Exchange & Teams Retention Policies in Purview

Welcome back, tech warriors! In the first part of our five-part series on Microsoft Purview, we introduced Apex Finance, a mid-sized investment firm hit with a GDPR data privacy probe, and showed how Purview’s retention policies turned their compliance chaos into a structured plan. If you missed it, part one laid the foundation for Purview’s superpower in protecting data across Microsoft 365.

A compliant envelope by Jaime López using Designer

Now, in part two, we’re zooming in on communications—Exchange Online emails and Microsoft Teams chats and channel messages—for IT admins and compliance officers. Apex’s legal team needs every executive email and chat preserved to trace personal data handling, a common GDPR challenge that could mean hefty fines if mishandled.

Why keep reading? This series equips you with a complete Purview compliance toolkit, and this article tackles the chaos of communications data. Through Apex’s GDPR-inspired scenario, we’ll explore practical retention strategies with step-by-step instructions to make audits less daunting and your IT life saner. Let’s dive in and tame the communications beast!

MRM to Purview for Exchange Online

Let’s revisit the evolution from part one. Messaging Records Management (MRM) was Exchange Online’s old tool, using retention tags to archive or delete emails (e.g., “archive after 2 years”). It was limited, like a typewriter in a laptop world, unable to handle Teams or SharePoint.

Microsoft Purview unifies retention across workloads, critical for Apex’s GDPR probe. They set a policy to retain executive emails for 7 years, overriding MRM tags to avoid conflicts. In the Purview compliance portal, you select Exchange mailboxes (specific or via adaptive scopes) and set retention rules.

A pro tip from experience: test on one mailbox first—skipping this can lead to policy chaos, as one admin learned after a week-long cleanup. Purview’s eDiscovery integration ensures GDPR-compliant data preservation, making legal responses faster.

Teams Retention

With email retention locked down, let’s tackle Teams. Teams chats and channel messages are challenging due to their volume and variety, including threaded replies and external guest chats. Purview stores these in hidden Exchange folders (SubstrateHolds), searchable for legal holds (Teams meeting recordings, stored in OneDrive/SharePoint, will be covered in part three).

Apex needed project-related Teams chats retained for 3 years to trace personal data for GDPR. They used a Purview policy for the data protection group’s Teams, covering private chats and channel posts. Adaptive scopes targeted specific users or teams (e.g., “GDPR Project Team”), avoiding over-retention of irrelevant data. This keeps storage lean and audits manageable, unlike one team I know that bloated storage by retaining all chats unnecessarily.

Real-World Examples

Let’s bring Apex’s GDPR probe to life with practical examples and setups.

Exchange Online Email Retention

Apex’s legal team required all executive emails to be retained for 7 years to meet GDPR’s accountability rules. A Purview policy preserved emails in the Recoverable Items folder (a hidden Exchange storage area), searchable via eDiscovery even if deleted. For specific emails (e.g., containing “personal data”), Apex used auto-applied Retention Labels for granular control.

Setup Steps:

1. Access Purview Portal: In Purview, go to “Data lifecycle management” > "Policies" > “Retention policies”.

2. Create Policy: Name it (e.g., “GDPR Email Retention”).

3. Choose Scope: Select “Static” for specific mailboxes or “Adaptive” for dynamic targeting (e.g., “department:Leadership”).

4. Select Workload: Choose “Exchange mailboxes”.

5. Set Retention: Retain for 7 years from creation; optionally delete post-period unless under a legal hold.

6. Test and Monitor: Pilot on one mailbox, verify retention in Recoverable Items via eDiscovery, and deploy (full effect in up to 7 days).

Retention Label for Sensitive Emails

For specific emails containing personal data (e.g., those with “personal data” or “consent”), Apex used a Retention Label to ensure GDPR-compliant retention with granular control. The label auto-applies to sensitive content, preserving it for 7 years.

Setup Steps:

1. Access Purview Portal: In Purview, go to “Data lifecycle management” > "Retention labels”.

2. Create a Retention Label: Call it “GDPR Sensitive Emails”.

3. Set Retention Period: Choose “Retain items for a specific period” (7 years for GDPR compliance). optionally delete post-period unless under a legal hold.

4. Finish: Finish the creation of the label.

5. Create a Label Policy: Go to “Data lifecycle management” > "Policies" > "Label policies” and select "Auto-apply a label" and name it (e.g. GDPR Sensitive Emails Label).

6. Choose the type of content: Select “Apply label to content that contains sensitive info” and configure your sensitive info types (e.g., GDPR).

7. Choose Scope: Select “Static” for specific mailboxes or “Adaptive” for dynamic targeting (e.g., “department:Leadership”).

8. Select Workload: Choose “Exchange mailboxes”.

9. Select the retention label created: Add the "GDPR Sensitive Emails" label created previously.

10. Test and Monitor: Test the policy before running it to evaluate it first.

Teams Chat and Channel Retention

Apex retained project-related Teams chats and channel messages for 3 years. The policy covered the data protection group, with messages preserved in SubstrateHolds for eDiscovery.

Setup Steps:

1. Access Retention Policies: In Purview, go to “Data lifecycle management” > "Policies" > “Retention policies”.

2. Create Policy: Name it (e.g., “GDPR Teams Retention”).

3. Choose Scope: Use “Static” for specific Teams or “Adaptive” for dynamic targeting (e.g., Teams with “GDPR” in the name).

4. Select Workloads: Choose “Teams channel messages” and “Teams chats”.

5. Set Retention: Retain for 3 years; optionally delete post-period unless under a legal hold.

6. Test and Monitor: Pilot on one Team, verify chats in SubstrateHolds via eDiscovery, and deploy.

Conclusion

In part two of our five-part series, Apex’s story shows how Purview tames the chaos of Exchange Online and Teams communications. From MRM’s email-only limits to Purview’s unified retention.

Having wrestled with these configs (and learned a few lessons), I can tell you these policies reduce stress, speed up legal responses, and keep collaboration seamless.

Ready to take control? Start with a test policy in the Purview compliance portal today. Join us next Tuesday for part three, where we’ll tackle SharePoint and OneDrive document retention!

References

• Mastering Retention Policies in Microsoft Purview: https://intranetfromthetrenches.substack.com/p/mastering-retention-policies-in-microsoft-purview

• Retention Policies for SharePoint Online and OneDrive in Purview: https://intranetfromthetrenches.substack.com/p/retention-policies-for-sharepoint-online-and-onedrive-in-purview

• Advanced Retention Features in Microsoft Purview: https://intranetfromthetrenches.substack.com/p/advanced-retention-features-in-microsoft-purview

• 8 Must-Know Best Practices for Mastering Retention in Microsoft Purview: https://intranetfromthetrenches.substack.com/p/8-must-know-best-practices-for-mastering-retention-in-microsoft-purview

• Learn about retention policies & labels to retain or delete: https://learn.microsoft.com/en-us/purview/retention

• Learn about retention for Exchange: https://learn.microsoft.com/en-us/purview/retention-policies-exchange

• Learn about retention for Microsoft Teams: https://learn.microsoft.com/en-us/purview/retention-policies-teams