recover deleted mail items - office 365 | 4#7

of 30 | Recover deleted mail items - Office 365 | 4#7

Written by Eyal Doron | o365info.com | Copyright © 2012-2015

Recover deleted mail items – Office

365 | 4#7

In the current article, we will review the four options that we can use for recovering

mail items in the Exchange Online environment.

The available tools for recovering mail items are:

1. Recovering deleted mail items by using Outlook and OWA mail clients.

2. Recovering deleted mail items by using MFCMAPI utility.

3. Recovering deleted mail items by using Exchange In-Place eDiscovery and

Hold.

4. Recovering deleted mail items by using the PowerShell cmdlets Search-

Mailbox and New-MailboxSearch.

The characters of our scenario are as follows:

http://o365info.com/recover-deleted-mail-items-office-365/

https://il.linkedin.com/in/eyaldoron1

http://o365info.com/



An organization user calls us and complain that some of his mail disappeared. We

have implemented our due diligence and perform a mailbox search to verify if the

mail it’s still exists in the user mailbox.

In the current time, we are entering into the phase in which we assume that the

mail item was deleted and we want to check if we the specific mail items are still

“recoverable”.

The two main questions that relate to this scenario are:

Q1: What are the recovery mail methods that are available for us in the Office 365

and Exchange Online environment?

Q2: Does the mail item is still “recoverable” meaning, can we still “save” the deleted

mail item?

The available mail recovery method in Office 365 and Exchange

Online environment

Before we start to dive into the specific details of the recovery mail methods that

we can use it’s important to define a general classification of the mail recovery

methods:

1. Recovery mail method that can be implemented by the user himself (the

mailbox owner)

2. Recovery mail methods that can be implemented only by the Exchange

Online administrator.

For example – every user (mailbox owner) has the ability to recover mail items that

were deleted form to Exchange inbox “Recycle bin” (the Deleted items folder) by

using the OWA or the Outlook option of – Recover Deleted Items.

As mention, the user will have a “grace period” of 14 days in which he can “regret”

and restore mail items that were deleted from the Exchange inbox “Recycle bin”

(the Deleted items folder). In other words – recover from a scenario of Hard

delete.

Note – you can read more information about the term Hard Delete in the section

– Soft delete versus Hard delete




http://o365info.com/recover-deleted-mail-items-in-the-exchange-online-environment-deleted-mail-flow-part-3-7#SUB-3



The scenario in which only the Exchange Administrator can recover mail items are:

1. Hard delete

A scenario in which the user deletes also the mail item that was stored in

the Deletion folder(hard delete). In this case, the mail will be placed in

the Purges folder.

The user doesn’t have access permission to the Purges folder (only the

Exchange Online Administrator can view the content of this folder).

2. Mailbox with Litigation Hold or In-Place Hold

In case that the mailbox was configured with Litigation Hold or In-Place Hold, the

ability to recover deleted mail items older than 14 days (the default Deleted

Item retention policy in Exchange Online is 14 days), only the Exchange Online

administrator has the ability to recover this mail items.

The available tools for recovering mail items

The available tools that we can use for recovering mail items are:

1. In-place eDiscovery






An Exchange 2013 web-based interface, which enables us to create a query and

search for mail items in a specific mailbox or an array of mailboxes.

(Exchange Online is based on Exchange 2013 architecture).

The in-place eDiscovery Exchange infrastructure is a very powerful tool, that

consisting of different components and, can use for searching and recovering data

from Exchange Online infrastructure and also from other infrastructures such as

SharePoint Online.

2. PowerShell cmdlets

Exchange includes two sets of PowerShell cmdlets that was created for searching +

recovering mail items from a user mailbox:

Search-Mailbox

New-MailboxSearch

Booth of the PowerShell cmdlets: Search-Mailbox and New-MailboxSearch serve

for searching for data (mail items) in Exchange mailbox.

