
Recover Deleted Items in Exchange Online (Microsoft Office 365)

 

In Exchange Online we provide 3 layers of recovery so that messages can be recovered:

    1. Deleted Items Folder
    2. Recover Deleted Items Folder
    3. Purges Folder

  

Deleted Items Folder

When a mail is deleted (normal Delete, not Shift+Delete), it is moved to the Deleted Items folder and stays there until either we manually delete the messages from there or it is deleted automatically as per the Retention Policy of the organization (default value is 30 days).

 

Recover Deleted Items Folder

When a mail is Shift-deleted (hard deleted), deleted from Deleted Items, or removed from Deleted Items by the Retention Policy, it is moved to the Recover Deleted Items folder and remains there for the next 14 days (can be extended to 30 days).

 

There are 2 folders under Recover Deleted Items:

    1. Deleted Folder (it is not the normal Deleted folder in the mailbox)
    2. Purges Folder

  

When the mail is present in Recover Deleted Items (Deleted folder), it can be recovered directly from the user's Outlook or OWA.

 

In Outlook 2007, click on Tools and select Recover Deleted Items, as shown below.

 http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/0726.2007-RDI.jpg.png

 

In Outlook 2010, under the Folder option in the Ribbon bar, we have Recover Deleted Items.

 http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/7178.2010-RDI.jpg

 

In OWA, when we right-click the Deleted Items folder, we have the option to open the Recover Deleted Items folder.

 http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/0284.OWA-RDI.png

Purges Folder

When a mail is deleted from the Deleted Items folder under Recover Deleted Items, it is moved to the Purges folder under the Recover Deleted Items folder. Refer to the image shown in this link

Remember that the shelf life of a message moved to Recover Deleted Items is 14 days (can be extended to 30 days), regardless of whether it is moved to the Deleted folder or the Purges folder. The time starts as soon as the message is moved to Recover Deleted Items.

 

 

Method 2 - Using ECP

 

        http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/4452.1.PNG

  • In Exchange admin center select Permissions > admin roles
      • Double-click Discovery Management
      • Under Roles, click Add and select Mailbox Import Export
      • Under Members, add yourself as a member and click Save

 

         http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/1351.0.png

 

     http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/0333.permissions.png

  • Now click on compliance management and select in-place eDiscovery & hold

         http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/0486.2.png

  • Hit + sign to create a new search query
  • Give a Name and Description and hit Next

         http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/6428.3.png 

  • Select the mailboxes that you want to query and click Next.

         http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/3835.4.png

  • In the next screen, if the options are greyed out as below, it means you do not have the proper permissions. Revisit the step for adding permissions. If the proper permissions have been added, sign out and sign back in.

       http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/5700.5.PNG

  • In the field, provide the text you want to search for. You can use Boolean expressions like OR and AND to make a robust query.

        

  • Once you have specified the search attributes, hit Next
  • You can place an in-place hold on the search items (note: this option will be greyed out if you selected all mailboxes during the mailbox selection process), then hit Finish

          http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/8535.6.PNG

                http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/8546.7.PNG
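
The permission step of the procedure above can also be checked from Exchange Online PowerShell, which is useful both when the search options are greyed out and when reviewing afterwards who is able to search and export other users' mail. This is an added example, not part of the original post; it assumes an already connected Exchange Online PowerShell session and only reads configuration.

```powershell
# Added example: read-only review of the role group used for eDiscovery.
# Assumes Connect-ExchangeOnline has already been run in this session.
$RoleGroup  = 'Discovery Management'
$NeededRole = 'Mailbox Import Export'

# 1. Roles attached to the role group (the "Roles" box in the admin center).
$groupRoles = Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique

if ($groupRoles -contains $NeededRole) {
    Write-Output "'$NeededRole' is assigned to '$RoleGroup'."
} else {
    Write-Output "'$NeededRole' is NOT assigned to '$RoleGroup'; export options stay unavailable."
}

# 2. Members of the role group (the "Members" box).
Write-Output "Members of '$RoleGroup':"
Get-RoleGroupMember -Identity $RoleGroup |
    Select-Object Name, RecipientType |
    Format-Table -AutoSize

# 3. Everyone who effectively holds the role, through any role group or
#    direct assignment, so unexpected paths to the role are visible.
$effective = Get-ManagementRoleAssignment -Role $NeededRole -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, AssignmentMethod

Write-Output "Effective holders of '$NeededRole':"
$effective | Sort-Object RoleAssigneeName, EffectiveUserName | Format-Table -AutoSize

# 4. Assignments that do not come from the expected role group.
$unexpected = @($effective | Where-Object { $_.RoleAssigneeName -ne $RoleGroup })
Write-Output "$($unexpected.Count) assignment(s) of '$NeededRole' come from outside '$RoleGroup'."
```

Membership added only for a one-off recovery can be compared against this output again once the recovery is finished.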

How to see the search results?

As we have added ourselves to the Mailbox Import Export role and other permissions, we have the below options available

 http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/3146.new-options.PNG

In the new O365 we have more robust options for viewing the results compared to W14.

 

 

Estimate search results

This gives us a small report of the search. It also tells us the number of hits for each of the keywords we entered in the search query.

 

 

Preview search results

This opens the eDiscovery preview of the results, so we can see the results directly in the browser.

 

 

Copy search results

This option opens a dialog box where you can fine-tune the search results and copy the items to the Discovery Search Mailbox.

Once you hit Copy, the search results field towards the left will show an option to open the Discovery Search Mailbox.

 

 http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/4265.Discovery.PNG

If you click on Open, it opens the Discovery Search Mailbox in a new browser window.

 

 

http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/1563.Discovery-mbx.png

 

The mailbox will have a folder named after the search (TEST in our case), and the mail items are put there as below.

 

http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/4812.Ediscovery-mailbox.png

 

 

 

Export to PST

This is a new option in the new O365 that lets us export the search results to PST on the local computer. It downloads the results per mailbox, i.e. if the search finds 10 mailboxes that contain the keyword we are searching for, it creates 10 PSTs, one for each mailbox.

 

 http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/7484.eDiscovery-PST-Export-Tool.PNG

 

Method 2 : Using MFCMAPI

Note: Although the use of MFCMAPI is supported by Exchange Online, we recommend that caution be used at all times when making modifications to mailboxes with this tool. Using the MFCMAPI tool incorrectly can cause permanent damage to a mailbox.

Download MFCMAPI tool from here https://mfcmapi.codeplex.com/

Install this on the user's machine whose messages need to be recovered.

Open MFCMAPI

Select Tools > Options 


http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/2772.MFCMAPI.png

 

 

Make sure the option highlighted below is selected and click OK.

 


http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/4135.MFC-online.png

Click Session > Logon and select, from the dropdown list, the profile of the user for whom you want to do a Single Item Recovery.

 http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/5811.Outlook-Profile.png

 

 

 

Double click on user's account Default store

Expand the Root Container and double click on Purges folder as shown below


http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-60/5153.Purges.png

 

In the Purges folder window, do a Select All (Ctrl + A). You can then either:

1)      Export message as (MSG (Ansi)), or

2)      Delete Message, which gives us the option “Delete to Deleted Items”; you can then find the emails in the Deleted Items folder

 

As the admin of a tenant, we have the right to increase the Single Item Recovery period for users of our domain from the default 14 days to a maximum of 30 days.

 

 

We can increase the value for a particular user to 30 days by running the below command

 Set-Mailbox  <user alias> -SingleItemRecoveryEnabled $True -RetainDeletedItemsFor 30

 

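If we want to increase the recovery period to 30 days for all users, we can run the below command (-ResultSize Unlimited is needed because Get-Mailbox otherwise returns only the first 1000 mailboxes)

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -SingleItemRecoveryEnabled $True -RetainDeletedItemsFor 30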
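
Before changing every mailbox, it helps to see which ones are actually below the 30-day setting. The script below is an added example, not from the original post; it assumes a connected Exchange Online PowerShell session, and its Set-Mailbox call only previews the change until -WhatIf is removed.

```powershell
# Added example: report mailboxes below the target, then preview the change.
# Assumes Connect-ExchangeOnline has already been run in this session.
$TargetDays = 30
$target     = [TimeSpan]::FromDays($TargetDays)

# -ResultSize Unlimited: Get-Mailbox otherwise stops at 1000 results.
$mailboxes = @(Get-Mailbox -ResultSize Unlimited)

$needsChange = @(foreach ($mbx in $mailboxes) {
    # RetainDeletedItemsFor is a TimeSpan, or its string form (e.g. 14.00:00:00)
    # when the object has been deserialized; parsing the string covers both.
    $current = [TimeSpan]::Parse("$($mbx.RetainDeletedItemsFor)")

    if (-not $mbx.SingleItemRecoveryEnabled -or $current -lt $target) {
        [pscustomobject]@{
            UserPrincipalName  = $mbx.UserPrincipalName
            SingleItemRecovery = $mbx.SingleItemRecoveryEnabled
            RetainDays         = $current.Days
        }
    }
})

$needsChange | Sort-Object RetainDays | Format-Table -AutoSize
Write-Output ("{0} of {1} mailboxes are below the target." -f $needsChange.Count, $mailboxes.Count)

# Preview only: remove -WhatIf to apply the setting.
foreach ($row in $needsChange) {
    Set-Mailbox -Identity $row.UserPrincipalName `
        -SingleItemRecoveryEnabled $true `
        -RetainDeletedItemsFor $TargetDays `
        -WhatIf
}
```

Running the report again after the change should list no mailboxes.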

 

 
