Uncategorized
Misha Hanin  

Recover Deleted Mail Items in The Exchange Online Environment (Office 365)

Many of the Office 365 customers are not aware of the options that are available for them in a scenario in which they need to recover mail items and what are the built-in limitation of the Exchange Online that realities to the operation of recover deleted mail items.

The primary purpose of this article is to help you to get familiar with the options that are available for you for recovering mail items in the Exchange Online environment.

Very Common Scenarios

To be able to get a full thorough undeExchange Online and “Common Misconceptions” Regarding Data Recovery and Backuprstanding on this subject, we will need to be able to answer a couple of major questions:

Q1: How to relate to an event in which users report that the data is “missing” from their mailbox or the need to recover data that deleted in the past?

Q2: What is the built-in mechanism that Exchange server architecture provides for dealing with such scenarios?

Q3: What are the available options when we host our mail infrastructure on Office 365?

So, let’s see some of the answers to this questions.

In other words: Don’t even dream that you can call to the Exchange Online support team instruct them to solve the problem by doing “some magic” and inform the user that “everything is OK”. if This solution doesn’t exist yet! However, we still have ways to deal with this situation!

Many times, during Office 365 deployments, we here something similar: So what are you telling me? Do you say that it’s not passable to deal with a scenario in which we need to recover or restore mail for our Exchange Online users?

Our usual response to those questions: We just say is that in Exchange and Office 365 environment, we can use the built-in capabilities the Exchange architecture offer for – dealing with such scenarios (recover mail items). The available built-in Exchange option are – single item recovery or, other Exchange Online services such as Litigation Hold or In-Place Hold.

To be able to provide good answers and good services for our customers, we will need to know about the available options, the limitations, and the best practices for dealing with a scenario of missing mail and so on.

The purposes of the current blog post:

  • Remove the ambiguity of the subject or recovering mail items in Office 365 (Exchange Online) environment.
  • Review common misconceptions.
  • Define the terms: “My mail disappeared!” and “Deleted Item retention default policy”.
  • Review the 11 major causes for “deleted mail item” scenario.


Exchange Online and “Common Misconceptions” Regarding Data Recovery and Backup


1. The “cloud” backup my mail forever!

The source for this misconception is – when we read about the “high availability of cloud services” (such as office 365) and the “insurance” that we have regarded scenarios of DRP (disaster and recovery plan), we automatically “translate” this information under the assumption that – in a cloud environment, deleted mail items will always be available for us.

It’s a truth that Microsoft has an infrastructure for backing up all the “customer information”. These “backups”, could serve for restoring data in case of “disaster” such as storage corruption, server hardware failure or even a catastrophic event of “complete Data Center failure”. The important thing that we should understand is that this ability, can be used ONLY for scenarios of “Disaster”, and not for a situation of recovering a particular deleted mail item.

2. When using the Office 365 Archive, My Mail is Backed Up!

The source for this misconception is – we are used to associating to term “archive” with another term such as “backup”. I can’t remember even one project where it wasn’t required to do an explanation about this!

In Exchange Online (office 365) environment, the primary purpose of the Exchange Online archive is not to back up the user mail items, but instead, improve the Outlook mail client performance. Mail items that are sent or saved in the Online Archive NOT saved to the local OST file (cache mode).

In case that a user deletes mail from the online archive, the mail item will be deleted like any “standard” mail item.

3. In a scenario that a user wants to recover mail that deleted a long time ago, I could call Microsoft support, and they will recover for me the required information!

Let’s make it clear and very simple – the default Exchange Online deleted mail policy value is – 14 days!

In case that a user implemented “Hard delete” the mail item considers as “recoverable” for a period of ONLY 14 days. After this period, the mail item will be lost forever! There is no option for recovering such as a mail item in the Exchange Online (Office 365) environment!

Office 365 customers who use Exchange Plan E1,E3 or E5 license can extend the default deleted mail item policy for 30 days + use the option of Litigation Hold or In-Place Hold that enable to keep mail items for a longer period or forever, but this option cannot be implemented in retrospect!

In other words – if the Exchange Online administrator didn’t “activate” the described options in advance, we are still subject to the “14 Days Rule”.

4. In O365 environment, I can recover the user mailbox to his “original state”

False assumption 1 – restore the user mailbox snapshot.

