Understand data lifecycle - destruction
Microsoft Data Handling Standard specifies how long customer data is retained after deletion. There are generally two scenarios in which customer data is deleted:
- Active Deletion: The tenant has an active subscription and a user or administrator deletes data, or administrators delete a user.
- Passive Deletion: The tenant subscription ends.
When a customer ends their subscription, Microsoft retains customer data in a limited function account for 90 days to enable the customer to extract the data. After the 90-day retention period ends, Microsoft will delete customer data unless authorized to retain it or required to retain it by law. No more than 180 days after expiration or termination of a subscription to Microsoft 365, Microsoft disables the account and deletes all customer data from the account. Once the maximum retention period for any data has elapsed, the data is rendered commercially unrecoverable.
Microsoft also deletes all service-generated and diagnostic data as part of the standard Microsoft data lifecycle, unless needed to maintain the security and stability of the service. For any subscription, a subscriber can contact Microsoft Support and request expedited subscription de-provisioning. In this process, all user data is deleted three days after the administrator enters the lockout code provided by Microsoft. This includes data in SharePoint Online and Exchange Online under hold or stored in inactive mailboxes.