What is the difference between an Archive, a Journal and Litigation Hold?
Alex Fields
As I’ve been helping organizations navigate the complexities of Exchange Online and compliance, this question has come up a few times. “What is the difference between an archive and a journal?” I also hear, “What is the difference between a journal and litigation hold?” And finally “What is the difference between litigation hold and an archive?”
Some organizations are already doing one or more of these things for different reasons, and the terminology gets confusing. Sometimes a company informally calls something an archive when it is really just journal rules in place on the Exchange server, which send copies of messages to another location, such as a journal mailbox or a third-party service that keeps a journal for them. If you have to talk to your clients or users about these features, here is how to do it.
The term “Archive” in Exchange and Exchange Online
An archive is simply a “long term storage” mailbox. Just enabling this feature has nothing to do with compliance whatsoever. If archiving is enabled, it does not mean that every single email is kept forever–it just gives users another place to put their old mail data, so it doesn’t count against their mailbox quota (at the time of this writing the maximum allowed mailbox size in Exchange Online is 50 GB per user for Exchange Online Plan 1 / Business subscriptions, and 100 GB for plan 2 / Enterprise).
You can turn archiving on per user, by going to Exchange Admin Center > recipients > mailboxes. Edit any of the mailboxes and select mailbox features from the left menu.
Scroll down to find the option to enable archiving.
This creates a new “archive” mailbox for the user. The behavior of the mailbox also changes based on whatever archive policy you configure. The default policy in Exchange Online behaves like this:
- Moves items that are two years or older from a user’s primary mailbox to their archive mailbox.
- Moves items that are 14 days or older from the Recoverable Items folder in the user’s primary mailbox to the Recoverable Items folder in their archive mailbox.
Note: The “archive” mailbox will not be counted toward quota. In fact, in Exchange Online, the archive size is unlimited. The current record that I’ve encountered during my days as a consultant was at a law firm where partners had mailboxes in excess of 80 GB (the largest I’ve seen was 85 GB to be precise), and no archive enabled. This meant they could not even migrate their on-premises mailboxes to Office 365 without first archiving a bunch of their old data.
You can enable archiving with Exchange Server Enterprise edition or a qualifying Exchange Online Enterprise plan (such as E1, E3, etc.). I always recommend E3 to my customers who have heavy compliance requirements (but again, an archive doesn’t help you with compliance).
What is a Journal?
A journal is very different from an archive. With a journal, messages can be written to another location (in other words, copies of the messages are sent to another destination, besides the intended destination or mailbox). This can be helpful for compliance requirements, because it provides the organization with another source of truth, so to speak. If an email message has been deleted from a mailbox (or the mailbox no longer exists at an organization), then the journal will still be able to produce these messages, assuming the journal rule was functioning at the time.
You can find the journal rules under Exchange Admin Center > compliance management. From here, you can create whatever rules will best match your compliance requirements. As an example, you may need to journal just a single mailbox, a group, or the entire organization. You may need to include messages sent internally or externally only. Often, we see organizations journal every message for the entire organization, to some third party service somewhere.
Litigation hold (and In-Place hold)
There are actually two types of “hold” in Exchange.
- Litigation hold: This feature places an entire mailbox on hold, meaning that it doesn’t change, and deleted items are kept (even if they appear to be deleted from the user’s perspective). All of its contents are preserved as-is, and are searchable by an eDiscovery admin, who in turn uses a query to retrieve messages.
- In-place hold: The scope of an in-place hold is more narrow than that of litigation hold. With in-place holds, any given mailbox could be placed under one or more holds using specific search criteria that you define with the In-place eDiscovery tool.
A “hold” is technically designed to be temporary–it is most useful when an organization is undergoing active litigation (or there is reasonable expectation for a legal battle on the horizon). When these circumstances exist, you can place any mailbox under “hold.” But holds can also be placed on mailboxes indefinitely. Here are some important notes about holds:
- If you place a hold on a user’s mailbox, it will apply to their primary and archive mailbox
- Retention policies are not suspended; they will continue to function as usual
- Deleting a user whose account is on hold will convert the mailbox to an inactive mailbox–it will not be visible in the GAL, it cannot receive any new emails, but is still “discoverable” until the hold is removed.
Note that litigation hold is another feature which is only available with Enterprise editions of Exchange Server or Exchange Online. Again, you can turn this on per mailbox, in the same area where you enable archiving. Just find and edit the mailbox for which you want to enable the hold, under mailbox features.
You might be thinking that litigation hold accomplishes the same thing as a journal, and is equally useful for compliance. That’s not really true though, as entire mailboxes can still be deleted from an organization, regardless of whether they are on hold or not. And after a user account has been deleted, the contents of that mailbox are no longer searchable. By contrast, the journal will retain copies of messages, period. If a user no longer exists at an organization, their messages will still show up in that journal, even though they would be missing from the eDiscovery query results.
So if you are concerned about meeting compliance requirements, you’re probably looking for a journal-based solution. If you’re trying to retain evidence for building or defending a legal case, litigation hold is a useful tool. And archives are just storage containers.
Oh yeah, and none of these things help you with security–just another friendly reminder that compliance and security are not the same thing.
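An added example, not part of the original article: a PowerShell function that reports, per mailbox, which of the three features actually applies, so an "archive" is not mistaken for preservation. Property names follow `Get-Mailbox` and `Get-JournalRule` output; the function name `Get-RetentionPosture`, the sample mailboxes and the sample rule are constructed for illustration, and journal rules scoped to a group are not expanded.

```powershell
# Added example. Sample objects are constructed so this runs without a tenant.
function Get-RetentionPosture {
    param(
        [Parameter(Mandatory)] [object[]] $Mailbox,
        [object[]] $JournalRule = @()
    )
    # Only enabled journal rules count toward coverage.
    $activeRules = @($JournalRule | Where-Object { $_.Enabled })
    foreach ($mbx in $Mailbox) {
        # A rule with no Recipient journals every mailbox in the organization.
        $journaled = [bool]($activeRules | Where-Object {
            -not $_.Recipient -or "$($_.Recipient)" -eq "$($mbx.PrimarySmtpAddress)"
        })
        # Either hold type preserves items in place.
        $inPlace = @($mbx.InPlaceHolds | Where-Object { $_ }).Count -gt 0
        [pscustomobject]@{
            Mailbox   = "$($mbx.PrimarySmtpAddress)"
            Archive   = ($mbx.ArchiveStatus -eq 'Active')            # storage only
            OnHold    = ([bool]$mbx.LitigationHoldEnabled -or $inPlace)
            Journaled = $journaled                                   # copy kept elsewhere
        }
    }
}

# Constructed sample data shaped like Get-Mailbox / Get-JournalRule output.
$sampleMailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'partner@contoso.example'
                       ArchiveStatus = 'Active'; LitigationHoldEnabled = $false; InPlaceHolds = @() }
    [pscustomobject]@{ PrimarySmtpAddress = 'legal@contoso.example'
                       ArchiveStatus = 'None';   LitigationHoldEnabled = $true;  InPlaceHolds = @() }
    [pscustomobject]@{ PrimarySmtpAddress = 'sales@contoso.example'
                       ArchiveStatus = 'None';   LitigationHoldEnabled = $false; InPlaceHolds = @() }
)
$sampleRules = @(
    [pscustomobject]@{ Name = 'Journal legal'; Recipient = 'legal@contoso.example'; Enabled = $true }
)

Get-RetentionPosture -Mailbox $sampleMailboxes -JournalRule $sampleRules |
    Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline):
#   Get-RetentionPosture -Mailbox (Get-Mailbox -ResultSize Unlimited) `
#                        -JournalRule (Get-JournalRule)
```

In the sample, the first mailbox has an archive but is neither on hold nor journaled, which is the case the article describes as storage with no compliance value.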
Nice and useful explanation Alex, thx!
Thanks Alex, very concise.
Lit hold mailboxes that have had the user acct deleted are still searchable via ediscovery and can be kept indefinitely that way if desired. So in many ways, lit hold and journaling are the same.
Other than that, great article.
Thanks, great explanation.