Microsoft has recently announced changes to the way that unlicensed OneDrive will be handled in most people's tenants1. These changes have implications for Records Managers, which will need to be carefully considered when planning their architecture in Microsoft 365. This announcement will affect the approach you might wish to take when managing the OneDrive accounts of former members of staff.
Currently, when a user’s licence2 is removed and there is a policy preventing content in their OneDrive account from being deleted (e.g. retention policy or legal hold), then the OneDrive account will be retained for the duration of that policy.
From the 27th of January 2025, however, when a user’s licence is removed and there is a policy preventing content in their OneDrive account from being deleted (e.g. retention policy or legal hold), then their OneDrive account will be automatically archived 93 days after the licence was removed.
This change is important to understand because there are no costs associated with the current process, however, after this change, there will be ongoing fees for both storage and reactivation of archived OneDrive accounts.
What happens when a OneDrive account is ‘archived’?
Firstly, it’s important to mention that what Microsoft calls ‘archive’ has nothing to do with the sort of archive that an archivist might be interested in maintaining. Information that is archived in Microsoft 365 is neither preserved, nor is it made immutable, and you can’t even easily search or browse through it. Instead, in Microsoft 365 you need to understand that the word ‘archive’ really means ‘cold storage’ – i.e. data that is rarely accessed and typically stored at a cheaper cost.
As soon as a OneDrive account is ‘archived’, it will effectively disappear. While archived, nobody in your organisation will be able to access or view the content inside it, even if you are an administrator or previously had permission to access content in the account.
In fact, while your administrators will be aware of the existence of archived accounts, they only have a limited number of options for managing the content within them:
They can reactivate the accounts (for a fee!). This will restore the OneDrive account, but only for 30 days – as unless a licence is assigned, the reactivated account will be automatically archived again after 30 days (if the retention policy/litigation hold is still active).
They can delete archived accounts, but only after the retention label/retention policy/litigation hold no longer applies to the account (i.e. when the policy is revoked, or when the last file reaches the end of its retention period).
Thankfully, content within archived OneDrive accounts can still be found when running eDiscovery searches and is also included when using Purview’s Content Search capability (for example when facilitating Subject Access Request).
What are the costs associated with this change?
As mentioned above, while there are currently no costs associated with removing a licence from a OneDrive account, fees could potentially be incurred after this change. Don't forget that these fees will only be charged if an unlicensed OneDrive account is archived, which will only happen automatically if a policy (such as a retention policy or legal hold)prevents the account from being deleted.
The following table provides an indication of the potentially costs you might incur:
OneDrive data volume | Current monthly fees | OneDrive account with typical usage – 10 GB | OneDrive account at maximum capacity - 1TB |
Storage fee (per year) | $0.05/GB/Month | $6.14 USD (c. £5.06 GBP) per account, per year | $614.4 USD (c. £506 GBP) per account, per year |
Reactivation fee | $0.60/GB
| $6 USD (c. £4.94 GBP) | $600 USD (c. £494 GBP) |
What are our options?
I personally can’t see too many organisations being happy paying ongoing storage fees for information that they can’t easily find or use. While the fees are relatively small, they will add up quite quickly. I can easily see them becoming quite noticeable, especially for organisations with larger staff numbers. As a result, most people will probably want to start ensuring that they avoid allowing their OneDrive accounts being archived.
One approach that could be taken is to remove retention from OneDrive altogether. Without retention being applied, the OneDrive accounts of leavers will be deleted, rather than being archived when staff leave the organisation. However, this approach presents a significant risk that information of organisational value will be lost when OneDrive accounts are deleted.
Alternatively, in the 30 days after the licence is removed, OneDrive accounts could be reviewed and they could be excluded from the scope of any retention policies, so that they are deleted, rather than being archived.
Ultimately, I feel that this change places even more emphasis on trying to ensure that OneDrive accounts see appropriate usage. Content of wider value to the organisation should not be stored in OneDrive and a combination of approaches should be used to encourage better information storage practices. Some of the approaches I’d personally consider include:
Updating OneDrive policies, procedures and guidance
Reducing OneDrive storage quotas
Disabling external sharing from OneDrive
Monitoring for users with large OneDrive storage volumes
Considering using a deletion policy (i.e. a retention policy in deletion mode) to routinely delete content stored in OneDrive accounts – possibly anything not modified in the past 5 years for example. NB - a deletion policy shouldn't prevent the OneDrive account from being automatically archived if the licence is removed - as this will not inhibit deletion of the account.
Another ramification of this update is that it is now far less likely that an organisation might consider applying retention policies or retention labels (in 'retention mode') to their OneDrive accounts. Prior to this change being announced one of the approaches I regularly suggested was to apply a deletion policy to OneDrive accounts, while also providing users with a single retention label to allow them to tag legitimate content (such as their appraisal or PDR) as being personal. The retention label would then supersede the deletion policy, allowing personal content to be kept, while auto-deleting other items. This approach served primarily to help discourage staff from using their OneDrive accounts for storing information of value to the wider organisation.
Unfortunately, this approach is now likely to result in OneDrive accounts being archived - as the retention label would prevent the account from being deleted when licences are removed. As such, I'll no longer be able to recommend considering this option for my clients.
Footnote
1 The changes detailed in this blog post do not apply to the following Microsoft 365 tenants: EDU (Education), GCC (US Government) or DoD (US Department of Defense).
2 For anyone wondering about my spelling of the word 'licence' in this blog post - please take a look at this wonderful post made by my colleague Charlotte Lincoln