

Expedite the permanent deletion of sensitive information from mailboxes

Microsoft 365 licensing guidance for security & compliance.

Note

Priority cleanup is rolling out in preview and subject to change.

Use the Priority cleanup feature under Data Lifecycle Management in Microsoft Purview when you need to expedite the permanent deletion of sensitive content from Exchange mailboxes, overriding any existing retention settings or eDiscovery holds. This process might be implemented for security or privacy in response to an incident, or for compliance with regulatory requirements.

Because the deletion is irreversible and can override existing holds, the process requires multiple approvals and specific roles, and it is audited. After considering these safeguards, if your organization still has concerns about this capability, you can continue to use retention policies and retention labels to ensure a compliant deletion of content instead of using priority cleanup.

Under the covers, priority cleanup uses retention labels with auto-apply policies. However, you don't interact manually with these labels and policies, and they supersede the principles of retention to achieve the required expedited deletion.

Note

If an item is subject to multiple priority cleanups, the newest takes priority.

Important exceptions for priority cleanup:

  • You can't use priority cleanup for items that are marked as a record or regulatory record.

  • If an item identified for priority cleanup has a retention label applied, approval is needed from a retention management admin in addition to the specified priority cleanup admin.

  • If items approved for permanent deletion are part of an eDiscovery review set, they won't be deleted until the eDiscovery case is closed.

Similar to auto-apply retention labels, priority cleanup supports simulation, so you can check the returned samples in case the policy configuration needs any fine-tuning.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.

Prerequisites for priority cleanup

Make sure the following prerequisites are in place before you use priority cleanup to expedite the permanent deletion of sensitive data. These requirements cover permissions and approvers.

Because of the built-in safeguards, the feature itself is enabled by default at the tenant level. However, priority cleanup can be turned off on the priority cleanup settings page. If you can't create new priority cleanup policies, see the instructions for turning off the feature to check the status and reverse the configuration.

Note

A mailbox must have at least 10 MB data to support priority cleanup.

Permissions for priority cleanup

To successfully access and manage Priority cleanup in the Microsoft Purview compliance portal, users must have the Priority Cleanup Admin role. This role is required to create and manage priority cleanup policies, enable or disable the feature, or approve items within the initial approval stage. This role is automatically added to the Organization Management role group but must be manually added to any other role group.

Alternatively, the Priority Cleanup Viewer role allows only the visibility of priority cleanup policies and settings without the ability to make changes or create new policies.

Content Explorer List Viewer and Content Explorer Content Viewer roles are required to view item content and details in simulation mode and approval stages.

Required permissions for reviewers

The reviewer at each stage of the review process must have the correct permissions assigned before the policy can be created. If the reviewer at any stage does not have the correct permissions, policy creation will fail with an error.

Reviewer and required permissions:

  • Priority cleanup reviewer:

    • Priority Cleanup admin
    • Data Classification content viewer
    • Data Classification List viewer
    • Disposition management role
  • Retention hold reviewer:

    • Retention hold
    • Retention management
    • Data Classification content viewer
    • Data Classification List viewer
    • Disposition management role
  • eDiscovery hold reviewer:

    • Data Classification content viewer
    • Data Classification List viewer
    • Disposition management role
    • Search and purge
    • Hold
    • Review

For instructions to add users to the default roles or create your own role groups, use the following guidance:

Similar to records management disposition, each person that accesses the Priority cleanup > Pending cleanups page sees only items that they're assigned to approve. To monitor the end-to-end process of a priority cleanup, use auditing and the priority cleanup ID as a search term.

Approvers

As a safeguard against accidental or malicious deletions, each item subject to priority cleanup always requires at least one other person to approve the permanent deletion in addition to the person who created the priority cleanup policy. Approvers must be individual users. Mail-enabled security groups are not currently supported.

All reviewers must have the following roles assigned to them before the policy is created:

  • Data Classification Content Viewer
  • Data Classification List Viewer
  • Disposition Management

Additional roles that may be needed for each stage:

  • Stage one reviewer also requires the Priority Cleanup Admin role to review dispositions for priority cleanup.
  • If an item is also subject to retention settings from a retention label or retention policies, approval is also required from an admin who has the RetentionManagement role.
  • If an item is also subject to one or more eDiscovery holds, approval is also required from an admin who has the Review, Hold, and SearchAndPurge roles. All three roles are required.

Although you can specify multiple approvers for each stage (priority cleanup, retention, eDiscovery), just one person from each stage is required to approve for their stage.

Enable auditing

Make sure that auditing is enabled at least one day before you create the first priority cleanup policy. For more information, see Search the audit log.

Limitations of priority cleanup

  • Applicable for items in user and group Exchange mailboxes only. Items stored in SharePoint or OneDrive aren't currently supported.

  • For the KQL query, some properties and conditions supported by eDiscovery aren't supported by priority cleanup. These include SenderAuthor, SubjectTitle, (c:c), and (c:s).

  • In simulation mode, the priority cleanup policy might incorrectly show email items marked as records and regulatory records. These items aren't actually in scope for policy enforcement outside simulation mode.

  • Unlike disposition review for retention labels:

    • You can't customize the email notification
    • Approvers can't nominate additional approvers
    • There's no automatic approval after a specified period of time
  • If an approver doesn't agree to permanently delete an identified item, they must assign an existing retention label (any configuration) to the item. Make sure your approvers know which retention labels are suitable for this action.

  • Although you can delete a priority cleanup policy, if the approval process for it is complete, items might still be permanently deleted.

Create a priority cleanup policy

  1. Navigate to Priority cleanup:

  2. Enter a name and description for this priority cleanup policy, and then select Next. The name will be visible to end users, but the optional description is visible only to priority cleanup admins and the policy's specified approvers. This restriction means that any details you enter can be informative and specific, without worrying about unauthorized people seeing these details.

  3. For Choose where to apply the policy, select one of the available options:

    • All locations: The safest option if you're not sure where the content might be located. This selection will probably increase the time it takes for the policy to complete, but this disadvantage is an acceptable tradeoff if the content might have been forwarded to unidentified mailboxes.
    • Specific Exchange mailboxes defined by attributes or properties: For more targeted and dynamic application if you can identify characteristics of mailboxes where the content is located. For example, restricted to a specific region or department. You're asked to select an existing adaptive scope. Don't use this option if the adaptive scope could include more than 1,000,000 mailboxes.
    • Individual or multiple Exchange mailboxes: If you're including just a few mailboxes, this is the fastest application of the policy, but you must be confident that only the selected mailboxes contain the content you need to clean up. Or, you can use this option to exclude specific mailboxes that you know won't contain the content, with the result that the policy is quicker to apply than all locations. Don't specify more than 100 mailboxes.
  4. For the Choose where to apply priority cleanup page: Currently, only Exchange Online is supported.

  5. For the Tell us what you're looking for page, enter text into the KQL editor box to construct a query using Exchange email properties. You can refine your query by using search operators such as AND, OR, and NOT.

    For example, to find all content sent after February 2, 2024, with an attachment named ContosoEmployeeSalaries.xlsx: AttachmentNames:ContosoEmployeeSalaries.xlsx AND sent>=2024-02-02

    For more information about the query syntax that uses Keyword Query Language (KQL), see Keyword Query Language (KQL) syntax reference.

    This query-based policy uses the same search index as eDiscovery content search to identify content. For more information about the searchable properties that you can use for email, see Finding content in Exchange Online.

  6. For the Choose when content should be deleted page, choose whether to permanently delete the matched items as soon as possible or retain them for a specific period and then delete them. Most of the time, you'll select the first option so that you can delete the item as soon as possible. Use the alternative option only if the items should be retained for compliance reasons and you can't use a retention label for this purpose. For example, the item already has a retention label applied with a longer retention period.

    Note

    A priority cleanup policy overrides the principles of retention that normally determine when an item should be retained or permanently deleted.

  7. On the Assign who'll approve what gets deleted page, specify another priority cleanup approver, an approver for when an identified item has retention settings applied (such as a retention policy, retention label, or litigation hold policy), and an approver for when an identified item has one or more eDiscovery holds applied.

    • Priority cleanup admins: Must be assigned the Priority Cleanup Admin role; these users are the first-stage approvers for all priority cleanups for this policy. This should be a different person from the user who created the priority cleanup policy, but this isn't enforced.
    • Retention managers: Must be assigned the Retention Management role. Approval from specified users is required if the identified content is subject to one or more retention policies or Litigation holds.
    • eDiscovery admins: Must be assigned the eDiscovery Administrator role. Approval from specified users is required if the identified content is subject to one or more eDiscovery holds.
  8. For the Choose the policy mode page, choose whether to run the policy first in simulation mode or turn it on, or neither for the time being.

    Running the policy in simulation mode necessarily delays the permanent deletion. However, simulation mode adds the precautionary step of letting you check that the returned samples match your query, in case you need to fine-tune the query before the approval stages. It also means that you can check the query and sample results with somebody other than another specified approver.

  9. Specific to priority cleanup, you must acknowledge by selecting a checkbox that you understand how this policy can override eDiscovery holds and other applied retention settings.

  10. On the Your priority cleanup policy has been created page, you see the Cleanup ID that's used to track and monitor this policy. Use the Copy function, or copy it later from the policy details so you can monitor the progress of this policy from auditing details.

If you chose to run the policy in simulation mode:

  • You might need to wait a couple of hours for results, depending on the number of mailboxes to search.
  • You can turn on the policy for up to seven days. After seven days, the simulation must be restarted.

If you turn on the policy, as with auto-apply retention label policies, it can take up to seven days to apply the policy to items and trigger the approval process.

Approval process for a priority cleanup policy

When the priority cleanup policy is turned on and items are identified, approvers for the policy are notified by email, with a reminder once a week. They can click the link in the notification and reminder emails to go directly to the Data lifecycle management > Priority cleanup > Pending cleanups page in the portal to review the content to approve. Alternatively, the approvers can manually navigate to this page in the portal.

To implement the two-person rule as a security control, each priority cleanup always requires another priority cleanup admin to approve the permanent deletion of identified items. Then, if the items have retention settings applied, they require a next-stage approval from retention admins. Finally, if the items are included in an eDiscovery hold, they also require another approval from an eDiscovery admin. When all the required approvals are complete, items are permanently deleted and can't be restored by users, by admins, or by Microsoft.

On the Pending cleanups page, items identified by a priority cleanup policy are listed with a status of Pending disposition and an estimated count of how many items are identified. These might be different items, or the same item in multiple mailboxes.

When the approver selects one of the list items, the next page shows them the individual items with the item names, locations, and senders. When an item is selected, the preview pane displays the item's subject, source, details, and history. The history displays any priority cleanup approvals to date for that item, with approver comments if available.

After reviewing all the items, the approver can individually or multi-select them, and select Approve disposal. They must then acknowledge the action with an optional comment, and select Apply.

Alternatively, if the item shouldn't be permanently deleted as soon as possible, the approver must select Relabel, and select an existing retention label.

Items that are approved or relabeled are then moved to the Disposed items tab. Allow up to seven days for items to be permanently deleted.

Export the views

An approver can use the Export option from the Pending cleanups and Disposed items pages to export information about the items in either view as a .csv file that they can then sort and manage with Excel.

How to monitor priority cleanup

You can monitor the status of priority cleanups for each policy from Data lifecycle management > Priority cleanup. For example, the status displays In simulation, or Enabled (Pending), which changes to Enabled (Success).

Use the details of a policy to identify its cleanup ID, and paste this value as a keyword search string in the audit log search. If you narrow the search by date range, remember to specify the dates in UTC.

Auditing results include:

  • The creation, editing, and deletion of a priority cleanup policy

  • When an item is identified for priority cleanup, and if this resulted in removing an existing retention label

  • The approval or relabel action by each approver

  • The permanent deletion of an item by priority cleanup
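The same audit trail can be pulled from Exchange Online PowerShell instead of the portal. The following script is an added example and is not part of the Microsoft documentation; it assumes the Exchange Online PowerShell module is installed, that your account holds an audit-reading role, and that the cleanup ID shown is a placeholder you replace with the value copied from the policy details.

```powershell
# Added example (not from the Microsoft docs page): build a timeline of audit
# events for one priority cleanup by searching the unified audit log for its
# Cleanup ID. Assumes the Exchange Online PowerShell module is installed and
# your account can read the audit log.
Connect-ExchangeOnline

# Placeholder, not a real ID: copy the Cleanup ID from the policy details page.
$cleanupId = '<paste-Cleanup-ID-from-policy-details>'

# The audit log search expects UTC; build the window explicitly in UTC rather
# than in the local time zone of the admin workstation.
$end   = [DateTime]::UtcNow
$start = $end.AddDays(-30)

# -FreeText matches the Cleanup ID anywhere in the record, so one query returns
# policy creation/edit events, each approval or relabel, and the final deletion.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -FreeText $cleanupId -ResultSize 5000

# Each record carries its details as JSON in AuditData; expand the fields a
# reviewer tracking the approval chain cares about. Operation names are not
# filtered here because the docs page doesn't list them for priority cleanup.
$timeline = foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc    = $e.CreationDate
        Operation  = $e.Operations
        User       = $e.UserIds
        RecordType = $e.RecordType
        Workload   = $data.Workload
    }
}

# Oldest event first gives the end-to-end story: identified, approved, deleted.
$timeline | Sort-Object TimeUtc | Format-Table -AutoSize

# Keep a copy alongside the approver's exported .csv views for the incident record.
$timeline | Sort-Object TimeUtc |
    Export-Csv -Path '.\priority-cleanup-audit.csv' -NoTypeInformation
```

Because the approval chain can span several days, widen the date window if the first run returns only the policy-creation events.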

The end user experience for priority cleanup

Because priority cleanup doesn't use a soft-delete process, users see a Retention: message bar on their emails in Outlook when they're identified for priority cleanup. They also see the name of the priority cleanup policy, then (-1 days) to indicate that it should be deleted as soon as possible, and an estimated expiry day and time based on that -1 days.

For example, if your priority cleanup policy is named "Cleanup policy test":

Retention: Cleanup policy test (-1 days) Expires: Thu 2/62024 AM

Tip

If you prefer end users to not see the retention message, you can achieve this by first using eDiscovery search and purge that soft-deletes items. When that completes, then apply the priority cleanup policy to permanently delete the soft deleted items.

After the final priority cleanup approval, the item silently disappears from Outlook.

Turn off priority cleanup for the tenant

After considering the safeguards of additional permissions and multiple approvals, if your organization still has concerns about this capability, you can turn off the ability to create priority cleanup policies:

  1. Navigate to Priority cleanup:

  2. From the top right, select Priority cleanup settings.

  3. From the Configuration page, turn off the control for priority cleanup, and select Save.

New priority cleanup policies can't be created until you turn on the control and select Save again.

If priority cleanup policies are already created when you turn off the control:

  • Existing priority cleanup policies continue to function

  • Existing priority cleanup policies can be deleted

  • Existing priority cleanup policies can't be modified