Body
1.0 Scope
1.1 This standard applies to faculty and staff Microsoft 365 email accounts provisioned through the university identity management process and to the retention, deprovisioning, recovery, and limited access of those accounts after separation from employment.
1.2 This standard does not establish records retention requirements for the content of email messages. Records retention requirements remain governed by applicable university policy, records management requirements, and legal or regulatory obligations.
2.0 Purpose
2.1 The purpose of this standard is to establish requirements for retention, deprovisioning, recovery limitations, exception handling, and forwarding restrictions for APSU employee email accounts in support of operational continuity, security, and compliance.
3.0 Responsibility
3.1 Office of Information Technology (OIT):
3.1.1 OIT shall maintain the technical processes used to provision, disable, de-license, delete, and, when approved, preserve employee email accounts.
3.1.2 OIT shall administer exception handling when a valid business need is identified before the applicable deletion timeline expires.
3.1.3 OIT shall communicate technical limitations related to mailbox recovery after Microsoft purge timelines have passed.
3.2 Supervisors and departments:
3.2.1 Supervisors and departments shall identify any business need for mailbox preservation or delegated access before the applicable retention period expires.
3.2.2 Supervisors and departments shall coordinate with OIT to request approved exception handling when access to a separated employee mailbox is required for university business.
3.2.3 Supervisors and departments shall ensure continuity of university communications through appropriate transition planning and shall not rely on long-term retention of inactive accounts.
3.3.3 Account holders shall conduct university business through approved APSU email services and comply with university requirements governing account use, including restrictions on automatic forwarding.
4.0 Approval Authority
4.1 The Chief Information Officer, or designee, is the approval authority for this standard and any substantive revisions.
5.0 Standards
5.1 Active faculty and staff email accounts shall be provisioned and managed through APSU identity and account management processes. Account access, licensing, and mailbox availability are contingent upon active employment status and continued eligibility for university-provided services.
5.2 Upon an employee separation date recorded in Banner, Microsoft Identity Management (MIM) shall disable the account and remove Microsoft 365 licensing effective immediately. For non-retiree separations, MIM shall delete the account two weeks after the employment end date. Microsoft shall purge the mailbox 30 days after account deletion. Under the standard process, the mailbox remains recoverable for approximately 44 days after the employment end date.
5.3 For retiree separations, the employee work account deletion date shall be extended to six months after the employment end date. Microsoft purge timelines shall still apply after deletion. Under the standard retiree process, the mailbox remains available for approximately seven months after the employment end date. A separate retiree account may be created in accordance with university practice.
5.4 Once Microsoft purges a deleted mailbox, the mailbox and its contents cannot be recovered through standard administrative processes.
5.5 Account preservation:
5.5.1 When a valid university business need is identified before the applicable deletion timeline expires, OIT may preserve the account and grant limited access through an approved exception process.
5.5.2 Requests to preserve an account require initial approval through HR or Legal and final approval from the Chief Information Officer.
5.5.3 Requests to preserve an account require an end date after which the account will proceed through the standard provisioning timelines.
5.5.4 Approved exceptions require removal of the account from the automated MIM deprovisioning workflow before deletion occurs.
5.6 Retention of inactive or unused accounts beyond the approved timeline increases institutional security risk and shall be limited to approved business, legal, or compliance needs.
5.7 Automatic forwarding of APSU employee email to personal or non-university email accounts is prohibited. Forwarding within university-managed services, when permitted by OIT, must comply with university policy, security requirements, and records retention obligations.
6.0 Procedures
6.1 Separation processing: Upon receipt of employment end data from Banner, the automated identity management process shall disable the employee account and remove Microsoft 365 licensing effective on the employment end date.
6.2 Standard deletion timeline: For non-retiree separations, the disabled account shall remain in a deleted-pending state for two weeks and shall then be deleted. Microsoft purge shall occur 30 days after deletion.
6.3 Retiree deletion timeline: For retiree separations, the employee work account deletion date shall be extended to six months after employment end date. Microsoft purge shall occur 30 days after deletion.
6.4 Exception requests: Departments requiring continued access or mailbox preservation shall submit a request to OIT before the applicable deletion date.
6.5 Approved exceptions: When approved, OIT shall remove the account from the automated deprovisioning workflow and apply the least access necessary.
6.6 Recovery limitations: If no exception is requested before deletion and Microsoft purge has occurred, the mailbox will not be recoverable.
6.7 Automatic forwarding: Automatic forwarding to personal or non-university accounts shall not be permitted.
7.0 Associated Documents
7.1 APSU Policy 4:029 Acceptable Use of Information Technology Resources
8.0 RECORD RETENTION TABLE:
| Identification |
Storage |
Retention |
Dispostion |
Protection |
| NA |
NA |
NA |
NA |
NA |
8.0 REVISION HISTORY:
Date: Rev. Description of Revision:
6/1/2026 Initial Release
***End of Standard***