Usually, when Exchange Online (O365) administrator says that sentence their meaning is translated to the option of restoring a snapshot of the user mailbox sometimes refers as “point in time” in which the user mailbox will behave all the mail items and the folder structure that the user had at a particular point in time.

The Exchange Online infrastructure doesn’t include this option. There is no way to restore the user mailbox to a particular point in time.

False assumption 2 – restore mail items to the original location.

For example, in case that the deleted mail item located in the inbox folder, when I use the available option for recovering the specific mail items, it will be restored to “his original folder” meaning – the inbox folder.

In a recovery scenario in which we use Outlook or OWA mail client for recovering a mail item, the mail item will be restored to “his original folder” but not to the folder that we consider as “original.”

When we delete a mail item, “his original folder” become the Deleted items folder

When we restore the mail items from the Recoverable Items folder, the mail item will be restored to the Deleted items folder and not to the inbox folder!

Exchange Online (Office 365) versus Exchange on-Premises

In a scenario that you have Exchange 2013 or Exchange 2016 on-Premises, you will find that most of the infrastructure, the screenshot, and the interfaces are relevant also for the “on-Premises environment.”

The “Cloud” Deleted My Mail

In many of the “deleted mail item” scenario or in the “My mail disappeared!!” There is a common theory described as – “The “cloud” deleted my mail.”

The truth is that there is some logic behind this hypothesis because we all know that at night, the Office 365 deleted mail demon comes and deletes our Poor user’s E-mails ruthlessly!!!

Theoretically, there is a possibility that the causes for the deleted mail item relate in some way to the Exchange Online infrastructure but, my opinion is that chance for this scenario is identical to the chance in which you win the grand prize lottery three weeks in a row.

My Mail Was Disappeared!!

A user calls the help desk support and reports that his mail disappeared!!!

In case that the user is a VIP, or the user makes a lot of noise, we are entering into a panic mode and want to be able to find the “magic formula” that everything returns to the previous state!

Before we get into the panic state, let’s try to answer two important questions

1. What is the meaning of “my mail”?

  • Does the user relate to a single mail item, a couple of mail items or dozens of mail items?
  • When the user says – “mail items” did he means an E-mail message? Calendar meeting? Contact?
  • Are there any specific characters in the mail that were disappearing? For example – mail from a specific date range? Mail with a specific subject? Mail from a specific recipient?

2. What is the meaning of “disappeared”?

When does the user say that his mail “disappeared” does it mean that the mail deleted? Does it mean that the mail exists, but for some reason, he cannot see or find the particular mail item?

I am sure, you all understand that it’s crucial that we will have a clear understanding of the event characters!

Before we start to fire in all directions, we need to verify if this is a simple scenario in which the mail exists, but the user cannot find it or, a scenario in which we cannot locate the specific mail items, and we can assume that the E-mail can consider as “deleted.”

Mail is hidden from the user.

We a user reports that he cannot find his E-mail, many times the meaning is that the mail exists, but not where the user expects to find in his mail.

For example

  1. Drag and drop scenario – a scenario in which the user was a drag and drop mail item\s from their original mail folder to other mail folders without noticing.
    Another variation of this scenario could be a user; that consciously moves mail items from their original folder to another folder and over time, he forgot that he changed the original location of the mail item.
  2. Outlook and OWA view – Outlook and OWA mail client, enable the user to define a view that serves as a “filter” that hides a specific mail item.
    Many times, when a user reports that he cannot find a specific mail item, the “problem” is the particular view that hides the mail item.
  3. Synchronisation problem – for example, a scenario in which users who use Outlook discovers that he cannot find a particular mail item. The mail item exists in the Exchange Online mailbox, but for some reason, was not synchronized to the specific user desktop.

The solution

In a scenario in which users report that his mail was disappeared\deleted\evaporated or any other term, before we start to think about the worst-case scenario, let’s start with a simple “search operation.”

The best practice is to search for the “missing in action” mail items by using the OWA mail client because, when we use the OWA mail client, we eliminate a scenario in which the problem related to a synchronization problem.

The 10 Major Causes for “Deleted Mail Item” Scenario

Let’s assume that we have implemented a thorough search in the user mailbox and, we could not find the mail items that were reported as “missing”. In this stage, we have a reasonable basis to believe that the mail deleted.

