Adding OneDrive Locations to an Existing Retention Policy

Yesterday, while working with a customer, I was asked if there is a way to programmatically add OneDrive locations to an existing retention policy.  Say, for example, you have a blanket retention policy that covers all of your tenant at a base level (which is what I typically recommend to ensure you at least have either belt or suspenders), but then you have a second set of users that need a longer policy.


Background

As a refresher, an object in Office 365 can have multiple retention policies applied to it.  If you haven't seen this graphic, I heartily suggest you take a deep, long look into its blue hues:

If you have multiple retention and/or deletion policies applied to an object, they follow this framework.  Retention always wins: nothing is purged while any retention policy still covers the item, and the longest retention period sets the floor.  Let's take a simple example:

  Policy                               Applies to      Effect
  3 Year All Employees                 All Employees   Retain for 3 years
  5 Year Rolling Purge All Employees   All Employees   Delete after 5 years
  7 Year HR Employees                  HR Employees    Retain for 7 years

So, imagine Jim, Nestor, and Adele all work for an organization that has the previously listed policies in place.  Jim works in Sales, while Nestor and Adele work in HR.  They're all part of the "All Employees" group, since ... well, they're employees.  Nestor and Adele, however, are part of the HR group, so HR policies apply to them.  How will the retention policies affect them differently?

Jim, Nestor, and Adele, as part of "All Employees," will have the 3 Year All Employees retention policy applied to them as well as the 5 Year Rolling Purge All Employees policy.  In essence, what this means is that:

  • All data will be kept for a minimum of 3 years.
  • Once a piece of data reaches the 3-year mark, if the user had "deleted" it and it is being held in Recoverable Items (mailbox) or the Preservation Hold Library (OneDrive), it will be removed from the system.  If the user never deleted it, it continues to exist.
  • Once a piece of data reaches the 5-year mark, the rolling purge deletes it.

But wait! Adele and Nestor are also members of the HR Employees group, so they have an extra policy that applies to them: 7 Year HR Employees.  So, since Retention Always Wins, their data will live for another 2 years past the 5 Year Rolling Purge All Employees policy.  But, after 7 years, if there is no other mechanism protecting their data (such as an eDiscovery case hold or a litigation hold), data will start being purged.
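Here is the precedence rule from the example above turned into a small PowerShell helper.  This is an added example, not code from the original post: it assumes that the longest retention period sets the floor and that content is purged at the later of that floor and the shortest deletion period, which is exactly how the Jim/Nestor/Adele case plays out.  The policy objects are constructed from the table above.

```powershell
# Added example (not from the original post). Models "retention always wins":
# - floor  = longest retention period among the policies in scope
# - purge  = shortest deletion period, but never earlier than the floor
# Policies are plain objects with Name, Action ('Retain' or 'Delete') and Years.
function Get-EffectiveRetention {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][object[]]$Policies
    )

    $retain = $Policies | Where-Object { $_.Action -eq 'Retain' } |
        Measure-Object -Property Years -Maximum
    $delete = $Policies | Where-Object { $_.Action -eq 'Delete' } |
        Measure-Object -Property Years -Minimum

    # No retention policy at all means no floor; no deletion policy means no purge.
    $floor = if ($retain.Count) { $retain.Maximum } else { 0 }
    $purge = if ($delete.Count) { [math]::Max($floor, $delete.Minimum) } else { $null }

    [pscustomobject]@{
        User             = $User
        RetainedForYears = $floor
        PurgedAfterYears = $purge      # $null = nothing ever deletes it
        WinningRetention = ($Policies |
            Where-Object { $_.Action -eq 'Retain' -and $_.Years -eq $floor }).Name -join ', '
    }
}

# Constructed sample data: the three policies from the article.
$allEmployees = @(
    [pscustomobject]@{ Name = '3 Year All Employees';               Action = 'Retain'; Years = 3 }
    [pscustomobject]@{ Name = '5 Year Rolling Purge All Employees'; Action = 'Delete'; Years = 5 }
)
$hrEmployees = $allEmployees + [pscustomobject]@{ Name = '7 Year HR Employees'; Action = 'Retain'; Years = 7 }

# Jim is purged after 5 years; Nestor and Adele after 7, because 7 Year HR Employees wins.
Get-EffectiveRetention -User 'Jim'    -Policies $allEmployees
Get-EffectiveRetention -User 'Nestor' -Policies $hrEmployees
Get-EffectiveRetention -User 'Adele'  -Policies $hrEmployees
```

The helper deliberately ignores anything outside the article's scenario (eDiscovery holds, litigation holds, explicit versus implicit scoping); those are additional protections the article only mentions in passing, and any of them would push the purge date further out.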

Back to the question at hand: my customer has a requirement to extend the length of retention for a certain group of OneDrive sites.  If you've ever used the Retention interface for managing OneDrive, you'll notice that it is NOT intuitive: you can't select users from a list and have it insert their OneDrive sites, and there is no browsable or searchable list of OneDrive sites.  To manually include or exclude a OneDrive site in a Retention Policy, you need to know the exact URL of the user's OneDrive for Business site.

Gross.

Bring on the 'Shell

Fortunately, there's a way to solve this problem. And, it doesn't even involve a lot of work for you, since I've already done most of it.

Get a list of OneDrive for Business sites

We don't have a good way to do this natively.  For that, [shameless plug coming] I built the OneDrive for Business Admin tool.  There are a lot of great features in there, but we're going to focus on one that allows us to enumerate the OneDrive sites.

The -ListOneDriveSites parameter enumerates either every OneDrive site in your tenant, the OneDrive sites for users supplied in a list, or the OneDrive sites for the users passed in the -Identity parameter.

In this case, we want to add Nestor and Adele to the OneDrive - 7 Years policy in our tenant to extend their retention past the 3-year baseline.  So, we're going to use the OneDrive for Business Admin tool to figure out what their OneDrive site URLs are so we can add them to the policy.

  1. Download the OneDrive for Business Admin tool from https://aka.ms/OneDriveAdmin.

  2. Generate a list of OneDrive sites:

     $cred = Get-Credential
     .\OneDriveForBusinessAdmin.ps1 -Credential $cred -Tenant ems340903 -ListOneDriveSites -Identity adelev@ems340903.onmicrosoft.com,nestorw@ems340903.onmicrosoft.com


    With this, now we'll be able to explicitly add the OneDrive sites to the retention policy.

Connect to the Security & Compliance Center Powershell Endpoint

We're going to be managing the retention policy that exists in the Security & Compliance Center, so it stands to reason that we need to connect to it.  The SCC uses a different remote PowerShell endpoint than Exchange Online, and it exposes some cmdlets with the same names, which is why the compliance session below is imported with -AllowClobber.  I have both endpoints in a single function inside my PowerShell profile (and I recommend you do it, too).  One caveat: the Basic-auth "powershell-liveid" endpoints used here have since been retired; the current equivalent is Connect-IPPSSession from the ExchangeOnlineManagement module, and the retention cmdlets used later in this post are unchanged.

 Function o365Logon([switch]$Skype,[switch]$Compliance,$Credential,$EOP)
  {
  # Prompt only if the caller did not pass a credential in.
  If (!$Credential) { $Credential = Get-Credential }
  If ($EOP)
    {
    # Exchange Online Protection (standalone) endpoint.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.protection.outlook.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection
    Import-PSSession $Session
    }
  Else
    {
    # Exchange Online endpoint.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection
    Import-PSSession $Session
    }
  # Azure AD (requires the MSOnline module).
  Connect-MsolService -Credential $Credential
  If ($Skype)
    {
    # Skype for Business Online (requires the SkypeOnlineConnector module).
    $SkypeSession = New-CsOnlineSession -Credential $Credential
    Import-PSSession $SkypeSession
    }
  If ($Compliance)
    {
    # Security & Compliance Center. -AllowClobber is needed because it shares
    # cmdlet names (e.g. Get-RetentionCompliancePolicy) with the Exchange session.
    $ComplianceSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $Credential -Authentication Basic -AllowRedirection
    Import-PSSession $ComplianceSession -AllowClobber
    }
  }

Using the above function, you can connect using the credential you saved earlier in $cred:

 o365Logon -Credential $cred -Compliance

Update the Retention Policy

  1. First, we need to locate the retention policy and confirm its exact name.

     Get-RetentionCompliancePolicy

  2. Set the retention policy name to $policy and import the new locations to add to a variable.  The CSV is the list of OneDrive site URLs from the previous step; its OD4BSite column holds one URL per row.

     $policy = 'OneDrive - 7 Years'
     $new = Import-Csv sitestoadd.csv
     $newlocations = $new.OD4BSite

  3. Update the retention policy.  -AddOneDriveLocation appends to the existing list of OneDrive locations rather than replacing it.

     Set-RetentionCompliancePolicy -Identity $policy -AddOneDriveLocation $newlocations

  4. Verify in the portal.  Log in to https://protection.office.com and navigate to Data Governance | Retention, select the policy, and then choose Edit policy.

  5. Select Locations Applied, and then select Choose accounts under OneDrive accounts.

  6. Verify that the new accounts have been added.
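The three steps above work, but they trust the CSV completely and give you no confirmation beyond what the portal shows.  Here is the same procedure as a single function, written for this post as an added example rather than taken from the original.  It assumes you already have a Security & Compliance Center session open, that the CSV has an OD4BSite column as above, and that Get-RetentionCompliancePolicy -DistributionDetail exposes the current OneDrive URLs through an OneDriveLocation property whose entries have a Name (an assumption about the cmdlet's output shape, not something stated in the post).  The URL pattern check is also mine: a mistyped URL does not error, it simply leaves that user on the 3-year baseline.

```powershell
# Added example (not from the original post). Requires an open SCC session.
function Add-OneDriveToRetentionPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$Column = 'OD4BSite'     # column holding the OneDrive URLs
    )

    # 1. Read and sanity-check the candidate URLs. A OneDrive for Business site looks
    #    like https://<tenant>-my.sharepoint.com/personal/<user>_<domain>; anything else
    #    is almost certainly a typo and would silently leave that user uncovered.
    $pattern = '^https://[^/]+-my\.sharepoint\.com/personal/[^/]+/?$'
    $rows = @(Import-Csv -Path $CsvPath)
    if (-not $rows -or -not ($rows[0].PSObject.Properties.Name -contains $Column)) {
        throw "CSV '$CsvPath' has no column named '$Column'."
    }
    $candidates = @($rows.$Column | ForEach-Object { "$_".Trim().TrimEnd('/') } |
        Where-Object { $_ } | Sort-Object -Unique)
    $bad = @($candidates | Where-Object { $_ -notmatch $pattern })
    if ($bad) { throw "Not OneDrive for Business URLs: $($bad -join ', ')" }

    # 2. Read the policy's current locations so the add is idempotent.
    #    (Assumed: OneDriveLocation entries expose the URL as .Name.)
    $policy   = Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail -ErrorAction Stop
    $existing = @(@($policy.OneDriveLocation) | Where-Object { $_ } |
        ForEach-Object { "$($_.Name)".TrimEnd('/') })
    $toAdd    = @($candidates | Where-Object { $existing -notcontains $_ })

    if (-not $toAdd) {
        Write-Host "Nothing to add; all $($candidates.Count) site(s) are already in '$PolicyName'."
        return
    }

    # 3. Apply, then re-read the policy and confirm every requested site landed.
    if ($PSCmdlet.ShouldProcess($PolicyName, "Add $($toAdd.Count) OneDrive location(s)")) {
        Set-RetentionCompliancePolicy -Identity $PolicyName -AddOneDriveLocation $toAdd -ErrorAction Stop
        $after = @(@((Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail).OneDriveLocation) |
            Where-Object { $_ } | ForEach-Object { "$($_.Name)".TrimEnd('/') })
        $missing = @($toAdd | Where-Object { $after -notcontains $_ })
        if ($missing) { Write-Warning "Not applied: $($missing -join ', ')" }
        else          { Write-Host "Added $($toAdd.Count) site(s) to '$PolicyName'." }
    }
}

# Preview first (-WhatIf comes from SupportsShouldProcess), then apply for real.
Add-OneDriveToRetentionPolicy -PolicyName 'OneDrive - 7 Years' -CsvPath .\sitestoadd.csv -WhatIf
Add-OneDriveToRetentionPolicy -PolicyName 'OneDrive - 7 Years' -CsvPath .\sitestoadd.csv
```

Because the function computes the delta against what the policy already contains, you can re-run it with the same CSV (or a growing one) without worrying about duplicates, and the post-apply check catches the case where the service accepted the call but a location did not actually show up in the policy.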

Happy adding to retention policies!