Cyclotron's Compliance team helps hundreds of clients per year deploy Microsoft Purview. In large and complex environments, adaptive scopes help our Purview customers target retention policies to large populations, but not all customers can rely on dynamic tagging only. This solution shows a way to enable flexibility with retention strategies using Purview and Cyclotron’s expert knowledge. Cyclotron manages Purview in client environments with its expert Kapton managed service, and we help implement scenarios like this.
Author: Peter Ojum,
Security Architect @ Cyclotron
Overview
Adaptive scopes work seamlessly for cloud-only users, helping enable security and compliance policies at scale (retention, DLP, and more). For hybrid users they are harder to implement, because the attribute that drives the scope has to be populated on-premises and synchronized before Purview can evaluate it. For synchronized users, Active Directory remains the authoritative source for synced attributes, whether synchronization runs through Microsoft Entra Connect Sync or Entra Cloud Sync, so the value must be written in Active Directory rather than in the Entra or Microsoft 365 admin portals. This makes it difficult for Purview customers to implement retention strategies at scale when exceptions are needed for specific users or sites.
Challenge
In one enterprise scenario, over 11,000 users had to be excluded from retention policies, far more than a static policy can carry (static retention policies cap per-mailbox inclusion and exclusion lists at 1,000 mailboxes). Adaptive scopes give a scalable, automated way to manage such exclusions: tag each user with an attribute value ("ExcludeFromRetention" or similar) and let the scope query evaluate it, so the policy population stays correct without manual adjustments. The complication is that these users are hybrid (mastered on-premises and synchronized to the cloud), so the attribute change must be made on-premises for it to synchronize.
Solution
To implement the exclusion, a value is written to an attribute in Active Directory (this scenario uses msDS-cloudExtensionAttribute15; if the Exchange schema is present in the forest, extensionAttribute15 itself can be used directly). Microsoft Entra Connect synchronizes that value to extensionAttribute15 in Microsoft Entra ID, which Exchange Online surfaces as CustomAttribute15. In Microsoft Purview, an adaptive scope is then built on CustomAttribute15 so that users carrying the "ExcludeFromRetention" value fall outside the population the retention policy applies to, with no per-user edits to the policy.
The architecture synchronizes on-premises Active Directory with Microsoft Entra ID using Microsoft Entra Connect.
On-Premises Configuration: populate the chosen attribute (e.g., msDS-cloudExtensionAttribute15) with the value "ExcludeFromRetention" for each user to be excluded.
Synchronization Process: a custom Entra Connect inbound rule flows the on-premises attribute to extensionAttribute15; Exchange Online exposes it as CustomAttribute15.
Microsoft Purview Integration: an adaptive scope built on CustomAttribute15 keeps tagged users out of the retention policy's population.
Dynamic Policy Application: adaptive scopes are re-evaluated as attribute values change, so exclusions stay accurate as users are tagged or untagged in Active Directory.
Steps to resolve
Populate a new or existing attribute (e.g., msDS-cloudExtensionAttribute15) in Active Directory. Any attribute that Purview exposes in the adaptive scope filter can serve as the target; for users, the Exchange custom attributes 1 through 15 are the usual choice because they are rarely used for anything else.
Configure a Microsoft Entra Connect synchronization rule that maps the on-premises attribute to extensionAttribute15 in the metaverse. extensionAttribute1 through 15 in Entra ID are exposed in Exchange Online as CustomAttribute1 through 15 without further configuration. Before relying on it, confirm that an outbound rule (by default "Out to AAD – User ExchangeOnline") actually flows extensionAttribute15 to Entra ID; if that rule is absent because the Exchange schema is not present in the forest, an equivalent custom outbound rule is needed as well.
Synchronization rule: In from AD – msDS-cloudExtensionAttribute15 (for Adaptive Scopes)

Description: Inbound synchronization rule on the Active Directory connector. With this attribute flowed to the cloud, users tagged with "ExcludeFromRetention" are recognized by the adaptive scope in Purview.

Settings:
Name: In from AD – msDS-cloudExtensionAttribute15
Connected System: the on-premises Active Directory forest connector (not the XYZ.onmicrosoft.com – AAD connector, which is the target side)
Connected System Object Type: user
Metaverse Object Type: person
Link type: Join
Precedence: a unique value below 100. Entra Connect reserves 100 and above for its built-in rules, and when several rules contribute the same attribute the lowest number wins.
Tag: none
Enable password sync: No
Disabled: No
Transformations: Flow type – Direct; Target attribute – extensionAttribute15; Source – msDS-cloudExtensionAttribute15; Apply Once – No; Merge type – Update

Notes:
Source: the attribute in the connected system (on-premises AD) that the data comes from.
Target attribute: the metaverse attribute the value is written to; the default outbound rules then carry extensionAttribute15 to Microsoft Entra ID.
Transformations (direct flow, expression, or constant) define how data moves from the connected system into the metaverse in an inbound rule.
Because the goal is to tag hybrid users, whose attributes are mastered in AD and then synchronized, an attribute that Purview can filter on (extensionAttribute15, seen as CustomAttribute15) is fed from an on-premises attribute.
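The on-premises side of the procedure (tagging the users and pushing the change through the custom rule) as an added PowerShell example; this is not code from the original article. It assumes the ActiveDirectory module on a domain-joined admin host, the ADSync module on the Entra Connect server, that the custom inbound rule above already exists, and that msDS-cloudExtensionAttribute15 is not used for anything else. The CSV and the UPNs in it are constructed sample values.

```powershell
# Added example (not from the original article): tag hybrid users on-premises so the value
# flows through Entra Connect to extensionAttribute15 / CustomAttribute15.
# Assumptions: ActiveDirectory module here, ADSync module on the Entra Connect server,
# custom inbound rule already created. CSV content and UPNs are constructed sample data.
Import-Module ActiveDirectory

$SourceAttribute = 'msDS-cloudExtensionAttribute15'   # on-prem attribute chosen above
$TagValue        = 'ExcludeFromRetention'

# Constructed sample input; in the real scenario this is the exported list of ~11,000 UPNs.
$users = @'
UserPrincipalName
alice@contoso.com
bob@contoso.com
carol@contoso.com
'@ | ConvertFrom-Csv

$results = foreach ($row in $users) {
    $upn     = $row.UserPrincipalName.Trim()
    $escaped = $upn -replace "'", "''"           # keep O'Brien-style UPNs from breaking the filter
    $user    = Get-ADUser -Filter "UserPrincipalName -eq '$escaped'" -Properties $SourceAttribute

    if (-not $user) {
        [pscustomobject]@{ UPN = $upn; Status = 'NotFound' }; continue
    }
    if ($user.$SourceAttribute -eq $TagValue) {
        [pscustomobject]@{ UPN = $upn; Status = 'AlreadyTagged' }; continue
    }
    if ($user.$SourceAttribute) {
        # Refuse to overwrite an attribute that is already carrying some other value.
        [pscustomobject]@{ UPN = $upn; Status = "Conflict:$($user.$SourceAttribute)" }; continue
    }
    try {
        Set-ADUser -Identity $user -Replace @{ $SourceAttribute = $TagValue } -ErrorAction Stop
        [pscustomobject]@{ UPN = $upn; Status = 'Tagged' }
    } catch {
        [pscustomobject]@{ UPN = $upn; Status = "Error:$($_.Exception.Message)" }
    }
}

# Summary and an exceptions file for the rows that were not tagged.
$results | Group-Object Status | Select-Object Name, Count
$results | Where-Object Status -ne 'Tagged' | Export-Csv .\tagging-exceptions.csv -NoTypeInformation

# On the Entra Connect server: confirm the custom rule is present, then sync.
# A newly created rule needs one Initial (full) cycle; later tag changes only need Delta.
Import-Module ADSync
$rule = Get-ADSyncRule | Where-Object { $_.Name -like 'In from AD - msDS-cloudExtensionAttribute15*' }
if (-not $rule) { throw 'Custom inbound rule not found; create it before running the sync.' }
Start-ADSyncSyncCycle -PolicyType Initial
```

The Conflict branch matters in environments where someone has already repurposed the chosen attribute: silently overwriting it would break whatever depends on the old value and give a misleading scope population. An Initial sync cycle re-imports the whole forest, so in a large environment schedule it outside the normal delta cadence.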
Validate the sync: confirm that users tagged with "ExcludeFromRetention" show the value in Entra ID and in Exchange Online, where Purview reads it.
In Exchange Online PowerShell, Get-Mailbox -Identity "user@contoso.com" | Format-List CustomAttribute15 shows CustomAttribute15 set to "ExcludeFromRetention" once the value has synchronized. The same value is visible on the Entra ID user object under onPremisesExtensionAttributes.extensionAttribute15; if it is present there but not in Exchange Online, the sync worked and Exchange Online has simply not picked it up yet.
This resolution flows an on-premises attribute into an extension attribute, which Exchange Online represents as a custom attribute. Microsoft 365 can then see the updated value and Purview's adaptive scopes can act on it. Because Active Directory is the source of authority, the chosen msDS-cloudExtensionAttribute must always be updated on-premises; edits attempted in the cloud are overwritten on the next sync.
Now, go to Purview’s admin center to complete the Retention implementation.
Navigate to the Microsoft Purview Compliance Portal.
Go to Data lifecycle management > Retention policies.
Select Adaptive scopes under Rules and scopes.
Create a new scope named "ExcludeUsers_CustomAttribute15."
Choose Users as the scope type (a user scope covers Exchange mailboxes and OneDrive accounts; the workloads themselves are selected later, in the policy).
Switch to the advanced query builder and enter the OPATH filter CustomAttribute15 -ne 'ExcludeFromRetention' (if a filter already defines the retained population, add this as a further condition). An adaptive policy applies to exactly the users its scopes return and has no separate exclude option, so the exclusion is expressed in the scope query: tagged users are simply not returned.
Save the scope. Purview evaluates it on a schedule, so allow time before checking Scope details; confirm the tagged users are absent and the expected users are present.
Create or edit the retention policy, choose Adaptive as the policy type, add the scope, and select the workloads it should govern.
Finalize the policy and validate it against a few tagged and untagged mailboxes to confirm the exclusions are correct.
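The validation step and the Purview side of the procedure as one added PowerShell example; this is not code from the original article. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules and an account with Compliance Administrator rights. The UPNs are constructed sample values, and the policy name and 2,555-day duration are illustrative; the New-AdaptiveScope, New-RetentionCompliancePolicy and New-RetentionComplianceRule parameters are used as documented for the current module, so check Get-Help if your module version differs.

```powershell
# Added example (not from the original article): confirm the tag reached the cloud,
# preview the adaptive scope population, then create the scope and policy from PowerShell.
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules, Compliance Administrator
# rights. The UPNs, policy name and duration below are constructed/illustrative values.
$TagValue  = 'ExcludeFromRetention'
$ScopeName = 'ExcludeUsers_CustomAttribute15'
$Tagged    = @('alice@contoso.com', 'bob@contoso.com', 'carol@contoso.com')   # constructed

# 1. Exchange Online: CustomAttribute15 is how Exchange surfaces Entra extensionAttribute15.
Connect-ExchangeOnline
$notVisible = foreach ($upn in $Tagged) {
    $mbx = Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue
    if (-not $mbx)                                { "$upn : no mailbox found" }
    elseif ($mbx.CustomAttribute15 -ne $TagValue) { "$upn : CustomAttribute15 = '$($mbx.CustomAttribute15)'" }
}
if ($notVisible) { Write-Warning ("Tag not yet visible in Exchange Online:`n" + ($notVisible -join "`n")) }

# 2. Entra ID: read the synced attribute directly. Absent here = Entra Connect flow problem;
#    present here but missing in step 1 = Exchange Online has not picked it up yet.
Connect-MgGraph -Scopes 'User.Read.All'
foreach ($upn in $Tagged) {
    $u = Get-MgUser -UserId $upn -Property 'UserPrincipalName,OnPremisesExtensionAttributes'
    [pscustomobject]@{
        UPN                  = $upn
        extensionAttribute15 = $u.OnPremisesExtensionAttributes.ExtensionAttribute15
    }
}

# 3. Preview the scope population before it governs anything. An adaptive policy applies to
#    everyone its scope returns, so the query selects the population that SHOULD be retained.
$scopeQuery = "CustomAttribute15 -ne '$TagValue'"
$base       = "RecipientTypeDetails -eq 'UserMailbox'"
$inScope  = @(Get-Recipient -Filter "($base) -and ($scopeQuery)" -ResultSize Unlimited)
$excluded = @(Get-Recipient -Filter "($base) -and (CustomAttribute15 -eq '$TagValue')" -ResultSize Unlimited)
$all      = @(Get-Recipient -Filter $base -ResultSize Unlimited)
"{0} mailboxes in scope, {1} excluded by tag, {2} total" -f $inScope.Count, $excluded.Count, $all.Count
if ($inScope.Count + $excluded.Count -ne $all.Count) {
    # Some mailboxes landed in neither bucket (most likely those with an empty
    # CustomAttribute15); they would silently fall outside retention, so fix the
    # query before creating the scope.
    Write-Warning 'Scope query does not cover every mailbox; check how the filter treats empty values.'
}

# 4. Security & Compliance PowerShell: create the scope and an adaptive policy that uses it.
Connect-IPPSSession
New-AdaptiveScope -Name $ScopeName -LocationType User -RawQuery $scopeQuery
New-RetentionCompliancePolicy -Name 'Exchange retention (adaptive)' -AdaptiveScopeLocation $ScopeName -Applications 'User:Exchange'
New-RetentionComplianceRule -Policy 'Exchange retention (adaptive)' -RetentionDuration 2555 -RetentionComplianceAction Keep
```

The arithmetic check in step 3 is the part worth keeping: the in-scope and excluded counts must add up to the total number of user mailboxes. If they do not, the scope query has a gap that the portal's Scope details page will not flag, and the mailboxes in that gap would never be retained.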
Conclusion
Adaptive scopes in Microsoft Purview let organizations define the users, groups, or sites a retention policy governs by attribute query rather than by hand-maintained lists. Writing "ExcludeFromRetention" into the on-premises attribute, synchronizing it to extensionAttribute15 (CustomAttribute15 in Exchange Online), and building the retention policy on an adaptive scope that filters on that attribute keeps tagged users out of the policy's population. When a user is tagged or untagged in Active Directory, the next sync and scope evaluation pick up the change, and the policy itself never needs to be edited.
At Cyclotron, we specialize in helping clients navigate complex compliance scenarios with our expert knowledge and managed services. If you're interested in getting started with adaptive scopes or need assistance with your retention policies, contact us today!