A comprehensive guide on how to recover Deleted Items for a mailbox in Exchange Online
This guide is intended to help both Exchange administrators and regular users that are comfortable using some advanced troubleshooting techniques in order to restore mailbox content.
IMPORTANT: Please note though that if the emails were deleted more than 30 days ago, they cannot be recovered anymore. Also, if you fail to find the items by using this guide, then the emails have been purged and Microsoft Support cannot recover them as well.
Steps to search for deleted emails:
- In Outlook, click on deleted items folder, then look in the Outlook toolbar you will have the following tabs: File, Home, Send/Receive, Folder, View and Search.
- While deleted items is selected, press on the Folder tab and locate in the menu “Recover Deleted Items” and click on it.
- See if the emails are there and try to recover them.
- https://portal.office.com/support/help.aspx?sid=recdelitems&ui=en-US&rs=en-US&ad=US#/487e4d68-d08c-40e3-8994-f7cf12a021a6 – Recover deleted items in Outlook
- https://portal.office.com/support/help.aspx?sid=recdelitems&ui=en-US&rs=en-US&ad=US#/487e4d68-d08c-40e3-8994-f7cf12a021a6 – recover deleted items in Outlook Web App
Use PowerShell to search and recover deleted emails (for Administrators only):
If the previous steps did not resolve the issue, please follow below instructions:
- Please download and install Microsoft Sign-In Assistant: http://www.microsoft.com/en-us/download/details.aspx?id=41950.
- Please download and install Windows Azure AD Module for Windows PowerShell : http://go.microsoft.com/fwlink/p/?linkid=236297
- More information about Windows Azure AD PowerShell Module can be found here : http://technet.microsoft.com/en-us/library/jj151815.aspx#BKMK_Requirements
- Open Windows Azure Module for Windows PowerShell as administrator (right click the icon and run as administrator) and connect to Office 365 using your administrator credentials by executing these commands one at a time:
$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.Office365.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session -allowclobber
Connect-MsolService -Credential $LiveCred
Before continuing with below commands, please perform the following, if a Discovery Search Mailbox does not exist on your tenant:
You need to enable the discovery search mailbox:
First you will need to connect PowerShell to your Office 365 environment and also connect to your admin account using the GUI.
Add your admin account to the discovery management role; these kind of roles are located in the portal (Exchange Admin Center) under “Permissions” =>”Administrator Roles” => “Discovery Management”. Select this role and click details and after this, add your account as a member, click save.
- New-Mailbox -Name “Discovery Search Mailbox” –Discovery (Only if a Discovery Search Mailbox is not created by default in your tenant)
- Set-Mailbox “Discovery Search Mailbox” -HiddenFromAddressListsEnabled $false (Execute this command if you want to see the Discovery Search Mailbox in the Global Address List)
- Add-MailboxPermission “Discovery Search Mailbox” -user email@example.com -accessrights fullaccess (Execute this command if you want to open the Discovery Search Mailbox using another account that has permission over it)
The commands which can be used to recover deleted emails:
- Search-Mailbox firstname.lastname@example.org -SearchDumpsterOnly -TargetMailbox “Discovery Search Mailbox” -TargetFolder inbox -LogLevel Full
- Search-Mailbox “Discovery Search Mailbox” -TargetMailbox email@example.com -TargetFolder inbox
Discovery mailbox will appear as a subfolder on that user’s inbox and will have a tree structure, you will need to expand that structure until you reach purges folder, this is where you will find the emails. Also, folders and subfolders cannot be retrieved, only the content.
Use EWS Editor to check for deleted emails:
B.1. Check the primary mailbox:
- Navigate to this URL: https://ewseditor.codeplex.com/ and download the latest version of the tool.
- Open the program on a Windows computer then select File=>New Exchange service.
- At “Autodiscover Email” field, type the email address of the affected user
- Select the “EWS Schema Version” to be “Exchange2013_SP1”
- Check the “Use the following credentials instead of the default Windows credentials” and ask the user to provide his Office 365 credentials (user name and password; “domain” field is not required)
- Click “Ok” and wait to be prompted to add the account.
- You should now see the account added in EWS Editor so please expand “MsgFolderRoot”
- Locate the “Recoverable Items” folder, expand it and search in the following 2 subfolders: Deletions, Purges
- On the right side of the screen, when you click on each folder, you should see “Total Count”. If you see a high number there, then it means that most of the emails are still on the server and can be recovered, otherwise, they were completely deleted and we cannot recover them anymore.
B.2. How to check the archive mailbox (if there is one):
- After the primary mailbox has been added in EWS Editor, right click the name of the mailbox, the upper most container, and select “Add root container”
- A new window will open, select “Identify folder by well-known name” and select “Archive Root”
- Repeat the steps described at B.1 to check “Deletions” and “Purges” folders inside the archive mailbox
B.3. How to check a shared mailbox
- You will need to first follow the steps at B.1. to add an account which has full access over the shared mailbox.
- After the account has been added, right click on the name of the account and select “Add root container”.
- Select “Identify folder by well-known name” and select “Root”. In the SMTP field type the address of the shared mailbox.
- Repeat the steps described at B.1 to check “Deletions” and “Purges” folders inside the shared mailbox.
Use MFC MAPI to recover your Deleted Items:
- Download MFC MAPI from https://mfcmapi.codeplex.com.
(The advantage of EWS Editor is that it doesn’t require you to have the mailbox configured in Outlook in order to access it, as it will connect to it directly on the server.)
- Configure the affected mailbox in Outlook (after you finish the configuration wizard, you can deselect “Use Exchange cached mode” as we do not want to wait until Outlook downloads the entire mailbox locally).
- After you have the mailbox configured, you will have to open Outlook at least once and let it connect to the mailbox (you can close it afterwards).
- It is now time to open MFC MAPI and connect to the mailbox. Use the instructions in this article to search the mailbox using the tool: https://support.microsoft.com/en-us/kb/2786067
Alternatives to prevent email data loss in Office 365:
D.1. PST backup with Outlook
D.2. In-place archiving:
- https://technet.microsoft.com/en-us/library/jj984357(v=exchg.150).aspx – Enable or disable an archive mailbox in Exchange Online
- https://technet.microsoft.com/en-us/library/archive-features-in-exchange-online-archiving.aspx – Archive Features in Exchange Online Archiving.
- https://technet.microsoft.com/en-us/library/dd979800(EXCHG.150).aspx – In-Place Archiving in Exchange 2013
- http://technet.microsoft.com/en-us/library/ff637980(v=exchg.150).aspx – In-Place Hold
- http://technet.microsoft.com/en-us/library/dd979797(v=exchg.150).aspx – Create or Remove an In-Place Hold
D.4. Litigation Hold:
- https://technet.microsoft.com/en-us/library/dn743673(v=exchg.150).aspx – Place a mailbox on Litigation Hold
- https://technet.microsoft.com/en-us/library/ff637980(v=exchg.150).aspx – In-Place Hold and Litigation Hold
Mailbox audit – it is intended only for non-owners like delegates or administrators. Owner actions are not logged, but it may still give you an idea of what happened on that mailbox. Below you can see some articles that have more details about this:
- https://technet.microsoft.com/en-us/library/dn879651.aspx – Enable Mailbox auditing in Office 365
- https://technet.microsoft.com/library/jj150552(v=exchg.150).aspx – Export mailbox audit logs