Recover Deleted E-Mail Messages in Exchange Online

 

Applies to: Office 365 for professionals and small businesses, Office 365 for enterprises, Live@edu

Topic Last Modified: 2014-01-07

Administrators can use single item recovery to protect against accidental or malicious deletion of e-mail messages and to facilitate discovery efforts before or during litigation or human resources investigations.

Single item recovery is enabled by default for new user mailboxes created in Exchange Online and for mailboxes migrated to Exchange Online from an on-premises Exchange organization.

How does single item recovery work?

To permanently delete e-mail messages, by what is called a soft delete, a user can do one of the following in Microsoft Office Outlook or Outlook Web App:

  • Delete an item from the Deleted Items folder.

  • Empty the Deleted Items folder.

  • Press Shift + Delete to delete any item.

E-mail messages that have been soft-deleted are moved to the Recoverable Items folder in the user’s mailbox, which was called the dumpster in previous versions of Microsoft Exchange, and into a subfolder named Deletions. Users can recover or purge e-mail messages in the Deletions subfolder by using the Recover Deleted Items feature in Outlook 2010 or Outlook Web App. For more information, see Recover Deleted Items.

If a user purges an e-mail message from the Recoverable Items folder, by what is called a hard delete, the purged message is moved to the Purges subfolder, which isn’t accessible to and can’t be recovered by the user. Only an administrator can recover a purged e-mail message.

Note   Because items in the Purges subfolder in the Recoverable Items folder are indexed and discoverable, administrators or discovery managers can use Multi-Mailbox Search to search for purged items. For more information, see Multi-Mailbox Searches.

Retention period for deleted items

By default, in Exchange Online, the retention period for deleted items is 14 days. The retention period starts when the item deleted item is moved to the Deletions subfolder in the Recoverable Items folder. Items remain in the Deletions subfolder until the deleted item retention period is reached. After the deleted item retention period elapses, the item is moved to the Purges folder and is no longer visible to the user. When the Managed Folder Assistant processes the mailbox, items in the Purges subfolder are purged from Exchange Online and can’t be recovered by an administrator.

The following diagram shows the single item recovery process:

Single item recovery process

You can use Windows PowerShell to change the retention period for deleted items to a maximum of 30 days. See Change the deleted item retention period. If you need to retain deleted items for longer than 30 days, you can put a mailbox on litigation hold. To put a mailbox on litigation hold, the mailbox must have an Exchange Online (Plan 2) user license. For more information, see Put a Mailbox on Litigation Hold.

Return to top

Quota for the Recoverable Items folder

The Recoverable Items folder has a maximum quota of 30 GB, and this quota isn’t charged against the quota for the user's primary mailbox. When the size of the Recoverable Items folder reaches 20 GBs, a warning message is sent to the administrator and the Messaging Records Management (MRM) technology in Exchange Online automatically deletes the oldest items in the Recoverable Items folder until the size of the folder is less than 20 GB. In the unlikely event that the Recoverable Items folder reaches 30 GB, the user can no longer soft delete any items. The administrator is sent a warning message and must manually delete items from the Recoverable Items folder by using the Search-Mailbox cmdlet. For more information, see Search For and Delete Messages from Users' Mailboxes.

Single item recovery versus litigation hold

As previously stated, single item recovery retains deleted and purged e-mail messages for 14 days. When the retention period for deleted items expires, items are permanently removed from Exchange Online.

In contrast, if litigation hold is enabled for a mailbox, none of the items in the Purges subfolder or Deletions subfolder are permanently deleted from Exchange Online. Also, when a mailbox is on litigation hold, Exchange Online saves the original version of a message if a user makes any modifications to the message. If a user changes a message, the original version of the message is copied to a subfolder named Versions (see the previous graphic). The Versions subfolder isn't visible to end users, but items in it are indexed and searchable by an administrator or discovery manager. None of the items in the Versions subfolder are permanently deleted if the mailbox is on litigation hold. For single item recovery, modifications to a message aren’t copied to the Versions subfolder.

