Covering Your Assets: Office 365 Data Protection Measures for End Users and Administrators

What options are available to you as an end-user to safeguard and recover your lost content in Office 365? As an administrator, how are your end-users protected and what do they need to know (or be taught) so that they can recover from the micro-disasters that happen every day?

Office 365 and the Microsoft Cloud are incredibly resilient. You can be confident that your data is secure and available from natural disasters, but what about a disgruntled employee? How can you protect your content from the very people that have access and either accidentally or intentionally delete important information?

In this session Matthew McDermott, MVP, Principal Technical Marketing Engineer will:

  • Detail the features of Office 365 that support self-service restoration
  • Discuss settings that protect you and your team from loss
  • Look at what administrators can do to help their users’ help themselves
CLICK HERE to read the full transcript

Good morning. Good afternoon. Good evening from wherever you’re joining us, and thank you for attending the webinar. I’m really grateful to have an audience for this content. I’m new to Spanning, this is my first webinar. I’ve been with the company for about a month now, and I’m really excited to share this overview of how to use Office 365 data protection measures for everybody — really, end users all the way through to administrators. We’ll talk about each of their roles in protecting the company’s assets and making sure that they understand what their job is when it comes to covering your assets or protecting your intellectual property in Office 365.

I’m your host, Matthew McDermott. I’m a SharePoint Office 365 MVP and you can reach me on twitter, @MatthewMcD, or you can check out my YouTube channel or contact me directly at [email protected] I’ll be more than happy to talk to you about anything that we cover in this session as well as any of the Spanning products that may apply to you and the workloads that you’re working with. If you want to check out some of my blog posts, you can catch me on and my Instagram account where you’ll see pictures that I’ve taken as I travel around the world talking about things like Office 365, @GoldenDogRuby. Yes, that is Ruby right there underneath my name.

Handles to reach Matthew McDermott via Twitter, YouTube, email, personal blog, and Instagram.

I’m an Office servers and services MVP. Mostly I do stuff around SharePoint and Office 365, but I’m also a Pluralsight author. I have two courses on Pluralsight that might interest you. One is on upgrades and the other is on search. And as I said before, I’m a new employee at Spanning. We’re a cloud services company where we support cloud to cloud backup, but I’ll talk about that later. In this talk, I’m going to talk about the different ways that you as an end user, site administrator, or even a global administrator can be responsible for your company’s assets. I’m going to review storage in Office 365 as it relates to end user content. We’ll also review the roles between our global administrator, site administrator, and end users and what their responsibilities and obligations are to protect the company’s assets. We’ll also talk about limitations, what isn’t covered by your SLA. And then we’ll talk about options that you have and vendors that might be able to support you, like Spanning.


How Much Storage?

How do we calculate how much storage is applied to an Office 365 tenant? Well, it comes down to the end user. It comes down to end user licenses associated with your tenant. Each user is responsible for an allocation of email storage and OneDrive storage. So, for each user, by default, you get 100 gigabytes of email storage. And you get one terabyte of OneDrive storage. Now, technically OneDrive storage associated with an Office 365 tenant is unlimited. But initially, every user is allocated one terabyte, and we’ll talk later about how you can get it up to five terabytes or more. For SharePoint online storage, this is more of a shared pool of storage based on the number of users that you have associated with your Office 365 tenant who are licensed. So, it starts with one terabyte base. So, no matter how many users you have, you get a terabyte. And then for every user, you get an additional 10 gigabytes. So, in this case, what we’re looking at is a shared allocation that’s simply based on the number of users that you have in your organization that are licensed for Office 365.

Visual diagram of the amount of storage applied to an Office 365 tenant.

So, let’s look at some of those numbers using that 1 terabyte plus 10 gigabytes per user, plus a terabyte per user in OneDrive and 100 gigabytes per user in email. If I have 10 users, and we’re looking at D3 licenses here, my base tenant is a terabyte. My SharePoint per user allocation is a tenth of a terabyte. My Exchange Online mailboxes, that adds up to 1 terabyte, and then for OneDrive, since I get 1 terabyte per user, I get an additional 10. So now, I’m looking at 12.1 terabytes for those 10 licenses. Likewise, that bumps up to 102 terabytes if I’m looking at 100 user licenses. And for 5,000 users, we’re looking at over 5,000 terabytes of data potentially in your OneDrive SharePoint online and Exchange mailboxes. So, all of those three things together can add up quite a bit of storage that as an administrator you’re responsible for, or if you consider, if you are an E-Discovery professional that you are responsible for. If you’re a compliance officer, something you’re responsible for.

