Recover Deleted items in Exchange online (Microsoft office 365)

 

In Exchange online we provide 3 layers of Recovery so that messages can be recovered

1. Deleted Items Folder

2. Recover Deleted Items Folder

3. Purges Folder

  

Deleted Items Folder

When a mail is deleted(normal Delete not shift Delete) its moved to Deleted Items folder and its present there until, either we manually delete the messages from there or its deleted automatically as per the Retention Policy of the Organization(default value is 30 days)

 

Recover Deleted Items Folder 

When a mail is Shift deleted(hard deleted), or deleted from Deleted items or removed from deleted items by the Retention policy, its moved to the Recover Deleted Items Folder and it remains there for next 14 days(can be extended to 30 days).

 

There are 2 folders under Recovery Deleted Items

1. Deleted Folder(its not the normal Deleted folder in the mailbox)

2. Purges Folder

  

When the mail is present in Recovery Deleted Items(Deleted folder) it can be directly recovered from the users Outlook or OWA

 

In Outlook 2007, click on Tools and select  Recovery Deleted Items  as shown below

 

 

In Outlook 2010 under Folder Option  in the Ribbon bar we have Recovery Deleted Items 

 

 

In OWA when we right click Delete Items folder we have the option to open Recover Deleted Items Folder.

 

 Purges folder 

When a mail is deleted from Deleted Items folder under Recover Deleted Items its moved to Purges Folder under  Recover Deleted Items folder. Refer the image shown in this link

Remember the shell life of a message moved to Recover Deleted Items is 14 days(can be extended to 30 days) regardless its moved to Deleted Folder or Purges folder. The time starts as soon as the message is moved to Recover Deleted Items.

 

 

Method 2 - Using ECP

 

• Log on to http://portal.microsoftonline.com with O365 Administrator credentials
• At the tabs at the top hit on Admin and select Exchange

       

• In Exchange admin center select Permissions > admin roles

                       Double click Discovery Management

                       Under Roles Click on Add and Select Mailbox Import Export

                       Under Member, Add yourself as a Member and Click Save.

 

        

 

    

• Now click on compliance management and select in-place eDiscovery & hold

        

• Hit + sign to create a new search query
• Give a Name and Description and hit Next

          

• Select the mailboxes that you want to query and click Next.

        

• In the next screen if options are greyed out as below it means you do not have proper permissions. Revisit the step for adding permissions. If proper permissions have been added sign out and sign in back

      

• In the filed provide the text you want to search. You can use Boolean expression like OR and AND to make robust query

        

• Once you have specified the search attributes hit on Next
• You can do a in place hold of the search items.(Note, this option will be greyed out if you have selected all mailboxes during the mailbox selection process) and hit on finish

         

               

How to see the search results?

As we have added yourself to the Mailbox import export and other permissions we have the below options available

 

In new O365 we have more robust options to see the results compared to W14

 

 

Estimate search results

This gives us a list a small report of the search. It also tells us what was number of hits for each of the items we entered in search Query  as keywords

 

 

Preview search results

This opens up eDiscovery preview of results in the browser and we could see the results directly in the browser itself

 

 

Copy search results

This option opens up a dialog box where you can select fine tune search results and copy the items to Discovery search mailbox

Once you hit Copy, in the search results field towards the left you will have an option to open Discovery Search mailbox..

 

 

 If you click on open it opens the Discovery Search Mailbox in a new browser

 

 

 

The mailbox will have a folder by the name of the search (TEST in our case) and put the mail items there as below

 

 

 

 

Export to PST

This is a new option that we have in new O365 where we can export the search results to PST to the local computer. It downloads the results based on mailboxes, ie if the search finds there are 10 mbx that has the keyword we are searching for if creates 10 PST one each for each mailbox.

 

 

 

Method 2 : Using MFCMAPI

Note: Although the use of MFCMAPI is supported by Exchange Online we recommend that you use caution be used at all times when making modifications to mailboxes by using this tool. Using the MFCMAPI tool incorrectly can cause permanent damage to a mailbox.

Download MFCMAPI tool from here https://mfcmapi.codeplex.com/

Install this on the user's machine whose messages need to be recovered.

Open MFCMAPI

Select Tools > Options 

 

 

Make sure the below highlighted option is selected and click ok

 

Click Session > Logon > and select the Profile of the user on which you want to do a Single Item Recovery from the dropdown list

 

 

 

 

Double click on user's account Default store

Expand the Root Container and double click on Purges folder as shown below

 

On the Purges folder Window , do a Select All (Ctrl + A) you can either do

1)      Export message as (MSG (Ansi)) or

2)      Delete Message, this gives us an option “Delete to Deleted Items” and you can find the emails in the deleted folder

 

Being the admin of an Tenant we have the right to increase the Single Item Recovery period of users of our domain to 30 days maximum from the default 14 days .

 

 

We can increase the value for a particular user to 30 days by running the below command

 Set-Mailbox  <user alias> -SingleItemRecoveryEnabled $True -RetainDeletedItemsFor 30

 

If we want to increase the recovery period for all users for 30 days we can run the below command

Get-Mailbox | Set-Mailbox -SingleItemRecoveryEnabled $True -RetainDeletedItemsFor 30