The following article contains some observations and recommendations when protecting Exchange Online (EOL) mailboxes from the Office 365 platform.


Understand that backing up an EOL mailbox is not the same as archiving the mail flow
Backing up a mailbox should not be considered a suitable solution for audit/compliance requirements for tracking emails. Externally backing up a EOL mailbox is done to ensure that a secure copy of the mailbox is available in the event of data loss, allowing for the recover of the lost data ranging from a single item through to the complete mailbox. This should be used in addition to the built-in data protection features of EOL (https://docs.microsoft.com/en-us/exchange/security-and-compliance/recoverable-items-folder/recoverable-items-folder) thus enabling greater control of the recoverable data and ensuring that critical business data is not held within a single organisations (Microsoft) control.


Ensure that the deleted items folder has regular housekeeping performed (i.e. emptied)
See https://support.office.com/en-us/article/empty-the-deleted-items-folder-9196f9a0-7c10-4802-9afa-269a7dcfd11f on how to enable deleted items to be deleted on exit from Outlook. This can also be enforced via GPOs if the clients are domain members.


If possible reduce the backup schedule so that a mailbox is protected on a weekly basis rather than daily.
When backing up an item from an EOL mailbox the envelope metadata is used to identify the object. If the object is moved between folders, and/or deleted (which is just moving the object to the Deleted Items folder) the metadata will change and the backup client will see the moved item as a new object and back it up again. When protecting a mailbox on a daily basis protecting duplicated data is much more likely to occur.


Example

An email arrives on day 1 to the inbox and is backed up, on day 2 the user moves the email to a sub-folder, and on day 4 they then decide to delete the email. 

  • If we are protecting the mailbox on a daily basis we will have backed up the email 3 times, once from the inbox on day 1, the second time from the sub-folder on day 2 and finally a third time from the deleted items folder on day 4. 
  • However, if we were only scheduled to backup the mailbox on a weekly basis we would only backup one copy of the email in the deleted items – assuming the deleted items had not been emptied).


Enable retention rules to remove backed up data xx days after deletion
When an item is backed up the system will continue to track the item in the live EOL mailbox and record (timestamp) when that item is deleted. Without retention rules the backup system will continue to store ALL EOL objects for life, it is preferred that a retention rule is created that can house keep and delete from the backup store any EOL objects that have been deleted after a set period – this period would be defined by the end user and their business requirements. It should be noted that as mentioned at the start the backup solution is not a replacement for an auditing/compliance solution, rather it is designed to allow for the recovery of accidentally or maliciously deleted items as well as maintain control of the organisations data – thus the retention rule should be based on ‘how long should we hold data that we may want to recover’ not ‘how long must we legally hold data for a compliance requirement’.