Mathematical representation of how much storage is applied to an Office 365 tenant.


Three Main Roles

All right, so who’s responsible for what within our organization? Well, let’s look at the three main roles that I’ll be talking about today. The first here is Lola, she’s our Global Administrator. She’s responsible for doing things that affect the entire tenant and the services within the tenant and making sure that those services are up to speed and working the way that our organization wants them to work. So, that means that she’s responsible for setting quotas and locks. She’s responsible for making sure that the external sharing configuration works. That’s not to say that it’s locked down or that it’s completely permissive. It’s so that it falls in line with what the company anticipates its secure external sharing configuration is supposed to be. She’s also responsible for any requests for additional storage that might be made.

She’s going to implement retention policy and the configuration of E-Discovery holds. She may work hand in hand with the legal department to make sure that those policies are correctly configured and enforced. It’s really not her responsibility to establish the policy. That’s something for the lawyers to do. She’s also responsible for monitoring critical events associated with the tenant. Office 365 Security Compliance Center has a very robust reporting system that allows you to send yourself notifications when different events occur. In this case, we can use that event-ing system to monitor for deletions and sharing events that might pose a risk to our organization. Finally, she’s responsible for interfacing with Microsoft Support in the event, some sort of data incident occurs that might require Microsoft having to do a data restore that, as an administrator, she can’t do. And so, we’ll talk about all of that in just a few moments.

Next up is Oso. Oso is our Site Collection Administrator. He’s got a much narrower scope of responsibility. His responsibility is a single team, a single group, a single SharePoint site collection, and it may expand to other teams, groups, and site collections, but really focusing on that one location. He’s responsible for configuring permissions and making sure the permissions configuration is correct. He’s also responsible for creating new things like sites and libraries and then, of course, maintaining those library settings so that they protect the information contained within them.

And lastly is Ruby. Ruby represents all of our end users and the responsibilities that the end users have for data protection. One of the things she needs to do is manage her own personal OneDrive. She has to be vigilant about threats like malware and phishing, and she needs to understand how to share content from her OneDrive, if the organization allows it, in a secure way to make sure that she’s using best practices to prevent any data breaches from occurring as a result of her sharing activities.

Personas for the three main roles within an Office 365 tenant: Global Administrator, Site Collection Admin, and End User.


Administrator Responsibilities

So, let’s talk about Lola. Let’s talk about the Global Administrator and her responsibilities to the organization. As a Global Administrator, she’s responsible for setting quotas and locks. This means that she might allocate a lot of storage for one site and a little storage for another site, if she chooses to. When those locks occur, in other words, when a particular site reaches its quota limit, it’s going to be up to Lola to release the lock, add more storage if it is part of the company’s policy. She’s also responsible for setting up the initial external sharing configuration and then ensuring that that external sharing configuration remains the way that it is for the organization, so the organization can meet its business needs. That may mean that today, external sharing is absolutely denied in our organization, but that in a few days when it becomes a business necessity, she configures maybe one site collection for external sharing, or she turns on external sharing across the organization so that people can use it in their OneDrives as well as from team sites and teams if they need to. Again, it’s up to her to implement the policy that the organization wants to drive forward with.

She can also set retention and deletion policies. But the critical thing here is to be able to test those policies in a safe way so that she can be sure that she’s not misapplying a retention policy, or worse, a deletion policy. Too broad of a deletion policy can cause tragic, tragic results in an Office 365 tenant, resulting in deletion of data and resulting in you having to contact Microsoft Support to be able to get that content back. Lola is also responsible for monitoring deletion and sharing events. These are the two key events that I look at quite often when I’m concerned about employee behavior or misapplication of our sharing rules. And so, I’ll show you in a little bit a demonstration of how you can use out-of-the box Office 365 monitoring for deletion and sharing events.

Finally, it’s the administrator’s responsibility to interface with Microsoft Support. In the event that additional storage is required, then it’s the administrators that can create a service ticket that Microsoft can respond to, to increase the allocation of storage for a particular user. So, let’s say that our Vice President of Marketing has filled their OneDrive and they need more storage. Well, as an administrator, I can’t go in and add more storage to that OneDrive. I have to create a service ticket for that. What Microsoft will do is they will look at that OneDrive and if it is above 90% of its allocation, in other words, if it’s above 900 gigabytes, then they will allocate more storage to that OneDrive. When they do, that’s where we go from one terabyte up to five terabytes. If you get above 90% of that, Microsoft will further increase the storage.

