Single Item Recovery in O365

Ever thought of a situation where you have deleted some important emails by mistake and not being able to recover the same. It’s a dreaded situation and everyone would have thought about this situation.

 

In Exchange online we provide 3 layers of Recovery so that messages can be recovered

    1. Deleted Items Folder
    2. Recover Deleted Items Folder
    3. Purges Folder

 

 

Deleted Items Folder

When a mail is deleted(normal Delete not shift Delete) its moved to Deleted Items folder and its present there until we manually delete the messages from there or its deleted automatically or according ti the duration set by the administrator (By default messages are stored indefinitely)

https://blogs.office.com/2015/02/20/extended-email-retention-deleted-items-office-365/

 

Recover Deleted Items Folder

When a mail is Shift deleted(hard deleted), or deleted from Deleted items or removed from deleted items by the Retention policy, its moved to the Recover Deleted Items Folder and it remains there for next 14 days(can be extended to 30 days).

 

There are 2 folders under Recovery Deleted Items

    1. Deleted Folder(its not the normal Deleted folder in the mailbox)
    2. Purges Folder

 

When the mail is present in Recovery Deleted Items(Deleted folder) it can be directly recovered from the users Outlook or OWA

 

In Outlook 2007, click on Tools and select Recovery Deleted Items as shown below

 

 

In Outlook 2010 under Folder Option in the Ribbon bar we have Recovery Deleted Items 

 

 

In OWA when we right click Delete Items folder we have the option to open Recover Deleted Items Folder.

 

 

 

 

Purges folder

When a mail is deleted from Deleted Items folder under Recover Deleted Items its moved to Purges Folder under Recover Deleted Items folder. Refer the image shown in this link

Remember the shell life of a message moved to Recover Deleted Items is 14 days(can be extended to 30 days) regardless its moved to Deleted Folder or Purges folder. The time starts as soon as the message is moved to Recover Deleted Items.

 

Once the mail moves to Purges Folder its not visible for the end user(either in Outlook 2007/2010 or OWA) and we have 2 ways to recover these messages, if its still present in Purges Folder

Method 1 : Using ECP

Please logon to Portal > Outlook > Options > See All options

At the left top corner select Manage My Organization  

Select Roles & Auditing > Administrator Roles > and double click Discovery Management and make sure you are part of this group

 

Once that is verified please Double click Organization Management > Under Roles Click on Add and Select Mailbox Import Export

Under Member, Add yourself as a Member and Click Save.

 

 

Select Mail Control > Discovery and Select New

 

 

Please fill in the details so that all mails that was sent and received form the particular user's account is selected and click on Save

 

 

Under Search Name, Type and Storage Location make sure Copy the search results to the destination mailbox is selected and default Discovery Mailbox is selected.

Once the search is completed you would get an option to open the the Discovery Search mailbox

Alternatively you can store the results to the users mailbox using Search-Mailbox cmd, refer https://help.outlook.com/en-us/140/hh125820.aspx

 

 

Method 2 : Using MFCMAPI

Note: Although the use of MFCMAPI is supported by Exchange Online we recommend that you use caution be used at all times when making modifications to mailboxes by using this tool. Using the MFCMAPI tool incorrectly can cause permanent damage to a mailbox.

Download MFCMAPI tool from here https://mfcmapi.codeplex.com/

Install this on the user's machine whose messages need to be recovered.

Open MFCMAPI

Select Tools > Options 

 

 

Make sure the below highlighted option is selected and click ok

 

Click Session > Logon > and select the Profile of the user on which you want to do a Single Item Recovery from the dropdown list

 

 

 

 

Double click on user's account Default store

Expand the Root Container and double click on Purges folder as shown below

 

On the Purges folder Window , do a Select All (Ctrl + A) you can either do

1) Export message as (MSG (Ansi)) or

2) Delete Message, this gives us an option “Delete to Deleted Items” and you can find the emails in the deleted folder

 

Being the admin of an Tenant we have the right to increase the Single Item Recovery period of users of our domain to 30 days maximum from the default 14 days .

 

 

We can increase the value for a particular user to 30 days by running the below command

 Set-Mailbox <user alias> -SingleItemRecoveryEnabled $True -RetainDeletedItemsFor 30

 

If we want to increase the recovery period for all users for 30 days we can run the below command

Get-Mailbox | Set-Mailbox -SingleItemRecoveryEnabled $True -RetainDeletedItemsFor 30

 

If we want to recover items for a period of more than 30 days, tenant administrator must consider using Litigation Hold.

 

 

 

For more information on Single Item Recovery refer the below links

Recover Deleted E-Mail Messages in Exchange Online

https://help.outlook.com/en-us/140/hh125820.aspx

Search For and Delete Messages from Users' Mailboxes

https://help.outlook.com/en-us/140/gg315525.aspx

Multi-Mailbox Searches

https://help.outlook.com/en-us/140/cc511392.aspx

Put a Mailbox on Litigation Hold

https://help.outlook.com/en-us/140/ms.exch.ecp.editlitigationhold.aspx

Recover Deleted Items

https://help.outlook.com/en-us/140/ms.exch.owap.recoverdeleteditems.aspx