This chapter covers Microsoft 365 data portability and export, a key topic in the M365 Security domain for the MS-900 exam (Objective 3.4). You will learn the mechanisms Microsoft provides to export your organizational data from Exchange Online, SharePoint Online, OneDrive, Teams, and other services. Understanding these tools is critical because approximately 5-10% of exam questions touch on data retention, export, and portability scenarios, often testing your knowledge of who can export what and what limitations apply.
Jump to a section
Think of Microsoft 365 data portability as an interlibrary loan system. You are a patron (the data owner) who wants to take a book (your data) from Library A (Microsoft 365) to Library B (another service). Microsoft provides a standardized request form (the Data Export API) that you fill out specifying which book you want. The librarian (the Microsoft 365 admin) processes the request and retrieves the book from the shelves (your Exchange mailboxes, SharePoint sites, etc.). The book is then placed in a secure, tamper-evident package (a .pst file or .csv export) and handed to you. You then take that package to Library B, which has its own cataloging system (different data format). You may need to convert the package into a format Library B understands (data transformation). Microsoft does not guarantee that Library B can read the package; it only guarantees that the package contains your data in a standard format. The interlibrary loan system ensures you can move physical books between libraries, but the receiving library must have the shelf space and cataloging rules to integrate them. Similarly, Microsoft 365 data export gives you the raw data, but you are responsible for importing it into the target system and handling any incompatibilities.
What Is Data Portability and Why Does It Exist?
Data portability refers to the ability of customers to export their data from Microsoft 365 in a structured, commonly used format. This is mandated by regulations like GDPR (Article 20) and other data protection laws, which require that data controllers (organizations) can transfer personal data to another controller without hindrance. Microsoft 365 provides several built-in tools to facilitate this, but the responsibility for extracting and moving data lies with the tenant administrator.
How Data Export Works in Microsoft 365
Microsoft 365 data export is not a single button but a collection of tools and APIs. The primary methods are:
Microsoft Purview Compliance Portal – Data Export: This is the main admin tool for exporting content from Exchange, SharePoint, OneDrive, and Teams. It creates a .pst file for mailboxes and a .csv or .json for other data.
eDiscovery Export: Used for legal or compliance investigations, this exports data from Exchange, SharePoint, and Teams in a structured format (e.g., .pst, .msg, .csv).
Microsoft Graph API: Programmatic access to export data at scale. Developers can write scripts to extract user data, files, messages, etc.
Microsoft 365 Admin Center – Export all data: A simplified option for small tenants to export a subset of data.
Step-by-Step Mechanism of the Data Export Process
When an admin initiates a data export from the Microsoft Purview compliance portal:
Authentication and Authorization: The admin must have the necessary permissions (e.g., Compliance Administrator, eDiscovery Manager). The system checks RBAC roles.
Search Scope Definition: The admin defines the data to export by specifying users, sites, date ranges, and content types (email, documents, Teams messages).
Search Execution: Microsoft 365 runs a search across Exchange, SharePoint, OneDrive, and Teams indexes. For Exchange, it uses the Content Search feature; for SharePoint, it queries the search index.
Export Preparation: Once the search is complete, the admin clicks 'Export'. The system copies the results to a secure Azure Storage location (Microsoft-managed). This can take minutes to hours depending on data volume.
Download: The admin receives a link to download the exported data. The data is packaged into .pst files for mailboxes and a results.csv file with metadata. For SharePoint, files are downloaded in their native format (e.g., .docx, .pdf) with a manifest.json.
Data Integrity: Each download includes a hash file (SHA256) to verify integrity.
Key Components, Values, Defaults, and Timers
Export Size Limits: Per export job, the maximum size is 5 TB. Individual files larger than 10 MB are compressed into .zip files.
Export Duration: Exported data is available for download for 14 days after the export job completes. After that, the data is deleted from Azure Storage.
Parallel Exports: You can run up to 10 export jobs simultaneously per tenant.
.pst File Size: Each .pst file is limited to 10 GB. If a mailbox exceeds this, it is split into multiple .pst files.
Supported Data Types: Exchange mailboxes, SharePoint sites, OneDrive accounts, Teams messages (in mailboxes), and public folders.
Unsupported Data Types: Azure AD data (users, groups) is not exported through Purview; use Azure AD Graph or Microsoft Graph for directory data.