Now, if you go above storage for SharePoint, if the quota that you have is too little for the amount of content you want to store, then you can file a service ticket with Microsoft, but you will pay for the additional storage that you want. So, it’s a little different depending on whether it’s in a OneDrive site, or it’s in a SharePoint site. But you just need to know that it will take an administrator to interface with Microsoft to make sure that that storage allocation gets increased appropriately.


Site Storage Limits

Now, SharePoint sites have storage limits and by default, inside the user interface, you’ll see that storage limits are set to automatic. In other words, sites will use all the storage they need up to a maximum of 25 terabytes per site collection. That’s an enormous amount of storage, but it’s set to automatic by default. If you choose to change this to manual because, for whatever reason inside your organization, you want to manage that storage yourself, then you can flip the bit to manual and then you’ll be able to change the storage limit for each site collection at the site collection level. That’s the most granular level that you can set the storage limit for. You can also enable or disable notifications. If you’re going to change these storage limits, I urge you to allow notifications when people get to the designated storage limit percentage, shown on the slide here, in this case 98%, they’ll get a notification that they’re approaching their quota or their storage limit. I would also bring the number down to like 80%, so that you have plenty of time to respond to and change the storage limits for any site that reaches its quota.

Interface for changing storage limits within SharePoint sites.


Monitoring for Deletion Activity

Now, as I said earlier, Microsoft has built in to the Security and Compliance Center, a really terrific alerting feature that allows you to establish rules and then be alerted on specific activities by either specific users or broadly across your user base so that you can monitor for those events. In the Security Compliance Center, it’s probably a good idea to monitor file and version deletions, monitor recycle bin activities, like somebody clearing a recycle bin, and create alerts around those activities. If it becomes a commonplace thing, maybe you don’t need to have these going off all the time, but certainly somebody clearing a recycle bin can be a problematic event. Once a site recycle bin is cleared, there is a limited window of time from which you can restore that content.

This is the user interface and I’ll give you a demo in just a moment. But this is the user interface for creating an alert in the Security and Compliance Center. I’ve called out six of the ones that pertain to this particular talk, deleting a file from the second stage recycle bin, deleting all versions of a file, deleting a file. Maybe you don’t want that one, but recycling versions of a file, deleting from the recycle bin, and then recycling all major versions of a file. This could be normal business activity, but it could also be an employee who is clearing out and covering their tracks, something to pay attention to.

Proposed alerts to be activated within the Security and Compliance Center.


Delete Notifications

So, in this demo, let me give you a walkthrough of how to use the Security and Compliance Center as a global administrator to create a delete notification. Creating a delete alert notification involves going into the Security and Compliance Center. And then once you’re in the Security and Compliance Center down here under Search and Investigation, go into Audit Log Search. Inside of Audit Log Search, I can choose the kinds of activities I want to look for.

So, let’s look for deleted file and deleted file from second stage recycle bin. Then you can choose the date range upon which you want to act and specific users, if you’re interested in following a specific user. In our case, we’ll just leave it broad and execute our search. This allows us to find that action that occurred. Now, this would be sort of a reactive way of running your audit logs. What I urge you to do is set up a new alert policy and let’s call this “Deleted Items”. Or you may want to have one that’s just specific to recycle bin. Send this alert when? And you’ll notice when I click on this, that it’s already identified those activities that I previously identified in the search. So, that’s why it’s nice to run your search first in the audit log search, and then create your alert based on that. I didn’t have any users identified, so it’s going to apply broadly across all users. And then who do I want to send it to? Well, I’m logged in as Megan, so we’ll go ahead and send that one to Megan Bowen. But I could also send this to an email distribution group if I wanted to. I’m going to choose Save.

And now that’s set up as an alert. Later when this alert is tripped, what I will get as a recipient of this alert is I will get an email notification. In this case, this was a recycle bin deletion that occurred and it detected that activity. It tells me what the file is, who the user is, and what site it came from. So, I can use these to monitor activities inside my tenant to make sure that it’s working and that people aren’t conducting inappropriate actions in our tenant.


External Sharing

Now, I feel that external sharing is something that should be controlled to the extent that it serves the purposes of the organization. I don’t believe that you should share every single site collection or offer external sharing through every single site collection. I feel it should be tailored to the organization to make sure that you’re meeting the needs of the organization. I have some organizations that don’t allow sharing at all. I have some organizations that allow sharing, but only from one specific site, and then others that allow sharing off of OneDrive because that’s the nature of their business. I get that, it’s important. But most important is that an administrator is paying attention.

