1. What is the business problem that In-Place Archiving in Exchange solves, and how does it work for the end-user?
In-Place Archiving solves the compliance and data management problem caused by users storing company data in local .pst files to avoid mailbox size limits. This practice leads to unmanaged files, increased eDiscovery costs, and data theft risks. It works by creating an additional “archive mailbox” visible in the user’s Outlook and Outlook on the web. Users can then move older items to this archive mailbox either manually or via an archive policy, eliminating the need for .pst files and keeping all data within the manageable Exchange environment.
2. Explain the real-time process an email item goes through from initial deletion by a user to being processed by the Recoverable Items folder.
When a user first deletes an item, it moves to the “Deleted Items” folder. If the user empties the “Deleted Items” folder or uses Shift+Delete, the item bypasses the normal folders and moves directly into the Recoverable Items folder, which resides in a non-visible part of the mailbox (the non-IPM subtree). This folder protects against accidental or malicious deletion and is used by features like In-Place Hold and Litigation Hold.
3. What is the key difference in purpose between Retention Policies in Purview and Messaging Records Management (MRM) policies in Exchange?
Purview Retention Policies are primarily for compliance and legal reasons, designed to preserve or delete content across multiple Microsoft 365 services (SharePoint, Teams, Exchange, etc.) to meet regulatory requirements. In contrast, Exchange MRM policies are focused on mailbox management, helping users manage mailbox quotas and performance by moving older items from the primary mailbox to the archive mailbox or deleting them after a certain period.
4. Describe the three types of Exchange Retention Tags and how they interact.
The three types are:
- Default Policy Tag (DPT): Applies to the entire mailbox for any items that don’t have another tag applied.
- Retention Policy Tag (RPT): Applies to default folders like Inbox, Sent Items, and Deleted Items.
- Personal Tag: Available for users in Outlook to apply manually to individual items or custom folders, overriding any DPT or RPT.
A Retention Policy groups these tags and is assigned to a mailbox.
5. A document in SharePoint is subject to two retention policies: one that retains it for five years and another that deletes it after three years. What happens to the document at the three-year mark?
Retention wins over deletion. At the three-year mark, the document will be deleted from the user’s view, but a copy will be preserved in a secure location (the Recoverable Items folder or Preservation Hold library). It will remain there until it reaches the five-year retention period, at which point it will be permanently deleted.
6. How does a retention policy work in real-time when a user edits or deletes a file in a SharePoint site that is included in the policy?
When a user tries to edit or delete a file, the policy checks if the content has changed since the policy was applied. If it’s the first change, a copy of the original content is saved to a special, hidden library called the Preservation Hold library. The user is then allowed to proceed with editing or deleting the original file, often without knowing their content is subject to a policy.
7. Why must an organization create a “file plan” before implementing In-Place Records Management in SharePoint?
A file plan is essential for a successful records management implementation. It is a planning document that defines what information should be considered a record, where records are stored, their retention periods, and who is responsible for managing them. Without this plan, an organization cannot ensure that it is categorizing and retaining documents appropriately to meet legal, business, or regulatory requirements.
8. An organization is deciding between managing records “in-place” versus using a separate “Records Center” site in SharePoint. What is a key question they should ask to make this decision?
A key question is: “How long will the collaboration site be in use?” If records must be kept for longer than the project is ongoing, selecting an in-place records management strategy means the collaboration site must be maintained even after it’s no longer actively used, which can be an administrative burden. Other important questions include whether regulations mandate record separation and whether site administrators can be trusted to manage records.
9. Explain event-driven retention with a real-time example, such as an employee leaving the company.
Event-driven retention starts a retention period based on an event rather than the content’s creation date. For an employee leaving:
- Employee records (like performance reviews) are given a label configured for the “Employee Departure” event type.
- When an employee leaves, a records manager creates an event in the system, specifying the employee’s ID as the “asset ID” and their departure date.
- This event triggers the start of the retention period (e.g., 10 years) for all documents that have that specific label and the matching employee asset ID.
10. How is the retention age of an item calculated differently in Exchange (by the Managed Folder Assistant) versus in Microsoft Purview?
In Exchange, the Managed Folder Assistant calculates retention age from the date of delivery or creation. It runs on a cycle (e.g., every seven days), so items may be processed up to seven days after their stamped expiration date. In the Security & Compliance Center (SCC), administrators have more control and can choose to calculate the retention period based on either when the content was created or when it was last modified.
11. What is an “ethical wall” in Exchange, and how is it implemented?
An ethical wall is a restriction that prevents email communication between specific groups of users to avoid conflicts of interest, such as between a company’s marketing and finance departments. It is implemented by creating an Exchange transport rule. Typically, you define the two groups (e.g., as distribution groups) and create a rule that blocks or moderates any message sent between members of those groups.
12. When setting up an ethical wall, what action can a transport rule take on a message that violates the policy? Describe two options.
The two main actions are:
- Block: The message is rejected, and a non-delivery report (NDR) is sent back to the sender. You can customize the NDR text to explain why the message was blocked, referring to company policy.
- Moderate: The message is not delivered immediately but is sent to a designated moderator for approval. The moderator can then approve or reject the message. If approved, it gets delivered to the recipient.
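The ethical wall from questions 11 and 12 as an Exchange Online transport rule, covering both the Block and the Moderate action. This is an added example, not part of the original answers; the group addresses, moderator mailbox, rule name and NDR text are constructed placeholders.

```powershell
# Added example. Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).
# All addresses and names below are constructed placeholders.
$groupA        = 'marketing-dg@contoso.example'   # assumption: existing distribution group
$groupB        = 'finance-dg@contoso.example'     # assumption: existing distribution group
$moderator     = 'compliance@contoso.example'     # assumption: moderator mailbox
$useModeration = $false                           # $false = Block, $true = Moderate
$enforceNow    = $false                           # set to $true after reviewing audit results

$rule = @{
    Name             = 'Ethical wall - Marketing and Finance'
    # BetweenMemberOf1/2 matches mail in either direction between the two groups.
    BetweenMemberOf1 = $groupA
    BetweenMemberOf2 = $groupB
    # Start in Audit mode: matches are logged, but no action is taken on the message.
    Mode             = 'Audit'
    Comments         = 'Conflict-of-interest separation; owner: compliance team'
}

if ($useModeration) {
    # Moderate: hold the message until the moderator approves or rejects it.
    $rule.ModerateMessageByUser = $moderator
} else {
    # Block: reject with an NDR that explains the policy to the sender.
    $rule.RejectMessageReasonText         = 'Blocked by company policy: Marketing and Finance may not exchange email.'
    $rule.RejectMessageEnhancedStatusCode = '5.7.1'
}

New-TransportRule @rule

if ($enforceNow) {
    # Switch from logging only to applying the Block or Moderate action.
    Set-TransportRule -Identity $rule.Name -Mode Enforce
}

# Confirm what was created and in which mode it is running.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, BetweenMemberOf1, BetweenMemberOf2
```

Running the rule in Audit mode first shows which messages would have been stopped before any user receives an NDR or a moderation delay.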
13. What is the purpose of Compliance Manager, and how does it help an organization with regulations like GDPR?
Compliance Manager is a dashboard in Microsoft 365 that helps organizations manage their compliance posture. It performs a risk assessment for regulations like GDPR against Microsoft cloud services. It works by detailing Microsoft-managed controls (what Microsoft does for compliance) and customer-managed controls (what the organization is responsible for). It provides recommended actions and a workflow to track implementation, helping to simplify the audit process.
14. What is a Data Subject Request (DSR) under GDPR, and which tool in Microsoft 365 is designed to manage these requests?
A DSR is a formal request from an individual (a “data subject”) for an organization to take action on their personal data, such as accessing, correcting, or deleting it. To manage these investigations, you use the DSR case tool in the Security & Compliance Center. This tool allows you to create a case, search for the data subject’s content across all Microsoft 365 services (mailboxes, SharePoint, Teams), and export the data to fulfill the request.
15. Explain the difference between Office 365 labels and Azure Information Protection (AIP) labels for protecting personal data subject to GDPR.
Office 365 labels are recommended for personal data within SharePoint and OneDrive because they work with services like eDiscovery and DLP without encrypting the content in a way that makes it unreadable to the service. AIP labels are recommended for highly regulated files that require strong Azure RMS encryption, especially for files on-premises or in other cloud services. Using AIP encryption on files in Office 365 can prevent services from finding sensitive data within them.
16. An administrator needs to create and publish hundreds of retention labels. What is a more efficient method than using the UI for each one?
Instead of creating labels one-by-one in the UI, a more efficient method is to use PowerShell in combination with a .csv file. The administrator can list all the required labels and label policies in a spreadsheet, save it as a .csv file, and then use a script to bulk create and publish all of them at once.
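A sketch of the CSV-driven approach, added here as an example and not taken from the original answer. The column names, label names and policy names are constructed; the script uses the Security & Compliance PowerShell cmdlets New-ComplianceTag, New-RetentionCompliancePolicy and New-RetentionComplianceRule.

```powershell
# Added example. Requires a Security & Compliance PowerShell session (Connect-IPPSSession).
# Constructed sample input; in practice use: $rows = Import-Csv .\labels.csv
$rows = @'
Name,Comment,IsRecordLabel,RetentionAction,RetentionDuration,RetentionType,PolicyName
HR-Reviews-7y,Performance reviews,false,KeepAndDelete,2555,CreationAgeInDays,Publish-HR-Labels
HR-Contracts-10y,Employment contracts,true,KeepAndDelete,3650,CreationAgeInDays,Publish-HR-Labels
Fin-Invoices-7y,Supplier invoices,false,KeepAndDelete,2555,ModificationAgeInDays,Publish-Finance-Labels
'@ | ConvertFrom-Csv

# Step 1: create each label unless one with that name already exists.
foreach ($row in $rows) {
    if (Get-ComplianceTag -Identity $row.Name -ErrorAction SilentlyContinue) {
        Write-Warning "Label '$($row.Name)' already exists; skipping creation."
        continue
    }
    New-ComplianceTag -Name $row.Name -Comment $row.Comment `
        -IsRecordLabel ([System.Convert]::ToBoolean($row.IsRecordLabel)) `
        -RetentionAction $row.RetentionAction `
        -RetentionDuration $row.RetentionDuration `
        -RetentionType $row.RetentionType | Out-Null
}

# Step 2: one label policy per PolicyName value, publishing every label listed for it.
foreach ($group in ($rows | Group-Object PolicyName)) {
    if (-not (Get-RetentionCompliancePolicy -Identity $group.Name -ErrorAction SilentlyContinue)) {
        # Locations set to All for brevity; scope them to match the file plan.
        New-RetentionCompliancePolicy -Name $group.Name `
            -ExchangeLocation All -SharePointLocation All -OneDriveLocation All | Out-Null
    }
    foreach ($row in $group.Group) {
        New-RetentionComplianceRule -Policy $group.Name -PublishComplianceTag $row.Name | Out-Null
    }
}

# Review the result before telling users the labels are available.
Get-ComplianceTag | Sort-Object Name |
    Format-Table Name, RetentionAction, RetentionDuration, RetentionType, IsRecordLabel
```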
17. A user reports that a retention policy doesn’t seem to be working on their mailbox, which is very small. What is a likely cause and the solution?
A likely cause is that the MRM retention policy in Exchange Online does not automatically run for mailboxes smaller than 10 MB. To fix this, an administrator must manually trigger the policy for that mailbox by running the Start-ManagedFolderAssistant -Identity <mailbox> cmdlet in PowerShell.
18. Policy tips are not appearing for a user in Outlook 2016. What are two potential causes an administrator should investigate?
Two potential causes are:
- The full Microsoft Office Professional Plus suite is not installed. Outlook relies on components from other Office programs for policy tips to function, so a standalone installation will not work.
- The policy tip settings are disabled in Outlook. The user’s Outlook options must have “Policy tip notification” enabled under MailTips Options.
19. When would you use Content Search instead of a full eDiscovery case?
You would use Content Search for quick, broad searches across Microsoft 365 when you don’t need the full case management features of eDiscovery. It is ideal for scenarios like finding all instances of a credit card number for a DLP project or running very large searches across all mailboxes and sites, as it has no limits on the number of locations you can search in a single query.
20. A compliance officer needs to find and delete a phishing email that was sent to thousands of users. How can this be accomplished using Content Search tools?
The process is:
- First, create and run a Content Search in the Security & Compliance Center with a query that specifically identifies the phishing message (e.g., by subject line and sender).
- Refine the search to ensure only the malicious messages are returned.
- Finally, connect to Security & Compliance Center PowerShell and run the New-ComplianceSearchAction -Purge cmdlet, referencing the name of the search. This will delete the messages from all user mailboxes and move them to the Recoverable Items folder.
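The same three steps run end to end from Security & Compliance PowerShell, as an added example that is not part of the original answer. The search name, sender, subject, date and the sanity threshold are constructed values.

```powershell
# Added example. Requires Connect-IPPSSession and an account holding the
# "Search And Purge" role. All values below are constructed placeholders.
$name        = 'Phish-Purge-Example'
$query       = '(from:"billing@phish.example") AND (subject:"Invoice overdue - action required") AND (received>=2024-05-01)'
$expectedMax = 5000   # assumption: upper bound on how many copies were delivered

# Step 1: create and run the search across all mailboxes.
New-ComplianceSearch -Name $name -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $name

# Wait for the search to finish before reading its statistics.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $name
} while ($search.Status -ne 'Completed')

# Step 2: check the hit count before deleting anything. An unexpectedly large
# count usually means the query is too broad and matches legitimate mail.
'{0} items matched ({1} bytes)' -f $search.Items, $search.Size
if ($search.Items -eq 0) {
    throw 'No items matched; check the sender, subject and date in the query.'
}
if ($search.Items -gt $expectedMax) {
    throw "Matched $($search.Items) items, more than expected; refine the query first."
}

# Step 3: purge. SoftDelete moves the messages to Recoverable Items, so they
# remain recoverable until the deleted item retention period expires.
# The cmdlet prompts for confirmation; that prompt is left in place on purpose.
# Note: each purge run removes at most 10 items per mailbox.
New-ComplianceSearchAction -SearchName $name -Purge -PurgeType SoftDelete

# The purge action is named "<search name>_Purge"; check that it completed.
Get-ComplianceSearchAction -Identity "${name}_Purge" | Format-List Status, Results
```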
21. What is search permissions filtering and why is it useful?
Search permissions filtering allows an administrator to restrict the scope of what an eDiscovery manager can search. It’s useful for large organizations or those with strict departmental separation. For example, you can create a filter so that an eDiscovery manager for the European division can only search the mailboxes and sites of users located in Europe, ensuring they don’t have access to data outside their jurisdiction.
22. How do you turn on audit logging in Microsoft 365, and what happens if you don’t?
You turn on audit logging by going to the Audit log search page in the Security & Compliance Center and clicking “Start recording user and admin activities”. It’s a one-time setup. If you don’t turn it on, user and administrator activity across services like SharePoint, Exchange, and Teams will not be recorded in the unified audit log, and you will be unable to investigate security incidents or compliance issues.
23. An administrator runs an audit log search and gets 5,000 results. What can they assume, and what should they do to see all the relevant data?
They can assume that more than 5,000 events met the search criteria, as the UI only displays a maximum of 5,000 of the most recent events. To get all the data, they should click Export results > Download all results. This will export up to 50,000 entries into a CSV file, which includes raw data for deeper analysis.
24. What is the primary purpose of Advanced eDiscovery, and what license is required for the user whose data is being analyzed?
The primary purpose of Advanced eDiscovery is to help organizations analyze large, unstructured data sets to reduce eDiscovery costs. It uses machine learning and analytics like near-duplicate detection, email threading, and predictive coding to identify the most relevant content for a legal case. The user (or custodian) whose data is being analyzed must have a Microsoft 365 E5 license or an Advanced eDiscovery standalone license.
25. How does the “Email Threading” feature in Advanced eDiscovery make the review process more efficient in real-time?
Email threading analyzes conversations and identifies only the unique messages in a thread. In a typical email chain, each reply contains all previous messages. This feature groups these messages and allows a legal reviewer to focus only on the new information added in each reply, which significantly reduces redundant content and saves review time.
26. What is “Predictive Coding” in Advanced eDiscovery and how does it work?
Predictive coding is a machine learning feature that helps identify relevant documents. It works by having a legal expert tag a small sample set of documents as “relevant” or “not relevant.” Advanced eDiscovery then “learns” from these decisions and applies that logic to the entire data set, calculating a relevance score for every document. This allows reviewers to prioritize the documents most likely to be important to the case.
27. An eDiscovery Manager needs to analyze image files (e.g., scanned PDFs or JPEGs) in a case. How can Advanced eDiscovery help?
When search results are prepared for analysis, Advanced eDiscovery uses Optical Character Recognition (OCR). This feature automatically extracts text from image files, including loose files and email attachments. The extracted text can then be analyzed using all the standard Advanced eDiscovery tools like near-duplicate detection and themes, just like any other text-based document.
28. An administrator is investigating a security incident and needs to find out who accessed a specific confidential file on SharePoint in the last 24 hours. What tool should they use?
They should use the Audit log search in the Security & Compliance Center. They can filter the search by the specific file name/URL, set the date range to the last 24 hours, and select activities related to file access, such as “Accessed file” or “Viewed page”, to see a list of every user who interacted with that file.
29. What is the difference between an eDiscovery Manager and an eDiscovery Administrator?
An eDiscovery Manager can create and manage cases they are a member of. An eDiscovery Administrator has a broader scope. They can view all eDiscovery cases in the organization, add themselves as a member to any case, and perform administrative tasks in Advanced eDiscovery like processing data for analysis and configuring case-wide settings.
30. What is the “Preservation Lock” feature for retention policies, and in what scenario is it critically important?
A Preservation Lock makes a retention policy unchangeable. Once locked, no one—including a global administrator—can turn off the policy, make it less restrictive, or delete content subject to it. This is critically important for organizations that must comply with strict regulatory rules, such as SEC Rule 17a-4 for financial institutions, which mandate that retained data cannot be altered or prematurely deleted.