The graphic interface of the Exchange Online eDiscovery that is used for searching

+ recovering mail items from user mailboxes is based on the PowerShell cmdlets –

New-MailboxSearch

In addition, Exchange includes support in “older” PowerShell cmdlets named –

Search-Mailbox.

To oblivious question that could appear is: why do we need two PowerShell cmdlets

that do the same thing?

The answer is that despite the common between this two PowerShell cmdlets, each

PowerShell has different capabilities that the “other” PowerShell cmdlets don’t

have.

Theoretically, the “newer” PowerShell cmdlets – New-MailboxSearch was

supposed to replace or Inherit the former PowerShell cmdlets (the Search-

Mailbox) but, the interesting news is that the PowerShell cmdlets – Search-

Mailbox still have capabilities that are not provided by the newer New-

MailboxSearch PowerShell cmdlets.






For example, the PowerShell cmdlets Search-Mailbox considers is “older” than the

“new” PowerShell cmdlets: New-MailboxSearch but, the PowerShell cmdlets

Search-Mailbox includes capabilities that the “newer” PowerShell cmdlets don’t

have such as the ability to search and recover mail items only from

the Recoverable Items folder.

If you want to get a detailed review of how to use these PowerShell cmdlets, you

can read the article –Recovering deleted mail items using PowerShell cmdlets

Search-Mailbox | 7#7

3. Mail client (Outlook\OWA)

The mail clients Outlook and OWA, include a built-in option that enables users to

recover mail items. The Outlook\OWA recovery mail items interface enables the

user (the mailbox owner) to view the content of the Deletion folder + recover mail

items. In other words, enable the user to recover mail items from a Soft delete

event.

4. MFCMAPI

The MFCMAPI is a very powerful GUI tool, that enables users (the mailbox owner or

another user that have Full access permission to the mailbox) to have access to the

“behind the scenes” of the mailbox content.

The MFCMAPI tools can provide many capabilities for a variety of troubleshooting

scenarios but in this article, we will review only a very specific capability of

the MFCMAPI -the capability of enabling users to access the “hiding partition”

– Recoverable Items folder.

In the current article, we will review the following methods for recovering mail

items in Exchange Online environment:

Recovery using Outlook and OWA mail client

MFCMAPI

In the article – Using Exchange In-place eDiscovery & Hold for recovering

deleted mail items | 6#7, we will review how to recover mail items using In-

place eDiscovery & Hold




http://o365info.com/recovering-deleted-mail-items-using-powershell-cmdlets-search-mailbox-part-7-7


http://mfcmapi.codeplex.com/



http://o365info.com/using-exchange-in-place-ediscovery-hold-for-recovering-deleted-mail-items-part-6-7

http://o365info.com/using-exchange-in-place-ediscovery-hold-for-recovering-deleted-mail-items-part-6-7



In the article – Recovering deleted mail items using PowerShell cmdlets

Search-Mailbox | 7#7, we will review how to recover mail items using the

PowerShell cmdlets – Search-Mailbox.

Best practices and guideline for recovering deleted mail items

When a user reports that his E-mail “disappeared” the recommended

troubleshooting flow is:

1. Verify if the mail items still exist in the user mailbox – in case that you cannot

find the mail item in the user mailbox, move to the next step.

2. Instruct the user to use the OWA\Outlook built-in option of recovering deleted

items. The ability of the user to recover mail items by themselves, can save

precious time and prevent unnecessary resource allocation for implementing an

“administrative recovery process”.

In simple words – simple is better. If the user manages to recover the mail item

by himself, this is a win-win scenario.

3. Use the “administrative” mail recovery options that exists in an Exchange Online

environment, only when the user doesn’t mange to recover mail by himself.








1. Recovering deleted mail items by using Outlook and

OWA mail clients.

As mentioned, Outlook and OWA mail clients include a built-in interface that

enables a user to recover mail items.

The Outlook and OWA recovery mail option enable the user to get access to the

hidden subfolder the – Deletion folder.