Configuration and Verification Commands
To initiate a data export using PowerShell (Exchange Online module):
# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
# Create a compliance search
New-ComplianceSearch -Name "ExportAllMail" -ExchangeLocation All -ContentMatchQuery "received>01/01/2023"
# Start the search
Start-ComplianceSearch -Identity "ExportAllMail"
# Once completed, create an export action
New-ComplianceSearchAction -SearchName "ExportAllMail" -Export
# Check export status
Get-ComplianceSearchAction -Identity "ExportAllMail_Export"For Microsoft Graph API:
GET https://graph.microsoft.com/v1.0/users/{user-id}/messages?$top=1000Interaction with Related Technologies
Data Retention Policies: Data subject to retention policies may still be exported, but the retention labels are preserved in the metadata. However, deleted items that are in the Recoverable Items folder (due to retention) are also exported.
eDiscovery vs. Data Export: eDiscovery is for legal holds and compliance, while data export is for general data portability. The export format is similar, but eDiscovery includes advanced features like review sets.
Azure Information Protection: If data is protected with Azure Information Protection (AIP), the exported files retain the protection labels but may not be readable if the target system does not support AIP.
Microsoft 365 Backup: This is separate from export. Backup is for disaster recovery, while export is for data portability.
Limitations and Considerations
Export of Teams Chat: Teams 1:1 and group chat messages are stored in the individual users' mailboxes. Channel messages are stored in the group mailbox associated with the Team. Exporting Teams data requires exporting the relevant mailboxes.
Export of Shared Mailboxes: Shared mailboxes can be exported by an admin if they have the necessary permissions.
Export of Inactive Mailboxes: Inactive mailboxes (soft-deleted) can be exported using eDiscovery but not through the simple admin export tool.
Performance: Exporting large tenants can take days. Microsoft recommends using Microsoft Graph API for bulk exports.
Data Portability Beyond Export
Data portability also includes the ability to import data into another service. Microsoft provides tools to import .pst files into Exchange Online, but moving data to a non-Microsoft service is the customer's responsibility. Microsoft does not provide direct integration to migrate to Google Workspace or other providers, but they do provide open standards like IMAP for email and REST APIs for files.
Security Considerations
Access Control: Only users with the eDiscovery Manager role group or Compliance Administrator can export data. This is a sensitive permission.
Audit Logs: All export actions are logged in the audit log. Review logs regularly.
Data in Transit: Exported data is encrypted in transit (HTTPS). At rest in Azure Storage, it is encrypted using Microsoft-managed keys.
Data at Rest in Download: Once downloaded, the data is no longer protected by Microsoft. The organization must secure it.
Create a Compliance Search
The admin defines the scope of data to export. This is done in the Microsoft Purview compliance portal under 'Content search'. The admin specifies the data sources (Exchange mailboxes, SharePoint sites, OneDrive accounts, or public folders) and optionally a date range or keyword query. The search runs against the indexed content. For Exchange, it queries the Exchange search index; for SharePoint, it uses the SharePoint search index. The search can take from minutes to hours depending on the number of items. The admin can save the search for reuse. At this stage, no data is copied; only metadata is returned. The search result shows the number of items and total size.
Review Search Results
After the search completes, the admin can preview a sample of the results to verify that the correct data is included. This preview shows up to 1000 items per search. For Exchange, the preview shows email headers; for SharePoint, it shows document properties. The admin can refine the search query if needed. This step is optional but recommended to avoid exporting unnecessary data. The preview does not count against the export quota.
Initiate Export Action
Once satisfied with the search, the admin clicks 'Export results' and chooses the export format. The available options are: 'Exported items' (full content) or 'Results log only' (metadata CSV). For Exchange, the admin can choose to export items in a single .pst file per mailbox or multiple .pst files if the mailbox is large. The system then creates an export action in the backend. This action submits a job to copy the search results from the index to Azure Storage. The job is queued and processed asynchronously. The admin can monitor the progress in the compliance portal.
Data Copy to Azure Storage
Microsoft 365 copies the search results to a temporary Azure Storage blob container. This is a Microsoft-managed subscription. The data is encrypted at rest using Azure Storage Service Encryption (SSE). During this step, the system also generates a hash file for integrity verification. The time required depends on the total data size and the current load. For large exports, this can take several hours. The admin receives no notification; they must refresh the portal to see the status change to 'Export completed'.
