Administrators can use single item recovery to protect against accidental or malicious deletion of e-mail messages and to facilitate discovery efforts before or during litigation or human resources investigations.

Single item recovery is enabled by default for new user mailboxes created in Exchange Online and for mailboxes migrated to Exchange Online from an on-premises Exchange organization.

How does single item recovery work?

To permanently delete e-mail messages, by what is called a soft delete, a user can do one of the following in Microsoft Office Outlook or Outlook Web App:

  • Delete an item from the Deleted Items folder.
  • Empty the Deleted Items folder.
  • Press Shift + Delete to delete any item.

E-mail messages that have been soft-deleted are moved to the Recoverable Items folder in the user’s mailbox, which was called the dumpster in previous versions of Microsoft Exchange, and into a subfolder named Deletions. Users can recover or purge e-mail messages in the Deletions subfolder by using the Recover Deleted Items feature in Outlook 2010 or Outlook Web App. For more information, see Recover Deleted Items.

If a user purges an e-mail message from the Recoverable Items folder, by what is called a hard delete, the purged message is moved to the Purges subfolder, which isn’t accessible to and can’t be recovered by the user. Only an administrator can recover a purged e-mail message.

Note: Because items in the Purges subfolder in the Recoverable Items folder are indexed and discoverable, administrators or discovery managers can use Multi-Mailbox Search to search for purged items. For more information, see Multi-Mailbox Searches.

Retention period for deleted items

By default, in Exchange Online, the retention period for deleted items is 14 days. The retention period starts when the deleted item is moved to the Recoverable Items folder. After 14 days, items in the Deletions subfolder are automatically moved to the Purges subfolder. When the retention period for an item in the Purges subfolder expires, the item is permanently removed from Exchange Online and can’t be recovered by an administrator.

To change the retention period for deleted items in mailboxes in your organization, you must contact Office 365 support. The retention period can be set to any length of time. However, if you want to retain deleted items for longer than 30 days, the mailbox must have an Exchange Online (Plan 2) user license.

Retaining modified versions of messages

Single item recovery also saves the original version of a message if a user makes any modifications to the message. If a user changes a message, the original version of the message is copied to a subfolder named Versions. The Versions subfolder isn’t visible to end users, but items in it are indexed and searchable by an administrator or discovery manager. Like items in the Purges subfolder, items in the Versions subfolder are permanently deleted from Exchange Online after the 14-day retention period for deleted items expires.

The following diagram shows the single item recovery process:

[Figure: Single item recovery process]

Quota for the Recoverable Items folder

The Recoverable Items folder has a maximum quota of 30 GB, and this quota isn’t charged against the quota for the user’s primary mailbox. When the size of the Recoverable Items folder reaches 20 GB, a warning message is sent to the administrator and the Messaging Records Management (MRM) technology in Exchange Online automatically deletes the oldest items in the Recoverable Items folder until the size of the folder is less than 20 GB. In the unlikely event that the Recoverable Items folder reaches 30 GB, the user can no longer soft delete any items. The administrator is sent a warning message and must manually delete items from the Recoverable Items folder by using the Search-Mailbox cmdlet. For more information, see Search For and Delete Messages from Users’ Mailboxes.

Note: The quota for the Recoverable Items folder can’t be modified.

Single item recovery versus litigation hold

As previously stated, single item recovery retains deleted and purged e-mail messages for 14 days. When the retention period for deleted items expires, items are permanently removed from Exchange Online.

In contrast, if litigation hold is enabled for a mailbox, none of the items in the Purges subfolder, Deletions subfolder, or Versions subfolder are permanently deleted from Exchange Online. All items in the Recoverable Items folder are retained until the litigation hold is removed. See Put a Mailbox on Litigation Hold.

Note: When a mailbox is on litigation hold, items in the Deletions subfolder are moved to the Purges subfolder after 14 days. Moving items to the Purges subfolder prevents users from knowing their mailbox is on litigation hold. This is useful for criminal cases where the litigation hold status is hidden from the user.

Search for and recover deleted e-mail messages

To search for and recover a deleted e-mail message to a user’s mailbox, follow these steps:

  1. In the Exchange Control Panel, use Multi-Mailbox Search to find the e-mail message that you want to recover from the user’s Recoverable Items folder, and copy the search results to the Discovery Search Mailbox.
  2. In Windows PowerShell, use the Search-Mailbox cmdlet to search the Discovery Search Mailbox for the message that you searched for in the previous step and copy it to the user’s mailbox.

Before you begin

  • To learn how to install and configure Windows PowerShell and connect to the service, see Use Windows PowerShell in Exchange Online.
  • You have to be assigned the following roles to search for and recover messages in users’ mailboxes:
    • Mailbox Search: This role allows you to search for messages across multiple mailboxes in your organization. Administrators aren’t assigned this role by default. To search multiple mailboxes, add yourself as a member of the Discovery Management role group. See Add or Remove Role Group Members.
    • Mailbox Import Export: This role allows you to use the Search-Mailbox cmdlet to restore recovered items. This role isn’t assigned to administrators by default. To run this cmdlet, add the Mailbox Import Export role to the Organization Management role group. See Edit Role Group Properties.

Step 1 Search for an e-mail message

Use Multi-Mailbox Search in the Exchange Control Panel to search for the e-mail message that you want to recover. By default, Multi-Mailbox Search searches the Recoverable Items folder in users’ primary and archive mailboxes. See Create a New Multi-Mailbox Search.

When you use Multi-Mailbox Search in the Exchange Control Panel, the user’s entire mailbox is searched. If you want to search only the Recoverable Items folder, you have to use Windows PowerShell. Run the following command to search the Recoverable Items folder:

Search-Mailbox <user> -SearchDumpsterOnly -SearchQuery <search query> -TargetMailbox "Discovery Search Mailbox" -TargetFolder <folder name> -LogLevel Full

Example: The following command searches the Recoverable Items folder in Esther Valle’s mailbox for a message with the subject line of “Online survey results” and copies any search results to a folder named “EstherV” in the Discovery Search Mailbox:

Search-Mailbox "Esther Valle" -SearchDumpsterOnly -SearchQuery 'subject:"Online survey results"' -TargetMailbox "Discovery Search Mailbox" -TargetFolder EstherV -LogLevel Full

Step 2 Recover the e-mail message

After a message has been saved to the Discovery Search Mailbox, you can recover it to the user’s mailbox by using the Search-Mailbox cmdlet. Run the following command:

Search-Mailbox "Discovery Search Mailbox" -SearchQuery <search query> -TargetMailbox <user> -TargetFolder inbox

Example: The following command finds the message with a subject line of “Online survey results” in the Discovery Search Mailbox and copies it to Esther Valle’s Inbox:

Search-Mailbox "Discovery Search Mailbox" -SearchQuery 'subject:"Online survey results"' -TargetMailbox estherv -TargetFolder inbox

Because the Search-Mailbox command searches the Discovery Search Mailbox for the recovered item, the item and the folder structure from the Discovery Search Mailbox are recovered to the Inbox of the user’s mailbox. For example, in the previous example, here’s what the folder structure in Esther Valle’s mailbox looks like after the item is recovered:

[Figure: Recovered item in user's inbox]

Be sure to tell users that they can move the recovered item directly into their Inbox and delete this folder structure.

Note: When you use the Search-Mailbox cmdlet, you can’t specify the same mailbox as the source and target mailbox. That’s why you have to use Multi-Mailbox Search to copy the message to the Discovery Search Mailbox.
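
The two steps above can be wrapped with a dry run so that an overly broad query never copies unrelated mail into a user's Inbox. This is an added example, not part of the original page; the function name Restore-DeletedMessage, the staging folder name and the MaxItems limit are assumptions, while -EstimateResultOnly and the ResultItemsCount property are standard Search-Mailbox features that the page does not mention.

```powershell
# Added example, not from the original page. Restore-DeletedMessage,
# -StagingFolder and -MaxItems are hypothetical names chosen for illustration.
function Restore-DeletedMessage {
    param(
        [Parameter(Mandatory)] [string] $User,         # mailbox that lost the message
        [Parameter(Mandatory)] [string] $SearchQuery,  # e.g. 'subject:"Online survey results"'
        [string] $StagingFolder = "Recovery-$User",    # folder in the Discovery Search Mailbox
        [int]    $MaxItems = 5                         # refuse to restore broad result sets
    )
    $discovery = 'Discovery Search Mailbox'

    # Dry run: count matches in Recoverable Items without copying anything.
    $estimate = Search-Mailbox -Identity $User -SearchDumpsterOnly `
        -SearchQuery $SearchQuery -EstimateResultOnly
    if ($estimate.ResultItemsCount -eq 0) {
        Write-Warning "No recoverable item matches '$SearchQuery' for $User."
        return
    }
    if ($estimate.ResultItemsCount -gt $MaxItems) {
        Write-Warning "$($estimate.ResultItemsCount) items match; narrow the query first."
        return
    }

    # Step 1: copy the matches to the Discovery Search Mailbox with full logging.
    Search-Mailbox -Identity $User -SearchDumpsterOnly -SearchQuery $SearchQuery `
        -TargetMailbox $discovery -TargetFolder $StagingFolder -LogLevel Full

    # Step 2: copy from the Discovery Search Mailbox back to the user's Inbox.
    # Source and target differ here, which is why the staging copy is needed.
    Search-Mailbox -Identity $discovery -SearchQuery $SearchQuery `
        -TargetMailbox $User -TargetFolder inbox
}

# Constructed usage, mirroring the page's example mailbox and subject line.
Restore-DeletedMessage -User estherv -SearchQuery 'subject:"Online survey results"'
```

Step 2 searches the whole Discovery Search Mailbox, so results left over from earlier searches that match the same query are restored as well.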

Disable single item recovery

Run the following command to disable single item recovery for a mailbox:

Set-Mailbox <mailbox> -SingleItemRecoveryEnabled $false

To disable single item recovery for all user mailboxes in your organization, run the following command:

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Set-Mailbox -SingleItemRecoveryEnabled $false

Important: If you disable single item recovery, items are still retained in the Recoverable Items folder for 14 days after they are deleted. However, if a user purges an e-mail message from the Recoverable Items folder, it is permanently deleted and can’t be recovered by an administrator.
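
Because a disabled setting removes the administrator's ability to recover purged mail, it is worth auditing which mailboxes have it turned off. The following is an added example, not part of the original page; the function names are hypothetical, and the 14-day and 20 GB thresholds are the defaults stated above.

```powershell
# Added example, not from the original page. Get-RecoveryPosture and
# Find-WeakRecoveryPosture are hypothetical names.
function Get-RecoveryPosture {
    param(
        [Parameter(Mandatory)] $Mailbox,   # one object from Get-Mailbox
        [string] $RecoverableItemsSize,    # FolderAndSubfolderSize as text
        [int]    $MinRetentionDays = 14,   # default retention stated on the page
        [long]   $WarnBytes = 20GB         # warning level stated on the page
    )
    # Remote sessions return sizes as text: "20.5 GB (22,011,707,392 bytes)".
    $bytes = 0L
    if ($RecoverableItemsSize -match '\(([\d,]+) bytes\)') {
        $bytes = [long]($Matches[1] -replace ',', '')
    }
    $retention = [TimeSpan]$Mailbox.RetainDeletedItemsFor

    [pscustomobject]@{
        Mailbox            = $Mailbox.Name
        SingleItemRecovery = [bool]$Mailbox.SingleItemRecoveryEnabled
        LitigationHold     = [bool]$Mailbox.LitigationHoldEnabled
        RetentionTooShort  = $retention.TotalDays -lt $MinRetentionDays
        NearQuota          = $bytes -ge $WarnBytes
    }
}

# Live audit (needs an Exchange Online session): list only mailboxes with a finding.
function Find-WeakRecoveryPosture {
    Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
        ForEach-Object {
            $mbx  = $_
            $root = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope RecoverableItems |
                Where-Object { $_.FolderType -eq 'RecoverableItemsRoot' }
            Get-RecoveryPosture -Mailbox $mbx -RecoverableItemsSize "$($root.FolderAndSubfolderSize)"
        } |
        Where-Object { -not $_.SingleItemRecovery -or $_.RetentionTooShort -or $_.NearQuota }
}

# Constructed sample record; runs without a session.
$sample = [pscustomobject]@{
    Name = 'estherv'; SingleItemRecoveryEnabled = $false
    LitigationHoldEnabled = $false; RetainDeletedItemsFor = '14.00:00:00'
}
Get-RecoveryPosture -Mailbox $sample -RecoverableItemsSize '20.5 GB (22,011,707,392 bytes)'
```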

Best practices for searching for deleted e-mail messages

  • Narrow the search to minimize the number of search results. When you configure the search in Multi-Mailbox Search, use the settings in the Messages To or From Specific E-Mail Addresses and Mailboxes to Search sections to narrow the search as much as possible. For example, search messages sent to the user and only search the user’s mailbox. This will reduce the number of related but not directly relevant messages returned in the search.
  • Enable deduplication for the multi-mailbox search to find a recoverable item. When you recover an item to a user’s mailbox, the whole folder structure from the search results is copied to the user’s mailbox if you don’t enable deduplication. When you enable deduplication, the subfolder structure is simplified.
  • Use Advanced Query Syntax (AQS) so you can search for keywords in different properties of an e-mail message. For example, you can search for a keyword in the subject line or message body. For more information, see Advanced Keyword Searches. The following table shows common message properties that you can include in your keyword search:

    | Property | Example | Search results |
    |---|---|---|
    | Attachments | attachment:annualreport.ppt | Messages that have an attachment that is named annualreport.ppt. The use of attachment:annualreport or attachment:annual* returns the same results as using the full name of the attachment. |
    | Cc | cc:"gurinder singh", cc:gurinders, cc:gurinders@fineartschool.edu | Messages with Gurinder Singh in the Cc field |
    | From | from:"Max Stevens", from:maxs, from:maxs@contoso.com | Messages sent by Max Stevens |
    | Sent | sent:10/19/2010 | Messages that were sent on October 19, 2010 |
    | Subject | subject:"Quarterly Financials" | Messages that contain the exact phrase “Quarterly Financials” in the subject line |
    | To | to:"Judy Lew", to:judyl, to:judyl@contoso.com | Messages sent to Judy Lew |

Best practices for recovering deleted e-mail messages

  • Use the same keyword search query that you used in Multi-Mailbox Search. If you enabled full logging during the search, use the value from the Subject column in the CSV file, which is attached to the search log, for the value of the SearchQuery parameter. This allows you to restore the exact message to a user’s mailbox. Or you can use the exact subject line from the message in the Discovery Search Mailbox.
  • Delete unnecessary items in the Discovery Search Mailbox. Before you use the Search-Mailbox cmdlet to recover an e-mail message, you can delete items in the Discovery Search Mailbox that met your search criteria but don’t have to be recovered.
  • Suppress the sending of the search results e-mail to the user. By default, an e-mail message that contains information about the search is sent to the mailbox specified by the TargetMailbox parameter. This is useful because it indicates to the user when a recovered e-mail message has been returned to their Inbox. To prevent a message from being sent, include the LogLevel Suppress parameter in the command.