primary mailbox or the archive mailbox, if it's enabled).
  • Items that have been deleted from the mailbox follow one of two paths depending on whether they're labeled or not:
    • Unlabeled items follow the same path deleted items take when no holds apply to the mailbox. The time that it takes for these items to be permanently deleted is determined by the deleted item retention configuration and whether single item recovery is enabled for the mailbox or not.
    • Labeled items are retained within the recoverable items folder in the same way they would be if a Microsoft Purview retention policy applied, but at the individual item level. If multiple items have different labels that are configured to retain or retain and then delete content at different intervals, each item is retained based on the configuration of the applied label.
  • Other holds, such as Microsoft Purview retention policies, eDiscovery holds, or Litigation Hold, can extend how long labeled items are retained based on the principles of retention.

To view the value of the ComplianceTagHoldApplied property for a single mailbox, run the following command in Exchange Online PowerShell:

Get-Mailbox <username> | FL ComplianceTagHoldApplied

For more information about retention labels, see retention labels.

Managing mailboxes on delay hold

After any type of hold is removed from a mailbox, a delay hold is applied. This means that the actual removal of the hold is delayed for 30 days to prevent data from being permanently deleted (purged) from the mailbox. This gives admins an opportunity to search for or recover mailbox items that are purged after a hold is removed. A delay hold is placed on a mailbox the next time the Managed Folder Assistant processes the mailbox and detects that a hold was removed. Specifically, a delay hold is applied to a mailbox when the Managed Folder Assistant sets one of the following mailbox properties to True:

  • DelayHoldApplied: This property applies to email-related content (generated by people using Outlook and Outlook on the web) that's stored in a user's mailbox.
  • DelayReleaseHoldApplied: This property applies to cloud-based content (generated by non-Outlook apps such as Microsoft Teams, Microsoft Forms, and Microsoft Viva Engage) that's stored in a user's mailbox. Cloud data generated by a Microsoft app is typically stored in a hidden folder in a user's mailbox.

When a delay hold is placed on the mailbox (when either of the previous properties is set to True), the mailbox is still considered to be on hold for an unlimited hold duration, as if the mailbox was on Litigation Hold. After 30 days, the delay hold expires, and Microsoft 365 will automatically attempt to remove the delay hold (by setting the DelayHoldApplied or DelayReleaseHoldApplied property to False) so that the hold is removed. After either of these properties is set to False, the corresponding items that are marked for removal are purged the next time the mailbox is processed by the Managed Folder Assistant.

Note

If the user account for the mailbox is disabled, the mailbox isn't processed by the Managed Folder Assistant and the delay hold remains after the 30 days have expired. For more information, see Delay hold considerations.

To view the values for the DelayHoldApplied and DelayReleaseHoldApplied properties for a mailbox, run the following command in Exchange Online PowerShell.

Get-Mailbox <username> | FL *HoldApplied*

To remove the delay hold before it expires, you can run one (or both) of the following commands in Exchange Online PowerShell, depending on which property you want to change:

Set-Mailbox <username> -RemoveDelayHoldApplied

Or

Set-Mailbox <username> -RemoveDelayReleaseHoldApplied

You must be assigned the Legal Hold role in Exchange Online to use the RemoveDelayHoldApplied or RemoveDelayReleaseHoldApplied parameters.

To remove the delay hold on an inactive mailbox, run one of the following commands in Exchange Online PowerShell:

Set-Mailbox <DN or Exchange GUID> -InactiveMailbox -RemoveDelayHoldApplied

Or

Set-Mailbox <DN or Exchange GUID> -InactiveMailbox -RemoveDelayReleaseHoldApplied

Tip

The best way to specify an inactive mailbox in the previous command is to use its Distinguished Name or Exchange GUID value. Using one of these values helps prevent accidentally specifying the wrong mailbox.

For more information about using these parameters for managing delay holds, see Set-Mailbox.

Delay hold considerations

Keep the following things in mind when managing a mailbox on delay hold:

  • If either the DelayHoldApplied or DelayReleaseHoldApplied property is set to True and a mailbox (or the corresponding user account) is deleted, the mailbox becomes an inactive mailbox. That's because a mailbox is considered to be on hold if either property is set to True, and deleting a mailbox on hold results in an inactive mailbox. To delete a mailbox and not make it an inactive mailbox, you have to set both properties to False.
  • A mailbox is considered to be on hold for an unlimited hold duration if either the DelayHoldApplied or DelayReleaseHoldApplied property is set to True. However, that doesn't mean that all content in the mailbox is preserved. It depends on the value that's set to each property. For example, let's say both properties are set to True because holds are removed from the mailbox. Then you remove only the delay hold that's applied to non-Outlook cloud data (by using the RemoveDelayReleaseHoldApplied parameter). The next time the Managed Folder Assistant processes the mailbox, the non-Outlook items marked for removal are purged. Any Outlook items marked for removal won't be purged because the DelayHoldApplied property is still set to True. The opposite would also be true: if DelayHoldApplied is set to False and DelayReleaseHoldApplied is set to True, then only Outlook items marked for removal would be purged.

How to confirm that an organization-wide retention policy is applied to a mailbox

When an organization-wide retention policy is applied to or removed from a mailbox, exporting the mailbox diagnostics logs can help you be certain that Exchange Online has applied the retention policy to the mailbox or removed it. To view this information, you first need to validate a few things using Exchange Online PowerShell.

Obtain the GUIDs for any retention policies explicitly applied to a mailbox

Get-Mailbox <username> | Select-Object -ExpandProperty InPlaceHolds

Obtain the GUIDs for any organization-wide retention policies applied to mailboxes

Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds

Get the Mailbox Diagnostics for HoldTracking

The Hold Tracking Mailbox Diagnostics logs maintain a history of the holds applied to a user mailbox.

$ht = Export-MailboxDiagnosticLogs <username> -ComponentName HoldTracking
$ht.MailboxLog | ConvertFrom-Json

Review the results of the Mailbox Diagnostics logs

If you gather data from the previous step, the resulting data may look something like this:

ed  : 0001-01-01T00:00:00.0000000
hid : mbx7cfb30345d454ac0a989ab3041051209:1
ht  : 4
lsd : 2020-03-23T18:24:37.1884606Z
osd : 2020-03-23T18:24:37.1884606Z

Use the following table to help you understand each of the previous values listed in the diagnostics log.

| Value | Description |
| --- | --- |
| ed | Indicates the End date, which is the date the retention policy was disabled. MinValue means the policy is still assigned to the mailbox. |
| hid | Indicates the GUID for the retention policy. This value correlates to the GUIDs that you collected for the explicit or organization-wide retention policies assigned to the mailbox. |
| ht | Indicates the hold type. Values are 0 for LitigationHold, 1 for InPlaceHold, 2 for ComplianceTagHold, 3 for DelayReleaseHold, 4 for OrganizationRetention, 5 for CompliancePolicy, 6 for SubstrateAppPolicy, and 7 for SharepointPolicy. |
| lsd | Indicates the Last start date, which is the date the retention policy was assigned to the mailbox. |
| osd | Indicates the Original start date, which is the date that Exchange first recorded information about the retention policy. |

When a retention policy is no longer applied to a mailbox, we'll place a temporary delay hold on the user to prevent purging content. A delay hold can be disabled by running the Set-Mailbox -RemoveDelayHoldApplied command.
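
The HoldTracking fields described above can be turned into a readable hold history that shows which holds are still assigned and which have ended. The following is an added example, not code from the original article: Get-HoldTrackingSummary is a hypothetical helper name, the log is assumed to be a JSON array of entries with the five properties shown above, and the second sample entry is constructed.

```powershell
# Added example: Get-HoldTrackingSummary is a hypothetical helper name.
function Get-HoldTrackingSummary {
    param(
        [Parameter(Mandatory)][string]$MailboxLogJson,   # for example, $ht.MailboxLog
        [string[]]$CurrentHolds = @()                    # InPlaceHolds values collected earlier
    )
    # Array index = ht value, in the order given in the table above
    $holdTypes = 'LitigationHold', 'InPlaceHold', 'ComplianceTagHold', 'DelayReleaseHold',
                 'OrganizationRetention', 'CompliancePolicy', 'SubstrateAppPolicy', 'SharepointPolicy'
    # Compare on the part before ":" so a different action suffix still correlates
    $current = @($CurrentHolds | Where-Object { $_ } | ForEach-Object { ($_ -split ':')[0] })

    # The outer parentheses make the entries enumerate one by one on every PowerShell version
    ($MailboxLogJson | ConvertFrom-Json) | ForEach-Object {
        $end   = [datetime]$_.ed
        $ended = $end.Year -gt 1      # year 1 is DateTime MinValue: policy still assigned
        [pscustomobject]@{
            HoldId        = $_.hid
            HoldType      = if ($_.ht -ge 0 -and $_.ht -lt $holdTypes.Count) { $holdTypes[$_.ht] } else { "Unknown ($($_.ht))" }
            Status        = if ($ended) { 'Ended' } else { 'Active' }
            LastStart     = [datetime]$_.lsd
            EndDate       = if ($ended) { $end }
            InCurrentList = $current -contains ($_.hid -split ':')[0]
        }
    }
}

# Sample log: the first entry is the output shown in this article; the second is
# constructed to show a policy that has an end date
$sampleLog = @'
[
  {"ed":"0001-01-01T00:00:00.0000000","hid":"mbx7cfb30345d454ac0a989ab3041051209:1","ht":4,
   "lsd":"2020-03-23T18:24:37.1884606Z","osd":"2020-03-23T18:24:37.1884606Z"},
  {"ed":"2020-04-02T09:10:11.0000000Z","hid":"mbxcdbbb86ce60342489bff371876e7f224:1","ht":5,
   "lsd":"2020-03-01T08:00:00.0000000Z","osd":"2020-03-01T08:00:00.0000000Z"}
]
'@

Get-HoldTrackingSummary -MailboxLogJson $sampleLog `
    -CurrentHolds 'mbx7cfb30345d454ac0a989ab3041051209:2' |
    Format-Table HoldId, HoldType, Status, EndDate, InCurrentList
```

An entry with Status Ended that no longer appears in the current InPlaceHolds values is the record of a hold that was removed from the mailbox.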

Next steps

After you identify the holds that are applied to a mailbox, you can perform tasks such as changing the duration of the hold, temporarily or permanently removing the hold, or excluding an inactive mailbox from a Microsoft Purview retention policy. For more information about performing tasks related to holds, see one of the following articles: