- January 27, 2022
- Bill Tolson
- Data Privacy
- Archive Migration
- Cloud archiving
- Data Migration
- Information Security
- Zero Trust
If you have inactive users in your archives, you can simply delete them or migrate them all when you move to Microsoft 365, right? Unfortunately, it's not that simple. This article outlines the technical, regulatory, and compliance challenges you're likely to face, the alternatives available, and why Microsoft's suggested method for inactive user migration may not be (in our opinion) your best option.
I never asked my friend what happened with the potential deal but, for me, it highlighted an important missing process in many companies – that of treating departing employee data as valuable (also, in some cases, legally required).
At the end of the day, companies hire employees for their abilities, know-how, creativity, and experience. Blindly destroying the data they work with and create is a huge waste for the sake of freeing up a Microsoft 365 license, especially when options exist to both store leaver data securely and reassign their licenses without risking legal or business disruption.
Some of our customers do think about the implications of reassigning the license of a departing employee. Many come to us with questions like: "We're spending a fortune on Microsoft 365 licenses for employees that have left the organization. We want to recycle them, but what should we do with all of the departed employee's Microsoft 365 data?" Believe it or not, this shows a great deal of progress in their thinking. Unfortunately, however, many companies, as in the example above, still reassign the Microsoft 365 licenses of departed employees indiscriminately and, in doing so, delete all their data.
As IT and corporate legal departments well know, inactive and departed employee data, including inactive Microsoft 365 mailboxes, OneDrive accounts, and Teams conversations and files (including videos), puts a strain on the IT department: costly consumption of Microsoft 365 licenses, rising privacy risk, and expensive eDiscovery response. Safeguarding that data should therefore be an explicit part of the employee exit process and top of mind for HR, IT, and Corporate Legal. When an employee gives notice or is RIF'd, HR should follow a checklist with a set of actions to perform before the employee departs.
However, in many cases (if the checklist even exists), it does not address what to do with the employee's most valuable asset: their accumulated work data. Valuable corporate data exists in Microsoft 365 mailboxes, OneDrive accounts, local workstation data, and SharePoint sites, yet many HR processes don't include the proactive collection of employee data before departure. Jumping too quickly to delete a departed user's account (and the associated data) can cost you access to crucial information and runs the risk of regulatory non-compliance. Once you go far enough down the line and the data is permanently deleted, there is no magic button marked 'recover inactive mailbox'. Microsoft 365 purges those files for good.
The process should see IT alerted immediately to begin capturing and consolidating leaver data and migrating it into data repositories, such as those in a corporate cloud, where it can be secured, managed, and accessed by authorized employees. The immediate thinking should never be 'delete inactive mailbox'. Microsoft 365 licenses shouldn't be valued more than often crucial leaver data. Your GC may want to keep all email and OneDrive data for an extended time in case lawsuits (e.g., wrongful termination) crop up during the statute of limitations, as well as keeping it available for use and reference by current employees.
It's hard to say definitively, but in my experience, most companies simply haven't thought of it or haven't developed a standardized process to collect employee data. Often, it's because the IT department is overworked and so instead chooses to keep the departed employee's mailbox and Microsoft 365 account "as is" until they have more time. Eventually, someone in IT notices the growing number of departed employee mailboxes and wonders how much the company is spending on Microsoft 365 licenses for them. Show inactive mailboxes to whoever controls the company purse strings, and they'll likely jump at the chance to claw back some of the outlay. Look at your own Microsoft 365 inactive mailbox cost, and you'll probably want to do the same.
In a recent example, a customer noticed they were paying for 8,000 inactive mailboxes in a legacy BPOS subscription and 7,000 inactive mailboxes in their standard Microsoft 365 subscription, totaling 15,000 Microsoft 365 E5 licenses. They estimated that the 15,000 inactive mailboxes were costing them approximately $5 million annually in subscription costs. In another example, a mid-size U.S. city told me that over 55% of their current Microsoft 365 mailboxes belonged to departed employees.
Currently, when an employee leaves a company, many organizations quickly reassign the employee's Microsoft 365 license to another employee, or cancel it altogether to save on cost. Once the license is removed (or the user account is deleted), the departed employee's mailbox is retained in a soft-deleted state for 30 days. During this period the mailbox can still be recovered by restoring the deleted account or reassigning a license. After 30 days, however, the data is permanently deleted, raising the risk of destruction-of-evidence or spoliation claims if the data is potentially responsive in current or reasonably anticipated litigation.
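The 30-day window described above is easy to miss when licenses are recycled in bulk. The following Exchange Online PowerShell script is an added example, not code from the original post or from Archive360: it lists every soft-deleted mailbox in the tenant, works out how many days remain before the 30-day purge, and flags the ones that need Legal or HR attention. It assumes the ExchangeOnlineManagement module is installed and the caller holds an Exchange admin role; the admin UPN and the 7-day escalation threshold are hypothetical placeholders.

```powershell
# Added example: audit soft-deleted (leaver) mailboxes before Microsoft 365 purges them.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin rights.
# 'admin@contoso.example' and $warnAtDays are hypothetical placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$retentionDays = 30   # Microsoft 365 keeps a soft-deleted mailbox for 30 days
$warnAtDays    = 7    # hypothetical threshold at which Legal/HR is escalated

$report = Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited |
    ForEach-Object {
        # WhenSoftDeleted is the start of the 30-day clock.
        $ageDays  = [int]((Get-Date).ToUniversalTime() - $_.WhenSoftDeleted).TotalDays
        $daysLeft = $retentionDays - $ageDays

        # A mailbox under Litigation Hold or a retention policy is an inactive
        # mailbox: it is not purged at day 30, so it needs no rescue.
        $onHold = $_.LitigationHoldEnabled -or (@($_.InPlaceHolds).Count -gt 0)

        [pscustomobject]@{
            Mailbox        = $_.PrimarySmtpAddress
            DisplayName    = $_.DisplayName
            SoftDeletedAt  = $_.WhenSoftDeleted
            DaysUntilPurge = if ($onHold) { 'n/a (on hold)' } else { $daysLeft }
            Action         = if ($onHold) { 'preserved' }
                             elseif ($daysLeft -le $warnAtDays) { 'ESCALATE: restore account or apply hold' }
                             else { 'review with HR/Legal' }
        }
    }

$report | Sort-Object DaysUntilPurge | Format-Table -AutoSize
```

For a mailbox that must be rescued, restore the deleted user object (for example with `Restore-MgDirectoryDeletedItem` from the Microsoft Graph PowerShell module, or from the Deleted users page in the admin center); the mailbox comes back with it, after which a hold can be applied before the account is deleted again.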
A common method for preserving departed employee data is converting a Microsoft 365 mailbox to a "shared mailbox." The main driver for the popularity of this strategy is that Microsoft 365 shared mailboxes are free: a shared mailbox under 50 GB that is not on hold does not consume a license. However, there are several complicating issues with shared mailboxes:
Depending on the access rights granted on the shared mailbox, approved employees can still delete or edit its content, which is itself a legal defensibility issue. To reduce the risk of data loss from delegates deleting shared mailbox content, grant read-only access (folder-level Reviewer permissions) instead of the default Full Access. However, read-only access is not immutability: an administrator can still alter or remove content, so the data could be called into question later by regulators, auditors, or opposing counsel in a litigation setting.
The immutability issue (#5 above) can catch many by surprise, especially corporate attorneys. If immutability is required for legal reasons, i.e., proof that evidence has not been altered, the shared mailbox must be placed on hold (a Litigation Hold or a Microsoft 365 retention policy; the older "In-Place Hold" feature has since been retired by Microsoft), and a shared mailbox on hold requires a paid Exchange Online license, defeating the "no-cost" benefit. Moving inactive users' messages into a shared mailbox also means you can't search for information effectively (#6 above), because the shared mailbox becomes the owner of all the messages within it. You can no longer look up the departed user by mailbox name and are forced to search the To and From fields or run full-text searches keyed on a specific SMTP address. That adds time and complexity to an investigation or a specific request.
Furthermore, the shared mailbox size limit (#2 above; 50 GB for an unlicensed shared mailbox) forces the creation of additional shared mailboxes. In the previous example, where the company had 68 TB of inactive mailboxes, it would take 1,360 shared mailboxes to hold 68 TB of departed employee mailbox data, a management and legal nightmare.
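The read-only mitigation described above, and the two caveats that follow it (a hold brings the license cost back, and the 50 GB cap), can be applied and checked from Exchange Online PowerShell. The script below is an added example, not code from the original post or from Archive360. It converts a leaver's mailbox to a shared mailbox, removes any explicit Full Access grants (which allow delete and edit), grants folder-level Reviewer rights to a reviewing user or group instead, and then reports whether a hold is in place and how close the mailbox is to the 50 GB unlicensed limit. It assumes the ExchangeOnlineManagement module and an Exchange admin role; the admin, leaver and reviewer UPNs are hypothetical placeholders.

```powershell
# Added example: convert a leaver mailbox to shared, make it read-only for
# delegates, and check the hold/size caveats that would bring back the license cost.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin rights.
# All UPNs are hypothetical placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$leaver   = 'jane.doe@contoso.example'      # departed employee's mailbox
$reviewer = 'legal.review@contoso.example'  # user or group that needs read-only access

# 1. Convert the user mailbox to a shared mailbox (no license needed under 50 GB).
Set-Mailbox -Identity $leaver -Type Shared

# 2. Remove explicit Full Access grants. Full Access lets a delegate edit and delete,
#    which is the defensibility problem; the mailbox's own SELF entry is left alone.
Get-MailboxPermission -Identity $leaver |
    Where-Object {
        $_.AccessRights -contains 'FullAccess' -and
        -not $_.IsInherited -and
        $_.User -ne 'NT AUTHORITY\SELF'
    } |
    ForEach-Object {
        Remove-MailboxPermission -Identity $leaver -User $_.User `
            -AccessRights FullAccess -Confirm:$false
    }

# 3. Grant Reviewer (read-only) at folder level instead. Folder permissions are not
#    inherited, so every mail folder the leaver used gets its own entry.
Get-MailboxFolderStatistics -Identity $leaver |
    Where-Object { $_.FolderType -in @('Inbox', 'SentItems', 'User Created') } |
    ForEach-Object {
        # Folder identity syntax is "<mailbox>:\Folder\Subfolder".
        $folderId = $leaver + ':' + ($_.FolderPath -replace '/', '\')
        try {
            Add-MailboxFolderPermission -Identity $folderId -User $reviewer `
                -AccessRights Reviewer -ErrorAction Stop | Out-Null
        } catch {
            # Entry already exists for this user: update it rather than fail.
            Set-MailboxFolderPermission -Identity $folderId -User $reviewer `
                -AccessRights Reviewer
        }
    }

# 4. Read-only is not immutability, and a hold or >50 GB means a license is needed.
$mbx   = Get-Mailbox -Identity $leaver
$stats = Get-MailboxStatistics -Identity $leaver
# TotalItemSize renders as "1.5 GB (1,610,612,736 bytes)"; pull out the byte count.
$bytes  = [int64](($stats.TotalItemSize.ToString() -replace '.*\(([\d,]+) bytes\)', '$1') -replace ',', '')
$sizeGB = [math]::Round($bytes / 1GB, 2)
$onHold = $mbx.LitigationHoldEnabled -or (@($mbx.InPlaceHolds).Count -gt 0)

[pscustomobject]@{
    Mailbox       = $leaver
    RecipientType = $mbx.RecipientTypeDetails   # expect SharedMailbox
    OnHold        = $onHold                     # $false: content is NOT immutable
    SizeGB        = $sizeGB
    NeedsLicense  = ($onHold -or $sizeGB -gt 50)
}
```

Because Full Access was removed, the mailbox no longer auto-maps in Outlook; reviewers open it by adding the shared mailbox or its folders explicitly. Permissions assigned here do not stop an Exchange administrator from deleting content, which is why the last step reports hold status rather than assuming the data is protected.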
Alternatively, the Microsoft-recommended method for preserving departed employee mailbox data is to turn the mailbox into an inactive mailbox. An inactive mailbox consumes no license, so the departed user's Microsoft 365 license is released, and the procedure itself is fairly simple.
To create an inactive mailbox in Microsoft 365, you first place a hold on the entire mailbox (a Litigation Hold or a Microsoft 365 retention policy; the older In-Place Hold feature has been retired) and confirm the hold has taken effect; you can then delete the corresponding user object. Any licenses assigned to the user are released for reuse at that point, while the mailbox content is preserved for the duration of the hold and stays searchable through eDiscovery. This approach seems simple but, when you dig into the details, there are a number of issues with inactive mailboxes. Microsoft 365 has a few quirks that might lead you to rethink your strategy.
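The hold-then-delete procedure above, scripted end to end, as an added example that is not part of the original post and not Archive360's code. It uses Exchange Online PowerShell for the hold and Microsoft Graph PowerShell for the account deletion, and it refuses to delete the account until the hold is confirmed, because deleting before the hold is in effect produces an ordinary soft-deleted mailbox that is purged after 30 days rather than an inactive mailbox. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, Exchange and user administration rights, a license on the leaver that supports Litigation Hold (Exchange Online Plan 2 or an E3/E5-class license), and hypothetical placeholder UPNs.

```powershell
# Added example: preserve a leaver mailbox as an inactive mailbox (hold, verify, delete).
# Assumes: ExchangeOnlineManagement + Microsoft.Graph modules, Exchange and user admin
# rights, and a leaver license that supports Litigation Hold. UPNs are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'
Connect-MgGraph -Scopes 'User.ReadWrite.All'

$leaver = 'jane.doe@contoso.example'

# 1. Put the whole mailbox on Litigation Hold while the user is still licensed.
#    (A Microsoft 365 retention policy scoped to this mailbox is the alternative;
#    In-Place Holds are retired.) Do not remove the license before this step.
Set-Mailbox -Identity $leaver -LitigationHoldEnabled $true `
    -LitigationHoldDuration Unlimited `
    -RetentionComment 'Leaver preservation - HR offboarding checklist'

# 2. Verify the hold is actually in effect. Holds propagate asynchronously, and a
#    deletion that lands first leaves a soft-deleted mailbox, not an inactive one.
$mbx    = Get-Mailbox -Identity $leaver
$onHold = $mbx.LitigationHoldEnabled -or (@($mbx.InPlaceHolds).Count -gt 0)
if (-not $onHold) {
    throw "Refusing to delete $leaver : no hold is in effect yet. Wait and re-run."
}

# 3. Delete the user object. This releases the license, and because the mailbox
#    is on hold Exchange Online keeps it as an inactive mailbox.
$user = Get-MgUser -UserId $leaver
Remove-MgUser -UserId $user.Id

# 4. Confirm the inactive mailbox exists. Inactive mailboxes are hidden from a
#    plain Get-Mailbox; -InactiveMailboxOnly (or -IncludeInactiveMailbox) reveals them.
$inactive = Get-Mailbox -InactiveMailboxOnly -Identity $leaver
[pscustomobject]@{
    Mailbox        = $inactive.PrimarySmtpAddress
    IsInactive     = $inactive.IsInactiveMailbox    # expect $true
    LitigationHold = $inactive.LitigationHoldEnabled
    SoftDeletedAt  = $inactive.WhenSoftDeleted
}
```

The inactive mailbox may take a few minutes to appear after the account deletion, so step 4 is worth re-running if it returns nothing at first. Releasing the license is the point of the exercise, but note that the hold ties the inactive mailbox to the tenant: the content is searchable in eDiscovery and can be recovered or restored into another mailbox, while the original user is gone, which is the root of the search and management quirks discussed in Part II.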
In Part II of this post, we’ll discuss alternative and best practice strategies for managing inactive user mailboxes. This includes how to address inactive user data during a migration to Microsoft 365 and during a legacy archive migration.
Archive360's Archive2Azure is the cloud archive trusted by enterprises and government agencies worldwide. Purpose-built to run in the hyperscale cloud, it is installed and run in your organization's own public cloud tenancy, where you retain all the power, flexibility, and management while maintaining complete control of your data and its security including encryption keys that only you have access to. Additionally, unlike on-premises and SaaS archiving solutions, you are free to unlock valuable insights via data analytics and carry out powerful searches on your data using the latest cloud-based tools that will benefit multiple teams across your business, from HR to legal and compliance.
Find out why major, regulated organizations around the world trust Archive360 with their most sensitive data. Get in touch to request a demo today.