Download Exported Data
When the export is complete, the admin can download the data. The download is a .zip file containing the .pst files (for mailboxes) and/or native files (for SharePoint) plus a results.csv and manifest.json. The download link is available for 14 days. The admin must have the necessary permissions to download; typically, the same admin who initiated the export. The download is over HTTPS and can be resumed if interrupted using a download manager. After 14 days, the Azure Storage container is deleted, and the data is permanently removed.
Scenario 1: GDPR Data Subject Request (DSR)
A large European company receives a DSR from an employee who has left the company. The employee requests all personal data stored in Microsoft 365. The compliance team uses the Microsoft Purview compliance portal to create a content search for the employee's mailbox, OneDrive, and any SharePoint sites where the employee had access. They export the data to .pst and .csv files. The export includes emails, documents, and Teams chat messages. The team then reviews the data to redact any third-party personal data before delivering it to the employee. A common challenge is that the export includes data from shared mailboxes or distribution groups where the employee was a member, which may contain other individuals' data. To handle this, the team uses eDiscovery with advanced filtering. Performance-wise, exporting a mailbox with 50 GB of data takes about 2-4 hours. The 14-day download window is sufficient but requires careful scheduling.
Scenario 2: Migration to Another Provider
A mid-sized company decides to move from Microsoft 365 to Google Workspace. They need to export all mailboxes, files, and Teams data. For mailboxes, they use the Exchange admin center to export each user's mailbox to .pst files. For OneDrive and SharePoint, they use the SharePoint Online Management Shell to download files via PowerShell. For Teams, they export channel messages from the associated group mailbox. The total data is 2 TB across 500 users. They run multiple export jobs in parallel (up to 10) to speed up the process. They encounter a problem: the .pst files for some users exceed 10 GB and are split into multiple files, complicating the import into Google Workspace. They use third-party migration tools to handle the splitting. The migration takes two weeks. Key lesson: start exports early and test one user first.
Scenario 3: Legal Hold and Export
A company is involved in litigation and must preserve all data related to a specific project. They place a legal hold on the relevant mailboxes and SharePoint sites. Later, they need to export the preserved data for the legal team. They use eDiscovery instead of the standard export tool because eDiscovery allows them to export only the data on hold, not the entire mailbox. The export includes metadata like hold status. The legal team imports the .pst files into a review platform. A common mistake is using the standard export tool, which exports all data, including data not on hold, potentially violating data minimization principles.
What MS-900 Tests on Data Portability and Export
The MS-900 exam (Objective 3.4) focuses on understanding the capabilities and limitations of data export tools. You will not be asked to perform exports but to identify which tool to use in a given scenario. Key areas:
Microsoft Purview compliance portal as the primary export tool for compliance and DSRs.
eDiscovery for legal holds and advanced export needs.
Data retention vs. export: retention policies affect what can be exported.
Limitations: 5 TB per export, 14-day download window, 10 parallel exports.
Who can export: Only admins with specific roles (Compliance Administrator, eDiscovery Manager).
Common Wrong Answers and Why Candidates Choose Them
'Any user can export their own data' – Wrong. GDPR gives users the right to portability, but Microsoft 365 does not provide a self-service export for end users. An admin must perform the export. Candidates confuse the right with the implementation.
'Data export includes Azure AD user data' – Wrong. The export tool only exports content from Exchange, SharePoint, OneDrive, Teams, and public folders. Azure AD data (users, groups) must be exported via Azure AD Graph or Microsoft Graph. Candidates assume all data is in one place.
'Exported data is automatically deleted after 30 days' – Wrong. It is 14 days. Candidates misremember the retention period for export downloads.
'You can export an unlimited amount of data' – Wrong. There is a 5 TB limit per export job. Candidates think because Microsoft 365 is cloud-scale, there are no limits.
Specific Numbers and Terms That Appear on the Exam
5 TB: maximum export job size.
14 days: download availability.
10 GB: maximum .pst file size (causes splitting).
10: maximum concurrent export jobs.
.pst format for mailboxes.
.csv for results log.
manifest.json for SharePoint exports.
Edge Cases and Exceptions
Inactive mailboxes can be exported only via eDiscovery, not the standard export.
Teams chat messages are stored in user mailboxes; channel messages in group mailboxes.
Public folders are exportable but only as .pst files.
Data subject to retention policies is still exportable, but retention labels are preserved.
