Microsoft Security Community: The Day Offboarding Exposed Infinite Retention with Nikki Chapple

Join our MVP, Nikki Chapple, as she delivers this lightning talk for the Microsoft Security Community YouTube channel, which has over 38,000 followers!

A routine Purview request uncovered over 9,000 orphaned OneDrives and thousands of inactive mailboxes. Learn how “retain only” policies can create hidden retention debt—and how Adaptive Scopes help separate active users from leavers.

Read the full blogpost: https://nikkichapple.com/ex-employee-onedrive-retention/

Full Transcript


How a Routine Offboarding Request Revealed Hidden Retention Debt (00:00:02 – 00:01:41)

Nikki Chapple:

Hi everyone, I’m Nikki Chapple, a Microsoft 365 and Purview MVP and Principal Cloud Architect.

Today I’m sharing a real-world Purview story called The Day Offboarding Exposed Infinite Retention.

It started with a routine offboarding request:

Can you help us remove data for leavers?

Simple enough—but the investigation uncovered something much larger.

We found more than 9,000 unlicensed OneDrives and inactive mailboxes still storing content long after employees had left the organization.

The root cause was retention-only policies.

“Retain only” means keep the content but do not delete it.

That may be exactly what you want for active users.

But if ex-employees remain in scope, you begin creating retention debt.

Because those policies have no delete action, nothing ever removes content from inactive mailboxes or unlicensed OneDrives.

Purview was doing exactly what it had been configured to do.

The real issue was policy design.

We need different rules for active users and leavers.

This is where Adaptive Scopes help.

Because they are dynamic and attribute-based, the scope automatically follows the user as their scenario changes instead of relying on manual updates.

Now let me show you four things you can check today.


Finding Unlicensed OneDrives and Inactive Mailboxes (00:01:41 – 00:03:31)

Nikki Chapple:

The first thing to check is whether you have unlicensed OneDrives belonging to ex-employees.

Go to the SharePoint Admin Center → Reports → OneDrive Accounts.

This report shows OneDrive accounts belonging to deleted or unlicensed users that remain due to retention policies.

In my test tenant, we can see a user who is unlicensed because deletion is being blocked by a retention policy.

Next, check inactive mailboxes.

Under Purview → Data Lifecycle Management → Policies → Retention Policies, there is a dedicated tab for inactive mailboxes.

This reveals mailboxes from deleted users being retained because they are subject to a retention policy, eDiscovery hold, or litigation hold.

My test tenant only shows limited data—but in real environments you may discover thousands of inactive mailboxes and retained OneDrives.


Identifying Problematic Retention Policies (00:03:31 – 00:04:41)

Nikki Chapple:

Once you’ve identified retained accounts, review your retention policies.

Open a policy and inspect the configuration details.

First, check the policy type.

In this example, the policy is static.

Then look at the locations being targeted—such as mailboxes and OneDrive.

Next, review who is in scope.

Here we have all mailboxes and all users included with no exceptions.

That means the policy applies to active employees—but it also continues to retain data after users leave and their accounts are deleted.

Finally, inspect the retention rules.

You’re specifically looking for policies configured to “retain forever” or “do nothing.”

That’s where the problem begins.

Without a delete action, there is no cleanup mechanism.

The employee leaves, items come out of retention, and the data simply sits there indefinitely.

You’ll need to review each retention policy in your environment this way.


Using Adaptive Scopes to Separate Active Users from Leavers (00:04:41 – 00:05:54)

Nikki Chapple:

Now we move into remediation.

Under Microsoft Purview Settings → Roles and Scopes → Adaptive Scopes, we can create dynamic user groups.

In this example, I’ve created scopes for Active User Mailboxes and Inactive Users.

We’re targeting users because users own both mailboxes and OneDrives.

Using the query builder, we define rules.

For active users, we set:

Recipient Type Details = User Mailbox
IsInactiveMailbox = False

That gives us active user mailboxes only.

For inactive users, we use:

Recipient Type Details = User Mailbox
IsInactiveMailbox = True

Now we have two mutually exclusive groups:

Active users and inactive users.

These groups can then be used to target different retention policies automatically.


Building Retention Policies for Active Users (00:05:54 – 00:07:00)

Nikki Chapple:

Next, we create a new retention policy using Adaptive Scopes.

This policy targets active user mailboxes.

We select the appropriate locations.

In this example, Exchange and OneDrive are selected.

Some workloads are mutually exclusive, so combinations matter.

For example:

– Exchange and OneDrive can be combined
– Teams Chat and Viva Engage can be combined
– Copilot interactions require their own policy

For active users, the goal is to keep data safe without automatically deleting content.

In this example, we retain data for three years and then do nothing.

That’s appropriate because the users are still active.


Creating Retain-and-Delete Policies for Inactive Users (00:07:00 – 00:08:38)

Nikki Chapple:

Inactive users require a different approach.

For leavers, multiple policies must be created.

That’s because Teams chats, Viva Engage communications, and Copilot interactions are stored in different locations and hidden mailbox folders.

In this example:

Policy 1 covers Exchange and OneDrive.
Policy 2 covers Teams Chat and Viva Engage.
Policy 3 covers Copilot interactions.

Each policy targets the inactive-user Adaptive Scope.

Then we define retention duration.

Every organization will have different requirements.

In this scenario, ex-employee data is retained for one year.

But here’s the critical setting:

You must select Delete items automatically.

Over time, content across mailboxes, OneDrives, Teams compliance copies, and other locations is deleted.

Once nothing remains, the mailbox and OneDrive can be purged through normal lifecycle processes.


Final Lessons: Retention Should Follow User Reality (00:08:38 – 00:09:01)

Nikki Chapple:

Before remediation, leaver data stayed in scope indefinitely.

Cleanup only happened when somebody raised a manual request.

Risk increased, storage grew, and retention debt accumulated quietly in the background.

After implementing Adaptive Scopes and targeted retention policies, active users remain protected while leavers are automatically excluded—or moved to policies that include both retention and deletion.

Risk is reduced.

Storage growth is controlled.

Retention stops building debt over time.

Retention isn’t just about how long you keep data.

It’s about who you’re keeping the data for.

When retention follows reality, offboarding stops being a cleanup exercise and becomes part of the user lifecycle.

Thank you for listening today.