Let’s see some of the “common causes” for mail deletion scenario.

1. Mail item that was deleted by the user himself.

Despite that we are not willing to consider this scenario, in real life, the reason for the deleted mail item could be the user himself. It doesn’t matter if the user deleted the mail in the past and, forgot that he deleted the mail or the mail accidentally deleted. What is important is that we should consider this option before we start to fire in all directions to seek to blame the environment.

2. Antivirus

Most of the time we relate to Antivirus as an element that created for protecting the mailbox data, but in some scenarios, the Antivirus application could recognise a mail as a “problematic” and decide to delete the mail items or remove some parts of the mail item such as attachment, etc.

3. Virus or malware

Any hostile code that exists on the user desktop or device and manages to delete mail items.

4. Variety of mail client and mail protocols.

In a modern environment, users access their mailbox from many different devices, application using a variety of mail protocols and so on. In this “complex environment”, it’s reasonable to assume that the scenario of deleted mail can cause a problem with a particular mail client, specific mail protocol-specific device, etc.

5. Other users who have access to the specific user mailbox.

One of the notable characteristics of the Exchange environment is the ability of “sharing resources such as mailbox or calendar. The scenario in which mail items deleted can cause by users who have access (permission) to the user mailbox. The “deletion” could consider as deliberate action or mistake, but the important issue is that in case those other users have access to the user mailbox; the deletion could be related to another user.

6. Outlook add-in or plugin.

The purpose of Outlook add-on or plugin is “to do something” with the mail items that existed in the user mailbox. Most of the time, the Outlook add-in or plug-in has unlimited access to the mailbox content and some scenarios; the Outlook add-in or plugin could “decide” to delete or remove a particular mail item.

7. Mail Migration and corrupted mail items.

In the case in which we migrate our mail infrastructure to Office 365, our underlying assumption is that all the mailbox content migrated to the cloud. This assumption could be wrong in a scenario in which the “original user mailbox” includes a corrupt mail item. In this case, the corrupt E-mail items will not be migrated to the Office 365 Mailbox.

In this type of scenario, the user assumes that the mail items are waiting for him in the mailbox while, in reality, the E-mail never reached to the Office 365 mailbox.

8. Exchange Online – Retention policy.

Some organisation uses an Exchange retention policy and retention policy tag that “move” mail item with a particular age to the archive mailbox or even deletes old mail items.

In case that your organisation uses retention policy, you will need to verify if the mail item that reported as “disappeared” was just moved to the archive mailbox.

9. Local PST file.

In a scenario in which the user uses a local PST, an available option could be that the mail item was manually or automatically moved to the PST store.

Or another option is that the mail stored in PST file that is saved on the user desktop and at the current time, the user uses a different desktop that doesn’t include the PST file.

10. Problem with Office 365

This case added to the list as the “last case” because technically, this scenario could be an option.

To be honest, my opinion is that this type of scenario, in which the mail items were deleted by a “problem” in Office 365 infrastructure considered as a very rare event or, even non-possible.

I mention this possible cause because theoretically, we cannot fully rule out this possibility.

Recover a deleted mail item versus a scenario of – recover deleted Office 365 Mailbox

One of the most popular confusion regarding the “deleted mail” scenario, is related to the two different scenarios: Deleted Mail Item versus Deleted Mailbox.

Despite the so-called similarity, these two situations are entirely different from each other.

The meaning of “mail item”

In Exchange (on-premises) and Office 365 environment, the term “deleted mail item” can be translated to different type of Exchange mailbox items such as:

  • Calendar item
  • Note item
  • Contact item
  • Mail item

Each of this item considers as mail item.

Default Deleted Mail Policy in an Office 365 Environment

The meaning of the term – “Deleted Item Retention Policy” relate to our ability to recover mail items that were deleted for a specific period of time.

The default Office 365 Deleted Item Retention Policy defines a “range” of 14 days in which we can recover mail items that were deleted.

We have the ability to “extend” this default range up to 30 days, but we will need to use the PowerShell interface for implementing this “extension” and also; we will need to run the PowerShell command for each new mailbox that will create.

Example 1: Set Misha Hanin’s mailbox to keep deleted items for 30 days. In Exchange Management Shell, run the following command.

