Monday, 18 January 2016

What happens to my data after my organization’s Office 365 subscription ends?



What happens to my data after my organization’s Office 365 subscription ends? The most common answer circulated in the community refers to a grace period of 30 days, during which you can still retrieve your data.
The answer’s not wrong, but here’s some more detail about the tenant lifecycle after an Office 365 subscription is cancelled, as it relates to the organization’s data.
During the first 30 days after an Office 365 subscription ends, the tenant account is in the grace period, known as the expired state. During this period, users can still access data. If the subscription ended unintentionally (a rare event, I’d argue, given the many alerts you get to prevent termination of subscription due to issues such as non-payment), this is a good time to set things right.
After 30 days, the tenant account enters the disabled state for 90 days. During this period, users no longer have access to data. The admin can still log in, back up data if required, or reactivate the subscription. At the end of the disabled state, which is 120 days after your subscription has expired, the account enters the deprovisioning state. This is when the data, from user accounts to email data and documents, is deleted permanently.

There are a few compliance-related questions arising out of end of subscription.
  1. How quickly will you delete data after my organization’s Office 365 service ends?
    Some time after 120 days. The jobs that delete data do so based on service load. You can expect data to be permanently deleted in a reasonable timeframe after the 120 days have elapsed.
  2. How can I ensure my organization’s Office 365 data is deleted quickly after service ends?
    Many security and compliance-minded organizations want to ensure there’s no residual data in a cloud service after they end service. Office 365 customers can request expedited deprovisioning by calling Support. Expedited deprovisioning ensures your data is deleted within 3 days.
  3. Is data immutability maintained after service ends? (In other words, are mailboxes placed on In-Place Hold or Litigation Hold retained after service ends?)
    By far one of the most frequently asked questions. Data immutability refers to the ability to preserve data – in essence, protecting it from destruction and tampering. See links to additional resources on Immutability, In-Place Hold and Litigation Hold below.

    No. Microsoft’s responsibility as a service provider ends after your service ends, which is when you stop being a customer/subscriber of the service. As noted above, data is permanently deleted when your tenant account enters the deprovisioning state, within a reasonable time after 120 days of end of subscription, or within 3 days if you request expedited deprovisioning. Mailboxes placed on In-Place Hold or Litigation Hold, including inactive mailboxes, are also deleted as part of deprovisioning.

Monday, 4 January 2016

How Lync/SfB clients authenticate to Lync/SfB Server - Simple explanation

How Lync/SfB clients authenticate to Lync/SfB Server



Internal users
When the user is inside the corporate network and signs in to Lync Server from a domain-joined computer using their corporate Active Directory user account, the Lync/SfB client uses the following three protocols to authenticate the user when signing in to Lync/SfB Server:
- Kerberos v5
- TLS-DSK
- NTLM v2
1. If the user has no certificate, the Lync/SfB client attempts to sign the user in to the Front-End Server using Kerberos (SIP traffic).
2. The Front-End Server rejects the authentication request and redirects the Lync/SfB client to the Web Services (https://lync.contoso.com/CertProv/CertProvisioningService.svc) to request a certificate (SIP traffic).
3. The Lync/SfB client authenticates the user to Web Services using NTLM (HTTPS traffic).
4. Once authenticated, the Lync/SfB client requests a certificate for the user (HTTPS traffic). This client certificate is then stored in the user’s Personal certificate store.
5. The Lync/SfB client re-authenticates the user to the Front-End Server using TLS-DSK (SIP traffic).
6. For all subsequent sign-in requests, the Lync/SfB client authenticates to the Server using the TLS-DSK protocol with the user’s certificate instead of using Kerberos or NTLM.
Note - This user certificate is valid for a period of 180 days, and is automatically renewed one month prior to expiration, regardless of whether the user is connected internally or externally.
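As an added example (not from the original post), the PowerShell function below reports the client certificate described in the note above and where it sits in its 180-day lifetime, which tells you whether the next sign-in will use TLS-DSK or fall back to the first-time flow. The function name Get-SfbClientCertStatus is hypothetical, and matching the issuer on "Communications Server" is an assumption about how the certificate is issued; adjust the pattern if your deployment differs.

```powershell
# Added example: inspect the Lync/SfB TLS-DSK client certificate(s) in the
# current user's Personal store. Read-only; nothing is changed.
# Assumption (not from the post): the certificate issuer contains
# "Communications Server".
function Get-SfbClientCertStatus {
    [CmdletBinding()]
    param(
        # Certificates to inspect; defaults to the user's Personal store.
        [Parameter(ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]
        $Certificate = (Get-ChildItem -Path Cert:\CurrentUser\My),

        [string]   $IssuerPattern     = 'Communications Server',
        [int]      $RenewalWindowDays = 30,   # "one month prior to expiration"
        [datetime] $Now               = (Get-Date)
    )
    process {
        foreach ($cert in $Certificate) {
            # Skip certificates that were not issued for Lync/SfB sign-in.
            if ($cert.Issuer -notmatch [regex]::Escape($IssuerPattern)) { continue }

            $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
            $state = if ($Now -lt $cert.NotBefore) { 'NotYetValid' }
                elseif ($Now -gt $cert.NotAfter) { 'Expired' }
                elseif ($daysLeft -le $RenewalWindowDays) { 'RenewalDue' }
                else { 'Valid' }

            [pscustomobject]@{
                Subject      = $cert.Subject
                Thumbprint   = $cert.Thumbprint
                NotBefore    = $cert.NotBefore
                NotAfter     = $cert.NotAfter
                # Expected to be about 180 days per the note above.
                LifetimeDays = [int][math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)
                DaysLeft     = $daysLeft
                State        = $state
            }
        }
    }
}

# No output means no matching certificate: the next sign-in starts at step 1.
Get-SfbClientCertStatus | Format-Table -AutoSize
```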
External users
For remote users connecting over the SIP channel via the Edge Server, the Lync/SfB client can only use the following two authentication protocols:
- TLS-DSK
- NTLM v2
1. If the user does not have a certificate, the Lync/SfB client attempts to sign the user in to the Server using NTLM through the Edge Server (SIP traffic).
2. The Edge Server rejects the authentication request and redirects the Lync/SfB client to the Web Services (https://lyncexternal.contoso.com/CertProv/CertProvisioningService.svc) through the reverse proxy to request a certificate (SIP traffic).
3. The Lync/SfB client authenticates the user to Web Services using NTLM v2 (HTTPS traffic).
4. After authentication, the Lync/SfB client requests a certificate for the user (HTTPS traffic). This client certificate is then stored in the user’s Personal certificate store.
5. The Lync/SfB client re-authenticates the user through the Edge Server using TLS-DSK (SIP traffic).

Permanently Clear Previous Mailbox Info for EXO Exchange GUID sync issues

Microsoft is introducing a new parameter that can be called by using the Set-User cmdlet in Exchange Online PowerShell. The new para...