Microsoft Graph – eDiscovery purges

Summary

Microsoft Graph eDiscovery purges can report success while the targeted email remains in the mailbox. The process follows Microsoft's documented steps for creating a case, running a search, and starting a purge, yet the message is still present afterwards.

Root Cause

The root cause is a misreading of the purge operation's scope. A Microsoft Graph eDiscovery purge acts on the search's indexed hits, not on every item in the mailbox. If the message is not indexed (for example because of retention policies, encryption, or other factors), it will not be purged, and the operation still completes without error.

Why This Happens in Real Systems

  • Indexing limitations: Not all mailbox items are indexed by eDiscovery (e.g., encrypted emails, items in personal archives).
  • Retention policies: Items under retention policies may not be eligible for purge operations.
  • API behavior: The API reports success based on indexed items, not actual mailbox content.

Real-World Impact

  • Data retention risks: Sensitive data may remain in mailboxes despite purge attempts.
  • Compliance issues: Organizations may fail to meet legal or regulatory requirements for data deletion.
  • Operational inefficiency: Engineers spend time debugging and verifying purge operations.

Example or Code

import time

# Step 5: Start purge
# 'graph' is the thin Graph REST wrapper used in the earlier steps; 'case' and
# 'search' are the eDiscovery case and search created in steps 1-4.
body = {
    'purgeAreas': 'mailboxes',
    'purgeType': 'permanentlyDelete',
}
startpurge = graph.post('security/cases/ediscoveryCases/{}/searches/{}/purgeData'.format(case['id'], search['id']), body=body)

# Wait until the purge is finished. The Location header points at the
# long-running operation; poll it until it leaves the in-progress states.
# A freshly created operation can report 'notStarted', so checking only
# for 'running' would exit the loop too early.
while True:
    stats = graph.get(startpurge['responseheaders']['Location'])[0]
    if stats['status'] not in ('notStarted', 'running'):
        break
    time.sleep(15)

# Note: a final status of 'succeeded' only means the purge of indexed hits
# completed. It does not prove the message is gone from the mailbox.

How Senior Engineers Fix It

  • Verify indexing: Before purging, check indexedItemCount in the search's estimate statistics. If the target item is not counted there, the purge cannot remove it.
  • Check retention policies: Confirm no retention policies prevent deletion.
  • Use alternative methods: For non-indexed items, consider using mailbox search and delete operations directly.
  • Monitor purge scope: Validate the purge operation's scope and limitations in Microsoft's documentation, and verify the mailbox after the purge instead of trusting the operation status alone.
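The pre-check and polling logic described above, as an added example that is not part of the original post. It assumes the estimate statistics come back as a dict using the field names of Graph's ediscoveryEstimateOperation (indexedItemCount, unindexedItemCount, status); the sample response and the status fetcher are constructed so the code runs offline.

```python
import time

# Constructed sample of an estimate-statistics response for a search that
# found the message only as an unindexed hit (values are made up).
SAMPLE_ESTIMATE = {
    "status": "succeeded",
    "mailboxCount": 1,
    "siteCount": 0,
    "indexedItemCount": 0,
    "unindexedItemCount": 1,
}

def purge_precheck(estimate):
    """Decide whether a purge of this search can be expected to remove anything.

    Returns (ok, reason). A purge only acts on indexed hits, so a search whose
    indexed count is 0 will 'succeed' without deleting the message."""
    if estimate.get("status") != "succeeded":
        return False, "estimate not finished: status=%s" % estimate.get("status")
    indexed = estimate.get("indexedItemCount", 0)
    unindexed = estimate.get("unindexedItemCount", 0)
    if indexed == 0:
        if unindexed > 0:
            return False, "search matched only unindexed items; purge will not remove them"
        return False, "search matched nothing; check the query and mailbox scope"
    if unindexed > 0:
        return True, "%d indexed item(s) will be purged; %d unindexed hit(s) need another method" % (indexed, unindexed)
    return True, "%d indexed item(s) will be purged" % indexed

def wait_for_purge(get_status, interval=15, max_polls=40, sleep=time.sleep):
    """Poll a purge operation until it leaves the 'notStarted'/'running' states.

    get_status is a callable returning the operation dict (injected so this can
    run offline against a fake). Returns the final status; raises on timeout."""
    for _ in range(max_polls):
        op = get_status()
        if op.get("status") not in ("notStarted", "running"):
            return op.get("status")
        sleep(interval)
    raise TimeoutError("purge still running after %d polls" % max_polls)

def fake_status_sequence(statuses):
    """Offline stand-in for the Location-header poll: walks through statuses,
    then keeps returning the last one."""
    it = iter(statuses)
    return lambda: {"status": next(it, statuses[-1])}
```

In a live run, feed purge_precheck the body of the search's last estimate operation and refuse to start the purge when it returns False, then verify the mailbox after wait_for_purge reports 'succeeded'.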

Why Juniors Miss It

  • Assumption of full mailbox coverage: Juniors often assume purges target all mailbox items, not just indexed ones.
  • Overreliance on API success: They trust the API’s success status without verifying actual mailbox content.
  • Lack of retention policy awareness: Juniors may overlook retention policies affecting purge operations.
