Moving from Single-Workload Holds to Microsoft 365 Holds

Many tenants use litigation holds (also known as legal holds) to retain the complete content of Exchange Online mailboxes. The feature has been available since Exchange 2010 and can hold mailbox items (including associated archive mailboxes) indefinitely or for a specified period. The good thing about litigation holds, which is probably why people use them, is that it’s very easy to put one or more mailboxes on hold using PowerShell or the Exchange admin center (Figure 1).

The PowerShell equivalent to set litigation hold on a mailbox is:

Set-Mailbox -Identity Brian.Weakliam -LitigationHoldEnabled $True -LitigationHoldOwner "Tony.Redmond@office365itpros.com" -LitigationHoldDate "21-Apr-2025 16:00" -LitigationHoldDuration Unlimited -RetentionURL "https://office365itpros.com/AllAboutLitigationHold.Html"

While this command lists the set of mailboxes with litigation hold enabled:

Get-ExoMailbox -RecipientTypeDetails UserMailbox -Properties LitigationHoldEnabled, LitigationHoldDate, LitigationHoldDuration, LitigationHoldOwner -Filter {LitigationHoldEnabled -eq $True} -ResultSize Unlimited | Format-Table DisplayName, LitigationHoldDate, LitigationHoldOwner, LitigationHoldDuration

Inactive mailboxes can also be on litigation hold (and the hold might be the reason why Exchange Online retains these mailboxes):

Get-ExoMailbox -InactiveMailbox -Properties LitigationHoldEnabled, LitigationHoldDate, LitigationHoldDuration, LitigationHoldOwner -Filter {LitigationHoldEnabled -eq $True} -ResultSize Unlimited | Format-Table DisplayName, LitigationHoldDate, LitigationHoldOwner, LitigationHoldDuration

To release the litigation hold for a mailbox, set its LitigationHoldEnabled property to $false.

Set-Mailbox -Identity Kim.Akers -LitigationHoldEnabled $False

Or for an inactive mailbox:

Set-Mailbox -InactiveMailbox Dylan.Webb -LitigationHoldEnabled $False

This action clears the other litigation properties. Enabling or removing a litigation hold from a mailbox is usually effective within a few minutes but can take several hours.

The Bad Thing about Litigation Holds

Litigation Holds are easy to apply and manage and are available for all Exchange Online mailboxes. But their big downside is that litigation holds only cover mailbox items. That was an acceptable state when the need to preserve personal information for an employee only extended to email. Today, Microsoft 365 apps store so much information in a user’s OneDrive account that it is imperative to preserve this data when someone leaves.

Within Microsoft 365 today there are many other ways to communicate, including Teams, OneDrive for Business, Microsoft 365 Groups, and Viva Engage. Along with mailboxes, those locations are all covered by Microsoft 365 retention policies, which are the modern alternative to litigation hold.

However, I’m not going to cover retention policies here. Instead, I’m going to throw out a different idea, which is to use an in-place hold imposed by a standard eDiscovery case (available with Office 365 E3 and above or Microsoft E5 compliance licenses). Perhaps the recent GUI overhaul for Purview eDiscovery prompted me to investigate this solution.

Holds are only one part of eDiscovery cases, which also include searches, review sets, and exports covering multiple data sources. In the scenario where an organization wants to keep personal information for employees for a period (perhaps after employees leave), an eDiscovery case might replace litigation holds and deliver the additional benefit of holding OneDrive for Business accounts.

Creating an eDiscovery Case with PowerShell

The eDiscovery case we need is simple. It consists of:

• The case (created with New-ComplianceCase). A container for the case elements, like holds and searches,
• A case hold policy (created with New-CaseHoldPolicy) defines the set of locations (mailboxes and OneDrive for Business accounts) that the hold will apply to.
• A case hold rule associated with the case hold policy (created with New-CaseHoldRule). The rule specifies the KQL query used by the hold. In this case, to create a hold that applies to everything in the mailboxes and OneDrive for Business accounts, the KQL query is empty.

Before running any of these cmdlets, you must connect to Exchange Online and the compliance endpoint, and the account used must have the eDiscovery manager role.

An example script is worth hundreds of words. You can download my example from GitHub.

Delegated Permissions and OneDrive for Business

The script is intended for use with delegated permissions. It would be possible to use app-only mode, but I wanted to illustrate an important an important aspect of dealing with OneDrive for Business accounts.

The Sites.Read.All permission allows the signed-in user to read details of all SharePoint Online sites – but not OneDrive for Business accounts, even if the account is a SharePoint administrator. This is a little strange because the SharePoint administrative interfaces allow access to OneDrive.

The full URL for a OneDrive account is needed to add it to an eDiscovery case hold policy (or a retention policy). This is a value like:

https://office365itpros-my.sharepoint.com/personal/brian_weakliam_office365itpros_com

Even with the Sites.Read.All delegatedpermission, you can’t use the Get-MgUserDrive or Get-MgUserDefaultDrive cmdlets to get the OneDrive URL (you can with the application permission). I therefore use a little trick of retrieving the OneDrive usage report data for the last 90 days and extracting the user principal name and site identifier from the data. The script can use the site identifier with the Get-MgSite cmdlet to find the OneDrive URL. It’s a little complicated, but the code works. It would be nice if the usage report data included the site URL. However, a longstanding problem that Microsoft seems incapable of solving means that the site URL is missing from SharePoint Online and OneDrive usage reports.

Easier Solutions Exist

It would be easier to use the Microsoft Graph PowerShell SDK in app-only mode and have full access to the OneDrive account information, but this is an example of how it’s often possible to get at Microsoft 365 data when it seems to be blocked. It would also be easier to move mailboxes (and their OneDrive accounts) from litigation hold to a retention policy instead of an eDiscovery case, but where’s the fun in always taking the easy route?

If you’re still using litigation holds, the question is why? In 2010, litigation holds were the best we could do in terms of preserving mailbox content. In 2025, we can do better, and there’s many ways to satisfy the need to preserve data, including OneDrive.

So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.