By default, all items in the Recoverable Items folder are retained until the litigation hold is removed. Alternatively, you can use Windows PowerShell to configure how long the mailbox is on litigation hold. For more information, see Put a Mailbox on Litigation Hold.

Note   When a mailbox is on litigation hold, items in the Deletions subfolder are moved to the Purges subfolder after 14 days. By moving items to Purges subfolder, you prevent users from knowing their mailbox is on litigation hold. This is useful for criminal cases where the litigation hold status is hidden from the user.

Return to top

Quota for the Recoverable Items folder when a mailbox is on litigation hold

As previously stated, when a mailbox is on litigation hold none of the items in the Recoverable Items folder are permanently deleted. This makes it possible to reach or exceed the 30 GB quota for the Recoverable Items folder. If this happens, you can contact Office 365 support to request an increase of the Recoverable Items quota for a mailbox on litigation hold.

Search for and recover deleted e-mail messages

To search for and recover a deleted e-mail message to a user’s mailbox, follow these steps:

  1. In the Exchange Control Panel, use Multi-Mailbox Search to find the e-mail message that you want to recover from the user’s Recoverable Items folder, and copy the search results to the Discovery Search Mailbox.

  2. In Windows PowerShell, use the Search-Mailbox cmdlet to search the Discovery Search Mailbox for the message that you searched for in the previous step and copy it to the user’s mailbox.

Before you begin

  • To learn how to install and configure Windows PowerShell and connect to the service, see Use Windows PowerShell in Exchange Online.

  • You have to be assigned the Mailbox Search role to search for and delete messages in users' mailboxes. This role allows you to search for messages across multiple mailboxes in your organization. Administrators aren't assigned this role by default. To search multiple mailboxes, add yourself as a member of the Discovery Management role group. See Add or Remove Role Group Members.

Step 1   Search for an e-mail message

Use Multi-Mailbox Search in the Exchange Control Panel to search for the e-mail message that you want to recover. By default, Multi-Mailbox Search searches the Recovered Items folder in users’ primary and archive mailboxes. See Create a New Multi-Mailbox Search.

When you use Multi-Mailbox Search in the Exchange Control Panel, the user’s entire mailbox is searched. If you want to search only the Recoverable Items folder, you have to use Windows PowerShell. Run the following command to search the Recoverable Items folder:

Search-Mailbox <user> -SearchDumpsterOnly -SearchQuery <search query> -TargetMailbox "Discovery Search Mailbox" -TargetFolder <search name> -LogLevel Full

Example   The following command searches the Recoverable Items folder in Esther Valle’s mailbox for a message with the subject line of “Online survey results” and copies any search results to a folder named “EstherV” in the Discovery Search Mailbox:

Search-Mailbox "Esther Valle" -SearchDumpsterOnly -SearchQuery subject: "Online survey results" -TargetMailbox "Discovery Search Mailbox" -TargetFolder EstherV -LogLevel Full
Step 2   Recover the e-mail message

After a message has been saved to the Discovery Search Mailbox, you can recover it to the user's mailbox by using the Search-Mailbox cmdlet. Run the following command:

Search-Mailbox "Discovery Search Mailbox" -SearchQuery <search query> -TargetMailbox <user> -TargetFolder inbox

Example   The following command finds the message with a subject line of “Online survey results” in the Discovery Search Mailbox and copies it to Esther Valle’s Inbox:

Search-Mailbox "Discovery Search Mailbox" -SearchQuery subject: "Online survey results" -TargetMailbox estherv -TargetFolder inbox

Because the Search-Mailbox command searches the Discovery Search Mailbox for the recovered item, the item and the folder structure from the Discovery Search Mailbox is recovered to the Inbox of the user’s mailbox. For example, in the previous example, here’s what the folder structure in Esther Valle’s mailbox looks like after the file is recovered:

Mailbox folder structure for recovered items

Be sure to tell users that they can move the recovered item directly into their Inbox and delete this folder structure.

