Office 365 Retention Policy
Retention policies do two basic things: they either protect data from deletion or delete unnecessary items.
- Retain content - content cannot be permanently deleted before the end of the retention period.
- Delete content - unnecessary content is permanently deleted at the end of the retention period.
You can create and manage retention policies on the:
- Policies page in the Microsoft 365 compliance center.
- Retention page under Data governance in the Office 365 Security & Compliance Center.
For details, see https://docs.microsoft.com/en-us/office365/securitycompliance/retention-policies.
As an alternative to retention policies, you can place a mailbox on Litigation Hold to preserve all mailbox content, including deleted items and original versions of modified items.
For more information, see https://docs.microsoft.com/en-us/exchange/policy-and-compliance/holds/litigation-holds?view=exchserver-2019.
Quest On Demand provides permission-based roles to determine what permission level a user has and what tasks the user can perform.
For more details, see the Adding users to an organization section in the On Demand Global Settings User Guide.
List of permissions that can be assigned to Recovery module users
- Can manage backup settings
- Can download hybrid credentials
- Can run backup manually
- Can unpack backups
- Can run difference report
- Can restore from objects
- Can restore from differences
- Can read backup history
- Can read unpacked objects
- Can read differences
- Can read task history
- Can read events
- Can read restore attributes
- Can read UI projects
- Can read UI collections
- Can manage events
Note: On Demand administrators have full access to global settings and all module permissions.
Working with On Demand Recovery
This section provides step-by-step instructions on how to use On Demand Recovery.
- For Office 365 tenants: On Demand Recovery can back up and restore Office 365 users, Office 365 groups and security groups. Group membership and ownership are restored for both types of groups. The product does not restore any resources associated with Office 365 groups and Microsoft Teams, such as conversations, Planner tasks and plans.
- Email notifications about failed backups can be enabled by request. For assistance, contact Quest Support.
- Go to Quest On Demand and sign up for Quest On Demand. For more details, refer to Sign up for Quest On Demand.
- Add your Azure Active Directory tenant as described in the Tenant Management section in the On Demand Global Settings User Guide.
- After the tenant is added, make sure that the permissions required to work with Azure Active Directory tenant are granted. To grant the required permissions, click Go on the tenant tile and check that the Recovery module has the Granted status. For details, please see the Admin Consent Status section in the On Demand Global Settings User Guide. For a list of permissions that need to be granted consent for On Demand Recovery, refer to Consent permissions.
Note: Microsoft admin consent status changes to "expired" after 90 days, and the Recovery module status changes to "Not Granted". Once expired, you must grant admin consent again to continue using the module.
- To perform Exchange tasks, you will need to grant consent to Exchange Online PowerShell, and assign the Exchange Admin Role. For details, please see the About admin consent status and the Granting and regranting admin consent sections in the On Demand Global Settings User Guide.
- To launch On Demand Recovery, click Recovery on the left pane. The Dashboard screen opens.
- To configure a hybrid connection with on-premises Active Directory, see Integration with Recovery Manager for Active Directory.
- To configure the backup settings, perform the following steps:
  - Click Manage backups on the Dashboard screen.
  - Select the tenant from the list and click Edit. The Configure backup dialog opens.
  - To enable the backup creation, select Enabled next to the Schedule option. On Demand Recovery will attempt up to 4 backups per day. Depending on the completion time required for each, the number of backups may be fewer.
  - To run the backup immediately, select the Run backup immediately option. If this option is deselected, backups run only when scheduled.
  - Specify the backup retention period in days using the Retention policy option. The backup retention policy is also applied to backups that are started manually. If no policy is set, the default retention policy is five years (1825 days). If the retention period is changed, the new policy will only affect new backups.
  - To back up multifactor authentication settings, select the Backup MFA settings option.
  - To back up data related to inactive mailboxes, select the Backup data related to inactive mailboxes option.
  - To back up Application Proxy settings, select the Backup Application proxy settings and connector groups option.
  - To back up service principal default policies and Conditional Access policies, select the Backup Conditional Access Policies and Service Principal Default Policies option.
    - When this option is selected, service principal default policies such as ClaimIssuancePolicy and TokenIssuancePolicy and their relation to service principals are backed up.
    - If you select this option, you must specify service account credentials for the tenant. For details about required permissions, see Required permissions.
- Check the status of the module admin consent.
- If you need to run the backup creation manually, go to the Tasks screen, select the Backup task and click Start.
- To start the backup creation manually, you can use the Create Backup option on the Dashboard screen.
- To unpack a backup:
  - Go to the Backups screen. Here, you will find each packed backup, and the properties associated with that backup.
    Note: The Users column reflects the total number of users including guest accounts. The Guest column reflects only guest accounts.
  - From the Tenant drop-down list, select the tenant, then select the backup you want.
  - You can specify predefined or custom date ranges to narrow the search results by selecting Custom range.
  - Click Unpack in the actions menu.
  - If the option Unpack service principals and devices is not selected, the unpack operation will work faster and the Differences report will contain only changes related to users and groups. For more details about this option, see Backup Unpacking.
  - In the Backup Unpacking dialog, click Unpack.
- When the Unpack backup task is completed, go to the Unpacked Objects screen and select the users and groups that you want to restore and click Restore.
Note: If you do not unpack a backup, the Unpacked Objects screen will contain no objects or show a list of objects that were extracted from the previously unpacked backup.
- In the Restore Objects dialog, select the options for restore. See the To restore objects section in the Restoring Objects page for information on each option.
- You can also view differences between the selected backup and live Azure Active Directory or Office 365 and revert the selected changes using the Differences report tool. For more details, see the Reporting section. You can export the selected report data to a CSV file.
- You can view the status of your Restore objects task on the Tasks screen.
- Open the Events screen to view errors or warnings, if they occur during the restore operation.
- Use the Export option to export the selected log data to CSV format.
- Use the Acknowledge option to hide events that are no longer relevant. The status of acknowledged events is changed from 'Current' to 'Obsolete'. To view the list of obsolete events, click Obsolete on the left side of the screen.