Microsoft Purview compliance portal: Data Lifecycle Management - Introduction of secure workflow to bypass legal holds and retention policies in Exchange

🚨 The Signal: Microsoft Purview now allows a secure workflow to bypass legal holds and retention policies in Exchange. This introduces a controlled method for deleting data that would otherwise be retained, requiring specific roles, multiple approvals, and full auditing.

The Impact

Security teams and compliance officers are affected by the introduction of a new, highly privileged data deletion capability, increasing the risk of unauthorised data removal if not properly governed.

• Security Teams: Risk of data loss or non-compliance if the new bypass workflow is misused.
• Compliance Officers: Need to update data retention policies and ensure audit trails meet regulatory requirements.
• Legal Teams: Potential for legal hold integrity to be compromised if exceptions are not carefully managed.
• Admins: Elevated responsibility due to new permissions for bypassing retention and legal holds.

The Action

1. Review and update data retention and legal hold policies to account for the new bypass capability.
2. Define and assign the new 'Priority cleanup' security role with strict adherence to the principle of least privilege.
3. Establish a multi-approver workflow for all Priority cleanup requests, ensuring segregation of duties.
4. Regularly audit all Priority cleanup activities to verify compliance with organisational policies and legal obligations.
5. Communicate the existence and proper use of this new workflow to relevant legal, compliance, and IT teams.

Domain: Purview · Impact: high · Workload: Microsoft Purview · Essential Eight: Restrict Administrative Privileges · ISM: ISM-0445, ISM-1175, ISM-1380, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1686, ISM-1688, ISM-1689, ISM-1883, ISM-1897, ISM-1898