This is the classic Admin Center view of the controls for sharing outside your organization. You’ll notice that, currently, the setting is to allow sharing to authenticated external users and using anonymous access links. The challenge, though, is that anonymous access links are not set to expire. If you’re going to use this permissive of a setting, I urge you to make sure that anonymous access links are set to expire in a certain number of days. That way, you have at least some level of control. But more than likely, you’re going to work your way back up and either have ‘Allow users to invite and share with authenticated external users’, that means that they have to have an Office 365 or a Microsoft account, or you can ‘Allow sharing only with external users that already exist in your organization’s directory’. In tightly controlled environments this is a great option because what that means is that their account has to already exist, which means that you already have a relationship with this external user or that administrators have already vetted that user and their account prior to allowing external sharing.

Of course, the least permissive is going to be the top option, ‘Do not allow sharing outside your organization’. And that really only applies to the most tightly-controlled organizations that aren’t allowing any level of sharing. And it works, it’s secure. But it sort of defeats the purpose of having any level of external sharing. In the new interface, the controls are a little bit more-simple. It just goes from anyone down to only people in the current organization.

The interface for managing external sharing controls within an Office 365 tenant.

And when we’re looking at OneDrive sharing, the guidance is that SharePoint and OneDrive are sort of two separate sliders. But the important thing to note is that your sharing settings for OneDrive cannot be more permissive than your settings for SharePoint. And so, you have to balance the security versus the sharing need and make sure that you have tailored the sharing experience to work for your organization.


Exchange Online Email

We’ve been talking about documents up to now, let me talk about email for just a little bit from the administrator’s perspective. With Exchange Online email, when a mail item arrives, it goes into my inbox, and then I have the option if I want, I can put that into other folders within my mailbox. But when I delete the item, when I use a regular delete command to delete the item, it moves into my deleted items folder that’s still part of my mailbox. And by default, that item can stay in the deleted items folder indefinitely. When I either clear my deleted items folder, which there’s even an option in Outlook to automatically empty the deleted items folder every time I close Outlook, or if I issue something called a hard delete, which means I hold down the shift key and delete the item, either of those activities — hard delete or empty the recycle bin — is going to move those items into the recoverable items deletions folder.

Once they’re there, a timer starts and they’re only retained inside the deletions folder for 14 days. As an administrator, I could increase that time span up to 30 days, but no longer. Now, from an organizational perspective I could use a litigation hold to prevent those items from being purged. Those will become part of the discovery hold library inside recoverable items and they will be held there until we release the hold, in which case at that point they would then be deleted. If you want to, you can change the limit up to 30 days, but like I said, by default, deleted items are only retained for 14 days.

Exchange Online email inbox and deletion folder structure.

The way that you change those limits is by using a set mailbox command, identify the user and then specify ‘Retain Deleted Items For’ and the numeric value of somewhere between 14 and 30 days.

Now, you can query for recoverable items. So, let’s assume that Ruby has contacted IT Support and needs to recover some items, all of the things where the subject line contains “Dog Toys.” I can do that. I specify the source folder of ‘Recoverable Items/Deletions’ and then subject contains “Dog Toys,” that will get me the list of items that could be recovered. I can also use a time span if I want. So, in this case, I’m using filter start time and filter end time for between 700 and 1400 hundred hours on 11/20. This would allow me to recover or at least list all of the items that could be recovered if I execute the ‘Restore-Recoverable Items’ command. So, using the same query, I can recover those items. They’ll be restored back into Ruby’s mail folder so that she can then review them and decide which one should stay and which one should go.

Now, it is possible to come up with a query that just returns way too much information. So, you can also use ‘Result Size’ parameter to limit the amount of results that you get back. So, maybe set that to 100 or something like that to start with to make sure that your queries run efficiently.

Exchange Online commands to query for recoverable items.

So, let me demonstrate some of the Exchange Online Cmdlets that we can use to search and help our end users recover their content. I’m going to establish an Exchange session and import the modules. And the first one I showed you before was this cmdlet to set the mailbox for the retained items for the user. So, what I’m going to do here is simply get the mailbox for Megan and then show you the ‘Retain Deleted Items For’ default which is 14 days. And, of course, then I could use the Set command to increase that number if I wanted to. I can also, in responding to a support request, let’s say, from Megan, establish a filter time. So, I’ve got a filter start time of 11/18 and an end time of 11/21. And if I run that cmdlet, it’s going to show me all of the possible items that I could recover from her ‘Recoverable Items Deletions’ folder.