Note   When you use the Search-Mailbox cmdlet, you can't specify the same mailbox as the source and target mailbox. That’s why you have to use Multi-Mailbox Search to copy the message to the Discovery Search Mailbox.

Return to top

Change the deleted item retention period

These examples increase the deleted item retention period to 30 days, which is the maximum duration for Exchange Online mailboxes. The default retention period is 14 days. As previously stated, if you need to retain deleted items for longer than 30 days, you can put a mailbox on litigation hold.

This example increases the deleted item retention period for the mailbox of Emily Maier.

Set-Mailbox -Identity "Emily Maier" -RetainDeletedItemsFor 30

This example increases the deleted item retention period for all user mailboxes in the organization.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Set-Mailbox -RetainDeletedItemsFor 30
Disable single item recovery

Run the following command to disable single item recovery for a mailbox:

Set-Mailbox <mailbox> -SingleItemRecoveryEnabled $false

To disable single item recovery for all user mailboxes in your organization, run the following command:

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Set-Mailbox -SingleItemRecoveryEnabled $false

Important   If you disable single item recovery, items are still retained in the Recoverable Items folder for 14 days by default after they are deleted. However, if a user purges an e-mail message from the Recoverable Items folder, it is permanently deleted and can’t be recovered by an administrator.

Best practices for searching for deleted e-mail messages

  • Narrow the search to minimize the number of search results   When you configure the search in Multi-Mailbox Search, use the settings in the Messages To or From Specific E-Mail Addresses and Mailboxes to Search sections to narrow the search as much as possible. For example, search messages sent to the user and only search the user’s mailbox. This will reduce the number of related but not directly relevant messages returned in the search.

  • Enable deduplication for the multi-mailbox search to find a recoverable item   When you recover an item to a user’s mailbox, the whole folder structure from the search results is copied to the user’s mailbox if you don’t enable deduplication. When you enable deduplication, the subfolder structure is simplified.

  • Use Advanced Query Syntax (AQS) so you can search for keywords in different properties of an e-mail message   For example, you can search for a keyword in the subject line or message body. For more information, see Advanced Keyword Searches. The following table shows common message properties that you can include in your keyword search:

     

    Property Example Search results

    Attachments

    attachment:annualreport.ppt

    Messages that have an attachment that is named annualreport.ppt. The use of attachment:annualreport or attachment:annual* returns the same results as using the full name of the attachment.

    Cc

    cc:"gurinder singh"

    cc:gurinders

    cc: gurinders@fineartschool.edu

    Messages with Gurinder Singh in the Cc field

    From

    from:"Max Stevens"

    from:maxs

    from:maxs@contoso.com

    Messages sent by Max Stevens

    Sent

    sent:10/19/2010

    Messages that were sent on October 19, 2010

    Subject

    subject:"Quarterly Financials"

    Messages that contain the exact phrase "Quarterly Financials" in the subject line

    To

    to:"Ann Beebe"

    to:annb

    to:annb@contoso.com

    Messages sent to Ann Beebe

Best practices for recovering deleted e-mail messages

  • Use the same keyword search query that you used in Multi-Mailbox Search   If you enabled full logging during the search, use the value from the Subject column in the CSV file, which is attached to the search log, for the value of the SearchQuery parameter. This allows you to restore the exact message to a user’s mailbox. Or you can use the exact subject line from the message in the Discovery Search Mailbox.

  • Delete unnecessary items in the Discovery Search Mailbox   Before you use the Search-Mailbox cmdlet to recover an e-mail message, you can delete items that met your search criteria from the Discovery Search Mailbox, but don’t have to be recovered.

  • Suppress the sending of a search results e-mail sent to the user   By default, an e-mail message that contains information about the search is sent to the mailbox specified by the TargetMailbox parameter. This is useful because it indicates to the user when a recovered e-mail message has been returned to their Inbox. To prevent a message from being sent, include the Loglevelsuppress parameter in the command.

Return to top

 
Related help topics
Loading...
No resources were found.