When we mention the term – “recover mail items by using Outlook\OWA”, the

meaning is the ability to recover Soft deleted mail items.

Note – you can read more information about the subject of Soft deleted in the

section –Soft delete versus Hard delete

1.1 Recovering deleted mail items by using Outlook mail client.

To be able to recover mail items using Outlook, implement the following steps:




http://o365info.com/recover-deleted-mail-items-in-the-exchange-online-environment-deleted-mail-flow-part-3-7#SUB-



Choose the Folder menu

Choose the “Recover deleted items” icon.

In the window that appears, we can see a list of all the deleted items (the

mail items that stored in the Deletion folder).

When choosing the option of “Restore selected items”, the mail item will be

restored back to the Deleted items folder.

When choosing the option of “Purge selected items”, the mail item will be

sent to the Purges folder(Hard delete).

One important concept that I would like to emphasize is that, the process of

recovering deleted mail items doesn’t restore the mail item to the “original folder”

in which the mail item was originally created but instead, to the folder that “host”

the mail item before he was deleted meaning – the Deleted items folder.

For example – a scenario in which user delete a mail item that is stored within a

mailbox folder named: Customers.

When the user deleted the mail, the mail is “moved” to the Deleted items folder. In

case that the mail item was removed (deleted) also from the Deleted items






folder and, the user decides that he wants to recover the mail item, the recovered

mail items will be restored back to the Deleted items folder and not to the

“original folder” (Customer folder in our scenario).

In the following screenshot, we can see we can see an example in which we recover

a specific mail item.






After the mail item is successfully restored, we can see that the “new location” of

the mail item is the Deleted items folder.






1.2 Recovering deleted mail items by using OWA mail client.

The ability to recover a mail item can be implemented also by using the OWA mail

client.

To be able to display the Deleted items folder, choose the More option.

(The OWA default view in an Exchange Online environment is a minimized view

that doesn’t display the Deleted items folder).

Right click on the Deleted items folder






Choose the menu – Recover deleted items …

In the new window that appears, you will be able to see a list of mail items that can

be recovered.

On the right bottom of the screen, you can see the option of: Recover or Purge






Additional reading

Recover deleted items or email in Outlook Web App

2. Recovering deleted mail items by using MFCMAPI

utility.

The MFCMAPI is a very powerful tool that each Exchange administrator should

know.

By using the MFCMAPI tool, we can accomplish tasks and operations, which are not

available through the standard Outlook interface.

The MFCMAPI tool can “do” many things but, in this article, I would like to focus only

on the subject of recovering a mail item by using the MFCMAPI tool.




https://support.office.com/en-in/article/Recover-deleted-items-or-email-in-Outlook-Web-App-c3d8fc15-eeef-4f1c-81df-e27964b7edd4







One of the most relevant examples for the need to use the MFCMAPI tool is a

scenario of Hard Delete.

Just a quick reminder – the term “Hard Delete”, define a scenario in which the user

(or other element) deletes the mail item from the Deleted items folder + also

purges the mail item from the recovery folder (the Deletion folder).

In this scenario, the mail is relocated or moved to the Purges folder and the

standard Outlook or the OWA mail client interface, doesn’t enable users to get

access to the Purges folder.

In this case, we have a couple of options -the Exchange Administrator can use the

Exchange Online in-place eDiscovery option (a tool that is available via the

Exchange Online web management interface) for searching and recovering the mail

item.

But in a scenario in which we are not able to access the Exchange Online admin

interface or, in a scenario in which a “standard user” doesn’t have the required

administrative right for accessing the Exchange Online in-place eDiscovery, we can

use the powerful ability of the MFCMAPI tool for trying to recover mail items from a

“Hard delete” scenarios.

How to recover mail item using the MFCMAPI tool

In the following section, we will demonstrate the use of the MFCMAPI tool for

recovering mail items of a user named: John.

Our demonstration will include to options that the MFCMAPI tool include for

recovering mail items:

Export the deleted mail items into a mail message format (msg file).