Set-Mailbox -Identity "Misha Hanin" -RetainDeletedItemsFor 30

Example 2: Set all user mailboxes in the organisation to keep deleted items for 30 days. In Exchange Management Shell, run the following command

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Set-Mailbox -RetainDeletedItemsFor 30

Note: The ability to extend the default 14-day limitation is available only to Office 365 customers who purchase at least E1,E3 or E5 license.

Deleted Mail Item Policy | Quotes from public resources

After an item has removed from the Deleted Items folder, it’s kept in a Recoverable Items folder for an additional 14 days before being permanently removed. Users can recover the item during this 14-day period by using the Recover Deleted Items feature in the Outlook Web App or Outlook.

Using this feature eliminates the need for a mailbox restore. If a user manually purged an item from the Recoverable Items folder, an administrator can recover the item within the same 14-day window by using the Single Item Recovery feature and remote Windows PowerShell.

The Single Item Recovery period is 14 days by default, but administrators can increase this to a maximum of 30 days by using remote Windows PowerShell. To preserve E-mail for longer period than 30 days, organizations can implement long-term email preservation or time-based In-Place Holds.

[Source of information: High Availability and Business Continuity]

“Override” the default Deleted Item Retention policy

One of the most common questions that are raised by Office 365 customers is the question about the possibility to save mail items for an unlimited period.

In other words, “override” the default Deleted mail item policy

The good news is that office 365 offers this option by using one of the following Exchange Online features:

  • Litigation Hold
  • In-Place Hold

The option of Exchange Online Litigation Hold or Exchange Online, enables us to “override” the default deleted mail items retention policy and enable a configuration in which we can “hold” and recover (restore) mail items forever!

The important thing regarding Litigation Hold or In-Place Hold option, is that this “feature” exists only when purchasing a specific Exchange Online license, like:

  • Exchange Online E1, E3 or E5 license

Legal-Hold-E1-E3-E5-1
[Source of information: Office 365 Business Plans]

In the current blog post, we will not go into a detailed description of this Office 365 option but instead, focus on the Deleted Item retention policy and the Exchange Online architecture that is used for recovering mail items.

Mailbox and Backup solution in Office 365 Environment

The common question among Office 365 clients is the question regarding the possibility of implementing some kind of user mailbox solutions.

Most of the time, the idea behind the backup \ restore solution is the ability to restore the user mailbox to a specific “point in time”. This option sometimes described as a snapshot because the backup enabled us to capture a snapshot of the user mailbox and view the mailbox content as at appear at a particular time during the past.

At the current time, the Exchange Online infrastructure doesn’t provide this type of service. This kind of “solutions” are provided by third party backup and restores products that can provide this service in the office 365 base environment. As an example, you can take a look on CodeTwo Backup for Office 365

Exchange Online and Recoverable Items Folder

As mentioned in the former section, in the current time Exchange Online doesn’t include a backup solution that could describe as: “point on time” which will enable us to restore user mailbox status to a particular point in time.

The office 365 “Backup solutions” are based on the architecture or the concept which described as single mail item recovery.

The single mail item recovery concept implemented by using a “set of mailbox hidden folder” that serves as a “container” for deleted mail items.

This technical name for the “set of folders” is: Recoverable Items folder.

Note: The previous term that used in the past for describing this set of “recovery folders” is- dumpster.

We use the term “hidden” because by default the user cannot see this set of “recovery folders” as part of his “standard folder hierarchy.”

We use the term “set of folders” because the deleted mail item is not saved in a specific folder but instead in a set of folders. Each of the folders has a particular “rule” and purpose.

The backup and restore capabilities of Office 365 based on accessing this folder and “pull out” the mail items that stored in this set of folders.

Exchange Online Litigation Hold and Exchange Online In-Place Hold

office 365 include two features or components that enable us to “extend” the process or saving and recovering an E-mail item.

For example, the Exchange Online default Deleted Item retention policy will keep deleted mail items in the Recoverable Items folder for 14 days.

When we use the feature of Litigation Hold or In-Place Hold we can “extend” this limitation to an unlimited number of days.

The Litigation Hold or In-Place Hold components enable us to manage the required policy that we want to set for a specific mailbox or, on a set of mailboxes and when we need to recover data (deleted mail items), enable us to search and recover E-mail item.

I hope it was informative for you! If you have any further questions, please don’t hesitate to contact me.