Now, certainly, since it’s in her Deletions folder, she could do this as well. But this just gives me some control so I can try to get in there and get to her email for her. What I notice in her email is that she has a couple that are marked “Business Development.” And so, I can also use the ‘Subject Contains’ parameter to go find those as well. And so, just in terms of how you decide to filter, how you decide to target the content that you’re trying to restore, you can do that by using the ‘Get Recoverable Items’ cmdlet. And then, finally, I can use the ‘Restore Recoverable Items’ cmdlet using that same query to actually recover the content for her. And what you’ll see in the results is whether or not that was successful. So, it was restored to the original folder, it was restored to the original folder path, and it was restored into the inbox. And, of course, once I’m done I’m going to do a ‘Remove Session’ to close out that session.

So, as Megan, I should be able to go back into Outlook and if I search for “Business,” I should see that I’ve got my business items restored into the inbox. So, these are really powerful. They enable an administrator to do the work they need to do to recover content for any users in the organization.


Employee Offboarding

I would be remiss if I didn’t talk about when an employee leaves the organization. Now, employees leave organizations for all sorts of different reasons. And if an employee leaves, whether it’s on good terms or bad, the same thing happens in Office 365 if you delete the user. What happens is a 30-day timer is started. We call this a soft delete. You delete the user in Azure Active Directory. That user is then put on sort of a, I won’t say hold because that’s sort of a legal term, but it’s soft deleted. It isn’t actually deleted for 30 days. So, you have up to 30 days to accomplish a user restore. The user came back, somebody else comes forward and says we need to find out about his email from an E-Discovery perspective, or we need to look in his OneDrive from an E-Discovery perspective.

Visual representation of what may happen to a user's content if an employee leaves an organization.

But prior to that 30-day timer running out, the user’s data is available and is quite simple to restore. But what about after that 30 days? Well, after that 30 days, the user account is deleted, all of their mailbox data is deleted, and all of their OneDrive content becomes available for deletion because there is a OneDrive process for removing user content. What I recommend you do instead is consider disabling the account instead of deleting the account. Eventually, you’ll get around to deleting it. But for now, for today, while we’re escorting this person out, disable their account. Now, while the account is disabled, you’re still consuming an Office 365 license, so there’s still a price associated with that license. And the company should be aware of that. I’m not suggesting that you do this indefinitely, but at least until you have a chance to decide what to do with the disposition of the content associated with the user.

For instance, OneDrive for Business. OneDrive for Business goes through a My Site Cleanup process that’s been around SharePoint for years. You want to ensure that the user has a manager assigned on their user profile. That manager will receive a notification and, quite often, they have no idea what to do with it. But they’ll receive a notification that the user has been removed and their content should be evaluated. What I recommend is that you have an off-boarding procedure that identifies the user’s manager or the appropriate party to review that OneDrive content prior to deletion. There’s also a setting in Office 365 called the My Site Cleanup Secondary Owner. That owner will also receive the email. That means that if OneDrive can’t figure out who their manager is, it’ll automatically set that secondary owner as the person who’s responsible for the disposition of the OneDrive.

For Exchange email, you have a couple of options. You can place a litigation hold on the mailbox that will prevent that mailbox from being deleted even if the employee’s user account is deleted. You could also convert the mailbox to a shared mailbox. This is a very common practice and actually makes off-boarding an employee quite easy because by making it a shared mailbox, you can assign one or more users to share that mailbox, review the content and decide if it needs to be held or disposed of. The other option you have is to convert the mailbox to an inactive mailbox, but just like with litigation holds, the challenge with setting a mailbox to inactive is that somebody has to be assigned to review that content. And unlike a shared mailbox, inactive mailboxes and mailboxes under litigation hold can accidentally be released and then Exchange Online will delete them. So, my preferred technique is to convert them to a shared mailbox until disposition is complete.

For SharePoint, for Teams and Groups, you need to make sure that you reassign ownership. So, again, having a process where you have a script that goes through and takes a username, evaluates whether their OneDrive is set up correctly, make sure that their mailbox is taken care of, and then looks at all of the SharePoint sites where this user is an owner, all the teams and groups where they are the owner, make sure that you reassign ownership. It’s not like some sweeping process is going to come through and delete the content, but it’s a matter of making sure that those sites are appropriately secured for the future of your organization. In addition to this, depending on what the circumstances are around the employee separating from your company, you may also want to look at products like Microsoft Intune, which offers the ability to clear a mobile device of any corporate data, even if it’s a BYOD device. It will not clear their private data, but it will clear all of the corporate data off of that device.

