• Home
  • Blog
  • Technical
  • What is the difference between an Archive, a Journal and Litigation Hold?

What is the difference between an Archive, a Journal and Litigation Hold?

Back to Blog
24Aug2017

What is the difference between an Archive, a Journal and Litigation Hold?

As I’ve been helping organizations navigate the complexities of Exchange Online and compliance, this question has come up a few times. “What is the difference between an archive and a journal?” I also hear, “What is the difference between a journal and litigation hold?” And finally “What is the difference between litigation hold and an archive?

Some organizations are already doing one or more of these things for different reasons, and it can be a bit confusing because sometimes a company has something they call an archive informally, but it’s really just journal rules in place on the Exchange server, which send copies of  messages to another location, like a journal mailbox or third party service that keeps a journal for them. If you have to talk to your clients or users about these features, here is how to do it.

The term “Archive” in Exchange and Exchange Online

An archive is simply a “long term storage” mailbox. Just enabling this feature has nothing to do with compliance whatsoever. If archiving is enabled, it does not mean that every single email is kept forever–it just gives users another place to put their old mail data, so it doesn’t count against their mailbox quota (at the time of this writing the maximum allowed mailbox size in Exchange Online is 50 GB per user for Exchange Online Plan 1 / Business subscriptions, and 100 GB for plan 2 / Enterprise).

You can turn archiving on per user, by going to Exchange Admin Center > recipients > mailboxes. Edit any of the mailboxes and select mailbox features from the left menu.

Scroll down to find the option to enable archiving.

What this does, is create a new “archive” mailbox for the user.  Also, the behavior of the mailbox will change based on whatever archive policy you configure. The default policy in Exchange Online behaves like this:

  • Moves items that are two years or older from a user’s primary mailbox to their archive mailbox.
  • Moves items that are 14 days or older from the Recoverable Items folder in the user’s primary mailbox to the Recoverable Items folder in their archive mailbox.

Note: The “archive” mailbox will not be counted toward quota. In fact, in Exchange Online, the archive size is unlimited. The current record that I’ve encountered during my days as a consultant was at a law firm where partners had mailboxes in excess of 80 GB (the largest I’ve seen was 85 GB to be precise), and no archive enabled. This meant they could not even migrate their on-premises mailboxes to Office 365 without first archiving a bunch of their old data.

You can enable archiving with Exchange Server Enterprise edition or a qualifying Exchange Online Enterprise plan (such as E1, E3, etc.). I always recommend E3 to my customers who have heavy compliance requirements (but again, an archive doesn’t help you with compliance).

What is a Journal?

A journal is very different from an archive. With a journal, messages can be written to another location (in other words, copies of the messages are sent to another destination, besides the intended destination or mailbox). This can be helpful for compliance requirements, because it provides the organization with another source of truth, to so speak. If an email message has been deleted from a mailbox (or the mailbox no longer exists at an organization), then the journal will still be able to produce these messages, assuming the journal rule was functioning at the time.

You can find the journal rules under Exchange Admin Center > compliance management. From here, you can create whatever rules will best match your compliance requirements. As an example, you may need to journal just a single mailbox, a group, or the entire organization. You may need to include messages sent internally or externally only. Often, we see organizations journal every message for the entire organization, to some third party service somewhere.

Litigation hold (and In-Place hold)

There are actually two types of “hold” in Exchange.

  1. Litigation hold: This feature places an entire mailbox on hold, meaning that it doesn’t change, and deleted items are kept (even if they appear to be deleted from the user’s perspective). All of its contents are preserved as-is, and are searchable by an eDiscovery admin, who in turn uses a query to retrieve messages.
  2. In-place hold: The scope of an in-place hold is more narrow than that of litigation hold. With in-place holds, any given mailbox could be placed under one or more holds using specific search criteria that you define with the In-place eDiscovery tool.

A “hold” is technically designed to be temporary–it is most useful when an organization is undergoing active litigation (or there is reasonable expectation for a legal battle on the horizon). When these circumstances exist, you can place any mailbox under “hold.” But holds can also be placed on mailboxes indefinitely. Here are some important notes about holds:

  • If you place a hold on a user’s mailbox, it will apply to their primary and archive mailbox
  • Retention policies are not suspended; they will continue to function as usual
  • Deleting a user whose account is on hold will convert the mailbox to an inactive mailbox–it will not be visible in the GAL, it cannot receive any new emails, but is still “discoverable” until the hold is removed.

Note that litigation hold is another feature which is only available with Enterprise editions of Exchange Server or Exchange Online. Again, you can turn this on per mailbox, in the same area where you enable archiving. Just find and edit the mailbox for which you want to enable the hold, under mailbox features.