Copy deleted mail items into inbox folder.

The characters of the scenario are as follows:

Our user John, empty his deleted item folder and then, empty also the recovery

mail item folder (Hard Delete).

In this scenario, the deleted mail items are located in the Purges folder and as we

know, the content of this directory is not available in the Outlook view.










To be able to recover the deleted mail items that is stored in the Purges folder we

will use the MFCMAPI tool. We will use the MFCMAPI tool for “login” to the John

mailbox and then, recover a specific mail item using the Export option and using

the Copy option.

Download and extract the MFCMAPI

Double click MFCMAPI excitable file.

In the welcome screen click OK







Click on the Tools menu and choose Options…

In the windows that appear, choose the following options

o Use the MDB_ONLINE flag when calling OpenMsgStore

o Use the MAPI_NO_CACHE flag when calling OpenEntry

To be able to view the content of the user mailbox we need to login, to John’s

mailbox (the MFCMAPI tool “mimics” Outlook client behavior).






Choose the Session menu and the Logon… menu

In our scenario, we will choose the “John mail profile”






Double-click on the icon that represents John’s mailbox.

Using the MFCMAPI tool, enable us to get a clear view of the physical mailbox

structure.

The most top container is the Root container that includes sub partitions such as:

Recoverable items – this is the Recoverable Items folder.






Top of Information store – this is the “mailbox partition” that contains the

standard mailbox folder that we know such as: inbox, sent items, etc.

To be able to recover the deleted mail items we will click on the Recoverable

items folder.






In the Recoverable items folder, click on the Purges folder.

The MFCMAPI interface is a bit confusing because at first glance, it looks like the

MFCMAPI view of the Purges folder include only binary code.

To be able to view the mail items stored in the Purges folder, we need to double-

click on the Purges folder.






Scenario 1: Export a copy of a deleted mail item

In the first example, we will save a copy of the deleted mail item and save it as a

message file format (msg file).

Choose a specific mail item

Use the right click mouse option and in the menu that appears, choose

the Export message…menu






In the option box: Format to save message, choose the suitable format for your

needs. In our example, we will choose MSG File (UNICODE)






In our example, we will save a copy of the deleted mail item in a folder

named: Recover Mail.






In the windows that appear, click OK






In the following screenshot, we can see the mail item that was saved in the

folder.

Scenario 2: copy the deleted mail item\s to another mailbox folder.

In the following example, we want to use a different option for recovering mail

items.

In this example, we want to restore the mail item to a “dedicated folder” that will be

created and serve for storing the recovered mail item\s.

In our example, before we start that recovery process, we will create a folder

named:

John recover Mail items

Later on, we will copy all the recovered mail items that are stored in the Purges

folder to this folder.

To simplify the instructions, you can follow the steps that were listed in the former

scenario.

When we see the content of the Purges folder, we can choose a specific mail or all

the mail items (CTRL +A) and use the right mouse click.

In this scenario, we will choose the option of: Copy Messages…






Choose the inbox folder and under the inbox folder choose the specific folder

that will be used for saving the copy of the recovered mail items. In our scenario,

we choose the folder named: John recover Mail items






Right click on the folder and choose the menu – Paste…

In our scenario we want to copy the recovered mail items and not move the

recovered mail items. We will not check the option box – Move message instead of

copy






In the following screenshot, we can see the mail item that was recovered.






Additional reading

HOW TO RECOVER DELETED EXCHANGE MAIL IN MICROSOFT OUTLOOK

How to recover missing emails in Office 365

Exchange 2010 Single Item Recovery Architecture




http://dalaris.com/how-to-recover-deleted-exchange-mail-in-microsoft-outlook/

http://blogs.catapultsystems.com/jstocker/archive/2013/02/06/how-to-recover-missing-emails-in-office-365/

http://msexchangeguru.com/2012/02/02/sir-architecture/

recover deleted mail items - office 365 | 4#7

Documents