You also want to consider flows and sways. Flows and sways are both personal content, unless the flow is shared, in which case it becomes a team flow. So, when you’re going through and evaluating any of the content that’s been developed by this user, these are just some things to think about. And then finally, you want to revisit this list regularly to look at the workloads that you’ve deployed and decide whether or not those workloads should be evaluated against your corporate privacy policies and the policies for your content.

Proposed tasks to consider and/or execute during an employee off-boarding event.


Site Collection Administrator (Owner)

All right, so the global administrator definitely has a lot of responsibility when it comes to Office 365. But I strongly believe that site administrators and end users do, too. Site collection owners, or site collection administrators, have the responsibility to work within their site and produce an environment that allows their team to collaborate which means that they may be creating sites, they should be configuring permissions, and they should be managing those situations where employees have too much or too little permission.

There is no golden rule, but there is a way for you to prevent accidental deletion, particularly in organizations that haven’t trained their users how to do sharing with Office 365. And that’s the biggest problem I’ve seen is that people don’t know that if they have too much permission, they can delete the entire site. They don’t know that they can delete document libraries as well as just documents. So, how do we prevent accidental deletion? I’ll get on that in just a second. They’re also creating libraries, and then they’re responsible for maintaining those library settings. Microsoft just announced recently that they’re adding major versioning to all document libraries that are created, which means that, by default, 500 major versions are being stored in your document libraries. Now, these major versions count toward your site quota, and maybe you don’t want to keep 500 versions of a document. So, it’s up to the site collection owner to decide how those policies and settings are created and also to establish version trimming if they choose to.

Responsibilities of the Site Collection Admin within an Office 365 tenant.

So, how do we prevent accidental deletion? Well, limit the site collection administrators, use trusted employees, use trained employees. Some of the organizations I’ve worked with don’t allow just anyone to be a site collection administrator. You have to have gone through a few hours of training to understand what the important features of the site are that, as an administrator, you are responsible for. And then change the default permissions. Don’t change the groups that are there, but add additional groups rather than using edit and contribute to remove the delete right. And I’ll show you how to do that in just a moment. Create a new permission that doesn’t include delete. So, what we’re going to do in this demo is show you how to create a permission level for your users to contribute content but not be able to delete it.

Steps to take in order to prevent accidental deletion of content.

What I want to do is set up a special group or special permission level to help me mitigate the risk of people deleting content from my site. I can do that by going to Site Permissions and then at the bottom of this page, choose Advanced Permission Settings. You’ll notice that there is the default Electronic Events Members, Owners, and Visitors, and one of the things I want you to see is that it says Electronic Events Members and they have Edit Permission. If we go and look at the permission levels for this site, you’ll see that Edit means that they can delete lists and delete list items and documents. Likewise, Contribute allows them to delete list items and documents. I don’t want that. I want people to be able to contribute without being able to delete. Now, you could just choose Add Permission Levels and then work your way through the user interface, picking and choosing those items. There’s an easier way though. What I do is start from Contribute. And then down at the bottom of the screen I choose Copy Permission Level.

Now, all of the checkboxes are set for the same level as Contribute. I’m going to call this Contribute, you see I’ve done it before, ‘Contribute (no delete)’. And then I would have walked down and uncheck everywhere that there is an opportunity for the user to delete content from my site. I think that looks pretty good. And I’ll choose Create. So, now, I have a permission level called ‘Contribute (no delete)’. But what I need is I need a group that I can apply that change to. So, let’s go back to permissions and let’s create a group, likewise calling it ‘Contribute (no delete)’. Then I’ll simply come down here and choose my new permission level, Contribute Without Delete. Once I’ve done that, I can add people to this group instead of using the default Members Group. Now, the funny thing about the Members Group is there is a little typo. When you look here it says, “Users in this group to grant Contribute permissions,” but as you know, it’s Edit permissions. So, even this is incorrectly labeled. So, what we want to do now is use our ‘Contribute (no delete)’ group.


End User Recovery

So, what about our end users? You know, talking to end users about what they worry about on their team sites is a very different conversation than talking to administrators. End users are worried about those little micro disasters that happen nearly every day, that “Oh darn” moment where they don’t know if they actually deleted something and it’s gone forever, or they can get it back easily simply because their mouse slipped. The other thing is this stigma of malware. I’ve talked to a number of organizations that have suffered from ransomware attacks and the notion that it’s their fault that the ransomware attack occurred, and that there’s like this victimology that we’ve suffered ransomware is just, we have to get rid of that because the more that organizations discuss how these attacks occurred and how these horrible people were able to take control of their files and ransom them, the better we will be capable of educating our users to help keep it from happening in the first place.