How to Eliminate Wrong Answers
If the scenario mentions 'user self-service', eliminate that answer because only admins can export.
If the scenario mentions 'Azure AD users', eliminate the Purview export answer.
If the scenario mentions 'legal hold', look for eDiscovery, not standard export.
If the scenario mentions 'large export over 5 TB', the answer should mention multiple export jobs or using Graph API.
Data export is initiated by admins via Microsoft Purview compliance portal, not by end users.
Maximum export job size is 5 TB; maximum concurrent exports is 10.
Exported data is available for download for 14 days only.
Mailboxes are exported as .pst files; SharePoint files are exported in native format with a manifest.json.
Teams data is exported via user or group mailboxes.
Azure AD data is not included in Purview export; use Microsoft Graph API.
eDiscovery export is for legal holds; standard export is for DSRs and portability.
Data subject to retention policies is still exportable.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Purview Data Export
Used for general data portability and DSRs.
Exports all data matching search criteria.
Simple UI with limited filtering.
No legal hold preservation; exports current state.
Available to Compliance Administrators and eDiscovery Managers.
eDiscovery Export
Used for legal holds and compliance investigations.
Can export only data on hold or specific custodians.
Advanced features like review sets, redactions, and tagging.
Preserves hold status and metadata.
Requires eDiscovery Manager role; more granular permissions.
Mistake
Users can export their own data from Microsoft 365.
Correct
End users have no self-service export capability. Only administrators with appropriate roles (Compliance Administrator, eDiscovery Manager) can initiate exports. Users must submit a request to their IT department.
Mistake
Data export includes all Microsoft 365 data, including Azure AD.
Correct
The standard data export from the Purview compliance portal only exports content from Exchange Online, SharePoint Online, OneDrive for Business, Teams, and public folders. Azure AD data (user profiles, group memberships) must be exported separately using Azure AD Graph or Microsoft Graph API.
Mistake
Exported data is available for download indefinitely.
Correct
Exported data is stored in Azure Storage for only 14 days after the export job completes. After that, the data is permanently deleted. Admins must download within this window.
Mistake
There is no limit on export size.
Correct
Each export job is limited to 5 TB of data. For larger exports, you must run multiple jobs or use the Microsoft Graph API.
Mistake
Exporting data from Microsoft 365 guarantees it can be imported into another service without issues.
Correct
Microsoft provides data in standard formats (.pst, .csv, native files), but the target service may not support these formats or may have import limitations. The customer is responsible for data transformation and import.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The time depends on the amount of data and current system load. For a typical mailbox (10 GB), the search and export can take 1-2 hours. For large exports (several TB), it can take days. The export job runs asynchronously; you can monitor its status in the compliance portal. There is no way to accelerate it beyond running multiple jobs in parallel (up to 10).
Yes, but only using eDiscovery, not the standard data export tool. Inactive mailboxes are those that have been soft-deleted (no license) but still have data due to a hold or retention policy. You must add the inactive mailbox as a source in an eDiscovery case and then export the results. Standard content search does not include inactive mailboxes.
For Exchange mailboxes: .pst format. For SharePoint and OneDrive: files are exported in their native format (e.g., .docx, .pdf, .pptx) along with a manifest.json that contains metadata. For Teams: messages are exported as part of the mailbox export. Additionally, a results.csv file is always included with metadata about each exported item.
Create a content search in the Purview compliance portal with the user's mailbox, OneDrive, and any SharePoint sites they have access to. You can specify the user's email address in the search. For SharePoint, you must know the site URL. After the search completes, export the results. This will include emails, documents, and Teams chats (stored in the mailbox).
Yes, you can use PowerShell with the Exchange Online module to create and start compliance searches and export actions. You can also use the Microsoft Graph API to programmatically export data, but this requires custom development. Automation is useful for recurring exports (e.g., monthly DSRs).
The export job will fail. You must reduce the scope by using date filters or splitting the export into multiple jobs. For example, export data for different departments separately. Alternatively, use the Microsoft Graph API to export data in smaller chunks.
Yes, if you have the necessary permissions. The admin must have the 'Mailbox Import Export' role and be assigned to the shared mailbox. You can add the shared mailbox as a source in a content search and export it like any other mailbox.
You've just covered M365 Data Portability and Export — now see how well it sticks with free MS-900 practice questions. Full explanations included, no account needed.
Done with this chapter?