Entra Compliance Update: New retryPolicy for eDiscovery Hold, Graph API Enhancements, & What’s Next for Admins

WHAT JUST CHANGED
Microsoft has added the retryPolicy method to the ediscoveryHoldPolicy resource in Microsoft Graph API (beta). This enhancement is live as of June 2024 and is available in the Public Preview channel. It targets tenants with Microsoft 365 E5 Compliance, Purview, or equivalent licenses enabled, and applies to organizations using Entra ID for compliance automation and eDiscovery workflows.
- Feature: retryPolicy method for eDiscovery Hold Policies
- Status: Public Preview
- Effective: June 2024
- Affected: Tenants using Microsoft Graph API for compliance, specifically with eDiscovery Hold Policies
WHAT’S NEXT ON THE ROADMAP
Microsoft is accelerating investments in compliance automation, including:
- General Availability of eDiscovery API enhancements — retryPolicy will likely move to GA in late 2024, with expanded error handling and reporting.
- Purview Advanced Audit features — further integration with Entra ID for more granular access controls and audit log retention.
- Entra External ID/B2B compliance policies — soon, admins will be able to set hold/release policies for guest users and external data sources.
- Graph v1 endpoint parity — most compliance APIs currently in beta are expected to reach v1 status, with full support in Microsoft.Graph PowerShell.
Admins should monitor the Microsoft Tech Community for announcements and regularly check the Microsoft Graph What’s New page.
WHY THIS DIRECTION IS BETTER
The new retryPolicy method brings clear advantages:
- Improved Resilience: Automatically retries failed hold operations, reducing manual intervention and minimizing risk of missed holds due to transient errors.
- Operational Transparency: Logs and exposes retry attempts and outcomes, enabling better auditability compared to previous silent failures.
- Automation Friendly: Integrates with Graph-based workflows, allowing admins and SIEM/SOAR solutions to programmatically handle compliance exceptions.
- Competitor Edge: Microsoft’s approach surfaces retry logic directly in Graph APIs, while many competing solutions (e.g., Okta, Google Workspace) force admins to handle retries externally or lack granular eDiscovery hold APIs.
Previously, failed hold policy operations required manual investigation and re-application, leading to gaps in compliance and risk exposure.
ADJACENT ENTRA CHANGES TO KNOW
- Purview Data Lifecycle: New retention label APIs in Microsoft Graph (beta) allow advanced automation of content lifecycle — consider integrating these with your hold/release workflows.
- Entra Admin Center Navigation: Compliance and eDiscovery are now surfaced under “Protection & Governance” in the left navigation (rolled out May 2024), streamlining access for Identity and Security Admin roles.
- Role-Based Access Control: The “Compliance Admin” role now includes granular permissions for eDiscovery Hold Policy management; review role assignments to ensure proper separation of duties.
- Graph API Rate Limits: Recent adjustments (April 2024) to Graph API throttling for compliance endpoints — retryPolicy can help mitigate these, but plan for downstream impacts to automation scripts.
WHAT TO DO: ADMIN ACTIONS
- Review eDiscovery Hold Policies: Audit current holds for retry status and failures.
- Update Automation Scripts: Incorporate retryPolicy handling in Graph-based compliance workflows.
- Train Compliance Teams: Update standard operating procedures for eDiscovery management to account for automated retries and new logging.
- Monitor Beta-to-GA Transition: Test retryPolicy in beta and prepare for GA changes (schema, error codes).
CHECK IT YOURSELF: Microsoft.Graph PowerShell Audit
Use the following script to enumerate all eDiscovery Hold Policies and inspect their retryPolicy status and failure logs. This script supports pagination and error handling, and is read-only.
# Requires Microsoft.Graph module
Connect-MgGraph -Scopes 'Security.Read.All'
function Get-EdiscoveryHoldPolicyRetryStatus {
$uri = 'https://graph.microsoft.com/beta/security/ediscoveryHoldPolicies'
$headers = @{ 'Authorization' = "Bearer $(Get-MgGraphAccessToken -Scopes 'Security.Read.All')" }
$policies = @()
$nextLink = $uri
do {
try {
$response = Invoke-RestMethod -Uri $nextLink -Headers $headers -Method Get
$policies += $response.value
$nextLink = $response.'@odata.nextLink'
} catch {
Write-Warning "Failed to retrieve policies: $_"
break
}
} while ($nextLink)
foreach ($policy in $policies) {
try {
$retryStatus = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/security/ediscoveryHoldPolicies/$($policy.id)/retryPolicy" -Headers $headers -Method Get
[PSCustomObject]@{
PolicyName = $policy.displayName
PolicyId = $policy.id
RetryPolicyStatus = $retryStatus.status
RetryAttempts = $retryStatus.attempts
LastError = $retryStatus.lastError
}
} catch {
Write-Warning "Failed to retrieve retryPolicy for $($policy.displayName): $_"
}
}
}
Get-EdiscoveryHoldPolicyRetryStatus | Format-Table -AutoSize
Note: This script audits the status and does not modify any policy. Always use the beta endpoint cautiously and validate results against the admin center.
PORTAL PATH
- Go to Entra Admin Center → Protection & Governance → Compliance → eDiscovery.
- Select Hold Policies to view and manage retry statuses.
- Click any policy to see retry logs and failure history.
BOTTOM LINE
- Priority: High for tenants with regulated workloads or ongoing litigation.
- Audit and update eDiscovery Hold workflows now to leverage retryPolicy and avoid compliance gaps.
- Prepare for roadmap changes by monitoring Graph API updates and role assignments.
Stay proactive: Microsoft is rapidly evolving compliance automation in Entra. Ensure your team and scripts are ready for retryPolicy, future Purview integrations, and new admin center navigation.