There’s also just the usual end user mistake. I was helping a client restore some sites that have been deleted and I asked, “How did this happen?” And the honest answer was, “We didn’t think we could, so we tried.” And they ended up deleting a whole bunch of sites that they did not know how to get back. So, practicing, practicing, and practicing the recovery efforts makes you a better administrator, a better site collection administrator, and a better end user. Then there’s malicious intentional deletion. This might be an employee who’s getting ready to leave, who wants to just trash a site that he has access to. An intentional deletion where somebody deletes the documents, deletes them out of the first stage recycle bin, and then deletes them out of the second stage recycle bin is the result of somebody having too much access.

And finally, automated deletion. One little SharePoint Online PowerShell script with one little token out of place, and suddenly you have mayhem because the script is simply crawling through your sites and deleting content. Unintentional side effects of automation can also cause end users to suffer from data loss. So, making sure that you understand what your scripts do, what the permissions are that are associated with any apps that you’re using, and understanding how those interactions occur is very important from an end user perspective.

Concerns of end users within an Office 365 tenant.

But what about the recycle bin? I mean, aren’t I protected because Office 365, just like SharePoint on-prem, Office 365 and SharePoint Online, they have a recycle bin. Well, there is a recycle bin, and, collectively, the site collection recycle bin collects documents, lists, items and sub-sites that are deleted, and it stores them until such time as the time expires and they’re removed. Now, there’s also a site collection recycle bin, but that takes Lola, our global administrator, to recover.

What the Site Collection recycle bin collects: documents, lists items, and sub-sites.

There are limits to the recycle bin as well. Educating your users that once an item is deleted, there is a 93-day clock on those items. The items are only restored (or only retained) and restorable for 93 days. There is this 14-day emergency backup, but that requires a call to Microsoft and requires you to get the site restored. It could mean that any content created since the deletion occurred and that 14-day window started could get overwritten. So, you want to make sure that if you’re going to have to go back seven days and restore a site that the content is recovered correctly. So, here’s the scenario. I’ve created a document and it has existed long enough for SharePoint to recognize it as a document in a document library, for example. Then I delete it. That starts that 93-day clock ticking.

At some point at the 93-day mark, a purge occurs, the document leaves the recycle bin and is now only available through an emergency restore following a call to Microsoft. Once the 14 days elapses, the content is unrecoverable. Now, it is possible that if your site is very close to its quota, that content will be purged out of the recycle bin prior to the 93-day mark. So, if you have a site that’s very close to its quota, you want to know that the content in the recycle bin is at risk.

Retention cycle & limits for the recycle bin.


OneDrive Files Restore

Now, Microsoft very proudly announced OneDrive Files Restore. This is a fantastic feature. It allows you to recover vast amounts of changed content in your OneDrive. So, for instance, you accidentally delete 200 files out of your OneDrive. Well, Files Restore lets you pick the day that you want to restore back to, in this case in the user interface we have yesterday, and then click ‘Restore’. And it will restore all of the documents or just one document if you want into your OneDrive. So, you can kind of roll back the clock by 30 days with Files Restore.

There are limits to Files Restore though because Files Restore uses version history and the recycle bin. Deleted files cannot be restored if they’ve been removed from the recycle bin. Also, if you upload a file or folder after you’ve deleted it, so let’s say that I have a Marketing folder and I’ve deleted it and then I’ve created a new Marketing folder and put files in it, well, Files Restore is going to skip over that content. It’s not going to allow me to restore over the top of that. Also, if files can’t be restored, you’ll get an error log that you’ll be able to review and see what was not able to be restored.

Allowances & capabilities of the OneDrive Files Restore feature.


What are the Limits?

So, what are our limitations? Let’s kind of review where we’re at right now. Within Exchange Online, we know that deleted items can be retained for 14 to 30 days. Within OneDrive, it’s 30 days if we’re going to use the files restore feature, but since it’s really SharePoint under the hood, it’s 93 days in the recycle bin. And then for SharePoint, it’s 93 days in the recycle bin unless we bump up against that site quota, in which case it’ll be less. One of the other important things to note about SharePoint content deletion is that if you have metadata columns associated with lists and libraries and you delete those columns, they are not protected. So, even trying to restore a column is not protected in SharePoint. So, you’ll lose all the metadata that’s associated with that column upon deletion.

Now, if a user is deleted, it removes their mailbox and their OneDrive after 30 days. But SharePoint Teams, Groups, there’s no impact to user deletion. All of this can be impacted with a legal hold. So, using legal holds is one option that you have to secure your content across all of these different services. The challenge with legal holds is they must be placed by an administrator and they’re sort of like using a sledgehammer to squash a bug. Because legal holds are not intended for backup and restore, although you kind of could, it’s just really not what it’s there for. What it’s there for is making sure that the content that is proprietary to your organization or that is required by law to be retained is properly retained.

Diagram detailing the retention limits for Exchange, OneDrive, and SharePoint.


Spanning Backup for Office 365

So, what’s the easy solution to recovering our files, getting them back and extending those timeframes for content recovery beyond the 30-, 60-, 90-day windows that we’ve been talking about? Well, my company, Spanning, offers a solution for OneDrive for Business, SharePoint Online and Exchange, email and calendars. What I’d like to show you is how an end user can restore their own content going back as far as we have backups for you because Spanning offers unlimited content retention.

List of assets that are covered by Spanning backup for Office 365.

All right, so, Megan is an administrator, but it really doesn’t matter for this particular demo. She’s going to go in and here’s the business card, we’ll delete that. And then if I go into the recycle bin we’ll see the business card is there along with this contact.csv file. Go ahead and get rid of those. And then we’ll go into her second stage recycle bin and do the same. We’ll get rid of both of those files. So, just remember the business card is what we deleted. Once we’ve deleted the content out of the second stage recycle bin, it’s no longer available for us to do a restore in the traditional sense. What we need is we need a solution that will allow us not only to recycle or return the content that we deleted today, but anything that we’ve deleted beyond 93 days.

In this case, I can go into All Apps, I can scroll down and find the Spanning Backup app. And as I said before, Megan happens to be an administrator here and so she’s seeing everything in her organization for managing licenses. But what I’m going to do is drop into Megan’s site and I’ll see her backup history and I’ll see that mail, calendar and OneDrive have all been 100% effective. And I’m going to choose to view those backups. Here in the user interface, we have the mail, the calendar, and the backups for OneDrive. Because these are user-related, these are the user content that we’re backing up. If I wanted to restore something to a SharePoint site I would simply go to the SharePoint tab. I’m going to go in and find the business card, it’s right here. But I could also have searched for it using the word “card” to find it. I can find that document. And if I have more than one version of the document, I can view versions, but what I want to do is simply restore this document. So, we’ll go ahead and click Restore. I’m going to restore it as the same user right back into Megan’s OneDrive.

But here’s another thing to consider. Spanning Backup for Office 365 allows you to restore to a different user. So, even after a user’s account is deleted and their OneDrive has been erased, as an administrator, I can go back to that deleted user in Spanning Backup for Office 365 and I can restore their documents to another user’s OneDrive, which is very powerful if you think about the off-boarding and onboarding scenarios where users may want to have some sort of continuity of their documentation. So, the restored item has been replaced in the restored folder inside the account, we’ll go ahead and choose OK. The restore was successfully initiated. If I look at the past history I’ll see that the OneDrive Restore was accomplished. Go back into Megan’s OneDrive, here’s the restored content and here’s our business card PDF. So, what Spanning Backup for Office 365 allows us to do is have very, very easy restores of content beyond the windows of restoration that Office 365 affords.



So, I want to leave you with a few resources so that you understand where I got a lot of the information from. For mailbox storage limits, for SharePoint Online limits, for OneDrive for Business, and this overview of retention policies is a phenomenal article from Microsoft on really how security compliance work together for your retention policies and how as an organization you can stand up retention policies and understand how retention policies work in conjunction with deletion policies, and who wins, which is probably the most important lesson in that article. If you’re looking for a guide that will help you with Office 365 overall, I highly recommend my friend Tony Redmond’s book, “Office 365 for IT Pros.” To say it’s just Tony’s book is to down sell the entire team that’s responsible for putting together this content. It is an evergreen book.

A list of resources for the information contained in this presentation.

So, if you buy a copy now, any updates that occur to that book during the life of the book, so in this case, they’re on the 2019 version which is the fifth edition, if you buy it now, every time they update the book until they roll to the next edition, you get the updates. So, fantastic book, has a lot of real-world guidance for how to manage your Office 365 tenant. I highly recommend it. And with that, I’d be more than happy to take any additional questions that I haven’t answered already in the queue.