
Contents

Exchange Online
Exchange admin center
Permissions
Feature permissions
Role groups
Role assignment policies
Security and compliance
Modify archive policies
In-Place and Litigation Holds
Create or remove In-Place Holds
In-Place eDiscovery
Assign eDiscovery permissions
Create In-Place eDiscovery search
Export search results
Message properties and search operators
Search limits
Create a discovery mailbox
Create custom management scope
Reduce discovery mailbox size
Delete and re-create default discovery mailbox
Data loss prevention
DLP rule application
Integrate sensitive information rules
DLP policy templates
Create DLP policy from template
Create custom DLP policy
Policy Tips
Manage policy tips
Exchange auditing reports
Export mailbox audit logs
Non-owner mailbox access report
Per-mailbox litigation hold report
Search role group changes
View administrator audit log
View external admin audit log
Messaging records management
Retention tags and policies
Default Retention Policy
Default folders
Retention age
Create a Retention Policy
Add or remove retention tags
Apply retention policy
Mailbox retention hold
Journaling
Manage journaling
Configure Journaling
Mail flow rules
Conditions and exceptions
Mail flow rule actions
Configuration best practices
Inspect message attachments
Enable encryption and decryption
Common attachment blocking scenarios
Disclaimers, signatures, footers, or headers
Mail flow rule procedures
Manage mail flow rules
Test mail flow rules
Use rules to bypass Clutter
Use rules to route email
Use rules to add meetings
Manage message approval
Common message approval scenarios
Recoverable Items folder in Exchange Online
Clean up or delete items from the Recoverable Items folder in Exchange Online
Mail flow best practices
Test mail flow
Troubleshoot mail flow
Use connectors to configure mail flow
Do I need to create a connector?
Set up connectors to route mail
Set up connectors for secure mail flow with a partner
Validate connectors
Conditional mail routing
Integrate Office 365 with an email add-on service
Use Directory Based Edge Blocking
Manage accepted domains
Enable mail flow for subdomains
Remote domains
Manage remote domains
Supported character sets
Message format and transmission
Configure external postmaster address
Manage mailboxes with Office 365
Manage mail flow using third-party cloud
Manage mail flow for multiple locations
Manage mail flow on Office 365 and on-prem
How to set up a multifunction device or application to send email using Office 365
How to configure IIS for relay with Office 365
Fix issues with printers, scanners, and LOB applications that send email using Office 365
Email non-delivery reports in Exchange Online
Fix email delivery issues for error code 5.1.8 in Exchange Online
Fix email delivery issues for error code 5.4.6 through 5.4.20 in Exchange Online
Fix email delivery issues for error code 5.7.12 in Exchange Online
Fix email delivery issues for error code 5.7.13 or 5.7.135 in Exchange Online
Fix email delivery issues for error code 5.7.124 in Exchange Online
Fix email delivery issues for error code 5.7.133 in Exchange Online
Fix email delivery issues for error code 5.7.134 in Exchange Online
Fix email delivery issues for error code 5.7.136 in Exchange Online
Fix email delivery issues for error code 451 4.7.500-699 (ASxxx) in Exchange Online
Fix email delivery issues for error code 550 4.4.7 in Exchange Online
Fix email delivery issues for error code 550 5.1.0 in Exchange Online
Fix email delivery issues for error code 550 5.1.1 through 5.1.20 in Exchange Online
Fix email delivery issues for error code 550 5.1.10 in Exchange Online
Fix email delivery issues for error code 550 5.4.1 in Exchange Online
Fix email delivery issues for error code 550 5.6.11 in Exchange Online
Fix email delivery issues for error code 550 5.7.1 in Exchange Online
Recipients in Exchange Online
Message and recipient limits
Create user mailboxes
Delete or restore mailboxes
Manage user mailboxes
Add or remove email addresses
Change deleted item retention
Configure email forwarding
Configure message delivery restrictions
Convert a mailbox
Enable or disable Exchange ActiveSync
Enable or disable MAPI
Enable or disable Outlook on the web
Mailbox plans
Automatically save sent items in delegator's mailbox
Clutter notifications in Outlook
Change Clutter notification branding
Enable or disable single item recovery
Recover deleted messages
Use PowerShell to display mailbox information
Manage distribution groups
Create group naming policy
Override group naming policy
Manage dynamic distribution groups
View group members
Manage mail-enabled security groups
Manage group access to Office 365 groups
Manage mail contacts
Manage mail users
Manage room mailboxes
Manage equipment mailboxes
Manage permissions for recipients
Manage Facebook contact sync
Manage LinkedIn contact sync
Configure a moderated recipient
Migrate multiple email accounts
Decide on a migration path
Use Minimal Hybrid to quickly migrate
What to know about a cutover migration
Cutover migration to Office 365
What to know about a staged migration
Perform a staged migration
Convert Exchange 2007 mailboxes
Convert Exchange 2003 mailboxes
Migrating IMAP mailboxes
Migrate consumer G Suite mailboxes
Migrate other types of IMAP mailboxes
IMAP migration in the admin center
Setting up your IMAP server connection
Optimizing IMAP migrations
CSV files for IMAP migrations
Prepare Gmail or G Suite accounts
Migrating your Outlook.com account
Enable 2-step verification for Google apps
Perform a G Suite migration
Migrate mailboxes across tenants
Migrate from Lotus Notes
Add an SSL certificate to Exchange 2013
Add an SSL certificate to Exchange 2010
Add an SSL certificate to Exchange 2007
Enable Gmail accounts for IMAP
Office 365 migration best practices
Assign permissions for migration
Manage migration batches
Migration users status report
CSV files for migration
Plan for third-party email coexistence with Microsoft 365 and Azure Active Directory
Collaboration
Public folders
Public folder procedures
Batch migration of legacy public folders
Batch migration of Exchange Server public folders
Roll back Exchange Online public folder migration
Migrate your public folders to Office 365 Groups
Batch migration of Exchange Online public folders
Set up legacy hybrid public folders
Set up modern hybrid public folders
Set up EXO hybrid public folders
Set up public folders
Access public folders with Outlook 2016 for Mac
Create public folder mailbox
Create public folder
Recover deleted public folder mailbox
Assign "Send As" or "Send on Behalf" permissions for mail-enabled public folders
Use favorite public folders
Enable or disable mail for public folder
Update public folder hierarchy
Remove public folder
View public folder statistics
Shared mailboxes
Address books
Address book policies
Address book policy procedures
Turn on address book policy routing
Create an address book policy
Assign an address book policy to users
Change the settings of an address book policy
Remove an address book policy
Address lists
Address list procedures
Manage address lists
Use recipient filters to create an address list
Remove a global address list
Configure global address list properties
Create global address list
Hierarchical address books
Enable or disable hierarchical address books
Offline address books
Offline address book procedures
Create offline address book
Add or remove an address list
Change default offline address book
Provision recipients
Remove offline address book
Sharing
Organization relationships
Create an organization relationship
Modify an organization relationship
Remove an organization relationship
Sharing policies
Create a sharing policy
Apply a sharing policy
Modify a sharing policy
Voice mail: Unified Messaging
Greetings, announcements, menus, and prompts
Set dial plan default language
Select auto attendant language
Enable custom prompt recording
Telephone system integration with UM
Telephony advisor for Exchange 2013
Configuration notes for VoIP gateways
Configuration notes for session border controllers
Connect voice mail system
UM dial plans
UM dial plan procedures
Create UM dial plan
Manage UM dial plan
Change audio codec
Configure maximum call duration
Configure maximum recording duration
Configure recording idle time-out
Configure VoIP security setting
Configure dial plan for users with similar names
Delete UM dial plan
UM IP gateways
UM IP gateway procedures
Create UM IP gateway
Manage UM IP gateway
Enable UM IP gateway
Disable UM IP gateway
Configure fully qualified domain name
Configure IP address
Configure listening port
Delete UM IP gateway
UM hunt groups
UM hunt group procedures
Create UM hunt group
View UM hunt group
Delete UM hunt group
Automatically answer and route calls
DTMF interface
UM auto attendant procedures
Set up UM auto attendant
Create a UM auto attendant
Add an auto attendant extension number
Configure business hours
Create a holiday schedule
Enter a business name
Set a business location
Configure the time zone
Enable a customized business hours greeting
Enable a customized business hours menu prompt
Enable a customized non-business hours greeting
Enable a customized non-business hours menu prompt
Enable an informational announcement
Create menu navigation
Create business hours navigation menus
Create non-business hours navigation menus
Manage UM auto attendant
Configure DTMF fallback auto attendant
Enable UM auto attendant
Disable UM auto attendant
Delete UM auto attendant
Enable or disable speech recognition
Enable or prevent transferring calls
Enable or disable sending voice messages
Enable or disable directory lookups
Configure users that can be contacted
Configure auto attendant for users with similar names
Set up voice mail
UM mailbox policies
UM mailbox policy procedures
Create UM mailbox policy
Manage UM mailbox policy
Delete UM mailbox policy
Voice mail for users
Voice mail-enabled user procedures
Enable a user for voice mail
Include text with email sent when voicemail is enabled
Manage voice mail settings
Assign UM mailbox policy
Change UM dial plan
Enable calls from users who aren't UM-enabled
Disable calls from users who aren't UM-enabled
Allow callers without caller ID to leave voice message
Include text with email sent when voice message Is received
Prevent callers without caller ID from leaving voice message
Disable voice mail
Change SIP address
Change extension number
Add SIP address
Remove SIP address
Add extension number
Remove extension number
Change E.164 number
Add E.164 number
Remove E.164 number
Set up client voice mail features
Set up Outlook Voice Access
Outlook Voice Access commands
Navigating menus with Outlook Voice Access
Play on Phone
Outlook Voice Access procedures
Enable or disable Outlook Voice Access
Configure Outlook Voice Access number
Disable selected features
Set mailbox features for users
Set mailbox features for a user
Enable or disable automatic speech recognition
Enable an informational announcement
Enable a customized greeting
Enable or disable Play on Phone
Enable or disable sending voice messages
Enable or prevent transferring calls
Configure the group of users that Outlook Voice Access users can contact
Configure primary search method
Configure secondary search method
Configure number of sign-in failures
Configure number of input failures
Configure personal greetings limit
Protect voice mail
Protected Voice Mail procedures
Configure Protected Voice Mail from authenticated callers
Configure Protected Voice Mail from unauthenticated callers
Enable or disable multimedia playback
Specify text to display for clients that don't support Windows Rights Management
Allow voice mail users to forward calls
Forwarding calls procedures
Call answering rules
Call answering rules in the same mailbox policy
Create a call answering rule
View and manage a call answering rule
Enable or disable a call answering rule for a user
Remove a call answering rule for a user
Allow users to see a voice mail transcript
Voice Mail Preview advisor
Voice Mail Preview procedures
Configure Voice Mail Preview partner services
Enable Voice Mail Preview
Disable Voice Mail Preview
MWI in Exchange Online
Allow MWI procedures
Allow MWI on UM IP gateway
Prevent MWI on UM IP gateway
Enable MWI for users
Disable MWI for users
Enable missed call notifications
Disable missed call notifications
Allow users to make calls
Dial codes, number prefixes, number formats
Allow users to make calls procedures
Enable outgoing calls on UM IP gateways
Disable outgoing calls on UM IP gateways
Configure dial codes
Create dialing rules
Authorize calls using dialing rules
Set up incoming faxing
Fax advisor for Exchange UM
Faxing procedures
Set the partner fax server URI to allow faxing
Include text with the email sent when a fax message is received
Allow users in the same dial plan to receive faxes
Prevent users in the same dial plan from receiving faxes
Enable faxing for a group of users
Disable faxing for a group of users
Enable a user to receive faxes
Prevent a user from receiving faxes
Set Outlook Voice Access PIN security
PIN security procedures
Set PIN policies
Reset a voice mail PIN
Retrieve voice mail PIN information
Include text in email sent when PIN Is reset
Set minimum PIN length
Set PIN lifetime
Set number of previous PINs to recycle
Disable common PIN patterns
Enable common PIN patterns
Set number of sign-in failures before PIN reset
Set number of sign-in failures before lock out
Run voice mail call reports
UM reports procedures
Review voice mail calls for organization
Review voice mail calls for user
Audio quality of voice calls in organization
Audio quality of voice calls for user
Interpret voice mail call records
UM and voice mail terminology
Clients and mobile in Exchange Online
Exchange ActiveSync
Mobile device mailbox policies
POP3 and IMAP4
Enable or disable POP3 or IMAP4 access
POP3 or IMAP4 settings
Outlook for iOS and Android
Outlook for iOS and Android FAQ
Setup with modern authentication
Manage Outlook for iOS and Android
Secure Outlook for iOS and Android
Deploy app config settings
Outlook for iOS and Android in the Government Cloud
Mobile access
Configure email on mobile phone
Remote wipe on mobile phone
Outlook on the web
Outlook on the web mailbox policies
Outlook on the web mailbox policy procedures
Create Outlook on the web mailbox policy
Apply or remove Outlook on the web mailbox policy
Remove Outlook on the web mailbox policy
Configure Outlook on the web mailbox policy properties
OWA for Devices contact sync
Public attachment handling
Increase the space used by Inbox rules
MailTips
Configure large audience size
Configure custom MailTips
MailTips over organization relationships
Manage MailTips for organization relationships
Add-ins for Outlook
Remote Connectivity Analyzer tests
Client Access Rules
Procedures for Client Access Rules
Disable Basic authentication in Exchange Online
Enable or disable modern authentication in Exchange Online
Monitoring
Use mail protection reports
Customize and schedule mail protection reports
What happened to delivery reports in Office 365?
Trace an email message
Run a Message Trace and View Results
Message Trace FAQ
Back up email
Fix Outlook connection problems in Office 365 and Exchange Online
Fix Outlook and Office 365 issues
Diagnostic log collection in Support and Recovery Assistant
Find and fix email delivery issues as an Office 365 for business admin
About Exchange documentation
Accessibility
Accessibility in Exchange admin center
Get started using screen reader
Keyboard shortcuts in admin center
Use screen reader to add equipment mailbox in Exchange admin center
Use screen reader to add mail contact in Exchange admin center
Use screen reader to add room mailbox in Exchange admin center
Use screen reader to add shared mailbox in Exchange admin center 2016
Use screen reader to add members to a distribution group in Exchange admin center
Use screen reader to archive mailbox items in Exchange admin center
Use screen reader to configure collaboration in Exchange admin center
Use screen reader to create distribution group in Exchange admin center
Use screen reader to configure mail flow rules in Exchange admin center
Use screen reader to define rules that encrypt or decrypt email in Exchange admin center 2016
Use screen reader to edit mailbox display name in Exchange admin center
Use screen reader to export and review audit logs in Exchange admin center
Use screen reader to identify admin role in Exchange admin center
Use screen reader to manage anti-malware protection in Exchange admin center
Use a screen reader to manage anti-spam protection
Use screen reader to open Exchange admin center
Use screen reader to run audit report in Exchange admin center
Use screen reader to trace an email message in Exchange admin center
Use screen reader to work with mobile clients in Exchange admin center
Exchange Online Multi-Geo
Exchange Online is part of the Office 365 suite of products.

End users - see Office help and training

Assign admin permissions

Learn about the Exchange admin center

To manage Exchange Online


As an administrator for your Office 365 tenant, you manage your organization's Exchange Online service in the Exchange admin
center. Here's how you get there:
1. Sign in to Office 365 using your work or school account, and then choose the Admin tile.
2. In the Microsoft 365 admin center, choose Admin centers / Exchange.
For an introduction, see Exchange admin center in Exchange Online.

Help for Microsoft 365 Admins


We're consolidating our content on the Office help and training site. See the following:
Office 365 for business - Admin Help: how to get started with the Microsoft 365 admin center, reset passwords, and more.
Email in Office 365 for business - Admin Help: how to set up email, fix problems, and import email.
Exchange admin center in Exchange Online
6/24/2019 • 4 minutes to read

You use the Exchange admin center to manage email settings for your organization.

Get to the Exchange admin center


You must have Microsoft 365 admin permissions to access the Exchange admin center.
1. Sign in to Office 365 using your work or school account, and then choose the Admin tile.
2. In the Microsoft 365 admin center, choose Admin centers > Exchange.

You can also get to the Exchange admin center directly by using a URL. To do this, go to
https://outlook.office365.com/ecp and sign in using your credentials.

NOTE
Be sure to use a private browsing session (not a regular session) to access the Exchange admin center using the direct
URL. This will prevent the credential that you are currently logged on with from being used. To open an InPrivate
Browsing session in Microsoft Edge or Internet Explorer or a Private Browsing session in Mozilla Firefox, press
CTRL+SHIFT+P. To open a private browsing session in Google Chrome (called an incognito window), press
CTRL+SHIFT+N.

Exchange admin center features


Here's what the Exchange admin center looks like.
Feature pane
Here are the features you'll find in the left-hand navigation.

AREA: WHAT YOU DO HERE

Dashboard: An overview of the admin center.
Recipients: View and manage your mailboxes, groups, resource mailboxes, contacts, shared mailboxes, and mailbox migrations.
Permissions: Manage administrator roles, user roles, and Outlook on the web (formerly known as Outlook Web App) policies.
Compliance management: Manage In-Place eDiscovery & Hold, auditing, data loss prevention (DLP), retention policies, retention tags, and journal rules.
Organization: Manage organization sharing and apps for Outlook.
Protection: Manage malware filters, connection filters, content filters, outbound spam, and quarantine for your organization.
Mail flow: Manage rules, message tracing, accepted domains, remote domains, and connectors.
Mobile: Manage the mobile devices that you allow to connect to your organization. You can manage mobile device access and mobile device mailbox policies.
Public folders: Manage public folders and public folder mailboxes.
Unified messaging: Manage Unified Messaging (UM) dial plans and UM IP gateways.

Tabs
The tabs are your second level of navigation. Each of the feature areas contains various tabs, each representing
a complete feature.
Toolbar
When you click most tabs, you'll see a toolbar. The toolbar has icons that perform a specific action. The
following table describes the most common icons and their actions. To display the action associated with an
icon, simply hover over the icon.

ICON NAME: ACTION

Add, New: Create a new object. Some of these icons have an associated down arrow you can click to show additional objects you can create. For example, in Recipients > Groups, clicking the down arrow displays Distribution group, Security group, and Dynamic distribution group as additional options.
Edit: Edit an object.
Delete: Delete an object. Some delete icons have a down arrow you can click to show additional options.
Search: Open a search box in which you can type the search phrase for an object you want to find.
n/a: Upgrade a distribution group to an Office 365 group. This icon can be used only for a distribution group.
Refresh: Refresh the list view.
More options: View more actions you can perform for that tab's objects. For example, in Recipients > Mailboxes, clicking this icon shows the following options: Add/Remove columns, Deleted mailboxes, Export data to a CSV file, and Advanced search.
Up arrow and down arrow: Move an object's priority up or down. For example, in Mail flow > Rules, click the up arrow to raise the priority of a rule. You can also use these arrows to navigate the public folder hierarchy.
Copy: Copy an object so you can make changes to it without changing the original object. For example, in Permissions > Admin roles, select a role from the list view, and then click this icon to create a new role group based on an existing one.
Remove: Remove an item from a list. For example, in the Public Folder Permissions dialog box, you can remove users from the list of users allowed to access the public folder by selecting the user and clicking this icon.

List view
When you select a tab, in most cases you'll see a list view. The list view in Exchange admin center is designed to
remove limitations that existed in Exchange Control Panel.
In Exchange Online, the viewable limit from within the Exchange admin center list view is approximately
10,000 objects. In addition, paging is included so you can page to the results. In the Recipients list view, you
can also configure page size and export the data to a CSV file.
Details pane
When you select an item from the list view, information about that object is displayed in the details pane.
To bulk edit several items: press the CTRL key, select the objects you want to bulk edit, and use the options
in the details pane.
Centers, Me tile, and Help
The Centers tile allows you to change from one admin center to another. The Me tile allows you to sign out of
the EAC and sign in as a different user. From the Help drop-down menu, you can perform the following
actions:
Help: Click to view the online help content.
Disable Help bubble: The Help bubble displays contextual help for fields when you create or edit an
object. You can turn off the Help bubble help or turn it on if it has been disabled.

Supported browsers
See the following articles:
Office 365 System Requirements: lists supported browsers for Office 365 and the Exchange admin
center.
Supported Browsers for Outlook on the web.
Related articles
Are you using Exchange Server? See Exchange admin center in Exchange Server.
Are you using Exchange Online Protection? See Exchange admin center in Exchange Online Protection.
Permissions in Exchange Online
6/24/2019 • 16 minutes to read

Exchange Online in Office 365 includes a large set of predefined permissions, based on the Role Based Access
Control (RBAC) permissions model, which you can use right away to easily grant permissions to your
administrators and users. You can use the permissions features in Exchange Online so that you can get your new
organization up and running quickly.
RBAC is also the permissions model that's used in Microsoft Exchange Server. Most of the links in this topic refer
to topics that reference Exchange Server. The concepts in those topics also apply to Exchange Online.
For information about permissions across Office 365, see Permissions in Office 365.

NOTE
Several RBAC features and concepts aren't discussed in this topic because they're advanced features. If the functionality
discussed in this topic doesn't meet your needs, and you want to further customize your permissions model, see
Understanding Role Based Access Control.

Role-based permissions
In Exchange Online, the permissions that you grant to administrators and users are based on management roles.
A management role defines the set of tasks that an administrator or user can perform. For example, a
management role called Mail Recipients defines the tasks that someone can perform on a set of mailboxes,
contacts, and distribution groups. When a management role is assigned to an administrator or user, that person is
granted the permissions provided by the management role.
Administrative roles and end-user roles are the two types of management roles. Following is a brief description of
each type:
Administrative roles: These roles contain permissions that can be assigned to administrators or specialist
users using role groups that manage a part of the Exchange Online organization, such as recipients or
compliance management.
End-user roles: These roles, which are assigned using role assignment policies, enable users to manage
aspects of their own mailbox and distribution groups that they own. End-user roles begin with the prefix
My.

Management roles give permissions to perform tasks to administrators and users by making cmdlets available to
those who are assigned the roles. Because the Exchange admin center (EAC) and Exchange Online PowerShell use
cmdlets to manage Exchange Online, granting access to a cmdlet gives the administrator or user permission to
perform the task in each of the Exchange Online management interfaces.
Exchange Online includes approximately 45 roles that you can use to grant permissions. For a list of roles, see
Built-in Management Roles.

NOTE
Some management roles may be available only to on-premises Exchange Server installations and won't be available in
Exchange Online.
Role groups and role assignment policies
Management roles grant permissions to perform tasks in Exchange Online, but you need an easy way to assign
them to administrators and users. Exchange Online provides you with the following to help you make
assignments:
Role groups: Role groups enable you to grant permissions to administrators and specialist users.
Role assignment policies: Role assignment policies enable you to grant permissions to end users to
change settings on their own mailbox or distribution groups that they own.
The following sections provide more information about role groups and role assignment policies.
Role groups
Every administrator who manages Exchange Online must be assigned one or more roles. Administrators
might have more than one role because they may perform job functions that span multiple areas in Exchange
Online.
To make it easier to assign multiple roles to an administrator, Exchange Online includes role groups. When a role
is assigned to a role group, the permissions granted by the role are granted to all the members of the role group.
This enables you to assign many roles to many role group members at once. Role groups typically encompass
broader management areas, such as recipient management. They're used only with administrative roles, and not
end-user roles. Role group members can be Exchange Online users and other role groups.

NOTE
It's possible to assign a role directly to a user without using a role group. However, that method of role assignment is an
advanced procedure and isn't covered in this topic. We recommend that you use role groups to manage permissions.

The following figure shows the relationship between users, role groups, and roles.

Exchange Online includes several built-in role groups, each one providing permissions to manage specific areas in
Exchange Online. Some role groups may overlap with other role groups. The following table lists each role group
with a description of its use.

ROLE GROUP: DESCRIPTION

Discovery Management: Administrators or users who are members of the Discovery Management role group can perform searches of mailboxes in the Exchange Online organization for data that meets specific criteria and can also configure legal holds on mailboxes.
Help Desk: The Help Desk role group, by default, enables members to view and modify the Outlook on the web (formerly known as Outlook Web App) options of any user in the organization. These options might include modifying the user's display name, address, and phone number. They don't include options that aren't available in Outlook on the web options, such as modifying the size of a mailbox or configuring the mailbox database on which a mailbox is located.
Help Desk Administrators (HelpdeskAdmins_<unique value>): The Help Desk Administrators role group doesn't have any roles assigned to it. However, it's a member of the View-Only Organization Management role group and inherits the permissions provided by that role group. This role group can't be managed in Exchange Online. You can add members to this role group by adding users to the Password administrator Office 365 role.
Organization Management: Administrators who are members of the Organization Management role group have administrative access to the entire Exchange Online organization and can perform almost any task against any Exchange Online object, with some exceptions, such as the Discovery Management role. Important: Because the Organization Management role group is a powerful role, only users that perform organizational-level administrative tasks that can potentially impact the entire Exchange Online organization should be members of this role group.
Recipient Management: Administrators who are members of the Recipient Management role group have administrative access to create or modify Exchange Online recipients within the Exchange Online organization.
Records Management: Users who are members of the Records Management role group can configure compliance features, such as retention policy tags, message classifications, and mail flow rules (also known as transport rules).
View-Only Organization Management: Administrators who are members of the View Only Organization Management role group can view the properties of any object in the Exchange Online organization.
Compliance Management: Users who are members of the Compliance Management role group are responsible for compliance, to properly configure and manage compliance settings within Exchange in accordance with their policy.

If you work in a small organization that has only a few administrators, you might need to add those administrators
to the Organization Management role group only, and you may never need to use the other role groups. If you
work in a larger organization, you might have administrators who perform specific tasks administering Exchange
Online, such as recipient configuration. In those cases, you might add one administrator to the Recipient
Management role group, and another administrator to the Organization Management role group. Those
administrators can then manage their specific areas of Exchange Online, but they won't have permissions to
manage areas they're not responsible for.
If the built-in role groups in Exchange Online don't match the job function of your administrators, you can create
role groups and add roles to them. For more information, see the Work with role groups section later in this topic.
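An added Exchange Online PowerShell example (not part of the Microsoft article) that audits the role groups the table singles out: who is a member, which roles and write scopes each group grants, which roles expose a given cmdlet parameter, and whether any role was assigned directly to a user instead of through a role group. It assumes the ExchangeOnlineManagement module and an account that can read RBAC configuration (View-Only Organization Management is enough); the UPN is a placeholder.

```powershell
# Added example, not from the Microsoft article. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can read RBAC configuration.
# The UPN below is a placeholder.
# Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Role groups the article singles out: Organization Management can touch almost
# everything; Discovery Management can search any mailbox and place holds.
$sensitiveRoleGroups = @('Organization Management', 'Discovery Management')

foreach ($roleGroup in $sensitiveRoleGroups) {
    Write-Host "`n==== $roleGroup ===="

    # Direct members. Nested role groups are listed here too and inherit the
    # permissions, so review their membership as well.
    Write-Host '-- Members'
    Get-RoleGroupMember -Identity $roleGroup |
        Select-Object Name, RecipientType |
        Format-Table -AutoSize

    # Roles granted through the role group. The write scopes show how far each
    # role reaches; the built-in groups use organization-wide scopes.
    Write-Host '-- Role assignments'
    Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
        Select-Object Role, RecipientWriteScope, ConfigWriteScope, Enabled |
        Sort-Object Role |
        Format-Table -AutoSize
}

# A role is a bundle of cmdlets and parameters. To find every role (and therefore
# every role group) that can set mailbox forwarding, ask which roles expose the
# relevant Set-Mailbox parameter.
Write-Host "`n==== Roles that grant Set-Mailbox -ForwardingSmtpAddress ===="
Get-ManagementRole -Cmdlet Set-Mailbox -CmdletParameters ForwardingSmtpAddress |
    Select-Object Name |
    Format-Table -AutoSize

# The article recommends granting roles through role groups. Assignments made
# directly to a user bypass that model and are easy to miss in the EAC, so list them.
Write-Host "`n==== Roles assigned directly to users ===="
Get-ManagementRoleAssignment -RoleAssigneeType User |
    Select-Object Role, RoleAssigneeName, RecipientWriteScope, Enabled |
    Format-Table -AutoSize
```

To expand nested role groups to the individual users who effectively hold a role, add the -GetEffectiveUsers switch to Get-ManagementRoleAssignment.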
Role assignment policies
Exchange Online provides role assignment policies so that you can control what settings your users can configure
on their own mailboxes and on distribution groups they own. These settings include their display name, contact
information, voice mail settings, and distribution group membership.
Your Exchange Online organization can have multiple role assignment policies that provide different levels of
permissions for the different types of users in your organizations. Some users can be allowed to change their
address or create distribution groups, while others can't, depending on the role assignment policy associated with
their mailbox. Role assignment policies are added directly to mailboxes, and each mailbox can only be associated
with one role assignment policy at a time.
Of the role assignment policies in your organization, one is marked as default. The default role assignment policy
is associated with new mailboxes that aren't explicitly assigned a specific role assignment policy when they're
created. The default role assignment policy should contain the permissions that should be applied to the majority
of your mailboxes.
Permissions are added to role assignment policies using end-user roles. End-user roles begin with My and grant
permissions for users to manage only their mailbox or distribution groups they own. They can't be used to
manage any other mailbox. Only end-user roles can be assigned to role assignment policies.
When an end-user role is assigned to a role assignment policy, all of the mailboxes associated with that role
assignment policy receive the permissions granted by the role. This enables you to add or remove permissions to
sets of users without having to configure individual mailboxes. The following figure shows:
End-user roles are assigned to role assignment policies. Role assignment policies can share the same end-
user roles. For details about the end-user roles that are available in Exchange Online, see Role assignment
policies in Exchange Online.
Role assignment policies are associated with mailboxes. Each mailbox can only be associated with one role
assignment policy.
After a mailbox is associated with a role assignment policy, the end-user roles are applied to that mailbox.
The permissions granted by the roles are granted to the user of the mailbox.

The Default Role Assignment Policy role assignment policy is included with Exchange Online. As the name
implies, it's the default role assignment policy. If you want to change the permissions provided by this role
assignment policy, or if you want to create role assignment policies, see Work with role assignment policies later in
this topic.

Office 365 permissions in Exchange Online


When you create a user in Office 365, you can choose whether to assign various administrative roles, such as
Global administrator, Service administrator, Password administrator, and so on, to the user. Some, but not all,
Office 365 roles grant the user administrative permissions in Exchange Online.

NOTE
The user that was used to create your Office 365 tenant is automatically assigned to the Global administrator Office 365
role.

The following table lists the Office 365 roles and the Exchange Online role group they correspond to.

OFFICE 365 ROLE: EXCHANGE ONLINE ROLE GROUP

Global administrator: Organization Management. Note: The Global administrator role and the Organization Management role group are tied together using a special Company Administrator role group. The Company Administrator role group is managed internally by Exchange Online and can't be modified directly.

Billing administrator: No corresponding Exchange Online role group.

Password administrator: Help Desk administrator.

Service administrator: No corresponding Exchange Online role group.

User management administrator: No corresponding Exchange Online role group.

For a description of the Exchange Online role groups, see the table "Built-in role groups" in Role groups.
When you add a user to either the Global administrator or Password administrator Office 365 roles, the user is
granted the rights provided by the respective Exchange Online role group. Other Office 365 roles don't have a
corresponding Exchange Online role group and won't grant administrative permissions in Exchange Online. For
more information about assigning an Office 365 role to a user, see Assigning admin roles.
Users can be granted administrative rights in Exchange Online without adding them to Office 365 roles. This is
done by adding the user as a member of an Exchange Online role group. When a user is added directly to an
Exchange Online role group, they'll receive the permissions granted by that role group in Exchange Online.
However, they won't be granted any permissions to other Office 365 components. They'll have administrative
permissions only in Exchange Online. Users can be added to any of the role groups listed in the "Built-in role
groups table" in Role groups with the exception of the Company Administrator and Help Desk Administrators role
groups. For more information about adding a user directly to an Exchange Online role group, see Work with role
groups.

Work with role groups


To manage your permissions using role groups in Exchange Online, we recommend that you use the EAC. When
you use the EAC to manage role groups, you can add and remove roles and members, create role groups, and
copy role groups with a few clicks of your mouse. The EAC provides simple dialog boxes, such as the new role
group dialog box, shown in the following figure, to perform these tasks.

Exchange Online includes several role groups that separate permissions into specific administrative areas. If these
existing role groups provide the permissions your administrators need to manage your Exchange Online
organization, you need only add your administrators as members of the appropriate role groups. After you add
administrators to a role group, they can administer the features that relate to that role group. To add or remove
members to or from a role group, open the role group in the EAC, and then add or remove members from the
membership list. For a list of built-in role groups, see the table "Built-in role groups" in Role groups.

IMPORTANT
If an administrator is a member of more than one role group, Exchange Online grants the administrator all of the
permissions provided by the role groups he or she is a member of.

If none of the role groups included with Exchange Online have the permissions you need, you can use the EAC to
create a role group and add the roles that have the permissions you need. For your new role group, you will:
1. Choose a name for your role group.
2. Select the roles you want to add to the role group.
3. Add members to the role group.
4. Save the role group.
After you create the role group, you manage it like any other role group.
If there's an existing role group that has some, but not all, of the permissions you need, you can copy it and then
make changes to create a role group. You can copy an existing role group and make changes to it, without
affecting the original role group. As part of copying the role group, you can add a new name and description, add
and remove roles to and from the new role group, and add new members. When you create or copy a role group,
you use the same dialog box that's shown in the preceding figure.
Existing role groups can also be modified. You can add and remove roles from existing role groups, and add and
remove members from it at the same time, using an EAC dialog box similar to the one in the preceding figure. By
adding and removing roles to and from role groups, you turn on and off administrative features for members of
that role group.

NOTE
Although you can change which roles are assigned to built-in role groups, we recommend that you copy built-in role
groups, modify the role group copy, and then add members to the role group copy. The Company Administrator and Help
Desk administrator role groups can't be copied or changed.

Work with role assignment policies


To manage the permissions that you grant end users to manage their own mailbox in Exchange Online, we
recommend that you use the EAC. When you use the EAC to manage end-user permissions, you can add roles,
remove roles, and create role assignment policies with a few clicks of your mouse. The EAC provides simple dialog
boxes, such as the role assignment policy dialog box, shown in the following figure, to perform these tasks.
Exchange Online includes a role assignment policy named Default Role Assignment Policy. This role assignment
policy enables users whose mailboxes are associated with it to do the following:
Join or leave distribution groups that allow members to manage their own membership.
View and modify basic mailbox settings on their own mailbox, such as Inbox rules, spelling behavior, junk
mail settings, and Microsoft ActiveSync devices.
Modify their contact information, such as work address and phone number, mobile phone number, and
pager number.
Create, modify, or view text message settings.
View or modify voice mail settings.
View and modify their marketplace apps.
Create team mailboxes and connect them to Microsoft SharePoint lists.
Create, modify, or view email subscription settings, such as message format and protocol defaults.
If you want to add or remove permissions from the Default Role Assignment Policy or any other role assignment
policy, you can use the EAC. The dialog box you use is similar to the one in the preceding figure. When you open
the role assignment policy in the EAC, select the check box next to the roles you want to assign to it or clear the
check box next to the roles you want to remove. The change you make to the role assignment policy is applied to
every mailbox associated with it.
If you want to assign different end-user permissions to the various types of users in your organization, you can
create role assignment policies. When you create a role assignment policy, you see a dialog box similar to the one
in the preceding figure. You can specify a new name for the role assignment policy, and then select the roles you
want to assign to the role assignment policy. After you create a role assignment policy, you can associate it with
mailboxes using the EAC.
If you want to change which role assignment policy is the default, you must use Exchange Online PowerShell.
When you change the default role assignment policy, any mailboxes that are created will be associated with the
new default role assignment policy if one wasn't explicitly specified. The role assignment policy associated with
existing mailboxes doesn't change when you select a new default role assignment policy.

NOTE
If you select a check box for a role that has child roles, the check boxes for the child roles are also selected. If you clear the
check box for a role with child roles, the check boxes for the child roles are also cleared.

For detailed role assignment policy procedures, see Role assignment policies in Exchange Online.
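The default-policy switch described above, as an added example that is not part of the original topic. It creates a restricted policy, makes it the default for new mailboxes (a step the EAC can't perform), and then explicitly moves existing mailboxes over, because changing the default leaves them on their current policy. The policy name and the sample mailbox address are assumptions; MyBaseOptions and MyContactInformation are built-in Exchange Online end-user roles.

```powershell
# Added example, not from the original topic. Assumes an open Exchange Online
# PowerShell session with the Role Management role.
$PolicyName = 'Restricted End User Policy'   # hypothetical policy name

# 1. Create a policy that grants only the listed end-user roles. MyBaseOptions
#    covers basic mailbox settings; MyContactInformation lets users edit their
#    own contact details. Roles such as MyDistributionGroups (create and own
#    distribution groups) are deliberately left out.
if (-not (Get-RoleAssignmentPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-RoleAssignmentPolicy -Name $PolicyName `
        -Description 'Basic mailbox options and contact information only' `
        -Roles 'MyBaseOptions','MyContactInformation' | Out-Null
}

# 2. Make it the default. Only mailboxes created from now on without an explicit
#    policy pick this up.
Set-RoleAssignmentPolicy -Identity $PolicyName -IsDefault

# 3. Verify that exactly one policy is flagged as default and what it grants.
Get-RoleAssignmentPolicy |
    Format-Table Name, IsDefault, @{ n = 'Roles'; e = { $_.Roles -join ', ' } } -AutoSize

# 4. Existing mailboxes keep their old policy. Move every mailbox that is still
#    on the built-in default; each mailbox can carry only one policy at a time.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.RoleAssignmentPolicy)" -eq 'Default Role Assignment Policy' } |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -RoleAssignmentPolicy $PolicyName
        $_.PrimarySmtpAddress   # echo what was changed, for the change record
    }

# 5. Spot-check a moved mailbox (hypothetical address).
Get-Mailbox -Identity 'julia@contoso.onmicrosoft.com' |
    Format-List DisplayName, RoleAssignmentPolicy
```

Step 4 enumerates every mailbox, so in a large tenant run it during a maintenance window or narrow the `Get-Mailbox` call with `-Filter` first. Because a mailbox can only have one policy, the move is the only way to remove permissions that the old policy granted.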

Permissions documentation
The following table contains links to topics that will help you learn about and manage permissions in Exchange
Online.

TOPIC: DESCRIPTION

Understanding Role Based Access Control: Learn about each of the components that make up RBAC and how you can create advanced permissions models if role groups and management roles aren't enough.

Manage role groups in Exchange Online: Configure permissions for Exchange Online administrators and specialist users using role groups, including adding and removing members to and from role groups.

Role assignment policies in Exchange Online: Configure which features end users have access to on their mailboxes using role assignment policies; view, create, modify, and remove role assignment policies; specify the default role assignment policy; and apply role assignment policies to mailboxes.

View Effective Permissions: View who has permissions to administer Exchange Online features.

Feature permissions in Exchange Online: Learn more about the permissions required to manage Exchange Online features and services.
Feature permissions in Exchange Online
5/31/2019 • 2 minutes to read

The permissions required to perform tasks to manage Microsoft Exchange Online vary depending on the
procedure being performed or the cmdlet you want to run.
For information about Exchange Online Protection (EOP) permissions, see Feature Permissions in EOP.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the
cmdlet you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an
equivalent custom role group, or an equivalent management role. You can also click on a role group to
see its management roles. If a feature lists more than one role group, you only need to be assigned one of
the role groups to use the feature. For more information about role groups and management roles, see
Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management
roles assigned to you to see if you have the permissions that are necessary to manage the feature.

NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to you.

If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
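The permission check in steps 2 and 3 above, as an added example that is not part of the original topic. It answers "which management roles does this person effectively hold, and through which role group?" and then compares that against the role groups a feature requires. It assumes an open Exchange Online PowerShell session with the Role Management role; the user name is hypothetical, and the assumption that EffectiveUserName carries the user's display name is noted in the code.

```powershell
# Added example, not from the original topic. Requires the Role Management role,
# as the NOTE above says.
function Get-EffectiveRoles {
    param([Parameter(Mandatory)][string]$User)

    # -GetEffectiveUsers expands role groups and USGs, so each assignment row
    # carries the name of every user it applies to. EffectiveUserName is
    # assumed to hold the display name; adjust the comparison if your tenant
    # shows it differently.
    Get-ManagementRoleAssignment -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $User } |
        Select-Object Role, RoleAssignee, RoleAssigneeType,
                      RecipientWriteScope, CustomRecipientWriteScope, Enabled |
        Sort-Object Role, RoleAssignee
}

# Compare against the "Permissions required" column of the feature table: if a
# feature lists several role groups, membership in any one of them is enough.
function Test-FeatureAccess {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string[]]$RequiredRoleGroups
    )
    $viaGroups = Get-EffectiveRoles -User $User |
        Where-Object { $_.RoleAssigneeType -eq 'RoleGroup' } |
        ForEach-Object { "$($_.RoleAssignee)" } |
        Select-Object -Unique
    $hit = @($viaGroups | Where-Object { $RequiredRoleGroups -contains $_ })
    [pscustomobject]@{
        User      = $User
        HasAccess = ($hit.Count -gt 0)
        Via       = ($hit -join ', ')
        Missing   = (($RequiredRoleGroups | Where-Object { $viaGroups -notcontains $_ }) -join ', ')
    }
}

# Usage (hypothetical user): full role list, then the Message trace check, which
# per the table needs Organization Management, Compliance Management or Help Desk.
Get-EffectiveRoles -User 'Julia Smith' | Format-Table -AutoSize
Test-FeatureAccess -User 'Julia Smith' `
    -RequiredRoleGroups 'Organization Management','Compliance Management','Help Desk'
```

`Get-ManagementRoleAssignment -GetEffectiveUsers` without a `-Role` filter walks every assignment in the tenant and can take a while; when you only care about one feature, add `-Role "<Role Name>"` to the call inside `Get-EffectiveRoles`. Note that the function reports assignments made through a custom role group as well as the built-in ones, which is exactly the "equivalent custom role group" case in step 2.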

Exchange Online permissions


You can use the features in the following table to manage your Exchange Online organization and recipients.
Users who are assigned the View-Only Organization Management role group can view the configuration of the features in the
following table. For more information, see View-Only Organization Management.

FEATURE: PERMISSIONS REQUIRED

Anti-malware: Organization Management; Hygiene Management

Anti-spam: Organization Management; Hygiene Management

Data loss prevention: Organization Management; Compliance Management

Office 365 connectors: Organization Management

Journal archiving: Organization Management; Recipient Management

Linked user: Organization Management; Recipient Management

Mail flow: Organization Management

Mailbox settings: Organization Management; Recipient Management

Microsoft Office 365 Message Encryption (OME): Organization Management; Compliance Management; Records Management

Message trace: Organization Management; Compliance Management; Help Desk

Organization configuration: Organization Management

Outlook on the web mailbox policies: Organization Management; Recipient Management (http://technet.microsoft.com/library/669d602e-68e3-41f9-a455-b942d212d130.aspx)

POP3 and IMAP4 permissions: Organization Management

Quarantine: Organization Management; Hygiene Management

Subscriptions: Organization Management; Recipient Management. Note: A user can create subscriptions in their own mailbox. An administrator can't create subscriptions in another user's mailbox, but they can modify or delete subscriptions in another user's mailbox.

Supervision: Organization Management

View reports: Organization Management (users have access to mailbox reports and mail protection reports); View-Only Organization Management (users have access to mailbox reports); View-Only Recipients (users have access to mail protection reports); Compliance Management (users have access to mail protection reports and Data Loss Prevention (DLP) reports, if their subscription has DLP capabilities).
Manage role groups in Exchange Online
5/31/2019 • 15 minutes to read

A role group is a special kind of universal security group (USG) that's used in the Role Based Access Control
(RBAC) permissions model in Exchange Online. Management role groups simplify the assignment and
maintenance of permissions to users in Exchange Online. The members of the role group are assigned the same
set of roles, and you add and remove permissions from users by adding them to or removing them from the role
group. For more information about role groups in Exchange Online, see Permissions in Exchange Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 to 10 minutes
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To open
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
The procedures in this topic require the Role Management RBAC role in Exchange Online. Typically, you get
this permission via membership in the Organization Management role group (the Office 365 Global
administrator role).
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.

View role groups


Use the EAC to view role groups
1. In the EAC, go to Permissions > Admin Roles. All of the role groups in your organization are listed here.
2. Select a role group. The Details pane shows the Name, Description, Assigned roles, Members,
Managed by, and Write scope of the role group. You can also see this information by clicking Edit.
Use Exchange Online PowerShell to view role groups
To view a role group, use the following syntax:

Get-RoleGroup [-Identity "<Role Group Name>"] [-Filter <Filter>]

This example returns a summary list of all role groups.

Get-RoleGroup

This example returns detailed information for the role group named Recipient Administrators.

Get-RoleGroup -Identity "Recipient Administrators" | Format-List

This example returns all role groups where the user Julia is a member. You need to use the DistinguishedName
(DN) value for Julia, which you can find by running the command:
Get-User -Identity Julia | Format-List DistinguishedName

Get-RoleGroup -Filter {Members -eq 'CN=Julia,OU=contoso.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR001,DC=PROD,DC=OUTLOOK,DC=COM'}

For detailed syntax and parameter information, see Get-RoleGroup.
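A membership review built on the cmdlets above, as an added example that is not part of the original topic. Get-RoleGroup on its own lists groups, not people; this script walks every role group, lists each member, expands members that are themselves role groups one level down (nesting is allowed, and it is where unexpected administrators hide), and flags groups whose roles include Role Management, because their members can change anyone's permissions. It assumes an open Exchange Online PowerShell session with the Role Management role and an output path that is hypothetical.

```powershell
# Added example, not from the original topic. Read-only: it only calls Get-* cmdlets.
function Get-RoleGroupInventory {
    foreach ($rg in Get-RoleGroup) {
        $members = @(Get-RoleGroupMember -Identity $rg.Identity)

        # A role group with no members at all is worth knowing about too.
        if ($members.Count -eq 0) {
            [pscustomobject]@{
                RoleGroup      = $rg.Name
                CanManageRoles = [bool]($rg.Roles -contains 'Role Management')
                Member         = '(none)'
                NestedMembers  = ''
                ManagedBy      = (($rg.ManagedBy | ForEach-Object { "$_" }) -join ', ')
            }
            continue
        }

        foreach ($m in $members) {
            # Members can be users, USGs or other role groups. If Get-RoleGroup
            # resolves the member, it is a nested role group: expand it one level.
            $nested = @()
            $sub = Get-RoleGroup -Identity $m.Identity -ErrorAction SilentlyContinue
            if ($sub) {
                $nested = @(Get-RoleGroupMember -Identity $sub.Identity | ForEach-Object { $_.Name })
            }
            [pscustomobject]@{
                RoleGroup      = $rg.Name
                CanManageRoles = [bool]($rg.Roles -contains 'Role Management')
                Member         = $m.Name
                NestedMembers  = ($nested -join ', ')
                ManagedBy      = (($rg.ManagedBy | ForEach-Object { "$_" }) -join ', ')
            }
        }
    }
}

# Usage: first the groups whose members can grant roles (Organization Management
# is the obvious one), then the full inventory to a CSV for the access review.
$inventory = Get-RoleGroupInventory
$inventory | Where-Object CanManageRoles | Format-Table RoleGroup, Member, NestedMembers -AutoSize
$inventory | Export-Csv -Path 'C:\reviews\exo-role-groups.csv' -NoTypeInformation   # hypothetical path
```

Compare the CanManageRoles rows against your list of approved Exchange administrators on every review; a user who appears only through a nested group or a USG shows up in NestedMembers rather than Member, which is why the expansion step is there. The ManagedBy column tells you who can alter the group itself without being a member of it.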

Create role groups


When you create a new role group, you need to configure all of the settings yourself (during the creation of the
group or after). To start with the configuration of an existing role group and modify it, see Copy existing role
groups.
Use the EAC to create role groups
1. In the EAC, go to Permissions > Admin Roles and then click Add.
2. In the New role group window that appears, configure the following settings:
Name: Enter a unique name for the role group.
Description: Enter an optional description for the role group.
Write scope: The default value is Default, but you can also select a custom recipient write scope
that you've already created.
Roles: Click Add to select the roles that you want to be assigned to the role group in the new
window that appears.
Members: Click Add to select the members that you want to add to the role group in the new
window that appears. You can select users, universal security groups (USGs), or other role groups
(security principals).
When you're finished, click Save to create the role group.
Use Exchange Online PowerShell to create a role group
To create a new role group, use the following syntax:

New-RoleGroup -Name "Unique Name" -Description "Descriptive text" -Roles <"Role1","Role2"...> -ManagedBy <Managers> -Members <Members> -CustomRecipientWriteScope "<Existing Write Scope Name>"

The Roles parameter specifies the management roles to assign to the role group by using the following
syntax: "Role1","Role2",..."RoleN". You can see the available roles by using the Get-ManagementRole
cmdlet.
The Members parameter specifies the members of the role group by using the following syntax:
"Member1","Member2",..."MemberN". You can specify users, universal security groups (USGs), or other role
groups (security principals).
The ManagedBy parameter specifies the delegates who can modify and remove the role group by using the
following syntax: "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the EAC.
The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply to
the role group. You can see the available custom recipient write scopes by using the Get-ManagementScope
cmdlet.
This example creates a new role group named "Limited Recipient Management" with the following settings:
The Mail Recipients and Mail Enabled Public Folders roles are assigned to the role group.
The users Kim and Martin are added as members. Because no custom recipient write scope was specified,
Kim and Martin can manage any recipient in the organization.

New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin"

This is the same example with a custom recipient write scope, which means Kim and Martin can only manage
recipients that are included in the Seattle Recipients scope (recipients who have their City property set to the value
Seattle).

New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New-RoleGroup.
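The scoped delegation from the second example above, carried through end to end as an added example that is not part of the original topic: it creates the "Seattle Recipients" custom recipient write scope (New-ManagementScope is covered in the separate "Create custom management scope" topic), creates the role group with that scope, and then checks that the scope really landed on every role assignment, since that is what keeps Kim and Martin away from recipients outside Seattle. It assumes an open Exchange Online PowerShell session with the Role Management role; the member names are the page's own hypothetical users.

```powershell
# Added example, not from the original topic.
$ScopeName = 'Seattle Recipients'
$GroupName = 'Limited Recipient Management'
$Members   = 'Kim','Martin'

# 1. A recipient write scope limits the objects members may change, not the
#    cmdlets they may run. Create it only if it isn't already there.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter "City -eq 'Seattle'" | Out-Null
}

# 2. Create the role group with the scope attached to every role assignment.
New-RoleGroup -Name $GroupName `
    -Roles 'Mail Recipients','Mail Enabled Public Folders' `
    -Members $Members `
    -CustomRecipientWriteScope $ScopeName | Out-Null

# 3. Verify. Each assignment should show RecipientWriteScope = CustomRecipientScope
#    and the scope name; an assignment left at Organization would let the
#    members change any recipient in the tenant.
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $GroupName)
$assignments | Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

$unscoped = @($assignments | Where-Object { "$($_.CustomRecipientWriteScope)" -ne $ScopeName })
if ($unscoped.Count -gt 0) {
    Write-Warning "Assignments missing the '$ScopeName' scope: $(($unscoped | ForEach-Object { $_.Role }) -join ', ')"
} else {
    Write-Host "All $($assignments.Count) role assignments on '$GroupName' are limited to '$ScopeName'."
}

# 4. Preview the blast radius: the recipients the members will actually be able
#    to modify are exactly those matching the scope filter.
Get-Recipient -ResultSize Unlimited -Filter "City -eq 'Seattle'" |
    Format-Table Name, City, RecipientTypeDetails -AutoSize
```

Step 4 is the check to repeat whenever the City attribute is maintained by another system (HR sync, for example): a recipient whose City is blank or misspelled silently drops out of the scope, and a recipient wrongly tagged Seattle silently drops in. If you later add a role to the group with New-ManagementRoleAssignment, pass -CustomRecipientWriteScope again; the group's scope is not inherited by new assignments automatically, which is why step 3 checks each assignment rather than the group.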


How do you know this worked?
To verify that you've successfully created a role group, do either of the following steps:
In the EAC, go to Permissions > Admin Roles, select the new role group you created, and verify the
settings in the Details pane or click Edit to verify the settings.
In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the
following command to verify the settings:

Get-RoleGroup -Identity "<Role Group Name>" | Format-List

Copy existing role groups


If an existing role group is close in terms of the permissions and settings that you want to assign to users, you can
copy the existing role group and modify the copy to suit your needs.
Use the EAC to copy a role group
Note: You can't use the EAC to copy a role group if you've used Exchange Online PowerShell to configure multiple
scopes or exclusive scopes on the role group. To copy role groups that have these settings, you need to use
Exchange Online PowerShell.
1. In the EAC, go to Permissions > Admin Roles.
2. Select the role group that you want to copy and then click Copy.
3. In the New role group window that appears, configure the following settings:
Name: The default value is "Copy of <Role Group Name>", but you can enter a unique name for the
role group.
Description: The existing description is present, but you can change it.
Write scope: The existing write scope is selected, but you can select Default or another custom
recipient write scope that you've already created.
Roles: Click Add or Remove to modify the roles that are assigned to the role group.
Members: Click Add or Remove to modify the role group membership.
When you're finished, click Save to create the role group.
Use Exchange Online PowerShell to copy a role group
1. Store the role group that you want to copy in a variable using the following syntax:

$RoleGroup = Get-RoleGroup "<Existing Role Group Name>"

2. Create the new role group using the following syntax:

New-RoleGroup -Name "<Unique Name>" -Roles $RoleGroup.Roles [-Members <Members>] [-ManagedBy <Managers>] [-CustomRecipientWriteScope "<Existing Custom Recipient Write Scope Name>"]

The Members parameter specifies the members of the role group by using the following syntax:
"Member1","Member2",..."MemberN". You can specify users, universal security groups (USGs), or other role
groups (security principals).

The ManagedBy parameter specifies the delegates who can modify and remove the role group by using
the following syntax: "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the
EAC.

The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply
to the role group. You can see the available custom recipient write scopes by using the Get-ManagementScope
cmdlet.
This example copies the Organization Management role group to the new role group named "Limited
Organization Management". The role group members are Isabelle, Carter, and Lukas and the role group delegates
are Jenny and Katie.

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Limited Organization Management" -Roles $RoleGroup.Roles -Members "Isabelle","Carter","Lukas" -ManagedBy "Jenny","Katie"

This example copies the Organization Management role group to the new role group called Vancouver
Organization Management with the Vancouver Users recipient custom recipient write scope.

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Vancouver Organization Management" -Roles $RoleGroup.Roles -CustomRecipientWriteScope "Vancouver Users"

For detailed syntax and parameter information, see New-RoleGroup.


How do you know this worked?
To verify that you've successfully copied a role group, do either of the following steps:
In the EAC, go to Permissions > Admin Roles, select the new role group you created, and verify the
settings in the Details pane or click Edit to verify the settings.
In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the
following command to verify the settings:

Get-RoleGroup -Identity "<Role Group Name>" | Format-List


Modify role groups
Use the EAC to modify role groups
1. In the EAC, go to Permissions > Admin Roles, select the role group you want to modify, and then click Edit.
The same options are available when you modify role groups as when you create role groups (see Use the EAC to
create role groups). You can:
Change the name and description.
Change the write scope (if you've created custom recipient write scopes).
Add and remove management roles (create or remove role assignments).
Add and remove members.
Notes:
You can't use the EAC to modify the write scope, roles and members of a role group if you've used
Exchange Online PowerShell to configure multiple scopes or exclusive scopes on the role group. To modify
the settings of these role groups, you need to use Exchange Online PowerShell.
Some role groups (for example, the Organization Management role group) restrict the roles that you can
remove from group.
You can't add or remove delegates of a role group in the EAC. You can only use Exchange Online PowerShell.
Use Exchange Online PowerShell to add roles to role groups (create role assignments)
To add roles to role groups in Exchange Online PowerShell, you create management role assignments by using the
following syntax:

New-ManagementRoleAssignment [-Name "<Unique Name>"] -SecurityGroup "<Role Group Name>" -Role "<Role Name>" [-RecipientRelativeWriteScope <MyGAL | MyDistributionGroups | Organization | Self>] [-CustomRecipientWriteScope "<Role Scope Name>"]

The role assignment name is created automatically if you don't specify one.
If you don't use the RecipientRelativeWriteScope parameter, the implicit read scope and implicit write scope
of the role is applied to the role assignment.
If a predefined scope meets your business requirements, you can use the RecipientRelativeWriteScope
parameter to apply the scope to the role assignment.
To apply a custom recipient write scope, use the CustomRecipientWriteScope parameter.
This example assigns the Transport Rules management role to the Seattle Compliance role group.

New-ManagementRoleAssignment -SecurityGroup "Seattle Compliance" -Role "Transport Rules"

This example assigns the Message Tracking role to the Enterprise Support role group and applies the Organization
predefined scope.

New-ManagementRoleAssignment -SecurityGroup "Enterprise Support" -Role "Message Tracking" -RecipientRelativeWriteScope Organization

This example assigns the Message Tracking role to the Seattle Recipient Admins role group and applies the Seattle
Recipients scope.

New-ManagementRoleAssignment -SecurityGroup "Seattle Recipient Admins" -Role "Message Tracking" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New -ManagementRoleAssignment.


Use Exchange Online PowerShell to remove roles from role groups (remove role assignments)
To remove roles from role groups in Exchange Online PowerShell, you remove management role assignments by
using the following syntax:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" -Role "<Role Name>" -Delegating <$true | $false> | Remove-ManagementRoleAssignment

To remove regular role assignments that grant permissions to users, use the value $false for the
Delegating parameter.
To remove delegating role assignments that allow the role to be assigned to others, use the value $true for
the Delegating parameter.
This example removes the Distribution Groups role from the Seattle Recipient Administrators role group.

Get-ManagementRoleAssignment -RoleAssignee "Seattle Recipient Administrators" -Role "Distribution Groups" -Delegating $false | Remove-ManagementRoleAssignment

For detailed syntax and parameter information, see Remove-ManagementRoleAssignment.


Use Exchange Online PowerShell to modify the scope of role assignments in role groups
The write scope of a role assignment in a role group defines the objects that the members of the role group can
operate on (for example, all users, or only the users whose City property has the value Vancouver). You can modify
the write scope of the roles assigned to a role group to:
The implicit scope from the roles themselves. This means you didn't specify any custom scopes when you
created the role group, or you set the value of all role assignments in an existing role group to the value
$null .

The same custom scope for all role assignments.


Different custom scopes for each individual role assignment.
To set the scope on all of the role assignments on a role group at the same time, use the following syntax:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Set-ManagementRoleAssignment [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive Recipient Write Scope Name>"]

This example changes the recipient scope for all role assignments on the Sales Recipient Management role group
to Direct Sales Employees.

Get-ManagementRoleAssignment -RoleAssignee "Sales Recipient Management" | Set-ManagementRoleAssignment -CustomRecipientWriteScope "Direct Sales Employees"

To change the scope on an individual role assignment between a role group and a management role, do the
following steps:
1. Replace <Role Group Name> with the name of the role group and run the following command to find the
names of all the role assignments on the role group:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Format-List Name

2. Find the name of the role assignment you want to change. Use the name of the role assignment in the next
step.
3. To set the scope on the individual role assignment, use the following syntax:

Set-ManagementRoleAssignment -Identity "<Role Assignment Name>" [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive Recipient Write Scope Name>"]

This example changes the recipient scope for the role assignment named Mail Recipients_Sales Recipient
Management to All Sales Employees.

Set-ManagementRoleAssignment "Mail Recipients_Sales Recipient Management" -CustomRecipientWriteScope "All Sales Employees"

For detailed syntax and parameter information, see Set-ManagementRoleAssignment.


Use Exchange Online PowerShell to modify the list of delegates in role groups
Role group delegates define who is allowed to modify and delete the role group. You can't manage role group
delegates in the EAC.
To modify the list of delegates in a role group, use the following syntax:

Set-RoleGroup -Identity "<Role Group Name>" -ManagedBy <Delegates>

To replace the existing list of delegates with the values you specify, use the following syntax:
"Delegate1","Delegate2",..."DelegateN" .

To selectively modify the existing list of delegates, use the following syntax:
@{Add="Delegate1","Delegate2"...; Remove="Delegate3","Delegate4"...} .

This example replaces all current delegates of the Help Desk role group with the specified users.

Set-RoleGroup -Identity "Help Desk" -ManagedBy "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrios from the list of delegates on the Help Desk role
group.

Set-RoleGroup -Identity "Help Desk" -ManagedBy @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Set-RoleGroup.

Use Exchange Online PowerShell to modify the list of members in role groups
The Add-RoleGroupMember and Remove-RoleGroupMember cmdlets add or remove individual
members one at a time. The Update-RoleGroupMember cmdlet can replace or modify the existing list of
members.
The members of a role group can be users, universal security groups (USGs), or other role groups (security
principals).
To modify the members of a role group, use the following syntax:

Update-RoleGroupMember -Identity "<Role Group Name>" -Members <Members> [-BypassSecurityGroupManagerCheck]

To replace the existing list of members with the values you specify, use the following syntax:
"Member1","Member2",..."MemberN" .

To selectively modify the existing list of members, use the following syntax:
@{Add="Member1","Member2"...; Remove="Member3","Member4"...} .

This example replaces all current members of the Help Desk role group with the specified users.

Update-RoleGroupMember -Identity "Help Desk" -Members "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrios from the list of members on the Help Desk role
group.

Update-RoleGroupMember -Identity "Help Desk" -Members @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Update-RoleGroupMember.
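Because role group members and delegates are exactly what an attacker with a foothold would try to add, it is worth recording the approved state of the privileged role groups and checking it regularly. The script below is an added example, not part of the Microsoft documentation or of any Exchange tooling: it snapshots the members and ManagedBy delegates of a chosen set of role groups with the Get-RoleGroup and Get-RoleGroupMember cmdlets, writes a baseline on first run, and on later runs reports anything added or removed. The role group list and the baseline file path are assumptions you would adjust; an active Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the Microsoft documentation): detect membership and
# delegate drift in high-privilege role groups by comparing against a baseline.
# Assumes an active Exchange Online PowerShell session. The group names and the
# baseline path are assumptions for this example; adjust them for your tenant.

$RoleGroupsToWatch = "Organization Management", "Discovery Management", "Help Desk"
$BaselinePath      = ".\rolegroup-baseline.json"   # assumed location

function Get-RoleGroupSnapshot {
    param([string[]]$Names)
    $snapshot = @{}
    foreach ($name in $Names) {
        $group   = Get-RoleGroup -Identity $name
        $members = Get-RoleGroupMember -Identity $name | ForEach-Object { $_.Name }
        $snapshot[$name] = [ordered]@{
            # Sorted so that ordering differences never show up as drift.
            Members   = @($members | Sort-Object)
            ManagedBy = @($group.ManagedBy | ForEach-Object { $_.ToString() } | Sort-Object)
        }
    }
    return $snapshot
}

$current = Get-RoleGroupSnapshot -Names $RoleGroupsToWatch

if (-not (Test-Path $BaselinePath)) {
    # First run: record the approved state so that later runs have a reference.
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath. Review it, then re-run to detect drift."
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

foreach ($name in $RoleGroupsToWatch) {
    foreach ($property in "Members", "ManagedBy") {
        $was  = @($baseline.$name.$property)
        $now  = @($current[$name].$property)
        $diff = Compare-Object -ReferenceObject $was -DifferenceObject $now
        foreach ($d in $diff) {
            # "=>" means present now but not in the baseline; "<=" means removed since the baseline.
            $change = if ($d.SideIndicator -eq "=>") { "ADDED  " } else { "REMOVED" }
            Write-Output ("{0} {1,-9} {2}: {3}" -f $change, $property, $name, $d.InputObject)
        }
    }
}
```

An unexpected ADDED line for Organization Management or for a role group's ManagedBy list is the signal to investigate through the administrator audit log described elsewhere in this topic; once a change is confirmed as approved, delete the baseline file and re-run to re-baseline.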


How do you know this worked?
To verify that you've successfully modified a role group, do any of the following steps:
In the EAC, go to Permissions > Admin Roles, select the new role group you created, and verify the
settings in the Details pane or click Edit to verify the settings.
In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the
following command to verify the settings:

Get-RoleGroup -Identity "<Role Group Name>" | Format-List

In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the
following command to verify the settings:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Format-Table *WriteScope

Remove role groups

You can't remove built-in role groups, but you can remove custom role groups that you've created.
Notes:
When you remove a role group, the management role assignments between the role group and the
management roles are deleted. Any management roles that are assigned to the role group aren't deleted.
If a user depends on the role group for access to a feature, the user will no longer have access to the feature
after you delete the role group.
Use the EAC to remove a role group
1. In the EAC, go to Permissions > Admin Roles.
2. Select the role group you want to remove and then click Delete .
3. Click Yes in the confirmation window that appears.
Use Exchange Online PowerShell to remove a role group
To remove a custom role group, use the following syntax:

Remove-RoleGroup -Identity "<Role Group Name>" [-BypassSecurityGroupManagerCheck]

This example removes the Training Administrators role group.

Remove-RoleGroup -Identity "Training Administrators"

This example removes the Vancouver Recipient Administrators role group. Because the user running the
command isn't defined in the ManagedBy property of the role group, the BypassSecurityGroupManagerCheck
switch is required in the command. The user that's running the command is assigned the Role Management role,
which enables the user to bypass the security group manager check.

Remove-RoleGroup -Identity "Vancouver Recipient Administrators" -BypassSecurityGroupManagerCheck

For detailed syntax and parameter information, see Remove-RoleGroup.


How do you know this worked?
To verify that you've removed a role group, do either of the following steps:
In the EAC, go to Permissions > Admin Roles and verify that the role group is no longer listed.
In Exchange Online PowerShell, run the following command to verify the role group is no longer listed:

Get-RoleGroup

Role assignment policies in Exchange Online
5/31/2019 • 13 minutes to read

A role assignment policy is a collection of one or more end-user roles that enable users to manage their mailbox
settings and distribution groups in Exchange Online. End-user roles are part of the role based access control
(RBAC) permissions model in Exchange Online. You can assign different role assignment policies to different users
to allow or prevent specific self-management features in Exchange Online. For more information, see Role
assignment policies.
In Exchange Online, a default role assignment policy named Default Role Assignment Policy is specified by the
mailbox plan that's assigned to users when their account is licensed. For more information about mailbox plans,
see Mailbox plans in Exchange Online.
Role assignment policies are how end-user roles (as opposed to management roles) are assigned to users in
Exchange Online. There are several ways you can use role assignment policies to assign permissions to users:
New users:
Change the end-user roles that are assigned to the default role assignment policy.
Create a custom role assignment policy and set it as the default. Note that this method only affects
mailboxes that you create without specifying a role assignment policy or assigning a license (the
license specifies the mailbox plan, which specifies the role assignment policy).
Specify a custom role assignment policy in the mailbox plan. For more information, see Use
Exchange Online PowerShell to modify mailbox plans.
Existing users:
Assign a different license to the user. This will apply the settings of the different mailbox plan, which
specifies the role assignment policy to apply.
Manually assign a custom role assignment policy to mailboxes.
The available end-user roles that you can assign to mailbox plans are described in the following table:

| Role | Assigned to Default Role Assignment Policy by default? | Description |
| --- | --- | --- |
| My Custom Apps | Yes | Install custom apps. |
| My Marketplace Apps | Yes | Install marketplace apps. |
| My ReadWriteMailbox Apps | Yes | Install apps with ReadWriteMailbox permissions. |
| MyBaseOptions | Yes | Required for users to access options in Outlook on the web from their own mailbox. |
| MyContactInformation | Yes | Edit their address and telephone number in the global address list (GAL). This role contains the following child roles: • MyAddressInformation: Change all elements of their mailing address, work telephone number, and fax number. • MyMobileInformation: Change their mobile phone and pager numbers. • MyPersonalInformation: Change their home telephone number and web page. If you think this role gives users too much power, you can remove the role from the role assignment policy, and assign one or more of the child roles. For instructions, see the Add or remove roles from a role assignment policy section in this topic. |
| MyDistributionGroupMembership | Yes | Join or leave existing distribution groups (if the group is configured to let members join or leave the group). |
| MyDistributionGroups | Yes | Create new distribution groups, delete groups they own, modify groups they own, and manage group membership for groups they own. |
| MyMailboxDelegation | No | Allows users to grant send on behalf of permissions to other users on their mailbox. Messages clearly show the sender in the From field (<Sender> on behalf of <Mailbox>), but replies are delivered to the mailbox, not the sender. |
| MyMailSubscriptions | Yes | Connected accounts were removed from Outlook on the web in November, 2018. For more information, see Connected accounts is no longer supported in Outlook on the web. |
| MyProfileInformation | Yes | Edit their first name, middle initial, last name, and display name in the GAL. This role contains the following child roles: • MyDisplayName: Change their display name. • MyName: Change their first name, middle initial, last name and Notes property. If you think this role gives users too much power, you can remove the role from the role assignment policy, and assign one of the child roles. For instructions, see the Add or remove roles from a role assignment policy section in this topic. |
| MyRetentionPolicies | Yes | Allows users to add personal tags that aren't part of their assigned retention policy.* |
| MyTeamMailboxes | Yes | Site mailboxes were discontinued in favor of Office 365 groups in September, 2017. For more information, see Use Office 365 Groups instead of Site Mailboxes. |
| MyTextMessaging | Yes | Enable text message notifications for meetings and new email messages.* |
| MyVoiceMail | Yes | Update their voice mail settings.* |

* This feature isn't available in all regions or organizations.

What do you need to know before you begin?

Estimated time to complete each procedure: less than 5 minutes.
The procedures in this topic require the Role Management RBAC role in Exchange Online. Typically, you
get this permission via membership in the Organization Management role group (the Office 365 Global
administrator role). For more information, see Manage role groups in Exchange Online.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
Changes to permissions take effect after the user logs out and logs in again.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

View roles assigned to a role assignment policy


Use the EAC to view roles assigned to a role assignment policy
1. In the EAC, go to Permissions > User roles, and select the role assignment policy.
2. The roles that are assigned to the policy are displayed in the details pane. You can also click Edit to see
the roles, including the available roles that aren't assigned to the policy.
Use Exchange Online PowerShell to view roles assigned to a role assignment policy
To view the roles assigned to a role assignment policy, use the following syntax:

Get-ManagementRoleAssignment -RoleAssignee "<RoleAssignmentPolicyName>" | Format-Table Name,Role -Auto

This example returns the roles that are assigned to the policy named Default Role Assignment Policy.

Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | Format-Table Name,Role -Auto

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.


Note: To return a list of all available end-user roles, run the following command:

Get-ManagementRole | Where {$_.IsEndUserRole -eq $true} | Format-Table Name,Parent

Add or remove roles from a role assignment policy


Use the EAC to add or remove roles from a role assignment policy
1. In the EAC, go to Permissions > User roles, select the role assignment policy, and then click Edit .
2. In the policy properties window that opens, do one of the following steps:
To add a role, select the check box next to the role.
To remove a role that's already assigned, clear the check box.
If you select a check box for a role that has child roles, the check boxes for the child roles are also selected. If
you clear the check box of the parent role, the check boxes for the child roles are also cleared. You can select
a child role by clearing the check box of the parent role and then selecting the individual child role.
3. When you're finished, click Save.
Use Exchange Online PowerShell to add roles to a role assignment policy
Adding a role to a role assignment policy creates a new role assignment with a unique name that's a combination
of the names of the role and the role assignment policy.
To add roles to a role assignment policy, use the following syntax:

New-ManagementRoleAssignment -Role <RoleName> -Policy "<RoleAssignmentPolicyName>"

This example adds the role MyMailboxDelegation to the role assignment policy named Default Role Assignment
Policy.

New-ManagementRoleAssignment -Role MyMailboxDelegation -Policy "Default Role Assignment Policy"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.


Use Exchange Online PowerShell to remove roles from a role assignment policy
1. Use the procedure from the Use Exchange Online PowerShell to view roles assigned to a role assignment
policy section earlier in this topic to find the name of the role assignment for the role that you want to
remove (it's a combination of the names of the role and the role assignment policy).
2. To remove the role from the role assignment policy, use this syntax:

Remove-ManagementRoleAssignment -Identity "<RoleAssignmentName>"

This example removes the MyDistributionGroups role from the role assignment policy named Default Role
Assignment Policy.

Remove-ManagementRoleAssignment -Identity "MyDistributionGroups-Default Role Assignment Policy"

For detailed syntax and parameter information, see Remove-ManagementRoleAssignment.


How do you know this worked?
To verify that you've successfully added or removed roles from a role assignment policy, use either of the
following steps:
In the EAC, go to Permissions > User roles, select the role assignment policy, and verify the roles in the
details pane or by clicking Edit .
In Exchange Online PowerShell, replace <RoleAssignmentPolicyName> with the name of the role
assignment policy, and run the following command:

Get-ManagementRoleAssignment -RoleAssignee "<RoleAssignmentPolicyName>" | Format-Table Name,Role -Auto
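Adding or removing a role changes what every mailbox on that policy can do, so before touching a policy it helps to know which policies grant a given role and how many mailboxes each one reaches. The script below is an added example, not part of the Microsoft documentation: it reads AssignedRoles from Get-RoleAssignmentPolicy (the property shown in the verification step in this topic), counts mailboxes per policy with a single Get-Mailbox pass, and prints one row per policy and role. The set of roles treated as worth reviewing is an assumption for this example; an active Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the Microsoft documentation): report which role
# assignment policies grant selected end-user roles and how many mailboxes
# each of those policies covers. Assumes an active Exchange Online PowerShell
# session. The roles listed below are documented in this topic; treating them
# as review-worthy is an assumption made for this example.

$RolesToReview = "MyMailboxDelegation", "MyDistributionGroups", "MyRetentionPolicies"

# One directory pass: count mailboxes per policy rather than querying per policy.
# The string form of RoleAssignmentPolicy is the policy name, which is what the
# filters in this topic compare against.
$mailboxCounts = @{}
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    if ($_.RoleAssignmentPolicy) {
        $mailboxCounts[[string]$_.RoleAssignmentPolicy] += 1
    }
}

$report = foreach ($policy in Get-RoleAssignmentPolicy) {
    $granted = @($policy.AssignedRoles | ForEach-Object { [string]$_ })
    foreach ($role in $RolesToReview) {
        # Match the plain role name, or a path that ends in it, in case the
        # role is rendered with its parent path.
        $hasRole = $granted | Where-Object { $_ -eq $role -or $_ -like "*/$role" }
        if ($hasRole) {
            [pscustomobject]@{
                Policy    = $policy.Name
                IsDefault = $policy.IsDefault
                Role      = $role
                Mailboxes = [int]$mailboxCounts[$policy.Name]
            }
        }
    }
}

$report | Sort-Object Mailboxes -Descending | Format-Table -AutoSize
```

A row showing MyMailboxDelegation on the default policy with a large mailbox count is the kind of finding this is meant to surface: the role is off by default, and granting it broadly lets every user hand out send on behalf of rights to their own mailbox.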

Create role assignment policies


Use the EAC to create role assignment policies
1. In the EAC, go to Permissions > User roles and click New .
2. In the new role assignment policy window that opens, configure the following settings:
Name: Enter a descriptive name.
Description: Enter an optional description.
Select the roles that you want to assign to the policy.
3. When you're finished, click Save.
Use Exchange Online PowerShell to create role assignment policies
To create a role assignment policy, use the following syntax:

New-RoleAssignmentPolicy -Name <UniqueName> [-Description "<Descriptive Text>"] [-Roles "<EndUserRole1>","<EndUserRole2>"...] [-IsDefault]

This example creates a new role assignment policy named Contoso Contractors that includes the specified end-
user roles.

New-RoleAssignmentPolicy -Name "Contoso Contractors" -Description "Limited self-management capabilities for contingent staff." -Roles "MyBaseOptions","MyContactInformation","MyProfileInformation"

For detailed syntax and parameter information, see New-RoleAssignmentPolicy.
How do you know this worked?
To verify that you've successfully created a role assignment policy, use either of the following steps:
In the EAC, go to Permissions > User roles, select the role assignment policy, and verify the property
values in the details pane or by clicking Edit .
In Exchange Online PowerShell, replace <RoleAssignmentPolicyName> with the name of the role
assignment policy, and run the following command to verify the property values:

Get-RoleAssignmentPolicy -Identity "<RoleAssignmentPolicyName>" | Format-List Description,AssignedRoles,IsDefault

Modify role assignment policies


You can use the EAC or Exchange Online PowerShell to add or remove roles from a role assignment policy.
You can only use Exchange Online PowerShell to specify the default role assignment policy that's applied to new
mailboxes that aren't assigned a license or a role assignment policy when they're created.
Otherwise, all you can do in the EAC or Exchange Online PowerShell is modify the name and description of the
role assignment policy.
Use Exchange Online PowerShell to specify the default role assignment policy
To specify the default role assignment policy, use the following syntax:

Set-RoleAssignmentPolicy -Identity "<RoleAssignmentPolicyName>" -IsDefault

This example configures Contoso Users as the default role assignment policy.

Set-RoleAssignmentPolicy -Identity "Contoso Users" -IsDefault

Note: The IsDefault switch is also available on the New-RoleAssignmentPolicy cmdlet.


For detailed syntax and parameter information, see Set-RoleAssignmentPolicy.
How do you know this worked?
To verify that you've successfully modified a role assignment policy, use either of the following steps:
In the EAC, go to Permissions > User roles, select the role assignment policy, and verify the property
values in the details pane or by clicking Edit .
In Exchange Online PowerShell, replace <RoleAssignmentPolicyName> with the name of the role
assignment policy, and run the following command to verify the property values:

Get-RoleAssignmentPolicy -Identity "<RoleAssignmentPolicyName>" | Format-List Description,AssignedRoles,IsDefault

Remove role assignment policies


You can't remove the role assignment policy that's currently specified as the default. You first need to specify
another role assignment policy as the default before you can delete the policy.
You can't remove a role assignment policy that's assigned to mailboxes. Use the procedures described in the Use
Exchange Online PowerShell to modify role assignment policy assignments on mailboxes section to replace the
role assignment policy that's assigned to mailboxes.
Use the EAC to remove role assignment policies
1. In the EAC, go to Permissions > User roles, select the policy that you want to delete, and then click Delete.
2. In the warning dialog box that appears, click Yes.
Use Exchange Online PowerShell to remove role assignment policies
To remove a role assignment policy, use the following syntax:

Remove-RoleAssignmentPolicy -Identity "<RoleAssignmentPolicyName>"

This example removes the role assignment policy named Contoso Managers.

Remove-RoleAssignmentPolicy -Identity "Contoso Managers"

For detailed syntax and parameter information, see Remove-RoleAssignmentPolicy.


How do you know this worked?
To verify that you've successfully removed a role assignment policy, use either of the following steps:
In the EAC, go to Permissions > User roles and verify the role assignment policy isn't listed.
In Exchange Online PowerShell, run the following command to verify the role assignment policy isn't listed:

Get-RoleAssignmentPolicy | Format-Table Name

View role assignment policy assignments on mailboxes


Use the EAC to view role assignment policy assignments on mailboxes
1. In the EAC, go to Recipients > Mailboxes, select the mailbox, and click Edit .
2. In the mailbox properties window that opens, click Mailbox features. The role assignment policy is shown
in the Role assignment policy field.
3. When you're finished, click Save.
Use Exchange Online PowerShell to view role assignment policy assignments on mailboxes
To see the role assignment policy assignment on a specific mailbox, use the following syntax:

Get-Mailbox -Identity <MailboxIdentity> | Format-List RoleAssignmentPolicy

This example returns the role assignment policy for the mailbox named Pedro Pizarro.

Get-Mailbox -Identity "Pedro Pizarro" | Format-List RoleAssignmentPolicy

To return all mailboxes that have a specific role assignment policy assigned, use the following syntax:
$<VariableName> = Get-Mailbox -ResultSize unlimited

$<VariableName> | where {$_.RoleAssignmentPolicy -eq '<RoleAssignmentPolicyName>'}

This example returns all mailboxes that have the role assignment policy named Contoso Managers assigned.

$Mgrs = Get-Mailbox -ResultSize unlimited

$Mgrs | where {$_.RoleAssignmentPolicy -eq 'Contoso Managers'}

Modify role assignment policy assignments on mailboxes


A mailbox can have only one role assignment policy assigned. The role assignment policy that you assign to the
mailbox will replace the existing role assignment policy that's assigned.
Use the EAC to modify role assignment policy assignments on mailboxes
In the EAC, go to Recipients > Mailboxes, and do one of the following steps:
Individual mailboxes: Select the mailbox > click Edit > click Mailbox features in the window that
opens > click the dropdown next to Role assignment policy > select a new role assignment policy > click
Save.
Multiple mailboxes: Select multiple mailboxes of the same type (for example, User) by selecting a
mailbox, holding down the Shift key, and select another mailbox farther down in the list or by holding down
the CTRL key as you select each mailbox. In the details pane (that's now titled Bulk Edit): click More
options > click Update under Role Assignment Policy > select the role assignment policy in the window
that appears > click Save.
Use Exchange Online PowerShell to modify role assignment policy assignments on mailboxes
To change the role assignment policy assignment on a specific mailbox, use this syntax:

Set-Mailbox -Identity <MailboxIdentity> -RoleAssignmentPolicy "<RoleAssignmentPolicyName>"

This example applies the role assignment policy named Contoso Managers to the mailbox named Pedro Pizarro.

Set-Mailbox -Identity "Pedro Pizarro" -RoleAssignmentPolicy "Contoso Managers"

To change the assignment for all mailboxes that have a specific role assignment policy assigned, use the following
syntax:

$<VariableName> = Get-Mailbox -ResultSize unlimited

$<VariableName> | where {$_.RoleAssignmentPolicy -eq '<CurrentRoleAssignmentPolicyName>'} | Set-Mailbox -RoleAssignmentPolicy '<NewRoleAssignmentPolicyName>'

This example changes the role assignment policy from Default Role Assignment Policy to Contoso Staff for all
mailboxes that currently have Default Role Assignment Policy assigned.
$Users = Get-Mailbox -ResultSize unlimited

$Users | where {$_.RoleAssignmentPolicy -eq 'Default Role Assignment Policy'} | Set-Mailbox -RoleAssignmentPolicy 'Contoso Staff'
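The bulk change above rewrites the permissions of every matching mailbox in one pipeline, so a practitioner would want to preview the scope first and confirm the result afterwards. The script below is an added example, not part of the Microsoft documentation: it uses the same Get-Mailbox filter and Set-Mailbox call as the example in this topic, but runs Set-Mailbox with -WhatIf until a commit flag is set, checks that the target policy exists before starting, and recounts mailboxes on the old policy when done. The policy names are placeholders and an active Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the Microsoft documentation): move all mailboxes from
# one role assignment policy to another with a preview step and a post-check.
# Assumes an active Exchange Online PowerShell session; policy names are
# placeholders chosen for this example.

$FromPolicy = "Default Role Assignment Policy"
$ToPolicy   = "Contoso Staff"
$Commit     = $false   # set to $true only after reviewing the -WhatIf output

# Fail early if the target policy doesn't exist, rather than once per mailbox.
$null = Get-RoleAssignmentPolicy -Identity $ToPolicy -ErrorAction Stop

function Get-MailboxesOnPolicy {
    param([string]$PolicyName)
    # Same comparison the documented example uses: the policy's string form is its name.
    Get-Mailbox -ResultSize Unlimited | Where-Object { $_.RoleAssignmentPolicy -eq $PolicyName }
}

$targets = @(Get-MailboxesOnPolicy -PolicyName $FromPolicy)
Write-Output ("{0} mailbox(es) currently use '{1}'." -f $targets.Count, $FromPolicy)

foreach ($mbx in $targets) {
    # With $Commit = $false this only prints "What if: ..." lines and changes nothing.
    Set-Mailbox -Identity $mbx.Identity -RoleAssignmentPolicy $ToPolicy -WhatIf:(-not $Commit)
}

if ($Commit) {
    # Anything still on the old policy after the run is a failed change to investigate.
    $leftover = @(Get-MailboxesOnPolicy -PolicyName $FromPolicy)
    Write-Output ("{0} mailbox(es) still on '{1}' after the change." -f $leftover.Count, $FromPolicy)
}
```

Running once with the default $Commit = $false gives a per-mailbox list of what would change; only the second run, after that list has been reviewed, writes anything.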

How do you know this worked?


To verify that you've successfully modified the role assignment policy assignment on a mailbox, use any of the
following steps:
In the EAC, go to Recipients > Mailboxes > select the mailbox > click Edit > click Mailbox features
in the window that opens and verify the value in the Role assignment policy field.
In Exchange Online PowerShell, replace <MailboxIdentity> with the name, alias, email address, or account
name of the mailbox, and run the following command to verify the RoleAssignmentPolicy property value:

Get-Mailbox -Identity <MailboxIdentity> | Format-List RoleAssignmentPolicy

In Exchange Online PowerShell, replace <RoleAssignmentPolicyName> with the name of the role
assignment policy, and run the following commands to verify the mailboxes that have the policy assigned:

$X = Get-Mailbox -ResultSize unlimited

$X | where {$_.RoleAssignmentPolicy -eq '<RoleAssignmentPolicyName>'}


Security and compliance for Exchange Online
6/24/2019 • 4 minutes to read

Email has become a reliable and ubiquitous communication medium for information workers in organizations of
all sizes. Messaging stores and mailboxes have become repositories of valuable data. It's important for
organizations to formulate messaging policies that dictate the fair use of their messaging systems, provide user
guidelines for how to act on the policies, and where required, provide details about the types of communication
that may not be allowed.
Organizations must also create policies to manage email lifecycle, retain messages for the length of time based on
business, legal, and regulatory requirements, preserve email records for litigation and investigation purposes, and
be prepared to search and provide the required email records to fulfill eDiscovery requests.
Sensitive information such as intellectual property, trade secrets, business plans, and personally identifiable
information (PII) collected or handled by your organization must also be protected against leakage.

Security and compliance in Exchange Online


The following table provides an overview of the security and compliance features in Exchange Online and includes
links to topics that will help you learn about and manage these features.

| Feature | Description |
| --- | --- |
| Archive mailboxes in Exchange Online | Archive mailboxes (called In-Place Archiving) let people in your Office 365 organization take control of messaging data by providing additional email storage. People can use Outlook or Outlook on the web (formerly known as Outlook Web App) to view messages in their archive mailbox and move or copy messages between their primary and archive mailboxes. |
| In-Place Hold and Litigation Hold | In-Place Hold and Litigation Hold allow you to preserve or archive mailbox content for compliance and eDiscovery. |
| In-Place eDiscovery | In-Place eDiscovery allows authorized compliance officers in your organization to search mailbox data across your Exchange organization, preview search results, copy them to a Discovery mailbox or export them to a .pst file. |
| Inactive mailboxes in Exchange Online | You can preserve the contents of deleted mailboxes indefinitely by using inactive mailboxes. You can make an inactive mailbox by placing an In-Place Hold or a Litigation Hold on the mailbox, and then deleting the corresponding Office 365 user account. In addition to preserving mailbox contents, administrators or compliance officers can use In-Place eDiscovery in Exchange Online or Content Search in the Office 365 Security & Compliance Center to search the contents of an inactive mailbox. |
| Data loss prevention (DLP) | Data loss prevention (DLP) helps you identify and monitor sensitive information, such as private identification numbers, credit card numbers, or standard forms used in your organization. You can set up DLP policies to notify users that they are sending sensitive information or block the transmission of sensitive information. |
| Exchange auditing reports | You can use the auditing functionality in Exchange Online to track changes made to your Exchange Online configuration by Microsoft and by your organization's administrators, and to audit mailbox access by persons other than the mailbox owner. In Exchange Online, audited actions are recorded and available to view in an online report or export to a file. |
| Messaging records management (MRM) | Messaging records management (MRM) helps your organization manage email lifecycle to meet business and regulatory requirements and reduce the legal risks associated with email. In Exchange Online, you can use In-Place Hold or Litigation Hold to preserve email and Retention tags and retention policies to archive and delete email. |
| Information Rights Management in Exchange Online | Information Rights Management (IRM) helps you and your users control who can access, forward, print, or copy sensitive data within an email. IRM can use your on-premises Active Directory Rights Management Services (AD RMS) server. |
| Office 365 Message Encryption | Office 365 Message Encryption allows you to send encrypted messages to people inside or outside your organization, regardless of the destination email service, whether it's Outlook.com, Yahoo, Gmail, or another service. Designated recipients can send encrypted replies. Office 365 Message Encryption combines email encryption and rights management capabilities. Rights management capabilities are powered by Azure Information Protection. |
| S/MIME for Message Signing and Encryption | Secure/Multipurpose Internet Mail Extensions (S/MIME) allows email users to help protect sensitive information by sending signed and encrypted email within their organization. As an administrator, you can enable S/MIME-based security for your organization if you have mailboxes in either Exchange Server or Exchange Online. |
| Journaling in Exchange Online | Journaling can help you meet legal, regulatory, and organizational compliance requirements by recording inbound and outbound email communications. In Exchange Online, you can create journal rules to deliver journal reports to your on-premises mailbox or archiving system, or to an external archiving service. |
| Mail flow rules (transport rules) in Exchange Online | You can use mail flow rules (also known as transport rules) to inspect messages sent or received by your users and take actions such as blocking or bouncing a message, holding it for review by a manager or an administrator or delivering a copy to another recipient if the message matches specified conditions. |

Modify archive policies
6/25/2019 • 4 minutes to read

In Exchange Online, you can use archive policies to automatically move mailbox items to personal (on-premises) or
cloud-based archives. Archive policies are retention tags that use the Move to Archive retention action.
Exchange Setup creates a retention policy called Default MRM Policy. This policy has a default policy tag (DPT)
assigned that moves items to the archive mailbox after two years. The policy also includes a number of personal
tags that users can apply to folders or mailbox items to automatically move or delete messages. If a mailbox
doesn't have a retention policy assigned when it's archive-enabled, the Default MRM Policy is automatically
applied to it by Exchange. You can also create your own archive and retention policies and apply them to mailbox
users. To learn more, see Retention tags and retention policies.
You can modify retention tags included in the default policy to meet your business requirements. For example, you
can modify the archive DPT to move items to the archive after three years instead of two. You can also create
additional personal tags and either add them to a retention policy, including the Default MRM Policy, or allow
users to add personal tags to their mailboxes from Outlook on the web (formerly known as Outlook Web App)
Options.
For additional management tasks related to archives, see Enable or disable an archive mailbox in Exchange Online.

NOTE
In an Exchange hybrid deployment, you can enable a cloud-based archive mailbox for an on-premises primary mailbox. If you
assign an archive policy to an on-premises mailbox, items are moved to the cloud-based archive. If an item is moved to the
archive mailbox, a copy of it isn't retained in the on-premises mailbox. If the on-premises mailbox is placed on hold, an archive
policy will still move items to the cloud-based archive mailbox where they are preserved for the duration specified by the
hold.

What do you need to know before you begin?


Estimated time to completion: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Messaging records management" entry in the Messaging policy and
compliance permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to modify the default archive policy


1. Navigate to Compliance management > Retention tags.
2. In the list view, select the tag Default 2 year move to archive and then click Edit.
TIP
You can click the TYPE column to sort retention tags by type. The default archive policy is displayed as type Default
and has the Archive retention action. Alternatively, click NAME to sort retention tags by name.

3. In Retention Tag, view or modify the following settings, and then click Save:
Name: Use this box at the top of the page to view or change the tag name.
Retention tag type: This read-only field displays the tag type.
Retention action: Don't modify this field for archive policies.
Retention period: Select one of the following options:
Never: Click this button to disable the tag. If the DPT is disabled, the tag is no longer applied to the
mailbox.

IMPORTANT
• Items that have a disabled retention tag applied aren't processed by the Mailbox Assistant. If you want to
prevent a tag from being applied to items, we recommend disabling the tag rather than deleting it. When you
delete a tag, the tag configuration is deleted from Active Directory, and the Mailbox Assistant processes all
messages to remove the deleted tag.

• If a user applies a tag to an item believing the item will never be moved, enabling the tag later may move
items the user wanted to retain in the primary mailbox.

When the item reaches the following age (in days): Click this button to specify that items be
moved to archive after a certain period. By default, this setting is configured to move items to the
archive after two years (730 days). To modify this setting, in the corresponding text box, type the
number of days in the retention period. The range of values is from 1 through 24,855 days.
Comment: Use this box to type a comment that will be displayed to Outlook and Outlook on the web
users.

Use Exchange Online PowerShell to modify archive policies


This example modifies the Default 2 year move to archive tag to move items after 1,095 days (3 years).

Set-RetentionPolicyTag "Default 2 year move to archive" -Name "Default 3 year move to archive" -AgeLimitForRetention 1095

This example disables the Default 2 year move to archive tag.

Set-RetentionPolicyTag "Default 2 year move to archive" -RetentionEnabled $false

This example retrieves all archive DPTs and personal tags and disables them.

Get-RetentionPolicyTag | ? {$_.RetentionAction -eq "MoveToArchive"} | Set-RetentionPolicyTag -RetentionEnabled $false

For detailed syntax and parameter information, see Set-RetentionPolicyTag and Get-RetentionPolicyTag.
How do you know this worked?
Use the Get-RetentionPolicyTag cmdlet to retrieve settings of the retention tag.
This command retrieves properties of the Default 2 year move to archive retention tag and pipes the output to the
Format-List cmdlet to display all properties in a list format.

Get-RetentionPolicyTag "Default 2 year move to archive" | Format-List
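The procedure above edits the built-in archive DPT. The following script, added here as an example and not part of the original page, shows the other task the introduction describes: creating a personal archive tag, linking it to the Default MRM Policy, and checking that a mailbox is actually governed by that policy before triggering the Managed Folder Assistant. The tag name, the 365-day age limit and the mailbox joe@contoso.com are assumptions.

```powershell
# Added example (not from the page): create a personal archive tag, link it to the
# Default MRM Policy, and verify the result. The tag name, age limit and the
# mailbox joe@contoso.com are assumptions for illustration.

$tagName = "Personal 1 year move to archive"

# Create the personal tag only if it doesn't already exist (New-RetentionPolicyTag
# fails on a duplicate name).
if (-not (Get-RetentionPolicyTag -Identity $tagName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicyTag -Name $tagName `
        -Type Personal `
        -RetentionAction MoveToArchive `
        -AgeLimitForRetention 365 `
        -Comment "Moves the item to the archive mailbox one year after it was received."
}

# Link the tag to the Default MRM Policy; @{Add=...} keeps the existing links intact,
# whereas passing a plain list would replace them.
Set-RetentionPolicy -Identity "Default MRM Policy" -RetentionPolicyTagLinks @{Add = $tagName}

# Verify: the policy now lists the tag, and the tag is enabled with the expected age limit.
Get-RetentionPolicy -Identity "Default MRM Policy" |
    Select-Object -ExpandProperty RetentionPolicyTagLinks

Get-RetentionPolicyTag -Identity $tagName |
    Format-List Name, Type, RetentionAction, AgeLimitForRetention, RetentionEnabled

# A tag linked to a policy only reaches mailboxes that use that policy. Confirm the
# mailbox uses the Default MRM Policy (an archive-enabled mailbox with no policy gets
# it automatically), then run the Managed Folder Assistant so the tag appears in
# Outlook without waiting for the next scheduled pass.
$mbx = Get-Mailbox -Identity "joe@contoso.com"
if ("$($mbx.RetentionPolicy)" -eq "Default MRM Policy") {
    Start-ManagedFolderAssistant -Identity $mbx.Identity
} else {
    Write-Warning "$($mbx.PrimarySmtpAddress) uses policy '$($mbx.RetentionPolicy)'; the new tag isn't linked to it."
}
```

Because the tag is a personal tag, users see it in Outlook and Outlook on the web and can apply it themselves; disabling it later (RetentionEnabled $false) stops the Mailbox Assistant from acting on items that already carry it, as the IMPORTANT note above describes.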


In-Place Hold and Litigation Hold
6/24/2019 • 15 minutes to read

NOTE
We've postponed the July 1, 2017 deadline for creating new In-Place Holds in Exchange Online (in Office 365 and Exchange
Online standalone plans). But later this year or early next year, you won't be able to create new In-Place Holds in Exchange
Online. As an alternative to using In-Place Holds, you can use eDiscovery cases or Office 365 retention policies in the Office
365 Security & Compliance Center. After we decommission new In-Place Holds, you'll still be able to modify existing In-
Place Holds, and creating new In-Place Holds in an Exchange hybrid deployment will still be supported. And, you'll still be
able to place mailboxes on Litigation Hold.

When a reasonable expectation of litigation exists, organizations are required to preserve electronically stored
information (ESI), including email that's relevant to the case. This expectation often exists before the specifics of
the case are known, and preservation is often broad. Organizations may need to preserve all email related to a
specific topic or all email for certain individuals. Depending on the organization's electronic discovery
(eDiscovery) practices, the following measures can be adopted to preserve email:
End users may be asked to preserve email by not deleting any messages. However, users can still delete
email knowingly or inadvertently.
Automated deletion mechanisms such as messaging records management (MRM) may be suspended.
This could result in large volumes of email cluttering the user mailbox, and thus impacting user
productivity. Suspending automated deletion also doesn't prevent users from manually deleting email.
Some organizations copy or move email to an archive to make sure it isn't deleted, altered, or tampered
with. This increases costs due to the manual efforts required to copy or move messages to an archive, or
third-party products used to collect and store email outside Exchange.
Failure to preserve email can expose an organization to legal and financial risks such as scrutiny of the
organization's records retention and discovery processes, adverse legal judgments, sanctions, or fines.
You can use In-Place Hold or Litigation Hold to accomplish the following goals:
Place user mailboxes on hold and preserve mailbox items immutably.
Preserve mailbox items deleted by users or automatic deletion processes such as MRM.
Use query-based In-Place Hold to search for and retain items matching specified criteria.
Preserve items indefinitely or for a specific duration.
Place a user on multiple holds for different cases or investigations.
Keep holds transparent from the user by not having to suspend MRM.
Enable In-Place eDiscovery searches of items placed on hold.

In-Place Hold scenarios


In previous versions of Exchange, legal hold meant holding all mailbox data for a user indefinitely or until
the hold was removed. In Exchange Online, In-Place Hold adds a model that lets you specify the
following parameters:
What to hold: You can specify which items to hold by using query parameters such as keywords, senders
and recipients, start and end dates, and also specify the message types such as email messages or
calendar items that you want to place on hold.
How long to hold: You can specify a duration for items on hold.
Using this new model, In-Place Hold allows you to create granular hold policies to preserve mailbox items in the
following scenarios:
Indefinite hold: The indefinite hold scenario is similar to Litigation Hold. It's intended to preserve
mailbox items so you can meet eDiscovery requirements. During the period of litigation or investigation,
items are never deleted. The duration isn't known in advance, so no end date is configured. To hold all mail
items indefinitely, you don't specify any query parameters or time duration when creating an In-Place
Hold.
Query-based hold: If your organization preserves items based on specified query parameters, you can
use a query-based In-Place Hold. You can specify query parameters such as keywords, start and end dates,
sender and recipient addresses, and message types. After you create a query-based In-Place Hold, all
existing and future mailbox items (including messages received at a later date) that match the query
parameters are preserved.

IMPORTANT
Items that are marked as unsearchable, generally because of failure to index an attachment, are also preserved
because it can't be determined whether they match query parameters. For more details about partially indexed
items, see Partially indexed items in Content Search in Office 365.

Time-based hold: Both In-Place Hold and Litigation Hold allow you to specify a duration of time for
which to hold items. The duration is calculated from the date a mailbox item is received or created.
If your organization requires that all mailbox items be preserved for a specific period, for example 7 years,
you can create a time-based hold so that items on hold are retained for a specific period of time. For
example, consider a mailbox that's placed on a time-based In-Place Hold and has a retention period set to
365 days. If an item in that mailbox is deleted after 300 days from the date it was received, it's held for an
additional 65 days before being permanently deleted. You can use a time-based In-Place Hold in
conjunction with a retention policy to make sure items are preserved for the specified duration and
permanently removed after that period.
You can use In-Place Hold to place a user on multiple holds. When a user is placed on multiple holds, the search
queries from any query-based hold are combined (with OR operators). In this case, the maximum number of
keywords in all query-based holds placed on a mailbox is 500. If there are more than 500 keywords, then all
content in the mailbox is placed on hold (not just that content that matches the search criteria). All content is held
until the total number of keywords is reduced to 500 or less.

In-Place Hold and Litigation Hold


Litigation Hold uses the LitigationHoldEnabled property of a mailbox to place mailbox content on hold.
Whereas In-Place Hold provides granular hold capability based on query parameters and the ability to place
multiple holds, Litigation Hold only allows you to place all items on hold. You can also specify a duration period
to hold items when a mailbox is placed on Litigation Hold. The duration is calculated from the date a mailbox
item is received or created. If a duration isn't set, items are held indefinitely or until the hold is removed.
When a mailbox is placed on one or more In-Place Holds and on Litigation Hold (without a duration period) at
the same time, all items are held indefinitely or until the holds are removed. If you remove Litigation Hold and
the user is still placed on one or more In-Place Holds, items matching the In-Place Hold criteria are held for the
period specified in the hold settings.

NOTE
When you place a mailbox on In-Place Hold or Litigation Hold, the hold is placed on both the primary and the archive
mailbox. If you place an on-premises primary mailbox on hold in an Exchange hybrid deployment, the cloud-based archive
mailbox (if enabled) is also placed on hold.

For more information, see:


Place a mailbox on Litigation Hold
Place all mailboxes on hold

Placing a mailbox on In-Place Hold


Authorized users that have been added to the Discovery Management role-based access control (RBAC) role
group or assigned the Legal Hold and Mailbox Search management roles can place mailbox users on In-Place
Hold. You can delegate the task to records managers, compliance officers, or attorneys in your organization's
legal department, while assigning the least privileges. To learn more about assigning the Discovery Management
role group, see Assign eDiscovery permissions in Exchange.
You can use the In-Place eDiscovery & Hold wizard in the Exchange admin center (EAC) or the New-MailboxSearch
and related cmdlets in Exchange Online PowerShell to place a mailbox on In-Place Hold. To
learn more about placing a mailbox on In-Place Hold, see Create or remove an In-Place Hold.
Many organizations require that users be informed when they're placed on hold. Additionally, when a mailbox is
on hold, any retention policies applicable to the mailbox user don't need to be suspended. Because messages
continue to be deleted as expected, users may not notice they're on hold. If your organization requires that users
on hold be informed, you can add a notification message to the mailbox user's Retention Comment property
and use the RetentionUrl property to link to a web page for more information. Outlook 2010 and later displays
the notification and URL in the backstage area. You must use Exchange Online PowerShell to add and manage
these properties for a mailbox.
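The following script, added here as an example and not part of the original page, sets the two notification properties the paragraph above names and then shows how to read back the hold state of the mailbox, including mapping each In-Place Hold GUID on the mailbox to the mailbox search that created it. The mailbox, the comment text and the URL are assumptions.

```powershell
# Added example (not from the page): add a hold notification to a mailbox and
# confirm which holds apply to it. The mailbox, comment text and URL are assumptions.

$user = "joe@contoso.com"

Set-Mailbox -Identity $user `
    -RetentionComment "Your mailbox is on hold for a legal matter. Items you delete are preserved. Contact Legal with questions." `
    -RetentionUrl "https://intranet.contoso.com/legal/hold-faq"

# Read back the notification and the hold state in one view:
#   InPlaceHolds          - identifiers of the In-Place Holds the mailbox is part of
#   LitigationHoldEnabled - the Litigation Hold flag, with its optional duration
#   RetentionHoldEnabled  - MRM suspension; as the text says, this does NOT need to be
#                           set for a hold, and leaving it off keeps the hold transparent
Get-Mailbox -Identity $user |
    Format-List PrimarySmtpAddress, RetentionComment, RetentionUrl,
                LitigationHoldEnabled, LitigationHoldDuration, InPlaceHolds, RetentionHoldEnabled

# Map each InPlaceHolds entry back to the mailbox search that created it, so the
# comment can reference the right case. Get-MailboxSearch exposes the hold's
# identifier as InPlaceHoldIdentity. Entries with no matching search were created
# outside Exchange (for example by Security & Compliance Center policies).
$mbx      = Get-Mailbox -Identity $user
$searches = Get-MailboxSearch
foreach ($holdId in $mbx.InPlaceHolds) {
    $match = $searches | Where-Object { $_.InPlaceHoldIdentity -eq $holdId }
    if ($match) {
        $match | Select-Object Name, InPlaceHoldEnabled, ItemHoldPeriod, SearchQuery, CreatedBy
    } else {
        "$holdId : no matching mailbox search in this organization"
    }
}
```

Outlook 2010 and later renders RetentionComment and RetentionUrl in the backstage area of the mailbox, so the text should be written for the end user rather than for the administrator.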

Placing public folders on hold


In Exchange Online, you can place public folders on hold by using an In-Place Hold. Using Litigation Hold for
public folders isn't supported. When you create an In-Place Hold, the only option is to place a hold on all public
folders in your organization. The result is that an In-Place Hold is placed on all public folder mailboxes.
Additionally, when you place public folders on In-Place Hold, email messages related to the public folder
hierarchy synchronization process are also preserved. This might result in thousands of hierarchy
synchronization related email items being preserved. These messages can fill up the storage quota for the
Recoverable Items folder on public folder mailboxes. To prevent this, you can create a query-based In-Place Hold
and add the following property:value pair to the search query:

NOT(subject:HierarchySync*)

The result is that any message (related to the synchronization of the public folder hierarchy) that contains the
phrase "HierarchySync" in the subject line is not placed on hold.

Holds and the Recoverable Items folder


In-Place Hold and Litigation Hold use the Recoverable Items folder to preserve items. The Recoverable Items
folder replaces the feature informally known as the dumpster in previous versions of Exchange. The Recoverable
Items folder is hidden from the default view of Outlook, Outlook on the web (formerly known as Outlook Web
App), and other email clients. To learn more about the Recoverable Items folder, see Recoverable Items folder.
By default, when a user deletes a message from a folder other than the Deleted Items folder, the message is
moved to the Deleted Items folder. This is known as a move. When a user soft deletes an item (accomplished by
pressing the SHIFT and DELETE keys) or deletes an item from the Deleted Items folder, the message is moved to
the Recoverable Items folder, thereby disappearing from the user's view.
Items in the Recoverable Items folder are retained for the deleted item retention period configured for the user's
mailbox. By default, the deleted item retention period is 14 days for Exchange Online mailboxes. You can also
configure a storage quota for the Recoverable Items folder. This protects the organization from a potential denial
of service (DoS) attack due to rapid growth of the Recoverable Items folder. If a mailbox isn't placed on In-Place
Hold or Litigation Hold, items are purged permanently from the Recoverable Items folder on a first in, first out
basis when the Recoverable Items warning quota is exceeded, or the item has resided in the folder for a longer
duration than the deleted item retention period.
The Recoverable Items folder contains the following subfolders used to store deleted items in various sites and
facilitate In-Place Hold and Litigation Hold:
Deletions - Items removed from the Deleted Items folder or soft-deleted from other folders are moved to
the Deletions subfolder and are visible to the user when using the Recover Deleted Items feature in
Outlook and Outlook on the web. By default, items reside in this folder until the deleted item retention
period configured for the mailbox expires.
Purges - When a user deletes an item from the Recoverable Items folder (by using the Recover Deleted
Items tool in Outlook and Outlook on the web), the item is moved to the Purges folder. Items that exceed
the deleted item retention period configured for the mailbox are also moved to the Purges folder. Items in
this folder aren't visible to users if they use the Recover Deleted Items tool. When the Managed Folder
Assistant processes the mailbox, items in the Purges folder are purged from the mailbox. When you place
the mailbox user on Litigation Hold, the Managed Folder Assistant doesn't purge items in this folder.
DiscoveryHold - If a user is placed on an In-Place Hold, deleted items are moved to this folder. When the
Managed Folder Assistant processes the mailbox, it evaluates messages in this folder. Items matching the
In-Place Hold query are retained until the hold period specified in the query. If no hold period is specified,
items are held indefinitely or until the user is removed from the hold.
Versions - When a user is placed on In-Place Hold or Litigation Hold, mailbox items must be protected from
tampering or modification by the user or a process. This is accomplished using a copy-on-write process.
When a user or a process changes specific properties of a mailbox item, a copy of the original item is
saved in the Versions folder before the change is committed. The process is repeated for subsequent
changes. Items captured in the Versions folder are also indexed and returned in eDiscovery searches. After
the hold is removed, copies in the Versions folder are removed by the Managed Folder Assistant.
Properties that trigger copy-on-write

Messages (IPM.Note*) and Posts (IPM.Post*): Subject, Body, Attachments, Senders/Recipients, Sent/Received dates.

Items other than messages and posts: Any change to a visible property, except the following:
Item location (when an item is moved between folders)
Item status change (read or unread)
Changes to the retention tag applied to an item

Items in the default folder Drafts: None (items in the Drafts folder are exempt from copy-on-write).

IMPORTANT
Copy-on-write is disabled for calendar items in the organizer's mailbox when meeting responses are received from
attendees and the tracking information for the meeting is updated. For calendar items and items that have a reminder set,
copy-on-write is disabled for the ReminderTime and ReminderSignalTime properties. Changes to these properties are not
captured by copy-on-write. Changes to RSS feeds aren't captured by copy-on-write.

Although the DiscoveryHold, Purges, and Versions folders aren't visible to the user, all items in the Recoverable
Items folder are indexed by Exchange Search and are discoverable using In-Place eDiscovery. After a mailbox
user is removed from In-Place Hold or Litigation Hold, items in the DiscoveryHold, Purges, and Versions folders
are purged by the Managed Folder Assistant.

Holds and mailbox quotas


Items in the Recoverable Items folder aren't calculated toward the user's mailbox quota. In Exchange Online, the
Recoverable Items folder has its own quota. For Exchange, the default values for the
RecoverableItemsWarningQuota and RecoverableItemsQuota mailbox properties are set to 20 GB and 30 GB
respectively. In Exchange Online, the quota for the Recoverable Items folder (in the user's primary mailbox) is
automatically increased to 100 GB when you place a mailbox on Litigation Hold or In-Place Hold. When the
storage quota for the Recoverable Items folder in the primary mailbox of a mailbox on hold is close to reaching
its limit, you can do the following things:
Enable the archive mailbox and turn on auto-expanding archiving - You can enable an unlimited
storage capacity for the Recoverable Items folder simply by enabling the archive mailbox and then turning
on the auto-expanding archiving feature in Exchange Online. This results in 110 GB for the Recoverable
Items folder in the primary mailbox and an unlimited amount of storage capacity for the Recoverable
Items folder in the user's archive. See how: Enable archive mailboxes in the Office 365 Security &
Compliance Center and Enable unlimited archiving in Office 365.
Notes:
After you enable the archive for a mailbox that's close to exceeding the storage quota for the
Recoverable Items folder, you might want to run the Managed Folder Assistant to manually trigger
the assistant to process the mailbox so that expired items are moved to the Recoverable Items folder
in the archive mailbox. For instructions, see Step 4 in Increase the Recoverable Items quota for
mailboxes on hold.
Note that other items in the user's mailbox might be moved to the new archive mailbox. Consider
telling the user that this might happen after you enable the archive mailbox.
Create a custom retention policy for mailboxes on hold - In addition to enabling the archive mailbox
and auto-expanding archiving for mailboxes on Litigation Hold or In-Place Hold, you might also want to
create a custom MRM retention policy in Exchange Online for mailboxes on hold. This lets you apply a
retention policy to mailboxes on hold that's different from the Default MRM Policy that's applied to
mailboxes that aren't on hold, so you can apply retention tags that are specifically designed for
mailboxes on hold. This includes creating a new retention tag for the Recoverable Items folder.
For more information, see Increase the Recoverable Items quota for mailboxes on hold.
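The two sections above describe the Recoverable Items subfolders and the quota that applies to them. The following script, added here as an example and not part of the original page, reports Recoverable Items usage against the quota for every mailbox on Litigation Hold or In-Place Hold, prints the per-subfolder breakdown for any mailbox that has reached the warning quota, and notes whether the archive and auto-expanding archiving (the page's recommended remedy) are already enabled. The size parsing relies on the "(n bytes)" suffix that Exchange Online remote PowerShell returns; that format and the property names are the only assumptions.

```powershell
# Added example (not from the page): Recoverable Items usage vs. quota for mailboxes
# on hold, with a per-subfolder breakdown for mailboxes at the warning quota.

# Exchange Online returns sizes as strings such as "1.2 GB (1,288,490,188 bytes)";
# take the exact byte count from the parentheses. "Unlimited" is a possible value.
function ConvertTo-Bytes([string]$Size) {
    if ($Size -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    if ($Size -eq 'Unlimited') { return [int64]::MaxValue }
    return [int64]0
}

# Mailboxes on Litigation Hold or on at least one In-Place Hold.
$onHold = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled -or $_.InPlaceHolds.Count -gt 0 }

foreach ($mbx in $onHold) {
    $quota = ConvertTo-Bytes $mbx.RecoverableItemsQuota
    $warn  = ConvertTo-Bytes $mbx.RecoverableItemsWarningQuota

    # One row per folder under Recoverable Items: the root plus Deletions, Purges,
    # Versions and DiscoveryHolds. The root row carries the grand total.
    $folders = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope RecoverableItems
    $root    = $folders | Where-Object { $_.FolderPath -eq '/Recoverable Items' } | Select-Object -First 1
    $total   = ConvertTo-Bytes $root.FolderAndSubfolderSize
    $percent = if ($quota -gt 0) { [math]::Round(100 * $total / $quota, 1) } else { 0 }

    [pscustomobject]@{
        Mailbox        = $mbx.PrimarySmtpAddress
        LitigationHold = $mbx.LitigationHoldEnabled
        InPlaceHolds   = $mbx.InPlaceHolds.Count
        UsedGB         = [math]::Round($total / 1GB, 2)
        QuotaGB        = [math]::Round($quota / 1GB, 2)
        PercentUsed    = $percent
        ArchiveEnabled = ($mbx.ArchiveStatus -eq 'Active')
        AutoExpanding  = $mbx.AutoExpandingArchiveEnabled
    }

    if ($total -ge $warn) {
        Write-Warning "$($mbx.PrimarySmtpAddress): Recoverable Items has reached the warning quota."
        # Show which subfolder is consuming the space (Versions growth usually means
        # heavy copy-on-write activity; Purges growth means expired items waiting on the hold).
        $folders |
            Where-Object { $_.FolderPath -ne '/Recoverable Items' } |
            Select-Object Name, ItemsInFolder, FolderSize |
            Format-Table -AutoSize
        if ($mbx.ArchiveStatus -ne 'Active' -or -not $mbx.AutoExpandingArchiveEnabled) {
            Write-Warning "  Enable the archive mailbox and auto-expanding archiving, then run Start-ManagedFolderAssistant -Identity '$($mbx.PrimarySmtpAddress)'."
        }
    }
}
```

Running this on a schedule turns the quota into something you see coming rather than something users discover when their Recoverable Items folder stops accepting deletions; the same report on the archive mailbox can be produced by adding the -Archive switch to Get-MailboxFolderStatistics.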

Holds and email forwarding


Users can use Outlook and Outlook on the web to set up email forwarding for their mailbox. Email forwarding
lets users configure their mailbox to forward email messages sent to their mailbox to another mailbox located in
or outside of their organization. Email forwarding can be configured so that any message sent to the original
mailbox isn't copied to that mailbox and is only sent to the forwarding address.
If email forwarding is set up for a mailbox and messages aren't copied to the original mailbox, what happens if
the mailbox is on hold? The hold settings for the mailbox are checked during the delivery process. If the message
meets the hold criteria for the mailbox, a copy of the message is saved to the Recoverable Items folder. That
means you can use eDiscovery tools to search the original mailbox to find messages that were forwarded to
another mailbox.

Deleting a mailbox on hold


When you delete the corresponding Office 365 account for a mailbox that's been placed on Litigation Hold or In-
Place Hold, the mailbox is converted to an inactive mailbox, which is a type of soft-deleted mailbox. Inactive
mailboxes are used to preserve the contents of a user's mailbox after they leave your organization. Items in an
inactive mailbox are preserved for the duration of the hold that was placed on the mailbox before it was made
inactive. This allows administrators, compliance officers, or records managers to use the Content Search tool in
the Office 365 Security & Compliance Center to access and search the contents of an inactive mailbox. Inactive
mailboxes can't receive email and aren't displayed in your organization's shared address book or other lists. For
more information, see Overview of inactive mailboxes in Office 365.
Create or remove an In-Place Hold
6/24/2019 • 7 minutes to read

NOTE
We've postponed the July 1, 2017 deadline for creating new In-Place Holds in Exchange Online (in Office 365 and Exchange
Online standalone plans). But later this year or early next year, you won't be able to create new In-Place Holds in Exchange
Online. As an alternative to using In-Place Holds, you can use eDiscovery cases or retention policies in the Office 365
Security & Compliance Center. After we decommission new In-Place Holds, you'll still be able to modify existing In-Place
Holds, and creating new In-Place Holds in Exchange Server and Exchange hybrid deployments will still be supported. And,
you'll still be able to place mailboxes on Litigation Hold.

An In-Place Hold preserves all mailbox content, including deleted items and original versions of modified items.
All such mailbox items are returned in an In-Place eDiscovery search. When you place an In-Place Hold on a user's
mailbox, the contents of the corresponding archive mailbox (if it's enabled) are also placed on hold and
returned in an eDiscovery search.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "In-Place Hold" entry in the Messaging Policy and Compliance Permissions
topic.
To place an Exchange Online mailbox on In-Place Hold, it must be assigned an Exchange Online (Plan 2)
license. If a mailbox is assigned an Exchange Online (Plan 1) license, you would have to assign it a separate
Exchange Online Archiving license to place it on hold.
Depending on your Active Directory topology and replication latency, it may take up to an hour for an In-
Place Hold to take effect.
As previously explained, when you place an In-Place Hold on a user's mailbox, content in the user's archive
mailbox is also placed on hold. If you place an In-Place Hold on an on-premises primary mailbox in an
Exchange hybrid deployment, the cloud-based archive mailbox (if enabled) is also placed on hold.
If a user is placed on multiple In-Place Holds, the search queries from any query-based hold are combined
(with OR operators). In this case, the maximum number of keywords in all query-based holds placed on a
mailbox is 500. If there are more than 500 keywords, then all content in the mailbox is placed on hold (not
just that content that matches the search criteria). All content is held until the total number of keywords is
reduced to 500 or less.
In Exchange Online, the quota for the Recoverable Items folder is automatically increased to 100 GB when
you place an In-Place Hold on a mailbox. The default size of the Recoverable Items folder is 30 GB.
In Exchange Online, you can place an In-Place Hold on Office 365 groups. When you place an Office 365
group on hold, the group mailbox is placed on hold; the mailboxes of the group members aren't placed on
hold. For information about Office 365 groups, see Learn about Office 365 groups.

Create an In-Place Hold


Use the EAC to create an In-Place Hold
1. Navigate to Compliance management > In-place eDiscovery & hold.
2. Click New.
3. In In-Place eDiscovery & Hold, on the Name and description page, type a name for the search and an
optional description, and then click Next.
4. On the Mailboxes and Public folders page, choose the content locations that you want to place on hold
and then click Next.

a. Search all mailboxes: You can't select this option to create an In-Place Hold. You can select this
option for In-Place eDiscovery searches, but to create an In-Place Hold, you must select the specific
mailboxes that you want to place on hold.
b. Don't search any mailboxes: Select this option when you're creating an In-Place Hold exclusively
for public folders.
c. Specify mailboxes to search: Select this option and then click Add to select the mailboxes or
distribution groups that you want to place on hold. In Exchange Online, you can also select Office
365 groups to place on hold.
d. Search all public folders: In Exchange Online, you can select this checkbox to place all public
folders in your organization on hold. As previously explained, to create an In-Place Hold only for
public folders, be sure to select the Don't search any mailboxes option.
5. On the Search query page, complete the following fields, and then click Next:
Include all user mailbox content: Click this button to place all content in selected mailboxes on
hold.
Filter based on criteria: Click this button to specify search criteria, including keywords, start and
end dates, sender and recipient addresses, and message types. When you create a query-based hold,
only items that match the search criteria are preserved.

TIP

When you place public folders on In-Place Hold, email messages related to the public folder hierarchy
synchronization process are also preserved. This might result in thousands of hierarchy synchronization
related email items being preserved. These messages can fill up the storage quota for the Recoverable
Items folder on public folder mailboxes. To prevent this, you can create a query-based In-Place Hold
and add the following property:value pair to the search query:

NOT(subject:HierarchySync*)

The result is that any message (related to the synchronization of the public folder hierarchy) that contains
the phrase "HierarchySync" in the subject line is not placed on hold.

6. On the In-Place Hold settings page, select the Place content matching the search query in selected
mailboxes on hold check box and then select one of the following options:
Hold indefinitely: Click this button to place items returned by the search on an indefinite hold.
Items on hold will be preserved until you remove the mailbox from the search or remove the search.
Specify number of days to hold items relative to their received date: Click this button to hold
items for a specific period. For example, you can use this option if your organization requires that all
messages be retained for at least seven years. You can use a time-based In-Place Hold along with a
retention policy to make sure items are deleted in seven years. To learn more about retention polices,
see Retention tags and retention policies.
Use Exchange Online PowerShell to create an In-Place Hold
This example creates an In-Place Hold named Hold-CaseId012 and adds the mailbox joe@contoso.com to the
hold.

IMPORTANT
If you don't specify additional search parameters for an In-Place Hold, all items in the specified source mailboxes are placed
on hold. If you don't specify the ItemHoldPeriod parameter, items are placed on hold indefinitely or until the mailbox is
either removed from hold or the hold is deleted.

New-MailboxSearch "Hold-CaseId012" -SourceMailboxes "joe@contoso.com" -InPlaceHoldEnabled $true

For detailed syntax and parameter information, see New-MailboxSearch.


How do you know this worked?
To verify that you have successfully created the In-Place Hold, do one of the following:
Use the EAC to verify that the In-Place Hold is listed in the list view of the In-place eDiscovery & hold
tab.
Use the Get-MailboxSearch cmdlet to retrieve the mailbox search and check the search parameters. For
an example of how to retrieve a mailbox search, see the examples in Get-MailboxSearch.
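The PowerShell example above places one mailbox on an indefinite hold of all content. The following script, added here as an example and not part of the original page, covers the other options the EAC procedure walks through in one command: a query-based, time-based hold on two custodians plus all public folders, with the HierarchySync exclusion from the tip, followed by the checks that prove the hold reached each mailbox. The case name, custodians and keywords are assumptions.

```powershell
# Added example (not from the page): a seven-year, query-based In-Place Hold across
# two custodians and all public folders, then verification. Case name, custodian
# addresses and keywords are assumptions.

$holdName   = "Hold-CaseId013"
$custodians = "joe@contoso.com", "ann@contoso.com"

# ItemHoldPeriod is counted in days from the item's received/created date; 7 x 365 = 2555.
# SearchQuery is KQL. NOT(subject:HierarchySync*) keeps public folder hierarchy
# synchronization messages out of the hold so they don't fill the Recoverable Items
# quota of the public folder mailboxes. Keep the total keyword count well under 500,
# because above that limit the whole mailbox is held regardless of the query.
New-MailboxSearch -Name $holdName `
    -SourceMailboxes $custodians `
    -AllPublicFolderSources $true `
    -SearchQuery '(contract OR "project falcon") AND NOT(subject:HierarchySync*)' `
    -ItemHoldPeriod 2555 `
    -InPlaceHoldEnabled $true

# Check the hold object itself.
Get-MailboxSearch -Identity $holdName |
    Format-List Name, InPlaceHoldEnabled, ItemHoldPeriod, SearchQuery, SourceMailboxes,
                AllPublicFolderSources, Status, InPlaceHoldIdentity

# Check each custodian mailbox: its InPlaceHolds list must contain this hold's identifier.
# The page notes that a hold can take up to an hour to take effect, so report rather
# than assume, and re-run this part later if a mailbox is still missing.
$holdId = (Get-MailboxSearch -Identity $holdName).InPlaceHoldIdentity
foreach ($user in $custodians) {
    $mbx     = Get-Mailbox -Identity $user
    $applied = $mbx.InPlaceHolds -contains $holdId
    "{0}: hold applied = {1}; total In-Place Holds on mailbox = {2}" -f `
        $mbx.PrimarySmtpAddress, $applied, $mbx.InPlaceHolds.Count
    if (-not $applied) {
        Write-Warning "$user is not yet on hold $holdName; re-check after replication completes."
    }
}
```

To retire this hold later, the order shown in the removal procedure below applies: Set-MailboxSearch -InPlaceHoldEnabled $false first, then Remove-MailboxSearch, because a search that is still enforcing a hold can't be removed.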

Remove an In-Place Hold


IMPORTANT
In Exchange Server, mailbox searches can be used for an In-Place Hold and In-Place eDiscovery. You can't remove a mailbox
search that's used for In-Place Hold. You must first disable the In-Place Hold by clearing the Place content matching the
search query in selected mailboxes on hold check box on the In-Place Hold settings page or by setting the
InPlaceHoldEnabled parameter to $false in Exchange Online PowerShell. You can also remove a mailbox by using the
SourceMailboxes parameter specified in the search.

Use the EAC to remove an In-Place Hold


1. Navigate to Compliance management > In-Place eDiscovery & hold.
2. In the list view, select the In-Place Hold you want to remove and then click Edit.
3. In In-Place eDiscovery & Hold properties, on the In-Place Hold page, clear the Place content
matching the search query in selected mailboxes on hold, and then click Save.
4. Select the In-Place Hold again from the list view, and then click Delete.
5. In warning, click Yes to remove the search.
Use Exchange Online PowerShell to remove an In-Place Hold
This example first disables the In-Place Hold named Hold-CaseId012 and then removes the mailbox search.

Set-MailboxSearch "Hold-CaseId012" -InPlaceHoldEnabled $false


Remove-MailboxSearch "Hold-CaseId012"

For detailed syntax and parameter information, see Set-MailboxSearch.


How do you know this worked?
To verify that you have successfully removed an In-Place Hold, do one of the following:
Use the EAC to verify that the In-Place Hold doesn't appear in the list view of the In-place eDiscovery &
hold tab.
Use the Get-MailboxSearch cmdlet to retrieve all mailbox searches and check that the search you
removed is no longer listed. For an example of how to retrieve a mailbox search, see the examples in Get-
MailboxSearch.
In-Place eDiscovery
6/24/2019 • 28 minutes to read

NOTE
We've postponed the July 1, 2017 deadline for creating new In-Place eDiscovery searches in Exchange Online (in Office 365
and Exchange Online standalone plans). But later this year or early next year, you won't be able to create new searches in
Exchange Online. To create eDiscovery searches, please start using Content Search in the Office 365 Security & Compliance
Center. After we decommission new In-Place eDiscovery searches, you'll still be able to modify existing In-Place eDiscovery
searches, and creating new In-Place eDiscovery searches in Exchange Server and Exchange hybrid deployments will still be
supported.

If your organization adheres to legal discovery requirements (related to organizational policy, compliance, or
lawsuits), In-Place eDiscovery in Microsoft Exchange Server and Exchange Online can help you perform
discovery searches for relevant content within mailboxes. Exchange Server and Exchange Online also offer
federated search capability and integration with Microsoft SharePoint 2013 and Microsoft SharePoint Online.
Using the eDiscovery Center in SharePoint, you can search for and hold all content related to a case, including
SharePoint 2013 and SharePoint Online websites, documents, file shares indexed by SharePoint (SharePoint
2013 only), mailbox content in Exchange, and archived Lync 2013 content. You can also use In-Place eDiscovery
in an Exchange hybrid environment to search on-premises and cloud-based mailboxes in the same search.

IMPORTANT
In-Place eDiscovery is a powerful feature that allows a user with the correct permissions to potentially gain access to all
messaging records stored throughout the Exchange Server or Exchange Online organization. It's important to control and
monitor discovery activities, including addition of members to the Discovery Management role group, assignment of the
Mailbox Search management role, and assignment of mailbox access permission to discovery mailboxes.

How In-Place eDiscovery works


In-Place eDiscovery uses the content indexes created by Exchange Search. Role Based Access Control (RBAC)
provides the Discovery Management role group to delegate discovery tasks to non-technical personnel, without
the need to provide elevated privileges that may allow a user to make any operational changes to Exchange
configuration. The Exchange admin center (EAC) provides an easy-to-use search interface for non-technical
personnel such as legal and compliance officers, records managers, and human resources (HR) professionals.
Authorized users can perform an In-Place eDiscovery search by selecting the mailboxes, and then specifying
search criteria such as keywords, start and end dates, sender and recipient addresses, and message types. After
the search is complete, authorized users can then select one of the following actions:
Estimate search results: This option returns an estimate of the total size and number of items that will be
returned by the search based on the criteria you specified.
Preview search results: This option provides a preview of the results. Messages returned from each
mailbox searched are displayed.
Copy search results: This option lets you copy messages to a discovery mailbox.
Export search results: After search results are copied to a discovery mailbox, you can export them to a
PST file.
Exchange Search
In-Place eDiscovery uses the content indexes created by Exchange Search. Exchange Search has been retooled to
use Microsoft Search Foundation, a rich search platform that comes with significantly improved indexing and
querying performance and improved search functionality. Because the Microsoft Search Foundation is also used
by other Office products, including SharePoint 2013, it offers greater interoperability and similar query syntax
across these products.
With a single content indexing engine, no additional resources are used to crawl and index mailbox databases for
In-Place eDiscovery when eDiscovery requests are received by IT departments.
In-Place eDiscovery uses Keyword Query Language (KQL), a querying syntax similar to the Advanced Query
Syntax (AQS) used by Instant Search in Microsoft Outlook and Outlook on the web. Users familiar with KQL can
easily construct powerful search queries to search content indexes.
For more information about the file formats indexed by Exchange search, see File Formats Indexed By Exchange
Search.

Discovery Management role group and management roles


For authorized users to perform In-Place eDiscovery searches, you must add them to the Discovery Management
role group. This role group consists of two management roles: the Mailbox Search Role, which allows a user to
perform an In-Place eDiscovery search, and the Legal Hold Role, which allows a user to place a mailbox on In-
Place Hold or litigation hold.
By default, permissions to perform In-Place eDiscovery-related tasks aren't assigned to any user or Exchange
administrators. Exchange administrators who are members of the Organization Management role group can add
users to the Discovery Management role group and create custom role groups to narrow the scope of a discovery
manager to a subset of users. To learn more about adding users to the Discovery Management role group, see
Assign eDiscovery permissions in Exchange.
IMPORTANT
If a user hasn't been added to the Discovery Management role group or isn't assigned the Mailbox Search role, the In-
Place eDiscovery & Hold user interface isn't displayed in the EAC, and the In-Place eDiscovery cmdlets aren't available in
Exchange Online PowerShell.

Auditing of RBAC role changes, which is enabled by default, makes sure that adequate records are kept to track
assignment of the Discovery Management role group. You can use the administrator role group report to search
for changes made to administrator role groups. For more information, see Search the role group changes or
administrator audit logs.

Custom management scopes for In-Place eDiscovery


You can use a custom management scope to let specific people or groups use In-Place eDiscovery to search a
subset of mailboxes in your Exchange Server or Exchange Online organization. For example, you might want to
let a discovery manager search only the mailboxes of users in a specific location or department. You do this by
creating a custom management scope that uses a custom recipient filter to control which mailboxes can be
searched. Recipient filter scopes use filters to target specific recipients based on recipient type or other recipient
properties.
For In-Place eDiscovery, the only property on a user mailbox that you can use to create a recipient filter for a
custom scope is distribution group membership. If you use other properties, such as CustomAttributeN,
Department, or PostalCode, the search fails when it's run by a member of the role group that's assigned the
custom scope. For more information, see Create a custom management scope for In-Place eDiscovery searches.

Integration with SharePoint Server and SharePoint Online


Exchange Server and Exchange Online offer integration with SharePoint Server and SharePoint Online, allowing
a discovery manager to use eDiscovery Center in SharePoint to perform the following tasks:
Search and preserve content from a single location: An authorized discovery manager can search and
preserve content across SharePoint and Exchange, including Lync content such as instant messaging
conversations and shared meeting documents archived in Exchange mailboxes.
Case management: eDiscovery Center uses a case management approach to eDiscovery, allowing you to
create cases and search and preserve content across different content repositories for each case.
Export search results: A discovery manager can use eDiscovery Center to export search results. Mailbox
content included in search results is exported to a PST file.
SharePoint also uses Microsoft Search Foundation for content indexing and querying. Regardless of whether a
discovery manager uses the EAC or the eDiscovery Center to search Exchange content, the same mailbox content
is returned.
In on-premises deployments, before you can use eDiscovery Center in SharePoint to search Exchange mailboxes,
you must establish trust between the two applications. In Exchange Server and SharePoint 2013, this is done
using OAuth authentication. For details, see Configure Exchange for SharePoint eDiscovery Center. eDiscovery
searches performed from SharePoint are authorized by Exchange using RBAC. For a SharePoint user to be able
to perform an eDiscovery search of Exchange mailboxes, they must be assigned delegated Discovery
Management permission in Exchange. To be able to preview mailbox content returned in an eDiscovery search
performed using SharePoint eDiscovery Center, the discovery manager must have a mailbox in the same
Exchange organization.
For step-by-step instructions for setting up an eDiscovery Center in an Office 365 organization, see Set up an
eDiscovery Center in SharePoint Online.
eDiscovery in an Exchange hybrid deployment
To successfully perform cross-premises eDiscovery searches in an Exchange Server hybrid organization, you will
have to configure OAuth (Open Authorization) authentication between your Exchange on-premises and Exchange
Online organizations so that you can use In-Place eDiscovery to search on-premises and cloud-based mailboxes.
OAuth authentication is a server-to-server authentication protocol that allows applications to authenticate to each
other.
OAuth authentication supports the following eDiscovery scenarios in an Exchange hybrid deployment:
Search on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes.
Search on-premises and cloud-based mailboxes in the same eDiscovery search.
Search on-premises mailboxes by using the eDiscovery Center in SharePoint Online.
For more information about the eDiscovery scenarios that require OAuth authentication to be configured in an
Exchange hybrid deployment, see Using OAuth Authentication to Support eDiscovery in an Exchange Hybrid
Deployment. For step-by-step instructions for configuring OAuth authentication to support eDiscovery, see
Configure OAuth Authentication Between Exchange and Exchange Online Organizations.

Discovery mailboxes
After you create an In-Place eDiscovery search, you can copy the search results to a target mailbox. The EAC
allows you to select a discovery mailbox as the target mailbox. A discovery mailbox is a special type of mailbox
that provides the following functionality:
Easier and secure target mailbox selection: When you use the EAC to copy In-Place eDiscovery search
results, only discovery mailboxes are made available as a repository in which to store search results. You
don't need to sort through a potentially long list of mailboxes available in the organization. This also
eliminates the possibility of a discovery manager accidentally selecting another user's mailbox or an
unsecured mailbox in which to store potentially sensitive messages.
Large mailbox storage quota: The target mailbox should be able to store a large amount of message
data that may be returned by an In-Place eDiscovery search. By default, discovery mailboxes have a
mailbox storage quota of 50 gigabytes (GB). This storage quota can't be increased.
More secure by default: Like all mailbox types, a discovery mailbox has an associated Active Directory
user account. However, this account is disabled by default. Only users explicitly authorized to access a
discovery mailbox have access to it. Members of the Discovery Management role group are assigned Full
Access permissions to the default discovery mailbox. Any additional discovery mailboxes you create don't
have mailbox access permissions assigned to any user.
Email delivery disabled: Although a discovery mailbox is visible in Exchange address lists, users can't send
email to it. Email delivery to discovery mailboxes is prohibited by using delivery restrictions. This preserves
the integrity of search results copied to a discovery mailbox.
Exchange Setup creates one discovery mailbox with the display name Discovery Search Mailbox. You can use
Exchange Online PowerShell to create additional discovery mailboxes. By default, the discovery mailboxes you
create won't have any mailbox access permissions assigned. You can assign Full Access permissions for a
discovery manager to access messages copied to a discovery mailbox. For details, see Create a discovery mailbox.
In-Place eDiscovery also uses a system mailbox with the display name
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} to hold In-Place eDiscovery metadata. System mailboxes
aren't visible in the EAC or in Exchange address lists. In on-premises organizations, before removing a mailbox
database where the In-Place eDiscovery system mailbox is located, you must move the mailbox to another mailbox
database. If the mailbox is removed or corrupted, your discovery managers are unable to perform eDiscovery
searches until you re-create the mailbox. For details, see Re-Create the Discovery System Mailbox.
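The IMPORTANT note at the start of this topic lists three things to control and monitor: Discovery Management membership, Mailbox Search role assignments, and access permissions on discovery mailboxes. The following function is an added example, not code from the original topic, that gathers all three into one report using the role group report and admin audit log mentioned above; the function name and the 30-day default window are assumptions, and it assumes a connected Exchange Online PowerShell session.

```powershell
# Added example (not from the original topic): one report covering who can
# run In-Place eDiscovery and who can read what it copies.
function Get-DiscoveryAccessReport {
    param([int]$DaysBack = 30)   # window for the audit log query (assumption)

    $report = [ordered]@{}

    # 1. Current members of the Discovery Management role group.
    $report.RoleGroupMembers = Get-RoleGroupMember -Identity 'Discovery Management' |
        Select-Object Name, RecipientType

    # 2. Every assignment of the Mailbox Search role, including custom role
    #    groups and any custom recipient scope that narrows what they can search.
    $report.MailboxSearchAssignments = Get-ManagementRoleAssignment -Role 'Mailbox Search' |
        Select-Object Name, RoleAssigneeName, RoleAssigneeType, CustomRecipientWriteScope

    # 3. Recent membership changes to the role group, from the admin audit log
    #    (RBAC change auditing is enabled by default).
    $report.RoleGroupChanges = Search-AdminAuditLog `
        -Cmdlets Add-RoleGroupMember, Remove-RoleGroupMember `
        -StartDate (Get-Date).AddDays(-$DaysBack) -EndDate (Get-Date) |
        Where-Object { $_.ObjectModified -like '*Discovery Management*' } |
        Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded

    # 4. Explicit (non-inherited) permissions on every discovery mailbox.
    #    By default only Discovery Management has Full Access to the default
    #    discovery mailbox and new ones have no grants, so anything listed
    #    here beyond that deserves a second look.
    $report.DiscoveryMailboxAccess = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited |
        ForEach-Object {
            $mbx = $_
            Get-MailboxPermission -Identity $mbx.Identity |
                Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                               $_.User -notlike 'NT AUTHORITY\*' } |
                Select-Object @{n = 'Mailbox'; e = { $mbx.DisplayName }}, User, AccessRights
        }

    return [pscustomobject]$report
}

# Usage:
#   $r = Get-DiscoveryAccessReport -DaysBack 90
#   $r.RoleGroupChanges        | Format-Table -AutoSize
#   $r.DiscoveryMailboxAccess  | Format-Table -AutoSize
```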

Using In-Place eDiscovery


Users who have been added to the Discovery Management role group can perform In-Place eDiscovery searches.
You can perform a search using the web-based interface in the EAC. This makes it easier for non-technical users
such as records managers, compliance officers, or legal and HR professionals to use In-Place eDiscovery. You can
also use Exchange Online PowerShell to perform a search. For more information, see Create an In-Place
eDiscovery search.

NOTE
In on-premises organizations, you can use In-Place eDiscovery to search mailboxes located on Exchange Server Mailbox
servers. To search mailboxes located on Exchange 2010 Mailbox servers, use Multi-Mailbox Search on an Exchange 2010
server.

In a hybrid deployment, which is an environment where some mailboxes exist on your on-premises Mailbox
servers and some mailboxes exist in a cloud-based organization, you can perform In-Place eDiscovery searches of your
cloud-based mailboxes using the EAC in your on-premises organization. If you intend to copy messages to a discovery
mailbox, you must select an on-premises discovery mailbox. Messages from cloud-based mailboxes that are returned in
search results are copied to the specified on-premises discovery mailbox. To learn more about hybrid deployments, see
Exchange Server Hybrid Deployments.

The In-Place eDiscovery & Hold wizard in the EAC allows you to create an In-Place eDiscovery search and
also use In-Place Hold to place search results on hold. When you create an In-Place eDiscovery search, a search
object is created in the In-Place eDiscovery system mailbox. This object can be manipulated to start, stop, modify,
and remove the search. After you create the search, you can choose to get an estimate of search results, which
includes keyword statistics that help you determine query effectiveness. You can also do a live preview of items
returned in the search, allowing you to view message content, the number of messages returned from each
source mailbox and the total number of messages. You can use this information to further fine-tune your query if
required.
When satisfied with the search results, you can copy them to a discovery mailbox. You can also use the EAC or
Outlook to export a discovery mailbox or some of its content to a PST file.
When creating an In-Place eDiscovery search, you must specify the following parameters:
Name: The search name is used to identify the search. When you copy search results to a discovery
mailbox, a folder is created in the discovery mailbox using the search name and the timestamp to uniquely
identify search results in a discovery mailbox.
Mailboxes: You can choose to search all mailboxes in your Exchange Server or Exchange Online
organization or specify the mailboxes to search. A user's primary and archive mailboxes are included in the
search. If you also want to use the same search to place items on hold, you must specify the mailboxes. You
can specify a distribution group to include mailbox users who are members of that group. Membership of
the group is calculated once when creating the search and subsequent changes to group membership are
not automatically reflected in the search.
In Exchange Online, you can also specify Office 365 groups as a content source so that the group mailbox
is searched (or placed on hold). When you add an Office 365 group to an In-Place eDiscovery search, only
the group mailbox is searched; the mailboxes of the group members aren't searched.
Search query: You can either include all mailbox content from the specified mailboxes or use a search
query to return items that are more relevant to the case or investigation. You can specify the following
parameters in a search query:
Keywords: You can specify keywords and phrases to search message content. You can also use the
logical operators AND, OR, and NOT. Additionally, Exchange Server also supports the NEAR
operator, allowing you to search for a word or phrase that's in proximity to another word or phrase.
To search for an exact match of a multiple word phrase, you must enclose the phrase in quotation
marks. For example, searching for the phrase "plan and competition" returns messages that contain
an exact match of the phrase, whereas specifying plan AND competition returns messages that
contain the words plan and competition anywhere in the message.
Exchange Server also supports the Keyword Query Language (KQL ) syntax for In-Place eDiscovery
searches.

NOTE
In-Place eDiscovery does not support regular expressions.

You must capitalize logical operators such as AND and OR for them to be treated as operators
instead of keywords. We recommend that you use explicit parentheses for any query that mixes
multiple logical operators to avoid mistakes or misinterpretations. For example, if you want to
search for messages that contain either WordA or WordB AND either WordC or WordD, you must
use (WordA OR WordB) AND (WordC OR WordD).
Start and End dates: By default, In-Place eDiscovery doesn't limit searches by a date range. To
search messages sent during a specific date range, you can narrow the search by specifying the start
and end dates. If you don't specify an end date, the search will return the latest results every time
you restart it.
Senders and recipients: To narrow down the search, you can specify the senders or recipients of
messages. You can use email addresses, display names, or the name of a domain to search for items
sent to or from everyone in the domain. For example, to find email sent by or sent to anyone at
Contoso, Ltd, specify @contoso.com in the From or the To/cc field in the EAC. You can also
specify @contoso.com in the Senders or Recipients parameters in Exchange Online PowerShell.
Message types: By default, all message types are searched. You can restrict the search by selecting
specific message types such as email, contacts, documents, journal, meetings, notes and Lync
content.
The following screenshot shows an example of a search query in the EAC.
When using In-Place eDiscovery, also consider the following:
Attachments: In-Place eDiscovery searches attachments supported by Exchange Search. For details, see
Default Filters for Exchange Search. In on-premises deployments, you can add support for additional file
types by installing search filters (also known as an iFilter) for the file type on Mailbox servers.
Unsearchable items: Unsearchable items are mailbox items that can't be indexed by Exchange Search.
Reasons they can't be indexed include the lack of an installed search filter for an attached file, a filter error,
and encrypted messages. For a successful eDiscovery search, your organization may be required to include
such items for review. When copying search results to a discovery mailbox or exporting them to a PST file,
you can include unsearchable items. For more information, see Unsearchable Items in Exchange
eDiscovery.
Encrypted items: Because messages encrypted using S/MIME aren't indexed by Exchange Search, In-
Place eDiscovery doesn't search these messages. If you select the option to include unsearchable items in
search results, these S/MIME encrypted messages are copied to the discovery mailbox.
IRM-protected items: Messages protected using Information Rights Management (IRM) are indexed by
Exchange Search and therefore included in the search results if they match query parameters. Messages
must be protected by using an Active Directory Rights Management Services (AD RMS) cluster in the
same Active Directory forest as the Mailbox server. For more information, see Information Rights
Management.
IMPORTANT
When Exchange Search fails to index an IRM-protected message, either due to a decryption failure or because IRM
is disabled, the protected message isn't added to the list of failed items. If you select the option to include
unsearchable items in search results, the results may not include IRM-protected messages that could not be
decrypted.

To include IRM-protected messages in a search, you can create another search to include messages
with .rpmsg attachments. You can use the query string attachment:rpmsg to search all IRM-protected messages
in the specified mailboxes, whether successfully indexed or not. This may result in some duplication of search results
in scenarios where one search returns messages that match the search criteria, including IRM-protected messages
that have been indexed successfully. The search doesn't return IRM-protected messages that couldn't be indexed.

Performing a second search for all IRM-protected messages also includes the IRM-protected messages that were
successfully indexed and returned in the first search. Additionally, the IRM-protected messages returned by the
second search may not match the search criteria such as keywords used for the first search.

De-duplication: When copying search results to a discovery mailbox, you can enable de-duplication of
search results to copy only one instance of a unique message to the discovery mailbox. De-duplication has
the following benefits:
Lower storage requirement and smaller discovery mailbox size due to reduced number of messages
copied.
Reduced workload for discovery managers, legal counsel, or others involved in reviewing search
results.
Reduced cost of eDiscovery, depending on the number of duplicate items excluded from search
results.

Estimate, preview, and copy search results


After an In-Place eDiscovery search is completed, you can view search result estimates in the Details pane in the
EAC. The estimate includes number of items returned and total size of those items. You can also view keyword
statistics, which returns details about number of items returned for each keyword used in the search query. This
information is helpful in determining query effectiveness. If the query is too broad, it may return a much bigger
data set, which could require more resources to review and raise eDiscovery costs. If the query is too narrow, it
may significantly reduce the number of records returned or return no records at all. You can use the estimates
and keyword statistics to fine-tune the query to meet your requirements.

NOTE
In Exchange Server and Exchange Online, keyword statistics also include statistics for non-keyword properties such as dates,
message types, and senders/recipients specified in a search query.

You can also preview the search results to further ensure that messages returned contain the content you're
searching for and further fine-tune the query if required. eDiscovery Search Preview displays the number of
messages returned from each mailbox searched and the total number of messages returned by the search. The
preview is generated quickly without requiring you to copy messages to a discovery mailbox.
After you're satisfied with the quantity and quality of search results, you can copy them to a discovery mailbox.
When copying messages, you have the following options:
Include unsearchable items: For details about the types of items that are considered unsearchable, see
the eDiscovery search considerations in the previous section.
Enable de-duplication: De-duplication reduces the dataset by only including a single instance of a
unique record if multiple instances are found in one or more mailboxes searched.
Enable full logging: By default, only basic logging is enabled when copying items. You can select full
logging to include information about all records returned by the search.
Send me mail when the copy is completed: An In-Place eDiscovery search can potentially return a
large number of records. Copying the messages returned to a discovery mailbox can take a long time. Use
this option to get an email notification when the copying process is completed. For easier access using
Outlook on the web, the notification includes a link to the location in a discovery mailbox where the
messages are copied.
For more information, see Copy eDiscovery Search Results to a Discovery Mailbox.
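The following two functions are an added example, not code from the original topic, that drive the search parameters and KQL operators described above from Exchange Online PowerShell: an estimate-only search whose keyword statistics are read back, then the same search re-run as a copy to a discovery mailbox with the copy options from this section. The function names, search name, mailboxes, dates, keywords and notification address are constructed for illustration, and the pre-check relies on the default DiscoveryMaxConcurrency and DiscoveryMaxStatsSearchMailboxes values (2 and 100) described under throttling later in this topic.

```powershell
# Added example (not from the original topic). Assumes a connected Exchange
# Online PowerShell session and membership in Discovery Management.
function Invoke-EDiscoverySearchEstimate {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$SourceMailboxes,
        [Parameter(Mandatory)][string]$SearchQuery,
        [datetime]$StartDate,
        [datetime]$EndDate,
        [string[]]$Senders,
        [string[]]$MessageTypes = @('Email')
    )

    # The default throttling policy allows two concurrent searches; a third
    # is not queued but fails, so check before starting.
    $running = @(Get-MailboxSearch | Where-Object { $_.Status -like '*InProgress' })
    if ($running.Count -ge 2) {
        throw "Two searches already running ($($running.Name -join ', ')); wait for one to finish."
    }

    $params = @{
        Name            = $Name
        SourceMailboxes = $SourceMailboxes   # explicit mailboxes, not "all"
        SearchQuery     = $SearchQuery       # KQL; operators must be upper case
        MessageTypes    = $MessageTypes
        EstimateOnly    = $true              # estimate first, copy later
    }
    if ($PSBoundParameters.ContainsKey('StartDate')) { $params.StartDate = $StartDate }
    if ($PSBoundParameters.ContainsKey('EndDate'))   { $params.EndDate   = $EndDate }
    if ($PSBoundParameters.ContainsKey('Senders'))   { $params.Senders   = $Senders }

    New-MailboxSearch @params | Out-Null
    Start-MailboxSearch -Identity $Name

    # Poll until the estimate finishes (a search times out after 10 minutes).
    do {
        Start-Sleep -Seconds 15
        $search = Get-MailboxSearch -Identity $Name
    } while ($search.Status -like '*InProgress')

    # Keyword statistics are only available for 100 or fewer source mailboxes.
    if ($SourceMailboxes.Count -le 100) {
        $search = Get-MailboxSearch -Identity $Name -ShowKeywordStatistics
    }
    return $search | Select-Object Name, Status, ResultNumberEstimate, ResultSizeEstimate, KeywordHits
}

function Copy-EDiscoverySearchResults {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TargetMailbox,
        [Parameter(Mandatory)][string]$NotifyAddress
    )
    # Turn the estimate into a copy: de-duplicate, include unsearchable items
    # (for example S/MIME mail), keep the full .csv log, and notify on completion.
    Set-MailboxSearch -Identity $Name -EstimateOnly $false -TargetMailbox $TargetMailbox `
        -ExcludeDuplicateMessages $true -IncludeUnsearchableItems $true `
        -LogLevel Full -StatusMailRecipients $NotifyAddress
    Start-MailboxSearch -Identity $Name
}

# Usage with constructed values. Parentheses make the operator precedence
# explicit; the quoted phrase matches only those words in that order.
# Invoke-EDiscoverySearchEstimate -Name 'Search-Case0042' `
#     -SourceMailboxes 'alice@contoso.com', 'bob@contoso.com' `
#     -SearchQuery '("merger plan" OR acquisition) AND NOT newsletter' `
#     -StartDate '2019-01-01' -EndDate '2019-06-30' -Senders '@contoso.com'
# Copy-EDiscoverySearchResults -Name 'Search-Case0042' `
#     -TargetMailbox 'Discovery Search Mailbox' -NotifyAddress 'discovery-manager@contoso.com'
```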

Export search results to a PST file


After search results are copied to a discovery mailbox, you can export the search results to a PST file.

After search results are exported to a PST file, you or other users can open them in Outlook to review or print
messages returned in the search results. For more information, see Export eDiscovery search results to a PST file.

Different search results


Because In-Place eDiscovery performs searches on live data, it's possible that two searches of the same content
sources and using the same search query can return different results. Estimated search results can also be
different from the actual search results that are copied to a discovery mailbox. This can happen even when
rerunning the same search within a short amount of time. There are several factors that can affect the consistency
of search results:
The continual indexing of incoming email because Exchange Search continuously crawls and indexes your
organization's mailbox databases and transport pipeline.
Deletion of email by users or automated processes.
Bulk importing large amounts of email, which takes time to index.
If you do experience dissimilar results for the same search, consider placing mailboxes on hold to preserve
content, running searches during off-peak hours, and allowing time for indexing after importing large amounts of
email.

Logging for In-Place eDiscovery searches


There are two types of logging available for In-Place eDiscovery searches:
Basic logging: Basic logging is enabled by default for all In-Place eDiscovery searches. It includes
information about the search and who performed it. Information captured about basic logging appears in
the body of the email message sent to the mailbox where the search results are stored. The message is
located in the folder created to store search results.
Full logging: Full logging includes information about all messages returned by the search. This
information is provided in a comma-separated value (.csv) file attached to the email message that contains
the basic logging information. The name of the search is used for the .csv file name. This information may
be required for compliance or record-keeping purposes. To enable full logging, you must select the Enable
full logging option when copying search results to a discovery mailbox in the EAC. If you're using
Exchange Online PowerShell, specify the full logging option using the LogLevel parameter.

NOTE
When using Exchange Online PowerShell to create or modify an In-Place eDiscovery search, you can also disable logging.

Besides the search log included when copying search results to a discovery mailbox, Exchange also logs cmdlets
used by the EAC or Exchange Online PowerShell to create, modify or remove In-Place eDiscovery searches. This
information is logged in the admin audit log entries. For details, see Administrator Audit Logging.

In-Place eDiscovery and In-Place Hold


As part of eDiscovery requests, you may be required to preserve mailbox content until a lawsuit or investigation
is disposed. Messages deleted or altered by the mailbox user or any processes must also be preserved. In
Exchange Server, this is accomplished by using In-Place Hold. For details, see In-Place Hold and Litigation Hold.
In Exchange Server, you can use the new In-Place eDiscovery & Hold wizard to search items and preserve
them for as long as they're required for eDiscovery or to meet other business requirements. When using the
same search for both In-Place eDiscovery and In-Place Hold, be aware of the following:
You can't use the option to search all mailboxes. You must select the mailboxes or distribution groups.
You can't remove an In-Place eDiscovery search if the search is also used for In-Place Hold. You must first
disable the In-Place Hold option in a search and then remove the search.

Preserving mailboxes for In-Place eDiscovery


When an employee leaves an organization, it's a common practice to disable or remove the mailbox. After you
disable a mailbox, it is disconnected from the user account but remains in the mailbox database for a certain
period, 30 days by default. The Managed Folder Assistant does not process disconnected mailboxes and any
retention policies are not applied during this period. You can't search content of a disconnected mailbox. Upon
reaching the deleted mailbox retention period configured for the mailbox database, the mailbox is purged from
the mailbox database.

IMPORTANT
In Exchange Online, In-Place eDiscovery can search content in inactive mailboxes. Inactive mailboxes are mailboxes that are
placed on In-Place Hold or litigation hold and then removed. Inactive mailboxes are preserved as long as they're placed on
hold. When an inactive mailbox is removed from In-Place Hold or when litigation hold is disabled, it is permanently deleted.
For details, see Manage Inactive Mailboxes in Exchange Online.

In on-premises deployments, if your organization requires that retention settings be applied to messages of
employees who are no longer in the organization or if you may need to retain an ex-employee's mailbox for an
ongoing or future eDiscovery search, do not disable or remove the mailbox. You can take the following steps to
ensure the mailbox can't be accessed and no new messages are delivered to it.
1. Disable the Active Directory user account using Active Directory Users & Computers or other Active
Directory or account provisioning tools or scripts. This prevents mailbox logon using the associated user
account.

IMPORTANT
Users with Full Access mailbox permission will still be able to access the mailbox. To prevent access by others, you
must remove their Full Access permission from the mailbox. For information about how to remove Full Access
mailbox permissions on a mailbox, see Manage permissions for recipients.

2. Set the message size limit for messages that can be sent from or received by the mailbox user to a very
low value, 1 KB for example. This prevents delivery of new mail to and from the mailbox. For details, see
Configure Message Size Limits for a Mailbox.
3. Configure delivery restrictions for the mailbox so nobody can send messages to it. For details, see
Configure message delivery restrictions for a mailbox.

IMPORTANT
You must take the above steps along with any other account management processes required by your organization, but
without disabling or removing the mailbox or removing the associated user account.
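The following function is an added example, not code from the original topic, that applies the three steps above plus the Full Access cleanup from the IMPORTANT note to a departed employee's on-premises mailbox. It assumes the Exchange Management Shell with the ActiveDirectory module loaded; the function name, the 1 KB limit from step 2, and the use of an empty distribution group as the only permitted sender for step 3 are assumptions.

```powershell
# Added example (not from the original topic): keep a departed employee's
# mailbox for retention and eDiscovery while making sure nobody can log on
# to it or deliver new mail to it. Requires the ActiveDirectory module.
function Protect-RetainedMailbox {
    param(
        [Parameter(Mandatory)][string]$Identity,
        # A distribution group with no members; accepting mail only from its
        # members means accepting mail from nobody (assumption).
        [string]$EmptySenderGroup = 'DL-NoSenders'
    )

    $mbx = Get-Mailbox -Identity $Identity

    # Step 1: disable the AD user account so the user can no longer log on.
    # The mailbox and the account are kept, as the IMPORTANT note requires.
    Disable-ADAccount -Identity $mbx.SamAccountName

    # IMPORTANT note: users with Full Access can still open the mailbox, so
    # remove every explicit (non-inherited) Full Access grant.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                       -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object {
            Remove-MailboxPermission -Identity $mbx.Identity -User $_.User `
                -AccessRights FullAccess -InheritanceType All -Confirm:$false
        }

    # Step 2: a 1 KB send/receive limit blocks practically any new message.
    Set-Mailbox -Identity $mbx.Identity -MaxSendSize 1KB -MaxReceiveSize 1KB

    # Step 3: delivery restriction so that nobody can address the mailbox.
    Set-Mailbox -Identity $mbx.Identity -AcceptMessagesOnlyFromDLMembers $EmptySenderGroup

    # Return the settings a reviewer would check afterwards.
    Get-Mailbox -Identity $mbx.Identity |
        Select-Object DisplayName, MaxSendSize, MaxReceiveSize, AcceptMessagesOnlyFromDLMembers,
                      @{n = 'ADAccountEnabled'; e = { (Get-ADUser $_.SamAccountName).Enabled }}
}

# Usage: Protect-RetainedMailbox -Identity 'former.employee@contoso.com'
```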

When planning to implement mailbox retention for messaging records management (MRM) or In-Place
eDiscovery, you must take employee turnover into consideration. Long-term retention of ex-employee mailboxes
will require additional storage on Mailbox servers and also result in an increase in Active Directory database size
because it requires that the associated user account be retained for the same duration. Additionally, it may also
require changes to your organization's account provisioning and management processes.

In-Place eDiscovery limits and throttling policies


In Exchange Server and Exchange Online, the resources In-Place eDiscovery can consume are controlled using
throttling policies.
The default throttling policy contains the following throttling parameters.

DiscoveryMaxConcurrency
Description: The maximum number of In-Place eDiscovery searches that can run at the same time in your organization.
Default value: 2
Note: If an eDiscovery search is started while two previous searches are still running, the third search won't be queued and will instead fail. You have to wait until one of the previous searches finishes before you can successfully start a new search.

DiscoveryMaxMailboxes
Description: The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search.
Default value: Exchange Online: 10,000 (see note 1); Exchange Server: 5,000

DiscoveryMaxStatsSearchMailboxes
Description: The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search that still allows you to view keyword statistics.
Default value: 100
Note: After you run an eDiscovery search estimate, you can view keyword statistics. These statistics show details about the number of items returned for each keyword used in the search query. If more than 100 source mailboxes are included in the search, an error will be returned if you try to view keyword statistics.

DiscoveryMaxKeywords
Description: The maximum number of keywords that can be specified in a single In-Place eDiscovery search.
Default value: 500

DiscoveryMaxSearchResultsPageSize
Description: The maximum number of items displayed on a single page when previewing In-Place eDiscovery search results.
Default value: 200

DiscoverySearchTimeoutPeriod
Description: The number of minutes that an In-Place eDiscovery search will run before it times out.
Default value: 10 minutes

NOTE
1 If you initiate an eDiscovery search from the eDiscovery Center in SharePoint Online in an Office 365 organization, you
can search a maximum of 1,500 mailboxes in a single search.

In Exchange Server, you can change the default values for these parameters to suit your requirements or create
additional throttling policies and assign them to users with delegated Discovery Management permission. In
Exchange Online, the default values for these throttling parameters can't be changed.

In-Place eDiscovery documentation


The following table contains links to topics that will help you learn about and manage In-Place eDiscovery.

TOPIC | DESCRIPTION

Assign eDiscovery permissions in Exchange
  Learn how to give a user access to use In-Place eDiscovery in the EAC to search Exchange mailboxes. Adding a user to the Discovery Management role group also allows the person to use the eDiscovery Center in SharePoint 2013 and SharePoint Online to search Exchange mailboxes.

Create a discovery mailbox
  Learn how to use Exchange Online PowerShell to create a discovery mailbox and assign access permissions.

Create an In-Place eDiscovery search
  Learn how to create an In-Place eDiscovery search, and how to estimate and preview eDiscovery search results.

Message properties and search operators for In-Place eDiscovery
  Learn which email message properties can be searched using In-Place eDiscovery. The topic provides syntax examples for each property, information about search operators such as AND and OR, and information about other search query techniques such as using double quotation marks (" ") and prefix wildcards.

Search limits for In-Place eDiscovery in Exchange Online
  Learn In-Place eDiscovery limits in Exchange Online that help maintain the health and quality of eDiscovery services for Office 365 organizations.

Start or Stop an In-Place eDiscovery Search
  Learn how to start, stop, and restart eDiscovery searches.

Modify an In-Place eDiscovery Search
  Learn how to modify an existing eDiscovery search.

Copy eDiscovery Search Results to a Discovery Mailbox
  Learn how to copy the results of an eDiscovery search to a discovery mailbox.

Export eDiscovery search results to a PST file
  Learn how to export the results of an eDiscovery search to a PST file.

Create a custom management scope for In-Place eDiscovery searches
  Learn how to use custom management scopes to limit the mailboxes that a discovery manager can search.

Remove an In-Place eDiscovery Search
  Learn how to delete an eDiscovery search.

Search and Delete Messages
  Learn how to use the Search-Mailbox cmdlet to search for and then delete email messages.

Reduce the size of a discovery mailbox in Exchange
  Use this process to reduce the size of a discovery mailbox that's larger than 50 GB.

Delete and re-create the default discovery mailbox in Exchange
  Learn how to delete the default discovery mailbox, re-create it, and then reassign permissions to it. Use this procedure if this mailbox has exceeded the 50 GB limit and you don't need the search results.

Re-Create the Discovery System Mailbox
  Learn how to recreate the discovery system mailbox. This task is applicable only to Exchange Server organizations.

Using Oauth Authentication to Support eDiscovery in an Exchange Hybrid Deployment
  Learn about the eDiscovery scenarios in an Exchange hybrid deployment that require you to configure OAuth authentication.

Configure Exchange for SharePoint eDiscovery Center
  Learn how to configure Exchange Server so that you can use the eDiscovery Center in SharePoint 2013 to search Exchange mailboxes.

Unsearchable Items in Exchange eDiscovery
  Learn about mailbox items that can't be indexed by Exchange Search and are returned in eDiscovery search results as unsearchable items.

For more information about eDiscovery in Office 365, Exchange Server, SharePoint 2013, and Lync 2013, see the
eDiscovery FAQ.
Assign eDiscovery permissions in Exchange
5/31/2019 • 2 minutes to read

If you want users to be able to use Microsoft Exchange Server In-Place eDiscovery, you must first authorize them
by adding them to the Discovery Management role group. Members of the Discovery Management role group
have Full Access mailbox permissions for the Discovery mailbox that's created by Exchange Setup.
CAUTION
Members of the Discovery Management role group can access sensitive message content. Specifically, these
members can use In-Place eDiscovery to search all mailboxes in your Exchange organization, preview messages
(and other mailbox items), copy them to a Discovery mailbox and export the copied messages to a .pst file. In most
organizations, this permission is granted to legal, compliance, or Human Resources personnel.

To learn more about the Discovery Management role group, see Discovery Management. To learn more about
Role Based Access Control (RBAC), see Understanding Role Based Access Control.
Interested in scenarios where this procedure is used? See the following topics:
Create an In-Place eDiscovery search
Create or remove an In-Place Hold

What do you need to know before you begin?


Estimated time to complete: 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Role groups" entry in the Role Management Permissions topic.
By default, the Discovery Management role group doesn't contain any members. Administrators with the
Organization Management role are also unable to create or manage discovery searches without being
added to the Discovery Management role group.
In Exchange Server, members of the Organization Management role group can create an In-Place Hold and
Litigation Hold to place all mailbox content on hold. However, to create a query-based In-Place Hold, the
user must be a member of the Discovery Management role group or have the Mailbox Search role
assigned.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

Use the EAC to add a user to the Discovery Management role group
1. Go to Permissions > Admin roles.
2. In the list view, select Discovery Management and then click Edit.
3. In Role Group, under Members, click Add.
4. In Select Members, select one or more users, click Add, and then click OK.
5. In Role Group, click Save.

Use Exchange Online PowerShell to add a user to the Discovery Management role group


This example adds the user Bsuneja to the Discovery Management role group.

Add-RoleGroupMember -Identity "Discovery Management" -Member Bsuneja

For detailed syntax and parameter information, see Add-RoleGroupMember.

How do you know this worked?


To verify that you've added the user to the Discovery Management role group, do the following:
1. In the EAC, go to Permissions > Admin roles.
2. In the list view, select Discovery Management.
3. In the details pane, verify that the user is listed under Members.
You can also run this command to list the members of the Discovery Management role group.

Get-RoleGroupMember -Identity "Discovery Management"
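Because membership in this role group grants read access to every mailbox, a periodic review of who holds it and who granted it is worth scripting. The following is an added example, not code from the Exchange documentation: it combines Get-RoleGroupMember with Search-AdminAuditLog (the administrator audit log covered elsewhere in this guide). The 90-day window is an assumption, and so is the form of the ObjectModified value that the filter matches on.

```powershell
# Added example (not from the Exchange documentation): review current Discovery Management
# members and the audit-log record of who added or removed members in the last N days.
param([int]$Days = 90)   # assumed review window

$roleGroup = "Discovery Management"

# Current members. RecipientType shows whether a nested group, rather than a person, holds the access.
$members = Get-RoleGroupMember -Identity $roleGroup |
    Select-Object Name, RecipientType, PrimarySmtpAddress

# Membership changes recorded by administrator audit logging. ObjectModified is assumed to
# carry the role group's identity for Add-/Remove-RoleGroupMember entries, hence the wildcard match.
$changes = Search-AdminAuditLog -Cmdlets Add-RoleGroupMember, Remove-RoleGroupMember `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
    Where-Object { $_.ObjectModified -like "*$roleGroup*" } |
    ForEach-Object {
        # CmdletParameters is a list of Name/Value pairs; pull the -Member argument out of it
        $member = ($_.CmdletParameters | Where-Object { $_.Name -eq "Member" }).Value
        [pscustomobject]@{
            When      = $_.RunDate
            Action    = $_.CmdletName
            Member    = $member
            ChangedBy = $_.Caller
            Succeeded = $_.Succeeded
        }
    }

"Current members of '$roleGroup':"
$members | Format-Table -AutoSize

"Membership changes in the last $Days days:"
$changes | Sort-Object When | Format-Table -AutoSize

# Anyone listed as a current member without a matching Add-RoleGroupMember entry in the window
# was added earlier (or outside the audit window) and should be checked against the access record.
$addedRecently = $changes | Where-Object { $_.Action -eq "Add-RoleGroupMember" } | ForEach-Object { $_.Member }
$members | Where-Object { $addedRecently -notcontains $_.Name -and $addedRecently -notcontains $_.PrimarySmtpAddress } |
    ForEach-Object { Write-Warning "No recent audit entry for member '$($_.Name)'; verify its approval." }
```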

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Create an In-Place eDiscovery search
6/25/2019 • 9 minutes to read

NOTE
We've postponed the July 1, 2017 deadline for creating new In-Place eDiscovery searches in Exchange Online (in Office 365
and Exchange Online standalone plans). But later this year or early next year, you won't be able to create new searches in
Exchange Online. To create eDiscovery searches, please start using Content Search in the Office 365 Security & Compliance
Center. After we decommission new In-Place eDiscovery searches, you'll still be able to modify existing In-Place eDiscovery
searches, and creating new In-Place eDiscovery searches in Exchange Server and Exchange hybrid deployments will still be
supported.

Use In-Place eDiscovery to search across all mailbox content, including deleted items and original versions of
modified items for users placed on In-Place Hold and Litigation Hold.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "In-Place eDiscovery" entry in the Messaging Policy and Compliance
Permissions topic.
To create eDiscovery searches, you have to have an SMTP address in the organization that you're creating
the searches in. So in Exchange Online, you must have a licensed Exchange Online (Plan 2) mailbox to
create eDiscovery searches. In an Exchange hybrid organization, your on-premises Exchange mailbox must
have a corresponding mail user account in your Office 365 organization so that you can search Exchange
Online mailboxes. Or, if you sign in with an account that only exists in Office 365, such as the tenant
administrator account, that account must be assigned an Exchange Online (Plan 2) license.
Exchange Server Setup creates a Discovery mailbox called Discovery Search Mailbox to copy search
results. The Discovery Search Mailbox is also created by default in Exchange Online. You can create
additional Discovery mailboxes. For details, see Create a discovery mailbox.
When you create an In-Place eDiscovery search, messages returned in search results aren't copied
automatically to a discovery mailbox. After you create the search, you can use the Exchange admin center
(EAC) to estimate and preview search results or copy them to a discovery mailbox. For details, see:
Use the EAC to estimate or preview search results (later in this topic)
Copy eDiscovery Search Results to a Discovery Mailbox
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to create an In-Place eDiscovery search


As previously explained, to create eDiscovery searches, you have to sign in to a user account that has an SMTP
address in your organization.
1. Go to Compliance management > In-place eDiscovery & hold.
2. Click New.
3. In In-Place eDiscovery & Hold, on the Name and description page, type a name for the search, add an
optional description, and then click Next.
4. On the Mailboxes page, select the mailboxes to search. You can search across all mailboxes or select
specific ones to search. In Exchange Online, you can also select Office 365 groups as a content source for
the search.

IMPORTANT
You can't use the Search all mailboxes option to place all mailboxes on hold. To create an In-Place Hold, you must
select Specify mailboxes to search. For more details, see Create or remove an In-Place Hold.

5. On the Search query page, complete the following fields:


Include all user mailbox content: Select this option to place all content in the selected mailboxes
on hold. If you select this option, you can't specify additional search criteria.
Filter based on criteria: Select this option to specify search criteria, including keywords, start and
end dates, sender and recipient addresses, and message types.

NOTE
The From: and To/Cc/Bcc: fields are connected by an OR operator in the search query that's created when you run
the search. That means any message sent or received by any of the specified users (and matches the other search
criteria) is included in the search results. The dates are connected by an AND operator.

6. On the In-place hold settings page, you can select the Place content matching the search query in
selected mailboxes on hold check box, and then select one of the following options to place items on In-
Place Hold:
Hold indefinitely: Select this option to place the returned items on an indefinite hold. Items on
hold will be preserved until you remove the mailbox from the search or remove the search.
Specify number of days to hold items relative to their received date: Use this option to hold
items for a specific period. For example, you can use this option if your organization requires that all
messages be retained for at least seven years. You can use a time-based In-Place Hold along with a
retention policy to make sure items are deleted in seven years.

IMPORTANT
When placing mailboxes or items on In-Place Hold for legal purposes, it is generally recommended to hold items
indefinitely and remove the hold when the case or investigation is completed.

7. Click Finish to save the search and return an estimate of the total size and number of items that will be
returned by the search based on the criteria you specified. Estimates are displayed in the details pane. Click
Refresh to update the information displayed in the details pane.

Use Exchange Online PowerShell to create an In-Place eDiscovery search


This example creates the In-Place eDiscovery search named Discovery-CaseId012 that searches for items
containing the keywords Contoso and ProjectA and that also meet the following criteria:
Start date: 1/1/2009
End date: 12/31/2011
Source mailbox: DG-Finance
Target mailbox: Discovery Search Mailbox
Message types: Email
Includes unsearchable items in the search statistics
Log level: Full

IMPORTANT
If you don't specify additional search parameters when running an In-Place eDiscovery search, all items in the specified
source mailboxes are returned in the results. If you don't specify mailboxes to search, all mailboxes in your Exchange or
Exchange Online organization are searched.

New-MailboxSearch "Discovery-CaseId012" -StartDate "01/01/2009" -EndDate "12/31/2011" -SourceMailboxes "DG-Finance" -TargetMailbox "Discovery Search Mailbox" -SearchQuery '"Contoso" AND "Project A"' -MessageTypes Email -IncludeUnsearchableItems -LogLevel Full

NOTE
When using the StartDate and EndDate parameters, you have to use the date format of mm/dd/yyyy, even if your local
machine settings are configured to use a different date format, such as dd/mm/yyyy. For example, to search for messages
sent between April 1, 2013 and July 1, 2013, you would use 04/01/2013 and 07/01/2013 for the start and end dates.

This example creates an In-Place eDiscovery search named HRCase090116 that searches for email messages sent
by Alex Darrow to Sara Davis in 2015.

New-MailboxSearch "HRCase090116" -StartDate "01/01/2015" -EndDate "12/31/2015" -SourceMailboxes alexd,sarad -SearchQuery 'From:alexd@contoso.com AND To:sarad@contoso.com' -MessageTypes Email -TargetMailbox "Discovery Search Mailbox" -IncludeUnsearchableItems -LogLevel Full

After using Exchange Online PowerShell to create an In-Place eDiscovery search, you have to start the search by
using the Start-MailboxSearch cmdlet to copy messages to the discovery mailbox specified in the TargetMailbox
parameter. For details, see Copy eDiscovery Search Results to a Discovery Mailbox.
For detailed syntax and parameter information, see New-MailboxSearch.

Use the EAC to estimate or preview search results


After you create an In-Place eDiscovery search, you can use the EAC to get an estimate and preview of the search
results. If you created a new search using the New-MailboxSearch cmdlet, you can use Exchange Online
PowerShell to start the search to get an estimate of the search results. You can't use Exchange Online PowerShell
to preview messages returned in search results.
1. Navigate to Compliance management > In-place eDiscovery & hold.
2. In the list view, select the In-Place eDiscovery search, and then do one of the following:
Click Search > Estimate search results to return an estimate of the total size and number of
items that will be returned by the search based on the criteria you specified. Selecting this option
restarts the search and performs an estimate.
Search Estimates are displayed in the details pane. Click Refresh to update the information
displayed in the details pane.
Click Preview search results in the details pane to preview the results after the search estimate is
completed. Selecting this option opens the eDiscovery search preview window. All messages
returned from the mailboxes that were searched are displayed.

NOTE
The mailboxes that were searched are listed in the right pane in the eDiscovery search preview window.
For each mailbox, the number of items returned and the total size of these items is also displayed. All items
returned by the search are listed in the right pane, and can be sorted by newest or oldest date. Items from
each mailbox can't be displayed in the right pane by clicking a mailbox in the left pane. To view the items
returned from a specific mailbox, you can copy the search results and view the items in the discovery
mailbox.
Use Exchange Online PowerShell to estimate search results
You can use the EstimateOnly switch to get only an estimate of the search results, without copying the results
to a discovery mailbox. You have to start an estimate-only search with the Start-MailboxSearch cmdlet. Then
you can retrieve the estimated search results by using the Get-MailboxSearch cmdlet.
For example, you would run the following commands to create a new eDiscovery search and then display an
estimate of the search results:

New-MailboxSearch "FY13 Q2 Financial Results" -StartDate "04/01/2013" -EndDate "06/30/2013" -SourceMailboxes "DG-Finance" -SearchQuery '"Financial" AND "Fabrikam"' -EstimateOnly -IncludeKeywordStatistics

Start-MailboxSearch "FY13 Q2 Financial Results"

Get-MailboxSearch "FY13 Q2 Financial Results"

To display specific information about the estimated search results from the previous example, you could run the
following command:

Get-MailboxSearch "FY13 Q2 Financial Results" | Format-List Name,Status,LastRunBy,LastStartTime,LastEndTime,Sources,SearchQuery,ResultSizeEstimate,ResultNumberEstimate,Errors,KeywordHits
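The estimate-only workflow just described, and the throttling limits listed earlier in this topic (DiscoveryMaxConcurrency, DiscoveryMaxKeywords, DiscoveryMaxMailboxes and DiscoveryMaxStatsSearchMailboxes), combined into one script that checks a planned search against the documented Exchange Online defaults before creating and starting it. This is an added example, not the documentation's own code: the search name, source group, keywords and dates are constructed, the Status strings it polls are assumed, and nested distribution groups are not expanded.

```powershell
# Added example, not part of the Exchange documentation: run an estimate-only In-Place
# eDiscovery search while staying inside the default Exchange Online throttling limits.
# Constructed: name, sources, keywords, dates. Assumed: the Status strings polled below.

$searchName = "Example-CaseId999"                 # constructed
$sources    = @("DG-Finance")                     # constructed; a distribution group
$keywords   = @("Contoso", "Project A")           # constructed
$query      = ($keywords | ForEach-Object { '"' + $_ + '"' }) -join " AND "

# Default Exchange Online values from the throttling table; they can't be changed in Exchange Online
$limits = @{ MaxConcurrency = 2; MaxMailboxes = 10000; MaxStatsMailboxes = 100; MaxKeywords = 500 }

# DiscoveryMaxConcurrency: a search started while two are already running fails instead of queueing
$running = @(Get-MailboxSearch | Where-Object { $_.Status -like "*InProgress*" })
if ($running.Count -ge $limits.MaxConcurrency) {
    throw "$($running.Count) searches are already running; wait for one to finish before starting another."
}

# DiscoveryMaxKeywords
if ($keywords.Count -gt $limits.MaxKeywords) {
    throw "$($keywords.Count) keywords exceed the limit of $($limits.MaxKeywords) per search."
}

# DiscoveryMaxMailboxes / DiscoveryMaxStatsSearchMailboxes: count the mailboxes the sources expand to.
# Direct members of distribution groups are counted; nested groups are not expanded here (assumption).
$mailboxCount = 0
foreach ($source in $sources) {
    $recipient = Get-Recipient -Identity $source -ErrorAction Stop
    if ($recipient.RecipientType -like "*Group*") {
        $mailboxCount += @(Get-DistributionGroupMember -Identity $source -ResultSize Unlimited).Count
    } else {
        $mailboxCount++
    }
}
if ($mailboxCount -gt $limits.MaxMailboxes) {
    throw "The search would cover $mailboxCount mailboxes; the limit is $($limits.MaxMailboxes)."
}
# Keyword statistics are only returned for searches of 100 or fewer source mailboxes
$wantStats = $mailboxCount -le $limits.MaxStatsMailboxes

$params = @{
    Name                     = $searchName
    SourceMailboxes          = $sources
    SearchQuery              = $query
    StartDate                = "01/01/2019"   # mm/dd/yyyy regardless of the local date format
    EndDate                  = "12/31/2019"
    MessageTypes             = "Email"
    EstimateOnly             = $true
    IncludeUnsearchableItems = $true
    LogLevel                 = "Full"
}
if ($wantStats) { $params["IncludeKeywordStatistics"] = $true }

New-MailboxSearch @params | Out-Null
Start-MailboxSearch -Identity $searchName

# Poll until the estimate ends; DiscoverySearchTimeoutPeriod is 10 minutes, so give up shortly after that
$deadline = (Get-Date).AddMinutes(12)
do {
    Start-Sleep -Seconds 30
    $search = Get-MailboxSearch -Identity $searchName
} while (($search.Status -eq "NotStarted" -or $search.Status -like "*InProgress*") -and (Get-Date) -lt $deadline)

$search | Select-Object Name, Status, ResultNumberEstimate, ResultSizeEstimate, Errors
if ($wantStats) {
    $search.KeywordHits
} else {
    Write-Warning "More than $($limits.MaxStatsMailboxes) source mailboxes: keyword statistics were not requested."
}
```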

More information about eDiscovery searches


After you create a new eDiscovery search, you can copy search results to the discovery mailbox and export
those search results to a PST file. For more information, see:
Copy eDiscovery Search Results to a Discovery Mailbox
Export eDiscovery search results to a PST file
After you run an eDiscovery search estimate (that includes keywords in the search criteria), you can view
keyword statistics by clicking View keyword statistics in the details pane for the selected search. These
statistics show details about the number of items returned for each keyword used in the search query.
However, if more than 100 source mailboxes are included in the search, an error will be returned if you try
to view keyword statistics. To view keyword statistics, no more than 100 source mailboxes can be included
in the search.
If you use Get-MailboxSearch in Exchange Online to retrieve information about an eDiscovery search,
you have to specify the name of a search to return a complete list of the search properties; for example,
Get-MailboxSearch "Contoso Legal Case". If you run the Get-MailboxSearch cmdlet without using any
parameters, the following properties aren't returned:
SourceMailboxes
Sources
SearchQuery
ResultsLink
PreviewResultsLink
Errors
The reason is that it requires a lot of resources to return these properties for all eDiscovery searches in your
organization.
Export eDiscovery search results to a PST file
5/31/2019 • 5 minutes to read

You can use the eDiscovery Export tool in the Exchange admin center (EAC) to export the results of an In-Place
eDiscovery search to an Outlook Data File, which is also called a PST file. Administrators can distribute the results
of the search to other people within your organization, such as a human resources manager or records manager,
or to opposing counsel in a legal case. After search results are exported to a PST file, you or other users can open
them in Outlook to review or print messages returned in the search results. PST files can also be opened in third-
party eDiscovery and reporting applications. This topic shows you how to do this, as well as troubleshoot any
issues you might have.

What do you need to know before you begin?


Estimated time to complete: Time will vary based on the amount and size of the search results that will be
exported.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "In-Place eDiscovery" entry in the Messaging policy and compliance
permissions topic.
The computer you use to export search results to a PST file must meet the following system requirements:
32- or 64-bit versions of Windows 7 and later versions
Microsoft .NET Framework 4.7
A supported browser:
Internet Explorer 10 and later versions
OR
Mozilla Firefox or Google Chrome. If you use either of these browsers, be sure you install the
ClickOnce extension. To install the ClickOnce add-in, see Mozilla ClickOnce add-ons or ClickOnce
for Google Chrome.
You need an active mailbox attached to the account you wish to export.
Ensure that the Local intranet settings are set up correctly in Internet Explorer. Make sure that
https://*.outlook.com is added to the Local intranet zone.
Make sure the following URLs are not listed in the Trusted sites zone:
https://*.outlook.com
https://r4.res.outlook.com
https://*.res.outlook.com
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Use the Exchange admin center to export In-Place eDiscovery search
results to a PST
1. Go to Compliance management > In-place eDiscovery & hold.
2. In the list view, select the In-Place eDiscovery search you want to export the results of, and then click
Export to a PST file.

3. In the eDiscovery PST Export Tool window, do the following:


Click Browse to specify the location where you want to download the PST file.
Click the Enable deduplication checkbox to exclude duplicate messages. Only a single instance of
a message will be included in the PST file.
Click the Include unsearchable items checkbox to include mailbox items that couldn't be searched
(for example, messages with attachments of file types that couldn't be indexed by Exchange Search).
Unsearchable items are exported to a separate PST file.

IMPORTANT
Including unsearchable items when you export eDiscovery search results takes longer when mailboxes
contain a lot of unsearchable items. To reduce the time it takes to export search results and prevent large
PST export files, consider the following recommendations:
• Create multiple eDiscovery searches that each search fewer source mailboxes.
• If you're exporting all mailbox content within a specific date range (by not specifying any keywords in the
search criteria), then all unsearchable items within that date range will be automatically included in the search
results. Therefore, don't select the Include unsearchable items checkbox.

4. Click Start to export the search results to a PST file.


A window is displayed that contains status information about the export process.

More information
You can reduce the size of the PST export file by exporting only the unsearchable items. To do this, create or
edit a search, specify a start date in the future, and then remove any keywords from the Keywords box.
This will result in no search results being returned. When you copy or export the search results and select
the Include unsearchable items checkbox, only the unsearchable items will be copied to the discovery
mailbox or exported to a PST file.
If you enable de-duplication, all search results are exported in a single PST file. If you don't enable de-
duplication, a separate PST file is exported for each mailbox included in the search. And as previously
stated, unsearchable items are exported to a separate PST file.
In addition to the PST files that contain the search results, two other files are also exported:
A configuration file (.txt file format) that contains information about the PST export request, such as
the name of the eDiscovery search that was exported, the date and time of the export, whether de-
duplication and unsearchable items were enabled, the search query, and the source mailboxes that
were searched.
A search results log (.csv file format) that contains an entry for each message returned in the search
results. Each entry identifies the source mailbox where the message is located. If you've enabled de-
duplication, this helps you identify all mailboxes that contain a duplicate message.
The name of the search is the first part of the filename for each file that is exported. Also, the date and time
of the export request is appended to the filename of each PST file and the results log.
For more information about de-duplication and unsearchable items, see:
Estimate, preview, and copy search results
Unsearchable Items in Exchange eDiscovery
To export eDiscovery search results from the eDiscovery Center in SharePoint or SharePoint Online, see
Export eDiscovery content and create reports.

Troubleshooting
SYMPTOM | POSSIBLE CAUSE

Cannot export to a PST file.
  • There is no active mailbox attached to the account. To export the PST, you must have an active account.
  • Your version of Internet Explorer is out of date. Try updating IE to version 10 or later. Or try a different browser.
  • Search criteria entered in the Filter based on criteria query is incorrect. For example, a username is entered instead of an email address. For more information about how to filter based on criteria, see Modify an In-Place eDiscovery search.

Unable to export search results on a specific machine. Export works as expected on a different machine.
  • The wrong Windows credentials were saved in the Credential Manager. Clear your credentials and log in again.

eDiscovery PST Export Tool won't start.
  • Local intranet zone settings aren't set up correctly in Internet Explorer. Make sure that *.outlook.com, *.office365.com, *.sharepoint.com and *.onmicrosoft.com are added to the Local intranet zone trusted sites. To add these sites to the Trusted zone in IE, see Security zones: adding or removing websites.

Message properties and search operators for In-Place eDiscovery
6/24/2019 • 8 minutes to read

This topic describes the properties of Exchange email messages that you can search by using In-Place eDiscovery
& Hold in Exchange Server and Exchange Online. The topic also describes Boolean search operators and other
search query techniques that you can use to refine eDiscovery search results.
In-Place eDiscovery uses Keyword Query Language (KQL). For more details, see Keyword Query Language syntax
reference.

Searchable properties in Exchange


The following table lists email message properties that can be searched using an In-Place eDiscovery search or by
using the New-MailboxSearch or the Set-MailboxSearch cmdlet. The table includes an example of the
property:value syntax for each property and a description of the search results returned by the examples.

PROPERTY | PROPERTY DESCRIPTION | EXAMPLES | SEARCH RESULTS RETURNED BY THE EXAMPLES

Attachment
  Description: The names of files attached to an email message.
  Examples: attachment:annualreport.ppt
            attachment:annual*
  Results: Messages that have an attached file named annualreport.ppt. In the second example, using the wildcard returns messages with the word "annual" in the file name of an attachment.

Bcc
  Description: The BCC field of an email message (see note 1).
  Examples: bcc:pilarp@contoso.com
            bcc:pilarp
            bcc:"Pilar Pinilla"
  Results: All examples return messages with Pilar Pinilla included in the Bcc field.

Category
  Description: The categories to search. Categories can be defined by users by using Outlook or Outlook on the web (formerly known as Outlook Web App). The possible values are: blue, green, orange, purple, red, yellow.
  Examples: category:"Red Category"
  Results: Messages that have been assigned the red category in the source mailboxes.

Cc
  Description: The CC field of an email message (see note 1).
  Examples: cc:pilarp@contoso.com
            cc:"Pilar Pinilla"
  Results: In both examples, messages with Pilar Pinilla specified in the CC field.

From
  Description: The sender of an email message (see note 1).
  Examples: from:pilarp@contoso.com
            from:contoso.com
  Results: Messages sent by the specified user or sent from a specified domain.

Importance
  Description: The importance of an email message, which a sender can specify when sending a message. By default, messages are sent with normal importance, unless the sender sets the importance as high or low.
  Examples: importance:high
            importance:medium
            importance:low
  Results: Messages that are marked as high importance, medium importance, or low importance.

Kind
  Description: The message type to search. Possible values: contacts, docs, email, faxes, im, journals, meetings, notes, posts, rssfeeds, tasks, voicemail.
  Examples: kind:email
            kind:email OR kind:im OR kind:voicemail
  Results: Email messages that meet the search criteria. The second example returns email messages, instant messaging conversations, and voice messages that meet the search criteria.

Participants
  Description: All the people fields in an email message; these fields are From, To, CC, and BCC (see note 1).
  Examples: participants:garthf@contoso.com
            participants:contoso.com
  Results: Messages sent by or sent to garthf@contoso.com. The second example returns all messages sent by or sent to a user in the contoso.com domain.

Received
  Description: The date that an email message was received by a recipient.
  Examples: received:04/15/2014
            received>=01/01/2014 AND received<=03/31/2014
  Results: Messages that were received on April 15, 2014. The second example returns all messages received between January 1, 2014 and March 31, 2014.

Recipients
  Description: All recipient fields in an email message; these fields are To, CC, and BCC (see note 1).
  Examples: recipients:garthf@contoso.com
            recipients:contoso.com
  Results: Messages sent to garthf@contoso.com. The second example returns messages sent to any recipient in the contoso.com domain.

Sent
  Description: The date that an email message was sent by the sender.
  Examples: sent:07/01/2014
            sent>=06/01/2014 AND sent<=07/01/2014
  Results: Messages that were sent on July 01, 2014. The second example returns all messages sent between June 01, 2014 and July 01, 2014.

Size
  Description: The size of an item, in bytes.
  Examples: size>26214400
            size:1..1048576
  Results: Messages larger than 25 MB. The second example returns messages from 1 through 1,048,576 bytes (1 MB) in size.

Subject
  Description: The text in the subject line of an email message.
  Examples: subject:"Quarterly Financials"
            subject:northwind
  Results: Messages that contain the exact phrase "Quarterly Financials" anywhere in the text of the subject line. The second example returns all messages that contain the word northwind in the subject line.

To
  Description: The To field of an email message (see note 1).
  Examples: to:annb@contoso.com
            to:annb
            to:"Ann Beebe"
  Results: All examples return messages where Ann Beebe is specified in the To: line.

NOTE
1 For the value of a recipient property, you can use the SMTP address, display name, or alias to specify a user. For example,

you can use annb@contoso.com, annb, or "Ann Beebe" to specify the user Ann Beebe.

Supported search operators


Boolean search operators, such as AND and OR, help you define more precise mailbox searches by including or
excluding specific words in the search query. Other techniques, such as property operators (for example >= or ..),
quotation marks, parentheses, and wildcards, help you refine eDiscovery search queries. The following table lists
the operators that you can use to narrow or broaden search results.

IMPORTANT
You must use uppercase Boolean operators in a search query. For example, use AND; don't use and. Using lowercase
operators in search queries will return an error.

Operator: AND
  Usage: keyword1 AND keyword2
  Description: Returns messages that include all of the specified keywords or property:value expressions.

Operator: +
  Usage: keyword1 +keyword2 +keyword3
  Description: Returns items that contain either keyword2 or keyword3 and that also contain keyword1. Therefore, this example is equivalent to the query (keyword2 OR keyword3) AND keyword1. Note that the query keyword1 + keyword2 (with a space after the + symbol) isn't the same as using the AND operator. This query would be equivalent to "keyword1 + keyword2" and return items with the exact phrase "keyword1 + keyword2".

Operator: OR
  Usage: keyword1 OR keyword2
  Description: Returns messages that include one or more of the specified keywords or property:value expressions.

Operator: NOT
  Usage: keyword1 NOT keyword2
         NOT from:"Ann Beebe"
  Description: Excludes messages specified by a keyword or a property:value expression. For example, NOT from:"Ann Beebe" excludes messages sent by Ann Beebe.

Operator: -
  Usage: keyword1 -keyword2
  Description: The same as the NOT operator. This query returns items that contain keyword1 and excludes items that contain keyword2.

Operator: NEAR
  Usage: keyword1 NEAR(n) keyword2
  Description: Returns messages with words that are near each other, where n equals the number of words apart. For example, best NEAR(5) worst returns messages where the word "worst" is within five words of "best". If no number is specified, the default distance is eight words.

Operator: :
  Usage: property:value
  Description: The colon (:) in the property:value syntax specifies that the property value being searched for equals the specified value. For example, recipients:garthf@contoso.com returns any message sent to garthf@contoso.com.

Operator: <
  Usage: property<value
  Description: Denotes that the property being searched is less than the specified value.¹

Operator: >
  Usage: property>value
  Description: Denotes that the property being searched is greater than the specified value.¹

Operator: <=
  Usage: property<=value
  Description: Denotes that the property being searched is less than or equal to a specific value.¹

Operator: >=
  Usage: property>=value
  Description: Denotes that the property being searched is greater than or equal to a specific value.¹

Operator: ..
  Usage: property:value1..value2
  Description: Denotes that the property being searched is greater than or equal to value1 and less than or equal to value2.¹

Operator: ""
  Usage: "fair value"
         subject:"Quarterly Financials"
  Description: Use double quotation marks (" ") to search for an exact phrase or term in keyword and property:value search queries.

Operator: *
  Usage: cat*
         subject:set*
  Description: Prefix wildcard searches (where the asterisk is placed at the end of a word) match zero or more characters in keywords or property:value queries. For example, subject:set* returns messages that contain the word set, setup, and setting (and other words that start with "set") in the subject line.

Operator: ()
  Usage: (fair OR free) AND from:contoso.com
         (IPO OR initial) AND (stock OR shares)
         (quarterly financials)
  Description: Parentheses group together Boolean phrases, property:value items, and keywords. For example, (quarterly financials) returns items that contain the words quarterly and financials.

NOTE
¹ Use this operator for properties that have date or numeric values.

Unsupported characters in search queries


Unsupported characters in a search query typically cause a search error or return unintended results. Unsupported
characters are often hidden, and they're typically added to a query when you copy the query or parts of the query
from other applications (such as Microsoft Word or Microsoft Excel) and paste them into the keyword box on the
query page of an In-Place eDiscovery search.
Here's a list of the unsupported characters for an In-Place eDiscovery search query.
• Smart quotation marks: Smart single and double quotation marks (also called curly quotes) aren't
  supported. Only straight quotation marks can be used in a search query.
• Non-printable and control characters: Non-printable and control characters don't represent a written
  symbol, such as an alphanumeric character. Examples of non-printable and control characters include
  characters that format text or separate lines of text.
• Left-to-right and right-to-left marks: These are control characters used to indicate text direction for left-
  to-right languages (such as English and Spanish) and right-to-left languages (such as Arabic and Hebrew).
• Lowercase Boolean operators: As previously explained, you have to use uppercase Boolean operators, such
  as AND and OR, in a search query. Note that the query syntax will often indicate that a Boolean operator is
  being used even though lowercase operators might be used; for example,
  (WordA or WordB) and (WordC or WordD).

How to prevent unsupported characters in your search queries? The best way to prevent unsupported
characters is to just type the query in the keyword box. Alternatively, you can copy a query from Word or Excel and
then paste it into a file in a plain text editor, such as Microsoft Notepad. Then save the text file and select ANSI in the
Encoding drop-down list. This will remove any formatting and unsupported characters. Then you can copy and
paste the query from the text file to the keyword query box.

Search tips and tricks


• Keyword searches are not case sensitive. For example, cat and CAT return the same results.
• A space between two keywords or two property:value expressions is the same as using AND. For example,
  from:"Sara Davis" subject:reorganization returns all messages sent by Sara Davis that contain the word
  reorganization in the subject line.
• Use syntax that matches the property:value format. Values are not case-sensitive, and they can't have a
  space after the operator. If there is a space, your intended value will just be full-text searched. For example,
  to: pilarp searches for "pilarp" as a keyword, rather than for messages that were sent to pilarp.
• When searching a recipient property, such as To, From, Cc, or Recipients, you can use an SMTP address,
  alias, or display name to denote a recipient. For example, you can use pilarp@contoso.com, pilarp, or "Pilar
  Pinilla".
• You can use only prefix wildcard searches (for example, cat* or set*). Suffix wildcard searches (*cat) or
  substring wildcard searches (*cat*) aren't supported.
• When searching a property, use double quotation marks (" ") if the search value consists of multiple words.
  For example, subject:budget Q1 returns messages that contain budget in the subject line and that
  contain Q1 anywhere in the message or in any of the message properties. Using subject:"budget Q1"
  returns all messages that contain budget Q1 anywhere in the subject line.
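The unsupported-character and query-syntax rules above are easy to check mechanically before a query is pasted into the EAC or handed to New-MailboxSearch. The following PowerShell is an added example and is not code from the Microsoft documentation: the function names ConvertTo-CleanSearchQuery and Test-SearchQuery are made up here, and the pasted query it works on is a constructed sample. It runs offline; only the commented-out New-MailboxSearch line at the end needs an Exchange Online PowerShell session.

```powershell
# Added example, not from the Microsoft documentation. Function names are made up.

function ConvertTo-CleanSearchQuery {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Query)

    # 1. Smart (curly) quotes become straight quotes; only straight quotes are supported.
    $clean = $Query -replace '[\u201C\u201D\u201E\u201F]', '"' -replace '[\u2018\u2019\u201A\u201B]', "'"

    # 2. Line breaks and tabs become one space. Remaining control characters, the
    #    left-to-right/right-to-left marks (U+200E, U+200F) and the zero-width characters
    #    that Word and Excel often add on copy are dropped outright.
    $clean = $clean -replace '[\t\r\n]+', ' '
    $clean = $clean -replace '[\p{Cc}\u200E\u200F\u200B\uFEFF]', ''

    # 3. Boolean operators must be uppercase, but a word inside a quoted phrase is part of
    #    the phrase ("best and worst"), so quoted phrases are matched first and kept as-is.
    $clean = [regex]::Replace($clean, '"[^"]*"|\b(?i:and|or|not|near)\b', {
        param($m)
        if ($m.Value.StartsWith('"')) { $m.Value } else { $m.Value.ToUpperInvariant() }
    })

    # 4. Collapse the double spaces left behind by the removals.
    return ($clean -replace ' {2,}', ' ').Trim()
}

function Test-SearchQuery {
    # Returns the list of problems found; an empty list means the query is clean.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Query)
    $problems = @()
    if ($Query -match '[\u201C\u201D\u2018\u2019]')        { $problems += 'smart quotation marks' }
    if ($Query -match '[\p{Cc}\u200E\u200F\u200B\uFEFF]')  { $problems += 'control or text-direction characters' }
    if (([regex]::Matches($Query, '"')).Count % 2 -ne 0)   { $problems += 'unbalanced double quotation marks' }

    # The remaining checks look only at text outside quoted phrases.
    $outside = $Query -replace '"[^"]*"', '""'
    if ($outside -cmatch '\b(and|or|not|near)\b') { $problems += 'lowercase Boolean operator' }
    if ($outside -match '[A-Za-z]+[:<>=]+\s')     { $problems += 'space after a property operator (value would be full-text searched)' }
    if ($outside -match '(^|[\s(:])\*\S')         { $problems += 'suffix or substring wildcard (only prefix wildcards are supported)' }
    return $problems
}

# Constructed sample: what a query pasted from Word can look like (curly quotes,
# lowercase operators, and a trailing left-to-right mark).
$pasted = 'from:' + [char]0x201C + 'Sara Davis' + [char]0x201D +
          ' and (subject:reorganization or subject:' + [char]0x201C + 'budget Q1' + [char]0x201D + ')' +
          [char]0x200E

$clean = ConvertTo-CleanSearchQuery -Query $pasted
$clean
Test-SearchQuery -Query $pasted
Test-SearchQuery -Query $clean

# With an Exchange Online PowerShell session, the cleaned string can be passed to
# New-MailboxSearch; an estimate-only run is the safe first step.
# New-MailboxSearch -Name 'Reorg review' -SourceMailboxes 'Sara Davis' -SearchQuery $clean -EstimateOnly
```

On the constructed sample, ConvertTo-CleanSearchQuery returns the same query with straight quotes, AND and OR in uppercase, and the direction mark removed; Test-SearchQuery reports three problems for the pasted string and none for the cleaned one. The quoted-phrase alternation in step 3 is what keeps the operator uppercasing from touching words inside phrases, which is the same reason the checks in Test-SearchQuery strip quoted phrases first.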
Search limits for In-Place eDiscovery in Exchange Online
5/31/2019 • 8 minutes to read

Various types of limits are applied to In-Place eDiscovery searches in Exchange Online and Office 365. These limits help to maintain the
health and quality of services provided to Office 365 organizations. In most cases, you can't modify these limits, but you should be aware of
them so that you can take these limits into consideration when planning, running, and troubleshooting eDiscovery searches.

Source mailbox limits


In-Place eDiscovery has limits on the number of source mailboxes that can be searched in a single search. The following table describes
these limits and suggests alternative ways to work around them. These limits apply to eDiscovery searches created by using the Exchange
admin center (EAC) or Remote Windows PowerShell.

Description of limit: The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search.
Limit: 10,000
More information and suggested workarounds: If you have more than 10,000 mailboxes in your organization, you won't be able to use the
Search all mailboxes option on the Mailboxes page in the EAC. To search large numbers of mailboxes (up to 10,000 mailboxes total), you can
organize users into distribution groups or dynamic distribution groups and then specify a group on the Mailboxes page in the EAC.¹
One workaround for this limit is to use the Compliance Search feature in the Office 365 Compliance Center, which doesn't have a limit for
the number of mailboxes that can be searched in a single search. You run a search in the Compliance Center to search all mailboxes in your
organization to identify those that contain search results. Then you can use that list of mailboxes as the source mailboxes for an In-Place
eDiscovery search in the EAC. For details, see Use Compliance Search in your eDiscovery workflow.

Description of limit: The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search that still allows you to
view keyword statistics.
Limit: 100
More information and suggested workarounds: After you run an eDiscovery search estimate, you can view keyword statistics. These statistics
show details about the number of items returned for each keyword used in the search query. If more than 100 source mailboxes are included
in the search, an error will be returned if you try to view keyword statistics.
To view keyword statistics, reduce the number of source mailboxes to 100 or fewer, and then rerun the search estimate. When you're satisfied
with the search query, you can add additional source mailboxes to the search and then copy or export the search results.

Description of limit: The maximum number of mailboxes that can be placed on In-Place Hold in a single In-Place eDiscovery search.
Limit: 10,000
More information and suggested workarounds: You can place up to 10,000 mailboxes on In-Place Hold by using a single eDiscovery search.
However, if you select the Search all mailboxes option on the Sources page, you won't be able to enable an In-Place Hold for that search. To
place a large number of mailboxes on hold using a single In-Place Hold, use distribution groups or dynamic distribution groups to group
mailboxes together, and then specify one of those groups on the Mailboxes page in the EAC.¹
A better option for placing a hold on a large number of mailboxes is to use a Litigation Hold. Using lots of single In-Place eDiscovery
searches to place mailboxes on hold isn't recommended. For more information, see Place all mailboxes on hold.

NOTE
¹ Group membership is calculated only when the search or a hold is created. If a user gets added to the group after the search is created, the user's
mailbox won't be added automatically as a source mailbox. You'll have to edit the search and add the mailbox. The same thing applies when a user is
removed from a group that is used to create a search or hold. You'll have to edit the search to remove the mailbox.

Exchange admin center limits


There are also limits when you use the EAC to create and run In-Place eDiscovery searches. These limits are primarily related to the number
of source mailboxes that are displayed in the EAC when you select source mailboxes to search. The following table describes these limits and
suggests alternative ways to work around them.

Description of limit: The maximum number of mailboxes that are displayed in the mailbox picker for selecting source mailboxes when creating
a new In-Place eDiscovery or In-Place Hold search.
Limit: 500
More information and suggested workarounds: Only 500 mailboxes, distribution groups, and dynamic distribution groups are listed in the
mailbox picker to select source mailboxes from when you create a new search. A message is displayed saying that there are more recipients
than the ones displayed. Here are some workarounds for this limit:
• Use the search box to find a mailbox that isn't listed in the mailbox picker.
• Use distribution groups or dynamic distribution groups to group large numbers of mailboxes together. Then pick the group from the
  mailbox list or search for it using the search box. Groups are expanded into source mailboxes when you create an eDiscovery search.
• Select Search all mailboxes on the Mailbox page if your organization has less than 10,000 mailboxes and you're not going to place
  mailboxes on hold.
• Use distribution groups or dynamic distribution groups to group users if you want to place more than 500 mailboxes on In-Place Hold.

Description of limit: The maximum number of mailboxes that are displayed when editing an In-Place eDiscovery or In-Place Hold search.
Limit: 3,000
More information and suggested workarounds: Up to 3,000 mailboxes are displayed on the Sources page in the EAC when you edit an In-
Place eDiscovery search or hold. To add a mailbox to the list of sources, you can use the search box to find a mailbox that isn't listed in the
mailbox picker (a maximum of 500 recipients are listed in the mailbox picker). To remove a mailbox that's listed, you can select it and then
click Remove.
To remove a mailbox that isn't listed, you have to use Exchange Online PowerShell to remove it. For example, the following commands are run
to remove the user Ann Beebe from an In-Place Hold named ContosoHold.

    $SourceMailboxes = Get-MailboxSearch "ContosoHold"
    $SourceMailboxes.Sources.Remove("/o=contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=28e3edb87e29422998ec8f3a9annb")
    Set-MailboxSearch "ContosoHold" -SourceMailboxes $SourceMailboxes.Sources

The first command creates a variable that contains the properties of ContosoHold. The second command removes the user Ann Beebe (by
specifying the value of the LegacyExchangeDN property) from the list of source mailboxes. The third command edits ContosoHold with the
updated list of source mailboxes.
To add a user to an In-Place Hold, use the following syntax in the second command in the previous example.

    $SourceMailboxes.Sources.Add("<LegacyExchangeDN of the user>")

Note: The Sources property of an In-Place eDiscovery search or an In-Place Hold identifies the source mailboxes by their LegacyExchangeDN
property. Because this property uniquely identifies a user mailbox, using the Sources property helps prevent adding or removing the wrong
mailbox. This also helps to avoid issues if two mailboxes have the same alias or primary SMTP address.
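Typing a LegacyExchangeDN by hand is error-prone, and the whole point of keying Sources on that property is to avoid touching the wrong mailbox. The following PowerShell is an added example, not code from the Microsoft documentation: it wraps the three-command sequence above in a function (the name Set-HoldSourceMailbox is made up) that resolves the DN with Get-Mailbox, refuses ambiguous matches, and applies the 10,000-source and 100-source limits from the tables in this topic. 'ContosoHold' and 'annb' are sample values; a connected Exchange Online PowerShell session is required.

```powershell
# Added example, not from the Microsoft documentation. Function name is made up.

function Set-HoldSourceMailbox {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SearchName,
        [Parameter(Mandatory)][string]$User,     # SMTP address, alias, or display name
        [Parameter(Mandatory)][ValidateSet('Add', 'Remove')][string]$Action
    )

    # Resolve to exactly one mailbox. Get-Mailbox fails on an unknown identity, and an
    # ambiguous display name can return several objects, which this function refuses to act on.
    $mbx = @(Get-Mailbox -Identity $User -ErrorAction Stop)
    if ($mbx.Count -ne 1) { throw "'$User' matches $($mbx.Count) mailboxes; use the SMTP address instead" }
    $dn = $mbx[0].LegacyExchangeDN

    # Sources lists mailboxes by LegacyExchangeDN, so membership is an exact string match.
    $search  = Get-MailboxSearch -Identity $SearchName -ErrorAction Stop
    $sources = $search.Sources
    $present = $sources -contains $dn

    switch ($Action) {
        'Add' {
            if ($present) { Write-Warning "$User is already a source of '$SearchName'"; return }
            # A single search or hold can carry at most 10,000 source mailboxes.
            if ($sources.Count -ge 10000) { throw "'$SearchName' already has 10,000 source mailboxes" }
            $sources.Add($dn)
        }
        'Remove' {
            if (-not $present) { Write-Warning "$User is not a source of '$SearchName'"; return }
            $sources.Remove($dn) | Out-Null
        }
    }
    Set-MailboxSearch -Identity $SearchName -SourceMailboxes $sources

    [pscustomobject]@{
        Search           = $SearchName
        Action           = $Action
        LegacyExchangeDN = $dn
        SourceCount      = $sources.Count
        # Keyword statistics can only be viewed while the search has 100 sources or fewer.
        KeywordStatisticsAvailable = ($sources.Count -le 100)
    }
}

# Set-HoldSourceMailbox -SearchName 'ContosoHold' -User 'annb' -Action Remove
# Set-HoldSourceMailbox -SearchName 'ContosoHold' -User 'annb@contoso.com' -Action Add
```

The returned object records the DN that was actually added or removed, which is worth keeping with the change record for the hold; the KeywordStatisticsAvailable flag tells the discovery manager in advance whether a search estimate on the edited hold will still show keyword statistics.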

Other limits
The following table describes other limits that affect In-Place eDiscovery searches.

Description of limit: The maximum number of In-Place eDiscovery searches that can run at the same time in your organization.
Limit: 2
More information: If an eDiscovery search is started while two previous searches are still running, the third search won't be queued and will
instead fail. You have to wait until one of the running searches is completed before you can successfully start a new search.
Also, estimate-only and copy searches are both considered In-Place eDiscovery searches. So, if you are running an estimate-only search and a
copy search at the same time, you can't start another search until one of the running searches is completed. However, you can preview or
export the search results from another search while two searches are running.

Description of limit: The maximum number of keywords that can be specified in a single In-Place eDiscovery search query.
Limit: 500
More information: Boolean operators, such as AND and OR, aren't counted against the total number of keywords. For example, the keyword
query cat AND dog AND bird AND fish consists of four keywords.

Description of limit: The maximum number of items displayed on the search preview page when previewing In-Place eDiscovery search
results.
Limit: 200
More information: When you preview search results, the mailboxes that were searched are listed in the right pane on the eDiscovery search
preview page. For each mailbox, the number of items returned and the total size of these items are also displayed. Items returned by the
search are listed in the right pane. Up to 200 items are displayed on the preview page.
Note: Items from each mailbox can't be displayed in the right pane by clicking a mailbox in the left pane. To view the items returned from a
specific mailbox, you can copy the search results and view the items in the discovery mailbox.

Description of limit: The maximum number of keywords that can be specified in all In-Place Holds placed on a single mailbox.
Limit: 500
More information: If multiple In-Place Holds are placed on a user's mailbox, the maximum number of keywords in all search queries is 500.
That's because Exchange Online combines all the keyword search parameters of all In-Place Holds by using the OR operator. If there are
more than 500 keywords in the hold queries, then all content in the mailbox is placed on hold (and not just the content that matches the
search criteria of any query-based hold). All content is held until the total number of keywords in all In-Place Holds is reduced to 500 or
less. Holding all mailbox content is similar in functionality to a Litigation Hold.

Description of limit: Maximum number of variants returned when using a prefix wildcard to search for an exact phrase in a keyword search
query or when using a prefix wildcard and the NEAR operator.
Limit: 10,000
More information: For non-phrase queries we use a special prefix index. This only tells us that a word occurs in a document, not where in
the document it occurs. To do a phrase query we need to compare the position within the document for the words in the phrase. This means
that we cannot use the prefix index for phrase queries. In this case we are internally expanding the query with all possible words that the
prefix expands to (i.e. "time*" can expand to "time OR timer OR times OR timex OR timeboxed OR ..."). 10,000 is the maximum number of
variants the word can expand to, not the number of documents matching the query. For non-phrase terms there is no upper limit.
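The two 500-keyword limits above are easy to exceed silently once several query-based holds accumulate on one mailbox, and the consequence (the whole mailbox held) is not visible from any single hold. The following PowerShell is an added example, not code from the Microsoft documentation: it counts keywords the way the table describes (operators not counted) and ORs hold queries together the way the table says Exchange Online does. Its assumptions are that a quoted phrase and a property:value expression each count as one keyword, and that the hold objects carry the SearchQuery and InPlaceHoldEnabled properties found on Get-MailboxSearch output; the sample holds are constructed so the block runs offline.

```powershell
# Added example, not from the Microsoft documentation. Function names are made up.

function Get-SearchQueryKeywordCount {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Query)
    # A token is a quoted phrase or a run of characters that are neither spaces nor
    # parentheses; parentheses only group terms and are never keywords themselves.
    $tokens = [regex]::Matches($Query, '"[^"]*"|[^\s()]+') | ForEach-Object { $_.Value }
    $count = 0
    foreach ($t in $tokens) {
        # Boolean operators, including NEAR with or without a distance, are not counted.
        if ($t -cmatch '^(AND|OR|NOT|NEAR(\(\d+\))?)$') { continue }
        $count++
    }
    return $count
}

function Get-CombinedHoldKeywordCount {
    param([Parameter(Mandatory)][object[]]$Holds, [int]$Limit = 500)
    # Exchange Online ORs together the query of every query-based In-Place Hold on a
    # mailbox; rebuilding that combined query shows whether it stays within the limit.
    $queries = $Holds |
        Where-Object { $_.InPlaceHoldEnabled -and -not [string]::IsNullOrWhiteSpace($_.SearchQuery) } |
        ForEach-Object { "($($_.SearchQuery))" }
    $combined = $queries -join ' OR '
    $count = Get-SearchQueryKeywordCount -Query $combined
    [pscustomobject]@{
        CombinedQuery    = $combined
        KeywordCount     = $count
        # Past the limit, every item in the mailbox is held, not just matching items.
        WholeMailboxHeld = ($count -gt $Limit)
    }
}

# Constructed sample holds. In a tenant the input would come from
# Get-MailboxSearch -ResultSize Unlimited, filtered to the holds that cover one mailbox.
$sampleHolds = @(
    [pscustomobject]@{ Name = 'Hold-A'; InPlaceHoldEnabled = $true;  SearchQuery = 'cat AND dog AND bird AND fish' }
    [pscustomobject]@{ Name = 'Hold-B'; InPlaceHoldEnabled = $true;  SearchQuery = '"Quarterly Financials" NEAR(5) audit' }
    [pscustomobject]@{ Name = 'Hold-C'; InPlaceHoldEnabled = $false; SearchQuery = 'from:annb@contoso.com' }
)

Get-SearchQueryKeywordCount -Query 'cat AND dog AND bird AND fish'
Get-CombinedHoldKeywordCount -Holds $sampleHolds
```

For the constructed holds the first call counts four keywords, matching the example in the table, and the combined query of the two enabled holds counts six; Hold-C is excluded because its hold is not enabled. Raising $Limit is not something a tenant can do, so the parameter exists only to let you test the reporting path.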
Create a discovery mailbox
6/26/2019 • 2 minutes to read

Microsoft Exchange Server Setup creates a discovery mailbox by default. In Exchange Online, a discovery mailbox
is also created by default. Discovery mailboxes are used as target mailboxes for In-Place eDiscovery searches in
the Exchange admin center (EAC). You can create additional discovery mailboxes as required. After you create a
new discovery mailbox, you will have to assign Full Access permissions to the appropriate users so they can
access eDiscovery search results that are copied to the discovery mailbox.

CAUTION
After a discovery manager copies the results of an eDiscovery search to a discovery mailbox, the mailbox can
potentially contain sensitive information. You should control access to discovery mailboxes and make sure only
authorized users can access them.
For more information, see Discovery mailboxes.

What do you need to know before you begin?


• Estimated time to complete: 3 minutes.
• You need to be assigned permissions before you can perform this procedure or procedures. To see what
  permissions you need, see the "Creating discovery mailboxes" entry in the Messaging policy and compliance
  permissions topic.
• Discovery mailboxes have a mailbox storage quota of 50 gigabytes (GB). This storage quota can't be
  increased.
• You can't use the EAC to create a discovery mailbox or assign permissions to access it. You have to use
  Exchange Online PowerShell.
• For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
  shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Step 1: Connect to Exchange Online PowerShell


For instructions, see Connect to Exchange Online PowerShell.

Step 2: Create a discovery mailbox


This example creates a discovery mailbox named SearchResults.

New-Mailbox -Name SearchResults -Discovery

For detailed syntax and parameter information, see New-Mailbox.


To display a list of all discovery mailboxes in an Exchange organization, run the following command:
Get-Mailbox -Resultsize unlimited -Filter {RecipientTypeDetails -eq "DiscoveryMailbox"}

For detailed syntax and parameter information, see Get-Mailbox.

Step 3: Assign permissions to a discovery mailbox


You have to explicitly assign users or groups the necessary permissions to open a discovery mailbox that you've
created. Use the following syntax to assign a user or group permissions to open a discovery mailbox and view
search results:

Add-MailboxPermission <Name of the discovery mailbox> -User <Name of user or group> -AccessRights FullAccess -InheritanceType all

For example, the following command assigns the Full Access permission to the Litigation Managers group, so
members of the group can open the Fabrikam Litigation discovery mailbox.

Add-MailboxPermission "Fabrikam Litigation" -User "Litigation Managers" -AccessRights FullAccess -InheritanceType all

For detailed syntax and parameter information, see Add-MailboxPermission.

More information
• By default, members of the Discovery Management role group only have Full Access permission to the
  default Discovery Search Mailbox. You will have to explicitly assign the Full Access permission to the
  Discovery Management role group if you want members to open a discovery mailbox that you've created.
• Although visible in Exchange address lists, users can't send email to a discovery mailbox. Email delivery to
  discovery mailboxes is prohibited with delivery restrictions. This preserves the integrity of search results
  copied to a discovery mailbox.
• A discovery mailbox can't be repurposed or converted to another type of mailbox.
• You can remove a discovery mailbox as you would any other type of mailbox.
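The caution at the top of this topic, that a discovery mailbox can hold sensitive search results and access to it must be controlled, is only enforceable if the Full Access grants on every discovery mailbox are reviewed regularly. The following PowerShell is an added example, not code from the Microsoft documentation: one function performs steps 2 and 3 together (create the mailbox if it doesn't exist, then grant Full Access to one group), and a second lists every explicit Full Access grant across all discovery mailboxes in the organization, which is the review list a compliance owner should be signing off on. The function names and the sample mailbox and group names are made up; a connected Exchange Online PowerShell session is required.

```powershell
# Added example, not from the Microsoft documentation. Function names are made up.

function New-ScopedDiscoveryMailbox {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$AccessGroup   # the only principal granted Full Access here
    )
    # Step 2: create the discovery mailbox unless a mailbox of that name already exists.
    # A same-named mailbox of another type is an error, since discovery mailboxes
    # can't be converted from or to other mailbox types.
    $existing = Get-Mailbox -Identity $Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        $existing = New-Mailbox -Name $Name -Discovery
    } elseif ($existing.RecipientTypeDetails -ne 'DiscoveryMailbox') {
        throw "'$Name' exists but is a $($existing.RecipientTypeDetails), not a discovery mailbox"
    }

    # Step 3: only the named group gets Full Access; nobody else is granted anything here.
    Add-MailboxPermission -Identity $Name -User $AccessGroup -AccessRights FullAccess -InheritanceType All | Out-Null
    return $existing
}

function Get-DiscoveryMailboxFullAccessReport {
    # One row per explicit (non-inherited, non-deny) Full Access grant on a discovery
    # mailbox. The mailbox's own SELF entry is skipped because it is not a delegate.
    Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'DiscoveryMailbox' } |
        ForEach-Object {
            $mbx = $_
            Get-MailboxPermission -Identity $mbx.Identity |
                Where-Object {
                    $_.AccessRights -contains 'FullAccess' -and
                    -not $_.IsInherited -and
                    -not $_.Deny -and
                    $_.User.ToString() -notlike 'NT AUTHORITY\SELF'
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        DiscoveryMailbox = $mbx.DisplayName
                        Trustee          = $_.User.ToString()
                        AccessRights     = ($_.AccessRights -join ',')
                    }
                }
        }
}

# New-ScopedDiscoveryMailbox -Name 'Fabrikam Litigation' -AccessGroup 'Litigation Managers'
# Get-DiscoveryMailboxFullAccessReport | Sort-Object DiscoveryMailbox, Trustee | Format-Table -AutoSize
```

Running the report before and after a litigation matter closes gives a simple diff of who could read copied search results; any trustee that is not a current discovery manager or litigation group is a grant to remove with Remove-MailboxPermission.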
Create a custom management scope for In-Place
eDiscovery searches
6/25/2019 • 10 minutes to read

You can use a custom management scope to let specific people or groups use In-Place eDiscovery to search a
subset of mailboxes in your Exchange Online organization. For example, you might want to let a discovery
manager search only the mailboxes of users in a specific location or department. You can do this by creating a
custom management scope. This custom management scope uses a recipient filter to control which mailboxes can
be searched. Recipient filter scopes use filters to target specific recipients based on recipient type or other recipient
properties.
For In-Place eDiscovery, the only property on a user mailbox that you can use to create a recipient filter for a
custom scope is distribution group membership (the actual property name is MemberOfGroup). If you use other
properties, such as CustomAttributeN, Department, or PostalCode, the search fails when it's run by a member of
the role group that's assigned the custom scope.
To learn more about management scopes, see:
• Understanding management role scopes
• Understanding management role scope filters

What do you need to know before you begin?


• Estimated time to complete: 15 minutes
• As previously stated, you can only use group membership as the recipient filter to create a custom recipient
  filter scope that is intended to be used for eDiscovery. Any other recipient properties can't be used to create
  a custom scope for eDiscovery searches. Note that membership in a dynamic distribution group can't be
  used either.
• Perform steps 1 through 3 to let a discovery manager export the search results for an eDiscovery search
  that uses a custom management scope.
• If your discovery manager doesn't need to preview the search results, you can skip step 4.
• If your discovery manager doesn't need to copy the search results, you can skip step 5.

Step 1: Organize users into distribution groups for eDiscovery


To search a subset of mailboxes in your organization or to narrow the scope of source mailboxes that a discovery
manager can search, you'll need to group the subset of mailboxes into one or more distribution groups. When you
create a custom management scope in step 2, you'll use these distribution groups as the recipient filter to create a
custom management scope. This allows a discovery manager to search only the mailboxes of the users who are
members of a specified group.
You might be able to use existing distribution groups for eDiscovery purposes, or you can create new ones. See
More information at the end of this topic for tips on how to create distribution groups that can be used to scope
eDiscovery searches.

Step 2: Create a custom management scope


Now you'll create a custom management scope that's defined by the membership of a distribution group (using
the MemberOfGroup recipient filter). When this scope is applied to a role group used for eDiscovery, members of
the role group can search the mailboxes of users who are members of the distribution group that was used to
create the custom management scope.
This procedure uses Exchange Online PowerShell commands to create a custom scope named Ottawa Users
eDiscovery Scope. It specifies the distribution group named Ottawa Users for the recipient filter of the custom
scope.
1. Run this command to get and save the properties of the Ottawa Users group to a variable, which is used in
the next command.

$DG = Get-DistributionGroup -Identity "Ottawa Users"

2. Run this command to create a custom management scope based on the membership of the Ottawa Users
distribution group.

New-ManagementScope "Ottawa Users eDiscovery Scope" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"

The distinguished name of the distribution group, which is contained in the variable $DG, is used to create the
recipient filter for the new management scope.

Step 3: Create a management role group


In this step, you create a new management role group and assign the custom scope that you created in step 2. Add
the Legal Hold and Mailbox Search roles so that role group members can perform In-Place eDiscovery searches
and place mailboxes on In-Place Hold or Litigation Hold. You can also add members to this role group so they can
search the mailboxes of the members of the distribution group used to create the custom scope in step 2.
In the following examples, the Ottawa Users eDiscovery Managers security group will be added as a member of this
role group. You can use either Exchange Online PowerShell or the EAC for this step.
Use Exchange Online PowerShell to create a management role group
Run this command to create a new role group that uses the custom scope created in step 2. The command also
adds the Legal Hold and Mailbox Search roles, and adds the Ottawa Users eDiscovery Managers security group as
members of the new role group.

New-RoleGroup "Ottawa Discovery Management" -Roles "Mailbox Search","Legal Hold" -CustomRecipientWriteScope "Ottawa Users eDiscovery Scope" -Members "Ottawa Users eDiscovery Managers"

Use the EAC to create a management role group


1. In the EAC, go to Permissions > Admin roles, and then click New.
2. In New role group, provide the following information:
   • Name: Provide a descriptive name for the new role group. For this example, you'd use Ottawa
     Discovery Management.
   • Write scope: Select the custom management scope that you created in step 2. This scope will be
     applied to the new role group.
   • Roles: Click Add, and add the Legal Hold and Mailbox Search roles to the new role group.
   • Members: Click Add, and select the users, security group, or role groups that you want to add as
     members of the new role group. For this example, the members of the Ottawa Users eDiscovery
     Managers security group will be able to search only the mailboxes of users who are members of the
     Ottawa Users distribution group.
3. Click Save to create the role group.
Here's an example of what the New role group window will look like when you're done.

(Optional) Step 4: Add discovery managers as members of the distribution group used to create the custom management scope

You only need to perform this step if you want to let a discovery manager preview eDiscovery search results.
Run this command to add the Ottawa Users eDiscovery Managers security group as a member of the Ottawa
Users distribution group.

Add-DistributionGroupMember -Identity "Ottawa Users" -Member "Ottawa Users eDiscovery Managers"

You can also use the EAC to add members to a distribution group. For more information, see Create and manage
distribution groups.
(Optional) Step 5: Add a discovery mailbox as a member of the distribution group used to create the custom management scope
You only need to perform this step if you want to let a discovery manager copy eDiscovery search results.
Run this command to add a discovery mailbox named Ottawa Discovery Mailbox as a member of the Ottawa
Users distribution group.

Add-DistributionGroupMember -Identity "Ottawa Users" -Member "Ottawa Discovery Mailbox"

NOTE
To open a discovery mailbox and view the search results, discovery managers must be assigned Full Access permissions for
the discovery mailbox. For more information, see Create a discovery mailbox.
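Steps 1 through 5 above are a single procedure, and in practice it gets rerun (a new region, a group that already exists, a discovery manager who now needs preview rights). The following PowerShell is an added example, not code from the Microsoft documentation: it runs the five steps as one function that reuses existing objects instead of failing on them, creates a new distribution group with the closed, moderated and hidden settings the More information section recommends, and finishes with the role-assignment check a reviewer would use to confirm the custom scope actually applies. The function name is made up, the default names are the sample names used in this topic, and a connected Exchange Online PowerShell session is required.

```powershell
# Added example, not from the Microsoft documentation. Function name is made up.

function New-ScopedDiscoveryRoleGroup {
    [CmdletBinding()]
    param(
        [string]$GroupName        = 'Ottawa Users',
        [string]$ScopeName        = 'Ottawa Users eDiscovery Scope',
        [string]$RoleGroupName    = 'Ottawa Discovery Management',
        [string]$ManagersGroup    = 'Ottawa Users eDiscovery Managers',
        [string]$DiscoveryMailbox = 'Ottawa Discovery Mailbox',
        [switch]$AllowPreview,    # step 4: managers must be group members to preview results
        [switch]$AllowCopy        # step 5: the discovery mailbox must be a member to copy results
    )

    # Step 1: the distribution group whose membership defines the searchable mailboxes.
    # A newly created group is closed, moderated and hidden, because it exists to scope
    # searches, not to deliver mail.
    $dg = Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue
    if (-not $dg) {
        $dg = New-DistributionGroup -Name $GroupName -MemberJoinRestriction Closed `
                -MemberDepartRestriction Closed -ModerationEnabled $true
        Set-DistributionGroup -Identity $GroupName -HiddenFromAddressListsEnabled $true
    }

    # Step 2: the recipient filter may use MemberOfGroup only; any other property makes
    # searches run by members of the role group fail.
    $filter = "MemberOfGroup -eq '$($dg.DistinguishedName)'"
    $scope = Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue
    if (-not $scope) {
        New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $filter | Out-Null
    } else {
        Write-Warning "Scope '$ScopeName' already exists with filter: $($scope.RecipientFilter)"
    }

    # Step 3: the role group carrying Mailbox Search and Legal Hold, limited to the scope.
    if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
        New-RoleGroup -Name $RoleGroupName -Roles 'Mailbox Search','Legal Hold' `
            -CustomRecipientWriteScope $ScopeName -Members $ManagersGroup | Out-Null
    }

    # Steps 4 and 5 (optional): add a member only when it is not already in the group.
    $current = Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
               Select-Object -ExpandProperty Name
    $wanted = @(
        @{ Enabled = $AllowPreview; Name = $ManagersGroup }
        @{ Enabled = $AllowCopy;    Name = $DiscoveryMailbox }
    )
    foreach ($m in $wanted) {
        if ($m.Enabled -and $current -notcontains $m.Name) {
            Add-DistributionGroupMember -Identity $GroupName -Member $m.Name
        }
    }

    # Verification: each role assignment held by the role group should show the custom
    # scope; an assignment without it would let members search outside the group.
    Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
        Select-Object Role, CustomRecipientWriteScope, RecipientWriteScope
}

# New-ScopedDiscoveryRoleGroup -AllowPreview -AllowCopy
```

The final Select-Object is the quickest way to answer "How do you know this worked?" without running a search: both the Mailbox Search and Legal Hold assignments should list the custom scope in CustomRecipientWriteScope. Remember that group membership is evaluated when a search or hold is created, so users added to the distribution group later still have to be added to existing searches explicitly.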

How do you know this worked?


Here are some ways to verify if you've successfully implemented custom management scopes for eDiscovery.
When you verify, be sure that the user running the eDiscovery searches is a member of the role group that uses
the custom management scope.
• Create an eDiscovery search, and select the distribution group that was used to create the custom
  management scope as the source of mailboxes to be searched. All mailboxes should be successfully
  searched.
• Create an eDiscovery search, and search the mailboxes of any users who aren't members of the distribution
  group that was used to create the custom management scope. The search should fail because the discovery
  manager can only search mailboxes for users who are members of the distribution group that was used to
  create the custom management scope. In this case, an error such as "Unable to search mailbox <name of
  mailbox> because the current user does not have permissions to access the mailbox" will be returned.
• Create an eDiscovery search, and search the mailboxes of users who are members of the distribution group
  that was used to create the custom management scope. In the same search, include the mailboxes of users
  who aren't members. The search should partially succeed. The mailboxes of members of the distribution
  group used to create the custom management scope should be successfully searched. The search of
  mailboxes for users who aren't members of the group should fail.

More information
• Because distribution groups are used in this scenario to scope eDiscovery searches and not for message
  delivery, consider the following when you create and configure distribution groups for eDiscovery:
    • Create distribution groups with a closed membership so that members can be added to or removed
      from the group only by the group owners. If you're creating the group in Exchange Online
      PowerShell, use the syntax MemberJoinRestriction closed and MemberDepartRestriction closed.
    • Enable group moderation so that any message sent to the group is first sent to the group
      moderators who can approve or reject the message accordingly. If you're creating the group in
      Exchange Online PowerShell, use the syntax ModerationEnabled $true. If you're using the EAC, you
      can enable moderation after the group is created.
    • Hide the distribution group from the organization's shared address book. Use the EAC or the Set-
      DistributionGroup cmdlet after the group is created. If you're using Exchange Online PowerShell,
      use the syntax HiddenFromAddressListsEnabled $true.
  In the following example, the first command creates a distribution group with closed membership
  and moderation enabled. The second command hides the group from the shared address book.

New-DistributionGroup -Name "Vancouver Users eDiscovery Scope" -Alias VancouverUserseDiscovery -MemberJoinRestriction closed -MemberDepartRestriction closed -ModerationEnabled $true

Set-DistributionGroup "Vancouver Users eDiscovery Scope" -HiddenFromAddressListsEnabled $true

For more information about creating and managing distribution groups, see Create and manage
distribution groups.
Though you can use only distribution group membership as the recipient filter for a custom management
scope used for eDiscovery, you can use other recipient properties to add users to that distribution group.
Here are some examples of using the Get-Mailbox and Get-Recipient cmdlets to return a specific group
of users based on common user or mailbox attributes.

Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'Department -eq "HR"'

Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'CustomAttribute15 -eq "VancouverSubsidiary"'

Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'PostalCode -eq "98052"'

Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'StateOrProvince -eq "WA"'

Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize unlimited -OrganizationalUnit "namsr01a002.sdf.exchangelabs.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com"

You can then use the examples from the previous bullet to create a variable that can be used with the Add-DistributionGroupMember cmdlet to add a group of users to a distribution group. In the following
example, the first command creates a variable that contains all user mailboxes that have the value
Vancouver for the Department property in their user account. The second command adds these users to
the Vancouver Users distribution group.

$members = Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'Department -eq "Vancouver"'

$members | ForEach {Add-DistributionGroupMember "Ottawa Users" -Member $_.Name}

You can use the Add-RoleGroupMember cmdlet to add a member to an existing role group that's used to
scope eDiscovery searches. For example, the following command adds the user
admin@ottawa.contoso.com to the Ottawa Discovery Management role group.

Add-RoleGroupMember "Vancouver Discovery Management" -Member paralegal@vancouver.contoso.com

You can also use the EAC to add members to a role group. For more information, see the "Add members to
a role group" section in Manage Role Group Members.
In Exchange Online, a custom management scope used for eDiscovery can't be used to search inactive
mailboxes. This is because an inactive mailbox can't be a member of a distribution group. For example, let's
say that a user is a member of a distribution group that was used to create a custom management scope for
eDiscovery. Then that user leaves the organization and their mailbox is made inactive (by placing a
Litigation Hold or In-Place hold on the mailbox and then deleting the corresponding Office 365 user
account). The result is that the user is removed as a member from any distribution group, including the
group that was used to create the custom management scope used for eDiscovery. If a discovery manager
(who is a member of the role group that's assigned the custom management scope) tries to search the
inactive mailbox, the search will fail. To search inactive mailboxes, a discovery manager must be a member of
the Discovery Management role group or any role group that has permissions to search the entire
organization.
For more information about inactive mailboxes, see Inactive mailboxes in Exchange Online.
Reduce the size of a discovery mailbox in Exchange
6/25/2019 • 7 minutes to read

Have a discovery mailbox that's exceeded the 50 GB limit? You can fix this issue by creating new discovery
mailboxes and copying the search results from the large discovery mailbox to the new ones.

Why would I want to do this?


In Exchange Server and Exchange Online, the maximum size of discovery mailboxes, which are used to store In-Place eDiscovery search results, is 50 GB. Prior to the current size limit, you were able to increase the storage quota to more than 50 GB, which resulted in having discovery mailboxes much larger than 50 GB. There are three issues with discovery mailboxes that are larger than 50 GB:
They're not supported.
They can't be migrated to Office 365.
If they're discovery mailboxes in Exchange Server 2010, they can't be upgraded to later versions.

The process at a glance


Here's a quick look at what you'll need to do to reduce the size of a discovery mailbox that's exceeded the 50 GB
limit:
1. Step 1: Create additional discovery mailboxes to distribute the search results to.
2. Step 2: Copy the search results from the existing discovery mailbox to one or more of the new discovery mailboxes.
3. Step 3: Delete eDiscovery searches from the original discovery mailbox to reduce its size.
The strategy presented here groups the search results from the original discovery mailbox into separate
eDiscovery searches that are based on date ranges. This is a quick way to copy many search results to a new
discovery mailbox. The following graphic illustrates this approach.
What do you need to know before you begin?
Estimated time to complete this task: Time will vary based on the amount and size of the search results that
will be copied to different discovery mailboxes.
Run the following command to determine the size of the discovery mailboxes in your organization.

Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | Get-MailboxStatistics | Format-List DisplayName,TotalItemSize

Determine if you need to keep some or all of the search results from the discovery mailbox that's exceeded
the 50 GB limit. Follow the steps in this topic to retain search results by copying them to a different
discovery mailbox. If you don't need to keep the results of a specific eDiscovery search, you can delete the
search, as explained in step 3. Deleting a search will delete the search results from the discovery mailbox.
If you don't need any of the search results from a discovery mailbox that's exceeded the 50 GB limit, you
can delete it. If this is the default discovery mailbox that was created when your Exchange organization was
provisioned, you can re-create it. For more information, see Delete and re-create the default discovery
mailbox in Exchange.
For current legal cases, you might want to export the results of selected eDiscovery searches to .pst files.
Doing this keeps the results from a specific search intact. In addition to the .pst files that contain the search
results, a search results log (.csv file format) that contains an entry for each message returned in the search
results is also exported. Each entry in this file identifies the source mailbox where the message is located.
For more information, see Export eDiscovery search results to a PST file.
After you export search results to .pst files, you'll need to use Outlook if you want to import them to a new
discovery mailbox.

Step 1: Create discovery mailboxes


The first step is to create additional discovery mailboxes so that you can copy the search results from the discovery
mailbox that's exceeded the size limit. Based on the 50 GB size limit for discovery mailboxes, determine how many
additional discovery mailboxes you'll need and create them. You'll then need to assign users or groups the
necessary permissions to open these new discovery mailboxes.
1. Run the following command to create a new discovery mailbox.

New-Mailbox -Name <discovery mailbox name> -Discovery

2. Run the following command to assign a user or group permissions to open the discovery mailbox and view
search results.

Add-MailboxPermission <discovery mailbox name> -User <name of user or group> -AccessRights FullAccess -InheritanceType all

Step 2: Copy search results to a discovery mailbox


The next step is to use the New-MailboxSearch cmdlet to copy the search results from the existing discovery
mailbox to a new discovery mailbox that you created in the previous step. This procedure uses the StartDate and
EndDate parameters to scope the search results into batches that are no larger than 50 GB. This may require some
testing (by estimating the search results) to size the search results appropriately.
1. Run the following command to create a new eDiscovery search.

New-MailboxSearch -Name "Search results from 2010" -SourceMailboxes "Discovery Search Mailbox" -StartDate "01/01/2010" -EndDate "12/31/2010" -TargetMailbox "Discovery Mailbox Backup 01" -EstimateOnly -StatusMailRecipients admin@contoso.com

This example uses the following parameters:


Name: This parameter specifies the name of the new eDiscovery search. Because the search is
scoped by sent and received dates, it's useful that the name of the search includes the date range.
SourceMailboxes: This parameter specifies the default discovery mailbox. You can also specify the
name of another discovery mailbox that's exceeded the size limit.
StartDate and EndDate: These parameters specify the date range of the search results in the default
discovery mailbox to include in the search results.

NOTE
For dates, use the short date format, mm/dd/yyyy, even if the Regional Options settings on the local
computer are configured with a different format, such as dd/mm/yyyy. For example, use 03/01/2014 to
specify March 1, 2014.

TargetMailbox: This parameter specifies that search results should be copied to the discovery
mailbox named "Discovery Mailbox Backup 01".
EstimateOnly: This switch specifies that only an estimate of the number of items that will be returned
is provided when the search is started. If you don't include this switch, messages are copied to the
target mailbox when the search is started. Using this switch lets you adjust the date ranges if
necessary to increase or decrease the number of search results.
StatusMailRecipients: This parameter specifies that the status message should be sent to the specified
recipient.
2. After the search is created, start it by using Exchange Online PowerShell or the Exchange admin center
(EAC).
Using Exchange Online PowerShell: Run the following command to start the search created in the
previous step. Because the EstimateOnly switch was included when the search was created, the search
results won't be copied to the target discovery mailbox.

Start-MailboxSearch "Search results from 2010"

Using the EAC: Go to Compliance management > In-Place eDiscovery & hold. Select the search
created in the previous step, click Search, and then click Estimate search results.
3. If necessary, adjust the date range to increase or decrease the amount of search results that are returned. If
you change the date range, run the search again to get a new estimate of the results. Consider changing the
name of the search to reflect the new date range.
4. When you're finished testing the search, use Exchange Online PowerShell or the EAC to copy the search
results to the target discovery mailbox.
Using Exchange Online PowerShell: Run the following commands to copy the search results. You
have to remove the EstimateOnly switch before you can copy the search results.

Set-MailboxSearch "Search results from 2010" -EstimateOnly $false

Start-MailboxSearch "Search results from 2010"

Using the EAC: Go to Compliance management > In-Place eDiscovery & hold. Select the search,
click Search, and then click Copy search results.
For more information, see Copy eDiscovery Search Results to a Discovery Mailbox.
5. Repeat steps 1 through 4 to create new searches for additional date ranges. Include the date range in the
name of the new search to indicate the range of the results. To make sure none of the discovery mailboxes
exceeds the 50 GB limit, use different discovery mailboxes as the target mailbox.

Step 3: Delete eDiscovery searches


After you've copied search results from the original discovery mailbox to another discovery mailbox, you can
delete the original eDiscovery searches. Deleting an eDiscovery search will delete the search results from the
discovery mailbox where those search results are stored.
Before deleting a search, you can run the following command to identify the size of the search results that have
been copied to a discovery mailbox for all searches in your organization.

Get-MailboxSearch | Format-List Name,TargetMailbox,ResultSizeCopied

You can use Exchange Online PowerShell or the EAC to delete an eDiscovery search.
Using Exchange Online PowerShell: Run the following command.

Remove-MailboxSearch -Identity <name of search>

Using the EAC: Go to Compliance management > In-Place eDiscovery & hold. Select the search that
you want to delete, and then click Delete.

How do you know this worked?


After you've deleted the eDiscovery searches to remove the results from the discovery mailbox where they were
stored, run the following command to display the size of a selected discovery mailbox.

Get-Mailbox <name of discovery mailbox> | Get-MailboxStatistics | Format-List TotalItemSize


Delete and re-create the default discovery mailbox in Exchange
6/26/2019 • 2 minutes to read

You can use Exchange Online PowerShell to delete the default discovery mailbox, re-create it, and then assign
permissions to it.

Why would I want to do this?


In Exchange Online, the maximum size of the default discovery mailbox is 50 GB. It's used to store In-Place
eDiscovery search results. Before the size limit was changed, organizations could increase the storage quota to
more than 50 GB. As a result, discovery mailboxes could grow to more than 50 GB. Discovery mailboxes that are
larger than 50 GB are no longer supported.
How you resolve this issue depends on whether you want to save the search results from a default discovery
mailbox that's exceeded 50 GB.

DO YOU WANT TO SAVE THE SEARCH RESULTS?    DO THIS
No                                         Follow the steps in this topic to delete, and then re-create the default discovery mailbox.
Yes                                        Follow the steps in Reduce the size of a discovery mailbox in Exchange.

Use Exchange Online PowerShell to delete and re-create the default discovery mailbox
NOTE
You can't use the Exchange admin center (EAC) because discovery mailboxes aren't displayed in the EAC.

1. Run the following command to delete the default discovery mailbox.

Remove-Mailbox "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"

2. In the message asking you to confirm that you want to delete the mailbox and the corresponding Active
Directory user object, type Y, and then press Enter.
A new user object is created in Active Directory when you create the discovery mailbox in the next step.
3. Run the following command to re-create the default discovery mailbox.

New-Mailbox -Name "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -Alias "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -DisplayName "Discovery Search Mailbox" -Discovery

4. Run the following command to assign the Discovery Management role group permissions to open the
default discovery mailbox and view search results.

Add-MailboxPermission "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -User "Discovery Management" -AccessRights FullAccess -InheritanceType all

Data loss prevention
6/24/2019 • 8 minutes to read

Learn about DLP policies in Exchange Server and Exchange Online, including what they contain and how to test
them. You'll also learn about a new feature in Exchange DLP.
Data loss prevention (DLP) is an important issue for enterprise message systems because of the extensive use of
email for business critical communication that includes sensitive data. In order to enforce compliance
requirements for such data, and manage its use in email, without hindering the productivity of workers, DLP
features make managing sensitive data easier than ever before. For a conceptual overview of DLP, watch the
following video.

DLP policies are simple packages that contain sets of conditions, which are made up of mail flow rule (also
known as transport rule) conditions, exceptions, and actions that you create in the Exchange admin center (EAC)
and then activate to filter email messages and attachments. You can create a DLP policy, but choose to not
activate it. This allows you to test your policies without affecting mail flow. DLP policies can use the full power of
existing mail flow rules. In fact, a number of new types of mail flow rules have been created in Microsoft
Exchange Server and Exchange Online in order to accomplish new DLP capability. One important new feature of
mail flow rules is a new approach to classifying sensitive information that can be incorporated into mail flow
processing. This new DLP feature performs deep content analysis through keyword matches, dictionary matches,
regular expression evaluation, and other content examination to detect content that violates organizational DLP
policies. For more information about mail flow rules, see Mail flow rules (transport rules) in Exchange Online, and
Integrating sensitive information rules with mail flow rules in Exchange Online. You can also manage your DLP
policies by using Exchange Online PowerShell cmdlets. For more information about policy and compliance
cmdlets, see Messaging Policy and Compliance Cmdlets.
In addition to the customizable DLP policies themselves, you can also inform email senders that they may be
about to violate one of your policies, even before they send an offending message. You can accomplish this by
configuring Policy Tips. Policy Tips are similar to MailTips, and can be configured to present a brief note in the
Microsoft Outlook 2013 client that provides information about possible policy violations to a person creating a
message. In Exchange Online and in Exchange Server, Policy Tips are also displayed in Outlook on the web
(formerly known as Outlook Web App) and OWA for Devices. For more information, see Policy Tips.

NOTE
DLP is a premium feature that requires an Exchange Online Plan 2 subscription. For more information, see Exchange Online Licensing.
Messages sent between on-premises users in a hybrid deployment do not have Exchange Online DLP policies applied, because the message doesn't leave the on-premises infrastructure.

Looking for management tasks related to Data Loss Prevention? See DLP Procedures (Exchange Server) or DLP
Procedures (Exchange Online).

Establish policies to protect sensitive data


The data loss prevention features can help you identify and monitor many categories of sensitive information
that you have defined within the conditions of your policies, such as private identification numbers or credit card
numbers. You have the option of defining your own custom policies and mail flow rules or using the pre-defined
DLP policy templates provided by Microsoft in order to get started quickly. For more information about the
policy templates that are included, see DLP policy templates supplied in Exchange. A policy template includes a
range of conditions, rules, and actions that you can choose from in order to create and save an actual DLP policy
that will help you inspect messages. The policy templates are models from which you can select or build your
own specific rules to create a policy that meets your needs for data loss prevention.
Three different methods exist for you to begin using DLP:
1. Apply an out-of-the-box template supplied by Microsoft: The quickest way to start using DLP
policies is to create and implement a new policy using a template. This saves you the effort of building a
new set of rules from nothing. You will need to know what type of data you want to check for or which
compliance regulation you are attempting to address. You will also need to know your organization's
expectations for processing such data. More information at DLP policy templates supplied in Exchange
and Create a DLP policy from a template.
2. Import a pre-built policy file from outside your organization: You can import policies that have
already been created outside of your messaging environment by independent software vendors. In this
way you can extend the DLP solutions to suit your business requirements. More information at Policies
from Microsoft Partners, Define Your Own DLP Templates and Information Types, and Import a DLP
Policy From a File.
3. Create a custom policy without any pre-existing conditions: Your enterprise may have its own
requirements for monitoring certain types of data known to exist within a messaging system. You can
create a custom policy entirely on your own in order to start checking and acting upon your own unique
message data. You will need to know the requirements and constraints of the environment in which the
DLP policy will be enforced in order to create such a custom policy. More information at Create a custom
DLP policy.
After you have added a policy, you can review and change its rules, make the policy inactive, or remove it
completely. The procedures for these actions are provided in the Manage DLP Policies topic.

Sensitive information types in DLP policies


When you create or change DLP policies, you can include rules that include checks for sensitive information. The
sensitive information types listed in the Sensitive Information Types Inventory topic are available to be used in
your policies. The conditions that you establish within a policy, such as how many times something has to be
found before an action is taken or exactly what that action is can be customized within your new custom policies
in order to meet your specific policy requirements. For more information about creating DLP policies, see Create
a custom DLP policy. For more information about the full suite of mail flow rules, see Mail flow rules (transport
rules) in Exchange Online.
To make it easy for you to make use of the sensitive information-related rules, Microsoft has supplied policy
templates that already include some of the sensitive information types. You cannot add conditions for all of the
sensitive information types listed here to policy templates however, because the templates are designed to help
you focus on the most-common types of compliance-related data within your organization. For more information
about the pre-built templates, see DLP policy templates supplied in Exchange. You can create numerous DLP
policies for your organization and have them all enabled so that many disparate types of information are
examined. You can also create a DLP policy that is not based on an existing template. To begin creating such a
policy, see Create a custom DLP policy. For more information about sensitive information types, see Sensitive
Information Types Inventory.

Policy Tips notify users about sensitive content expectations


You can use Policy Tip notification messages to inform email senders about possible compliance issues while
they are composing an email message. When you configure a Policy Tip in a DLP policy, the notification message
will only show up if something in the sender's email message meets the conditions described in your policy.
Policy Tips are similar to MailTips that were introduced in Microsoft Exchange 2010. For more information, see
Policy Tips.

Detecting sensitive information along with traditional message classification
Exchange Server and Exchange Online present a new method of helping you manage message and attachment
data when compared with traditional message classification. A key factor in the strength of a DLP solution is the
ability to correctly identify confidential or sensitive content that may be unique to the organization, regulatory
needs, geography, or other business needs. Exchange Server can achieve this by using a new architecture for
deep content analysis coupled with detection criteria that you establish through rules in your DLP policies.
Helping prevent data loss in Exchange Server relies on configuring the correct set of sensitive information rules
so that they provide a high degree of protection while minimizing inappropriate mail flow disruption with false
positives and negatives. These types of rules, referred to throughout the DLP information as sensitive
information detection, function within the framework offered by mail flow rules in order to enable DLP
capabilities.
To learn more about these new features, see Integrating sensitive information rules with mail flow rules in
Exchange Online. The traditional message classification fields can still be applied to messages in Exchange and
these can be combined with the new sensitive information detection either together within a single DLP policy or
running concurrently so they are evaluated independently within Exchange. To learn more about the legacy
Exchange 2010 message classifications, see Understanding Message Classifications.

Information about DLP-processed messages


For Exchange Server to obtain information about messages and DLP policy detections in your environment, see
DLP policy detection reports and Create incident reports for DLP policy detections. Data related to DLP
detections is highly integrated into the delivery reports message tracking tool of Exchange Server.
For Exchange Online, see DLP policy detection reports and Create incident reports for DLP policy detection.

Installation prerequisites
In order to make use of DLP features, you must have Exchange Server or Exchange Online configured with at
least one sender mailbox. Data Loss Prevention is a premium feature that requires an Enterprise Client Access
License (CAL). For more information about getting started with Exchange Server, see Planning and Deployment.
For more information about getting started with Exchange Online, see Exchange Online.

For more information


Exchange Server
Messaging Policy and Compliance
DLP Procedures
DLP policy detection reports
Messaging Policy and Compliance Cmdlets
Exchange Online
Security and compliance for Exchange Online
DLP Procedures
DLP policy detection reports
How DLP rules are applied to evaluate messages
6/10/2019 • 4 minutes to read

You can set up sensitive information rules within your Microsoft Exchange data loss prevention (DLP) policies to
detect very specific data in email messages. This topic will help you understand how these rules are applied and
how messages are evaluated. You can avoid workflow disruptions for your email users and achieve a high degree
of accuracy with your DLP detections if you know how your rules are enforced. Let's use the Microsoft-supplied
credit card information rule as an example. When you activate a mail flow rule (also known as a transport rule) or
DLP policy, all messages that your users send are compared with the rule sets that you create.

Get precise about your needs


Suppose you need to act on credit card information in messages. The actions you take once it is found are not the
subject of this topic, but you can learn more about that in Mail flow rule actions in Exchange Online. With as much
certainty as possible, you need to ensure that what is detected in a message is truly credit card data and not
something else that could be a legitimate use of groups of numbers that merely resemble credit card data; for
example, a reservation code or a vehicle identification number.
To meet this need, let's make it clear that the following information should be classified as a credit card:

Margie's Travel,
I have received updated credit card information for Spencer.
Spencer Badillo
Visa: 4111 1111 1111 1111
Expires: 2/2012
Please update his travel profile.

Let's also make it clear that the following information should not be classified as a credit card.

Hi Alex,
I expect to be in Hawaii too. My booking code is 1234 1234 1234 1234 and I'll be there on 3/2018.
Regards, Lisa

The following XML snippet shows how the needs expressed earlier are currently defined in a sensitive information
rule that is provided with Exchange and it is embedded within one of the supplied DLP policy templates.

<Entity id="50842eb7-edc8-4019-85dd-5a5c1f2bb085" patternsProximity="300" recommendedConfidence="85">
  <Pattern confidenceLevel="85">
    <IdMatch idRef="Func_credit_card" />
    <Any minMatches="1">
      <Match idRef="Keyword_cc_verification" />
      <Match idRef="Keyword_cc_name" />
      <Match idRef="Func_expiration_date" />
    </Any>
  </Pattern>
</Entity>

Pattern-matching in your solution


The XML rule definition shown earlier includes pattern-matching, which improves the likelihood that the rule will
detect only the important information and not detect vague, related information. For more information about the
XML schema for DLP rules and templates, see Define Your Own DLP Templates and Information Types.
In the credit card rule, there is a section of XML code for patterns, which includes a primary identifier match and
some additional corroborative evidence. All three of these requirements are explained here:
1. <IdMatch idRef="Func_credit_card" />: This requires a match of a function, titled credit card, that is internally
   defined. This function includes a couple of validations as follows:
   It matches a regular expression (in this instance for 16 digits) that could also include variations like a space
   delimiter so that it also matches 4111 1111 1111 1111 or a hyphen delimiter so that it also matches
   4111-1111-1111-1111.
   It evaluates the Luhn checksum algorithm against the 16-digit number in order to ensure the likelihood of
   this being a credit card number is high.
   It requires a mandatory match, after which corroborative evidence is evaluated.
2. <Any minMatches="1">: This section indicates that the presence of at least one of the following items of
   evidence is required.
3. The corroborative evidence can be a match of one of these three:
   <Match idRef="Keyword_cc_verification">
   <Match idRef="Keyword_cc_name">
   <Match idRef="Func_expiration_date">
   These three simply mean a list of keywords for credit cards, the names of the credit cards, or an expiration
   date is required. The expiration date is defined and evaluated internally as another function.

The process of evaluating content against rules


The five steps here represent actions that Exchange takes to compare your rule with email messages. For our credit
card rule example, the following steps are taken.

STEP                              ACTION
1. Get Content                    Spencer Badillo
                                  Visa: 4111 1111 1111 1111
                                  Expires: 2/2012
2. Regular Expression Analysis    4111 1111 1111 1111 -> a 16-digit number is detected
3. Function Analysis              4111 1111 1111 1111 -> matches checksum
                                  1234 1234 1234 1234 -> doesn't match
4. Additional Evidence            Keyword Visa is near the number. A regular expression for a date (2/2012) is near the number.
5. Verdict                        There is a regular expression that matches a checksum. Additional evidence increases confidence.

The way this rule is set up by Microsoft makes it mandatory that corroborating evidence such as keywords are a
part of the email message content in order to match the rule. So the following email content would not be detected
as containing a credit card:

Margie's Travel,
I have received updated information for Spencer.
Spencer Badillo
4111 1111 1111 1111
Please update his travel profile.

You can use a custom rule that defines a pattern without extra evidence, as shown in the next example. This would
detect messages that contain only a credit card number and no corroborating evidence.

  <Pattern confidenceLevel="85">
    <IdMatch idRef="Func_credit_card" />
  </Pattern>
</Entity>
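The five evaluation steps in the table above, carried through in code. This is an added example written for this page, not Exchange's classification engine and not code from the original topic: it parses the Entity XML quoted earlier with the Python standard library, models Func_credit_card as the 16-digit regular expression followed by a Luhn check, treats Keyword_cc_verification, Keyword_cc_name and Func_expiration_date as corroborating evidence that must sit within patternsProximity characters of the number, and returns the Pattern's confidenceLevel once minMatches is met. The keyword lists, the expiration-date regular expression and the Entity wrapper (with a placeholder id) around the custom pattern are assumptions constructed for the example; the three messages are the ones quoted in this topic.

```python
import re
import xml.etree.ElementTree as ET

# Rule definition quoted in this topic (the Microsoft-supplied credit card Entity).
SUPPLIED_RULE_XML = """<Entity id="50842eb7-edc8-4019-85dd-5a5c1f2bb085" patternsProximity="300" recommendedConfidence="85">
  <Pattern confidenceLevel="85">
    <IdMatch idRef="Func_credit_card" />
    <Any minMatches="1">
      <Match idRef="Keyword_cc_verification" />
      <Match idRef="Keyword_cc_name" />
      <Match idRef="Func_expiration_date" />
    </Any>
  </Pattern>
</Entity>"""

# The custom pattern without corroborating evidence. The Entity wrapper and its
# placeholder id are constructed for this example; the Pattern is the page's.
CUSTOM_RULE_XML = """<Entity id="00000000-0000-0000-0000-000000000000" patternsProximity="300" recommendedConfidence="85">
  <Pattern confidenceLevel="85">
    <IdMatch idRef="Func_credit_card" />
  </Pattern>
</Entity>"""

# Constructed stand-ins for the internally defined keyword lists (assumptions).
KEYWORD_CC_VERIFICATION = ["cvv", "cvc", "card verification", "security code"]
KEYWORD_CC_NAME = ["visa", "mastercard", "american express", "amex", "discover"]

# Step 2: 16 digits in groups of four, optionally separated by a space or hyphen.
CC_REGEX = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
# Constructed stand-in for Func_expiration_date: m/yyyy, mm/yy and similar.
EXP_REGEX = re.compile(r"\b\d{1,2}/\d{2,4}\b")


def luhn_ok(digits):
    """Step 3: Luhn checksum (double every second digit from the right, sum, mod 10)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_credit_cards(text):
    """Func_credit_card: regex candidates that also pass the Luhn check, as (start, end) spans."""
    return [(m.start(), m.end()) for m in CC_REGEX.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group()))]


def find_keywords(text, words):
    """Case-insensitive whole-word keyword matches, as (start, end) spans."""
    return [(m.start(), m.end()) for w in words
            for m in re.finditer(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE)]


# Step 4: the corroborating evidence the Any element may reference.
EVIDENCE = {
    "Keyword_cc_verification": lambda t: find_keywords(t, KEYWORD_CC_VERIFICATION),
    "Keyword_cc_name": lambda t: find_keywords(t, KEYWORD_CC_NAME),
    "Func_expiration_date": lambda t: [(m.start(), m.end()) for m in EXP_REGEX.finditer(t)],
}


def near(a, b, proximity):
    """True when the gap between two character spans is at most `proximity` characters."""
    return max(a[0], b[0]) - min(a[1], b[1]) <= proximity


def evaluate(rule_xml, text):
    """Step 5: one detection per credit card number that satisfies a Pattern in the Entity."""
    entity = ET.fromstring(rule_xml)
    proximity = int(entity.get("patternsProximity", "300"))
    detections = []
    for pattern in entity.findall("Pattern"):
        if pattern.find("IdMatch").get("idRef") != "Func_credit_card":
            raise ValueError("only Func_credit_card is modelled in this example")
        any_el = pattern.find("Any")
        min_matches = int(any_el.get("minMatches")) if any_el is not None else 0
        wanted = [m.get("idRef") for m in any_el.findall("Match")] if any_el is not None else []
        for cc in find_credit_cards(text):
            found = [ref for ref in wanted
                     if any(near(cc, ev, proximity) for ev in EVIDENCE[ref](text))]
            if len(found) >= min_matches:
                detections.append({"match": text[cc[0]:cc[1]],
                                   "confidence": int(pattern.get("confidenceLevel")),
                                   "evidence": found})
    return detections


# The three messages quoted in this topic.
MSG_VISA = """Margie's Travel,
I have received updated credit card information for Spencer.
Spencer Badillo
Visa: 4111 1111 1111 1111
Expires: 2/2012
Please update his travel profile."""
MSG_BOOKING = """Hi Alex,
I expect to be in Hawaii too. My booking code is 1234 1234 1234 1234 and I'll be there on 3/2018.
Regards, Lisa"""
MSG_BARE = """Margie's Travel,
I have received updated information for Spencer.
Spencer Badillo
4111 1111 1111 1111
Please update his travel profile."""

if __name__ == "__main__":
    for name, msg in [("visa", MSG_VISA), ("booking", MSG_BOOKING), ("bare", MSG_BARE)]:
        print(name, "supplied rule ->", evaluate(SUPPLIED_RULE_XML, msg))
    print("bare custom rule ->", evaluate(CUSTOM_RULE_XML, MSG_BARE))
```

Run as written, the supplied rule detects only the Visa message (the booking code fails the Luhn check; the bare number has no evidence within 300 characters), while the custom Entity detects the bare number as well, which is the trade-off the text describes between false negatives and false positives.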

The illustration of credit cards in this article can be extended to other sensitive information rules as well. To see the
complete list of the Microsoft-supplied rules in Exchange, use the Get-ClassificationRuleCollection cmdlet in
Exchange Online PowerShell in the following manner:

$rule_collection = Get-ClassificationRuleCollection

$rule_collection[0].SerializedClassificationRuleCollection | Set-Content oob_classifications.xml -Encoding byte

For more information


Data loss prevention
Mail flow rules (transport rules) in Exchange Online
Exchange Online PowerShell
Integrating sensitive information rules with mail flow rules in Exchange Online
5/21/2019 • 2 minutes to read

In Exchange Online, you can create DLP policies that contain rules for not only traditional message classifications
and existing mail flow rules (also known as transport rules) but also combine these with rules for sensitive
information found within messages. The existing mail flow rules framework offers rich capabilities to define
messaging policies, covering the entire spectrum of soft to hard controls. Examples include:
Limiting the interaction between recipients and senders, including interactions between departmental
groups inside an organization.
Applying separate policies for communications within and outside of an organization.
Preventing inappropriate content from entering or leaving an organization.
Filtering confidential information.
Tracking or archiving messages that are sent to or received from specific individuals.
Redirecting inbound and outbound messages for inspection before delivery.
Applying disclaimers to messages as they pass through the organization.
Mail flow rules allow you to apply messaging policies to email messages that flow through the mail flow pipeline
in the Transport service on Mailbox servers and on Edge Transport servers. These rules allow system
administrators to enforce messaging policies, help keep messages more secure, help to protect messaging
systems, and help prevent accidental information loss. For more information about mail flow rules, see Mail flow
rules (transport rules) in Exchange Online.

Sensitive information rules within the mail flow rule framework


Sensitive information rules are integrated with the mail flow rules framework by introduction of a condition that
you can customize: If the message contains...Sensitive Information. This condition can be configured with one
or more sensitive information types that are contained within the messages. When multiple DLP policies or rules
within a policy are configured with this condition, the policy or rule is satisfied when any of the conditions match.
Exchange policy rules examine the subject, body and any attachments of a message. If the rule matches any of
these message components, the rule actions will be applied.
The sensitive information condition may be combined with any of the already existing mail flow rules to define
messaging policies. If combined, the condition works in conjunction with other rules and provides the AND
semantics. For example, two different conditions are added together with an AND statement such that both need
to match for the action to be applied. Any of the mail flow rule actions can be configured as result of rules
containing the sensitive information type matching. Many different file types can be scanned by the mail flow rules
agent, which scans messages to enforce mail flow rules. To learn more about the supported file types, see File
Types that are supported in mail flow rules (Exchange Server) or Use mail flow rules to inspect message
attachments in Office 365 (Exchange Online).
The sensitive information rules can also be used in the exception part of a rule definition. Their use in the exception
is independent of their use as a condition within the rule. This provides the flexibility to define rules whose
condition specifies multiple information types while the exception specifies different information types. This
would allow policies such as matching specific traditional message-classification rules, but not matching other
sensitive information types, before performing the actions that you define within a policy.
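The AND semantics and the independent exception described above, shown as an added Exchange Online PowerShell example that is not from the documentation. The rule name, the chosen classification names and the rejection text are assumed values, and the session must already be connected to Exchange Online:

```powershell
# Added example, not from the Exchange documentation. It builds one mail flow rule
# with the sensitive information condition, combined with a recipient-scope
# condition (AND semantics), plus an independent sensitive information exception.
# The rule name, the classification names and the rejection text are assumed values.
# Requires a connected Exchange Online PowerShell session.

$params = @{
    Name = 'Block external mail with card or SSN data'
    # Condition A: the message contains ANY of these sensitive information types;
    # minCount is how many distinct instances must be present for the type to count
    MessageContainsDataClassifications = @(
        @{ Name = 'Credit Card Number'; minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    )
    # Condition B: at least one recipient outside the organization. A and B are
    # ANDed, so internal mail carrying card numbers is not touched by this rule.
    SentToScope = 'NotInOrganization'
    # Exception: evaluated independently of the condition. Here a message that
    # also carries a bank routing number is left to a separate, stricter rule.
    ExceptIfMessageContainsDataClassifications = @(
        @{ Name = 'ABA Routing Number'; minCount = '1' }
    )
    RejectMessageReasonText = 'Blocked: message appears to contain payment card or SSN data.'
    Mode = 'Audit'   # start in Audit; switch to Enforce after reviewing the results
}
New-TransportRule @params

# Confirm how Exchange stored the predicates and the exception
Get-TransportRule -Identity $params.Name |
    Format-List Name, MessageContainsDataClassifications,
                ExceptIfMessageContainsDataClassifications, SentToScope, Mode
```

Keeping the rule in Audit mode first lets you read the match results against the stored predicates before any message is rejected.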

For more information


Data loss prevention
Sensitive Information Types Inventory
Mail flow rules in Exchange Server
Mail flow rules (transport rules) in Exchange Online
Create a custom DLP policy
DLP policy templates supplied in Exchange
5/31/2019 • 6 minutes to read

In Microsoft Exchange Server and Exchange Online, you can use data loss prevention (DLP ) policy templates as a
starting point for building DLP policies that help you meet your specific regulatory and business policy needs. You
can modify the templates to meet the specific needs of your organization.
Caution

You should enable your DLP policies in test mode before running them in your production environment. During
such tests, it is recommended that you configure sample user mailboxes and send test messages that invoke your
test policies in order to confirm the results. Use of these policies does not ensure compliance with any
regulation. After your testing is complete, make the necessary configuration changes in Exchange so the
transmission of information complies with your organization's policies. For example, you might need to configure
TLS with known business partners or add more restrictive mail flow rule (also known as transport rule) actions,
such as adding rights protection to messages that contain a certain type of data.

Templates available for DLP


The following table lists the DLP policy templates in Exchange. To learn more about customizing these templates
to create DLP policies, see Manage DLP Policies.

TEMPLATE | DESCRIPTION

Australia Financial Data | Helps detect the presence of information commonly considered to be financial data in Australia, including credit cards, and SWIFT codes.

Australia Health Records Act (HRIP Act) | Helps detect the presence of information commonly considered to be subject to the Health Records and Information Privacy (HRIP) act in Australia, like medical account number and tax file number.

Australia Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Australia, like tax file number and driver's license.

Australia Privacy Act | Helps detect the presence of information commonly considered to be subject to the privacy act in Australia, like driver's license and passport number.

Canada Financial Data | Helps detect the presence of information commonly considered to be financial data in Canada, including bank account numbers and credit cards.

Canada Health Information Act (HIA) | Helps detect the presence of information subject to Canada Health Information Act (HIA) for Alberta, including data like passport numbers and health information.

Canada Personal Health Act (PHIPA) - Ontario | Helps detect the presence of information subject to Canada Personal Health Information Protection Act (PHIPA) for Ontario, including data like passport numbers and health information.

Canada Personal Health Information Act (PHIA) - Manitoba | Helps detect the presence of information subject to Canada Personal Health Information Act (PHIA) for Manitoba, including data like health information.

Canada Personal Information Protection Act (PIPA) | Helps detect the presence of information subject to Canada Personal Information Protection Act (PIPA) for British Columbia, including data like passport numbers and health information.

Canada Personal Information Protection Act (PIPEDA) | Helps detect the presence of information subject to Canada Personal Information Protection and Electronic Documents Act (PIPEDA), including data like passport numbers and health information.

Canada Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Canada, like health ID number and social insurance number.

France Data Protection Act | Helps detect the presence of information commonly considered to be subject to the Data Protection Act in France, like the health insurance card number.

France Financial Data | Helps detect the presence of information commonly considered to be financial information in France, including information like credit card, account information, and debit card numbers.

France Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in France, including information like passport numbers.

Germany Financial Data | Helps detect the presence of information commonly considered to be financial data in Germany like EU debit card numbers.

Germany Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Germany, including information like driver's license and passport numbers.

Israel Financial Data | Helps detect the presence of information commonly considered to be financial data in Israel, including bank account numbers and SWIFT codes.

Israel Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Israel, like national ID number.

Israel Protection of Privacy | Helps detect the presence of information commonly considered to be subject to the Protection of Privacy in Israel, including information like bank account numbers or national ID.

Japan Financial Data | Helps detect the presence of information commonly considered to be financial information in Japan, including information like credit card, account information, and debit card numbers.

Japan Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Japan, including information like driver's license and passport numbers.

Japan Protection of Personal Information | Helps detect the presence of information subject to Japan Protection of Personal Information, including data like resident registration numbers.

PCI Data Security Standard (PCI DSS) | Helps detect the presence of information subject to PCI Data Security Standard (PCI DSS), including information like credit card or debit card numbers.

Saudi Arabia - Anti-Cyber Crime Law | Helps detect the presence of information commonly considered to be subject to the Anti-Cyber Crime Law in Saudi Arabia, including international bank account numbers and SWIFT codes.

Saudi Arabia Financial Data | Helps detect the presence of information commonly considered to be financial data in Saudi Arabia, including international bank account numbers and SWIFT codes.

Saudi Arabia Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Saudi Arabia, like national ID number.

U.K. Access to Medical Reports Act | Helps detect the presence of information subject to United Kingdom Access to Medical Reports Act, including data like National Health Service numbers.

U.K. Data Protection Act | Helps detect the presence of information subject to United Kingdom Data Protection Act, including data like national insurance numbers.

U.K. Financial Data | Helps detect the presence of information commonly considered to be financial information in United Kingdom, including information like credit card, account information, and debit card numbers.

U.K. Personal Information Online Code of Practice (PIOCP) | Helps detect the presence of information subject to United Kingdom Personal Information Online Code of Practice, including data like health information.

U.K. Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in United Kingdom, including information like driver's license and passport numbers.

U.K. Privacy and Electronic Communications Regulations | Helps detect the presence of information subject to United Kingdom Privacy and Electronic Communications Regulations, including data like financial information.

U.S. Federal Trade Commission (FTC) Consumer Rules | Helps detect the presence of information subject to U.S. Federal Trade Commission (FTC) Consumer Rules, including data like credit card numbers.

U.S. Financial Data | Helps detect the presence of information commonly considered to be financial information in United States, including information like credit card, account information, and debit card numbers.

U.S. Gramm-Leach-Bliley Act (GLBA) | Helps detect the presence of information subject to Gramm-Leach-Bliley Act (GLBA), including information like social security numbers or credit card numbers.

U.S. Health Insurance Act (HIPAA) | Helps detect the presence of information subject to United States Health Insurance Portability and Accountability Act (HIPAA), including data like social security numbers and health information.

U.S. Patriot Act | Helps detect the presence of information commonly subject to U.S. Patriot Act, including information like credit card numbers or tax identification numbers.

U.S. Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in the United States, including information like social security numbers or driver's license numbers.

U.S. State Breach Notification Laws | Helps detect the presence of information subject to U.S. State Breach Notification Laws, including data like social security and credit card numbers.

U.S. State Social Security Number Confidentiality Laws | Helps detect the presence of information subject to U.S. State Social Security Number Confidentiality Laws, including data like social security numbers.

For more information


Data loss prevention
Create a DLP policy from a template
Sensitive Information Types Inventory
Create a DLP policy from a template
5/31/2019 • 3 minutes to read

In Microsoft Exchange, you can use data loss prevention (DLP ) policy templates to help meet the messaging policy
and compliance needs of your organization. These templates contain pre-built sets of rules that can help you
manage message data that is associated with several common legal and regulatory requirements. To see a list of
all the templates supplied by Microsoft, see DLP policy templates supplied in Exchange. Example DLP templates
that are supplied can help you manage:
Gramm-Leach-Bliley Act (GLBA) data
Payment Card Industry Data Security Standard (PCI-DSS )
United States Personally Identifiable Information (U.S. PII)
You can customize any of these DLP templates or use them as-is. DLP policy templates are built on top of mail
flow rules (also known as transport rules) that include new conditions or predicates and actions. DLP policies
support the full range of traditional mail flow rules, and you can add the additional rules after a DLP policy has
been established. For more information about policy templates, see What the DLP policy templates include. To
learn more about mail flow rule capabilities, see Mail flow rules (transport rules) in Exchange Online. Once you
have started enforcing a policy, you can learn how to observe the results by reviewing the Exchange Online
DLP policy detection reports.
Caution

You should enable your DLP policies in test mode before running them in your production environment. During
such tests, it is recommended that you configure sample user mailboxes and send test messages that invoke your
test policies in order to confirm the results.

What do you need to know before you begin?


Estimated time to complete: 30 minutes
Ensure that Exchange Server is set up as described in Planning and Deployment.
Configure both administrator and user accounts within your organization and validate basic mail flow.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Data loss prevention (DLP)" entry in the Messaging policy and compliance
permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure a DLP policy from a template


1. In the EAC, navigate to Compliance management > Data loss prevention, and then click Add.

NOTE
You can also select this action if you click the arrow next to the Add icon and select New DLP policy from
template from the drop down menu.

2. On the Create a new DLP policy from a template page, complete the following fields:
   Name: Add a name that will distinguish this policy from others.
   Description: Add an optional description that summarizes this policy.
   Choose a template: Select the appropriate template to begin creating a new policy.
   More options: Select the mode or state. The new policy is not fully enabled until you specify that it should
   be. The default mode for a policy is test without notifications.
3. Click Save to finish creating the policy.
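The EAC procedure above carried out in Exchange Online PowerShell, as an added example that is not part of the documentation; it goes one step beyond the procedure by also moving the policy from test mode to enforcement once the test messages from sample mailboxes have confirmed the results. The policy name, description and template choice are assumed values, and the session must already be connected to Exchange Online:

```powershell
# Added example, not from the Exchange documentation: the same procedure as the EAC
# steps above, carried out in Exchange Online PowerShell, from template selection
# through test mode to enforcement. Policy name, description and template are assumed.

# Step 1: list the Microsoft-supplied templates (the table in the previous article)
Get-DlpPolicyTemplate | Select-Object Name | Sort-Object Name

# Step 2: create the policy in test mode. Audit is "test without notifications",
# the same default the EAC applies when no mode is chosen.
New-DlpPolicy -Name 'PCI DSS (pilot)' `
              -Template 'PCI Data Security Standard (PCI DSS)' `
              -Mode Audit `
              -Description 'Pilot of the PCI DSS template; reports only'

# Step 3: inspect the mail flow rules the template generated, so test results can
# be read against the rules that produced them
Get-TransportRule -DlpPolicy 'PCI DSS (pilot)' |
    Format-Table Name, Mode, State, MessageContainsDataClassifications -AutoSize

# Step 4: after test messages from sample mailboxes confirm the behaviour, raise
# the mode in two steps: AuditAndNotify shows Policy Tips but still delivers,
# Enforce applies the blocking actions
Set-DlpPolicy -Identity 'PCI DSS (pilot)' -Mode AuditAndNotify
Set-DlpPolicy -Identity 'PCI DSS (pilot)' -Mode Enforce
Get-DlpPolicy -Identity 'PCI DSS (pilot)' | Format-List Name, Mode, State
```

Treat the two Set-DlpPolicy calls as separate change windows: the AuditAndNotify stage surfaces false positives to users before any message is actually blocked.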

NOTE
In addition to the rules within a specific template, your organization may have additional expectations or company policies
that apply to regulated data within your messaging environment. Exchange Server makes it easy for you to change the basic
template in order to add actions so that your Exchange messaging environment complies with your own requirements.

You can modify policies by editing the rules within them once the policy has been saved in your Exchange Server
environment. An example rule change might include making specific people exempt from a policy or sending a
notice and blocking message delivery if a message is found to have sensitive content. For more information about
editing policies and rules, see Manage DLP Policies.
You have to navigate to the specific policy's rule set on the Edit DLP policy page and use the tools available on
that page in order to change a DLP policy you have already created in Exchange Server.
Some policies allow the addition of rules that invoke RMS for messages. You must have RMS configured on the
Exchange server before adding the actions to make use of these types of rules.
For any of the DLP policies, you can change the rules, actions, exceptions, enforcement time period or whether
other rules within the policy are enforced and you can add your own custom conditions for each.

For more information


Data loss prevention
DLP policy templates
5/31/2019 • 4 minutes to read

A custom data loss prevention (DLP ) policy allows you to establish conditions, rules, and actions that can help
meet the specific needs of your organization, and which may not be covered in one of the pre-existing DLP
templates.
The rule conditions that are available to you in a single policy include all the traditional mail flow rules (also
known as transport rules) in addition to the sensitive information types presented in Sensitive Information Types
Inventory. For more information about mail flow rules, see Mail flow rules (transport rules) in Exchange Online.
Caution

You should enable your DLP policies in test mode before running them in your production environment. During
such tests, it is recommended that you configure sample user mailboxes and send test messages that invoke your
test policies in order to confirm the results. For more information about testing, see Test a mail flow rule.
For additional management tasks related to creating a custom DLP policy, see DLP Procedures (Exchange Server)
or DLP Procedures (Exchange Online).

What do you need to know before you begin?


Estimated time to complete: 60 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Data loss prevention (DLP )" entry in the Messaging policy and compliance
permissions topic.
In order to create a new custom DLP policy, you must follow the installation instructions for Exchange
Server. For more information about deployment, see Planning and Deployment.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

NOTE
Due to the variances in customer environments and content match requirements, Microsoft Support cannot assist in
providing custom content matching definitions; e.g., defining Custom Classifications and/or Regular Expression patterns
("RegEx"). For custom content matching development, testing, and debugging, Office 365 customers will need to rely upon
internal IT resources, or use an external consulting resource such as Microsoft Consulting Services (MCS). Support engineers
can provide limited support for the feature, but cannot provide assurances that any custom content matching development
will fulfill the customer's requirements or obligations. As an example of the type of support which can be provided, sample
regular expression patterns may be provided for testing purposes. Or support can assist with troubleshooting an existing
RegEx pattern which is not triggering as expected with a single specific content example.

For additional information on the .NET regex engine which is used for processing the text, see
https://docs.microsoft.com/dotnet/standard/base-types/regular-expressions.

Create a custom DLP policy


TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to create a custom DLP policy without any existing rules
1. In the EAC, navigate to Compliance management > Data loss prevention. Any existing policies that
you have configured are shown in a list.
2. Click the arrow that is beside the Add icon, and select New custom policy.

IMPORTANT
If you click Add icon instead of the arrow, you will create a new policy based on a template. For more information
about using templates, see Create a DLP policy from a template.

3. On the New custom policy page, complete the following fields:
   Name: Add a name that will distinguish this policy from others.
   Description: Add an optional description that summarizes this policy.
   Choose a state: Select the mode or state for this policy. The new policy is not fully enabled until you
   specify that it should be. The default mode for a policy is test without notifications.
4. Click Save to finish creating the new policy reference information. The policy is added to the list of all
   policies that you have configured, although there are not yet any rules or actions associated with this new
   custom policy.
5. Double-click the policy that you just created or select it and click Edit.
6. On the Edit DLP policy page, click Rules.
7. Click Add to add a new blank rule. You can establish conditions using all the traditional mail flow rules in
   addition to the sensitive information types.
   In order to avoid confusion, supply a unique name for each part of your policy or rule when you have the
   option to provide your own character string. There are several additional options available to you:
   Click the arrow that is beside the Add icon to add a rule about sender notification or allowing overrides.
   To remove a rule, highlight the rule and click Delete.
   Click More options to add additional conditions and actions for this rule, including time-bound limits of
   enforcement or effects on other rules in this policy.
8. Click Save to finish modifying the policy and save your changes.

DLP policy templates are one type of feature in Microsoft Exchange that can help you design and apply a robust
policy and compliance system for your messaging environment. For more information about compliance features,
see Messaging Policy and Compliance (Exchange 2016) or Security and compliance for Exchange Online.

For more information


Data loss prevention
Mail flow rules in Exchange Server (Exchange 2016)
Mail flow rules (transport rules) in Exchange Online
Integrating sensitive information rules with mail flow rules
Policy Tips in Exchange Online
6/24/2019 • 6 minutes to read

You can help to prevent your organization's Outlook, Outlook on the web (formerly known as Outlook Web App),
and OWA for Devices email users from inappropriately sending sensitive information by creating data loss
prevention (DLP ) policies that include Policy Tip notification messages. Similar to MailTips that were introduced
in Exchange Server 2010, Policy Tip notification messages are displayed to users in Outlook while they are
composing an email message. Policy Tip notification messages only show up if something about the sender's
email message seems to violate a DLP policy that you have in place and that policy includes a rule to notify the
sender when the conditions that you establish are met.
In order to show Policy Tips to your email senders, your rules must include the Notify the sender with a Policy
Tip action. You can add this in the rules editor from the Exchange admin center. For more information, see
Manage policy tips.
DLP policies do not differentiate between email message attachments, body text, or subject lines while evaluating
messages and the conditions within your policies. For example, if a user creates an email message that includes a
credit card number in the body of the message and then attempts to address the message to a recipient outside
your organization, then a Policy Tip notification message can be shown to that user in Outlook or Outlook on the
web reminding them of your enterprise's expectations for such information. However, this type of notification will
only show up if you have configured a DLP policy that restricts the example actions described; in this case adding
an external email alias to the header of a message with credit card data. There is a great variety of conditions,
actions, and exceptions you can choose from while creating DLP policies. This variety allows you to tailor your
data loss prevention efforts in a way that meets your specific organization's needs.
Any time you use either the notify sender action or an override action within a rule, we recommend that you also
include the condition that the message was sent from within your organization. You can do this by using the
policy rules editor to add the following condition: The sender is located... > inside the organization. Learn
more about changing existing DLP policies at Manage DLP Policies. This is a best practice recommendation
because the notify sender action is applied as part of your company's message creation experience. The senders
referred to by the action are the authors of messages within your company. The user interaction presented by
Policy Tips cannot be acted upon by your users for incoming messages and will be ignored when the sender is
located outside your organization. You can apply DLP policies to scan incoming messages and take a variety of
actions, but when you do this, don't add the notify sender action.
If email senders in your organization who are in the act of composing a message are made aware of your
organizational expectations and standards in real time through Policy Tip notifications, then they are less likely to
violate standards that your organization wants to enforce.

NOTE
DLP is a premium feature that requires an Exchange Online Plan 2 subscription. For more information, see Exchange Online
Licensing.

Default text for Policy Tips and rule options


You have a range of possible options when you add sender notification rules to DLP policies. When you add a
rule to notify the sender by using the Notify the sender with a Policy Tip action within a DLP policy, you can
choose how restrictive to be. The notification options in the following table are available. For general information
about editing policies, see Manage DLP Policies. For specific information about creating Policy Tips, see Manage
policy tips.

The table has three columns: the notification rule, its meaning, and the default Policy Tip notification message
that Outlook users will see.

Notify only
Meaning: Similar to MailTips, this causes an informative Policy Tip notification message about a policy violation.
A sender can prevent this type of tip from showing up by using a Policy Tip options dialog box that can be
accessed in Outlook.
Default message: This message may contain sensitive content. All recipients must be authorized to receive this
content.

Reject message
Meaning: The message will not be delivered until the condition is no longer present. The sender is provided with
an option to indicate that their email message does not contain sensitive content. This is also known as a
false-positive override. If the sender indicates this, then Outlook will allow the message to leave the outbox so
that the user's report may be audited, but Exchange will block the message from being sent.
Default message: This message may contain sensitive content. Your organization won't allow this message to be
sent until that content is removed.

Reject unless false positive override
Meaning: The result with this notification rule is similar to the Reject message notification rule. However, if
you select this then Exchange will allow the message to be sent to the intended recipient, instead of blocking the
message.
Default message, before the sender selects an option to override: This message may contain sensitive content.
Your organization won't allow this message to be sent until that content is removed.
Default message, after the sender selects an option to override: Your feedback will be submitted to your
administrator when the message is sent.

Reject unless silent override
Meaning: The message will not be delivered until the condition is no longer present or the sender indicates an
override. The sender is provided with an option to indicate that they wish to override the policy.
Default message, before the sender selects an option to override: This message may contain sensitive content.
Your organization won't allow this message to be sent until that content is removed.
Default message, after the sender selects an option to override: You have overridden your organization's policy
for sensitive content in this message. Your action will be audited by your organization.

Reject unless explicit override
Meaning: The result with this notification rule is similar to the Reject unless silent override notification
rule, except that in this case when the sender attempts to override the policy, they are required to provide a
justification for overriding the policy.
Default message, before the sender selects an option to override: This message may contain sensitive content.
Your organization won't allow this message to be sent until that content is removed.
Default message, after the sender selects an option to override: You have overridden your organization's policy
for sensitive content in this message. Your action will be audited by your organization.

Customize your Policy Tip notification messages


To customize the text of a Policy Tip notification that email senders see in their email program, select Manage
Policy Tips on the Data Loss Prevention page. In order for any of your custom text to appear, a DLP policy rule
must include the Notify the sender with a Policy Tip action. Add the action to a rule by using the DLP rules
editor.
For procedures that explain how to create your own Policy Tips, see Manage policy tips. The custom text that you
create can replace the default text shown in the previous table.

POLICY TIP NOTIFICATION ACTIONS AND SETTINGS | MEANING

Notify the sender | Your text only appears when a Notify the sender, but allow them to send action is initiated.

Allow the sender to override | Your text only appears when the following actions are initiated: Block the message
unless it's a false positive, Block the message, but allow the sender to override and send.

Block the message | Your text only appears when a Block the message action is initiated.

Link to compliance URL | The compliance URL is a link to a web page where you can explain your compliance and
override policies. This link is displayed in the Policy Tip when a user clicks the More details link.

For more information


Data loss prevention
Manage DLP Policies
Manage policy tips
Manage policy tips
6/24/2019 • 8 minutes to read

Policy Tips are informative notices that are displayed to email senders while they're composing a message. The
purpose of the Policy Tip is to educate users that they might be violating the business practices or policies that you
are enforcing with the data loss prevention (DLP) policies that you have established. The following procedures will
help you begin using Policy Tips.

What do you need to know before you begin?


Estimated time to complete each procedure: 30 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Data loss prevention (DLP)" entry in the Messaging policy and compliance
permissions topic.
Policy Tips will only show up for email senders when the following conditions are met:
1. Sender's message client program is Microsoft Outlook 2013. If your organization has deployed Exchange
2013 SP1 or is using Exchange Online, Policy Tips also show up in Outlook on the web (formerly known as
Outlook Web App) and OWA for Devices.
2. A mail flow rule (also known as a transport rule) exists that invokes Policy Tip notifications. You can create
such a mail flow rule by configuring a DLP policy that includes the action Notify the sender with a
Policy Tip.
3. The content of a message header, message body, or message attachment meets the conditions established
within the DLP policies or rules that also include Policy Tip notification rules. Put another way, the Policy
Tip only shows up for end-users if they do something that causes the associated rule to take action.
The default Policy Tip notification text that is built into the system will be shown if you don't use the
Policy Tip settings feature to customize your Policy Tip text. To learn more about the default text, see
Policy Tips.
For information about keyboard shortcuts that may apply to the procedures in this topic, see
Keyboard shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Create or modify a notify-only Policy Tip


This procedure results in an informational Policy Tip being shown to an email sender when the conditions of a
specific rule are met. In Microsoft Outlook, the sender can prevent this tip from showing up by using a Policy Tip
options dialog box. To configure custom Policy Tip text, see the Create custom Policy Tip notification text section
later in this topic.
Use the EAC to configure notify-only Policy Tips
1. In the EAC, go to Compliance management > Data loss prevention.
2. Double-click one of the policies that appear in your list of policies or highlight one item and select Edit.
3. On the Edit DLP policy page, select Rules.
4. To add Policy Tips to an existing rule, highlight the rule and select Edit.
To add a new blank rule that you can fully customize, select Add and then select Create a new rule.
5. In Apply this rule if, select The message contains sensitive information. This condition is required.
6. Select Add, select the sensitive information types, select Add, select OK, and then select OK.
7. In the Do the following box, select Notify the sender with a Policy Tip, and select an option in the
Choose whether the message is blocked or can be sent drop-down list, and then select OK.
8. If you want to add additional conditions or actions, at the bottom of the window, select More options.
Note:
You can only use the following conditions:
The recipient is (SentTo)
The recipient is located (SentToScope)
The sender is (From)
The sender is a member of (FromMemberOf)
The sender is located (FromScope)
You can't use the following actions:
Reject the message and include an explanation (RejectMessageReasonText)
Reject the message with the enhanced status code of (RejectMessageEnhancedStatusCode)
Delete the message without notifying anyone (DeleteMessage)
9. In the Choose a mode for this rule list, select whether you want the rule to be enforced. We recommend
testing the rule first.
10. Select Save to finish modifying the rule and save your changes.
How do you know this worked?
To verify that you have successfully created a Policy Tip that will only notify a sender, do the following:
1. In the EAC, go to Compliance management > Data loss prevention.
2. Select the policy that you expect to contain a notification message.
3. Select Edit and then select Rules.
4. Select the specific rule that you expect to contain a notification message.
5. Confirm that your Notify the sender action appears in the lower portion of the rule summary.

Create or modify a block-message Policy Tip


This procedure results in a Policy Tip being shown to an email sender that indicates a message is rejected and it
will not be delivered until the problematic condition is no longer present. The sender is provided with an option to
indicate that their email message does not contain the problematic condition. This is also known as a false-positive
override. If the sender indicates this, then the message can leave the outbox and the user's report may be audited.
However, Exchange will block the message from being sent.
Use the EAC to configure block-message Policy Tips
1. In the EAC, go to Compliance management > Data loss prevention.
2. Double-click one of the policies that appear in your list of policies or highlight one item and select Edit.
3. On the Edit DLP policy page, select Rules.
4. To add Policy Tips to an existing rule, highlight the rule and select Edit.
5. To add a new blank rule that you can fully customize, select Add.
6. To add an action that will reveal a Policy Tip, select More options... and then select the Add action button.
7. From the drop-down list, select Notify the sender with a Policy Tip and then select Block the message.
8. Select OK, then select Save to finish modifying the rule and save your changes.
How do you know this worked?
To verify that you have successfully created a reject message Policy Tip, do the following:
1. In the EAC, go to Compliance management > Data loss prevention.
2. Select one time to highlight the policy that you expect to contain a notification message.
3. Select Edit and then select Rules.
4. Select one time to highlight the specific rule that you expect to contain a notification message.
5. Confirm that your Notify the sender that the message can't be sent action appears in the lower
portion of the rule summary.

Create or modify a block-unless-override Policy Tip


There are four options for Policy Tips that can reject messages or prevent messages from leaving the sender's
outbox. To learn more about these options, see Policy Tips.
Use the EAC to configure block-unless-override Policy Tips
1. In the EAC, go to Compliance management > Data loss prevention.
2. Double-click one of the policies that appear in your list of policies or highlight one item and select Edit.
3. On the Edit DLP policy page, select Rules.
4. To add Policy Tips to an existing rule, highlight the rule and select Edit.
To add a new blank rule that you can fully customize, select Add and then select More options....
5. To add the action that will reveal a Policy Tip, select the Add action button.
6. From the drop-down list, select Notify the sender with a Policy Tip and then select Block the message,
but allow the sender to override and send.
7. Select OK, then select Save to finish modifying the rule and save your changes.
How do you know this worked?
To verify that you have successfully created a reject unless override Policy Tip, do the following:
1. In the EAC, go to Compliance management > Data loss prevention.
2. Select one time to highlight the policy that you expect to contain a notification message.
3. Select Edit and then select Rules.
4. Select one time to highlight the specific rule that you expect to contain a notification message.
5. Confirm that your Block the message, but allow the sender to override and send action appears in
the lower portion of the rule summary.

Create custom Policy Tip notification text


This optional procedure will help you to customize the Policy Tip notification text that email senders see in their
email program. If you do this, your custom Policy Tip notification text will not appear unless you also configure a
DLP policy rule with an action that will cause the notification to appear. Keep in mind that there are default system
Policy Tip notifications that can be shown if you do not customize your Policy Tip notification text. To learn more
about the default text, see Policy Tips.
Use the EAC to create and manage custom Policy Tip notification text
1. In the EAC, go to Compliance management > Data loss prevention.
2. Select Policy Tip settings.
3. To add a new Policy Tip with your own customized message, select Add. For more information about the
action choices available, see Policy Tips.
To modify an existing Policy Tip, highlight the tip and select Edit.
To delete an existing Policy Tip, highlight it and select Delete, and then confirm your action.
4. Select Save to finish modifying the Policy Tip and save your changes.
5. Select Close to finish managing your Policy Tips and save your changes.
Use Exchange Online PowerShell to create custom Policy Tip notification text
The following example creates a new English-language Policy Tip that will block a message from being sent. The
text of this custom Policy Tip is changed to the following value: "This message appears to contain restricted
content and will not be delivered."

New-PolicyTipConfig -Name en\Reject -Value "This message appears to contain restricted content and will not be delivered."

For more information about DLP cmdlets, see Messaging Policy and Compliance Cmdlets.
Use Exchange Online PowerShell to modify custom Policy Tip notification text
The following example modifies an existing English-language, notify-only Policy Tip. The text of this custom Policy
Tip is changed to "Sending bank account numbers in email is not recommended."

Set-PolicyTipConfig -Identity en\NotifyOnly -Value "Sending bank account numbers in email is not recommended."

For more information about DLP cmdlets, see Messaging Policy and Compliance Cmdlets.
How do you know this worked?
To verify that you have successfully created custom Policy Tip text, do the following:
1. In the EAC, go to Compliance management > Data loss prevention.
2. Select Policy Tip settings.
3. Select Refresh.
4. Confirm that your action, locale and text for that locale appear in the list.

For more information


Data loss prevention
Policy Tips
Mail flow rules in Exchange Server
Mail flow rules (transport rules) in Exchange Online
Exchange 2010 MailTips
Exchange auditing reports
6/24/2019 • 6 minutes to read

Use audit logging to troubleshoot configuration issues by tracking specific changes made by administrators and to
help you meet regulatory, compliance, and litigation requirements. Exchange Online provides two types of audit
logging:
Administrator audit logging records any action, based on an Exchange Online PowerShell cmdlet,
performed by an administrator. This can help you troubleshoot configuration issues or identify the cause of
security-related or compliance-related problems. In Exchange Online, actions performed by Microsoft
administrators and delegated administrators are also recorded.
Mailbox audit logging records when a mailbox is accessed by an administrator, a delegated user, or the
person who owns the mailbox. This can help you determine who has accessed a mailbox and what they've
done.

Export audit logs


On the Compliance Management > Auditing page in the Exchange admin center (EAC), you can search for and
export entries from the administrator audit log and the mailbox audit log.
Export the administrator audit log: Any action performed by an administrator that's based on an
Exchange Online PowerShell cmdlet that doesn't begin with the verbs Get, Search, or Test is logged in the
administrator audit log. Audit log entries include the cmdlet that was run, the parameter and values used
with the cmdlet, and when the operation was successful. You can search for and export entries from the
administrator audit log. When you export your search results, Microsoft Exchange saves them in an XML
file and attaches it to an email message. For more information, see:
Search the role group changes or administrator audit logs
View and export the external admin audit log

NOTE
By default, admin audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted. This
setting can't be changed in a cloud-based organization. However, it can be changed in an on-premises
Exchange organization by using the Set-AdminAuditLog cmdlet.

Export mailbox audit logs: When mailbox audit logging is enabled for a mailbox, Microsoft Exchange
stores a record of actions performed on mailbox data by non-owners in the mailbox audit log, which is
stored in a hidden folder in the mailbox being audited. Mailbox audit logging can also be configured to log
owner actions. Entries in this log indicate who accessed the mailbox and when, the actions performed, and
whether the action was successful. When you search for entries in the mailbox audit log and export them,
Microsoft Exchange saves the search results in an XML file and attaches it to an email message. For more
information, see Export mailbox audit logs.

Run auditing reports


When you run any of the following reports on the Auditing page in the EAC, the results are displayed in the
details pane of the report.
Run a non-owner mailbox access report: Use this report to find mailboxes that have been accessed by
someone other than the person who owns the mailbox. For more information, see Run a non-owner
mailbox access report.
Run an administrator role group report: Use this report to search for changes made to administrator
role groups. For more information, see Search the role group changes or administrator audit logs.
Run an in-place discovery and hold report: Use this report to find mailboxes that have been put on, or
removed from, In-Place Hold. For more information, see:
In-Place Hold and Litigation Hold
In-Place eDiscovery
Run a per-mailbox litigation hold report: Use this report to find mailboxes that were put on, or removed
from, litigation hold. For more information, see:
Run a per-mailbox litigation hold report
Place a mailbox on Litigation Hold
Run the admin audit log report: Use this report to view entries from the administrator audit log. Instead
of exporting the administrator audit log, which can take up to 24 hours to receive in an email message, you
can run this report in the EAC. This report records configuration changes made by administrators in your
organization. Up to 5000 entries will be displayed on multiple pages. To narrow the search, you can specify
a date range. For more information, see:
View the administrator audit log
Administrator audit logging
Run the external admin audit log report: This report is only available in Exchange Online and Exchange
Online Protection. Actions performed by Microsoft administrators or delegated administrators are logged
in the administrator audit log. Use the external admin audit log report to search for and view the actions
that administrators outside your organization performed on the configuration of your Exchange Online
organization. For more information, see View and export the external admin audit log.

Configure audit logging


Before you can run auditing reports and export audit logs, you have to configure audit logging for your
organization.
Enable mailbox audit logging
You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access
report for. If mailbox audit logging isn't enabled for a mailbox, you won't get any results when you run a report for
it or export the mailbox audit log.
To enable mailbox audit logging for a single mailbox, run the following command in Exchange Online PowerShell.

Set-Mailbox <Identity> -AuditEnabled $true

To enable mailbox auditing for all user mailboxes in your organization, run the following commands.

$UserMailboxes = Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

For more information about configuring which actions are logged, see:
Exchange Server: Enable or disable mailbox audit logging for a mailbox
Exchange Online: Enable mailbox auditing in Office 365
Give users access to Auditing reports
By default, administrators can access and run any of the reports on the Auditing page in the EAC. However, other
users, such as a records manager or legal staff, have to be assigned the necessary permissions.
The easiest way to give users access is to add them to the Records Management role group. You can also use
Exchange Online PowerShell to give a user access to the Auditing page in the EAC by assigning the Audit Logs
role to the user.
Add a user to the Records Management role group
1. Go to Permissions > Admin Roles.
2. In the list of role groups, click Records Management, and then click Edit.
3. Under Members, click Add.
4. In the Select Members dialog box, select the user. You can search for a user by typing all or part of a
display name, and then clicking Search. You can also sort the list by clicking the Name or Display
Name column headings.
5. Click Add and then click OK to return to the role group page.
6. Click Save to save the change to the role group.
In the details pane, the user is listed under Members and can access the Auditing page in the EAC, run auditing
reports, and export audit logs.
Assign the Audit Logs role to a user
Run the following command to assign the Audit Logs role to a user.

New-ManagementRoleAssignment -Role "Audit Logs" -User <Identity>

This enables the user to select Compliance Management > Auditing in the EAC to run any of the reports. The
user can also export the mailbox audit log, and export and view the administrator audit log.

NOTE
To allow a user to run auditing reports but not to export audit logs, use the preceding command to assign the View-Only
Audit Logs role.

Configure Outlook on the web to allow XML attachments


When you export the mailbox audit log or administrator audit log, Microsoft Exchange attaches the audit log,
which is an XML file, to an email message. However, Outlook on the web (formerly known as Outlook Web App)
blocks XML attachments by default. If you want to use Outlook on the web to access these audit logs, you have to
configure Outlook on the web to allow XML attachments.
Run the following command to allow XML attachments in Outlook on the web.

Set-OwaMailboxPolicy -Identity Default -AllowedFileTypes '.rpmsg','.xlsx','.xlsm','.xlsb','.tiff','.pptx','.pptm',
'.ppsx','.ppsm','.docx','.docm','.zip','.xls','.wmv','.wma','.wav','.vsd','.txt','.tif','.rtf','.pub','.ppt',
'.png','.pdf','.one','.mp3','.jpg','.gif','.doc','.bmp','.avi','.xml'

Export mailbox audit logs
6/24/2019 • 7 minutes to read

When mailbox auditing is enabled for a mailbox, Microsoft Exchange logs information in the mailbox audit log
whenever a user other than the owner accesses the mailbox. Each log entry includes information about who
accessed the mailbox and when, the actions performed by the non-owner, and whether the action was successful.
Entries in the mailbox audit log are retained for 90 days by default. You can use the mailbox audit log to determine
if a user other than the owner has accessed a mailbox.
When you export entries from mailbox audit logs, Microsoft Exchange saves the entries in an XML file and
attaches it to an email message sent to the specified recipients.

Before you begin


Estimated time to complete each procedure: Times are variable. In Exchange Online, the mailbox audit log is
sent within a few days after you export it.
In Exchange Online, you have to use Remote Windows PowerShell to perform many of the procedures in
this topic. For details, see Connect to Exchange Online Using Remote PowerShell.
Procedures in this topic require specific permissions. See each procedure for its permissions information.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Configure mailbox audit logging


You have to enable mailbox audit logging on each mailbox that you want to audit before you can export and view
mailbox audit logs. You also have to configure Outlook on the web (formerly known as Outlook Web App) to allow
XML attachments to use Outlook on the web to access the audit log.
Step 1: Enable mailbox audit logging
You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access
report for. If mailbox audit logging isn't enabled for a mailbox, you won't get any results for that mailbox when you
export the mailbox audit log.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mailbox audit logging" entry in the Messaging policy and compliance permissions
topic.
To enable mailbox audit logging for a single mailbox, run the command in Exchange Online PowerShell.

Set-Mailbox <Identity> -AuditEnabled $true

To enable mailbox audit logging for all user mailboxes in your organization, run the following commands.

$UserMailboxes = Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

Step 2: Configure Outlook on the web to allow XML attachments


When you export the mailbox audit log, Microsoft Exchange attaches the audit log, which is an XML file, to an
email message. However, Outlook on the web blocks XML attachments by default. To access the exported audit
log, you have to use Microsoft Outlook or configure Outlook on the web to allow XML attachments.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Outlook on the web mailbox policies" entry in the Client Access Permissions topic.
Perform the following procedures to allow XML attachments in Outlook on the web. In Exchange Server, use the
value Default for the Identity parameter.
1. Run the following command to add XML to the list of allowed file types in Outlook on the web.

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes @{add='.xml'}

2. Run the following command to remove XML from the list of blocked file types in Outlook on the web.

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -BlockedFileTypes @{remove='.xml'}

How do you know this worked?


To verify that you've successfully configured mailbox audit logging, do the following:
1. Run the following command to verify that audit logging is configured for mailboxes.

Get-Mailbox | Format-List Name,AuditEnabled

A value of True for the AuditEnabled property verifies that audit logging is enabled.
2. Run the following command to verify that XML attachments are allowed in Outlook on the web.

Get-OwaMailboxPolicy | Select-Object -ExpandProperty AllowedFileTypes

Verify that .xml is included in the list of allowed file types.
3. Run the following command to verify that XML attachments are removed from the blocked file list in
Outlook on the web.

Get-OwaMailboxPolicy | Select-Object -ExpandProperty BlockedFileTypes

Verify that .xml isn't included in the list of blocked file types.

Export the mailbox audit log


You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "View-only administrator audit logging" entry in the Shell Infrastructure
Permissions topic.
1. In the Exchange admin center (EAC ), go to Compliance Management > Auditing.
2. Click Export mailbox audit logs.
3. Configure the following search criteria for exporting the entries from the mailbox audit log:
Start and end dates: Select the date range for the entries to include in the exported file.
Mailboxes to search audit log for: Select the mailboxes to retrieve audit log entries for.
Type of non-owner access: Select one of the following options to define the type of non-owner
access to retrieve entries for:
All non-owners: Search for access by administrators and delegated users inside your
organization, and by Microsoft datacenter administrators in Exchange Online.
External users: Search for access by Microsoft datacenter administrators.
Administrators and delegated users: Search for access by administrators and delegated
users inside your organization.
Administrators: Search for access by administrators in your organization.
Recipients: Select the users to send the mailbox audit log to.
4. Click Export.
Microsoft Exchange retrieves entries in the mailbox audit log that meet your search criteria, saves them to a file
named SearchResult.xml, and then attaches the XML file to an email message sent to the recipients that you
specified.
How do you know this worked?
Sign in to the mailbox where the mailbox audit log was sent. If you've successfully exported the audit log, you'll
receive a message sent from Exchange. In Exchange Online, it may take a few days to receive this message. The
mailbox audit log (named SearchResult.xml) will be attached to this message. If you've correctly configured
Outlook on the web to allow XML attachments, you can download the attached XML file.

View the mailbox audit log


You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "View-only administrator audit logging" entry in the Shell Infrastructure
Permissions topic.
To save and view the SearchResult.xml file:
1. Sign in to the mailbox where the mailbox audit log was sent.
2. In the Inbox, open the message with the XML file attachment sent by Microsoft Exchange. Notice that the
body of the email message contains the search criteria.
3. Click the attachment and select to download the XML file.
4. Open the SearchResult.xml in Microsoft Excel.

More information
Entries in the mailbox audit log
The following example shows an entry from the mailbox audit log contained in the SearchResult.xml file. Each
entry is preceded by the <Event> XML tag and ends with the </Event> XML tag. This entry shows that the
administrator purged the message with the subject, "Notification of litigation hold" from the Recoverable Items
folder in David's mailbox on April 30, 2010.

<Event MailboxGuid="6d4fbdae-e3ae-4530-8d0b-f62a14687939"
Owner="PPLNSL-dom\david50001-1363917750"
LastAccessed="2010-04-30T11:01:55.140625-07:00"
Operation="HardDelete"
OperationResult="Succeeded"
LogonType="Admin"
FolderId="0000000073098C3277988F4CB882F5B82EBF64610100A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000"
FolderPathName="\Recoverable Items\Deletions"
ClientInfoString="Client=OWA;Action=ViaProxy"
ClientIPAddress="10.196.241.168"
InternalLogonType="Owner"
MailboxOwnerUPN="david@contoso.com"
MailboxOwnerSid="S-1-5-21-290112810-296651436-1966561949-1151"
CrossMailboxOperation="false"
LogonUserDN="Administrator"
LogonUserSid="S-1-5-21-290112810-296651436-1966561949-1149">
<SourceItems>
<Item Id="0000000073098C3277988F4CB882F5B82EBF64610700A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000A7C317F68C24304BBD18ABE1F185E79B00000026BD540"
Subject="Notification of litigation hold"
FolderPathName="\Recoverable Items\Deletions" />
</SourceItems>
</Event>

Useful fields in the mailbox audit log


Here's a description of useful fields in the mailbox audit log. They can help you identify specific information about
each instance of non-owner access of a mailbox.

FIELD: DESCRIPTION

Owner: The owner of the mailbox that was accessed by a non-owner.

LastAccessed: The date and time when the mailbox was accessed.

Operation: The action that was performed by the non-owner. For more information, see the "What gets logged in the mailbox audit log?" section in Run a Non-Owner Mailbox Access Report.

OperationResult: Whether the action performed by the non-owner succeeded or failed.

LogonType: The type of non-owner access. These include administrator, delegate, and external.

FolderPathName: The name of the folder that contained the message that was affected by the non-owner.

ClientInfoString: Information about the mail client used by the non-owner to access the mailbox.

ClientIPAddress: The IP address of the computer used by the non-owner to access the mailbox.

InternalLogonType: The logon type of the account used by the non-owner to access this mailbox.

MailboxOwnerUPN: The email address of the mailbox owner.

LogonUserDN: The display name of the non-owner.

Subject: The subject line of the email message that was affected by the non-owner.

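As an added example (not Microsoft's code and not part of this documentation), the following Python script parses <Event> entries in the layout shown above, reads the fields listed in the table, and builds the same kind of non-owner access report that the EAC produces from the exported SearchResult.xml: owner access is dropped, the four "Type of non-owner access" options and an optional date range are applied, and non-owner hard deletes from Recoverable Items (the case in the documented entry) are singled out for review. The root element name, the LogonType values Admin, Delegate and External, the mapping of the EAC options to those values, and all sample data are assumptions or constructed for the example.

```python
"""Non-owner mailbox access report from an exported SearchResult.xml.

Added example, not Microsoft's tooling. The <Event>/<SourceItems>/<Item>
layout and attribute names follow the documented log entry; the root element
name, the LogonType values and the sample data below are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional

# The EAC's "Type of non-owner access" options mapped to LogonType values.
# The mapping is an assumption based on the documented logon types
# (administrator, delegate, external); owner access is never reported.
ACCESS_TYPES: Dict[str, FrozenSet[str]] = {
    "All non-owners": frozenset({"Admin", "Delegate", "External"}),
    "External users": frozenset({"External"}),
    "Administrators and delegated users": frozenset({"Admin", "Delegate"}),
    "Administrators": frozenset({"Admin"}),
}

REPORT_FIELDS = ("MailboxOwnerUPN", "LastAccessed", "Operation", "OperationResult",
                 "LogonType", "LogonUserDN", "ClientIPAddress", "ClientInfoString",
                 "FolderPathName", "Subjects")

_EXTRA_FRACTION = re.compile(r"(\.\d{6})\d+")


def parse_timestamp(value: str) -> datetime:
    """Parse a LastAccessed value. Exchange may write seven fractional digits;
    trim to the six that datetime.fromisoformat accepts on older Pythons."""
    return datetime.fromisoformat(_EXTRA_FRACTION.sub(r"\1", value))


def parse_events(xml_text: str) -> List[dict]:
    """Return one dict per <Event>, with the subjects of its source items."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("Event"):  # root element name does not matter
        entry = dict(ev.attrib)
        entry["LastAccessed"] = parse_timestamp(entry["LastAccessed"])
        entry["Subjects"] = [i.get("Subject", "") for i in ev.iter("Item")]
        events.append(entry)
    return events


def non_owner_report(events: List[dict], access_type: str = "All non-owners",
                     start: Optional[datetime] = None,
                     end: Optional[datetime] = None) -> List[dict]:
    """Filter to the chosen logon types and date range (start/end must carry a
    UTC offset, like the log timestamps) and sort by access time."""
    wanted = ACCESS_TYPES[access_type]
    rows = []
    for e in events:
        if e.get("LogonType") not in wanted:
            continue  # owner access, or an unknown logon type
        when = e["LastAccessed"]
        if (start and when < start) or (end and when > end):
            continue
        rows.append({f: e.get(f) for f in REPORT_FIELDS})
    return sorted(rows, key=lambda r: r["LastAccessed"])


def recoverable_items_purges(rows: List[dict]) -> List[dict]:
    """Non-owner hard deletes from Recoverable Items: the operation in the
    documented entry, and the first thing to review for a mailbox on hold."""
    return [r for r in rows if r["Operation"] == "HardDelete"
            and (r["FolderPathName"] or "").startswith(r"\Recoverable Items")]


# Constructed sample export: four entries for one mailbox (not real data).
SAMPLE_XML = r"""<SearchResults>
<Event Owner="contoso\david" MailboxOwnerUPN="david@contoso.com"
       LastAccessed="2010-04-28T09:15:00-07:00" Operation="SendAs"
       OperationResult="Succeeded" LogonType="Delegate" LogonUserDN="Ana Bowman"
       ClientInfoString="Client=MSExchangeRPC" ClientIPAddress="10.0.0.9"
       FolderPathName="\Sent Items">
  <SourceItems><Item Id="item-1" Subject="Quarterly numbers" FolderPathName="\Sent Items"/></SourceItems>
</Event>
<Event Owner="contoso\david" MailboxOwnerUPN="david@contoso.com"
       LastAccessed="2010-04-29T13:00:00-07:00" Operation="Update"
       OperationResult="Succeeded" LogonType="Owner" LogonUserDN="David"
       ClientInfoString="Client=OWA" ClientIPAddress="10.0.0.5" FolderPathName="\Inbox">
  <SourceItems><Item Id="item-2" Subject="Lunch" FolderPathName="\Inbox"/></SourceItems>
</Event>
<Event Owner="contoso\david" MailboxOwnerUPN="david@contoso.com"
       LastAccessed="2010-04-30T11:01:55.1406250-07:00" Operation="HardDelete"
       OperationResult="Succeeded" LogonType="Admin" LogonUserDN="Administrator"
       ClientInfoString="Client=OWA;Action=ViaProxy" ClientIPAddress="10.0.0.8"
       FolderPathName="\Recoverable Items\Deletions">
  <SourceItems><Item Id="item-3" Subject="Notification of litigation hold"
        FolderPathName="\Recoverable Items\Deletions"/></SourceItems>
</Event>
<Event Owner="contoso\david" MailboxOwnerUPN="david@contoso.com"
       LastAccessed="2010-05-02T08:00:00-07:00" Operation="FolderBind"
       OperationResult="Succeeded" LogonType="External" LogonUserDN="Datacenter operator"
       ClientInfoString="Client=WebServices" ClientIPAddress="10.0.0.20"
       FolderPathName="\Inbox">
  <SourceItems/>
</Event>
</SearchResults>"""

if __name__ == "__main__":
    rows = non_owner_report(parse_events(SAMPLE_XML))
    for r in rows:
        print(r["LastAccessed"].isoformat(), r["LogonType"], r["LogonUserDN"],
              r["Operation"], r["FolderPathName"], r["Subjects"])
    print("Purges from Recoverable Items:", len(recoverable_items_purges(rows)))
```

Point the script at a saved SearchResult.xml (read the file instead of SAMPLE_XML) to get the same report offline without Excel; since the XML exported from Exchange Online can be a few days old by the time it arrives, keep the date filter aligned with the range you selected when exporting.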
Run a non-owner mailbox access report
5/31/2019 • 5 minutes to read

The Non-Owner Mailbox Access Report in the Exchange admin center (EAC) lists the mailboxes that have been
accessed by someone other than the person who owns the mailbox. When a mailbox is accessed by a non-owner,
Microsoft Exchange logs information about this action in a mailbox audit log that's stored as an email message in a
hidden folder in the mailbox being audited. Entries from this log are displayed as search results and include a list of
mailboxes accessed by a non-owner, who accessed the mailbox and when, the actions performed by the non-owner,
and whether the action was successful. By default, entries in the mailbox audit log are retained for 90 days.
When you enable mailbox audit logging for a mailbox, Microsoft Exchange logs specific actions by non-owners,
including both administrators and users, called delegated users, who have been assigned permissions to a mailbox.
You can also narrow the search to users inside or outside your organization.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mailbox audit logging" entry in the Messaging policy and compliance
permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Enable mailbox audit logging


You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access
report for. If mailbox audit logging isn't enabled, you won't get any results when you run a report.
To enable mailbox audit logging for a single mailbox, run the following command in Exchange Online PowerShell.

Set-Mailbox <Identity> -AuditEnabled $true

For example, to enable mailbox auditing for a user named Florence Flipo, run the following command.

Set-Mailbox "Florence Flipo" -AuditEnabled $true

To enable mailbox auditing for all user mailboxes in your organization, run the following commands.

$UserMailboxes = Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

How do you know this worked?
Run the following command to verify that you've successfully configured mailbox audit logging.

Get-Mailbox | Format-List Name,AuditEnabled

A value of True for the AuditEnabled property verifies that audit logging is enabled.

Run a non-owner mailbox access report


1. In the EAC, navigate to Compliance Management > Auditing.
2. Click Run a non-owner mailbox access report.
By default, Microsoft Exchange runs the report for non-owner access to any mailboxes in the organization
over the past two weeks. The mailboxes listed in the search results have been enabled for mailbox audit
logging.
3. To view non-owner access for a specific mailbox, select the mailbox from the list of mailboxes. View the
search results in the details pane.

TIP
Want to narrow the search results? Select the start date, end date, or both, and select specific mailboxes to search. Click
Search to re-run the report.

Search for specific types of non-owner access


You can also specify the type of non-owner access, also called the logon type, to search for. Here are your options:
All non-owners: Search for access by administrators and delegated users inside your organization. Also
includes access by users outside your organization.
External users: Search for access by users outside your organization.
Administrators and delegated users: Search for access by administrators and delegated users inside your
organization.
Administrators: Search for access by administrators in your organization.
How do you know this worked?
To verify that you've successfully run a non-owner mailbox access report, check the search results pane. Mailboxes
that you ran the report for are displayed in this pane. If there are no results for a specific mailbox, it's possible there
hasn't been access by a non-owner or that non-owner access hasn't taken place within the specified date range. As
previously described, be sure to verify that audit logging has been enabled for the mailboxes you want to search
for access by non-owners.

What gets logged in the mailbox audit log?


When you run a non-owner mailbox access report, entries from the mailbox audit log are displayed in the search
results in the EAC. Each report entry contains this information:
Who accessed the mailbox and when
The actions performed by the non-owner
The affected message and its folder location
Whether the action was successful
The following table lists the actions performed by non-owners that can be logged by mailbox audit logging. In the
table, a Yes indicates that the action can be logged for that logon type, and a No indicates that an action can't be
logged. An asterisk ( * ) indicates that the action is logged by default when mailbox audit logging is enabled for the
mailbox. If you want to track actions that aren't logged by default, you have to use PowerShell to enable logging of
those actions.

NOTE
An administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegated user.

ACTION                 ADMINISTRATOR  DELEGATED USER  DESCRIPTION
Copy                   Yes            No              A message was copied to another folder.
Create                 Yes*           Yes*            An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn't audited.
FolderBind             Yes*           Yes             A mailbox folder was accessed.
Hard-delete            Yes*           Yes*            A message was purged from the Recoverable Items folder.
MessageBind            Yes            No              A message was viewed in the preview pane or opened.
Move                   Yes*           Yes             A message was moved to another folder.
Move To Deleted Items  Yes*           Yes             A message was moved to the Deleted Items folder.
Send as                Yes*           Yes*            A message was sent using SendAs permission. This means another user sent the message as though it came from the mailbox owner.
Send on behalf of      Yes*           Yes             A message was sent using SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message will indicate to the recipient who the message was sent on behalf of and who actually sent the message.
Soft-delete            Yes*           Yes*            A message was deleted from the Deleted Items folder.
Update                 Yes*           Yes*            A message was changed.

NOTE
* Audited by default if auditing is enabled for a mailbox.
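The following is an added example, not code from the original page: it enables auditing on one mailbox, extends the audited actions past the defaults in the table above (MessageBind and Copy for administrators, FolderBind/Move/SendOnBehalf for delegates), lengthens the retention of audit entries, and then queries the mailbox audit log with Search-MailboxAuditLog instead of the EAC report. The mailbox name "Finance Shared", the 30-day window and the one-year age limit are assumptions.

```powershell
# Added example (not from the original page). Mailbox name, date window and
# AuditLogAgeLimit value are assumptions.
$Mailbox = "Finance Shared"

# Turn auditing on and keep audit entries for a year instead of the 90-day default.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true -AuditLogAgeLimit "365.00:00:00"

# Extend what gets logged. Each list REPLACES the current value, so it must name
# every action you want logged, not just the ones you are adding. Copy and
# MessageBind can only be audited for administrators (see the table above).
Set-Mailbox -Identity $Mailbox `
    -AuditAdmin    Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create,Copy,MessageBind `
    -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create

# Confirm the configuration actually took.
Get-Mailbox -Identity $Mailbox | Format-List AuditEnabled,AuditLogAgeLimit,AuditAdmin,AuditDelegate

# Query the log directly. -LogonTypes Admin,Delegate excludes the owner's own
# actions; -ShowDetails returns one object per log entry rather than a summary.
$Since = (Get-Date).AddDays(-30)
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin,Delegate `
    -StartDate $Since -EndDate (Get-Date) -ShowDetails -ResultSize 5000 |
    Select-Object LastAccessed,LogonType,LogonUserDisplayName,Operation,OperationResult,
                  FolderPathName,ItemSubject,ClientInfoString |
    Sort-Object LastAccessed -Descending |
    Format-Table -AutoSize
```

ClientInfoString is worth keeping in the output: it tells you whether a delegate touched the mailbox from Outlook, Outlook on the web, EWS or PowerShell, which is often the first clue when a "delegated user" entry turns out to be a script or a compromised credential rather than an assistant.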
Run a per-mailbox litigation hold report
5/31/2019 • 2 minutes to read

If your organization is involved in a legal action, you may have to take steps to preserve relevant data, such as
email messages, that may be used as evidence. In situations like this, you can use litigation hold to retain all email
sent and received by specific people or retain all email sent and received in your organization for a specific time
period. For more information about what happens when a mailbox is on litigation hold and how to enable and
disable it, see the "Mailbox Features" section in Manage user mailboxes.
Use the litigation hold report to keep track of the following types of changes made to a mailbox in a given time
period:
Litigation hold was enabled.
Litigation hold was disabled.
For each of these change types, the report includes the user who made the change and the time and date the
change was made.

What do you need to know before you begin?


You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "View-only administrator audit logging" entry in the Shell Infrastructure
Permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to run a litigation hold report


1. In the EAC, navigate to Compliance Management > Auditing.
2. Click Run a per-mailbox litigation hold report.
Microsoft Exchange runs the report for litigation hold changes made to any mailbox in the past two weeks.
3. To view the changes for a specific mailbox, in the search results pane, select the mailbox. View the search
results in the details pane.

TIP
Want to narrow the search results? Select the start date, end date, or both, and select specific mailboxes to search. Click
Search to re-run the report.

How do you know this worked?


To verify that you've successfully run a litigation hold report, mailboxes that had litigation hold changes within the
date range are displayed in the search results pane. If there are no results, then no changes to litigation hold have
taken place within the date range or recent changes haven't taken effect yet.

NOTE
When a mailbox is put on litigation hold, it can take up to 60 minutes for the hold to take effect.
Search the role group changes or administrator audit logs in Exchange Online
6/24/2019 • 7 minutes to read

You can search the administrator audit logs to discover who made changes to the organization and recipient
configuration. This can be helpful when you're trying to track the cause of unexpected behavior, to identify a
malicious administrator, or to verify that compliance requirements are being met. For more information about
administrator audit logging, see Administrator audit logging.
If you want to search the mailbox audit log, see Mailbox Audit Logging.

TIP
In Exchange Online, you can use the EAC to view entries in the administrator audit log. For more information, see View the
administrator audit log.

What do you need to know before you begin?


Estimated time to complete each procedure: less than 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "View-only administrator audit logging" entry in the Exchange and Shell
Infrastructure Permissions topic.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to run the management role group changes report
If you want to know what changes to management role group membership have been made to role groups in
your organization, you can use the Administrator Role Group report in the Exchange admin center (EAC). Using
the Administrator Role Group report, you can view a list of role groups that have changed during a specified date
range. You can also select the specific role groups you want to view changes for.
1. In the EAC, select Compliance management > Auditing, and then click Run an administrator role
group report.
2. Select a date range using the Start date and End date fields.
3. Click Select role groups, and then select the role groups you want to show changes for or leave this field
blank to search for changes in all role groups.
4. Click Search.
If any changes are found using the criteria you specified, a list of changes will be displayed in the results pane.
Clicking a role group displays the changes to the role group in the details pane.

Use the EAC to export the administrator audit log


If you want to create an XML file that contains changes made to your organization, you can use the Export
Administrator Audit Log report in the EAC. Using the Export Administrator Audit Log report, you can specify a
date range to search for audit log entries that contain changes made by users you specify. The XML file is then
sent to a recipient as an email attachment. The maximum size of the XML file is 10 megabytes (MB).

NOTE
By default, Outlook on the web (formerly known as Outlook Web App) doesn't allow you to open XML attachments. You can
either configure Outlook on the web to allow XML attachments to be viewed, or you can use another email client to view
the attachment (for example, Microsoft Outlook). For information about how to configure Outlook on the web to allow you
to view XML attachments, see View or configure Outlook on the web mailbox policy properties in Exchange Online.

1. In the EAC, select Compliance management > Auditing, and then click Export the administrator
audit log.
2. Select a date range using the Start date and End date fields.
3. In the Send the auditing report to field, click Select users and then select the recipient you want to send
the report to.
4. Click Export.
If any log entries are found using the criteria you specified, an XML file will be created and sent as an email
attachment to the recipient you specified.

Use Exchange Online PowerShell to search for audit log entries


You can use Exchange Online PowerShell to search for audit log entries that meet the criteria you specify. For a list
of search criteria, see Administrator audit logging. This procedure uses the Search-AdminAuditLog cmdlet and
displays search results in Exchange Online PowerShell. You can use this cmdlet when you need to return a set of
results that exceeds the limits defined on the New-AdminAuditLogSearch cmdlet or in the EAC Audit Reporting
reports.
If you want to send audit log search results in an email attachment to a recipient, see the Use Exchange Online
PowerShell to search for audit log entries and send results to a recipient section later in this topic.
To search the audit log for criteria you specify, use the following syntax.

Search-AdminAuditLog -Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <parameter 1, parameter 2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True | $False>

NOTE
The Search-AdminAuditLog cmdlet returns a maximum of 1,000 log entries by default. Use the ResultSize parameter to
specify up to 250,000 log entries. Or, use the value Unlimited to return all entries.

This example performs a search for all audit log entries with the following criteria:
Start date: 08/04/2018
End date: 10/03/2018
User IDs: davids, chrisd, kima
Cmdlets: Set-Mailbox
Parameters: ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize,
MaxReceiveSize

Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize -StartDate 08/04/2018 -EndDate 10/03/2018 -UserIds davids,chrisd,kima

This example searches for changes made to a specific mailbox. This is useful if you're troubleshooting or you need
to provide information for an investigation. The following criteria are used:
Start date: 05/01/2018
End date: 10/03/2018
Object ID: contoso.com/Users/DavidS

Search-AdminAuditLog -StartDate 05/01/2018 -EndDate 10/03/2018 -ObjectIds contoso.com/Users/DavidS

If your searches return many log entries, we recommend that you use the procedure provided in Use Exchange
Online PowerShell to search for audit log entries and send results to a recipient later in this topic. The
procedure in that section sends an XML file as an email attachment to the recipients you specify, enabling you to
more easily extract the data you're interested in.
For detailed syntax and parameter information, see Search-AdminAuditLog.
View details of audit log entries
The Search-AdminAuditLog cmdlet returns the fields described in the "Audit log contents" section of
Administrator audit logging. Of the fields returned by the cmdlet, two fields, CmdletParameters and
ModifiedProperties, contain additional information that isn't viewable by default.
To view the contents of the CmdletParameters and ModifiedProperties fields, use the following steps. Or, you
can use the procedure in Use Exchange Online PowerShell to search for audit log entries and send results
to a recipient later in this topic to create an XML file.
This procedure uses the following concepts:
Arrays
User-Defined Variables
1. Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet, and store the results in
a variable using the following command.

$Results = Search-AdminAuditLog <search criteria>

2. Each audit log entry is stored as an array element in the variable $Results . You can select an array element
by specifying its array element index. Array element indexes start at zero (0) for the first array element. For
example, to retrieve the 5th array element, which has an index of 4, use the following command.
$Results[4]

3. The previous command returns the log entry stored in array element 4. To see the contents of the
CmdletParameters and ModifiedProperties fields for this log entry, use the following commands.

$Results[4].CmdletParameters
$Results[4].ModifiedProperties

4. To view the contents of the CmdletParameters or ModifiedProperties fields in another log entry,
change the array element index.
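The following is an added example, not code from the original page. It runs the same kind of Search-AdminAuditLog query used above, expands the CmdletParameters and ModifiedProperties fields for every entry (rather than one array index at a time), and writes a flat CSV that also covers the role-group membership changes the EAC report earlier in this topic shows. The cmdlet filter, 30-day window and output file name are assumptions; the Name/Value (and, as a fallback, NewValue) property names on the parameter entries are how the cmdlet's output exposes them.

```powershell
# Added example (not from the original page). Cmdlet list, date window and output
# path are assumptions; adjust them for your investigation.
$Cmdlets = @(
    'Set-Mailbox', 'Add-MailboxPermission', 'New-InboxRule', 'Set-TransportRule',
    'Add-RoleGroupMember', 'Remove-RoleGroupMember', 'Update-RoleGroupMember', 'New-RoleGroup'
)
$Results = Search-AdminAuditLog -Cmdlets $Cmdlets `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 250000

# CmdletParameters and ModifiedProperties are collections of Name/Value pairs that
# Format-Table only shows as a type name. Join them to "Name=Value; ..." so they
# survive Export-Csv. NewValue is consulted as a fallback for ModifiedProperties.
function ConvertTo-PairString {
    param($Pairs)
    ($Pairs | ForEach-Object {
        $Value = if ($null -ne $_.Value) { $_.Value } else { $_.NewValue }
        "{0}={1}" -f $_.Name, $Value
    }) -join "; "
}

$Report = foreach ($Entry in $Results) {
    [pscustomobject]@{
        RunDate            = $Entry.RunDate
        Caller             = $Entry.Caller
        ExternalAccess     = $Entry.ExternalAccess
        Cmdlet             = $Entry.CmdletName
        Object             = $Entry.ObjectModified
        Succeeded          = $Entry.Succeeded
        Parameters         = ConvertTo-PairString $Entry.CmdletParameters
        ModifiedProperties = ConvertTo-PairString $Entry.ModifiedProperties
    }
}

$Report | Export-Csv -Path .\AdminAuditLog-Last30Days.csv -NoTypeInformation -Encoding UTF8

# Quick console triage: which caller ran which cmdlet most often in the window.
$Report | Group-Object Caller,Cmdlet | Sort-Object Count -Descending | Select-Object Count,Name -First 20
```

Because Search-AdminAuditLog is capped at 250,000 entries per call, split the date range into smaller windows if a noisy tenant hits that limit, and keep the CSV alongside the XML export described later in this topic when the output is evidence for an investigation.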

Use Exchange Online PowerShell to search for audit log entries and
send results to a recipient
You can use Exchange Online PowerShell to search for audit log entries that meet the criteria you specify, and then
send those results to a recipient you specify as an XML file attachment. The results are sent to the recipient within
15 minutes. For a list of search criteria, see Administrator audit logging.

NOTE
By default, Outlook on the web doesn't allow you to open XML attachments. You can either configure Outlook on the web
to allow XML attachments to be viewed, or you can use another email client to view the attachment (for example, Microsoft
Outlook). For information about how to configure Outlook on the web to allow you to view XML attachments, see View or
configure Outlook on the web mailbox policy properties in Exchange Online.

To search the audit log for criteria you specify, use the following syntax.

New-AdminAuditLogSearch -Cmdlets <cmdlet1, cmdlet2, ...> -Parameters <parameter1, parameter2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$true | $false> -StatusMailRecipients <recipient1, recipient2, ...> -Name <string to include in subject>

This example performs a search for all audit log entries with the following criteria:
Start date: 08/04/2018
End date: 10/03/2018
User IDs davids, chrisd, kima
Cmdlets: Set-Mailbox
Parameters: ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize,
MaxReceiveSize
The command sends the results to the davids@contoso.com SMTP address with "Mailbox limit changes" included
in the subject line of the message.

New-AdminAuditLogSearch -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize -StartDate 08/04/2018 -EndDate 10/03/2018 -UserIds davids,chrisd,kima -StatusMailRecipients davids@contoso.com -Name "Mailbox limit changes"

NOTE
The report that the New-AdminAuditLogSearch cmdlet generates can be a maximum of 10 MB in size. If the search you
perform returns a report larger than 10 MB, change the search criteria you specified. For example, reduce the size of the
date range and run multiple reports, each with a portion of the original date range.

For more information about the format of the XML file, see Administrator Audit Log Structure.
For detailed syntax and parameter information, see New-AdminAuditLogSearch.
View the administrator audit log
6/24/2019 • 2 minutes to read

In Exchange Online, you can use the Exchange admin center (EAC) to search for and view entries in the
administrator audit log. The administrator audit log records specific actions, based on Exchange Online PowerShell
cmdlets, performed by administrators and users who have been assigned administrative privileges. Entries in the
administrator audit log provide you with information about what cmdlet was run, which parameters were used,
who ran the cmdlet, and what objects were affected.

NOTE
Administrator audit logging is enabled by default.
The administrator audit log doesn't record any action that's based on an Exchange Online PowerShell cmdlet that begins with
the verbs Get, Search, or Test. Read-only activity, including an administrator searching mailboxes, therefore doesn't show up here.
Audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "View reports" entry in the Feature Permissions in EOP topic.
As previously stated, administrator audit logging is enabled by default. To verify that it's enabled, you can
run the following command.

Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled

In Exchange Server, you can enable administrator audit logging if it's disabled by running the following
command.

Set-AdminAuditLogConfig -AdminAuditLogEnabled $True

In Exchange Online Protection and Exchange Online, administrator audit logging is always enabled. It can't
be disabled.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to view the administrator audit log


1. In the EAC, go to Compliance management > Auditing, and choose Run the admin audit log report.
2. Choose a Start date and End date, and then choose Search. All configuration changes made during the
specified time period are displayed, and can be sorted, using the following information:
Date: The date and time that the configuration change was made. The date and time are stored in
Coordinated Universal Time (UTC) format.
Cmdlet: The name of the cmdlet that was used to make the configuration change.
User: The name of the user account of the user who made the configuration change.
Up to 5000 entries will be displayed on multiple pages. Specify a smaller date range if you need to
narrow your results. If you select an individual search result, the following additional information is
displayed in the details pane:
Object modified: The object that was modified by the cmdlet.
Parameters (Parameter:Value): The cmdlet parameters that were used, and any value specified
with the parameter.
3. If you want to print a specific audit log entry, choose the Print button in the details pane.

How do you know this worked?


If you've successfully run an administrator audit log report, configuration changes made within the date range you
specify are displayed in the search results pane. If there are no results, change the date range and then run the
report again.

NOTE
When a change is made in your organization, it may take up to 15 minutes to appear in audit log search results. If a change
doesn't appear in the administrator audit log, wait a few minutes and run the search again.
View and export the external admin audit log
6/24/2019 • 5 minutes to read

In Exchange Online, actions performed by Microsoft and delegated administrators are logged in the administrator
audit log. You can use the Exchange admin center (EAC) or Exchange Online PowerShell to search for and view
audit log entries to determine if external administrators performed any actions on or changed the configuration of
your Exchange Online organization. You can also use Exchange Online PowerShell to export these audit log
entries.

What do you need to know before you begin?


Estimated time to complete: This will vary based on whether you view or export entries from the admin
audit log. See each procedure for its estimated time to complete.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "View-only administrator audit logging" entry in the Exchange and Shell
Infrastructure Permissions topic.
When you export the admin audit log, Microsoft Exchange attaches the audit log, which is an XML file, to an
email message that is sent to the specified recipients. However, Outlook on the web (formerly known as
Outlook Web App) blocks XML attachments by default. If you want to use Outlook on the web to access
these audit logs, you have to configure Outlook on the web to allow XML attachments. Run the following
command to allow XML attachments in Outlook on the web. Note that the value you pass replaces the
policy's entire AllowedFileTypes list, so it must include every file type you still want allowed, not just .xml.

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes '.rpmsg','.xlsx','.xlsm','.xlsb','.tiff','.pptx','.pptm','.ppsx','.ppsm','.docx','.docm','.zip','.xls','.wmv','.wma','.wav','.vsd','.txt','.tif','.rtf','.pub','.ppt','.png','.pdf','.one','.mp3','.jpg','.gif','.doc','.bmp','.avi','.xml'

For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.
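The following is an added example, not code from the original page. Rather than retyping the whole AllowedFileTypes list as the command above does, it adds .xml to the existing list in place with the @{Add=...} multivalued-property syntax, checks that .xml is not also sitting in BlockedFileTypes, and then confirms which mailboxes are actually assigned the policy. It assumes your users are on the default policy, OwaMailboxPolicy-Default.

```powershell
# Added example (not from the original page). Assumes the default OWA mailbox
# policy; substitute the policy your audit-log recipients are actually assigned.
$PolicyName = "OwaMailboxPolicy-Default"
$Policy = Get-OwaMailboxPolicy -Identity $PolicyName

# Keep the two lists consistent: a type present in BlockedFileTypes should be
# removed there before it is allowed. @{Add=...}/@{Remove=...} edits the
# multivalued property in place instead of replacing the whole list.
if ($Policy.BlockedFileTypes -contains '.xml') {
    Set-OwaMailboxPolicy -Identity $PolicyName -BlockedFileTypes @{Remove = '.xml'}
}
if ($Policy.AllowedFileTypes -notcontains '.xml') {
    Set-OwaMailboxPolicy -Identity $PolicyName -AllowedFileTypes @{Add = '.xml'}
}

# Re-read and verify the result.
$Policy = Get-OwaMailboxPolicy -Identity $PolicyName
"xml allowed: {0}; xml blocked: {1}" -f ($Policy.AllowedFileTypes -contains '.xml'),
                                          ($Policy.BlockedFileTypes -contains '.xml')

# The change only matters for mailboxes that use this policy. An empty
# OwaMailboxPolicy value means the default policy applies.
Get-CASMailbox -ResultSize Unlimited | Group-Object OwaMailboxPolicy | Select-Object Count,Name
```

Allowing .xml tenant-wide is a broader change than the audit-log use case needs; if only a handful of administrators receive these reports, create a separate OWA mailbox policy with .xml allowed and assign it to those mailboxes with Set-CASMailbox -OwaMailboxPolicy instead of loosening the default.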

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to view the external admin audit log report
Estimated time to complete: 3 minutes
1. Go to Compliance management > Auditing and click View the external admin audit log report. All
configuration changes made by Microsoft datacenter administrators and delegated administrators during
the specified time period are displayed, and can be sorted, using the following information:
Date: The date and time that the configuration change was made. The date and time are stored in
Coordinated Universal Time (UTC) format.
Cmdlet: The name of the cmdlet that was used to make the configuration change.
If you select an individual search result, the following information is displayed in the details pane:
The date and time that the cmdlet was run.
The user who ran the cmdlet. For all entries in the external admin audit log report, the user is
identified as Administrator, which indicates a Microsoft datacenter administrator or an external
administrator.
The cmdlet parameters that were used, and any value specified with the parameter, in the format
Parameter:Value.
2. If you want to print a specific audit log entry, select it in the search results pane and then click Print in the
details pane.
3. To narrow the search, choose dates in the Start date and End date drop-down menus, and then click
Search.

Use Exchange Online PowerShell to view entries in the external admin audit log report
Estimated time to complete: 3 minutes
You can use the Search-AdminAuditLog cmdlet with the ExternalAccess parameter to view entries from the
administrator audit log for actions performed by Microsoft datacenter administrators and delegated
administrators.
This command returns all entries in the administrator audit log for cmdlets run by external administrators.

Search-AdminAuditLog -ExternalAccess $true

This command returns entries in the administrator audit log for cmdlets run by external administrators between
September 17, 2013 and October 2, 2013.

Search-AdminAuditLog -ExternalAccess $true -StartDate 09/17/2013 -EndDate 10/02/2013

For more information, see Search-AdminAuditLog.
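The following is an added example, not code from the original page. It uses Search-AdminAuditLog -ExternalAccess $true as described above, but instead of listing every entry it flags the external-administrator actions a defender most wants to review: permission grants, mail-flow rules, connectors, inbox rules and mailbox forwarding changes. The list of sensitive cmdlets and the forwarding parameter names are assumptions chosen for illustration, not something the page defines; the 90-day window matches the log's retention.

```powershell
# Added example (not from the original page). The sensitive-cmdlet list and the
# forwarding parameter names are assumptions; extend them to match your tenant.
$SensitiveCmdlets = @(
    'Add-MailboxPermission', 'Add-RecipientPermission', 'Add-RoleGroupMember',
    'New-ManagementRoleAssignment', 'New-TransportRule', 'Set-TransportRule',
    'New-InboxRule', 'Set-InboxRule', 'New-InboundConnector', 'Set-InboundConnector',
    'New-OutboundConnector', 'Set-OutboundConnector', 'Set-Mailbox'
)
# Set-Mailbox is only interesting when it changes where mail is delivered.
$ForwardingParams = 'ForwardingSmtpAddress', 'ForwardingAddress', 'DeliverToMailboxAndForward'

# Only entries for Microsoft datacenter and delegated (partner) administrators.
$External = Search-AdminAuditLog -ExternalAccess $true `
    -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize Unlimited

$Flagged = foreach ($Entry in $External) {
    $ParamNames  = @($Entry.CmdletParameters | ForEach-Object Name)
    $IsSensitive = $SensitiveCmdlets -contains $Entry.CmdletName
    if ($Entry.CmdletName -eq 'Set-Mailbox') {
        $IsSensitive = [bool]($ParamNames | Where-Object { $ForwardingParams -contains $_ })
    }
    if ($IsSensitive) {
        [pscustomobject]@{
            RunDate    = $Entry.RunDate
            Caller     = $Entry.Caller
            Cmdlet     = $Entry.CmdletName
            Object     = $Entry.ObjectModified
            Parameters = $ParamNames -join ','
            Succeeded  = $Entry.Succeeded
        }
    }
}

"External admin actions: {0}; flagged as sensitive: {1}" -f @($External).Count, @($Flagged).Count
$Flagged | Sort-Object RunDate -Descending | Format-Table -AutoSize

# Baseline for everything else external admins ran, so unusual cmdlets stand out.
$External | Group-Object CmdletName | Sort-Object Count -Descending | Select-Object Count,Name
```

Because entries age out after 90 days, schedule this (or the New-AdminAuditLogSearch export below) to run regularly and keep the output somewhere the delegated partner cannot edit; an audit trail that lives only in the tenant the partner administers is not much of a control.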

Use Exchange Online PowerShell to export the admin audit log


Estimated time to complete: Approximately 24 hours
You can use the New-AdminAuditLogSearch cmdlet with the ExternalAccess parameter to export entries from
the administrator audit log for actions performed by Microsoft datacenter administrators or delegated
administrators. Microsoft Exchange retrieves entries in the administrator audit log that were performed by external
administrators and saves them to a file named SearchResult.xml. This XML file is attached to an email message
that is sent to the specified recipients within 24 hours.
The following command returns entries in the administrator audit log for cmdlets run by external administrators
between September 25, 2013 and October 24, 2013. The search results are sent to the admin@contoso.com and
pilarp@contoso.com SMTP addresses and the text "External admin audit log" is added to the subject line of the
message.

New-AdminAuditLogSearch -ExternalAccess $true -StartDate 09/25/2013 -EndDate 10/24/2013 -StatusMailRecipients admin@contoso.com,pilarp@contoso.com -Name "External admin audit log"

NOTE
When you include the ExternalAccess parameter, only entries for actions performed by Microsoft datacenter administrators or
delegated administrators are included in the audit log that is exported. If you don't include the ExternalAccess parameter, the
audit log will contain entries for actions performed by the administrators in your organization and by external administrators.

To verify that the command to export the admin audit log entries performed by external administrators was
successful, and to display information about current administrator audit log searches, run the following command:

Get-AuditLogSearch | Format-List

More information
In Office 365, you can delegate the ability to perform certain administrative tasks to an authorized partner
of Microsoft. These admin tasks include creating or editing users, resetting user passwords, managing user
licenses, managing domains, and assigning admin permissions to other users in your organization. When
you authorize a partner to take on this role, the partner is referred to as a delegated admin. The tasks
performed by a delegated admin are logged in the admin audit log. As previously described, actions
performed by delegated admins can be viewed by running the external admin audit log report or exported
by using the New-AdminAuditLogSearch cmdlet with the ExternalAccess parameter.
The administrator audit log records specific actions, based on Exchange Online PowerShell cmdlets,
performed by administrators and users who have been assigned administrative privileges. Actions
performed by external administrators are also logged. Entries in the admin audit log provide you with
information about the cmdlet that was run, which parameters were used, and what objects were affected.
The administrator audit log doesn't record any action that is based on an Exchange Online PowerShell
cmdlet that begins with the verbs Get, Search, or Test.
Audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted.
Messaging records management
7/3/2019 • 7 minutes to read

Users send and receive email every day. If left unmanaged, the volume of email generated and received each day
can inundate users, impact user productivity, and expose your organization to risks. As a result, email lifecycle
management is a critical component for most organizations.
Messaging records management (MRM) is the records management technology in Exchange Server and Exchange
Online that helps organizations manage email lifecycle and reduce the legal risks associated with email. Deploying
MRM can help your organization in several ways:
Meet business requirements: Depending on your organization's messaging policies, you may need to
retain important email messages for a certain period. For example, a user's mailbox may contain critical
messages related to business strategy, transactions, product development, or customer interactions.
Meet legal and regulatory requirements: Many organizations have a legal or regulatory requirement to
store messages for a designated period and remove messages older than that period. Storing messages
longer than necessary may increase your organization's legal or financial risks.
Increase user productivity: If left unmanaged, the ever-increasing volume of email in your users'
mailboxes can also impact their productivity. For example, although newsletter subscriptions and automated
notifications may have informational value when they're received, users may not remove them after reading
(often they're never read). Many of these types of messages don't have a retention value beyond a few days.
Using MRM to remove such messages can help reduce information clutter in users' mailboxes, thereby
increasing productivity.
Improve storage management: Due to expectations driven by free consumer email services, many users
keep old messages for a long period or never remove them. Maintaining large mailboxes is increasingly
becoming a standard practice, and users shouldn't be forced to change their work habits based on restrictive
mailbox quotas. However, retaining messages beyond the period that's necessary for business, legal, or
regulatory reasons also increases storage costs.
MRM provides the flexibility to implement the records management policy that best meets your organization's
requirements. With a good understanding of MRM, In-Place Archiving, and In-Place Hold, you can help meet your
goals of managing mailbox storage and meeting regulatory retention requirements.
Looking for management tasks related to MRM? See Messaging Records Management Procedures.

MRM in Exchange Server and Exchange Online


In Exchange Server and Exchange Online, MRM is accomplished through the use of retention tags and retention
policies. Retention tags are used to apply retention settings to an entire mailbox and default mailbox folders such
as Inbox and Deleted Items. You can also create and deploy retention tags that Outlook 2010 and later and
Outlook on the web (formerly known as Outlook Web App) users can use to apply to folders or individual
messages. After they're created, you add retention tags to a retention policy and then apply the policy to users. The
Managed Folder Assistant processes mailboxes and applies retention settings in the user's retention policy. To
learn more about retention policies, see Retention tags and retention policies.
When a message reaches its retention age specified in the applicable retention tag, the Managed Folder Assistant
takes the retention action specified by the tag. Messages can then be deleted permanently or deleted with the
ability to recover them. If an archive has been provisioned for the user, you can also use retention tags to move
items to the user's In-Place Archive.
MRM strategies
You can use retention policies to enforce basic message retention for an entire mailbox or for specific default
folders. Although there are several strategies for deploying MRM, here are some of the most common:
Remove all messages after a specified period: In this strategy, you implement a single MRM policy that
removes all messages after a certain period. In this strategy, there's no classification of messages. You can
implement this policy by creating a single default policy tag (DPT) for the mailbox. However, this doesn't ensure
that messages are retained for the specified period. Users can still delete messages before the retention period is
reached; if you need to guarantee preservation, combine the policy with a hold.
Move messages to archive mailboxes: In this strategy, you implement MRM policies that move items to the
user's archive mailbox. An archive mailbox provides additional storage for users to maintain old and infrequently
accessed content. Retention tags that move items are also known as archive policies. Within the same retention
policy, you can combine a DPT and personal tags to move items, and a DPT, RPTs, and personal tags to delete
items. To learn more about archiving policies, see:
Exchange Server 2016: In-Place Archiving
Exchange Online: Archive Mailboxes in Exchange Online

NOTE
In an Exchange hybrid deployment, you can enable a cloud-based archive mailbox for an on-premises primary mailbox. If you
assign an archive policy to an on-premises mailbox, items are moved to the cloud-based archive. If an item is moved to the
archive mailbox, a copy of it isn't retained in the on-premises mailbox. If the on-premises mailbox is placed on hold, an
archive policy will still move items to the cloud-based archive mailbox where they are preserved for the duration specified by
the hold.

Remove messages based on folder location: In this strategy, you implement MRM policies based on email
location. For example, you can specify that messages in the Inbox are retained for one year and messages in the
Junk Email folder are retained for 60 days. You can implement this policy by using a combination of retention
policy tags (RPTs) for each default folder you want to configure and a DPT for the entire mailbox. The DPT applies
to all custom folders and all default folders that don't have an RPT applied.

NOTE
In Exchange Server, you can create RPTs for the Calendar and Tasks folders. If you don't want items in these folders or other
default folders to expire, you can create a disabled retention tag for that default folder.

Allow users to classify messages: In this strategy, you implement MRM policies that include a baseline retention
setting for all messages but allow users to classify messages based on business or regulatory requirements. In this
case, users become an important part of your records management strategy - often they have the best
understanding of a message's retention value.
Users can apply different retention settings to messages that need to be retained for a longer or shorter period.
You can implement this policy using a combination of the following:
A DPT for the mailbox
Personal tags that users can apply to custom folders or individual messages
(Optional) Additional RPTs to expire items in specific default folders

For example, you can use a retention policy with personal tags that have a shorter retention period (such as two
days, one week, or one month), as well as personal tags that have a longer retention period (such as one, two, or
five years). Users can apply personal tags with the shorter retention periods for items such as newsletter
subscriptions that may lose their value within days of receiving them, and apply the tags with longer periods to
preserve items that have a high business value. They can also automate the process by using Inbox rules in
Outlook to apply a personal tag to messages that match rule conditions.
Retain messages for eDiscovery purposes: In this strategy, you implement MRM policies that remove
messages from mailboxes after a specified period but also retain them in the Recoverable Items folder for In-Place
eDiscovery purposes, even if the messages were deleted by the user or another process.
You can meet this requirement by using a combination of retention policies and an In-Place Hold or Litigation
Hold. Retention policies remove messages from the mailbox after the specified period. A time-based In-Place Hold
or Litigation Hold preserves messages that were deleted or modified before that period. For example, to retain
messages for seven years, you can create a retention policy with a DPT that deletes messages in seven years and a
Litigation Hold that holds messages for seven years. Messages that aren't removed by users will be deleted after
seven years; messages deleted by users before the seven-year period will be retained in the Recoverable Items
folder for seven years. To learn more about this folder, see Recoverable Items Folder.
Optionally, you can use RPTs and personal tags to allow users to clean up their mailboxes. However, the In-Place
Hold or Litigation Hold continues to retain the deleted messages until the hold period expires.

NOTE
A time-based In-Place Hold or Litigation Hold is similar to what was informally referred to as a rolling legal hold in Exchange
2010. Rolling legal hold was implemented by configuring the deleted item retention period for a mailbox database or
individual mailbox. However, deleted item retention retains deleted and modified items based on the date deleted. In-Place
Hold and Litigation Hold preserves items based on the date they're received or created. This ensures that messages are
preserved for at least the specified period.
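The strategies above can be combined in a single retention policy. The following Exchange Online PowerShell script is an added example, not code from the Exchange documentation: it creates a deletion DPT (the "remove all messages" baseline), RPTs for Inbox and Junk Email (folder location), a small set of personal tags (user classification), links them into one policy, applies it to a mailbox, and pairs it with a time-based Litigation Hold of the same length (the eDiscovery strategy). All tag, policy and mailbox names are placeholders, and an established Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the Exchange documentation). Assumes an established
# Exchange Online PowerShell session; all tag, policy and mailbox names are placeholders.

$policyName = 'RP-Standard-7Year'      # placeholder policy name
$mailbox    = 'user@contoso.example'   # placeholder mailbox
$holdDays   = 7 * 365                  # seven years, expressed in days

# Baseline: a single DPT that deletes every untagged item after seven years.
New-RetentionPolicyTag -Name 'DPT-Delete-7Years' -Type All `
    -AgeLimitForRetention $holdDays -RetentionAction DeleteAndAllowRecovery `
    -Comment 'Untagged items are deleted after 7 years' | Out-Null

# Folder-location strategy: RPTs for Inbox (1 year) and Junk Email (60 days).
New-RetentionPolicyTag -Name 'RPT-Inbox-1Year' -Type Inbox `
    -AgeLimitForRetention 365 -RetentionAction DeleteAndAllowRecovery | Out-Null
New-RetentionPolicyTag -Name 'RPT-JunkEmail-60Days' -Type JunkEmail `
    -AgeLimitForRetention 60 -RetentionAction DeleteAndAllowRecovery | Out-Null

# User-classification strategy: a few short and long personal tags (well under 10).
$personal = @(
    @{ Name = 'Personal-Delete-1Week';  Days = 7 }
    @{ Name = 'Personal-Delete-1Month'; Days = 30 }
    @{ Name = 'Personal-Delete-5Years'; Days = 5 * 365 }
)
foreach ($p in $personal) {
    New-RetentionPolicyTag -Name $p.Name -Type Personal `
        -AgeLimitForRetention $p.Days -RetentionAction DeleteAndAllowRecovery | Out-Null
}

# Link every tag into one policy and apply that policy to the mailbox.
$tagNames = @('DPT-Delete-7Years', 'RPT-Inbox-1Year', 'RPT-JunkEmail-60Days') +
            @($personal | ForEach-Object { $_.Name })
New-RetentionPolicy -Name $policyName -RetentionPolicyTagLinks $tagNames | Out-Null
Set-Mailbox -Identity $mailbox -RetentionPolicy $policyName

# eDiscovery strategy: a time-based Litigation Hold of the same length keeps items
# the user deletes early in Recoverable Items for seven years from receipt.
Set-Mailbox -Identity $mailbox -LitigationHoldEnabled $true -LitigationHoldDuration $holdDays

# Check that the hold actually covers the DPT's retention age; a shorter hold
# would let early-deleted items leave Recoverable Items before the DPT expiry.
function Test-HoldCoversRetention {
    param([string]$Identity, [string]$DptName)
    $mbx = Get-Mailbox -Identity $Identity
    $dpt = Get-RetentionPolicyTag -Identity $DptName
    if (-not $mbx.LitigationHoldEnabled) { return 'No Litigation Hold: early deletions are not preserved' }
    $hold = [string]$mbx.LitigationHoldDuration          # 'Unlimited' or 'd.hh:mm:ss'
    if ($hold -eq 'Unlimited') { return 'Litigation Hold is unlimited and covers the DPT' }
    $holdSpanDays = [TimeSpan]::Parse($hold).TotalDays
    $dptDays      = [TimeSpan]::Parse([string]$dpt.AgeLimitForRetention).TotalDays
    if ($holdSpanDays -lt $dptDays) {
        return "Hold ($holdSpanDays days) is shorter than the DPT age ($dptDays days)"
    }
    return "Hold ($holdSpanDays days) covers the DPT age ($dptDays days)"
}
Test-HoldCoversRetention -Identity $mailbox -DptName 'DPT-Delete-7Years'
```

The final check matters because the DPT and the hold are configured independently: if the hold is shorter than the DPT's retention age, an item the user deletes on day one can leave the Recoverable Items folder years before an untouched copy of the same message would have expired.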

For more information


Messaging Records Management Terminology in Exchange 2013
Retention tags and retention policies
Retention tags and retention policies
7/3/2019 • 15 minutes to read • Edit Online

In Microsoft Exchange Server and Exchange Online, Messaging records management (MRM) helps
organizations to manage email lifecycle and reduce legal risks associated with e-mail and other communications.
MRM makes it easier to keep messages needed to comply with company policy, government regulations, or legal
needs, and to remove content that has no legal or business value.
Watch this video for a quick overview of how to apply retention tags and a retention policy to a mailbox in
Exchange Online.

Messaging Records Management strategy


MRM in Exchange Server and Exchange Online is accomplished by using retention tags and retention policies.
Before discussing the details about each of these retention features, it's important to learn how the features are
used in the overall MRM strategy. This strategy is based on:
Assigning retention policy tags (RPTs) to default folders, such as the Inbox and Deleted Items.
Applying default policy tags (DPTs) to mailboxes to manage the retention of all untagged items.
Allowing the user to assign personal tags to custom folders and individual items.
Separating MRM functionality from users' Inbox management and filing habits. Users aren't required to
file messages in managed folders based on retention requirements. Individual messages can have a
different retention tag than the one applied to the folder in which they're located.
The following figure illustrates the tasks involved in implementing this strategy.
Retention tags
As illustrated in the preceding figure, retention tags are used to apply retention settings to folders and individual
items such as e-mail messages and voice mail. These settings specify how long a message remains in a mailbox
and the action to be taken when the message reaches the specified retention age. When a message reaches its
retention age, it's moved to the user's In-Place Archive or deleted.
Retention tags allow users to tag their own mailbox folders and individual items for retention. Users no longer
have to file items in managed folders provisioned by an administrator based on message retention requirements.
Types of retention tags
Retention tags are classified into the following three types based on who can apply them and where in a mailbox
they can be applied.

Default policy tag (DPT)
    Applied: Automatically to the entire mailbox. A DPT applies to untagged items, which are mailbox items
    that don't have a retention tag applied directly or by inheritance from the folder.
    Applied by: Administrator
    Available actions: Move to archive; Delete and allow recovery; Permanently delete
    Details: Users can't change DPTs applied to a mailbox.

Retention policy tag (RPT)
    Applied: Automatically to a default folder. Default folders are folders created automatically in all
    mailboxes, for example: Inbox, Deleted Items, and Sent Items. See the list of supported default folders in
    Default folders that support Retention Policy Tags.
    Applied by: Administrator
    Available actions: Delete and allow recovery; Permanently delete
    Details: Users can't change the RPT applied to a default folder.

Personal tag
    Applied: Manually to items and folders. Users can automate tagging by using Inbox rules to either move a
    message to a folder that has a particular tag or to apply a personal tag to the message.
    Applied by: Users
    Available actions: Move to archive; Delete and allow recovery; Permanently delete
    Details: Personal tags allow your users to determine how long an item should be retained. For example, the
    mailbox can have a DPT to delete items in seven years, but a user can create an exception for items such as
    newsletters and automated notifications by applying a personal tag to delete them in three days.

More about personal tags


Personal tags are available to Outlook 2010 or later and Outlook on the web (formerly known as Outlook Web
App) users as part of their retention policy. In Outlook and Outlook on the web, personal tags with the Move to
Archive action appear as Archive Policy, and personal tags with the Delete and Allow Recovery or
Permanently Delete actions appear as Retention Policy, as shown in the following figure.
Users can apply personal tags to folders they create or to individual items. Messages that have a personal tag
applied are always processed based on the personal tag's settings. Users can apply a personal tag to a message
so that it's moved or deleted sooner or later than the settings specified in the DPT or RPTs applied to that user's
mailbox. You can also create personal tags with retention disabled. This allows users to tag items so they're never
moved to an archive or never expire.

NOTE
Users can apply archive policies to default folders, user-created folders or subfolders, and individual items. Users can apply
a retention policy to user-created folders or subfolders and individual items (including subfolders and items in a default
folder), but not to default folders.

Users can also use the Exchange admin center (EAC) to select additional personal tags that aren't linked to their
retention policy. The selected tags then become available in Outlook 2010 and Outlook on the web. To enable
users to select additional tags from the EAC, you must add the MyRetentionPolicies role to the user's role
assignment policy. To learn more about role assignment policies for users, see Understanding Management Role
Assignment Policies. If you allow users to select additional personal tags, all personal tags in your Exchange
organization become available to them.

NOTE
Personal tags are a premium feature. Mailboxes with policies that contain these tags (or as a result of users adding the tags
to their mailbox) require an Exchange Enterprise client access license (CAL).

Retention age
When you enable a retention tag, you must specify a retention age for the tag. This age indicates the number of
days to retain a message after it arrives in the user's mailbox.
The retention age for non-recurring items (such as email messages) is calculated differently than items that have
an end date or recurring items (such as meetings and tasks). To learn how retention age is calculated for different
types of items, see How retention age is calculated.
You can also create retention tags with retention disabled or disable tags after they're created. Because messages
that have a disabled tag applied aren't processed, no retention action is taken. As a result, users can use a
disabled personal tag as a Never Move tag or a Never Delete tag to override a DPT or RPT that would
otherwise apply to the message.
Retention actions
When creating or configuring a retention tag, you can select one of the following retention actions to be taken
when an item reaches its retention age:

Move to Archive (1)
    Action taken: Moves the message to the user's archive mailbox. Only available for DPTs and personal tags.
    For details about archiving, see In-Place Archiving and Archive Mailboxes in Exchange Online.
    Except: If the user doesn't have an archive mailbox, no action is taken.

Delete and Allow Recovery
    Action taken: Emulates the behavior when the user empties the Deleted Items folder. Items are moved to the
    Recoverable Items folder in the mailbox and preserved until the deleted item retention period expires.
    Provides the user a second chance to recover the item using the Recover Deleted Items dialog box in Outlook
    or Outlook on the web.
    Except: If you've set the deleted item retention period to zero days, items are permanently deleted. For
    details, see Change how long permanently deleted items are kept for an Exchange Online mailbox.

Permanently Delete
    Action taken: Permanently deletes messages. You can't recover messages after they're permanently deleted.
    Except: If the mailbox is placed on In-Place Hold or Litigation Hold, items are preserved in the Recoverable
    Items folder based on the hold parameters. In-Place eDiscovery will still return these items in search results.

Mark as Past Retention Limit
    Action taken: Marks a message as expired. In Outlook 2010 or later, and Outlook on the web, expired items
    are displayed with the notification stating 'This item has expired' and 'This item will expire in 0 days'. In
    Outlook 2007, items marked as expired are displayed by using strikethrough text.
    Except: Not applicable.

NOTE
(1) In an Exchange hybrid deployment, you can enable a cloud-based archive mailbox for an on-premises primary mailbox. If
you assign an archive policy to an on-premises mailbox, items are moved to the cloud-based archive. If an item is moved
to the archive mailbox, a copy of it isn't retained in the on-premises mailbox. If the on-premises mailbox is placed on hold,
an archive policy will still move items to the cloud-based archive mailbox where they are preserved for the duration
specified by the hold.
For details about how to create retention tags, see Create a Retention Policy.

Retention policies
To apply one or more retention tags to a mailbox, you must add them to a retention policy and then apply the
policy to mailboxes. A mailbox can't have more than one retention policy. Retention tags can be linked to or
unlinked from a retention policy at any time, and the changes automatically take effect for all mailboxes that have
the policy applied.
A retention policy can have the following retention tags:

Default policy tag (DPT)
    One DPT with the Move to Archive action
    One DPT with the Delete and Allow Recovery or Permanently Delete action
    One DPT for voice mail messages with the Delete and Allow Recovery or Permanently Delete action

Retention policy tags (RPTs)
    One RPT for each supported default folder
    Note: You can't link more than one RPT for a particular default folder (such as Deleted Items) to the same
    retention policy.

Personal tags
    Any number of personal tags
    Tip: Many personal tags in a policy can confuse users. We recommend adding no more than 10 personal tags to
    a retention policy.

NOTE
Although a retention policy doesn't need to have any retention tags linked to it, we don't recommend using this scenario. If
mailboxes with retention policies don't have retention tags linked to them, this may cause mailbox items to never expire.

A retention policy can contain both archive tags (tags that move items to the personal archive mailbox) and
deletion tags (tags that delete items). A mailbox item can also have both types of tags applied. Archive mailboxes
don't have a separate retention policy. The same retention policy is applied to the primary and archive mailbox.
When planning to create retention policies, you must consider whether they'll include both archive and deletion
tags. As mentioned earlier, a retention policy can have one DPT that uses the Move to Archive action and one
DPT that uses either the Delete and Allow Recovery or Permanently Delete action. The DPT with the Move
to Archive action must have a lower retention age than the DPT with a deletion action. For example, you can use
a DPT with the Move to Archive action to move items to the archive mailbox in two years, and a DPT with a
deletion action to remove items from the mailbox in seven years. Items in both primary and archive mailboxes
will be deleted after seven years.
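The composition rules above (one archive DPT, one deletion DPT, the archive age lower than the deletion age, one RPT per default folder, no more than about 10 personal tags, and at least one tag linked) are easy to break as tags are added and removed over time. The following function is an added example, not part of the Exchange documentation; it reads a policy's linked tags with Get-RetentionPolicy and Get-RetentionPolicyTag and reports every rule the policy violates. It assumes an Exchange Online PowerShell session, that a DPT is a tag of type All, and that a voice mail DPT is distinguished by a MessageClass of Voicemail (that last point is an assumption about how the tag objects are surfaced).

```powershell
# Added example (not from the Exchange documentation). Assumes an Exchange Online
# PowerShell session; the policy name passed at the bottom is a placeholder.
function Test-RetentionPolicyComposition {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$PolicyName)

    $policy = Get-RetentionPolicy -Identity $PolicyName
    # RetentionPolicyTagLinks holds references only; resolve each to its full definition.
    $tags = @(foreach ($link in $policy.RetentionPolicyTagLinks) {
        Get-RetentionPolicyTag -Identity $link.Name
    })
    $findings = [System.Collections.Generic.List[string]]::new()

    # Retention age in whole days, or $null for tags that have no age limit.
    function Get-TagAgeDays($tag) {
        if ($null -eq $tag.AgeLimitForRetention) { return $null }
        return [TimeSpan]::Parse([string]$tag.AgeLimitForRetention).TotalDays
    }

    if ($tags.Count -eq 0) {
        $findings.Add('No retention tags are linked; mailbox items may never expire')
    }

    # DPTs are tags of type All. Voice mail DPTs are assumed to carry MessageClass
    # 'Voicemail'; every other DPT is treated as the general DPT.
    $dpts = @($tags | Where-Object { "$($_.Type)" -eq 'All' -and "$($_.MessageClass)" -ne 'Voicemail' })
    $archiveDpts = @($dpts | Where-Object { "$($_.RetentionAction)" -eq 'MoveToArchive' })
    $deleteDpts  = @($dpts | Where-Object {
        "$($_.RetentionAction)" -in @('DeleteAndAllowRecovery', 'PermanentlyDelete') })
    if ($archiveDpts.Count -gt 1) {
        $findings.Add("More than one archive DPT: $($archiveDpts.Name -join ', ')")
    }
    if ($deleteDpts.Count -gt 1) {
        $findings.Add("More than one deletion DPT: $($deleteDpts.Name -join ', ')")
    }
    if ($archiveDpts.Count -eq 1 -and $deleteDpts.Count -eq 1) {
        $a = Get-TagAgeDays $archiveDpts[0]
        $d = Get-TagAgeDays $deleteDpts[0]
        if ($null -ne $a -and $null -ne $d -and $a -ge $d) {
            $findings.Add("Archive DPT age ($a days) must be lower than the deletion DPT age ($d days)")
        }
    }

    # At most one RPT per default folder: group the non-DPT, non-personal tags by folder type.
    $tags | Where-Object { "$($_.Type)" -notin @('All', 'Personal') } |
        Group-Object { "$($_.Type)" } | Where-Object Count -gt 1 | ForEach-Object {
            $findings.Add("Duplicate RPTs for folder $($_.Name): $($_.Group.Name -join ', ')")
        }

    # Recommendation rather than a hard limit: more than 10 personal tags confuses users.
    $personal = @($tags | Where-Object { "$($_.Type)" -eq 'Personal' })
    if ($personal.Count -gt 10) {
        $findings.Add("$($personal.Count) personal tags linked; recommended maximum is 10")
    }

    [pscustomobject]@{
        Policy    = $policy.Name
        TagCount  = $tags.Count
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Placeholder policy name; run against each policy returned by Get-RetentionPolicy to audit them all.
Test-RetentionPolicyComposition -PolicyName 'Default MRM Policy' | Format-List
```

Enum properties such as Type and RetentionAction are compared as strings so the function does not depend on the enum type names loaded by the remote session. The archive-versus-deletion age check is the one most worth automating: a policy that archives at seven years and deletes at two silently never archives anything, and nothing in the admin center warns about it.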
For a list of management tasks related to retention policies, see Messaging Records Management Procedures.
Default retention policy
Exchange Setup creates the retention policy Default MRM Policy. The Default MRM Policy is applied
automatically to new mailboxes in Exchange Online. In Exchange Server, the policy is applied automatically if you
create an archive for the new user and don't specify a retention policy.
You can modify tags included in the Default MRM Policy, for example by changing the retention age or retention
action, disable a tag or modify the policy by adding or removing tags from it. The updated policy is applied to
mailboxes the next time they're processed by the Managed Folder Assistant.
For more details, including a list of retention tags linked to the policy, see Default Retention Policy in Exchange
Online and Exchange Server.

Managed Folder Assistant


The Managed Folder Assistant, a mailbox assistant that runs on Mailbox servers, processes mailboxes that have a
retention policy applied.
The Managed Folder Assistant applies the retention policy by inspecting items in the mailbox and determining
whether they're subject to retention. It then stamps items subject to retention with the appropriate retention tags
and takes the specified retention action on items past their retention age.
The Managed Folder Assistant is a throttle-based assistant. Throttle-based assistants are always running and
don't need to be scheduled. The system resources they can consume are throttled. You can configure the
Managed Folder Assistant to process all mailboxes on a Mailbox server within a certain period (known as a work
cycle). Additionally, at a specified interval (known as the work cycle checkpoint), the assistant refreshes the list of
mailboxes to be processed. During the refresh, the assistant adds newly created or moved mailboxes to the
queue. It also reprioritizes existing mailboxes that haven't been processed successfully due to failures and moves
them higher in the queue so they can be processed during the same work cycle.
You can also use the Start-ManagedFolderAssistant cmdlet to manually trigger the assistant to process a
specified mailbox. To learn more, see Configure the Managed Folder Assistant.

NOTE
The Managed Folder Assistant doesn't take any action on messages that aren't subject to retention, which you specify by
disabling the retention tag. You can also disable a retention tag to temporarily suspend the processing of items that have
that tag applied.

Moving items between folders


A mailbox item moved from one folder to another inherits any tags applied to the folder to which it's moved. If
an item is moved to a folder that doesn't have a tag assigned, the DPT is applied to it. If the item has a tag
explicitly assigned to it, the tag always takes precedence over any folder-level tags or the default tag.
Applying a retention tag to a folder in the archive
When the user applies a personal tag to a folder in the archive, if a folder with the same name exists in the
primary mailbox and has a different tag, the tag on that folder in the archive changes to match the one in the
primary mailbox. This is by design to avoid any confusion about items in a folder in the archive having a different
expiry behavior than the same folder in the user's primary mailbox. For example, the user has a folder named
Project Contoso in the primary mailbox with a Delete - 3 years tag, and a Project Contoso folder also exists in the
archive mailbox. If the user applies a Delete - 1 year personal tag to the archive folder to delete its items after one
year, the folder reverts to the Delete - 3 years tag when the mailbox is processed again.
Removing or deleting a retention tag from a retention policy
When a retention tag is removed from the retention policy applied to a mailbox, the tag is no longer available to
the user and can't be applied to items in the mailbox.
Existing items that have been stamped with that tag continue to be processed by the Managed Folder Assistant
based on those settings and any retention action specified in the tag is applied to those messages.
However, if you delete the tag, the tag definition stored in Active Directory is removed. This causes the Managed
Folder Assistant to process all items in a mailbox and restamp the ones that have the removed tag applied.
Depending on the number of mailboxes and messages, this process may significantly consume resources on all
Mailbox servers that contain mailboxes with retention policies that include the removed tag.
IMPORTANT
If a retention tag is removed from a retention policy, any existing mailbox items with the tag applied will continue to expire
based on the tag's settings. To prevent the tag's settings from being applied to any items, you should delete the tag.
Deleting a tag removes it from any retention policies in which it's included.

Disabling a retention tag


If you disable a retention tag, the Managed Folder Assistant ignores items that have that tag applied. Items that
have a retention tag for which retention is disabled are either never moved or never deleted, depending on the
specified retention action. Because these items are still considered tagged items, the DPT doesn't apply to them.
For example, if you want to troubleshoot retention tag settings, you can temporarily disable a retention tag to
stop the Managed Folder Assistant from processing messages with that tag.

NOTE
The retention period for a disabled retention tag is displayed to the user as Never. If a user tags an item believing it will
never be deleted, enabling the tag later may result in unintentional deletion of items the user didn't want to delete. The
same is true for tags with the Move to Archive action.
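The troubleshooting flow described in the Managed Folder Assistant and Disabling a retention tag sections (suspend a tag, force the assistant to run, confirm it ran, re-enable the tag) can be scripted. The following Exchange Online PowerShell script is an added example and not code from the Exchange documentation. It assumes an Exchange Online PowerShell session and placeholder tag and mailbox names; the Elc* property names it reads from the mailbox diagnostic log (Export-MailboxDiagnosticLogs -ExtendedProperties) are an assumption drawn from common MRM troubleshooting practice, so confirm them in your own tenant before relying on the output.

```powershell
# Added example (not from the Exchange documentation). Assumes an Exchange Online
# PowerShell session; tag and mailbox names are placeholders. The Elc* property names
# read from the mailbox diagnostic log are an assumption; verify them in your tenant.
$tag     = 'RPT-Inbox-1Year'          # placeholder: the tag under investigation
$mailbox = 'user@contoso.example'     # placeholder: the mailbox being tested

# Reads the Managed Folder Assistant (ELC) counters from the mailbox diagnostic log.
function Get-MrmRunStatus {
    param([Parameter(Mandatory)][string]$Identity)
    $diag = Export-MailboxDiagnosticLogs -Identity $Identity -ExtendedProperties
    [xml]$xml = $diag.MailboxLog
    $props = @{}                                   # hashtable keys are case-insensitive
    foreach ($p in $xml.Properties.MailboxTable.Property) {
        if ($p.Name -like 'Elc*') { $props[$p.Name] = $p.Value }
    }
    [pscustomobject]@{
        Mailbox     = $Identity
        LastSuccess = $props['ElcLastSuccessTimestamp']   # assumed property name
        Counters    = $props
    }
}

# 1. Record the current state so a later run can be distinguished from an old one.
$before = Get-MrmRunStatus -Identity $mailbox

# 2. Suspend processing of items stamped with the tag. While disabled, users see the
#    tag's retention period as "Never"; nothing with this tag is moved or deleted.
Set-RetentionPolicyTag -Identity $tag -RetentionEnabled $false

# 3. Trigger the assistant for this mailbox instead of waiting for the work cycle.
Start-ManagedFolderAssistant -Identity $mailbox

# 4. Poll (bounded) until the last-success timestamp moves past the recorded one.
$after = $null
for ($i = 0; $i -lt 10; $i++) {
    Start-Sleep -Seconds 60
    $after = Get-MrmRunStatus -Identity $mailbox
    if ($after.LastSuccess -ne $before.LastSuccess) { break }
}
if ($after.LastSuccess -eq $before.LastSuccess) {
    Write-Warning "No new successful MRM run recorded for $mailbox within 10 minutes"
}
$after.Counters.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# 5. Re-enable the tag once the investigation is over. Items tagged while it was
#    disabled become subject to its retention action again on the next run.
Set-RetentionPolicyTag -Identity $tag -RetentionEnabled $true
```

Keep step 5 in the same script as step 2 so a tag is not left disabled by accident: the note above explains why a tag that users saw as "Never" and that is later re-enabled can delete items they expected to keep.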

Retention hold
When users are temporarily away from work and don't have access to their e-mail, retention settings can be
applied to new messages before they return to work or access their e-mail. Depending on the retention policy,
messages may be deleted or moved to the user's personal archive. You can temporarily suspend retention
policies from processing a mailbox for a specified period by placing the mailbox on retention hold. When you
place a mailbox on retention hold, you can also specify a retention comment that informs the mailbox user (or
another user authorized to access the mailbox) about the retention hold, including when the hold is scheduled to
begin and end. Retention comments are displayed in supported Outlook clients. You can also localize the
retention hold comment in the user's preferred language.

NOTE
Placing a mailbox on retention hold doesn't affect how mailbox storage quotas are processed. Depending on the mailbox
usage and applicable mailbox quotas, consider temporarily increasing the mailbox storage quota for users when they're on
vacation or don't have access to e-mail for an extended period. For more information about mailbox storage quotas, see
Configure Storage Quotas for a Mailbox.

During long absences from work, users may accrue a large amount of e-mail. Depending on the volume of e-mail
and the length of absence, it may take these users several weeks to sort through their messages. In these cases,
consider the additional time it may take the users to catch up on their mail before removing them from
retention hold.
If your organization has never implemented MRM, and your users aren't familiar with its features, you can also
use retention holds during the initial warm up and training phase of your MRM deployment. You can create and
deploy retention policies and educate users about the policies without the risk of having items moved or deleted
before users can tag them. A few days before the warm up and training period ends, you should remind users of
the warm-up deadline. After the deadline, you can remove the retention hold from user mailboxes, allowing the
Managed Folder Assistant to process mailbox items and take the specified retention action.
For details about how to place a mailbox on retention hold, see Place a mailbox on retention hold.
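Placing a mailbox on retention hold for a fixed window, with a comment that tells the user when it ends, and then finding holds that have expired or were never given an end date, is a routine task. The following Exchange Online PowerShell script is an added example, not code from the Exchange documentation. It assumes an Exchange Online PowerShell session and a placeholder mailbox; the report walks all mailboxes client-side with Where-Object, which is slow in a large tenant but avoids relying on server-side filter support for the hold properties.

```powershell
# Added example (not from the Exchange documentation). Assumes an Exchange Online
# PowerShell session; the mailbox name is a placeholder.
$mailbox = 'user@contoso.example'   # placeholder mailbox
$start   = (Get-Date).Date
$end     = $start.AddDays(42)        # absence plus a catch-up period before retention resumes

# Suspend retention processing for the window and tell the user when it ends.
Set-Mailbox -Identity $mailbox -RetentionHoldEnabled $true `
    -StartDateForRetentionHold $start -EndDateForRetentionHold $end `
    -RetentionComment ("Your mailbox is on retention hold from {0:yyyy-MM-dd} to {1:yyyy-MM-dd}. " +
                       "Retention policies resume after that date; tag items you want to keep before then." -f $start, $end)

# Reports every mailbox on retention hold and flags the ones that need attention:
# holds with no end date (they accumulate mail indefinitely), holds whose end date has
# passed (the flag is still set), and holds ending within $WarnWithinDays (remind the user).
function Get-RetentionHoldReport {
    param([int]$WarnWithinDays = 7)
    $now = Get-Date
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.RetentionHoldEnabled } |
        ForEach-Object {
            $holdEnd = $_.EndDateForRetentionHold
            $state = if ($null -eq $holdEnd)                          { 'open-ended; review' }
                     elseif ($holdEnd -lt $now)                       { 'end date passed; remove hold' }
                     elseif ($holdEnd -lt $now.AddDays($WarnWithinDays)) { 'ending soon; remind user' }
                     else                                             { 'active' }
            [pscustomobject]@{
                Mailbox = $_.PrimarySmtpAddress
                Start   = $_.StartDateForRetentionHold
                End     = $holdEnd
                State   = $state
                Comment = $_.RetentionComment
            }
        }
}

# Clears the hold and its dates once the user has caught up.
function Remove-RetentionHold {
    param([Parameter(Mandatory)][string]$Identity)
    Set-Mailbox -Identity $Identity -RetentionHoldEnabled $false `
        -StartDateForRetentionHold $null -EndDateForRetentionHold $null -RetentionComment $null
}

Get-RetentionHoldReport | Sort-Object State | Format-Table -AutoSize
```

Run the report on a schedule: the note above points out that retention hold does not pause storage quotas, so an open-ended hold that nobody reviews is the case most likely to end with a mailbox that can no longer send or receive.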
Default Retention Policy in Exchange Online and
Exchange Server
5/31/2019 • 2 minutes to read • Edit Online

Exchange creates the retention policy Default MRM Policy in your Exchange Online and on-premises Exchange
organization. The policy is automatically applied to new users in Exchange Online. In on-premises organizations,
the policy is applied when you create an archive for the mailbox. You can change the retention policy applied to a
user at any time.
You can modify tags included in the Default MRM Policy, for example by changing the retention age or retention
actions, disable a tag, or modify the policy by adding or removing tags from it. The updated policy is applied to
mailboxes the next time they're processed by the Managed Folder Assistant.

Retention tags linked to the Default MRM Policy


The following table lists the default retention tags linked to the Default MRM Policy.

NAME                                       TYPE                       RETENTION AGE (DAYS)   RETENTION ACTION
Default 2 years move to archive            Default Policy Tag (DPT)   730                    Move to Archive
Recoverable Items 14 days move to archive  Recoverable Items folder   14                     Move to Archive
Personal 1 year move to archive            Personal tag               365                    Move to Archive
Personal 5 year move to archive            Personal tag               1,825                  Move to Archive
Personal never move to archive             Personal tag               Not applicable         Move to Archive
1 Week Delete                              Personal tag               7                      Delete and Allow Recovery
1 Month Delete                             Personal tag               30                     Delete and Allow Recovery
6 Month Delete                             Personal tag               180                    Delete and Allow Recovery
1 Year Delete                              Personal tag               365                    Delete and Allow Recovery
5 Year Delete                              Personal tag               1,825                  Delete and Allow Recovery
Never Delete                               Personal tag               Not applicable         Delete and Allow Recovery

What you can do with the Default MRM Policy


Apply the Default MRM Policy automatically to new users
    In Exchange Online: Yes, applied by default. No action is required.
    In Exchange Server: Yes, applied by default if you also create an archive for the new user. If you create an
    archive for the user later, the policy is applied automatically only if the user doesn't have an existing
    Retention Policy.

Modify the retention age or retention action of a retention tag linked to the policy
    In Exchange Online: Yes
    In Exchange Server: Yes

Disable a retention tag linked to the policy
    In Exchange Online: Yes
    In Exchange Server: Yes

Add a retention tag to the policy
    In Exchange Online: Yes
    In Exchange Server: Yes

Remove a retention tag from the policy
    In Exchange Online: Yes
    In Exchange Server: Yes

Set another policy as the default retention policy to be applied automatically to new users
    In Exchange Online: No
    In Exchange Server: No

More information
A Retention Tag can be linked to more than one Retention Policy. For details about managing Retention tags
and retention policies, see Messaging Records Management Procedures.
The Default MRM Policy doesn't include a DPT to automatically delete items (but it does contain personal
tags with the delete retention action that users can apply to mailbox items). If you want to automatically
delete items after a specified period, you can create a DPT with the required delete action and add it to the
policy. For details, see Create a Retention Policy and Add retention tags to or remove retention tags from a
retention policy.
Retention policies are applied to mailbox users. The same policy applies to the user's mailbox and archive.
Default folders that support Retention Policy Tags
6/24/2019 • 4 minutes to read • Edit Online

You can use Retention tags and retention policies to manage email lifecycle. Retention Policies contain Retention
Tags, which are settings you can use to specify when a message should be automatically moved to the archive or
when it should be deleted.
A Retention Policy Tag (RPT) is a type of retention tag that you can apply to default folders in a mailbox, such as
Inbox and Deleted Items.

Supported default folders


You can create RPTs for the default folders shown in the following table.

Archive: This folder is the default destination for messages archived with the Archive button in Outlook. The
Archive feature provides a fast way for users to remove messages from their Inbox without deleting them. This
RPT is available only in Exchange Online.

Calendar: This default folder is used to store meetings and appointments.

Clutter: This folder contains email messages that are low priority. Clutter looks at what you've done in the past
to determine the messages you're most likely to ignore. It then moves those messages to the Clutter folder.

Conversation History: This folder is created by Microsoft Lync (previously Microsoft Office Communicator).
Although not treated as a default folder by Outlook, it's treated as a special folder by Exchange and can have
RPTs applied.

Deleted Items: This default folder is used to store items deleted from other folders in the mailbox. Outlook and
Outlook on the web (formerly known as Outlook Web App) users can manually empty this folder. Users can also
configure Outlook to empty the folder upon closing Outlook.

Drafts: This default folder is used to store draft messages that haven't been sent by the user. Outlook on the web
also uses this folder to save messages that were sent by the user but not submitted to the Hub Transport server.

Inbox: This default folder is used to store messages delivered to a mailbox.

Journal: This default folder contains actions selected by the user. These actions are automatically recorded by
Outlook and placed in a timeline view.

Junk E-mail: This default folder is used to save messages marked as junk e-mail by the content filter on an
Exchange server or by the anti-spam filter in Outlook.

Notes: This folder contains notes created by users in Outlook. These notes are also visible in Outlook on the web.

Outbox: This default folder is used to temporarily store messages sent by the user until they're submitted to a
Hub Transport server. A copy of sent messages is saved in the Sent Items default folder. Because messages usually
remain in this folder for a brief period, it isn't necessary to create an RPT for this folder.

RSS Feeds: This default folder contains RSS feeds.

Recoverable Items: This is a hidden folder in the Non-IPM sub-tree. It contains the Deletions, Versions, Purges,
DiscoveryHolds, and Audits sub-folders. Retention tags for this folder move items from the Recoverable Items
folder in the user's primary mailbox to the Recoverable Items folder in the user's archive mailbox. You can assign
only the Move To Archive retention action to tags for this folder. To learn more, see Recoverable Items Folder.

Sent Items: This default folder is used to store messages that have been submitted to a Hub Transport server.

Sync Issues: This folder contains synchronization logs. To learn more, see Synchronization error folders.

Tasks: This default folder is used to store tasks. To create an RPT for the Tasks folder, you have to use Exchange
Online PowerShell. For more information, see New-RetentionPolicyTag. After the RPT for the Tasks folder is
created, you can manage it by using the Exchange admin center.

More Info
RPTs are retention tags for default folders. You can only select a delete action for RPTs - either delete and
allow recovery or permanently delete.
You can't create an RPT to move messages to the archive. To move old items to archive, you can create a
Default Policy Tag (DPT), which applies to the entire mailbox, or Personal Tags, which are displayed in
Outlook and Outlook on the web as Archive Policies. Your users can apply them to folders or individual
messages.
You can't apply RPTs to the Contacts folder.
You can only add one RPT for a particular default folder to a Retention Policy. For example, if a retention
policy has an Inbox tag, you can't add another RPT of type Inbox to that retention policy.
To learn how to create RPTs or other types of retention tags and add them to a retention policy, see Create a
Retention Policy.
In Exchange Server and Exchange Online, a DPT also applies to the Calendar and Tasks default folders.
This may result in items being deleted or moved to the archive based on the DPT settings. To prevent the
DPT settings from deleting items in these folders, create RPTs with retention disabled. To prevent the DPT
settings from moving items in a default folder, you can create a disabled Personal Tag with the move to
archive action, add it to the retention policy, and then have users apply it to the default folder. For details, see
Prevent archiving of items in a default folder in Exchange 2010.
How retention age is calculated
5/31/2019 • 4 minutes to read

The Managed Folder Assistant (MFA) is one of many mailbox assistant processes that runs on mailbox servers. Its
job is to process mailboxes that have a Retention Policy applied, add the Retention Tags included in the policy to
the mailbox, and process items in the mailbox. If the items have a retention tag, the assistant tests the age of those
items. If an item has exceeded its retention age, it takes the specified retention action. Retention actions include
moving an item to the user's archive, deleting the item and allowing recovery, or deleting the item permanently.
See Retention tags and retention policies for more information.

Determining the age of different types of items


The retention age of mailbox items is calculated from the date of delivery or in the case of items like drafts that
aren't delivered but created by the user, the date an item was created. When the Managed Folder Assistant
processes items in a mailbox, it stamps a start date and an expiration date for all items that have retention tags
with the Delete and Allow Recovery or Permanently Delete retention action. Items that have an archive tag
are also stamped with a move date.
Items in the Deleted Items folder and items which may have a start and end date, such as calendar items (meetings
and appointments) and tasks, are handled differently as shown in this table.

THE RETENTION AGE IS CALCULATED

Item type: Email message, Document, Fax, Journal item, Meeting request, response, or cancellation, Missed call
Location: Not in the Deleted Items folder
Based on: Delivery date or date of creation.

Item type: Email message, Document, Fax, Journal item, Meeting request, response, or cancellation, Missed call
Location: In the Deleted Items folder
Based on: Date of delivery or creation unless the item was deleted from a folder that does not have an inherited or implicit retention tag. If an item is in a folder that doesn't have an inherited or implicit retention tag applied, the item isn't processed by the MFA and therefore doesn't have a start date stamped by it. When the user deletes such an item, and the MFA processes it for the first time in the Deleted Items folder, it stamps the current date as the start date.

Item type: Calendar
Location: Not in the Deleted Items folder
Based on: Non-recurring calendar items expire according to their end date. Recurring calendar items expire according to the end date of their last occurrence. Recurring calendar items with no end date don't expire.

Item type: Calendar
Location: In the Deleted Items folder
Based on: A calendar item expires according to its message-received date, if one exists. If a calendar item doesn't have a message-received date, it expires according to its message-creation date. If a calendar item has neither a message-received date nor a message-creation date, it doesn't expire.

Item type: Task
Location: Not in the Deleted Items folder
Based on: Non-recurring tasks: a non-recurring task expires according to its message-received date, if one exists. If a non-recurring task doesn't have a message-received date, it expires according to its message-creation date. If a non-recurring task has neither a message-received date nor a message-creation date, it doesn't expire. A recurring task expires according to the end date of its last occurrence. If a recurring task doesn't have an end date, it doesn't expire. A regenerating task (which is a recurring task that regenerates a specified time after the preceding instance of the task is completed) doesn't expire.

Item type: Task
Location: In the Deleted Items folder
Based on: A task expires according to its message-received date, if one exists. If a task doesn't have a message-received date, it expires according to its message-creation date. If a task has neither a message-received date nor a message-creation date, it doesn't expire.

Item type: Contact
Location: In any folder
Based on: Contacts aren't stamped with a start date or an expiration date, so they're skipped by the Managed Folder Assistant and don't expire.

Item type: Corrupted
Location: In any folder
Based on: Corrupted items are skipped by the Managed Folder Assistant and don't expire.

Examples

If the user: Receives a message in the Inbox on 01/26/2013. Deletes the message on 2/27/2013.
The retention tags on folder: Inbox: Delete in 365 days. Deleted Items: Delete in 30 days.
The Managed Folder Assistant: Processes the message in the Inbox on 1/26/2013, stamps it with a start date of 01/26/2013 and an expiration date of 01/26/2014. Processes the message again in the Deleted Items folder on 2/27/2013. It recalculates the expiration date based on the same start date (01/26/2013). Because the item is older than 30 days, it is expired immediately.

If the user: Receives a message in the Inbox on 01/26/2013. Deletes the message on 2/27/2013.
The retention tags on folder: Inbox: None (inherited or implicit). Deleted Items: Delete in 30 days.
The Managed Folder Assistant: Processes the message in the Deleted Items folder on 02/27/2013 and determines the item doesn't have a start date. It stamps the current date as the start date, and 03/27/2013 as the expiration date. The item is expired on 3/27/2013, which is 30 days after the user deleted or moved it to the Deleted Items folder.


More Info
In Exchange Online, the Managed Folder Assistant processes a mailbox once in seven days. This might
result in items being expired up to seven days after the expiration date stamped on the item.
Items in mailboxes placed on Retention Hold aren't processed by the Managed Folder Assistant until the
Retention Hold is removed.
If a mailbox is placed on In-Place Hold or Litigation Hold, expiring items are removed from the Inbox but
preserved in the Recoverable Items folder until the mailbox is removed from In-Place Hold and Litigation
Hold.
In hybrid deployments, the same retention tags and retention policies must exist in your on-premises and
Exchange Online organizations in order to consistently move and expire items across both organizations.
See Export and Import Retention Tags for more information.
Create a Retention Policy
6/24/2019 • 6 minutes to read

In Exchange Online, you can use retention policies to manage email lifecycle. Retention policies are applied by
creating retention tags, adding them to a retention policy, and applying the policy to mailbox users.
For additional management tasks related to retention policies, see Messaging Records Management Procedures.

What do you need to know before you begin?


Estimated time to complete this task: 30 minutes.
Procedures in this topic require specific permissions. See each procedure for its permissions information.
Mailboxes to which you apply retention policies must reside on Exchange Server 2010 or later servers.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

Step 1: Create a retention tag


You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Messaging records management" entry in the Messaging policy and compliance
permissions topic.
Use the EAC to create a retention tag
1. Navigate to Compliance management > Retention tags, and then click Add
2. Select one of the following options:
Applied automatically to entire mailbox (default): Select this option to create a default policy
tag (DPT). You can use DPTs to create a default deletion policy and a default archive policy, which
applies to all items in the mailbox.

NOTE
You can't use the EAC to create a DPT to delete voice mail items. For details about how to create a DPT to
delete voice mail items, see Exchange Online PowerShell example below.

Applied automatically to a specific folder: Select this option to create a retention policy tag
(RPT) for a default folder such as Inbox or Deleted Items.

NOTE
You can only create RPTs with the Delete and allow recovery or Permanently delete actions.

Applied by users to items and folders (Personal): Select this option to create personal tags.
These tags allow Outlook and Outlook on the web (formerly known as Outlook Web App) users to
apply archive or deletion settings to a message or folders that are different from the settings applied
to the parent folder or the entire mailbox.
3. The New retention tag page title and options will vary depending on the type of tag you selected.
Complete the following fields:
Name: Enter a name for the retention tag. The tag name is for display purposes and doesn't have
any impact on the folder or item a tag is applied to. Consider that the personal tags you provision for
users are available in Outlook and Outlook on the web.
Apply this tag to the following default folder: This option is available only if you selected
Applied automatically to a specific folder.
Retention action: Select one of the following actions to be taken after the item reaches its retention
period:
Delete and Allow Recovery: Select this action to delete items but allow users to recover them
using the Recover Deleted Items option in Outlook or Outlook on the web. Items are retained until
the deleted item retention period configured for the mailbox database or the mailbox user is reached.
Permanently Delete: Select this option to permanently delete the item from the mailbox database.

IMPORTANT
Mailboxes or items subject to In-Place Hold or litigation hold will be retained and returned in In-Place
eDiscovery searches. To learn more, see In-Place Hold and Litigation Hold.

Move to Archive: This action is available only if you're creating a DPT or a personal tag. Select this
action to move items to the user's In-Place Archive.
Retention period: Select one of the following options:
Never: Select this option to specify that items should never be deleted or moved to the archive.
When the item reaches the following age (in days): Select this option and specify the number of
days to retain items before they're moved or deleted. The retention age for all supported items
except Calendar and Tasks is calculated from the date an item is received or created. Retention age
for Calendar and Tasks items is calculated from the end date.
Comment: Use this optional field to enter any administrative notes or comments. The field isn't
displayed to users.
Use Exchange Online PowerShell to create a retention tag
Use the New-RetentionPolicyTag cmdlet to create a retention tag. Different options available in the cmdlet
allow you to create different types of retention tags. Use the Type parameter to create a DPT (All), an RPT (specify a
default folder type, such as Inbox), or a personal tag (Personal).
This example creates a DPT to delete all messages in the mailbox after 7 years (2,556 days).

New-RetentionPolicyTag -Name "DPT-Corp-Delete" -Type All -AgeLimitForRetention 2556 -RetentionAction DeleteAndAllowRecovery

This example creates a DPT to move all messages to the In-Place Archive in 2 years (730 days).

New-RetentionPolicyTag -Name "DPT-Corp-Move" -Type All -AgeLimitForRetention 730 -RetentionAction MoveToArchive

This example creates a DPT to delete voice mail messages after 20 days.

New-RetentionPolicyTag -Name "DPT-Corp-Voicemail" -Type All -MessageClass Voicemail -AgeLimitForRetention 20 -RetentionAction DeleteAndAllowRecovery

This example creates an RPT to permanently delete messages in the Junk Email folder after 30 days.

New-RetentionPolicyTag -Name "RPT-Corp-JunkMail" -Type JunkEmail -AgeLimitForRetention 30 -RetentionAction PermanentlyDelete

This example creates a personal tag to never delete a message.

New-RetentionPolicyTag -Name "Never Delete" -Type Personal -RetentionAction DeleteAndAllowRecovery -RetentionEnabled $false

Step 2: Create a retention policy


You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Messaging records management" entry in the Messaging policy and compliance
permissions topic.
Use the EAC to create a retention policy
1. Navigate to Compliance management > Retention policies, and then click Add
2. In New Retention Policy, complete the following fields:
Name: Enter a name for the retention policy.
Retention tags: Click Add to select the tags you want to add to this retention policy.
A retention policy can contain the following tags:
One DPT with the Move to Archive action.
One DPT with the Delete and Allow Recovery or Permanently Delete actions.
One DPT for voice mail messages with the Delete and Allow Recovery or Permanently
Delete actions.
One RPT per default folder such as Inbox to delete items.
Any number of personal tags.

NOTE
Although you can add any number of personal tags to a retention policy, having many personal tags with
different retention settings can confuse users. We recommend linking no more than ten personal tags to a
retention policy.

You can create a retention policy without adding any retention tags to it, but items in the mailbox to which the
policy is applied won't be moved or deleted. You can also add and remove retention tags from a retention policy
after it's created.
Use Exchange Online PowerShell to create a retention policy
This example creates the retention policy RetentionPolicy-Corp and uses the RetentionPolicyTagLinks parameter
to associate five tags to the policy.

New-RetentionPolicy "RetentionPolicy-Corp" -RetentionPolicyTagLinks "DPT-Corp-Delete","DPT-Corp-Move","DPT-Corp-Voicemail","RPT-Corp-JunkMail","Never Delete"

For detailed syntax and parameter information, see New-RetentionPolicy.

Step 3: Apply a retention policy to mailbox users


After you create a retention policy, you must apply it to mailbox users. You can apply different retention policies to
different sets of users. For detailed instructions, see Apply a retention policy to mailboxes.

How do you know this worked?


After you create retention tags, add them to a retention policy, and apply the policy to a mailbox user, the next time
the MRM mailbox assistant processes the mailbox, messages are moved or deleted based on settings you
configured in the retention tags.
To verify that you have applied the retention policy, do the following:
1. Replace <Mailbox Identity> with the name, email address, or alias of the mailbox, and run the following
command in Exchange Online PowerShell to run the MRM assistant manually against a single
mailbox:

Start-ManagedFolderAssistant -Identity "<Mailbox Identity>"

2. Log on to the mailbox using Outlook or Outlook on the web and verify that messages are deleted or moved
to an archive in accordance with the policy configuration.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Add retention tags to or remove retention tags from a retention policy
6/25/2019 • 2 minutes to read

You can add retention tags to a retention policy when the policy is created or any time thereafter. For details about
how to create a retention policy, including how to simultaneously add retention tags, see Create a Retention Policy.
A retention policy can contain the following retention tags:
One or more retention policy tags (RPTs) for supported default folders
One default policy tag (DPT) with the Move to Archive action
One DPT with the Delete and Allow Recovery or the Permanently Delete action
One DPT for voice mail
Any number of personal tags
For more information about retention tags, see Retention tags and retention policies.

What do you need to know before you begin?


Estimated time to completion: 10 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Messaging records management" entry in the Mailbox Permissions topic.
Retention tags aren't applied to a mailbox until they're linked to a retention policy and the Managed Folder
Assistant processes the mailbox. To start the Managed Folder Assistant so that it processes a mailbox, see
Configure and run the Managed Folder Assistant in Exchange 2016.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to add or remove retention tags


1. Go to Compliance management > Retention policies.
2. In the list view, select the retention policy to which you want to add retention tags and then click Edit .
3. In Retention Policy, use the following settings:
Add Click this button to add a retention tag to the policy.
Remove Select a tag from the list, and then click this button to remove the tag from the policy.

Use Exchange Online PowerShell to add or remove retention tags


This example adds the retention tags VPs-Default, VPs-Inbox, and VPs-DeletedItems to the retention policy
RetPolicy-VPs, which doesn't already have retention tags linked to it.
Caution

If the policy has retention tags linked to it, this command replaces the existing tags.

Set-RetentionPolicy -Identity "RetPolicy-VPs" -RetentionPolicyTagLinks "VPs-Default","VPs-Inbox","VPs-DeletedItems"

This example adds the retention tag VPs-DeletedItems to the retention policy RetPolicy-VPs, which already has
other retention tags linked to it.

$TagList = (Get-RetentionPolicy "RetPolicy-VPs").RetentionPolicyTagLinks
$TagList.Add((Get-RetentionPolicyTag 'VPs-DeletedItems').DistinguishedName)
Set-RetentionPolicy "RetPolicy-VPs" -RetentionPolicyTagLinks $TagList

This example removes the retention tag VPs-Inbox from the retention policy RetPolicy-VPs.

$TagList = (Get-RetentionPolicy "RetPolicy-VPs").RetentionPolicyTagLinks
$TagList.Remove((Get-RetentionPolicyTag 'VPs-Inbox').DistinguishedName)
Set-RetentionPolicy "RetPolicy-VPs" -RetentionPolicyTagLinks $TagList

For detailed syntax and parameter information, see Set-RetentionPolicy and Get-RetentionPolicy.
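The composition rules listed under Step 2 (one Move to Archive DPT, one delete DPT, one voice mail DPT, one RPT per default folder) are not enforced by the commands above, and Set-RetentionPolicy replaces the whole link list. The following is an added example, not code from the original documentation, that checks a proposed tag set against those rules and then links a tag without dropping the ones already on the policy. It assumes a connected Exchange Online PowerShell session; the function names are my own, and the policy and tag names in the usage line are the ones used in this topic.

```powershell
# Added example (not from the original documentation). Assumes a connected
# Exchange Online PowerShell session; Test-RetentionTagSet and
# Add-RetentionTagToPolicy are names chosen here, not Exchange cmdlets.

function Test-RetentionTagSet {
    # Returns nothing when the set is acceptable, otherwise one string per problem.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Tags)

    $dpts = @($Tags | Where-Object { $_.Type -eq 'All' })
    $archiveDpts = @($dpts | Where-Object { $_.RetentionAction -eq 'MoveToArchive' })
    $deleteDpts  = @($dpts | Where-Object { $_.RetentionAction -ne 'MoveToArchive' -and $_.MessageClass -ne 'Voicemail' })
    $voiceDpts   = @($dpts | Where-Object { $_.RetentionAction -ne 'MoveToArchive' -and $_.MessageClass -eq 'Voicemail' })

    if ($archiveDpts.Count -gt 1) { "more than one Move to Archive DPT: $($archiveDpts.Name -join ', ')" }
    if ($deleteDpts.Count  -gt 1) { "more than one delete DPT: $($deleteDpts.Name -join ', ')" }
    if ($voiceDpts.Count   -gt 1) { "more than one voice mail DPT: $($voiceDpts.Name -join ', ')" }

    # Anything that is neither a DPT nor a personal tag is an RPT for one default folder.
    $Tags | Where-Object { $_.Type -notin 'All', 'Personal' } |
        Group-Object Type | Where-Object Count -gt 1 | ForEach-Object {
            "more than one RPT for folder $($_.Name): $($_.Group.Name -join ', ')"
        }
}

function Add-RetentionTagToPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$TagName
    )

    # -ErrorAction Stop: a mistyped name must abort, not silently produce an empty list.
    $policy = Get-RetentionPolicy -Identity $PolicyName -ErrorAction Stop
    $newTag = Get-RetentionPolicyTag -Identity $TagName -ErrorAction Stop

    # Resolve the tags currently linked so the new set can be validated as a whole.
    $current = @($policy.RetentionPolicyTagLinks |
        ForEach-Object { Get-RetentionPolicyTag -Identity $_.DistinguishedName })

    if (($current | ForEach-Object { $_.DistinguishedName }) -contains $newTag.DistinguishedName) {
        Write-Verbose "$TagName is already linked to $PolicyName"
        return
    }

    $problems = @(Test-RetentionTagSet -Tags ($current + $newTag))
    if ($problems.Count -gt 0) {
        throw ("Refusing to update {0}: {1}" -f $PolicyName, ($problems -join '; '))
    }

    # Pass the complete list: -RetentionPolicyTagLinks replaces, it does not append.
    $links = @($current | ForEach-Object { $_.DistinguishedName }) + $newTag.DistinguishedName
    if ($PSCmdlet.ShouldProcess($PolicyName, "link retention tag $TagName")) {
        Set-RetentionPolicy -Identity $PolicyName -RetentionPolicyTagLinks $links
    }
}

# Preview only: reports what would change on RetPolicy-VPs without modifying it.
Add-RetentionTagToPolicy -PolicyName 'RetPolicy-VPs' -TagName 'VPs-DeletedItems' -WhatIf
```

Run the last line without -WhatIf to apply the change; a tag set that breaks one of the rules is rejected before Set-RetentionPolicy is called.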

How do you know this worked?


To verify that you have successfully added or removed a retention tag from a retention policy, use the
Get-RetentionPolicy cmdlet to verify the RetentionPolicyTagLinks property.
This example uses the Get-RetentionPolicy cmdlet to retrieve retention tags added to the Default MRM Policy and
pipes them to the Format-Table cmdlet to output only the Name property of each tag.

(Get-RetentionPolicy "Default MRM Policy").RetentionPolicyTagLinks | Format-Table name


Apply a retention policy to mailboxes
5/31/2019 • 2 minutes to read

You can use retention policies to group one or more retention tags and apply them to mailboxes to enforce
message retention settings. A mailbox can't have more than one retention policy.
Caution

Messages are expired based on settings defined in the retention tags linked to the policy. These settings include
actions such as moving messages to the archive or permanently deleting them. Before applying a retention policy to
one or more mailboxes, we recommend that you test the policy and inspect each retention tag associated with it.
For additional management tasks related to messaging records management (MRM), see Messaging Records
Management Procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Applying retention policies" entry in the Messaging Policy and Compliance
Permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to apply a retention policy to a single mailbox


1. Navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox to which you want to apply the retention policy, and then click Edit .
3. In User Mailbox, click Mailbox features.
4. In the Retention policy list, select the policy you want to apply to the mailbox, and then click Save.

Use the EAC to apply a retention policy to multiple mailboxes


1. Navigate to Recipients > Mailboxes.
2. In the list view, use the Shift or Ctrl keys to select multiple mailboxes.
3. In the details pane, click More options.
4. Under Retention Policy, click Update.
5. In Bulk Assign Retention Policy, select the retention policy you want to apply to the mailboxes, and then
click Save.

Use Exchange Online PowerShell to apply a retention policy to a single mailbox

This example applies the retention policy RP-Finance to Morris's mailbox.

Set-Mailbox "Morris" -RetentionPolicy "RP-Finance"

For detailed syntax and parameter information, see Set-Mailbox.

Use Exchange Online PowerShell to apply a retention policy to multiple mailboxes

This example applies the new retention policy New-Retention-Policy to all mailboxes that have the old policy
Old-Retention-Policy.

# Parentheses, not braces: braces would create a script block, and its .DistinguishedName is empty.
$OldPolicy = (Get-RetentionPolicy "Old-Retention-Policy").DistinguishedName
Get-Mailbox -Filter "RetentionPolicy -eq '$OldPolicy'" -ResultSize Unlimited | Set-Mailbox -RetentionPolicy "New-Retention-Policy"

This example applies the retention policy RetentionPolicy-Corp to all mailboxes in the Exchange organization.

Get-Mailbox -ResultSize unlimited | Set-Mailbox -RetentionPolicy "RetentionPolicy-Corp"

This example applies the retention policy RetentionPolicy-Finance to all mailboxes in the Finance organizational
unit.

Get-Mailbox -OrganizationalUnit "Finance" -ResultSize Unlimited | Set-Mailbox -RetentionPolicy "RetentionPolicy-Finance"

For detailed syntax and parameter information, see Get-Mailbox and Set-Mailbox.

How do you know this worked?


To verify that you have applied the retention policy, run the Get-Mailbox cmdlet to retrieve the retention policy for
the mailbox or mailboxes.
This example retrieves the retention policy for Morris's mailbox.

Get-Mailbox Morris | Select RetentionPolicy

This command retrieves all mailboxes that have the retention policy RP-Finance applied.

Get-Mailbox -ResultSize unlimited | Where-Object {$_.RetentionPolicy -eq "RP-Finance"} | Format-Table Name,RetentionPolicy -Auto

Place a mailbox on retention hold
5/31/2019 • 2 minutes to read

Placing a mailbox on retention hold suspends the processing of a retention policy or managed folder mailbox
policy for that mailbox. Retention hold is designed for situations such as a user being on vacation or away
temporarily.
During retention hold, users can log on to their mailbox and change or delete items. When you perform a mailbox
search, deleted items that are past the deleted item retention period aren't returned in search results. To make sure
items changed or deleted by users are preserved in legal hold scenarios, you must place a mailbox on legal hold.
For more information, see Create or remove an In-Place Hold.
You can also include retention comments for mailboxes you place on retention hold. The comments are displayed
in supported versions of Microsoft Outlook.
For additional management tasks related to messaging records management (MRM), see Messaging Records
Management Procedures.

What do you need to know before you begin?


Estimated time to complete: 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Messaging records management" entry in the Messaging Policy and
Compliance Permissions topic.
You can't use the Exchange admin center (EAC) to place a mailbox on retention hold. You must use Exchange
Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use Exchange Online PowerShell to place a mailbox on retention hold


This example places Michael Allen's mailbox on retention hold.

Set-Mailbox "Michael Allen" -RetentionHoldEnabled $true

For detailed syntax and parameter information, see Set-Mailbox.

Use Exchange Online PowerShell to remove retention hold for a mailbox

This example removes the retention hold from Michael Allen's mailbox.

Set-Mailbox "Michael Allen" -RetentionHoldEnabled $false

For detailed syntax and parameter information, see Set-Mailbox.

How do you know this worked?


To verify that you have successfully placed a mailbox on retention hold, use the Get-Mailbox cmdlet to retrieve the
RetentionHoldEnabled property of the mailbox.
This command retrieves the RetentionHoldEnabled property for Michael Allen's mailbox.

Get-Mailbox "Michael Allen" | Select RetentionHoldEnabled

This command retrieves all mailboxes in the Exchange organization, filters the mailboxes that are placed on
retention hold, and lists them along with the retention policy applied to each.

IMPORTANT
Because RetentionHoldEnabled isn't a filterable property in Exchange Server, you can't use the Filter parameter with the
Get-Mailbox cmdlet to filter mailboxes that are placed on retention hold on the server side. This command retrieves a list of all
mailboxes and filters them on the client running the Exchange Online PowerShell session. In large environments with thousands of
mailboxes, this command may take a long time to complete.

Get-Mailbox -ResultSize unlimited | Where-Object {$_.RetentionHoldEnabled -eq $true} | Format-Table Name,RetentionPolicy,RetentionHoldEnabled -Auto

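The verification commands in the "Apply a retention policy to mailboxes" and "Place a mailbox on retention hold" topics each answer one question at a time. The following added example, not code from the original documentation, combines them into one report: which mailboxes in scope carry the expected policy, which are missing it or have a different one, and which are on retention hold (where the Managed Folder Assistant skips the mailbox entirely) or litigation hold, with optional -WhatIf-aware remediation. It assumes a connected Exchange Online PowerShell session; the function name is my own and the policy and OU names in the usage line are the ones used in these topics.

```powershell
# Added example (not from the original documentation). Assumes a connected
# Exchange Online PowerShell session; Get-RetentionAssignmentReport is a name
# chosen here, not an Exchange cmdlet.

function Get-RetentionAssignmentReport {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Name of the retention policy every mailbox in scope should have.
        [Parameter(Mandatory)][string]$ExpectedPolicy,
        # Optional scope; omit to inspect the whole organization.
        [string]$OrganizationalUnit,
        # Assign $ExpectedPolicy where it is missing or wrong (honours -WhatIf).
        [switch]$Remediate
    )

    # Fail early on a mistyped policy name instead of stamping a bad value on mailboxes.
    $null = Get-RetentionPolicy -Identity $ExpectedPolicy -ErrorAction Stop

    $query = @{ ResultSize = 'Unlimited' }
    if ($OrganizationalUnit) { $query.OrganizationalUnit = $OrganizationalUnit }

    # RetentionHoldEnabled is not server-side filterable, so every mailbox in
    # scope is retrieved and evaluated on the client (slow in large tenants).
    Get-Mailbox @query | ForEach-Object {
        $mbx = $_
        $current = [string]$mbx.RetentionPolicy   # renders as the policy name, or empty

        $status = if (-not $current) { 'NoPolicy' }
                  elseif ($current -ne $ExpectedPolicy) { 'WrongPolicy' }
                  else { 'OK' }

        if ($Remediate -and $status -ne 'OK' -and
            $PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "set retention policy $ExpectedPolicy")) {
            Set-Mailbox -Identity $mbx.Identity -RetentionPolicy $ExpectedPolicy
            $status = 'Remediated'
        }

        [pscustomobject]@{
            Name                  = $mbx.Name
            PrimarySmtpAddress    = $mbx.PrimarySmtpAddress
            RetentionPolicy       = $current
            # On retention hold the Managed Folder Assistant does not process the
            # mailbox, so even a correct policy has no effect until the hold is removed.
            RetentionHoldEnabled  = [bool]$mbx.RetentionHoldEnabled
            # Under litigation hold expired items are kept in Recoverable Items rather
            # than being purged, so the policy still runs but nothing is lost.
            LitigationHoldEnabled = [bool]$mbx.LitigationHoldEnabled
            Status                = $status
        }
    }
}

# Preview: -WhatIf lists every mailbox in the Finance OU that would be changed, without changing it.
Get-RetentionAssignmentReport -ExpectedPolicy 'RetentionPolicy-Finance' -OrganizationalUnit 'Finance' -Remediate -WhatIf |
    Where-Object Status -ne 'OK' |
    Format-Table Name, RetentionPolicy, RetentionHoldEnabled, LitigationHoldEnabled, Status -AutoSize
```

Drop -WhatIf to assign the policy to the flagged mailboxes; mailboxes on retention hold are still assigned, but will not be processed until the hold is lifted.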
Journaling in Exchange Online
5/31/2019 • 8 minutes to read

Journaling can help your organization respond to legal, regulatory, and organizational compliance requirements
by recording inbound and outbound email communications. When planning for messaging retention and
compliance, it's important to understand journaling, how it fits in your organization's compliance policies, and how
Exchange Online helps you secure journaled messages.

Why journaling is important


First, it's important to understand the difference between journaling and a data archiving strategy:
Journaling is the ability to record all communications, including email communications, in an organization
for use in the organization's email retention or archival strategy. To meet an increasing number of
regulatory and compliance requirements, many organizations must maintain records of communications
that occur when employees perform daily business tasks.
Data archiving refers to backing up the data, removing it from its native environment, and storing it
elsewhere, therefore reducing the strain of data storage. You can use Exchange journaling as a tool in your
email retention or archival strategy.
Although journaling may not be required by a specific regulation, compliance may be achieved through journaling
under certain regulations. For example, corporate officers in some financial sectors may be held liable for the
claims made by their employees to their customers. To verify that the claims are accurate, a corporate officer may
set up a system where managers review some part of employee-to-client communications regularly. Every quarter,
the managers verify compliance and approve their employees' conduct. After all managers report approval to the
corporate officer, the corporate officer reports compliance, on behalf of the company, to the regulating body. In this
example, email messages might be one type of the employee-to-client communications that managers must
review; therefore, journaling can be used to collect all email messages sent by client-facing employees. Other client
communication mechanisms may include faxes and telephone conversations, which may also be subject to
regulation. The ability to journal all classes of data in an enterprise is a valuable functionality of the IT architecture.
The following list shows some of the more well-known U.S. and international regulations where journaling may
help form part of your compliance strategies:
Sarbanes-Oxley Act of 2002 (SOX)
Security Exchange Commission Rule 17a-4 (SEC Rule 17 A-4)
National Association of Securities Dealers 3010 & 3110 (NASD 3010 & 3110)
Gramm-Leach-Bliley Act (Financial Modernization Act)
Financial Institution Privacy Protection Act of 2001
Financial Institution Privacy Protection Act of 2003
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act of 2001 (Patriot Act)
European Union Data Protection Directive (EUDPD)
Japan's Personal Information Protection Act
Journal rules
The following are key aspects of journal rules:
Journal rule scope: Defines which messages are journaled by the Journaling agent.
Journal recipient: Specifies the SMTP address of the recipient you want to journal.
Journaling mailbox: Specifies one or more mailboxes used for collecting journal reports.
In Exchange Online, there's a limit to the number of journal rules that you can create. For details, see Journal,
Transport, and Inbox rule limits.
Journal rule scope
You can use a journal rule to journal only internal messages, only external messages, or both. The following list
describes these scopes:
Internal messages only: Journal rules with the scope set to journal internal messages sent between the
recipients inside your Exchange organization.
External messages only: Journal rules with the scope set to journal external messages sent to recipients
or received from senders outside your Exchange organization.
All messages: Journal rules with the scope set to journal all messages that pass through your organization
regardless of origin or destination. These include messages that may have already been processed by
journal rules in the Internal and External scopes.
Journal recipient
You can implement targeted journaling rules by specifying the SMTP address of the recipient you want to journal.
The recipient can be a mailbox, distribution group, mail user, or contact. These recipients may be subject to
regulatory requirements, or they may be involved in legal proceedings where email messages or other
communications are collected as evidence. By targeting specific recipients or groups of recipients, you can easily
configure a journaling environment that matches your organization's processes and meets regulatory and legal
requirements. Targeting only the specific recipients that need to be journaled also minimizes storage and other
costs associated with retention of large amounts of data.
All messages sent to or from the journaling recipients you specify in a journaling rule are journaled. If you specify
a distribution group as the journaling recipient, all messages sent to or from members of the distribution group
are journaled. If you don't specify a journaling recipient, all messages sent to or from recipients that match the
journal rule scope are journaled.
Journaling mailbox
The journaling mailbox is used to collect journal reports. How you configure the journaling mailbox depends on
your organization's policies, regulatory requirements, and legal requirements. You can specify one journaling
mailbox to collect messages for all the journal rules configured in the organization, or you can use different
journaling mailboxes for different journal rules or sets of journal rules.
You can't designate an Exchange Online mailbox as a journaling mailbox. You can deliver journal reports to an
on-premises archiving system or a third-party archiving service. If you're running an Exchange hybrid deployment
with your mailboxes split between on-premises servers and Exchange Online, you can designate an on-premises
mailbox as the journaling mailbox for your Exchange Online and on-premises mailboxes.
Journaling mailboxes contain very sensitive information. You must secure journaling mailboxes because they
collect messages that are sent to and from recipients in your organization. These messages may be part of legal
proceedings or may be subject to regulatory requirements. Various laws require that messages remain
tamper-free before they're submitted to an investigatory authority. We recommend that you create policies that govern
who can access the journaling mailboxes in your organization, limiting access to only those individuals who have a
direct need to access them. Speak with your legal representatives to make sure that your journaling solution
complies with all the laws and regulations that apply to your organization.

IMPORTANT
If you've configured a journaling rule to send the journal reports to a journaling mailbox that doesn't exist or is an invalid
destination, the journal report remains in the transport queue on Microsoft datacenter servers. If this happens, Microsoft
datacenter personnel will attempt to contact your organization and ask you to fix the problem so that the journal reports
can be successfully delivered to a journaling mailbox. If you haven't resolved the issue after two days of being contacted,
Microsoft will disable the problematic journaling rule.

Alternate journaling mailbox
When the journaling mailbox is unavailable, you may not want the undeliverable journal reports to collect in mail
queues on Mailbox servers. Instead, you can configure an alternate journaling mailbox to store those journal
reports. The alternate journaling mailbox receives the journal reports as attachments in the non-delivery reports
(also known as NDRs or bounce messages) generated when the journaling mailbox or the server on which it's
located refuses delivery of the journal report or becomes unavailable.
When the journaling mailbox becomes available again, you can use the Send Again feature of Office Outlook to
submit journal reports for delivery to the journaling mailbox.
When you configure an alternate journaling mailbox, all the journal reports that are rejected or can't be delivered
across your entire Exchange organization are delivered to the alternate journaling mailbox. Therefore, it's
important to make sure that the alternate journaling mailbox and the Mailbox server where it's located can
support many journal reports.
Caution
If you configure an alternate journaling mailbox, you must monitor the mailbox to make sure that it doesn't
become unavailable at the same time as the journal mailboxes. If the alternate journaling mailbox also becomes
unavailable or rejects journal reports at the same time, the rejected journal reports are lost and can't be retrieved.
Because the alternate journaling mailbox collects all the rejected journal reports for the entire Exchange Online
organization, you must make sure that this doesn't violate any laws or regulations that apply to your organization.
If laws or regulations prohibit your organization from allowing journal reports sent to different journaling
mailboxes from being stored in the same alternate journaling mailbox, you may be unable to configure an
alternate journaling mailbox. Discuss this with your legal representatives to determine whether you can use an
alternate journaling mailbox.
When you configure an alternate journaling mailbox, you should use the same criteria that you used when you
configured the journaling mailbox.

IMPORTANT
The alternate journaling mailbox should be treated as a special dedicated mailbox. Any messages addressed directly to the
alternate journaling mailbox aren't journaled.

Journal reports
A journal report is the message that the Journaling agent generates when a message matches a journal rule and is
to be submitted to the journaling mailbox. The original message that matches the journal rule is included unaltered
as an attachment to the journal report. The body of a journal report contains information from the original
message such as the sender email address, message subject, message-ID, and recipient email addresses. This is
also referred to as envelope journaling, and is the only journaling method supported by Office 365.
Journal reports and IRM-protected messages
When implementing journaling, you must consider journaling reports and IRM-protected messages.
IRM-protected messages will affect the search and discovery capabilities of third-party archiving systems that don't
have RMS support built-in. In Office 365, you can configure Journal Report Decryption to save a clear-text copy of
the message in a journal report.

Troubleshooting
When a message matches the scope of multiple journal rules, all matching rules will be triggered.
If the matching rules are configured with different journal mailboxes, a journal report will be sent to each
journal mailbox.
If the matching rules are all configured with the same journal mailbox, only one journal report is sent to the
journal mailbox.
Journaling always identifies messages as internal if the email address in the SMTP MAIL FROM command is in a
domain that's configured as an accepted domain in Exchange Online. This includes spoofed messages from
external sources (messages where the X-MS-Exchange-Organization-AuthAs header value is also
Anonymous). Therefore, journal rules that are scoped to external messages won't be triggered by spoofed
messages with SMTP MAIL FROM email addresses in accepted domains.
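As an added illustration, not code from the documentation or from the Journaling agent, the following PowerShell models the matching behaviour just described on constructed rules, accepted domains and messages (all assumed), so the effect of the spoofed-sender case and of several rules sharing one journaling mailbox can be seen:

```powershell
# Added example: a simplified model of journal rule matching as described in the troubleshooting
# notes. It is not the Journaling agent's code; rules, accepted domains and messages are constructed.

$AcceptedDomains = @('contoso.com', 'contoso.onmicrosoft.com')   # constructed tenant accepted domains

# Constructed journal rules with the same property names as Get-JournalRule output.
$JournalRules = @(
    [pscustomobject]@{ Name = 'JR-Finance';  Scope = 'Global';   Recipient = 'finance@contoso.com'
                       JournalEmailAddress = 'archive@archive.example.net';     Enabled = $true }
    [pscustomobject]@{ Name = 'JR-External'; Scope = 'External'; Recipient = $null
                       JournalEmailAddress = 'archive@archive.example.net';     Enabled = $true }
    [pscustomobject]@{ Name = 'JR-Legal';    Scope = 'Internal'; Recipient = 'legal@contoso.com'
                       JournalEmailAddress = 'legal-vault@archive.example.net'; Enabled = $true }
)

function Test-AcceptedDomainAddress {
    # True when the address's domain is an accepted domain. Journaling applies this test to the
    # SMTP MAIL FROM value, regardless of whether the sending session was authenticated.
    param([string]$Address)
    if (-not $Address) { return $false }
    $domain = ($Address -split '@')[-1].ToLowerInvariant()
    return [bool]($AcceptedDomains -contains $domain)
}

function Get-JournalReportTargets {
    # Returns which rules match one message and which journaling mailboxes receive a report.
    # Scope semantics follow the documentation: Internal = sent between accepted-domain addresses,
    # External = at least one side is outside the organization, Global = every message.
    param(
        [Parameter(Mandatory)][string]$MailFrom,   # SMTP MAIL FROM (envelope sender)
        [Parameter(Mandatory)][string[]]$RcptTo,   # SMTP RCPT TO (envelope recipients)
        [string]$AuthAs = 'Internal'               # X-MS-Exchange-Organization-AuthAs header value
    )
    $senderInternal = Test-AcceptedDomainAddress $MailFrom
    $internalRcpt   = @($RcptTo | Where-Object { Test-AcceptedDomainAddress $_ })
    $externalRcpt   = @($RcptTo | Where-Object { -not (Test-AcceptedDomainAddress $_) })

    $matched = foreach ($rule in $JournalRules) {
        if (-not $rule.Enabled) { continue }
        # A targeted rule applies only when its recipient is the sender or one of the recipients.
        if ($rule.Recipient -and ($rule.Recipient -notin (@($MailFrom) + $RcptTo))) { continue }
        $scopeHit = switch ($rule.Scope) {
            'Global'   { $true }
            'Internal' { $senderInternal -and ($internalRcpt.Count -gt 0) }
            'External' { (-not $senderInternal) -or ($externalRcpt.Count -gt 0) }
        }
        if ($scopeHit) { $rule }
    }

    [pscustomobject]@{
        MailFrom      = $MailFrom
        TreatedAs     = if ($senderInternal) { 'Internal' } else { 'External' }
        # Accepted-domain MAIL FROM on an anonymous session is the spoofing case from the notes above.
        LikelySpoofed = [bool]($senderInternal -and $AuthAs -eq 'Anonymous')
        MatchedRules  = @($matched | ForEach-Object Name)
        # Several matching rules that share a journaling mailbox produce a single report.
        ReportsSentTo = @($matched | Select-Object -ExpandProperty JournalEmailAddress -Unique)
    }
}

# 1. Genuine external sender: JR-Finance (targeted, Global) and JR-External both match, but they
#    share a mailbox, so a single report goes to archive@archive.example.net.
Get-JournalReportTargets -MailFrom 'partner@fabrikam.com' -RcptTo 'finance@contoso.com' -AuthAs 'Anonymous'

# 2. Spoofed sender: MAIL FROM claims contoso.com on an anonymous session. Journaling treats the
#    message as internal, so the External-scoped rule does not fire; only JR-Finance matches.
Get-JournalReportTargets -MailFrom 'ceo@contoso.com' -RcptTo 'finance@contoso.com' -AuthAs 'Anonymous'

# 3. Internal sender to one internal and one external recipient: all three rules match and two
#    reports are generated, one per distinct journaling mailbox.
Get-JournalReportTargets -MailFrom 'legal@contoso.com' -RcptTo 'finance@contoso.com', 'outside@fabrikam.com'
```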
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.
If you're having trouble with the JournalingReportDNRTo mailbox, see Transport and Mailbox Rules in Exchange
Online don't work as expected.
Manage journaling
5/21/2019 • 5 minutes to read

Journaling can help your organization respond to legal, regulatory, and organizational compliance requirements by
recording inbound and outbound email communications. For more information about journaling, see Journaling in
Exchange Online.
This topic shows you how to perform basic tasks related to managing journaling in Exchange Server and Exchange
Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Journaling" entry in the Messaging policy and compliance permissions topic.
You need to have a journaling mailbox and (optionally) an alternate journaling mailbox configured. For more
information, see Configure Journaling in Exchange Online.
In Exchange Online, there's a limit to the number of journal rules that you can create. For details, see Journal,
Transport, and Inbox rule limits.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection. If
you're having trouble with the JournalingReportDNRTo mailbox, see Transport and Mailbox Rules in Exchange Online don't
work as expected.

Create a journal rule


Use the EAC to create a journal rule
1. In the EAC, go to Compliance management > Journal rules, and then click Add .
2. In Journal rule, provide a name for the journal rule and then complete the following fields:
If the message is sent to or received from: Specify the recipient that the rule will target. You can
either select a specific recipient or apply the rule to all messages.
Journal the following messages: Specify the scope of the journal rule. You can journal only the
internal messages, only the external messages, or all messages regardless of origin or destination.
Send journal reports to: Type the address of the journaling mailbox that will receive all the journal
reports.
NOTE
You can also type the display name or alias of a mail user or a mail contact as the journal mailbox. In this case, journal
reports will be sent to the external email address of the mail user or mail contact. But as previously explained, the
external email address of a mail user or mail contact can't be the address of an Exchange Online mailbox.

3. Click Save to create the journal rule.


Use Exchange Online PowerShell to create a journal rule
This example creates the journal rule Discovery Journal Recipients to journal all messages sent from and received
by the recipient user1@contoso.com.

New-JournalRule -Name "Discovery Journal Recipients" -Recipient user1@contoso.com -JournalEmailAddress "Journal Mailbox" -Scope Global -Enabled $True

How do you know this worked?


To verify that you have successfully created the journal rule, do one of the following:
From the EAC, verify that the new journal rule you created is listed on the Journal rules tab.
From Exchange Online PowerShell, verify that the new journal rule exists by running the following
command (the example below verifies the rule created in Exchange Online PowerShell example above):

Get-JournalRule -Identity "Discovery Journal Recipients"

View or modify a journal rule


Use the EAC to view or modify a journal rule
1. In the EAC, go to Compliance management > Journal rules.
2. In the list view, you'll see all the journal rules in your organization.
3. Double-click the rule you want to view or modify.
4. In Journal Rule, modify the settings you want. For more information about the settings in this dialog box,
see the procedure Use the EAC to create a journal rule earlier in this topic.
Use Exchange Online PowerShell to view or modify a journal rule
This example displays a summary list of all journal rules in the Exchange organization:

Get-JournalRule

This example retrieves the journal rule Brokerage Journal Rule, and pipes the output to the Format-List command
to display rule properties in a list format:

Get-JournalRule -Identity "Brokerage Journal Rule" | Format-List

If you want to modify the properties of a specific rule, you need to use the Set-JournalRule cmdlet. This example
changes the name of the journal rule JR-Sales to TraderVault. The following rule settings are also changed:
Recipient
JournalEmailAddress
Scope

Set-JournalRule -Identity "JR-Sales" -Name TraderVault -Recipient traders@woodgrovebank.com -JournalEmailAddress tradervault@woodgrovebank.com -Scope Internal

How do you know this worked?


To verify that you have successfully modified a journal rule, do one of the following:
From the EAC, go to Compliance management > Journal rules. Double-click the rule you modified and
verify your changes were saved.
From Exchange Online PowerShell, verify that you modified the journal rule successfully by running the
following command. This command will list the properties you modified along with the name of the rule
(the example below verifies the rule modified in Exchange Online PowerShell example above):

Get-JournalRule -Identity "TraderVault" | Format-List Name,Recipient,JournalEmailAddress,Scope

Enable or disable a journal rule


IMPORTANT
When you disable a journal rule, the journaling agent will stop journaling messages targeted by that rule. While a journal rule
is disabled, any messages that would have normally been journaled by the rule aren't journaled. Make sure that you don't
compromise the regulatory or compliance requirements of your organization by disabling a journaling rule.

Use the EAC to enable or disable a journal rule


1. In the EAC, go to Compliance management > Journal rules.
2. In the list view, in the On column next to the rule's name, select the check box to enable the rule or clear it to
disable the rule.
Use Exchange Online PowerShell to enable or disable a journal rule
This example enables the rule Contoso Journal Rule.

Enable-JournalRule -Identity "Contoso Journal Rule"

This example disables the rule Contoso Journal Rule.

Disable-JournalRule -Identity "Contoso Journal Rule"

How do you know this worked?


To verify that you have successfully enabled or disabled a journal rule, do one of the following:
From the EAC, view the list of journal rules and check the status of the check box in the On column.
From Exchange Online PowerShell, run the following command to return a list of all journal rules in your
organization, including their status:

Get-JournalRule | Format-Table Name,Enabled


Remove a journal rule
Use the EAC to remove a journal rule
1. In the EAC, go to Compliance management > Journal rules.
2. In the list view, select the rule you want to remove, and then click Delete .
Use Exchange Online PowerShell to remove a journal rule
This example removes the rule Brokerage Journal Rule.

Remove-JournalRule -Identity "Brokerage Journal Rule"

How do you know this worked?


To verify that you have successfully removed the journal rule, do one of the following:
From the EAC, verify that the rule you removed is no longer listed on the Journal rules tab.
From Exchange Online PowerShell, run the following command to verify that the rule you removed is no
longer listed:

Get-JournalRule

For more information


Disable or Enable Journaling of Voice Mail and Missed Call Notifications
New-JournalRule
Get-JournalRule
Set-JournalRule
Enable-JournalRule
Disable-JournalRule
Remove-JournalRule
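An added example, not part of the documentation: a PowerShell audit of journal rule settings against the requirements stated in the topics above (journaling and alternate mailboxes outside the Exchange Online tenant, rules enabled, alternate mailbox distinct from the journaling mailboxes). The sample rule objects, domains and addresses are constructed, and the live-tenant call at the end assumes an Exchange Online PowerShell session.

```powershell
# Added example: audits journal rule settings against the requirements in the topics above.
# The sample rules, domains and addresses are constructed; in a live Exchange Online PowerShell
# session, pass the real objects as shown at the end.

function Test-JournalConfiguration {
    param(
        [Parameter(Mandatory)][object[]]$Rules,            # Get-JournalRule output (Name, Recipient,
                                                           # JournalEmailAddress, Scope, Enabled)
        [Parameter(Mandatory)][string[]]$AcceptedDomains,  # (Get-AcceptedDomain).DomainName
        [string]$AlternateJournalingMailbox                # (Get-TransportConfig).JournalingReportNdrTo
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Severity, [string]$Rule, [string]$Text) {
        $findings.Add([pscustomobject]@{ Severity = $Severity; Rule = $Rule; Finding = $Text })
    }
    function Get-Domain([string]$Address) { (($Address -split '@')[-1]).ToLowerInvariant() }

    # An unset JournalingReportNdrTo is displayed as "<>"; treat that the same as an empty value.
    if ($AlternateJournalingMailbox -eq '<>') { $AlternateJournalingMailbox = '' }

    foreach ($rule in $Rules) {
        $target = [string]$rule.JournalEmailAddress
        if (-not $rule.Enabled) {
            Add-Finding 'High' $rule.Name 'Rule is disabled; messages in its scope are not being journaled.'
        }
        if ($AcceptedDomains -contains (Get-Domain $target)) {
            Add-Finding 'High' $rule.Name ("Journaling address '$target' is in an accepted domain. An Exchange " +
                'Online mailbox cannot be the journaling mailbox; this is valid only for an on-premises ' +
                'mailbox in a hybrid deployment.')
        }
        if ($AlternateJournalingMailbox -and ($target -eq $AlternateJournalingMailbox)) {
            Add-Finding 'Medium' $rule.Name ('Journaling mailbox is also the alternate journaling mailbox, ' +
                'so both become unavailable together and rejected reports would be lost.')
        }
        if ($rule.Scope -eq 'Global' -and -not $rule.Recipient) {
            Add-Finding 'Info' $rule.Name 'Journals every message in the organization; confirm storage and access controls.'
        }
    }

    if (-not $AlternateJournalingMailbox) {
        Add-Finding 'Medium' '(organization)' ('No alternate journaling mailbox (JournalingReportNdrTo) is set; ' +
            'undeliverable journal reports stay queued and the rule may be disabled after two days.')
    } elseif ($AcceptedDomains -contains (Get-Domain $AlternateJournalingMailbox)) {
        Add-Finding 'High' '(organization)' ('Alternate journaling mailbox is in an accepted domain; like the ' +
            'journaling mailbox, it cannot be an Exchange Online mailbox.')
    }
    return $findings.ToArray()
}

# Constructed sample standing in for live output: the second rule is disabled and points at a tenant
# mailbox, and the alternate mailbox duplicates the first rule's journaling mailbox.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Discovery Journal Recipients'; Recipient = 'user1@contoso.com'
                       JournalEmailAddress = 'journal@archive.example.net'; Scope = 'Global'; Enabled = $true }
    [pscustomobject]@{ Name = 'JR-Sales'; Recipient = 'sales@contoso.com'
                       JournalEmailAddress = 'compliance@contoso.com'; Scope = 'External'; Enabled = $false }
)
Test-JournalConfiguration -Rules $sampleRules -AcceptedDomains @('contoso.com', 'contoso.onmicrosoft.com') `
    -AlternateJournalingMailbox 'journal@archive.example.net' | Format-Table Severity, Rule, Finding -Wrap

# Against the live tenant (requires an Exchange Online PowerShell session):
# Test-JournalConfiguration -Rules (Get-JournalRule) -AcceptedDomains (Get-AcceptedDomain).DomainName `
#     -AlternateJournalingMailbox (Get-TransportConfig).JournalingReportNdrTo
```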
Configure Journaling in Exchange Online
5/21/2019 • 2 minutes to read

Journaling allows you to meet your organization's archiving requirements. You can create journal rules and have
messages matching the rule's conditions delivered to the journaling address specified in the rule. For more
information about journaling, see Journaling in Exchange Online.
Here are two things you need to know before you start creating journal rules.

Specify a journaling mailbox


A journaling mailbox is the mailbox or recipient that receives journal reports for messages that match a journal
rule's conditions. You can specify different journaling mailboxes for different journal rules. For example, you can
create a journal rule to journal messages sent or received by users in Europe and another one to journal messages
sent or received by users in North America, and configure each rule to deliver journal reports to an address in
their own geography. Or configure different journal rules for users in the Finance and Legal departments and
similarly, have the journal reports delivered to different addresses.
Exchange Online doesn't support delivering journal reports to an Exchange Online mailbox. You must specify the
email address of an on-premises archiving system or a third-party archiving service as the journaling mailbox.

IMPORTANT
If you've configured a journaling rule to send the journal reports to a journaling mailbox that doesn't exist or is an invalid
destination, the journal report remains in the transport queue on Microsoft datacenter servers; delivery of queued items is
periodically retried. If this happens, Microsoft datacenter personnel will attempt to contact your organization and ask you to
fix the problem so that the journal reports can be successfully delivered to a journaling mailbox. If you haven't resolved the
issue after two days of being contacted, Microsoft will disable the problematic journaling rule.

Specify an alternate journaling mailbox for undeliverable journal reports
As previously explained, undeliverable journal reports are queued on Microsoft datacenter servers. Undeliverable
journal reports can't be returned to the sender in a non-delivery report (also known as an NDR or bounce
message) because the sender is the Exchange Online service. To handle the NDRs for undelivered journal reports,
you have to specify an alternate journaling mailbox that accepts the NDRs for all undeliverable journal reports.
Like the journaling mailbox, the alternate journaling mailbox can't be an Exchange Online mailbox.

The original journal report is an attachment in the NDR. When the journaling mailbox for an undelivered journal
report becomes available again, you can use the Resend this message feature in Outlook on the NDRs in the
alternate journaling mailbox to send the unaltered delivery report to the journaling mailbox.
Mail flow rules (transport rules) in Exchange Online
5/31/2019 • 9 minutes to read

You can use mail flow rules (also known as transport rules) to identify and take action on messages that flow
through your Exchange Online organization. Mail flow rules are similar to the Inbox rules that are available in
Outlook and Outlook on the web. The main difference is mail flow rules take action on messages while they're
in transit, and not after the message is delivered to the mailbox. Mail flow rules contain a richer set of
conditions, exceptions, and actions, which provides you with the flexibility to implement many types of
messaging policies.
This article explains the components of mail flow rules, and how they work.
For steps to create, copy, and manage mail flow rules, see Manage mail flow rules. For each rule, you have the
option of enforcing it, testing it, or testing it and notifying the sender. To learn more about the testing options,
see Test a mail flow rule and Policy Tips.
For summary and detail reports about messages that matched mail flow rules, see Use mail protection reports
in Office 365 to view data about malware, spam, and rule detections.
To implement specific messaging policies by using mail flow rules, see these topics:
Use mail flow rules to inspect message attachments in Office 365
Enable message encryption and decryption in Office 365
Common attachment blocking scenarios for mail flow rules
Organization-wide message disclaimers, signatures, footers, or headers in Office 365
Use mail flow rules so messages can bypass Clutter
Use mail flow rules to route email based on a list of words, phrases, or patterns
Use mail flow rules to set the spam confidence level (SCL) in messages
Create organization-wide safe sender or blocked sender lists in Office 365
Common message approval scenarios
Define rules to encrypt or decrypt email messages

Mail flow rule components


A mail flow rule is made of conditions, exceptions, actions, and properties:
Conditions: Identify the messages that you want to apply the actions to. Some conditions examine
message header fields (for example, the To, From, or Cc fields). Other conditions examine message
properties (for example, the message subject, body, attachments, message size, or message classification).
Most conditions require you to specify a comparison operator (for example, equals, doesn't equal, or
contains) and a value to match. If there are no conditions or exceptions, the rule is applied to all messages.
For more information about mail flow rule conditions in Exchange Online, see Mail flow rule conditions and
exceptions (predicates) in Exchange Online.
Exceptions: Optionally identify the messages that the actions shouldn't apply to. The same message
identifiers that are available in conditions are also available in exceptions. Exceptions override
conditions and prevent the rule actions from being applied to a message, even if the message matches
all of the configured conditions.
Actions: Specify what to do to messages that match the conditions in the rule, and don't match any of
the exceptions. There are many actions available, such as rejecting, deleting, or redirecting messages,
adding additional recipients, adding prefixes in the message subject, or inserting disclaimers in the
message body.
For more information about mail flow rule actions that are available in Exchange Online, see Mail flow
rule actions in Exchange Online.
Properties: Specify other rules settings that aren't conditions, exceptions or actions. For example, when
the rule should be applied, whether to enforce or test the rule, and the time period when the rule is
active.
For more information, see the Mail flow rule properties section in this topic.
Multiple conditions, exceptions, and actions
The following table shows how multiple conditions, condition values, exceptions, and actions are handled in a
rule.

Component: Multiple conditions
Logic: AND
Comments: A message must match all the conditions in the rule. If you need to match one condition or
another, use separate rules for each condition. For example, if you want to add the same disclaimer to
messages with attachments and messages that contain specific text, create one rule for each condition. In
the EAC, you can easily copy a rule.

Component: One condition with multiple values
Logic: OR
Comments: Some conditions allow you to specify more than one value. The message must match any one (not
all) of the specified values. For example, if an email message has the subject Stock price information, and
the The subject includes any of these words condition is configured to match the words Contoso or stock,
the condition is satisfied because the subject contains at least one of the specified values.

Component: Multiple exceptions
Logic: OR
Comments: If a message matches any one of the exceptions, the actions are not applied to the message. The
message doesn't have to match all the exceptions.

Component: Multiple actions
Logic: AND
Comments: Messages that match a rule's conditions get all the actions that are specified in the rule. For
example, if the actions Prepend the subject of the message with and Add recipients to the Bcc box are
selected, both actions are applied to the message. Keep in mind that some actions (for example, the Delete
the message without notifying anyone action) prevent subsequent rules from being applied to a message.
Other actions (for example, the Forward the message) don't allow additional actions. You can also set an
action on a rule so that when that rule is applied, subsequent rules are not applied to the message.

Mail flow rule properties


The following table describes the rule properties that are available in mail flow rules.

Property name in the EAC: Priority
Parameter name in PowerShell: Priority
Description: Indicates the order that the rules are applied to messages. The default priority is based on
when the rule is created (older rules have a higher priority than newer rules, and higher priority rules are
processed before lower priority rules). You change the rule priority in the EAC by moving the rule up or
down in the list of rules. In PowerShell, you set the priority number (0 is the highest priority). For
example, if you have one rule to reject messages that include a credit card number, and another one
requiring approval, you'll want the reject rule to happen first, and stop applying other rules. For more
information, see Set the priority of a mail flow rule.

Property name in the EAC: Mode
Parameter name in PowerShell: Mode
Description: You can specify whether you want the rule to start processing messages immediately, or
whether you want to test rules without affecting the delivery of the message (with or without Data Loss
Prevention or DLP Policy Tips). Policy Tips present a brief note in Outlook or Outlook on the web that
provides information about possible policy violations to the person that's creating the message. For more
information, see Policy Tips. For more information about the modes, see Test a mail flow rule.

Property name in the EAC: Activate this rule on the following date; Deactivate this rule on the following date
Parameter name in PowerShell: ActivationDate; ExpiryDate
Description: Specifies the date range when the rule is active.

Property name in the EAC: On check box selected or not selected
Parameter name in PowerShell: New rules: Enabled parameter on the New-TransportRule cmdlet. Existing
rules: Use the Enable-TransportRule or Disable-TransportRule cmdlets.
Description: You can create a disabled rule, and enable it when you're ready to test it. Or, you can disable
a rule without deleting it to preserve the settings. The value is displayed in the State property of the rule.

Property name in the EAC: Defer the message if rule processing doesn't complete
Parameter name in PowerShell: RuleErrorAction
Description: You can specify how the message should be handled if the rule processing can't be completed.
By default, the rule will be ignored, but you can choose to resubmit the message for processing.

Property name in the EAC: Match sender address in message
Parameter name in PowerShell: SenderAddressLocation
Description: If the rule uses conditions or exceptions that examine the sender's email address, you can
look for the value in the message header, the message envelope, or both.

Property name in the EAC: Stop processing more rules
Parameter name in PowerShell: StopRuleProcessing
Description: This is an action for the rule, but it looks like a property in the EAC. You can choose to stop
applying additional rules to a message after a rule processes a message.

Property name in the EAC: Comments
Parameter name in PowerShell: Comments
Description: You can enter descriptive comments about the rule.

How mail flow rules are applied to messages


All messages that flow through your organization are evaluated against the enabled mail flow rules in your
organization. Rules are processed in the order listed on the Mail flow > Rules page in the EAC, or based on the
corresponding Priority parameter value in PowerShell.
Each rule also offers the option of stopping processing more rules when the rule is matched. This setting is
important for messages that match the conditions in multiple mail flow rules (which rule do you want applied
to the message? All? Just one?).
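The reject-then-approve priority scenario from the properties table above, as an added example (not from the documentation): the rule names, words, moderator address and comment text are assumptions, and the commands need an Exchange Online PowerShell session.

```powershell
# Added example: the priority scenario described above, created with New-TransportRule. Rule
# names, words, the moderator address and the comment text are assumptions, and the commands
# need an Exchange Online PowerShell session.

# Rule 1 (priority 0): reject outbound messages that carry a credit card number and stop rule
# processing, so the approval rule below never sees them. Start in Audit mode: matches show up in
# the rule reports without affecting delivery. Note that in Audit mode no action is applied, so
# the stop-processing action is not applied either and rule 2 still runs until Mode is Enforce.
$rejectRule = @{
    Name                              = 'Reject outbound credit card numbers'
    Priority                          = 0
    Mode                              = 'Audit'            # 'Enforce' once the matches look right
    SentToScope                       = 'NotInOrganization'
    MessageContainsDataClassification = @(@{ Name = 'Credit Card Number' })
    RejectMessageReasonText           = 'Credit card numbers may not be sent outside the organization.'
    RejectMessageEnhancedStatusCode   = '5.7.1'
    StopRuleProcessing                = $true              # lower-priority rules are skipped
    RuleErrorAction                   = 'Defer'            # retry the message rather than skip this rule
    Comments                          = 'Change record: <placeholder>. Owner: security operations.'
}
New-TransportRule @rejectRule

# Rule 2 (priority 1): outbound mail from the sales team that mentions a quote goes to a
# moderator. HeaderOrEnvelope makes the membership check look at both the header From and the
# SMTP MAIL FROM, so a mismatch between the two cannot sidestep the approval step.
$approvalRule = @{
    Name                       = 'Approve outbound price quotes'
    Priority                   = 1
    Mode                       = 'Enforce'
    FromMemberOf               = 'sales@contoso.com'
    SenderAddressLocation      = 'HeaderOrEnvelope'
    SentToScope                = 'NotInOrganization'
    SubjectOrBodyContainsWords = 'price quote', 'quotation'
    ModerateMessageByUser      = 'approvals@contoso.com'
    Comments                   = 'Evaluated only when the credit card reject rule did not match.'
}
New-TransportRule @approvalRule

# Read back the effective order: priority 0 is evaluated first.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State, Mode, StopRuleProcessing
```

Add -WhatIf to the New-TransportRule calls to preview the rules without creating them; as noted in this topic, allow up to 30 minutes for a new or changed rule to take effect.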
Differences in processing based on message type
There are several types of messages that pass through an organization. The following table shows which
messages types can be processed by mail flow rules.

Regular messages: Messages that contain a single rich text format (RTF), HTML, or plain text message body or a
multipart or alternative set of message bodies.
Can a rule be applied? Yes

Office 365 Message Encryption: Messages encrypted by Office 365 Message Encryption in Office 365. For more
information, see Office 365 Message Encryption.
Can a rule be applied? Rules can always access envelope headers and process messages based on conditions that
inspect those headers. For a rule to inspect or modify the contents of an encrypted message, you need to verify
that transport decryption is enabled (Mandatory or Optional; the default is Optional). For more information, see
Enable or disable transport decryption. You can also create a rule that automatically decrypts encrypted
messages. For more information, see Define rules to encrypt or decrypt email messages.

S/MIME encrypted messages
Can a rule be applied? Rules can only access envelope headers and process messages based on conditions that
inspect those headers. Rules with conditions that require inspection of the message's content, or actions that
modify the message's content, can't be processed.

RMS protected messages: Messages that had an Active Directory Rights Management Services (AD RMS) or Azure
Rights Management (RMS) policy applied.
Can a rule be applied? Rules can always access envelope headers and process messages based on conditions that
inspect those headers. For a rule to inspect or modify the contents of an RMS protected message, you need to
verify that transport decryption is enabled (Mandatory or Optional; the default is Optional). For more
information, see Enable or disable transport decryption.

Clear-signed messages: Messages that have been signed but not encrypted.
Can a rule be applied? Yes

Anonymous messages: Messages sent by anonymous senders.
Can a rule be applied? Yes

Read reports: Reports that are generated in response to read receipt requests by senders. Read reports have a
message class of IPM.Note*.MdnRead or IPM.Note*.MdnNotRead.
Can a rule be applied? Yes

What else should I know?


The Version or RuleVersion property value for a rule isn't important in Exchange Online.
After you create or modify a mail flow rule, it can take up to 30 minutes for the new or updated rule to
be applied to messages.

For more information


Manage mail flow rules
Use mail flow rules to inspect message attachments in Office 365
Organization-wide Disclaimers, Signatures, Footers, or Headers
Manage message approval
Mail flow rule procedures in Exchange Online
Transport and Inbox rule limits
Mail flow rule conditions and exceptions (predicates) in Exchange Online
6/24/2019 • 26 minutes to read

Conditions and exceptions in mail flow rules (also known as transport rules) identify the messages that the rule is applied to or not
applied to. For example, if the rule adds a disclaimer to messages, you can configure the rule to only apply to messages that contain
specific words, messages sent by specific users, or to all messages except those sent by the members of a specific distribution group.
Collectively, the conditions and exceptions in mail flow rules are also known as predicates, because for every condition, there's a
corresponding exception that uses the exact same settings and syntax. The only difference is conditions specify messages to include,
while exceptions specify messages to exclude.
Most conditions and exceptions have one property that requires one or more values. For example, the The sender is condition requires
the sender of the message. Some conditions have two properties. For example, the A message header includes any of these words
condition requires one property to specify the message header field, and a second property to specify the text to look for in the header
field. Some conditions or exceptions don't have any properties. For example, the Any attachment has executable content condition
simply looks for attachments in messages that have executable content.
For more information about mail flow rules in Exchange Online, see Mail flow rules (transport rules) in Exchange Online.
For more information about conditions and exceptions in mail flow rules in Exchange Online Protection or Exchange Server, see Mail
flow rule conditions and exceptions (predicates) in Exchange Online Protection or Mail flow rule conditions and exceptions (predicates) in
Exchange Server.

Conditions and exceptions for mail flow rules in Exchange Online


The tables in the following sections describe the conditions and exceptions that are available in mail flow rules in Exchange Online. The
property types are described in the Property types section.
Senders
Recipients
Message subject or body
Attachments
Any recipients
Message sensitive information types, To and Cc values, size, and character sets
Sender and recipient
Message properties
Message headers
Notes:
After you select a condition or exception in the Exchange admin center (EAC), the value that's ultimately shown in the Apply this
rule if or Except if field is often different (shorter) than the click path value you selected. Also, when you create new rules based
on a template (a filtered list of scenarios), you can often select a short condition name instead of following the complete click path.
The short names and full click path values are shown in the EAC column in the tables.
If you select [Apply to all messages] in the EAC, you can't specify any other conditions. The equivalent in Exchange Online
PowerShell is to create a rule without specifying any condition parameters.
The settings and properties are the same in conditions and exceptions, so the output of the Get-TransportRulePredicate cmdlet
doesn't list exceptions separately. Also, the names of some of the predicates that are returned by this cmdlet are different than the
corresponding parameter names, and a predicate might require multiple parameters.
Senders
For conditions and exceptions that examine the sender's address, you can specify where the rule looks for the sender's address.
In the EAC, in the Properties of this rule section, click Match sender address in message. Note that you might need to click More options to see this setting. In Exchange Online PowerShell, the parameter is SenderAddressLocation. The available values are:
• Header: Only examine senders in the message headers (for example, the From, Sender, or Reply-To fields). This is the default value.
• Envelope: Only examine senders from the message envelope (the MAIL FROM value that was used in the SMTP transmission, which is typically stored in the Return-Path field). Note that message envelope searching is only available for the following conditions (and the corresponding exceptions):
  • The sender is (From)
  • The sender is a member of (FromMemberOf)
  • The sender address includes (FromAddressContainsWords)
  • The sender address matches (FromAddressMatchesPatterns)
  • The sender's domain is (SenderDomainIs)
• Header or envelope (HeaderOrEnvelope): Examine senders in the message header and the message envelope.

Each entry below lists the condition or exception in the EAC, the parameters in Exchange Online PowerShell, the property type, and a description.

The sender is
  EAC: The sender > is this person
  PowerShell: From, ExceptIfFrom
  Property type: Addresses
  Description: Messages that are sent by the specified mailboxes, mail users, mail contacts, or Office 365 groups in the organization. For more information about using Office 365 groups with this condition, see the Addresses entry in the Property types section.

The sender is located
  EAC: The sender > is external/internal
  PowerShell: FromScope, ExceptIfFromScope
  Property type: UserScopeFrom
  Description: Messages that are sent by either internal senders or external senders.

The sender is a member of
  EAC: The sender > is a member of this group
  PowerShell: FromMemberOf, ExceptIfFromMemberOf
  Property type: Addresses
  Description: Messages that are sent by a member of the specified distribution group, mail-enabled security group, or Office 365 group. For more information about using Office 365 groups with this condition, see the Addresses entry in the Property types section.

The sender address includes
  EAC: The sender > address includes any of these words
  PowerShell: FromAddressContainsWords, ExceptIfFromAddressContainsWords
  Property type: Words
  Description: Messages that contain the specified words in the sender's email address.

The sender address matches
  EAC: The sender > address matches any of these text patterns
  PowerShell: FromAddressMatchesPatterns, ExceptIfFromAddressMatchesPatterns
  Property type: Patterns
  Description: Messages where the sender's email address contains text patterns that match the specified regular expressions.

The sender is on a recipient's list
  EAC: The sender > is on a recipient's supervision list
  PowerShell: SenderInRecipientList, ExceptIfSenderInRecipientList
  Property type: SupervisionList
  Description: Messages where the sender is on the recipient's Allow list or Block list.

The sender's specified properties include any of these words
  EAC: The sender > has specific properties including any of these words
  PowerShell: SenderADAttributeContainsWords, ExceptIfSenderADAttributeContainsWords
  Property type: First property: ADAttribute; second property: Words
  Description: Messages where the specified Active Directory attribute of the sender contains any of the specified words. Note that the Country attribute requires the two-letter country code value (for example, DE for Germany).

The sender's specified properties match these text patterns
  EAC: The sender > has specific properties matching these text patterns
  PowerShell: SenderADAttributeMatchesPatterns, ExceptIfSenderADAttributeMatchesPatterns
  Property type: First property: ADAttribute; second property: Patterns
  Description: Messages where the specified Active Directory attribute of the sender contains text patterns that match the specified regular expressions.

The sender has overridden the Policy Tip
  EAC: The sender > has overridden the Policy Tip
  PowerShell: HasSenderOverride, ExceptIfHasSenderOverride
  Property type: n/a
  Description: Messages where the sender has chosen to override a data loss prevention (DLP) policy. For more information about DLP policies, see Data loss prevention.

Sender's IP address is in the range
  EAC: The sender > IP address is in any of these ranges or exactly matches
  PowerShell: SenderIPRanges, ExceptIfSenderIPRanges
  Property type: IPAddressRanges
  Description: Messages where the sender's IP address matches the specified IP address, or falls within the specified IP address range.

The sender's domain is
  EAC: The sender > domain is
  PowerShell: SenderDomainIs, ExceptIfSenderDomainIs
  Property type: DomainName
  Description: Messages where the domain of the sender's email address matches the specified value. If you need to find sender domains that contain the specified domain (for example, any subdomain of a domain), use The sender address matches (FromAddressMatchesPatterns) condition and specify the domain by using the syntax: '@domain\.com$'.
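The following is an added example, not code from the original page or from Microsoft's documentation, that puts the two points above into working rules: SenderAddressLocation decides whether the header From or the envelope MAIL FROM is examined, and SenderDomainIs matches one domain exactly while FromAddressMatchesPatterns is needed to cover subdomains too. The domain contoso.com, the rule names, the subject tag and the audit-mode setting are assumptions made for the example.

```powershell
# Added example (not from the original page). Assumed: contoso.com is the
# organization's own domain; rule names and the subject tag are constructed.
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).

# Rule 1: exact domain match. SenderDomainIs "contoso.com" matches contoso.com only,
# not sub.contoso.com. HeaderOrEnvelope examines both the header From/Sender/Reply-To
# fields and the envelope MAIL FROM, so a message that claims contoso.com in either
# place while arriving from outside the organization is tagged.
New-TransportRule -Name "Tag external mail claiming contoso.com" `
    -SenderDomainIs "contoso.com" `
    -FromScope NotInOrganization `
    -SenderAddressLocation HeaderOrEnvelope `
    -PrependSubject "[Unverified sender] " `
    -Mode Audit `
    -Comments "Audit first; change -Mode to Enforce with Set-TransportRule after reviewing matches."

# Rule 2: same intent, but covering every subdomain as well. The character class
# [@.] requires the address to end in "@contoso.com" or ".contoso.com", so
# "user@notcontoso.com" is not matched.
New-TransportRule -Name "Tag external mail claiming any contoso.com subdomain" `
    -FromAddressMatchesPatterns '[@.]contoso\.com$' `
    -FromScope NotInOrganization `
    -SenderAddressLocation HeaderOrEnvelope `
    -PrependSubject "[Unverified sender] " `
    -Mode Audit

# Read the stored conditions back to confirm the address location took effect.
Get-TransportRule -Identity "Tag external mail claiming any contoso.com subdomain" |
    Format-List Name, Mode, SenderAddressLocation, FromScope, FromAddressMatchesPatterns
```

Both rules are created in Audit mode so that the matches can be reviewed in the message trace before the action is enforced; the conditions on one rule are combined with AND, so the FromScope condition keeps legitimate internal mail from being tagged.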

Recipients

The recipient is
  EAC: The recipient > is this person
  PowerShell: SentTo, ExceptIfSentTo
  Property type: Addresses
  Description: Messages where one of the recipients is the specified mailbox, mail user, or mail contact in the organization. The recipients can be in the To, Cc, or Bcc fields of the message.
  Note: You can't specify distribution groups, mail-enabled security groups, or Office 365 groups. If you need to take action on messages that are sent to a group, use the To box contains (AnyOfToHeader) condition instead.

The recipient is located
  EAC: The recipient > is external/internal
  PowerShell: SentToScope, ExceptIfSentToScope
  Property type: UserScopeTo
  Description: Messages that are sent to internal or external recipients.

The recipient is a member of
  EAC: The recipient > is a member of this group
  PowerShell: SentToMemberOf, ExceptIfSentToMemberOf
  Property type: Addresses
  Description: Messages that contain recipients who are members of the specified distribution group, mail-enabled security group, or Office 365 group. The group can be in the To, Cc, or Bcc fields of the message. For more information about using Office 365 groups with this condition, see the Addresses entry in the Property types section.

The recipient address includes
  EAC: The recipient > address includes any of these words
  PowerShell: RecipientAddressContainsWords, ExceptIfRecipientAddressContainsWords
  Property type: Words
  Description: Messages that contain the specified words in the recipient's email address.
  Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.

The recipient address matches
  EAC: The recipient > address matches any of these text patterns
  PowerShell: RecipientAddressMatchesPatterns, ExceptIfRecipientAddressMatchesPatterns
  Property type: Patterns
  Description: Messages where a recipient's email address contains text patterns that match the specified regular expressions.
  Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.

The recipient is on the sender's list
  EAC: The recipient > is on the sender's supervision list
  PowerShell: RecipientInSenderList, ExceptIfRecipientInSenderList
  Property type: SupervisionList
  Description: Messages where the recipient is on the sender's Allow list or Block list.

The recipient's specified properties include any of these words
  EAC: The recipient > has specific properties including any of these words
  PowerShell: RecipientADAttributeContainsWords, ExceptIfRecipientADAttributeContainsWords
  Property type: First property: ADAttribute; second property: Words
  Description: Messages where the specified Active Directory attribute of a recipient contains any of the specified words. Note that the Country attribute requires the two-letter country code value (for example, DE for Germany).

The recipient's specified properties match these text patterns
  EAC: The recipient > has specific properties matching these text patterns
  PowerShell: RecipientADAttributeMatchesPatterns, ExceptIfRecipientADAttributeMatchesPatterns
  Property type: First property: ADAttribute; second property: Patterns
  Description: Messages where the specified Active Directory attribute of a recipient contains text patterns that match the specified regular expressions.

A recipient's domain is
  EAC: The recipient > domain is
  PowerShell: RecipientDomainIs, ExceptIfRecipientDomainIs
  Property type: DomainName
  Description: Messages where the domain of a recipient's email address matches the specified value. If you need to find recipient domains that contain the specified domain (for example, any subdomain of a domain), use The recipient address matches (RecipientAddressMatchesPatterns) condition, and specify the domain by using the syntax '@domain\.com$'.

Message subject or body

NOTE
The search for words or text patterns in the subject or other header fields in the message occurs after the message has been decoded from the MIME content transfer encoding method that was used to transmit the binary message between SMTP servers in ASCII text. You can't use conditions or exceptions to search for the raw (typically, Base64) encoded values of the subject or other header fields in messages.

The subject or body includes
  EAC: The subject or body > subject or body includes any of these words
  PowerShell: SubjectOrBodyContainsWords, ExceptIfSubjectOrBodyContainsWords
  Property type: Words
  Description: Messages that have the specified words in the Subject field or message body.

The subject or body matches
  EAC: The subject or body > subject or body matches these text patterns
  PowerShell: SubjectOrBodyMatchesPatterns, ExceptIfSubjectOrBodyMatchesPatterns
  Property type: Patterns
  Description: Messages where the Subject field or message body contain text patterns that match the specified regular expressions.

The subject includes
  EAC: The subject or body > subject includes any of these words
  PowerShell: SubjectContainsWords, ExceptIfSubjectContainsWords
  Property type: Words
  Description: Messages that have the specified words in the Subject field.

The subject matches
  EAC: The subject or body > subject matches these text patterns
  PowerShell: SubjectMatchesPatterns, ExceptIfSubjectMatchesPatterns
  Property type: Patterns
  Description: Messages where the Subject field contains text patterns that match the specified regular expressions.

Attachments
For more information about how mail flow rules inspect message attachments, see Use mail flow rules to inspect message attachments in Office 365.

Any attachment's content includes
  EAC: Any attachment > content includes any of these words
  PowerShell: AttachmentContainsWords, ExceptIfAttachmentContainsWords
  Property type: Words
  Description: Messages where an attachment contains the specified words.

Any attachment's content matches
  EAC: Any attachment > content matches these text patterns
  PowerShell: AttachmentMatchesPatterns, ExceptIfAttachmentMatchesPatterns
  Property type: Patterns
  Description: Messages where an attachment contains text patterns that match the specified regular expressions.
  Note: Only the first 150 kilobytes (KB) of the attachments are scanned.

Any attachment's content can't be inspected
  EAC: Any attachment > content can't be inspected
  PowerShell: AttachmentIsUnsupported, ExceptIfAttachmentIsUnsupported
  Property type: n/a
  Description: Messages where an attachment isn't natively recognized by Exchange Online.

Any attachment's file name matches
  EAC: Any attachment > file name matches these text patterns
  PowerShell: AttachmentNameMatchesPatterns, ExceptIfAttachmentNameMatchesPatterns
  Property type: Patterns
  Description: Messages where an attachment's file name contains text patterns that match the specified regular expressions.

Any attachment's file extension matches
  EAC: Any attachment > file extension includes these words
  PowerShell: AttachmentExtensionMatchesWords, ExceptIfAttachmentExtensionMatchesWords
  Property type: Words
  Description: Messages where an attachment's file extension matches any of the specified words.

Any attachment is greater than or equal to
  EAC: Any attachment > size is greater than or equal to
  PowerShell: AttachmentSizeOver, ExceptIfAttachmentSizeOver
  Property type: Size
  Description: Messages where any attachment is greater than or equal to the specified value. In the EAC, you can only specify the size in kilobytes (KB).

The message didn't complete scanning
  EAC: Any attachment > didn't complete scanning
  PowerShell: AttachmentProcessingLimitExceeded, ExceptIfAttachmentProcessingLimitExceeded
  Property type: n/a
  Description: Messages where the rules engine couldn't complete the scanning of the attachments. You can use this condition to create rules that work together to identify and process messages where the content couldn't be fully scanned.

Any attachment has executable content
  EAC: Any attachment > has executable content
  PowerShell: AttachmentHasExecutableContent, ExceptIfAttachmentHasExecutableContent
  Property type: n/a
  Description: Messages where an attachment is an executable file. The system inspects the file's properties rather than relying on the file's extension.

Any attachment is password protected
  EAC: Any attachment > is password protected
  PowerShell: AttachmentIsPasswordProtected, ExceptIfAttachmentIsPasswordProtected
  Property type: n/a
  Description: Messages where an attachment is password protected (and therefore can't be scanned). Password detection only works for Office documents and .zip files.

Any attachment has these properties, including any of these words
  EAC: Any attachment > has these properties, including any of these words
  PowerShell: AttachmentPropertyContainsWords, ExceptIfAttachmentPropertyContainsWords
  Property type: First property: DocumentProperties; second property: Words
  Description: Messages where the specified property of an attached Office document contains the specified words. This condition helps you integrate mail flow rules with SharePoint, File Classification Infrastructure (FCI) in Windows Server 2012 R2 or later, or a third-party classification system. You can select from a list of built-in properties, or specify a custom property.
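The attachment conditions above leave three blind spots that a content-inspection rule alone does not cover: password-protected attachments can't be opened, unsupported types aren't recognized, and scanning can stop before it finishes. The following added example (not code from the original page or from Microsoft's documentation) shows rules that work together so that "could not be inspected" is treated differently from "inspected and clean". The rule names, priorities, the reviewer mailbox and the reject text are assumptions made for the example.

```powershell
# Added example (not from the original page). Assumed: rule names, priorities, the
# reviewer mailbox attachment-review@contoso.com and the reject text are constructed.
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).

# Rule 1: executable content is detected from the file's properties, not its
# extension, so a renamed executable is still caught. Reject with a clear reason.
New-TransportRule -Name "Reject inbound executable attachments" `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments are not accepted by this organization." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Priority 0

# Rules 2-4: the "could not be inspected" cases. Conditions on a single rule are
# combined with AND, so each case needs its own rule to get OR behaviour. Each one
# holds the message for a human reviewer instead of letting it through unexamined.
New-TransportRule -Name "Hold inbound password-protected attachments" `
    -FromScope NotInOrganization `
    -AttachmentIsPasswordProtected $true `
    -ModerateMessageByUser "attachment-review@contoso.com" `
    -Priority 1

New-TransportRule -Name "Hold inbound attachments of unsupported types" `
    -FromScope NotInOrganization `
    -AttachmentIsUnsupported $true `
    -ModerateMessageByUser "attachment-review@contoso.com" `
    -Priority 2

New-TransportRule -Name "Hold inbound attachments whose scan did not complete" `
    -FromScope NotInOrganization `
    -AttachmentProcessingLimitExceeded $true `
    -ModerateMessageByUser "attachment-review@contoso.com" `
    -Priority 3

# Confirm the evaluation order; lower Priority values are evaluated first.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State
```

The executable rule is given the lowest Priority value so it is evaluated before the moderation rules; content-inspection rules (AttachmentContainsWords, AttachmentMatchesPatterns) can be added after these, with the knowledge that they only see what could be opened and only the first 150 KB of it.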
Any recipients
The conditions and exceptions in this section provide a unique capability that affects all recipients when the message contains at least one of the specified recipients. For example, let's say you have a rule that rejects messages. If you use a recipient condition from the Recipients section, the message is only rejected for those specified recipients. For example, if the rule finds the specified recipient in a message that also contains five other recipients, the message is rejected for that one recipient and is delivered to the five other recipients.
If you add a recipient condition from this section, that same message is rejected for the detected recipient and the five other recipients. Conversely, a recipient exception from this section prevents the rule action from being applied to all recipients of the message, not just the detected recipients.
Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.

Any recipient address includes
  EAC: Any recipient > address includes any of these words
  PowerShell: AnyOfRecipientAddressContainsWords, ExceptIfAnyOfRecipientAddressContainsWords
  Property type: Words
  Description: Messages that contain the specified words in the To, Cc, or Bcc fields of the message.

Any recipient address matches
  EAC: Any recipient > address matches any of these text patterns
  PowerShell: AnyOfRecipientAddressMatchesPatterns, ExceptIfAnyOfRecipientAddressMatchesPatterns
  Property type: Patterns
  Description: Messages where the To, Cc, or Bcc fields contain text patterns that match the specified regular expressions.
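To make the per-recipient versus all-recipients difference concrete, the following added example (not code from the original page or from Microsoft's documentation) binds the same reject action to a condition from the Recipients section and to one from this section, and then shows an any-recipient exception. The rule names, the example.net domain and the reject texts are assumptions made for the example; in practice only one of the first two rules would exist.

```powershell
# Added example (not from the original page). Assumed: rule names, the external
# domain example.net and the reject texts are constructed.
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).

# Per-recipient condition (Recipients section). For a message addressed to one
# @example.net recipient plus five internal recipients, only the @example.net copy
# is rejected; the five internal recipients still receive the message.
New-TransportRule -Name "Reject mail to example.net (that recipient only)" `
    -RecipientDomainIs "example.net" `
    -RejectMessageReasonText "Mail to this recipient is not permitted." `
    -Mode Audit

# Any-recipient condition (this section). The same message is rejected for all six
# recipients, because one address in To, Cc, or Bcc matched.
New-TransportRule -Name "Reject mail to example.net (whole message)" `
    -AnyOfRecipientAddressMatchesPatterns '@example\.net$' `
    -RejectMessageReasonText "Messages addressed to example.net recipients are not permitted." `
    -Mode Audit

# An any-recipient EXCEPTION is just as wide: one matching address exempts the
# whole message, for every recipient, from the action. Here automatic forwards to
# external recipients are rejected unless an example.net address is among them.
New-TransportRule -Name "Reject external auto-forwards except to example.net" `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -ExceptIfAnyOfRecipientAddressMatchesPatterns '@example\.net$' `
    -RejectMessageReasonText "Automatic forwarding to external recipients is not permitted." `
    -Mode Audit
```

All three rules are created in Audit mode so that which recipients a rule would have affected can be checked in the message trace before the reject action is enforced.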

Message sensitive information types, To and Cc values, size, and character sets
The conditions in this section that look for values in the To and Cc fields behave like the conditions in the Any recipients section (all
recipients of the message are affected by the rule, not just the detected recipients).
Notes:
The recipient conditions in this section do not consider messages that are sent to recipient proxy addresses. They only match
messages that are sent to the recipient's primary email address.
For more information about using Office 365 groups with the recipient conditions in this section, see the Addresses entry in the
Property types section.

The message contains sensitive information
  EAC: The message > contains any of these types of sensitive information
  PowerShell: MessageContainsDataClassifications, ExceptIfMessageContainsDataClassifications
  Property type: SensitiveInformationTypes
  Description: Messages that contain sensitive information as defined by data loss prevention (DLP) policies. This condition is required for rules that use the Notify the sender with a Policy Tip (NotifySender) action.

The To box contains
  EAC: The message > To box contains this person
  PowerShell: AnyOfToHeader, ExceptIfAnyOfToHeader
  Property type: Addresses
  Description: Messages where the To field includes any of the specified recipients.

The To box contains a member of
  EAC: The message > To box contains a member of this group
  PowerShell: AnyOfToHeaderMemberOf, ExceptIfAnyOfToHeaderMemberOf
  Property type: Addresses
  Description: Messages where the To field contains a recipient who is a member of the specified distribution group, mail-enabled security group, or Office 365 group.

The Cc box contains
  EAC: The message > Cc box contains this person
  PowerShell: AnyOfCcHeader, ExceptIfAnyOfCcHeader
  Property type: Addresses
  Description: Messages where the Cc field includes any of the specified recipients.

The Cc box contains a member of
  EAC: The message > contains a member of this group
  PowerShell: AnyOfCcHeaderMemberOf, ExceptIfAnyOfCcHeaderMemberOf
  Property type: Addresses
  Description: Messages where the Cc field contains a recipient who is a member of the specified distribution group or mail-enabled security group.

The To or Cc box contains
  EAC: The message > To or Cc box contains this person
  PowerShell: AnyOfToCcHeader, ExceptIfAnyOfToCcHeader
  Property type: Addresses
  Description: Messages where the To or Cc fields contain any of the specified recipients.

The To or Cc box contains a member of
  EAC: The message > To or Cc box contains a member of this group
  PowerShell: AnyOfToCcHeaderMemberOf, ExceptIfAnyOfToCcHeaderMemberOf
  Property type: Addresses
  Description: Messages where the To or Cc fields contain a recipient who is a member of the specified distribution group or mail-enabled security group.

The message size is greater than or equal to
  EAC: The message > size is greater than or equal to
  PowerShell: MessageSizeOver, ExceptIfMessageSizeOver
  Property type: Size
  Description: Messages where the total size (message plus attachments) is greater than or equal to the specified value. In the EAC, you can only specify the size in kilobytes (KB).
  Note: Message size limits on mailboxes are evaluated before mail flow rules. A message that's too large for a mailbox will be rejected before a rule with this condition is able to act on the message.

The message character set name includes any of these words
  EAC: The message > character set name includes any of these words
  PowerShell: ContentCharacterSetContainsWords, ExceptIfContentCharacterSetContainsWords
  Property type: CharacterSets
  Description: Messages that have any of the specified character set names.
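The following added example (not code from the original page or from Microsoft's documentation) shows the sensitive-information condition in use, with the hashtable value syntax described under SensitiveInformationTypes in the Property types section, the NotifySender action that requires it, an exception written in the ADAttribute syntax, and the companion HasSenderOverride condition from the Senders section. The rule names, the incident-report mailbox, the reject text and the Finance and Treasury department names are assumptions made for the example.

```powershell
# Added example (not from the original page). Assumed: rule names, the incident
# mailbox dlp-incidents@contoso.com, the reject text and the department names are
# constructed. Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).

# MessageContainsDataClassifications takes one hashtable per sensitive information
# type, each with a Name and a minimum match count; it is the condition that the
# NotifySender action requires. The ADAttribute exception uses the
# "AttributeName:Value1,Value2" syntax, where multiple values are combined with OR.
New-TransportRule -Name "Policy Tip: financial account data leaving the organization" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name="Credit Card Number"; minCount="2"},@{Name="ABA Routing Number"; minCount="1"} `
    -ExceptIfSenderADAttributeContainsWords "Department:Finance,Treasury" `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText "Financial account data cannot be sent externally without a documented business justification." `
    -GenerateIncidentReport "dlp-incidents@contoso.com" `
    -IncidentReportContent Sender,Recipients,Subject,DataClassifications,Override

# HasSenderOverride matches only messages where the sender chose to override the
# Policy Tip, so those can be collected for review without touching other traffic.
New-TransportRule -Name "Report Policy Tip overrides" `
    -HasSenderOverride $true `
    -SentToScope NotInOrganization `
    -GenerateIncidentReport "dlp-incidents@contoso.com" `
    -IncidentReportContent Sender,Recipients,Subject,Override,RuleDetections,AttachOriginalMail
```

RejectUnlessExplicitOverride lets the sender proceed only after supplying a justification, and the second rule turns each such override into an incident report that includes the justification text, so the exception path is audited rather than silent.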

Sender and recipient

The sender is one of the recipient's
  EAC: The sender and the recipient > the sender's relationship to a recipient is
  PowerShell: SenderManagementRelationship, ExceptIfSenderManagementRelationship
  Property type: ManagementRelationship
  Description: Messages where either the sender is the manager of a recipient, or the sender is managed by a recipient.

The message is between members of these groups
  EAC: The sender and the recipient > the message is between members of these groups
  PowerShell: BetweenMemberOf1 and BetweenMemberOf2, ExceptIfBetweenMemberOf1 and ExceptIfBetweenMemberOf2
  Property type: Addresses
  Description: Messages that are sent between members of the specified distribution groups or mail-enabled security groups. For more information about using Office 365 groups with this condition, see the Addresses entry in the Property types section.

The manager of the sender or recipient is
  EAC: The sender and the recipient > the manager of the sender or recipient is this person
  PowerShell: ManagerForEvaluatedUser and ManagerAddress, ExceptIfManagerForEvaluatedUser and ExceptIfManagerAddress
  Property type: First property: EvaluatedUser; second property: Addresses
  Description: Messages where either a specified user is the manager of the sender, or a specified user is the manager of a recipient.

The sender's and any recipient's property compares as
  EAC: The sender and the recipient > the sender and recipient property compares as
  PowerShell: ADAttributeComparisonAttribute and ADComparisonOperator, ExceptIfADAttributeComparisonAttribute and ExceptIfADComparisonOperator
  Property type: First property: ADAttribute; second property: Evaluation
  Description: Messages where the specified Active Directory attribute for the sender and recipient either match or don't match.

Message properties

The message type is
  EAC: The message properties > include the message type
  PowerShell: MessageTypeMatches, ExceptIfMessageTypeMatches
  Property type: MessageType
  Description: Messages of the specified type.
  Note: When Outlook or Outlook on the web (formerly known as Outlook Web App) is configured to forward a message, the ForwardingSmtpAddress property is added to the message. The message type isn't changed to AutoForward.

The message is classified as
  EAC: The message properties > include this classification
  PowerShell: HasClassification, ExceptIfHasClassification
  Property type: MessageClassification
  Description: Messages that have the specified message classification. This is a custom message classification that you can create in your organization by using the New-MessageClassification cmdlet.

The message isn't marked with any classifications
  EAC: The message properties > don't include any classification
  PowerShell: HasNoClassification, ExceptIfHasNoClassification
  Property type: n/a
  Description: Messages that don't have a message classification.

The message has an SCL greater than or equal to
  EAC: The message properties > include an SCL greater than or equal to
  PowerShell: SCLOver, ExceptIfSCLOver
  Property type: SCLValue
  Description: Messages that are assigned a spam confidence level (SCL) that's greater than or equal to the specified value.

The message importance is set to
  EAC: The message properties > include the importance level
  PowerShell: WithImportance, ExceptIfWithImportance
  Property type: Importance
  Description: Messages that are marked with the specified Importance level.

Message headers

NOTE
The search for words or text patterns in the subject or other header fields in the message occurs after the message has been decoded from the MIME content transfer encoding method that was used to transmit the binary message between SMTP servers in ASCII text. You can't use conditions or exceptions to search for the raw (typically, Base64) encoded values of the subject or other header fields in messages.

A message header includes
  EAC: A message header > includes any of these words
  PowerShell: HeaderContainsMessageHeader and HeaderContainsWords, ExceptIfHeaderContainsMessageHeader and ExceptIfHeaderContainsWords
  Property type: First property: MessageHeaderField; second property: Words
  Description: Messages that contain the specified header field, and the value of that header field contains the specified words. The name of the header field and the value of the header field are always used together.

A message header matches
  EAC: A message header > matches these text patterns
  PowerShell: HeaderMatchesMessageHeader and HeaderMatchesPatterns, ExceptIfHeaderMatchesMessageHeader and ExceptIfHeaderMatchesPatterns
  Property type: First property: MessageHeaderField; second property: Patterns
  Description: Messages that contain the specified header field, and the value of that header field contains the specified regular expressions. The name of the header field and the value of the header field are always used together.
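The following added example (not code from the original page or from Microsoft's documentation) shows both header conditions, each pairing a header name with a value check as described above. The rule names, the subject tag and the X-header name and values are assumptions made for the example; Authentication-Results is the standard header (RFC 8601) in which a receiving service records its SPF, DKIM and DMARC results, and "dmarc=fail", "spf=fail" and "spf=softfail" are its standard result tokens.

```powershell
# Added example (not from the original page). Assumed: rule names, the subject tag
# and the X-Contoso-Auth-Flag header are constructed; Authentication-Results and
# its dmarc=/spf= result tokens are the RFC 8601 standard ones.
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).

# Words condition: HeaderContainsMessageHeader names the field, HeaderContainsWords
# gives the words to find in its value. The value is compared after MIME decoding,
# so an encoded header is matched in decoded form, never as raw Base64 text.
New-TransportRule -Name "Tag inbound mail that failed DMARC" `
    -FromScope NotInOrganization `
    -HeaderContainsMessageHeader "Authentication-Results" `
    -HeaderContainsWords "dmarc=fail" `
    -PrependSubject "[DMARC failure] " `
    -SetHeaderName "X-Contoso-Auth-Flag" `
    -SetHeaderValue "dmarc-fail"

# Patterns condition: the same pairing, with a regular expression on the value.
# 'spf=(soft)?fail' matches both "spf=fail" and "spf=softfail".
New-TransportRule -Name "Tag inbound mail with SPF fail or softfail" `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader "Authentication-Results" `
    -HeaderMatchesPatterns 'spf=(soft)?fail' `
    -SetHeaderName "X-Contoso-Auth-Flag" `
    -SetHeaderValue "spf-fail"

# A header condition matches whatever text is present under that header name,
# wherever it came from, so use it to tag and route mail for review rather than as
# the sole gate.
```

The SetHeaderName and SetHeaderValue pair stamps the verdict into the message so that downstream rules, inbox rules and searches can key on X-Contoso-Auth-Flag instead of re-parsing Authentication-Results.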

Property types
The property types that are used in conditions and exceptions are described in the following table.

NOTE
If the property is a string, trailing spaces are not allowed.

Each entry below lists the property type, its valid values, and a description.

ADAttribute
  Valid values: Select from a predefined list of Active Directory attributes
  Description: You can check against any of the following Active Directory attributes:
    City
    Company
    Country
    CustomAttribute1 - CustomAttribute15
    Department
    DisplayName
    Email
    FaxNumber
    FirstName
    HomePhoneNumber
    Initials
    LastName
    Manager
    MobileNumber
    Notes
    Office
    OtherFaxNumber
    OtherHomePhoneNumber
    OtherPhoneNumber
    PagerNumber
    PhoneNumber
    POBox
    State
    Street
    Title
    UserLogonName
    ZipCode
  In the EAC, to specify multiple words or text patterns for the same attribute, separate the values with commas. For example, the value San Francisco,Palo Alto for the City attribute looks for "City equals San Francisco" or "City equals Palo Alto".
  In Exchange Online PowerShell, use the syntax "AttributeName1:Value1,Value 2 with spaces,Value3...","AttributeName2:Word4,Value 5 with spaces,Value6...", where Value is the word or text pattern that you want to match. For example, "City:San Francisco,Palo Alto" or "City:San Francisco,Palo Alto","Department:Sales,Finance".
  When you specify multiple attributes, or multiple values for the same attribute, the or operator is used. Don't use values with leading or trailing spaces.
  Note that the Country attribute requires the two-letter ISO 3166-1 country code value (for example, DE for Germany). To search for values, see https://go.microsoft.com/fwlink/p/?LinkId=331680.

Addresses
  Valid values: Exchange Online recipients
  Description: Depending on the nature of the condition or exception, you might be able to specify any mail-enabled object in the organization (for example, recipient-related conditions), or you might be limited to a specific object type (for example, groups for group membership conditions). And, the condition or exception might require one value, or allow multiple values.
  In Exchange Online PowerShell, separate multiple values by commas.
  This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.
  The recipient picker in the EAC doesn't allow you to select Office 365 groups from the list of recipients. But, you can enter the email address of an Office 365 group in the box next to Check names, and then validate the email address by clicking Check names, which will add the Office 365 group to the add box.

CharacterSets
  Valid values: Array of character set names
  Description: One or more content character sets that exist in a message. For example:
    Arabic/iso-8859-6
    Chinese/big5
    Chinese/euc-cn
    Chinese/euc-tw
    Chinese/gb2312
    Chinese/iso-2022-cn
    Cyrillic/iso-8859-5
    Cyrillic/koi8-r
    Cyrillic/windows-1251
    Greek/iso-8859-7
    Hebrew/iso-8859-8
    Japanese/euc-jp
    Japanese/iso-022-jp
    Japanese/shift-jis
    Korean/euc-kr
    Korean/johab
    Korean/ks_c_5601-1987
    Turkish/windows-1254
    Turkish/iso-8859-9
    Vietnamese/tcvn

DomainName
  Valid values: Array of SMTP domains
  Description: For example, contoso.com or eu.contoso.com.
  In Exchange Online PowerShell, you can specify multiple domains separated by commas.

EvaluatedUser
  Valid values: Single value of Sender or Recipient
  Description: Specifies whether the rule is looking for the manager of the sender or the manager of the recipient.

Evaluation
  Valid values: Single value of Equal or Not equal (NotEqual)
  Description: When comparing the Active Directory attribute of the sender and recipients, this specifies whether the values should match, or not match.

Importance
  Valid values: Single value of Low, Normal, or High
  Description: The Importance level that was assigned to the message by the sender in Outlook or Outlook on the web.

IPAddressRanges
  Valid values: Array of IP addresses or address ranges
  Description: You enter the IPv4 addresses using the following syntax:
    • Single IP address: For example, 192.168.1.1.
    • IP address range: For example, 192.168.0.1-192.168.0.254.
    • Classless InterDomain Routing (CIDR) IP address range: For example, 192.168.0.1/25.
  In Exchange Online PowerShell, you can specify multiple IP addresses or ranges separated by commas.

ManagementRelationship
  Valid values: Single value of Manager or Direct report (DirectReport)
  Description: Specifies the relationship between the sender and any of the recipients. The rule checks the Manager attribute in Active Directory to see if the sender is the manager of a recipient, or if the sender is managed by a recipient.

MessageClassification
  Valid values: Single message classification
  Description: In the EAC, you select from the list of message classifications that you've created.
  In Exchange Online PowerShell, you use the Get-MessageClassification cmdlet to identify the message classification. For example, use the following command to search for messages with the Company Internal classification and prepend the message subject with the value CompanyInternal:
    New-TransportRule "Rule Name" -HasClassification @(Get-MessageClassification "Company Internal").Identity -PrependSubject "CompanyInternal"

MessageHeaderField
  Valid values: Single string
  Description: Specifies the name of the header field. The name of the header field is always paired with the value in the header field (word or text pattern match). The message header is a collection of required and optional header fields in the message. Examples of header fields are To, From, Received, and Content-Type. Official header fields are defined in RFC 5322. Unofficial header fields start with X- and are known as X-headers.

MessageType
  Valid values: Single message type value
  Description: Specifies one of the following message types:
    • Automatic reply (OOF)
    • Auto-forward (AutoForward)
    • Encrypted
    • Calendaring
    • Permission controlled (PermissionControlled)
    • Voicemail
    • Signed
    • Approval request (ApprovalRequest)
    • Read receipt (ReadReceipt)
  Note: When Outlook or Outlook on the web is configured to forward a message, the ForwardingSmtpAddress property is added to the message. The message type isn't changed to AutoForward.

Patterns
  Valid values: Array of regular expressions
  Description: Specifies one or more regular expressions that are used to identify text patterns in values. For more information, see Regular Expression Syntax.
  In Exchange Online PowerShell, you specify multiple regular expressions separated by commas, and you enclose each regular expression in quotation marks (").

SCLValue
  Valid values: One of the following values:
    • Bypass spam filtering (-1)
    • Integers 0 through 9
  Description: Specifies the spam confidence level (SCL) that's assigned to a message. A higher SCL value indicates that a message is more likely to be spam.

SensitiveInformationTypes
  Valid values: Array of sensitive information types
  Description: Specifies one or more sensitive information types that are defined in your organization. For a list of built-in sensitive information types, see What the sensitive information types in Exchange look for.
  In Exchange Online PowerShell, use the syntax @{<SensitiveInformationType1>},@{<SensitiveInformationType. For example, to look for content that contains at least two credit card numbers, and at least one ABA routing number, use the value @{Name="Credit Card Number"; minCount="2"},@{Name="ABA Routing Number"; minCount="1"}.

Size
  Valid values: Single size value
  Description: Specifies the size of an attachment or the whole message.
  In the EAC, you can only specify the size in kilobytes (KB).
  In Exchange Online PowerShell, when you enter a value, qualify the value with one of the following units:
    • B (bytes)
    • KB (kilobytes)
    • MB (megabytes)
    • GB (gigabytes)
  For example, 20 MB. Unqualified values are typically treated as bytes, but small values may be rounded up to the nearest kilobyte.

SupervisionList
  Valid values: Single value of Allow or Block
  Description: Supervision policies were a feature in Live@edu that allowed you to control who could send mail to and receive mail from users in your organization (for example, the closed campus and anti-bullying policies). In Office 365, you can't configure supervision list entries on mailboxes.

UserScopeFrom
  Valid values: Single value of Inside the organization (InOrganization) or Outside the organization (NotInOrganization)
  Description: A sender is considered to be inside the organization if either of the following conditions is true:
    • The sender is a mailbox, mail user, group, or mail-enabled public folder that exists inside the organization.
    • The sender's email address is in an accepted domain that's configured as an authoritative domain or an internal relay domain, and the message was sent or received over an authenticated connection. For more information about accepted domains, see Accepted Domains.
  A sender is considered to be outside the organization if either of the following conditions is true:
    • The sender's email address isn't in an accepted domain.
    • The sender's email address is in an accepted domain that's configured as an external relay domain.
  Note: To determine whether mail contacts are considered to be inside or outside the organization, the sender's address is compared with the organization's accepted domains.

UserScopeTo
  Valid values: One of the following values:
    • Inside the organization (InOrganization)
    • Outside the organization (NotInOrganization)
  Description: A recipient is considered to be inside the organization if either of the following conditions is true:
    • The recipient is a mailbox, mail user, group, or mail-enabled public folder that exists inside the organization.
    • The recipient's email address is in an accepted domain that's configured as an authoritative domain or an internal relay domain, and the message was sent or received over an authenticated connection.

A recipient is considered to be outside the


organization if either of the following conditions
is true:
• The recipient's email address isn't in an
accepted domain.
• The recipient's email address is in an accepted
domain that's configured as an external relay
domain.

Words Array of strings Specifies one or more words to look for. The
words aren't case-sensitive, and can be
surrounded by spaces and punctuation marks.
Wildcards and partial matches aren't supported.
For example, "contoso" matches " Contoso".

However, if the text is surrounded by other


characters, it isn't considered a match. For
example, "contoso" doesn't match the following
values:
• Acontoso
• Contosoa
• Acontosob

The asterisk (*) is treated as a literal character,


and isn't used as a wildcard character.

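The following is an added example, not code from the original page, showing how the property types in this table are expressed as New-TransportRule parameters. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) with an account that holds the Transport Rules role; the rule names, the it-review@contoso.com moderator and the partner.example domain are placeholders, and the Authentication-Results guard on the last rule is a hardening choice added here rather than something the page prescribes.

```powershell
# Added example; not part of the original page. Assumes an Exchange Online PowerShell
# session with the Transport Rules role. Names, addresses and domains are placeholders.

# SensitiveInformationTypes: one hashtable per type, separated by commas
# (PowerShell turns the comma-separated hashtables into an array).
$classifications = @(
    @{ Name = 'Credit Card Number'; minCount = '2' },
    @{ Name = 'ABA Routing Number'; minCount = '1' }
)
$rule1 = @{
    Name                               = 'Audit outbound financial data'
    Mode                               = 'Audit'              # log matches, take no action yet
    FromScope                          = 'InOrganization'     # UserScopeFrom
    SentToScope                        = 'NotInOrganization'  # UserScopeTo
    MessageContainsDataClassifications = $classifications
    SetAuditSeverity                   = 'High'
}
New-TransportRule @rule1

# Patterns: an array of quoted regular expressions. Single quotes stop PowerShell from
# expanding $ or interpreting backslashes inside the expression.
$rule2 = @{
    Name                         = 'Tag project code names'
    SubjectOrBodyMatchesPatterns = @('Project\s+Falcon', 'PO-\d{6}')
    PrependSubject               = 'RESTRICTED: '
    # Words match whole tokens bounded by spaces or punctuation, so the colon above
    # keeps this exception matching on replies and stops the tag being added twice.
    ExceptIfSubjectContainsWords = 'RESTRICTED'
}
New-TransportRule @rule2

# Size: always qualify the unit. An unqualified number is read as bytes.
$rule3 = @{
    Name                  = 'Review large external attachments'
    SentToScope           = 'NotInOrganization'
    AttachmentSizeOver    = '20 MB'
    ModerateMessageByUser = 'it-review@contoso.com'   # a mailbox; distribution groups aren't allowed
}
New-TransportRule @rule3

# SCLValue -1 bypasses spam filtering entirely, so never key it on the sender domain
# alone: the From address is trivially spoofed. Here the rule also requires a DMARC pass
# in the Authentication-Results header that EOP stamps before rules are evaluated
# (assumed header content; adjust the pattern to what your tenant actually records).
$rule4 = @{
    Name                       = 'Bypass filtering for authenticated partner mail'
    SenderDomainIs             = 'partner.example'
    HeaderMatchesMessageHeader = 'Authentication-Results'
    HeaderMatchesPatterns      = 'dmarc=pass'
    SetSCL                     = -1
}
New-TransportRule @rule4

# Check what was stored and the order in which the rules will be evaluated.
Get-TransportRule | Sort-Object Priority |
    Format-Table Name, Priority, Mode, State, FromScope, SentToScope -AutoSize
```

The first rule is created in Audit mode so that matches show up in the message trace and incident reports without affecting delivery; switch it to Enforce only after reviewing what it catches.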
For more information


Mail flow rules (transport rules) in Exchange Online
Mail flow rule actions in Exchange Online
Mail flow rule procedures in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Server
New-TransportRule
Mail flow rule actions in Exchange Online
7/10/2019

Actions in mail flow rules (also known as transport rules) specify what you want to do to messages that match the
conditions of the rule. For example, you can create a rule that forwards messages from specific senders to a
moderator, or adds a disclaimer or personalized signature to all outbound messages.
Actions typically require additional properties. For example, when the rule redirects a message, you need to
specify where to redirect the message. Some actions have multiple properties that are available or required. For
example, when the rule adds a header field to the message header, you need to specify both the name and value of
the header. When the rule adds a disclaimer to messages, you need to specify the disclaimer text, but you can also
specify where to insert the text, or what to do if the disclaimer can't be added to the message. Typically, you can
configure multiple actions in a rule, but some actions are exclusive. For example, one rule can't reject and redirect
the same message.
For more information about mail flow rules in Exchange Online, see Mail flow rules (transport rules) in Exchange
Online.
For more information about conditions and exceptions in mail flow rules, see Mail flow rule conditions and
exceptions (predicates) in Exchange Online.
For more information about actions in mail flow rules in Exchange Online Protection or Exchange Server, see Mail
flow rule actions in Exchange Online Protection or Mail flow rules (transport rules).

Actions for mail flow rules in Exchange Online


The actions that are available in mail flow rules in Exchange Online are described in the following table. Valid
values for each property are described in the Property values section.
Notes:
• After you select an action in the Exchange admin center (EAC), the value that's ultimately shown in the Do the following field is often different from the click path you selected. Also, when you create new rules, you can sometimes (depending on the selections you make) select a short action name from a template (a filtered list of actions) instead of following the complete click path. The short names and full click path values are shown in the EAC column in the table.
• The names of some of the actions that are returned by the Get-TransportRuleAction cmdlet are different than the corresponding parameter names, and multiple parameters might be required for an action.

Each action below is listed with the same four fields as the original table: the action in the EAC (short name and full click path), the action parameter in PowerShell, the property, and the description.

Action in the EAC: Forward the message for approval to these people
Full click path: Forward the message for approval > to these people
PowerShell parameter: ModerateMessageByUser
Property: Addresses
Description: Forwards the message to the specified moderators as an attachment wrapped in an approval request. For more information, see Common message approval scenarios. You can't use a distribution group as a moderator.

Action in the EAC: Forward the message for approval to the sender's manager
Full click path: Forward the message for approval > to the sender's manager
PowerShell parameter: ModerateMessageByManager
Property: n/a
Description: Forwards the message to the sender's manager for approval. This action only works if the sender's Manager attribute is defined. Otherwise, the message is delivered to the recipients without moderation.

Action in the EAC: Redirect the message to these recipients
Full click path: Redirect the message to > these recipients
PowerShell parameter: RedirectMessageTo
Property: Addresses
Description: Redirects the message to the specified recipients. The message isn't delivered to the original recipients, and no notification is sent to the sender or the original recipients.

Action in the EAC: Deliver the message to the hosted quarantine
Full click path: Redirect the message to > hosted quarantine
PowerShell parameter: Quarantine
Property: n/a
Description: Delivers the message to the hosted quarantine. For more information about the hosted quarantine in Office 365, see Quarantine.

Action in the EAC: Use the following connector
Full click path: Redirect the message to > the following connector
PowerShell parameter: RouteMessageOutboundConnector
Property: OutboundConnector
Description: Uses the specified outbound connector to deliver the message. For more information about connectors, see Configure mail flow using connectors in Office 365.

Action in the EAC: Reject the message with the explanation
Full click path: Block the message > reject the message and include an explanation
PowerShell parameter: RejectMessageReasonText
Property: String
Description: Returns the message to the sender in a non-delivery report (also known as an NDR or bounce message) with the specified text as the rejection reason. The recipient doesn't receive the original message or notification. The default enhanced status code that's used is 5.7.1. When you create or modify the rule in PowerShell, you can specify the DSN code by using the RejectMessageEnhancedStatusCode parameter.

Action in the EAC: Reject the message with the enhanced status code of
Full click path: Block the message > reject the message with the enhanced status code of
PowerShell parameter: RejectMessageEnhancedStatusCode
Property: DSNEnhancedStatusCode
Description: Returns the message to the sender in an NDR with the specified enhanced delivery status notification (DSN) code. The recipient doesn't receive the original message or notification. Valid DSN codes are 5.7.1 or 5.7.900 through 5.7.999. The default reason text that's used is Delivery not authorized, message refused. When you create or modify the rule in PowerShell, you can specify the rejection reason text by using the RejectMessageReasonText parameter.

Action in the EAC: Delete the message without notifying anyone
Full click path: Block the message > delete the message without notifying anyone
PowerShell parameter: DeleteMessage
Property: n/a
Description: Silently drops the message without sending a notification to the recipient or the sender.

Action in the EAC: Add recipients to the Bcc box
Full click path: Add recipients > to the Bcc box
PowerShell parameter: BlindCopyTo
Property: Addresses
Description: Adds one or more recipients to the Bcc field of the message. The original recipients aren't notified, and they can't see the additional addresses. Note: In Exchange Online, you can't add a distribution group as a recipient.

Action in the EAC: Add recipients to the To box
Full click path: Add recipients > to the To box
PowerShell parameter: AddToRecipients
Property: Addresses
Description: Adds one or more recipients to the To field of the message. The original recipients can see the additional addresses. Note: In Exchange Online, you can't add a distribution group as a recipient.

Action in the EAC: Add recipients to the Cc box
Full click path: Add recipients > to the Cc box
PowerShell parameter: CopyTo
Property: Addresses
Description: Adds one or more recipients to the Cc field of the message. The original recipients can see the additional addresses. Note: In Exchange Online, you can't add a distribution group as a recipient.

Action in the EAC: Add the sender's manager as a recipient
Full click path: Add recipients > add the sender's manager as a recipient
PowerShell parameter: AddManagerAsRecipientType
Property: AddedManagerAction
Description: Adds the sender's manager to the message as the specified recipient type (To, Cc, Bcc), or redirects the message to the sender's manager without notifying the sender or the recipient. This action only works if the sender's Manager attribute is defined in Active Directory.

Action in the EAC: Append the disclaimer
Full click path: Apply a disclaimer to the message > append a disclaimer
PowerShell parameters: ApplyHtmlDisclaimerText, ApplyHtmlDisclaimerFallbackAction, ApplyHtmlDisclaimerLocation
Properties: First property: DisclaimerText. Second property: DisclaimerFallbackAction. Third property (PowerShell only): DisclaimerTextLocation
Description: Applies the specified HTML disclaimer to the end of the message. When you create or modify the rule in PowerShell, use the ApplyHtmlDisclaimerLocation parameter with the value Append.

Action in the EAC: Prepend the disclaimer
Full click path: Apply a disclaimer to the message > prepend a disclaimer
PowerShell parameters: ApplyHtmlDisclaimerText, ApplyHtmlDisclaimerFallbackAction, ApplyHtmlDisclaimerLocation
Properties: First property: DisclaimerText. Second property: DisclaimerFallbackAction. Third property (PowerShell only): DisclaimerTextLocation
Description: Applies the specified HTML disclaimer to the beginning of the message. When you create or modify the rule in PowerShell, use the ApplyHtmlDisclaimerLocation parameter with the value Prepend.

Action in the EAC: Remove this header
Full click path: Modify the message properties > remove a message header
PowerShell parameter: RemoveHeader
Property: MessageHeaderField
Description: Removes the specified header field from the message header.

Action in the EAC: Set the message header to this value
Full click path: Modify the message properties > set a message header
PowerShell parameters: SetHeaderName, SetHeaderValue
Properties: First property: MessageHeaderField. Second property: String
Description: Adds or modifies the specified header field in the message header, and sets the header field to the specified value.

Action in the EAC: Apply a message classification
Full click path: Modify the message properties > apply a message classification
PowerShell parameter: ApplyClassification
Property: MessageClassification
Description: Applies the specified message classification to the message.

Action in the EAC: Set the spam confidence level (SCL) to
Full click path: Modify the message properties > set the spam confidence level (SCL)
PowerShell parameter: SetSCL
Property: SCLValue
Description: Sets the spam confidence level (SCL) of the message to the specified value.

Action in the EAC: Apply Office 365 Message Encryption and rights protection
Short name: Apply Office 365 Message Encryption and rights protection to the message
Full click path: Modify the message security > Apply Office 365 Message Encryption and rights protection
PowerShell parameter: ApplyRightsProtectionTemplate
Property: RMSTemplate
Description: Applies the specified Azure Rights Management (Azure RMS) template to the message. Azure RMS is part of Azure Information Protection. For more information, see Set up new Office 365 Message Encryption capabilities.

Action in the EAC: Require TLS encryption
Full click path: Modify the message security > require TLS encryption
PowerShell parameter: RouteMessageOutboundRequireTls
Property: n/a
Description: Forces the outbound messages to be routed over a TLS encrypted connection.

Action in the EAC: Encrypt the messages with the previous version of OME
Full click path: Modify the message security > Apply the previous version of OME
PowerShell parameter: ApplyOME
Property: n/a
Description: If you haven't moved your Office 365 organization to Office 365 Message Encryption (OME) that's built on Azure Information Protection, this action encrypts the message and attachments with the previous version of OME.
Notes:
• We recommend that you make a plan to move to OME on Azure Information Protection as soon as it's reasonable for your organization. For instructions, see Set up new Office 365 Message Encryption capabilities.
• If you receive an error stating that IRM licensing isn't enabled, you can't set up the previous version of OME. If you set up OME now, you'll set up the OME capabilities that are built on Azure Information Protection.

Action in the EAC: Remove the previous version of OME from the message
Full click path: Modify the message security > Remove the previous version of OME
PowerShell parameter: RemoveOME
Property: n/a
Description: Decrypts the message and attachments from the previous version of OME so users don't need to sign in to the encryption portal in order to view them. This action is only available for messages that are sent within your organization.

Action in the EAC: Remove Office 365 Message Encryption and rights protection
Full click path: Modify the message security > Remove Office 365 Message Encryption and rights protection
PowerShell parameter: RemoveOMEv2
Property: n/a
Description: Removes the Azure RMS template from the message.

Action in the EAC: Prepend the subject of the message with
PowerShell parameter: PrependSubject
Property: String
Description: Adds the specified text to the beginning of the Subject field of the message. Consider using a space or a colon (:) as the last character of the specified text to differentiate it from the original subject text. To prevent the same string from being added to messages that already contain the text in the subject (for example, replies), add the The subject includes ( ExceptIfSubjectContainsWords ) exception to the rule.

Action in the EAC: Notify the sender with a Policy Tip
PowerShell parameters: NotifySender, RejectMessageReasonText, RejectMessageEnhancedStatusCode (PowerShell only)
Properties: First property: NotifySenderType. Second property: String. Third property (PowerShell only): DSNEnhancedStatusCode
Description: Notifies the sender or blocks the message when the message matches a DLP policy. When you use this action, you need to use the The message contains sensitive information ( MessageContainsDataClassification ) condition. When you create or modify the rule in PowerShell, the RejectMessageReasonText parameter is optional. If you don't use this parameter, the default text Delivery not authorized, message refused is used. In PowerShell, you can also use the RejectMessageEnhancedStatusCode parameter to specify the enhanced status code. If you don't use this parameter, the default enhanced status code 5.7.1 is used. This action limits the other conditions, exceptions, and actions that you can configure in the rule.

Action in the EAC: Generate incident report and send it to
PowerShell parameters: GenerateIncidentReport, IncidentReportContent
Properties: First property: Addresses. Second property: IncidentReportContent
Description: Sends an incident report that contains the specified content to the specified recipients. An incident report is generated for messages that match data loss prevention (DLP) policies in your organization.

Action in the EAC: Notify the recipient with a message
PowerShell parameter: GenerateNotification
Property: NotificationMessageText
Description: Specifies the text, HTML tags, and message keywords to include in the notification message that's sent to the message's recipients. For example, you can notify recipients that the message was rejected by the rule, or marked as spam and delivered to their Junk Email folder.

Action in the EAC: Properties of this rule section > Audit this rule with severity level
PowerShell parameter: SetAuditSeverity
Property: AuditSeverityLevel
Description: Specifies whether to:
• Prevent the generation of an incident report and the corresponding entry in the message tracking log.
• Generate an incident report and the corresponding entry in the message tracking log with the specified severity level (low, medium, or high).

Action in the EAC: Properties of this rule section > Stop processing more rules
Full click path: More options > Properties of this rule section > Stop processing more rules
PowerShell parameter: StopRuleProcessing
Property: n/a
Description: Specifies that after the message is affected by the rule, the message is exempt from processing by other rules.

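The following is an added example, not code from the original page, showing three of the actions above with the PowerShell parameters listed for them. It assumes an Exchange Online PowerShell session with the Transport Rules role; the rule names and the compliance@contoso.com mailbox are placeholders, and 5.7.901 is an arbitrary code chosen from the allowed 5.7.900 through 5.7.999 range.

```powershell
# Added example; not part of the original page. Assumes an Exchange Online PowerShell
# session. Rule names and addresses are placeholders.

# 1. Reject with a custom DSN code and reason text. The AutoForward message type catches
#    mail forwarded by inbox rules; as the conditions table notes, the forwarding setting
#    in Outlook adds ForwardingSmtpAddress but does not change the message type.
$reject = @{
    Name                            = 'Reject external auto-forwarding'
    FromScope                       = 'InOrganization'
    SentToScope                     = 'NotInOrganization'
    MessageTypeMatches              = 'AutoForward'
    RejectMessageEnhancedStatusCode = '5.7.901'          # only 5.7.1 or 5.7.900-5.7.999 are accepted
    RejectMessageReasonText         = 'Automatic forwarding to external recipients is not permitted.'
    StopRuleProcessing              = $true              # nothing else needs to run on a rejected message
}
New-TransportRule @reject

# 2. Prepend an HTML disclaimer to inbound external mail. The fallback action decides what
#    happens when the body cannot be changed (for example, an encrypted message):
#      Wrap   - the default; the original becomes an attachment of a new message, and rules
#               with a higher priority number then see that envelope, not the original
#      Ignore - deliver the message unchanged
#      Reject - return the message to the sender in an NDR
#    For an informational banner, Ignore is the least surprising fallback.
#    Deliberately no "except if the body already contains the banner" exception here: that
#    advice suits signatures, but for a security banner an outside sender could include the
#    text to suppress the warning.
$banner = '<p style="background:#fff3cd;padding:6px">CAUTION: This message originated outside the organization.</p>'
$disclaimer = @{
    Name                              = 'External mail banner'
    FromScope                         = 'NotInOrganization'
    SentToScope                       = 'InOrganization'
    ApplyHtmlDisclaimerLocation       = 'Prepend'
    ApplyHtmlDisclaimerText           = $banner
    ApplyHtmlDisclaimerFallbackAction = 'Ignore'
}
New-TransportRule @disclaimer

# 3. Set a header and Bcc a compliance mailbox. The header is visible to recipients;
#    the Bcc address is not, and it must be a mailbox rather than a distribution group.
$copy = @{
    Name                       = 'Copy contract mail to compliance'
    SentToScope                = 'NotInOrganization'
    SubjectOrBodyContainsWords = @('contract', 'statement of work')
    SetHeaderName              = 'X-Contoso-Reviewed'
    SetHeaderValue             = 'compliance'
    BlindCopyTo                = 'compliance@contoso.com'
}
New-TransportRule @copy

# Confirm the stored values: the parameter names above are the property names on the rule.
Get-TransportRule -Identity $reject.Name, $disclaimer.Name, $copy.Name |
    Format-List Name, Priority, State, RejectMessageEnhancedStatusCode,
                ApplyHtmlDisclaimerFallbackAction, SetHeaderName, BlindCopyTo
```

Note that the three rules use different, non-exclusive actions; as the introduction states, a single rule cannot both reject and redirect the same message, so a redirect would need its own rule.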
Property values
The property values that are used for actions in mail flow rules are described in the following table.

Each property below is listed with its valid values and description.

AddedManagerAction
Valid values: To, Cc, Bcc, or Redirect
Description: Specifies how to include the sender's manager in messages. If you select To, Cc, or Bcc, the sender's manager is added as a recipient in the specified field. If you select Redirect, the message is only delivered to the sender's manager without notifying the sender or the recipient. This action only works if the sender's Manager is defined.

Addresses
Valid values: Exchange recipients
Description: Depending on the action, you might be able to specify any mail-enabled object in the organization, or you might be limited to a specific object type. Typically, you can select multiple recipients, but you can only send an incident report to one recipient.

AuditSeverityLevel
Valid values: Uncheck Audit this rule with severity level, or select Audit this rule with severity level with the value Not specified ( DoNotAudit ); Low; Medium; High
Description: The values Low, Medium, or High specify the severity level that's assigned to the incident report and to the corresponding entry in the message tracking log. The other value prevents an incident report from being generated, and prevents the corresponding entry from being written to the message tracking log.

DisclaimerFallbackAction
Valid values: Wrap, Ignore, or Reject
Description: Specifies what to do if the disclaimer can't be applied to a message. There are situations where the contents of a message can't be altered (for example, the message is encrypted). The available fallback actions are:
• Wrap: The original message is wrapped in a new message envelope, and the disclaimer text is inserted into the new message. This is the default value.
• Ignore: The rule is ignored and the message is delivered without the disclaimer.
• Reject: The message is returned to the sender in an NDR.
Notes:
• Subsequent mail flow rules are applied to the new message envelope, not to the original message. Therefore, configure disclaimer rules that wrap messages to run after your other rules (a lower priority, which in Exchange means a higher priority number).
• If the original message can't be wrapped in a new message envelope, the original message isn't delivered. The message is returned to the sender in an NDR.

DisclaimerText
Valid values: HTML string
Description: Specifies the disclaimer text, which can include HTML tags, inline cascading style sheet (CSS) tags, and images by using the IMG tag. The maximum length is 5000 characters, including tags.

DisclaimerTextLocation
Valid values: Single value: Append or Prepend
Description: In PowerShell, you use the ApplyHtmlDisclaimerLocation parameter to specify the location of the disclaimer text in the message:
• Append: Add the disclaimer to the end of the message body. This is the default value.
• Prepend: Add the disclaimer to the beginning of the message body.

DSNEnhancedStatusCode
Valid values: Single DSN code value: 5.7.1, or 5.7.900 through 5.7.999
Description: Specifies the DSN code that's used. You can create custom DSNs by using the New-SystemMessage cmdlet. If you don't specify the rejection reason text along with the DSN code, the default reason text that's used is Delivery not authorized, message refused. When you create or modify the rule in PowerShell, you can specify the rejection reason text by using the RejectMessageReasonText parameter.

IncidentReportContent
Valid values: One or more of the following values:
• Sender
• Recipients
• Subject
• Cc'd recipients ( Cc )
• Bcc'd recipients ( Bcc )
• Severity
• Sender override information ( Override )
• Matching rules ( RuleDetections )
• False positive reports ( FalsePositive )
• Detected data classifications ( DataClassifications )
• Matching content ( IdMatch )
• Original mail ( AttachOriginalMail )
Description: Specifies the original message properties to include in the incident report. You can choose to include any combination of these properties. In addition to the properties you specify, the message ID is always included. The available properties are:
• Sender: The sender of the original message.
• Recipients, Cc'd recipients, and Bcc'd recipients: All recipients of the message, or only the recipients in the Cc or Bcc fields. For each property, only the first 10 recipients are included in the incident report.
• Subject: The Subject field of the original message.
• Severity: The audit severity of the rule that was triggered. Message tracking logs include all the audit severity levels, and can be filtered by audit severity. In the EAC, if you clear the Audit this rule with severity level check box (in PowerShell, the SetAuditSeverity parameter value DoNotAudit), rule matches won't appear in the rule reports. If a message is processed by more than one rule, the highest severity is included in any incident reports.
• Sender override information: The override if the sender chose to override a Policy Tip. If the sender provided a justification, the first 100 characters of the justification are also included.
• Matching rules: The list of rules that the message triggered.
• False positive reports: The false positive if the sender marked the message as a false positive for a Policy Tip.
• Detected data classifications: The list of sensitive information types detected in the message.
• Matching content: The sensitive information type detected, the exact matched content from the message, and the 150 characters before and after the matched sensitive information. Because this copies the sensitive data itself into the report, protect the report mailbox at least as well as the data it describes.
• Original mail: The entire message that triggered the rule is attached to the incident report.
In PowerShell, you specify multiple values separated by commas.

MessageClassification
Valid values: Single message classification object
Description: In the EAC, you select from the list of available message classifications. In PowerShell, use the Get-MessageClassification cmdlet to see the message classification objects that are available.

MessageHeaderField
Valid values: Single string
Description: Specifies the SMTP message header field to add, remove, or modify. The message header is a collection of required and optional header fields in the message. Examples of header fields are To, From, Received, and Content-Type. Official header fields are defined in RFC 5322. Unofficial header fields start with X- and are known as X-headers.

NotificationMessageText
Valid values: Any combination of plain text, HTML tags, and keywords
Description: Specifies the text to use in a recipient notification message. In addition to plain text and HTML tags, you can specify the following keywords that use values from the original message:
• %%From%%
• %%To%%
• %%Cc%%
• %%Subject%%
• %%Headers%%
• %%MessageDate%%

NotifySenderType
Valid values: One of the following values:
• Notify the sender, but allow them to send ( NotifyOnly )
• Block the message ( RejectMessage )
• Block the message unless it's a false positive ( RejectUnlessFalsePositiveOverride )
• Block the message, but allow the sender to override and send ( RejectUnlessSilentOverride )
• Block the message, but allow the sender to override with a business justification and send ( RejectUnlessExplicitOverride )
Description: Specifies the type of Policy Tip that the sender receives if the message violates a DLP policy. The settings are described in the following list:
• Notify the sender, but allow them to send: The sender is notified, but the message is delivered normally.
• Block the message: The message is rejected, and the sender is notified.
• Block the message unless it's a false positive: The message is rejected unless it's marked as a false positive by the sender.
• Block the message, but allow the sender to override and send: The message is rejected unless the sender has chosen to override the policy restriction.
• Block the message, but allow the sender to override with a business justification and send: This is similar to the Block the message, but allow the sender to override and send type, but the sender also provides a justification for overriding the policy restriction.
When you use this action, you need to use the The message contains sensitive information ( MessageContainsDataClassification ) condition.

OutboundConnector
Valid values: Single outbound connector
Description: Specifies the identity of the outbound connector that's used to deliver messages. For more information about connectors, see Configure mail flow using connectors in Office 365. In the EAC, you select the connector from a list. In PowerShell, use the Get-OutboundConnector cmdlet to see the connectors that are available.

RMSTemplate
Valid values: Single Azure RMS template object
Description: Specifies the Azure Rights Management (Azure RMS) template that's applied to the message. In the EAC, you select the RMS template from a list. In PowerShell, use the Get-RMSTemplate cmdlet to see the RMS templates that are available. For more information about RMS in Office 365, see What is Azure Information Protection?.

SCLValue
Valid values: Bypass spam filtering ( -1 ), or an integer from 0 through 9
Description: Specifies the spam confidence level (SCL) that's assigned to the message. A higher SCL value indicates that a message is more likely to be spam.

String
Valid values: Single string
Description: Specifies the text that's applied to the specified message header field, NDR, or event log entry. In PowerShell, if the value contains spaces, enclose the value in quotation marks (").

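The following is an added example, not code from the original page, that puts the NotifySenderType, IncidentReportContent and NotificationMessageText values above into two rules. It assumes an Exchange Online PowerShell session with the Transport Rules role; the rule names and the dlp-reports@contoso.com mailbox are placeholders, 5.7.910 is an arbitrary code in the allowed 5.7.900 through 5.7.999 range, and the list of blocked attachment extensions is illustrative.

```powershell
# Added example; not part of the original page. Assumes an Exchange Online PowerShell
# session. Names and addresses are placeholders.

# 1. A DLP-style rule: Policy Tip for the sender, plus an incident report.
#    RejectUnlessExplicitOverride blocks the message unless the sender supplies a business
#    justification; the first 100 characters of that justification reach the report through
#    the Override content value. NotifySender requires the data-classification condition.
$dlp = @{
    Name                               = 'DLP: credit card numbers to external recipients'
    Mode                               = 'AuditAndNotify'     # tips and reports, no blocking yet
    SentToScope                        = 'NotInOrganization'
    MessageContainsDataClassifications = @{ Name = 'Credit Card Number'; minCount = '1' }
    NotifySender                       = 'RejectUnlessExplicitOverride'
    RejectMessageReasonText            = 'Credit card numbers cannot leave the organization without a justification.'
    RejectMessageEnhancedStatusCode    = '5.7.910'
    SetAuditSeverity                   = 'High'
    GenerateIncidentReport             = 'dlp-reports@contoso.com'   # exactly one recipient
    # IdMatch copies the matched data and 150 characters of context into the report, and
    # AttachOriginalMail would copy the whole message, so the report mailbox needs the same
    # access restrictions as the data itself.
    IncidentReportContent              = @('Sender', 'Recipients', 'Subject', 'Severity',
                                           'Override', 'RuleDetections', 'DataClassifications', 'IdMatch')
}
New-TransportRule @dlp

# 2. Reject inbound executable attachments and tell the intended recipients why.
#    The %%keyword%% placeholders are filled from the original message; a single-quoted
#    here-string keeps PowerShell from touching them.
$notifyText = @'
<p>A message from %%From%% with the subject "%%Subject%%" sent on %%MessageDate%% was
rejected because it carried an executable attachment. Ask the sender to share the file
through an approved channel.</p>
'@
$block = @{
    Name                            = 'Reject executable attachments and notify recipients'
    FromScope                       = 'NotInOrganization'
    AttachmentExtensionMatchesWords = @('exe', 'js', 'vbs', 'scr')
    RejectMessageReasonText         = 'Executable attachments are not accepted.'
    GenerateNotification            = $notifyText
}
New-TransportRule @block

# Confirm what was stored, including the IncidentReportContent array.
Get-TransportRule -Identity $dlp.Name |
    Format-List Name, Mode, NotifySender, SetAuditSeverity, GenerateIncidentReport, IncidentReportContent
```

The DLP rule starts in AuditAndNotify mode so senders see the Policy Tip and reports are generated while delivery is unaffected; move it to Enforce once the false-positive rate from the reports is acceptable.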
For more information


Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Manage mail flow rules
Mail flow rule actions in Exchange Server
Organization-wide message disclaimers, signatures, footers, or headers in Office 365
Office 365 Message Encryption
Best practices for configuring mail flow rules in Exchange Online
5/31/2019

Follow these best practice recommendations for mail flow rules (also known as transport rules) in order to avoid
common configuration errors. Each recommendation links to a topic with an example and step-by-step
instructions.

Test your rules


To make sure unexpected things don't happen to people's email, and to make sure you're really meeting the
business, legal, or compliance intentions of your rule, be sure to test it thoroughly. There are many options, and
rules can interact with each other, so it's important to test messages that you expect both will match the rule and
won't match the rule in case you inadvertently made a rule too general. To learn all the options for testing rules, see
Test a mail flow rule.

Scope your rule


Make sure your rule applies only to the messages you intend it to. For example:
Restrict a rule to messages either coming into or going out of the organization
By default, a new rule applies to messages that are either sent or received by people in your organization.
So if you want the rule to apply only one way, be sure to specify that in the conditions for the rule. For an
example, see Common attachment blocking scenarios for mail flow rules.
Restrict a rule based on the sender's or receiver's domain
By default, a new rule applies to messages sent from or received at any domain. Sometimes you want a rule
to apply to all domains except for one, or to just one domain. For examples, see Create organization-wide
safe sender or blocked sender lists in Office 365.
For a complete list of all the conditions and exceptions that are available for mail flow rules, see Mail flow rule
conditions and exceptions (predicates) in Exchange Online.

Know when you need two rules


Sometimes it takes two rules to do what you want. Mail flow rules are processed in order, so multiple rules can
apply to the same message. For example, if one of the actions is to block the message, and you also have another
action you'd like to apply, such as copying the message to the sender's manager or changing the subject for the
notification message, you would need two rules. The first rule could copy the message to the sender's manager and
change the subject, and the second rule could block the message.
If you use two rules like this, be sure that the conditions are identical. To see examples, look at example 3 in
Common message approval scenarios in Exchange Online, example 3 in Common attachment blocking scenarios
for mail flow rules in Exchange Online, and Organization-wide message disclaimers, signatures, footers, or headers
in Exchange Online.

Don't repeat an action on every email in a conversation


The chain of email in a conversation can include many individual messages, and repeating the action on each
message in the thread might get annoying. For example, if you have an action such as adding a disclaimer, you
might want it to apply only to the first message in the thread. If so, add an exception for messages that already
include the disclaimer text. For an example, see Organization-wide message disclaimers, signatures, footers, or
headers in Exchange Online.

Know when to stop rule processing


Sometimes it makes sense to stop rule processing once a rule is matched. For example, if you have one rule to
block messages with attachments and one to insert a disclaimer in messages that match a pattern, you probably
should stop rule processing once the message is blocked. There's no need for further action.
To stop rule processing after a rule is triggered, in the rule, select the Stop processing more rules check box.

If you have lots of keywords or patterns to match, load them from a file
For example, you might want to prevent emails from being sent if they contain a list of unacceptable or bad words.
You can create a text file containing these words and phrases, and then use PowerShell to set up a mail flow rule
that blocks messages that use them.
The text file can contain regular expressions for patterns. These expressions are not case-sensitive. Common
regular expressions include:

EXPRESSION MATCHES

. Any single character

* Zero or more occurrences of the preceding element; for example, .* matches any run of characters, including none

\d Any decimal digit

[character_group] Any single character in character_group

For an example that shows a text file with regular expressions and the Exchange module Windows PowerShell
commands to use, see Use mail flow rules to route email based on a list of words, phrases, or patterns in Exchange
Online.
To learn how to specify patterns using regular expressions, see Regular Expression Reference.
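The following is an added example, not the page's own procedure, of loading a pattern list from a text file into a rule, with the check a practitioner would want before the patterns go live. It assumes an Exchange Online PowerShell session with the Transport Rules role; the file name, rule name and the sample patterns written to the file are constructed here for illustration.

```powershell
# Added example; not part of the original page. Assumes an Exchange Online PowerShell
# session. The pattern file and its contents are constructed for this illustration.

$patternFile = '.\blocked-patterns.txt'
@'
# one regular expression per line; lines starting with # are ignored
\bconfidential\b
project\s+falcon
PO-\d{6}
'@ | Set-Content -Path $patternFile

# Read the file, dropping blank lines and comments. Each line becomes one element of the
# array that the rule's Patterns property expects.
$patterns = Get-Content -Path $patternFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') }

# Fail fast on a malformed expression: a syntax error should surface here, not when the
# rule is evaluated against live mail. Compiling with .NET catches syntax errors; it does
# not guarantee that Exchange supports every construct, so still test the rule on mail.
foreach ($p in $patterns) {
    try { [void][regex]::new($p) }
    catch { throw "Invalid regular expression in ${patternFile}: '$p' ($($_.Exception.Message))" }
}

$rule = @{
    Name                         = 'Block messages matching pattern list'
    Mode                         = 'Audit'            # review matches before enforcing
    FromScope                    = 'InOrganization'
    SentToScope                  = 'NotInOrganization'
    SubjectOrBodyMatchesPatterns = $patterns
    RejectMessageReasonText      = 'This message contains content that cannot be sent outside the organization.'
    StopRuleProcessing           = $true
    Priority                     = 0                  # evaluated before every other rule
}
New-TransportRule @rule

# Verify what was stored: the patterns are kept as an array on the rule object, and the
# priority shows where the rule sits relative to the others.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, Priority, Mode, State, SubjectOrBodyMatchesPatterns
```

Because the patterns are not case-sensitive, the \bconfidential\b entry above also matches "CONFIDENTIAL"; the surrounding word boundaries keep it from matching "unconfidential". Re-running the script after editing the file replaces the list with Set-TransportRule rather than New-TransportRule, since the rule name already exists.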
Use mail flow rules to inspect message attachments in Exchange Online
5/31/2019

You can inspect email attachments in your Exchange Online organization by setting up mail flow rules (also
known as transport rules). Exchange Online offers mail flow rules that provide the ability to examine email
attachments as a part of your messaging security and compliance needs. When you inspect attachments, you can
then take action on the messages that were inspected based on the content or characteristics of those
attachments. Here are some attachment-related tasks you can do by using mail flow rules:
- Search for files with text that matches a pattern you specify, and add a disclaimer to the end of the message.
- Inspect content within attachments and, if there are any keywords you specify, redirect the message to a moderator for approval before it's delivered.
- Check for messages with attachments that can't be inspected and then block the entire message from being sent.
- Check for attachments that exceed a certain size and then notify the sender of the issue if you choose to prevent the message from being delivered.
- Check whether the properties of an attached Office document match the values that you specify. With this condition, you can integrate the requirements of your mail flow rules and DLP policies with a third-party classification system, such as SharePoint or the Windows Server File Classification Infrastructure (FCI).
- Create notifications that alert users if they send a message that has matched a mail flow rule.
- Block all messages containing attachments. For examples, see Common attachment blocking scenarios for mail flow rules in Exchange Online.

NOTE
All of these conditions will scan compressed archive attachments.

Exchange Online admins can create mail flow rules in the Exchange admin center (EAC) at Mail flow > Rules.
You need to be assigned permissions before you can perform this procedure. After you start to create a new rule,
you can see the full list of attachment-related conditions by clicking More options > Any attachment under
Apply this rule if. The attachment-related options are shown in the following diagram.
For more information about mail flow rules, including the full range of conditions and actions that you can
choose, see Mail flow rules (transport rules) in Exchange Online. Exchange Online Protection (EOP) and hybrid
customers can benefit from the mail flow rules best practices provided in Best Practices for Configuring EOP. If
you're ready to start creating rules, see Manage mail flow rules in Exchange Online.

Inspect the content within attachments


You can use the mail flow rule conditions in the following table to examine the content of attachments to
messages. For these conditions, only the first one megabyte (MB) of text extracted from an attachment is
inspected. Note that the 1 MB limit refers to the extracted text, not the file size of the attachment. For example, a 2
MB file may contain less than 1 MB of text, so all of the text would be inspected.
In order to start using these conditions when inspecting messages, you need to add them to a mail flow rule.
Learn about creating or changing rules at Manage mail flow rules in Exchange Online.

CONDITION NAME IN THE EAC | CONDITION NAME IN EXCHANGE ONLINE POWERSHELL | DESCRIPTION
Any attachment's content includes any of these words (under More options: Any attachment > content includes any of these words) | AttachmentContainsWords | This condition matches messages with supported file type attachments that contain a specified string or group of characters.
Any attachment's content matches these text patterns (under More options: Any attachment > content matches these text patterns) | AttachmentMatchesPatterns | This condition matches messages with supported file type attachments that contain a text pattern that matches a specified regular expression.
Any attachment's content can't be inspected (under More options: Any attachment > content can't be inspected) | AttachmentIsUnsupported | Mail flow rules can only inspect the content of supported file types. If the mail flow rule encounters an attachment that isn't supported, the AttachmentIsUnsupported condition is triggered. The supported file types are described in the next section.

Notes:
- The condition names in Exchange Online PowerShell are parameter names on the New-TransportRule and Set-TransportRule cmdlets. For more information, see New-TransportRule.
- Learn more about property types for these conditions at Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule conditions and exceptions (predicates) in Exchange Online Protection.
- To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.
Supported file types for mail flow rule content inspection
The following table lists the file types supported by mail flow rules. The system automatically detects file types by
inspecting file properties rather than the actual file name extension, thus helping to prevent malicious hackers
from being able to bypass mail flow rule filtering by renaming a file extension. A list of file types with executable
code that can be checked within the context of mail flow rules is listed later in this topic.

CATEGORY | FILE EXTENSION | NOTES
Office 2007 and later | .docm, .docx, .pptm, .pptx, .pub, .one, .xlsb, .xlsm, .xlsx | Microsoft OneNote and Microsoft Publisher files aren't supported by default. The contents of any embedded parts contained within these file types are also inspected. However, any objects that aren't embedded (for example, linked documents) aren't inspected.
Office 2003 | .doc, .ppt, .xls | None
Additional Office files | .rtf, .vdw, .vsd, .vss, .vst | None
Adobe PDF | .pdf | None
HTML | .html | None
XML | .xml, .odp, .ods, .odt | None
Text | .txt, .asm, .bat, .c, .cmd, .cpp, .cxx, .def, .dic, .h, .hpp, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .js, .log, .m3u, .pl, .rc, .reg, .txt, .vbs, .wtx | None
OpenDocument | .odp, .ods, .odt | No parts of .odf files are processed. For example, if the .odf file contains an embedded document, the contents of that embedded document aren't inspected.
AutoCAD Drawing | .dxf | AutoCAD 2013 files aren't supported.
Image | .jpg, .tiff | Only the metadata text associated with these image files is inspected. There is no optical character recognition.
Compressed archive files | .bz2, .cab, .gz, .rar, .tar, .zip, .7z | The content of these files, which were originally in a supported file type format, is inspected and processed in a manner similar to messages that have multiple attachments. The properties of the compressed archive file itself are not inspected. For example, if the container file type supports comments, that field isn't inspected.

Inspect the file properties of attachments


The following conditions can be used in mail flow rules to inspect different properties of files that are attached to
messages. In order to start using these conditions when inspecting messages, you need to add them to a mail
flow rule. For more information about creating or changing rules, see Manage mail flow rules.

CONDITION NAME IN THE EAC | CONDITION NAME IN EXCHANGE ONLINE POWERSHELL | DESCRIPTION
Any attachment's file name matches (under More options: Any attachment > file name matches these text patterns) | AttachmentNameMatchesPatterns | This condition matches messages with attachments whose file name contains the characters you specify.
Any attachment's file extension matches (under More options: Any attachment > file extension includes these words) | AttachmentExtensionMatchesWords | This condition matches messages with attachments whose file name extension matches what you specify.
Any attachment is greater than or equal to (under More options: Any attachment > size is greater than or equal to) | AttachmentSizeOver | This condition matches messages with attachments when those attachments are greater than or equal to the size you specify.
The message didn't complete scanning (under More options: Any attachment > didn't complete scanning) | AttachmentProcessingLimitExceeded | This condition matches messages when an attachment is not inspected by the mail flow rules agent.
Any attachment has executable content (under More options: Any attachment > has executable content) | AttachmentHasExecutableContent | This condition matches messages that contain executable files as attachments. The supported file types are listed here.
Any attachment is password protected (under More options: Any attachment > is password protected) | AttachmentIsPasswordProtected | This condition matches messages with attachments that are protected by a password. Password detection only works for Office documents and .zip files.
Any attachment has these properties, including any of these words (under More options: Any attachment > has these properties, including any of these words) | AttachmentPropertyContainsWords | This condition matches messages where the specified property of the attached Office document contains specified words. A property and its possible values are separated with a colon. Multiple values are separated with a comma. Multiple property/value pairs are also separated with a comma.

Notes:
- The condition names in Exchange Online PowerShell are parameter names on the New-TransportRule and Set-TransportRule cmdlets. For more information, see New-TransportRule.
- Learn more about property types for these conditions at Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule conditions and exceptions (predicates) in Exchange Online Protection.
- To learn how to connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
Supported executable file types for mail flow rule inspection
The mail flow rules use true type detection to inspect file properties rather than merely the file extensions. This
helps to prevent malicious hackers from being able to bypass your rule by renaming a file extension. The
following table lists the executable file types supported by these conditions. If a file is found that is not listed here,
the AttachmentIsUnsupported condition is triggered.

TYPE OF FILE | NATIVE EXTENSION
32-bit Windows executable file with a dynamic link library extension. | .dll
Self-extracting executable program file. | .exe
Uninstallation executable file. | .exe
Program shortcut file. | .exe
32-bit Windows executable file. | .exe
Microsoft Visio XML drawing file. | .vxd
OS/2 operating system file. | .os2
16-bit Windows executable file. | .w16
Disk-operating system file. | .dos
European Institute for Computer Antivirus Research standard antivirus test file. | .com
Windows program information file. | .pif
Windows executable program file. | .exe

IMPORTANT
.rar (self-extracting archive files created with the WinRAR archiver), .jar (Java archive files), and .obj (compiled source code,
3D object, or sequence files) files are not considered to be executable file types. To block these files, you can use mail flow
rules that look for files with these extensions as described earlier in this topic, or you can configure an antimalware policy
that blocks these file types (the common attachment types filter). For more information, see Configure Anti-Malware
Policies.
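The attachment checks from the two tables above, written out as an added Exchange Online PowerShell example (not code from the article). Conditions placed on one rule are combined with AND, so putting AttachmentHasExecutableContent and AttachmentIsPasswordProtected on the same rule would only match attachments that are both; each check therefore gets its own rule, and the .rar/.jar/.obj case from the IMPORTANT note is handled by extension. The rules are created in Audit mode so matches appear in message trace and reports without affecting delivery; the rule names, reject text and comment are constructed for this example.

```powershell
# Added example: one rule per attachment check, created in Audit mode first.
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline) and the
# "Mail flow" permissions described in Feature permissions in Exchange Online.

# Settings shared by every rule in this example.
$common = @{
    RejectMessageEnhancedStatusCode = '5.7.1'   # permanent failure reported to the sender
    StopRuleProcessing              = $true     # nothing else needs to run once the message is rejected
    Mode                            = 'Audit'   # log matches only; change to 'Enforce' after reviewing the trace
    SetAuditSeverity                = 'High'    # makes the matches easy to filter in the rule reports
    Comments                        = 'Attachment inspection rules (example). Created ' + (Get-Date -Format 'yyyy-MM-dd')
}

# Each entry becomes a separate rule. The condition keys are the PowerShell parameter
# names listed in the tables above; names and reasons are constructed values.
$checks = @(
    @{ Name      = 'Block executable attachments'
       Condition = @{ AttachmentHasExecutableContent = $true }
       Reason    = 'Executable attachments are not accepted by this organization.' }
    @{ Name      = 'Block attachments that cannot be inspected'
       Condition = @{ AttachmentIsUnsupported = $true }
       Reason    = 'An attachment in this message could not be inspected and was rejected.' }
    @{ Name      = 'Block password-protected attachments'
       Condition = @{ AttachmentIsPasswordProtected = $true }
       Reason    = 'Password-protected attachments cannot be scanned and are not accepted.' }
    # .rar, .jar and .obj are not treated as executable by true type detection (see the
    # IMPORTANT note above), so they are matched by extension (given without the leading dot).
    @{ Name      = 'Block archive and object file extensions'
       Condition = @{ AttachmentExtensionMatchesWords = 'rar', 'jar', 'obj' }
       Reason    = 'Attachments with .rar, .jar or .obj extensions are not accepted.' }
)

foreach ($check in $checks) {
    if (Get-TransportRule -Identity $check.Name -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$($check.Name)' already exists; skipping."
        continue
    }
    $condition = $check.Condition          # splatting needs a plain variable name
    New-TransportRule -Name $check.Name -RejectMessageReasonText $check.Reason @condition @common
}
```

Because rules are processed in priority order and each of these stops further processing, place them after any rule that must still run (for example, a journaling or notification rule) by adjusting Priority.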

Data loss prevention policies and attachment mail flow rules


To help you manage important business information in email, you can include any of the attachment-related
conditions along with the rules of a data loss prevention (DLP) policy.
DLP policies and attachment-related conditions can help you enforce your business needs by defining those
needs as mail flow rule conditions, exceptions, and actions. When you include the sensitive information inspection
in a DLP policy, any attachments to messages are scanned for that information only. However, attachment-related
conditions such as size or file type are not included until you add the conditions listed in this topic. DLP is not
available with all versions of Exchange; learn more at Data loss prevention.

For more information


For information on broadly blocking email with attachments, regardless of malware status, see Reducing Malware
Threats Through File Attachment Blocking in Exchange Online Protection.
Enable message encryption and decryption in Office 365
5/31/2019 • 2 minutes to read

Office 365 Message Encryption lets email users send encrypted messages to people inside or outside their
organization. For information about Office 365 Message Encryption, see Set up new Office 365 Message
Encryption capabilities. To learn how to create mail flow rules (also known as transport rules) for encryption, see
Define rules to encrypt or decrypt email messages.

See also
Encryption in Office 365
Common attachment blocking scenarios for mail flow rules in Exchange Online
5/31/2019 • 4 minutes to read

Your organization might require that certain types of messages be blocked or rejected in order to meet legal or
compliance requirements, or to implement specific business needs. This article discusses examples of common
scenarios for blocking all attachments which you can set up using mail flow rules (also known as transport rules) in
Exchange Online.
For additional examples showing how to block specific attachments, see:
Using mail flow rules to inspect message attachments (Exchange Server)
Use mail flow rules to inspect message attachments in Office 365 (Exchange Online, Exchange Online
Protection)
The malware filter includes a Common Attachment Types Filter. In the Exchange admin center (EAC), go to
Protection, then click New to add filters. In the Exchange Online portal, browse to Protection, and then
select Malware Filter.
To get started implementing any of these scenarios to block certain message types:
1. Open the Exchange admin center (EAC). For more information, see Exchange admin center in Exchange
Online.
2. Go to Mail flow > Rules.
3. Click New and then select Create a new rule.
4. In the Name box, specify a name for the rule, and then click More options.
5. Select the conditions and actions you want.
Note: In the EAC, the smallest attachment size that you can enter is 1 kilobyte, which should detect most
attachments. However, if you want to detect every possible attachment of any size, you need to use PowerShell to
adjust the attachment size to 1 byte after you create the rule in the EAC. To learn how to connect to Exchange
Online PowerShell, see Connect to Exchange Online PowerShell. To learn how to connect to Exchange Online
Protection PowerShell, see Connect to Exchange Online Protection PowerShell.
Replace <Rule Name> with the name of the existing rule, and run the following command to set the attachment
size to 1 byte:

Set-TransportRule -Identity "<Rule Name>" -AttachmentSizeOver 1B

After you adjust the attachment size to 1 byte, the value that's displayed for the rule in the EAC is 0.00 KB.

Example 1: Block messages with attachments, and notify the sender


If you don't want people in your organization to send or receive attachments, you can set up a mail flow rule to
block all messages with attachments.
In this example, all messages sent to or from the organization with attachments are blocked.
If all you want to do is block the message, you might want to stop rule processing once this rule is matched. Scroll
down the rule dialog box, and select the Stop processing more rules check box.

Example 2: Notify intended recipients when an inbound message is blocked
If you want to reject a message but let the intended recipient know what happened, you can use the Notify the
recipient with a message action.
You can include placeholders in the notification message so that it includes information about the original
message. The placeholders must be enclosed in two percent signs (%%), and when the notification message is
sent, the placeholders are replaced with information from the original message. You can also use basic HTML
such as <br>, <b>, <i>, and <img> in the message.

TYPE OF INFORMATION | PLACEHOLDER
Sender of the message. | %%From%%
Recipients listed on the "To" line. | %%To%%
Recipients listed on the "Cc" line. | %%Cc%%
Subject of the original message. | %%Subject%%
Headers from the original message. This is similar to the list of headers in a delivery status notification (DSN) generated for the original message. | %%Headers%%
Date the original message was sent. | %%MessageDate%%

In this example, all messages that contain attachments and are sent to people inside your organization are
blocked, and the recipient is notified.
Example 3: Modify the subject line for notifications
When a notification is sent to the recipient, the subject line is the subject of the original message. If you want to
modify the subject so that it is clearer to the recipient, you must use two mail flow rules:
The first rule adds the word "undeliverable" to the beginning of the subject of any messages with
attachments.
The second rule blocks the message and sends a notification message to the sender using the new subject
of the original message.

IMPORTANT
The two rules must have identical conditions. Rules are processed in order, so the first rule adds the word "undeliverable",
and the second rule blocks the message and notifies the recipient.

Here's what the first rule would look like if you want to add "undeliverable" to the subject:

And the second rule does the blocking and notification (the same rule from Example 2):
Example 4: Apply a rule with a time limit
If you have a malware outbreak, you might want to apply a rule with a time limit so that you temporarily block
attachments. For example, the following rule has both a start and stop day and time:
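Examples 2 through 4 as one added Exchange Online PowerShell script (an illustration, not code from the article): two rules with identical conditions, the first prepending "undeliverable" to the subject, the second rejecting the message and notifying the intended recipient with the placeholders from the table above, both limited to a time window. The 1-byte size setting from the start of this topic makes the condition match every attachment; the rule names, the seven-day window, priorities and notification text are constructed for this example.

```powershell
# Added example: time-limited attachment block with a clearer notification subject.
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).

# Example 4: both rules are only processed inside this window (constructed dates).
$start = Get-Date                    # processing begins now
$end   = $start.AddDays(7)           # and stops automatically a week later

# Identical conditions on both rules (Example 3 depends on this):
# any attachment of any size, on messages sent to people in the organization.
$matchAllInboundAttachments = @{
    AttachmentSizeOver = '1B'                # 1 byte matches every attachment; the EAC minimum is 1 KB and shows this as 0.00 KB
    SentToScope        = 'InOrganization'
    ActivationDate     = $start
    ExpiryDate         = $end
}

# Rule 1 (Example 3): rewrite the subject first. Priority 0 puts it at the top of the
# rule list; the notification rule must run after it, so it gets priority 1.
New-TransportRule -Name 'Attachments - mark undeliverable' `
    -Priority 0 `
    -PrependSubject 'undeliverable: ' `
    @matchAllInboundAttachments

# Rule 2 (Example 2): reject the message and tell the intended recipient what happened.
# %%...%% placeholders are filled from the original message; basic HTML is allowed.
$notification = @'
<p>A message sent to you was blocked because it contained an attachment.</p>
<p><b>From:</b> %%From%%<br>
<b>Sent:</b> %%MessageDate%%<br>
<b>Subject:</b> %%Subject%%</p>
<p>Ask the sender to share the file through an approved location instead.</p>
'@

New-TransportRule -Name 'Attachments - reject and notify recipient' `
    -Priority 1 `
    -RejectMessageReasonText 'Messages with attachments are currently not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -GenerateNotification $notification `
    -StopRuleProcessing $true `
    @matchAllInboundAttachments

# Confirm the order and the activation window of the two rules.
Get-TransportRule |
    Where-Object { $_.Name -like 'Attachments - *' } |
    Sort-Object Priority |
    Format-Table Name, Priority, State, ActivationDate, ExpiryDate -AutoSize
```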

See also
Mail flow rules (transport rules) in Exchange Online
Mail flow rules (Exchange Server)
Mail flow rules (Exchange Online Protection)
Organization-wide message disclaimers, signatures, footers, or headers in Exchange Online
6/24/2019 • 4 minutes to read

You can add an HTML or plain text legal disclaimer, disclosure statement, signature, or other information to the
top or bottom of email messages that enter or leave your organization. To do this, you create a mail flow rule (also
known as a transport rule) that adds the required information to messages.
Notes:
- Users can apply signatures to their own outgoing messages in Outlook or Outlook on the web (formerly known as Outlook Web App). For more information, see Create and add an email signature in Outlook on the web.
- If you want the information to be added only to outgoing messages, you need to add a corresponding condition (for example, recipients located outside the organization). By default, mail flow rules are applied to incoming and outgoing messages.
- To avoid multiple disclaimers being added in an email conversation, add an exception that looks for unique text in your disclaimer. This ensures that the disclaimer is only added to the original message.
- Test the disclaimer. When you create the mail flow rule, you have the option to start using it immediately (Enforce), or to test it first and view the results in the messaging log. We recommend testing all mail flow rules prior to setting them to Enforce.
For examples and information about how to scope and format disclaimers, signatures, and other additions to
email messages, see Organization-wide disclaimers, signatures, footers, or headers in Exchange 2016.

What do you need to know before you begin?


- Estimated time to complete each procedure: 7 minutes.
- For information about how to access the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
- You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Mail flow" entry in the Feature permissions in Exchange Online topic.
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to add a disclaimer or other email header or footer


1. Open the EAC and go to Mail flow > Rules.
2. Click Add , and then click Apply disclaimers.
3. In the New rule window that appears, enter a unique name for the rule.
4. In the Apply this rule if box, select the conditions for displaying the disclaimer. For example, select The
recipient is located condition, and then select Outside the organization. If you want this rule to apply
to every message that enters or leaves your organization, select [Apply to all messages].
5. Next to the Do the following box, select Enter text to enter the text of your disclaimer. For information
about what can be added, see Formatting your disclaimer.
6. Click Select one, and select one of the Fallback options if the disclaimer can't be added.
7. Specify the audit severity level to assign the severity level that appears in the message log.
8. Select the mode for the rule. Select Enforce to turn on the disclaimer immediately, or select Test without
Policy Tips to put a message in the message tracking log instead of adding the disclaimer.
9. If you have additional conditions or exceptions that you want to add, select More options at the bottom of
the page, which will show additional settings. For example, to add the exception that prevents multiple
disclaimers being added in an email conversation, select Add exception and then select The subject or
body > Subject or body matches these text patterns, and then specify the words or phrases in your
disclaimer. Or, to put your disclaimer at the top of the email message instead of the bottom, in Do the
following, select Apply a disclaimer to the message > prepend a disclaimer.
10. When you're finished, click Save.
For more examples of how to scope your disclaimer, see Scoping your disclaimer.

Use Exchange Online PowerShell to add a disclaimer or other email header or footer
Use the New-TransportRule cmdlet to create the disclaimer rule. For detailed parameter information, see Mail
flow rule conditions and exceptions (predicates) in Exchange Online or Mail flow rule conditions and exceptions
(predicates) in Exchange Online Protection.
This example creates a new mail flow rule that adds a disclaimer with an image to the end of all email messages
that are sent outside the organization.

New-TransportRule -Name "External Disclaimer" -SentToScope NotInOrganization -ApplyHtmlDisclaimerText "<h3>Disclaimer Title</h3><p>This is the disclaimer text.</p><img alt='Contoso logo' src='http://www.contoso.com/images/logo.gif'>"

This example creates a new mail flow rule that adds an advertisement for one month to the beginning of all
outgoing messages.

New-TransportRule -Name "March Special" -Enabled $true -SentToScope NotInOrganization -ApplyHtmlDisclaimerLocation Prepend -ActivationDate '03/1/2017' -ExpiryDate '03/31/2017' -ApplyHtmlDisclaimerText "<table align=center width=200 border=1 bordercolor=blue bgcolor=green cellpadding=10 cellspacing=0><tr><td nowrap><a href=http://www.contoso.com/marchspecials.htm>Click to see March specials</a></td></tr></table>"

For more examples of how to scope your disclaimer, see Scoping your disclaimer.
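The safeguards listed in the notes at the top of this topic (outbound-only scope, an exception against stacked disclaimers in a conversation, a fallback action, and testing before Enforce) combined into a single rule, as an added Exchange Online PowerShell example that is not part of the article. The marker text, rule name and disclaimer wording are constructed.

```powershell
# Added example: external disclaimer with the safeguards from the notes above.
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).

# A short reference string unlikely to occur in normal mail (constructed value). It is
# printed in the disclaimer and doubles as the exception text, so a reply or forward that
# already carries the disclaimer does not get a second copy.
$marker = 'Ref: CONTOSO-DISCLAIMER-2019'

$disclaimerHtml = @"
<hr>
<p style="font-size:9pt;color:#555555">This message and any attachments are confidential and intended
solely for the addressee. If you received it in error, notify the sender and delete it.</p>
<p style="font-size:7pt;color:#999999">$marker</p>
"@

$rule = @{
    Name                               = 'External Disclaimer (scoped)'
    SentToScope                        = 'NotInOrganization'   # outbound only; by default rules apply to both directions
    ApplyHtmlDisclaimerText            = $disclaimerHtml
    ApplyHtmlDisclaimerLocation        = 'Append'              # bottom of the message; 'Prepend' for a header
    ApplyHtmlDisclaimerFallbackAction  = 'Wrap'                # if the body can't be modified, wrap it in a new message
    ExceptIfSubjectOrBodyContainsWords = $marker               # the exception from step 9 of the EAC procedure
    Mode                               = 'Audit'               # "Test without Policy Tips": message trace entry only
    SetAuditSeverity                   = 'Low'
    Comments                           = 'Disclaimer rule from the example script; set Mode to Enforce after testing.'
}
New-TransportRule @rule

# After the test messages described in "How do you know this worked?" look right:
# Set-TransportRule -Identity 'External Disclaimer (scoped)' -Mode Enforce
```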

How do you know this worked?


To verify that you've successfully created a disclaimer, and that the disclaimer works as expected, do the following
steps:
Send yourself both a plain text email and an HTML email that match the conditions and exceptions you
defined, and verify that the text appears as you intended.
If you added an exception to avoid adding the disclaimer to successive messages in a conversation, forward
your test messages to yourself to make sure that they don't get an extra copy of the disclaimer.
Send yourself some messages that should not get the disclaimer and verify that the disclaimer is not
included.

For more information


After you configure a disclaimer or email header or footer, see Manage mail flow rules for information about how
to view, modify, enable, disable, or remove a rule.
Mail flow rule procedures in Exchange Online
5/31/2019 • 2 minutes to read

You can begin using mail flow rules (also known as transport rules) in Exchange Online by using the following
procedures. To learn about concepts and objectives for mail flow rules, see Mail flow rules (transport rules) in
Exchange Online.
- Organization-wide message disclaimers, signatures, footers, or headers in Exchange Online: Information to help you set up a legal disclaimer, email disclaimer, consistent signature, email header, or email footer by using mail flow rules.
- Create organization-wide safe sender or blocked sender lists in Office 365: Information to help you create domain or user-based safe sender and blocked sender lists by using mail flow rules.
- Manage message approval: Information to help you create moderated distribution groups, and forward messages matching a wide variety of criteria to specific approvers.
- Use mail flow rules to route email based on a list of words, phrases, or patterns: Information to help you comply with your organization's email policies.
- Use mail flow rules so messages can bypass Clutter: Information to help you make sure messages are sent to an inbox instead of the Clutter folder.
- Topics related to preventing spam:
  - Use mail flow rules to set the spam confidence level (SCL) in messages
  - Use mail flow rules to inspect message attachments in Office 365
  - Common attachment blocking scenarios for mail flow rules
  - https://docs.microsoft.com/office365/SecurityCompliance/use-transport-rules-to-configure-bulk-email-filtering
  - Additional considerations when configuring IP Allow lists
- Manage mail flow rules: Information to help you create, view, modify, enable, disable, or remove a mail flow rule, and information about importing and exporting mail flow rule collections.
- Test a mail flow rule: Information on various ways to test a mail flow rule.
- Best practices for configuring mail flow rules: Information to help you avoid common configuration errors.
- Use mail protection reports in Office 365 to view data about malware, spam, and rule detections: Information on how to view summary and detail reports about mail flow rule matches.
Manage mail flow rules in Exchange Online
7/11/2019 • 14 minutes to read

You can use mail flow rules (also known as transport rules) in Exchange Online to look for specific conditions on
messages that pass through your organization and take action on them. This topic shows you how to create,
copy, adjust the order, enable or disable, delete, or import or export rules, and how to monitor rule usage.

TIP
To make sure your rules work the way you expect, be sure to thoroughly test each rule and interactions between rules.

Interested in scenarios where these procedures are used? See the following topics:
Common attachment blocking scenarios for mail flow rules
Use mail flow rules to route email based on a list of words, phrases, or patterns
Common message approval scenarios
Use mail flow rules so messages can bypass Clutter
Best practices for configuring mail flow rules
Use mail flow rules to inspect message attachments in Office 365
Define rules to encrypt or decrypt messages

What do you need to know before you begin?


- Estimated time to complete each procedure: 5 minutes.
- You need to be assigned permissions before you can perform these procedures. To see what permissions you need, see the "Mail flow" entry in Feature permissions in Exchange Online.
- When a rule is listed as version 14, this means that the rule is based on an Exchange Server 2010 mail flow rule format. All options are available for these rules.
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.

Create a mail flow rule


You can create a mail flow rule by setting up a Data Loss Prevention (DLP) policy, creating a new rule, or by
copying a rule. You can use the Exchange admin center (EAC) or Exchange Online PowerShell.
NOTE
After you create or modify a mail flow rule, it can take up to 30 minutes for the new or updated rule to be applied to email.

Use a DLP policy to create mail flow rules


Each DLP policy is a collection of mail flow rules. After you create the DLP policy, you can fine-tune the rules
using the procedures below.
1. Create a DLP policy. For instructions, see:
Exchange Server DLP Procedures
Exchange Online DLP procedures
2. Modify the mail flow rules created by the DLP policy. See View or modify a mail flow rule.
Use the EAC to create a mail flow rule
The EAC allows you to create mail flow rules by using a template, copying an existing rule, or from scratch.
1. Go to Mail flow > Rules.
2. Create the rule by using one of the following options:
To create a rule from a template, click Add and select a template.
To copy a rule, select the rule, and then select Copy.
To create a new rule from scratch, click Add and then select Create a new rule.
3. In the New rule dialog box, name the rule, and then select the conditions and actions for this rule:
a. In Apply this rule if..., select the condition you want from the list of available conditions.
Some conditions require you to specify values. For example, if you select The sender is...
condition, you must specify a sender address. If you're adding a word or phrase, note that
trailing spaces are not allowed.
If the condition you want isn't listed, or if you need to add exceptions, select More options.
Additional conditions and exceptions will be listed.
If you don't want to specify a condition, and want this rule to apply to every message in your
organization, select the [Apply to all messages] condition.
b. In Do the following..., select the action you want the rule to take on messages matching the
criteria from the list of available actions.
Some of the actions will require you to specify values. For example, if you select the
Forward the message for approval to... action, you will need to select a recipient in
your organization.
If the action you want isn't listed, select More options. Additional actions will be
listed.
c. Specify how rule match data for this rule is displayed in the Data Loss Prevention (DLP) reports
and the Mail protection reports.
Under Audit this rule with severity level, select a level to specify the severity level for this rule.
The Office 365 activity reports for mail flow rules group rule matches by severity level. Severity
level is just a filter to make the reports easier to use. The severity level has no impact on the
priority in which the rule is processed.
NOTE
If you clear the Audit this rule with severity level checkbox, rule matches will not show up in the rule
reports.

d. Set the mode for the rule. You can use one of the two test modes to test the rule without impacting
mail flow. In both test modes, when the conditions are met, an entry is added to the message trace.
Enforce: This turns on the rule and it starts processing messages immediately. All actions
on the rule will be performed.
Test with Policy Tips: This turns on the rule, and any Policy Tip actions (Notify the
sender with a Policy Tip) will be sent, but no actions related to message delivery will be
performed. Data Loss Prevention (DLP) is required in order to use this mode. To learn more,
see Policy Tips.
Test without Policy Tips: Only the Generate incident report action will be enforced. No
actions related to message delivery are performed.
4. If you are satisfied with the rule, go to step 5. If you want to add more conditions or actions, or if you want
to specify exceptions or set additional properties, click More options. After you click More options,
complete the following fields to create your rule:
a. To add more conditions, click Add condition. If you have more than one condition, you can
remove any one of them by clicking Remove X next to it. Note that there are a larger variety of
conditions available once you click More options.
b. To add more actions, click Add action. If you have more than one action, you can remove any one
of them by clicking Remove X next to it. Note that there are a larger variety of actions available
once you click More options.
c. To specify exceptions, click Add exception, then select exceptions using the Except if... dropdown.
You can remove any exceptions from the rule by clicking the Remove X next to it.
d. If you want this rule to take effect after a certain date, click Activate this rule on the following
date: and specify a date. Note that the rule will still be enabled prior to that date, but it won't be
processed.
Similarly, you can have the rule stop processing at a certain date. To do so, click Deactivate this
rule on the following date: and specify a date. Note that the rule will remain enabled, but it won't
be processed.
e. You can choose to avoid applying additional rules once this rule processes a message. To do so,
click Stop processing more rules. If you select this, and a message is processed by this rule, no
subsequent rules are processed for that message.
f. You can specify how the message should be handled if the rule processing can't be completed. By
default, the rule will be ignored and the message will be processed regularly, but you can choose to
resubmit the message for processing. To do so, check the Defer the message if rule processing
doesn't complete check box.
g. If your rule analyzes the sender address, it only examines the message headers by default.
However, you can configure your rule to also examine the SMTP message envelope. To specify
what's examined, click one of the following values for Match sender address in message:
Header: Only the message headers will be examined.
Envelope: Only the SMTP message envelope will be examined.
Header or envelope: Both the message headers and SMTP message envelope will be
examined.
h. You can add comments to this rule in the Comments box.
5. Click Save to complete creating the rule.
Use Exchange Online PowerShell to create a mail flow rule
This example uses the New-TransportRule cmdlet to create a new mail flow rule that prepends "External message
to Sales DG: " to messages sent from outside the organization to the Sales Department distribution group.

New-TransportRule -Name "Mark messages from the Internet to Sales DG" -FromScope NotInOrganization -SentTo "Sales Department" -PrependSubject "External message to Sales DG:"

The rule parameters and action used in the above procedure are for illustration only. Review all the available mail
flow rule conditions and actions to determine which ones meet your requirements.
How do you know this worked?
To verify that you have successfully created a new mail flow rule, do the following:
In the EAC, verify that the new mail flow rule you created is listed in the Rules list.
From Exchange Online PowerShell, verify that you created the new mail flow rule successfully by running
the following command (the example below verifies the rule created in Exchange Online PowerShell
example above):

Get-TransportRule "Mark messages from the Internet to Sales DG"

View or modify a mail flow rule


NOTE
After you create or modify a mail flow rule, it can take up to 30 minutes for the new or updated rule to be applied to email.

Use the EAC to view or modify a mail flow rule


1. In the EAC, go to Mail flow > Rules.
2. When you select a rule in the list, the conditions, actions, exceptions and select properties of that rule are
displayed in the details pane. To view all the properties of a specific rule, double click it. This opens the
rule editor window, where you can make changes to the rule. For more information about rule properties,
see Use the EAC to create a mail flow rule section, earlier in this topic.
Use Exchange Online PowerShell to view or modify a mail flow rule
The following example gives you a list of all rules configured in your organization:

Get-TransportRule

To view the properties of a specific mail flow rule, you provide the name of that rule or its GUID. It is usually
helpful to send the output to the Format-List cmdlet to format the properties. The following example returns all
the properties of the mail flow rule named Sender is a member of Marketing:
Get-TransportRule "Sender is a member of marketing" | Format-List

To modify the properties of an existing rule, use the Set-TransportRule cmdlet. This cmdlet allows you to change
any property, condition, action or exception associated with a rule. The following example adds an exception to
the rule "Sender is a member of marketing" so that it won't apply to messages sent by the user Kelly Rollin:

Set-TransportRule "Sender is a member of marketing" -ExceptIfFrom "Kelly Rollin"

How do you know this worked?


To verify that you have successfully modified a mail flow rule, do the following:
From the rules list in the EAC, click the rule you modified in the Rules list and view the details pane.
From Exchange Online PowerShell, verify that you modified the mail flow rule successfully by running the
following command to list the properties you modified along with the name of the rule (the example
below verifies the rule modified in Exchange Online PowerShell example above):

Get-TransportRule "Sender is a member of marketing" | Format-List Name,ExceptIfFrom

Mail flow rule properties


You can also use the Set-TransportRule cmdlet to modify existing mail flow rules in your organization. Below is a
list of properties not available in the EAC that you can change. For more information on using the
Set-TransportRule cmdlet to make these changes, see Set-TransportRule.

CONDITION NAME IN THE EAC | CONDITION NAME IN EXCHANGE ONLINE POWERSHELL | DESCRIPTION
:----- | :----- | :-----
Stop Processing Rules | StopRuleProcessing | Enables you to stop processing additional rules
Header/Envelope matching | SenderAddressLocation | Enables you to examine the SMTP message envelope to ensure the header and envelope match
Audit severity | SetAuditSeverity | Enables you to select a severity level for the audit
Rule modes | Mode | Enables you to set the mode for the rule
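As an added example (not from the original article), here is how the Match sender address in message setting described earlier and the PowerShell-only properties in the table above are set on a new rule and then read back. The rule name, the partner domain and the subject tag are constructed values; a connected Exchange Online PowerShell session is assumed.

```powershell
# Added example, not part of the article. The rule name, the partner domain
# "contoso-partner.example" and the subject tag are constructed values.
$ruleName = "Tag mail from external partner domain"

# HeaderOrEnvelope evaluates the sender condition against both the header From
# address and the SMTP envelope MAIL FROM, so a message whose two sender
# addresses differ still matches whichever one carries the partner domain.
# SetAuditSeverity puts matches in the rules report at the chosen severity;
# StopRuleProcessing prevents any lower-priority rule from acting on the message.
New-TransportRule -Name $ruleName `
    -FromAddressMatchesPatterns "@contoso-partner\.example$" `
    -FromScope NotInOrganization `
    -SenderAddressLocation HeaderOrEnvelope `
    -SetAuditSeverity High `
    -StopRuleProcessing $true `
    -PrependSubject "[External partner] " `
    -Comments "Sender checked in header and envelope; audited for the rules report."

# Read back the properties that the EAC rule editor does not display.
Get-TransportRule $ruleName |
    Format-List Name, State, Mode, Priority, SenderAddressLocation, SetAuditSeverity, StopRuleProcessing
```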

Set the priority of a mail flow rule


The rule at the top of the list is processed first. This rule has a Priority of 0.
Use the EAC to set the priority of a rule
1. In the EAC, go to Mail flow > Rules. This displays the rules in the order in which they are processed.
2. Select a rule, and use the arrows to move the rule up or down the list.
Use Exchange Online PowerShell to set the priority of a rule
The following example sets the priority of "Sender is a member of Marketing" to 2:
Set-TransportRule "Sender is a member of Marketing" -Priority "2"

How do you know this worked?


To verify that you have successfully modified a mail flow rule, do the following:
From the rules list in the EAC, look at the order of the rules.
From Exchange Online PowerShell, verify the priority of the rules (the example below verifies the rule
modified in Exchange Online PowerShell example above):

Get-TransportRule * | Format-List Name,Priority

Enable or disable a mail flow rule


Rules are enabled when you create them. You can disable a mail flow rule.
Use the EAC to enable or disable a mail flow rule
1. In the EAC, go to Mail flow > Rules.
2. To disable a rule, clear the check box next to its name.
3. To enable a disabled rule, select the check box next to its name.
Use Exchange Online PowerShell to enable or disable a mail flow rule
The following example disables the mail flow rule "Sender is a member of marketing":

Disable-TransportRule "Sender is a member of marketing"

The following example enables the mail flow rule "Sender is a member of marketing":

Enable-TransportRule "Sender is a member of marketing"

How do you know this worked?


To verify that you have successfully enabled or disabled a mail flow rule, do the following:
In the EAC, view the list of rules in the Rules list and check the status of the check box in the ON column.
From Exchange Online PowerShell, run the following command which will return a list of all rules in your
organization along with their status:

Get-TransportRule | Format-Table Name,State

Remove a mail flow rule


Use the EAC to remove a mail flow rule
1. In the EAC, go to Mail flow > Rules.
2. Select the rule you want to remove and then click Delete .
Use Exchange Online PowerShell to remove a mail flow rule
The following example removes the mail flow rule "Sender is a member of marketing":
Remove-TransportRule "Sender is a member of marketing"

How do you know this worked?


To verify that you have successfully removed the mail flow rule, do the following:
In the EAC, view the rules in the Rules list and verify that the rule you removed is no longer shown.
From Exchange Online PowerShell, run the following command and verify that the rule you remove is no
longer listed:

Get-TransportRule

Monitor rule usage


If you're using Exchange Online or Exchange Online Protection, you can check the number of times each rule is
matched by using a rules report. In order to be included in the reports, a rule must have the Audit this rule
with severity level check box selected. You can look at a report online, or download an Excel version of all the
mail protection reports.

NOTE
While most data is in the report within 24 hours, some data may take as long as 5 days to appear.

Use the Microsoft 365 admin center to generate a rules report


1. In the Microsoft 365 admin center, select Reports.
2. In the Rules section, select Top rule matches for mail or Rule matches for mail.
To learn more, see View mail protection reports.
Download an Excel version of the reports
1. On the Reports page in the Microsoft 365 admin center, select Mail protection reports (Excel).
2. If it is your first time using the Excel mail protection reports, a tab opens to the download page.
a. Select Download to download the Microsoft Office 365 Excel Plugin for Exchange Online
Reporting.
b. Open the download.
c. In the Mail Protection reports for Office 365 Setup dialog box, select Next, accept the terms of
the license agreement, and then select Next.
d. Select the service you are using, and then select Next.
e. Verify the prerequisites, and then select Next.
f. Select Install. A shortcut to the reports is placed on your desktop.
3. On your desktop, select Office 365 Mail Protection Reports.
4. In the report, select the Rules tab.

Import or export a mail flow rule collection


You must use Exchange Online PowerShell to import or export a mail flow rule collection. For information about
how to import a mail flow rule collection from an XML file, see Import-TransportRuleCollection.
For information about how to export a mail flow rule collection to an XML file, see
Export-TransportRuleCollection.

Need more help?


Resources for Exchange Online:
Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Mail flow rule actions in Exchange Online
Journal, Transport, and Inbox rule limits
Resources for Exchange Online Protection:
Mail flow rules (transport rules) in Exchange Online Protection
Journal, Transport, and Inbox rule limits
Resources for Exchange Server:
Mail flow rules in Exchange Server
Mail flow rule conditions and exceptions (predicates) in Exchange Server
Mail flow rule actions in Exchange Server
Test a mail flow rule in Exchange Online
5/31/2019 • 5 minutes to read

Each time you create a mail flow rule (also known as a transport rule) you should test it before turning it on. This
way, if you accidentally create a condition that doesn't do exactly what you want or interacts with other rules in
unexpected ways, you won't have any unintended consequences.

IMPORTANT
Wait 30 minutes after creating a rule before you test it. If you test immediately after you create the rule, you may get
inconsistent behavior. If you're using Exchange Server and have multiple Exchange servers, it may take even longer for all
the servers to receive the rule.

Step 1: Create a rule in test mode


You can evaluate the conditions for a rule without taking any actions that impact mail flow by choosing a test
mode. You can set up a rule so that you get an email notification any time the rule is matched, or you can look at
the message trace for messages that might match the rule. There are two test modes:
Test without Policy Tips: Use this mode together with an incident report action, and you can receive an
email message each time an email matches the rule.
Test with Policy Tips: This mode is only available if you're using Data loss prevention (DLP), which is
available with some Exchange Online and Exchange Online Protection (EOP) subscription plans. With this
mode, a message is sent to the sender when a message they are sending matches a policy, but no mail flow
actions are taken.
Here's what you'll see when a rule is matched if you include the incident report action:

Use a test mode with an incident report action


1. In the Exchange admin center (EAC), go to Mail flow > Rules.
2. Create a new rule, or select an existing rule, and then select Edit.
3. Scroll down to the Choose a mode for this rule section, and then select Test without Policy Tips or
Test with Policy Tips.
4. Add an incident report action:
a. Select Add action, or, if this isn't visible, select More options, and then select Add action.
b. Select Generate incident report and send it to.
c. Click Select one... and select yourself or someone else.
d. Select Include message properties, and then select any message properties that you want
included in the email you receive. If you don't select any, you will still get an email when the rule is
matched.
5. Select Save.

Step 2: Evaluate whether your rule does what you intend


To test a rule, you can either send enough test messages to confirm that what you expect happens, or look at the
message trace for messages that people in your organization send. Be sure to evaluate the following types of
messages:
Messages that you expect to match the rule
Messages that you don't expect to match the rule
Messages sent to and from people in your organization
Messages sent to and from people outside your organization
Replies to messages that match the rule
Messages that might cause interactions between multiple rules
Tips for sending test messages
One way to test is to sign in as both the sender and recipient of a test message.
If you don't have access to multiple accounts in your organization, you can test in an Office 365 trial
account or create a few temporary fake users in your organization.
Because a web browser typically doesn't let you have simultaneous open sessions on the same computer
signed in to multiple accounts, you can use Internet Explorer InPrivate Browsing, or a different computer,
device, or web browser for each user.
Look at the message trace
The message trace includes an entry for each rule that is matched for the message, and an entry for each action
the rule takes. This is useful for tracking what happens to test messages, and also for tracking what happens to
real messages going through your organization.

1. In the EAC, go to Mail flow > Message trace.


2. Find the messages that you want to trace by using criteria such as the sender and the date sent. For help
specifying criteria, see Run a Message Trace and View Results.
3. After locating the message you want to trace, double-click it to view details about the message.
4. Look in the Event column for Transport rule. The Action column shows the specific action taken.

Step 3: When you're done testing, set the rule to enforce


1. In the EAC, go to Mail flow > Rules.
2. Select a rule, and then select Edit.
3. Select Enforce.
4. If you used an action to generate an incident report, select the action and then select Remove.
5. Select Save.
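The same three steps carried out in Exchange Online PowerShell, as an added example that is not part of the original article: the rule is created in a test mode with an incident report, the message trace is checked for the Transport rule event, and the rule is then switched to Enforce with the report action cleared. The rule name, keyword, report recipient and test sender address are constructed values; a connected Exchange Online PowerShell session is assumed.

```powershell
# Added example, not part of the article. Rule name, keyword, addresses and
# the traced time window are constructed values.
$ruleName   = "Audit messages mentioning project codenames"
$reportTo   = "compliance@contoso.example"
$testSender = "tester@contoso.example"

# Step 1: create the rule in test mode with an incident report.
# -Mode Audit is "Test without Policy Tips" in the EAC; AuditAndNotify is
# "Test with Policy Tips". The reject action is recorded but not performed.
New-TransportRule -Name $ruleName `
    -SubjectOrBodyContainsWords "Project Falcon" `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "Internal codenames must not leave the organization." `
    -Mode Audit `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections, AttachOriginalMail

# Step 2: after sending the test messages, confirm in the message trace that the
# rule fired. Each trace entry is expanded to its events; the "Transport rule"
# event names the matching rule and the action that was (or would be) taken.
$end   = Get-Date
$start = $end.AddHours(-1)
Get-MessageTrace -StartDate $start -EndDate $end -SenderAddress $testSender |
    ForEach-Object {
        Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId -RecipientAddress $_.RecipientAddress
    } |
    Where-Object { $_.Event -eq "Transport rule" } |
    Select-Object Date, Event, Action, Detail

# Step 3: once the matches look right, enforce the rule and drop the incident
# report action so the compliance mailbox stops receiving copies.
Set-TransportRule $ruleName -Mode Enforce -GenerateIncidentReport $null -IncidentReportContent $null
```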

TIP
To avoid surprises, inform your users about new rules.

Troubleshooting suggestions
Here are some common problems and resolutions:
Everything looks right, but the rule isn't working.
Occasionally it takes longer than 15 minutes for a new mail flow rule to be available. Wait a few hours, and then
test again. Also check to see if another rule might be interfering. Try changing this rule to priority 0 by
moving it to the top of the list.
Disclaimer is added to original message and all replies, instead of just the original message.
To avoid this, you can add an exception to your disclaimer rule to look for a unique phrase in the disclaimer.
My rule has two conditions, and I want the action to happen when either of the conditions is
met, but it only is matched when both conditions are met.
You need to create two rules, one for each condition. You can easily copy the rule by selecting Copy and
then remove one condition from the original and the other condition from the copy.
I'm working with distribution groups, and The sender is (SentTo) doesn't seem to be working.
SentTo matches messages where one of the recipients is a mailbox, mail-enabled user, or contact, but you
can't specify a distribution group with this condition. Instead, use To box contains a member of this
group (SentToMemberOf).

Other testing options


If you're using Exchange Online or Exchange Online Protection, you can check the number of times each rule is
matched by using a rules report. In order to be included in the reports, a rule must have the Audit this rule with
severity level check box selected. These reports help you spot trends in rule usage and identify rules that are not
matched.
To view a rules report, in the Microsoft 365 admin center, select Reports.

NOTE
While most data is in the report within 24 hours, some data may take as long as 5 days to appear.
To learn more, see View mail protection reports.

Need more help?


Manage mail flow rules
Mail flow rules (transport rules) in Exchange Online
Mail flow rules (transport rules) in Exchange Online Protection
Mail flow rules (transport rules) in Exchange Server
Use mail flow rules so messages can bypass Clutter in
Exchange Online
5/31/2019 • 2 minutes to read

If you want to be sure that you receive particular messages, you can create a mail flow rule (also known as a
transport rule) that makes sure that these messages bypass your Clutter folder. Check out Use Clutter to sort
low-priority messages in Outlook for more info on Clutter.
For additional management tasks related to mail flow rules, check out Mail flow rules (transport rules) in Exchange
Online and the New-TransportRule PowerShell topic. If you're new to Exchange Online PowerShell, check out
Connect to Exchange Online PowerShell.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mail flow" entry in the Feature permissions in Exchange Online topic.
For more information about opening and using the Exchange admin center (EAC), see Exchange admin
center in Exchange Online.
To learn how to connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

Use the Exchange admin center to create a mail flow rule to bypass the
clutter folder
This example allows all messages with title "Meeting" to bypass clutter.
1. In the Exchange admin center (EAC), go to Mail flow > Rules. Click New and then choose Create a
new rule....
2. After you're done creating the new rule, click Save to start the rule.

Use Exchange Online PowerShell to create a mail flow rule to bypass the clutter folder
This example allows all messages with title "Meeting" to bypass clutter.

New-TransportRule -Name "<Unique rule name>" -SubjectContainsWords "Meeting" -SetHeaderName "X-MS-Exchange-Organization-BypassClutter" -SetHeaderValue "true"

IMPORTANT
In this example, both X-MS-Exchange-Organization-BypassClutter and true are case sensitive.

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?


You can check email message headers to see if the email messages are landing in the Inbox due to the Clutter mail
flow rule bypass. Pick an email message from a mailbox in your organization that has the Clutter bypass mail flow
rule applied. Look at the headers stamped on the message, and you should see the
X-MS-Exchange-Organization-BypassClutter: true header. This means the bypass is working. Check out the View the
internet header information for an email message topic for info on how to find the header information.

NOTE
Calendar items (accepted, sent, or declined meetings notifications) won't contain this header.
Use mail flow rules to route email based on a list of
words, phrases, or patterns
5/28/2019 • 2 minutes to read

To help your users comply with your organization's email policies, you can use Exchange mail flow rules (also
known as transport rules) to determine how email containing specific words or patterns is routed. For a short list
of words or phrases, you can use the Exchange admin center (EAC). For a longer list, you might want to use
Exchange Online PowerShell to read the list from a text file.
If your organization uses Data Loss Prevention (DLP), see Data loss prevention for additional options for
identifying and routing email that contains sensitive information.

Example 1: Use a short list of unacceptable words


If your list of words or phrases is short, you can create a rule using the Exchange admin center. For example, if you
want to make sure no one sends email with bad words or with misspellings of your company name, internal
acronyms or product names, you could create a rule to block the message and tell the sender. Note that words,
phrases, and patterns are not case sensitive.
This example blocks messages with common typos.

Example 2: Use a long list of unacceptable words


If your list of words, phrases, or patterns is long, you can put them in a text file with each word, phrase, or pattern
on its own line. Use Exchange Online PowerShell to read in the list of keywords into a variable, create a mail flow
rule, and assign the variable with the keywords to the mail flow rule condition. For example, the following script
takes a list of misspellings from a file called C:\My Documents\misspelled_companyname.txt.

$Keywords = Get-Content "C:\My Documents\misspelled_companyname.txt"

New-TransportRule -Name "Block messages with unacceptable words" -SubjectOrBodyContainsWords $Keywords -SentToScope "NotInOrganization" -RejectMessageReasonText "Do not use internal acronyms, product names, or misspellings in external communications."
Using phrases and patterns in the text file
The text file can contain regular expressions for patterns. These expressions are not case-sensitive. Common
regular expressions include:

EXPRESSION | MATCHES
:----- | :-----
. | Any single character
* | Any additional characters
\d | Any decimal digit
[character_group] | Any single character in character_group.

For example, this text file contains common misspellings of Microsoft.

[mn]sft
[mn]icrosft
[mn]icro soft
[mn].crosoft

To learn how to specify patterns using regular expressions, see Regular Expression Reference.
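Added example, not from the article: before a long pattern file is wired into a rule, every line is tested locally against constructed subjects so that a malformed or over-broad regular expression is caught before it touches mail flow. It creates the rule with the SubjectOrBodyMatchesPatterns predicate, which evaluates regular expressions, rather than SubjectOrBodyContainsWords, which treats each line as a literal word or phrase; the file path and sample subjects are constructed, and a connected Exchange Online PowerShell session is assumed.

```powershell
# Added example, not part of the article. File path and sample subjects are
# constructed; the patterns are read from the same kind of file the article uses.
$patternFile = "C:\My Documents\misspelled_companyname.txt"
$patterns = Get-Content $patternFile | Where-Object { $_.Trim() -ne "" }

# Constructed subjects: the first four contain misspellings and should match,
# the last two are legitimate and should not.
$samples = @(
    "Msft quarterly numbers",
    "Re: micro soft partner call",
    "Invoice from Mycrosoft Ltd",
    "Details on Microsft licensing",
    "Microsoft roadmap",
    "Lunch on Friday?"
)

foreach ($p in $patterns) {
    try {
        # Mail flow rule patterns are case-insensitive; mirror that here.
        $re = [regex]::new($p, 'IgnoreCase')
    } catch {
        Write-Warning "Invalid pattern '$p': $($_.Exception.Message)"
        continue
    }
    $hits = @($samples | Where-Object { $re.IsMatch($_) })
    "{0,-20} matches {1} sample(s): {2}" -f $p, $hits.Count, ($hits -join "; ")
}

# A pattern that never matches a sample, or that also matches the legitimate
# spelling, needs fixing before it goes into the rule. MatchesPatterns is the
# predicate that evaluates these lines as regular expressions.
New-TransportRule -Name "Block misspelled company name externally" `
    -SubjectOrBodyMatchesPatterns $patterns `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "Do not use misspellings of the company name in external communications."
```

Run against the four sample patterns above, the check reports that [mn].crosoft also matches the correctly spelled "Microsoft roadmap", which is exactly the kind of over-match to resolve before the rule rejects mail.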
Use mail flow rules to automatically add meetings to
calendars in Exchange Online
6/25/2019 • 5 minutes to read

With the Direct to Calendar feature in Exchange Online, administrators can configure mail flow rules (also known
as transport rules) that allow designated users to add meetings to calendars. The benefits of Direct to Calendar are:
The event is automatically added to the recipient's calendar without any action from them. If the user
received the meeting invitation, it's on their calendar.
The sender doesn't need to deal with Out of Office or other unwanted response messages that result from
sending meeting invitations to a large number of recipients.
No meeting-related messages are seen by attendees unless the meeting is cancelled.
Direct to Calendar requires two mail flow rules with specific conditions and actions. These rules are described in
the following table:

RULE DESCRIPTION / CONDITION / ACTION / COMMENTS

Rule 1: This mail flow rule turns regular meeting invitations into Direct to Calendar meeting invitations.
Condition: The sender is or The sender > is this person (the From parameter). This condition identifies the
users who are authorized to send Direct to Calendar meeting invitations. Although you can use other conditions,
restricting the invitations by sender helps prevent unauthorized use of Direct to Calendar meeting invitations.
Action: Set the message header to this value or Modify the message properties > set a message header (the
SetHeaderName and SetHeaderValue parameters). This action sets the
X-MS-Exchange-Organization-CalendarBooking-Response header to the value Accept. Other valid values are
Tentative and Decline.
Comments: We recommend that you use dedicated mailboxes (shared mailboxes are OK) for sending Direct to
Calendar meeting invitations, because any meeting invitations from these senders will be automatically added to
recipient calendars. The dedicated mailboxes require no special permissions to send Direct to Calendar meeting
invitations.

Rule 2: This mail flow rule prevents Direct to Calendar meeting invitations from appearing in the Inbox of
recipients.
Condition: The sender is or The sender > is this person (the From parameter).
Action: Set the message header to this value or Modify the message properties > set a message header (the
SetHeaderName and SetHeaderValue parameters). This action sets the
X-MS-Exchange-Organization-CalendarBooking-TriageAction header to the value MoveToDeletedItems. The other
valid value is None.
Comments: Technically, this rule is optional (without it, meetings are still automatically added to recipient
calendars). Note that this rule doesn't prevent meeting cancellation messages for Direct to Calendar meetings
from appearing in the Inbox of recipients.

For more information about mail flow rules, see Mail flow rules (transport rules) in Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 10 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mail flow" entry in the Feature permissions in Exchange Online topic.
The designated accounts for sending Direct to Calendar meeting invitations need to exist.
For more information about opening and using the Exchange admin center (EAC), see Exchange admin
center in Exchange Online.
To learn how to connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the Exchange admin center to create Direct to Calendar mail flow
rules
1. In the EAC, go to Mail flow > Rules.
2. Click New, and then select Create a new rule.
3. In the New rule page that opens, click More options.
4. Configure these additional settings on the New rule page:
Name: Direct to Calendar response (or anything descriptive).
Apply this rule if > The sender > is this person: Select one or more users to send Direct to
Calendar meeting invitations.
Do the following > Modify the message properties > set a message header: Enter the
following values:
Set the message header X-MS-Exchange-Organization-CalendarBooking-Response to the value Accept
When you're finished, click Save.
5. Back at Mail flow > Rules, click New again, and then select Create a new rule.
6. In the New rule page that opens, click More options.
7. Configure these additional settings on the New rule page:
Name: Direct to Calendar triage action (or anything descriptive).
Apply this rule if > The sender > is this person: Select the same users as in step 3.
Do the following > Modify the message properties > set a message header: Enter the
following values:
Set the message header X-MS-Exchange-Organization-CalendarBooking-TriageAction to the value MoveToDeletedItems
When you're finished, click Save.

Use Exchange Online PowerShell to create Direct to Calendar mail flow rules
1. To create the mail flow rule that turns regular meeting invitations into Direct to Calendar meeting
invitations, use the following syntax:

New-TransportRule -Name "Direct to Calendar response" -From "<designated sender 1>","<designated sender 2>"... -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-Response" -SetHeaderValue Accept

This example configures the rule using the dedicated mailbox named Direct to Calendar invites.

New-TransportRule -Name "Direct to Calendar response" -From "Direct to Calendar invites" -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-Response" -SetHeaderValue Accept

2. To create the mail flow rule that prevents Direct to Calendar meeting invitations from appearing in the Inbox
of recipients, use the following syntax:

New-TransportRule -Name "Direct to Calendar triage action" -From "<designated sender 1>","<designated sender 2>"... -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-TriageAction" -SetHeaderValue MoveToDeletedItems

This example configures the rule using the dedicated mailbox named Direct to Calendar invites.

New-TransportRule -Name "Direct to Calendar triage action" -From "Direct to Calendar invites" -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-TriageAction" -SetHeaderValue MoveToDeletedItems

For detailed syntax and parameter information, see New-TransportRule.
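An added check, not part of the article: because the table above relies on the sender condition to keep Direct to Calendar from being misused, this hypothetical function lists every rule that sets either CalendarBooking header and flags any that has no sender restriction. The function name and the sample rule object are constructed; a connected Exchange Online PowerShell session is assumed when no rules are passed in.

```powershell
# Added example, not part of the article. Test-DirectToCalendarRules is a
# hypothetical helper, not an Exchange cmdlet.
function Test-DirectToCalendarRules {
    param(
        # Defaults to the live rule collection; pass rule objects for offline review.
        [object[]]$Rules = (Get-TransportRule -ResultSize Unlimited)
    )
    $calendarHeaders = @(
        "X-MS-Exchange-Organization-CalendarBooking-Response",
        "X-MS-Exchange-Organization-CalendarBooking-TriageAction"
    )
    foreach ($rule in $Rules) {
        if ($rule.SetHeaderName -notin $calendarHeaders) { continue }

        # Named senders (From) or group membership (FromMemberOf) limit who can
        # trigger the rule, which is what the table recommends.
        $senderLimited = ($rule.From -and $rule.From.Count -gt 0) -or
                         ($rule.FromMemberOf -and $rule.FromMemberOf.Count -gt 0)
        # Scoping to internal senders only still blocks the Internet but lets any
        # mailbox in the tenant auto-book meetings; report it separately.
        $internalOnly = $rule.FromScope -eq "InOrganization"

        if ($senderLimited)   { $finding = "OK: restricted to named senders" }
        elseif ($internalOnly) { $finding = "Review: any internal sender can trigger" }
        else                   { $finding = "Risk: no sender restriction" }

        [pscustomobject]@{
            Name           = $rule.Name
            State          = $rule.State
            Header         = $rule.SetHeaderName
            Value          = $rule.SetHeaderValue
            DesignatedOnly = [bool]$senderLimited
            InternalOnly   = $internalOnly
            Finding        = $finding
        }
    }
}

# Review the live rule collection.
Test-DirectToCalendarRules | Format-Table -AutoSize

# Constructed sample rule object showing what a missing sender condition reports as.
$sample = [pscustomobject]@{
    Name           = "Direct to Calendar response"
    State          = "Enabled"
    SetHeaderName  = "X-MS-Exchange-Organization-CalendarBooking-Response"
    SetHeaderValue = "Accept"
    From           = @()
    FromMemberOf   = @()
    FromScope      = $null
}
Test-DirectToCalendarRules -Rules $sample | Format-Table -AutoSize
```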

How do you know this worked?


To verify that you have successfully configured Direct to Calendar meeting invitations, use the designated sender
mailbox to send a test meeting invitation to a small number of recipients. Verify that the meeting automatically
appears in the calendars of the recipients, and verify there are no meeting-related messages in the Inbox (the
second rule should automatically move these messages to the Deleted Items folder).
More information
The designated sender mailbox will receive meeting acceptance responses to Direct to Calendar meetings.
Use the following strategies to help minimize the impact of these messages on the designated sender:
In Outlook, enable the Update tracking information, and then delete responses that don't
contain comments and After updating tracking information, move receipt to <Deleted
Items> settings in Mail > Tracking for the designated sender mailbox. For more information, see
Change how meeting requests, polls, and read or delivery receipts are processed.
Clearing the Request Responses setting in Direct to Calendar meeting invitations doesn't prevent
responses from being sent back to the designated sender mailbox.
If the designated mailbox sends a meeting cancellation for a Direct to Calendar meeting, the cancelled
meeting title is always changed to CANCELED: <previous meeting title>, and the cancelled meeting
remains in the calendars of attendees until they manually remove it.
Meeting cancellation messages for Direct to Calendar meetings will always appear in the Inbox of recipients.
Manage message approval in Exchange Online
5/31/2019 • 3 minutes to read

Sometimes it makes sense to have a second set of eyes on a message before the message is delivered. As an
Exchange administrator, you can set this up. This process is called moderation, and the approver is called the
moderator. Depending on which messages need approval, you can use one of two approaches:
Change the distribution group properties
Create a mail flow rule
This article explains:
How to decide which approval approach to use
How the approval process works
To learn how to implement common scenarios, see Common message approval scenarios.

How to decide which approval approach to use


Here's a comparison of the two approaches to message approval.

WHAT DO YOU WANT TO DO? | APPROACH | FIRST STEP
:----- | :----- | :-----
Create a moderated distribution group where all messages to the group must be approved. | Set up message approval for the distribution group. | Go to the Exchange admin center (EAC) > Recipients > Groups, edit the distribution group, and then select Message approval.
Require approval for messages that match specific criteria or that are sent to a specific person. You can specify message criteria, including text patterns, senders, and recipients. Your criteria can also contain exceptions. | Create a mail flow rule (also known as a transport rule) using the Forward the message for approval action. | Go to the EAC > Mail flow > Rules.

How the approval process works


When someone sends a message to a person or group that requires approval, if they're using Outlook on the web
(formerly known as Outlook Web App), they're notified that their message might be delayed.
The moderator receives an email with a request to approve or reject the message. The text of the message includes
buttons to approve or reject the message, and the attachment includes the original message to review.

The moderator can take one of three actions: