Purge the Hoard: Automating 10-Year Exchange Retention & Deletion Policies
Master M365 Data Lifecycle Management. Learn how to deploy a 10-year Exchange Purview Retention Policy, bypass the 7-day Managed Folder Assistant delay, and understand the crucial Microsoft Principles of Retention.
The Ticket: The Legal Discovery Nightmare
A client's legal counsel just panicked during an eDiscovery request because the CEO's mailbox still contains highly sensitive emails from 2014 that should have been wiped. They’ve mandated a strict data lifecycle rule: absolutely nothing lives in Exchange longer than ten years. You need to implement a Microsoft Purview Retention Policy to automatically and silently purge old data, reducing legal liability and curbing storage bloat, without relying on users to manually empty their folders.
Pre-Flight Check
- Permissions: Compliance Administrator or Global Admin in Microsoft 365.
- Tools: Microsoft Purview portal, Exchange Online PowerShell.
- Impact: High - Data destruction is permanent. Once the 10-year mark hits, items bypass the standard Deleted Items folder and are eventually hard-deleted.
The Solution
Note: Do not use the legacy Exchange Admin Center (MRM) for this. We use Purview for tenant-wide lifecycle management.
- Access Purview: Log in to purview.microsoft.com and navigate to Data Lifecycle Management > Microsoft 365 > Retention Policies.
- Initialize: Click New retention policy.
- Naming: Enter a clear name (e.g., Exchange_10_Year_Purge) and a description defining the exact scope.
- Scope Selection (Correcting the Myth): Select Static.
  - Correction: The original guide claimed you select Static because "at least one mailbox will always exist." That is incorrect. You select Static because Adaptive Scopes require an expensive E5 or Compliance Add-on license. Unless the client is paying for premium SKUs, Adaptive will fail to apply. Static is standard for Business Premium/E3.
- Target Workloads: Toggle off everything except Exchange mailboxes.
  - Note: This automatically applies to both primary and archive mailboxes. Leave it set to "All users" unless specifically requested otherwise.
- Retention Settings:
  - Choose Retain items for a specific period.
  - Set the period to 10 Years.
  - Set "Retain the period based on" to When items were created (or "When items were sent/received" for emails).
- Deletion Action: At the end of the retention period, select Delete items automatically.
- Finalize: Review the policy and click Submit.
The "Why" (Root Cause)
Why are we building this in Purview instead of using the old Exchange Retention Tags (MRM)? Because legacy MRM policies are easily overridden by end-users. Users can right-click a folder in Outlook and assign a "Personal Tag" that breaks your compliance strategy.
Furthermore, the source guide claims that this new Purview policy "ignores any tags set by a legacy MRM policy." That is a dangerous half-truth. Microsoft evaluates conflicting policies using the Principles of Retention. The hierarchy works like this:
1. Retention wins over deletion. (If MRM says delete in 5 years, but Purview says retain for 10, the email stays for 10).
2. Longest retention period wins.
3. Explicit inclusion wins over implicit. (An MRM personal tag manually applied to a specific folder will override a tenant-wide Purview policy).
4. Shortest deletion period wins.
By setting this policy at the Purview level, you are establishing a firm baseline. However, if you want this to be bulletproof, you must also go into the Exchange Admin Center and strip out any default MRM tags that grant users the ability to apply personal exemptions.
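The hierarchy above can be traced for any mix of settings. The following PowerShell is an added example, not code from the original guide or from Microsoft: a simplified model of the four rules as listed here, in which `Resolve-RetentionOutcome`, the property names and the two MRM tags are hypothetical, and every day count other than 3650 is constructed.

```powershell
# Simplified model of the four rules listed above; it is not Microsoft's
# evaluation engine. All names and sample values are constructed.
function Resolve-RetentionOutcome {
    param([Parameter(Mandatory)][object[]]$Settings)

    # Rules 1 and 2: any retention blocks deletion, and the longest period wins.
    $retain = $Settings | Where-Object { $null -ne $_.RetainDays } |
        Sort-Object RetainDays -Descending | Select-Object -First 1
    $retainDays = if ($retain) { $retain.RetainDays } else { 0 }

    # Rule 3: if any deletion setting was applied explicitly, only those compete.
    $deletes  = @($Settings | Where-Object { $null -ne $_.DeleteDays })
    $explicit = @($deletes | Where-Object { $_.Explicit })
    if ($explicit.Count -gt 0) { $deletes = $explicit }

    # Rule 4: among the remaining deletion settings, the shortest period wins.
    $delete = $deletes | Sort-Object DeleteDays | Select-Object -First 1

    # Deletion cannot happen before the winning retention period has ended.
    $purgeDay = if ($delete) { [Math]::Max($retainDays, $delete.DeleteDays) } else { $null }
    $deleteBy = if ($delete) { $delete.Name } else { $null }

    [pscustomobject]@{
        RetainedUntilDay = $retainDays
        PurgedOnDay      = $purgeDay
        DeletionSetBy    = $deleteBy
    }
}

# The policy from this guide: retain 10 years, then delete (implicit, tenant-wide).
$purview = [pscustomobject]@{ Name = 'Exchange_10_Year_Purge'; RetainDays = 3650; DeleteDays = 3650; Explicit = $false }
# Constructed MRM default tag: delete after 5 years.
$mrmDefault = [pscustomobject]@{ Name = 'MRM default tag'; RetainDays = $null; DeleteDays = 1825; Explicit = $false }
# Constructed MRM personal tag a user applied to one folder: delete after 15 years.
$mrmPersonal = [pscustomobject]@{ Name = 'MRM personal tag'; RetainDays = $null; DeleteDays = 5475; Explicit = $true }

# Scenario A: the 5-year MRM deletion meets the 10-year Purview retention.
Resolve-RetentionOutcome -Settings $purview, $mrmDefault
# Scenario B: the explicit personal tag competes with the tenant-wide policy.
Resolve-RetentionOutcome -Settings $purview, $mrmPersonal
```

Comparing `PurgedOnDay` between the two scenarios shows why personal tags have to be removed before the ten-year ceiling can be treated as firm.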
Under the Hood (Technical Deep Dive)
Clicking "Submit" in Purview does not immediately delete a decade of emails. The web GUI simply writes a rule to the Security & Compliance center. To understand how the data actually gets destroyed, you have to look at the Managed Folder Assistant (MFA) daemon inside Exchange Online.
The MFA is a throttled background process that runs on Microsoft's datacenter servers. It constantly crawls mailboxes to apply retention policies. When the MFA detects an email older than 3,650 days (10 years) under this specific Purview policy, it does not send the item to the user's "Deleted Items" folder.
Instead, it moves the item into the Recoverable Items partition of the mailbox, specifically into a hidden subfolder called Purges or DiscoveryHolds (if a Litigation Hold is concurrently active). The user can no longer see the email in Outlook or OWA.
If there is no active Litigation Hold or eDiscovery lock preventing deletion, the Exchange Mailbox Assistant runs a final garbage collection pass. The data blocks are de-referenced in the Extensible Storage Engine (ESE) database, and the email is permanently scrubbed from the disk. This happens at the storage layer, completely invisible to the tenant administrator.
The original guide states: "It can take up to a week for the policy to be fully applied." This is because the Managed Folder Assistant operates on a 7-day work cycle by default to prevent localized CPU spikes on the Exchange clusters. You do not have to wait a week. You can bypass this throttle using Exchange Online PowerShell.
RMM & Automation Tips
If you are rolling this out to 50 tenants, doing it via the Purview GUI is a massive waste of time. You need to connect to the Security & Compliance PowerShell module (Connect-IPPSSession) and deploy it programmatically.
PowerShell
# Create the base policy
New-RetentionCompliancePolicy -Name "Exchange_10_Year_Purge" -ExchangeLocation All
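# Create the specific 10-year retention/deletion rule linked to the policy.
# The rule cmdlet takes -RetentionComplianceAction (-RetentionAction belongs to MRM retention tags).
# -ExpirationDateOption CreationAgeInDays matches the "When items were created" setting in the GUI steps.
New-RetentionComplianceRule -Name "10_Year_Delete_Rule" -Policy "Exchange_10_Year_Purge" -RetentionDuration 3650 -RetentionComplianceAction KeepAndDelete -ExpirationDateOption CreationAgeInDays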
Note: We use KeepAndDelete to ensure the data is legally retained for the full 10 years before it is systematically destroyed, fulfilling both compliance archiving and data lifecycle reduction in one stroke.
Troubleshooting & Edge Cases
- Edge Case 1: The "Up to a week" Delay. Don't wait for Microsoft's backend to decide when to process the mailbox. Connect to Exchange Online PowerShell and force the daemon to run against a specific user immediately: Start-ManagedFolderAssistant -Identity "[email protected]". Check back in a few hours.
- Edge Case 2: In-Place Holds / Litigation Holds. If the CEO was put on a Litigation Hold five years ago, the Purview deletion policy will appear to fail. The emails will vanish from the user's inbox, but they will remain trapped forever in the Recoverable Items partition, continuing to consume quota. You must resolve the overarching Litigation Hold before hard-deletion can physically execute.
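Both edge cases can be checked before forcing the Managed Folder Assistant. This added example (not from the original guide) reads the `LitigationHoldEnabled`, `InPlaceHolds` and `ElcProcessingDisabled` properties that `Get-Mailbox` returns; `Get-PurgeBlocker` is a hypothetical helper, and the sample mailboxes are constructed so the logic runs without a tenant.

```powershell
# Hypothetical helper (added example): flags mailbox settings that keep expired
# items in Recoverable Items or stop the Managed Folder Assistant entirely.
function Get-PurgeBlocker {
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Mailbox)
    process {
        $reasons = @()
        if ($Mailbox.LitigationHoldEnabled) { $reasons += 'Litigation Hold enabled' }

        # InPlaceHolds lists hold GUIDs (eDiscovery holds, In-Place Holds and
        # retention policies scoped to this mailbox); each entry needs review.
        $holds = @($Mailbox.InPlaceHolds | Where-Object { $_ })
        if ($holds.Count -gt 0) { $reasons += "InPlaceHolds entries: $($holds.Count)" }

        # When set, the Managed Folder Assistant skips the mailbox altogether.
        if ($Mailbox.ElcProcessingDisabled) { $reasons += 'ElcProcessingDisabled is set' }

        [pscustomobject]@{
            Mailbox  = $Mailbox.UserPrincipalName
            Blocked  = ($reasons.Count -gt 0)
            Blockers = $reasons -join '; '
        }
    }
}

# Constructed sample objects shaped like Get-Mailbox output.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'ceo@example.com'; LitigationHoldEnabled = $true
                       InPlaceHolds = @(); ElcProcessingDisabled = $false }
    [pscustomobject]@{ UserPrincipalName = 'legal@example.com'; LitigationHoldEnabled = $false
                       InPlaceHolds = @('constructed-hold-id'); ElcProcessingDisabled = $false }
    [pscustomobject]@{ UserPrincipalName = 'staff@example.com'; LitigationHoldEnabled = $false
                       InPlaceHolds = @(); ElcProcessingDisabled = $false }
)
$sample | Get-PurgeBlocker | Format-Table -AutoSize

# Against a tenant (after Connect-ExchangeOnline), list the mailboxes to resolve first:
# Get-Mailbox -ResultSize Unlimited | Get-PurgeBlocker | Where-Object Blocked
# Then trigger processing only for a mailbox that reported no blockers:
# Start-ManagedFolderAssistant -Identity <mailbox that reported Blocked = False>
```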