Conclusions

You might be thinking that litigation hold accomplishes the same thing as a journal, and is equally useful for compliance. That’s not really true though, as entire mailboxes can still be deleted from an organization, regardless of whether they are on hold or not. And after a user account has been deleted, the contents of that mailbox are no longer searchable.  By contrast, the journal will retain copies of messages, period. If a user no longer exists at an organization, their messages will still show up in that journal, even though they would be missing from the eDiscovery query results.

So if you are concerned about meeting compliance requirements, you’re probably looking for a journal-based solution. If you’re trying to retain evidence for building or defending a legal case, litigation hold is a useful tool. And archives are just storage containers.

Oh yeah, and none of these things help you with security–just another friendly reminder that compliance and security are not the same thing.

Technical , , , , 4 Comments
Share:

Comments (4)

  • Chris Claessens Reply

    Nice and useful explanation Alex, thx!

    August 24, 2017 at 9:11 am
  • Jesus Gonzalez Reply

    Thanks Alex, very concise.

    Jesus

    June 18, 2018 at 2:04 am
  • Jon Reply

    Lit hold mailboxes that have had the user acct deleted are still searchable via ediscovery and can be kept indefinitely that way if desired. So in many ways, lit hold and journaling are the same.
    Other then that. Great article.

    January 29, 2019 at 8:55 pm
  • D Reply

    Thanks, great explanation.

    July 13, 2022 at 11:56 am

Leave a Reply

Back to Blog

Related Posts

01Apr

Still Considering Office 365 E3? Think again.

I have a previous article on this topic, but the Microsoft 365 Business SKU seems to be getting new features left and right all the time. Recently we had the addition of password write-back (enabling self-service resets for hybrid users), which was a feature... read more
12Dec

Navigating Device management in Microsoft 365: Registered vs. Joined vs. Hybrid Joined… and Intune

Device management is not a straightforward thing in Azure AD.  I think that one major point of confusion for people is understanding the difference between various device states--for example, what is the difference between a device which is merely registered with Azure AD, versus one... read more
12Jan

Monitoring identity, cloud apps and email at different service tiers

Today I want to give you two ideas that you can take to your customers as new offerings. Some of you may already be doing some form of this, but based on my recent survey results, identity protection and monitoring in the cloud is still... read more
30Jun

Troubleshooting weird Azure AD Join issues

If you are starting to do more Azure AD Join (or disjoin/rejoin) operations, you may run into some issues at times where the computer reports an error. These can take several forms, but generally the message is, "Sorry dude, but you can't join/register this device." Here... read more
08Apr

Updated! Checklist co-developed with Microsoft: Set up your SMB customers for secure remote working

I had the great pleasure to participate in a webinar today with David Bjurman-Birr (Partner Architect) and Jon Orton (Director of Product Marketing for Microsoft 365 SMB). David and I recently developed a checklist together for Microsoft 365 Business Premium, aimed at helping partners who... read more
13Nov

Deploying Microsoft Office applications using Microsoft 365 Business (and Intune)

Microsoft 365 Business is an excellent subscription--the best bundle available for the money in my opinion (in the SMB space).  One of the benefits of this subscription is the ease of deployment for Office 365 Business (the desktop apps)--shaving precious time off any new PC... read more
06Mar

Can OneDrive and SharePoint replace my file server? Probably, with Files On-Demand.

The real answer to this question is: it depends. But the shorter version is: probably. You'll just want to enable Files On-Demand first.* OneDrive has been great for personal files for a long time--I usually recommend clients start by replacing redirected "Documents" folders with OneDrive for... read more
20Jul

How to Encrypt your Hyper-V Host Server using the GUI

Full disk encryption is becoming more important in the SMB.  I recommend this for every Windows 10 Pro PC, and also for your Windows Servers. Small businesses often have a single physical Hyper-V host server, maybe two. And these are usually located in a network... read more
The Underwhelming MAM for Edge
22Aug

The Underwhelming MAM for Edge and What Else We Can Do

A while back I had written about a solution that I have been anxiously awaiting since its announcement: MAM for Edge on Windows. Let me explain the background a bit. We used to have Windows Information Protection (WIP). Well, we still have it for enrolled devices,... read more
01Aug

Hyper-V Failover Cluster: Affordable HA for the SMB

Next to Office 365, virtualization is still the number one recommendation I make to small businesses. It's a no-brainer. Enabling Hyper-V opens up so many great opportunities--grow your server's CPU, RAM or storage on the fly, perform host-level backups, Live Migrate to new hardware with no downtime, use... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me