recover deleted mail items in the exchange online environment | introduction | 1#7

of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

Written by Eyal Doron | o365info.com | Copyright © 2012-2015

Recover deleted mail items in the

Exchange Online environment |

introduction | 1#7

The current article is a basic introduction into the subject of – recovering mail items

in the Exchange Online based environment.

We will review a couple of common misconceptions that relate to the scenario

in which users report that his mail was deleted.

The need to verify if the scenario is indeed a scenario of “deleted mail items”.

What are the main causes which could lead into a scenario of mail deletion.

Many of the Office 365 customers are not aware of the options that are available

for them in a scenario in which they need to recover mail items and what are the

http://o365info.com/recover-deleted-mail-items-in-the-exchange-online-environment-introduction-part-1-7


https://il.linkedin.com/in/eyaldoron1

http://o365info.com/


introduction | 1#7


built-in limitation of the Exchange Online that realities to the operation of recover

deleted mail items.

The main purpose of this article and the rest of the article series is to help you to

get familiar with the option that are available for you for recovering mail items in

the Exchange Online environment.

Prefix

To be able to get a full thorough understanding on this subject, we will need to be

able to answer a couple of major questions:

Q1: How to relate to an event in which users report that the data is “missing” from

their mailbox or the need to recover data that was deleted in the past?

Q2: What is the built-in mechanism that Exchange server architecture provides for

dealing with such scenarios?

Q3: What are the available options when we host our mail infrastructure on

Exchange Online based infrastructure (Office 365)?

The answers to this question are spread over a series of six articles.

In other words: if you are looking toward a solution in which you will pick up a

phone to the Exchange Online support team instruct them to solve the problem by

doing “some magic” and inform the user that “everything is OK”, you did not come

to the right place!






introduction | 1#7


Q1: So what are you telling me? Do you claim that it’s not passable to deal with a

scenario in which we need to recover or restore mail for our Exchange Online

users?

A1: My “claim” is that in Exchange and Exchange Online environment, we can use

the built-in capabilities the Exchange architecture offer for dealing with such

scenarios (recover mail items) such as the architecture of single item recovery or

other Exchange Online services such as Litigation Hold or In-Place Hold.

To be able to provide good answers and good services for our customers, we will

need to know about the available options, the limitations, and the best practices for

dealing with a scenario of missing mail and so on.

The current article

The purposes of the current article are:






introduction | 1#7


Remove the ambiguity of the subject or recovering mail items in Office 365

(Exchange Online) environment.

Review common misconceptions.

Define the terms: “My mail disappeared!” and “Deleted Item retention default

policy”.

Review the 11 major causes for “deleted mail item” scenario.

Exchange Online and “common misconceptions”

regarding data recover and backup

1. The “cloud” backup my mail forever!

The source for this misconception is – when we read about the “high availability of

cloud services” (such as Exchange Online) and the “insurance” that we have

regarded scenarios of DRP (disaster and recovery plan), we automatically “translate”

this information under the assumption that – in a cloud environment, deleted mail

items will always be available for us.

It’s a truth that Microsoft has infrastructure for backing up all the “customer

information” and these “backups” could serve for restoring data in case of “disaster”

such as storage corruption, server hardware failure or even a catastrophic event of

“complete Data center failure” but this ability can be used only for scenarios of

“disaster”, and not for a scenario of recovering a specific deleted mail item.

Additional reading

Office 365 E1 and E2 plans (Exchange Online Plan 1) Mail Item Recovery

Limitations & Solutions

Office 365 Backup & Recovery

2. When using the Exchange Online archive, my mail is backed up!

The source for this misconception is – we are used to associating to term “archive”

with another term such as “backup”.

In Exchange Online environment, the main purpose of the Exchange Online archive

is not to back up the user mail items, but instead, improve the Outlook mail client





http://blogs.technet.com/b/uspartner_ts2team/archive/2011/11/30/office-365-e1-and-e2-plans-exchange-online-plan-1-mail-item-recovery-limitations-amp-solutions.aspx

http://blogs.technet.com/b/uspartner_ts2team/archive/2011/11/30/office-365-e1-and-e2-plans-exchange-online-plan-1-mail-item-recovery-limitations-amp-solutions.aspx

http://blogs.technet.com/b/uspartner_ts2team/archive/2011/12/16/office-365-backup-amp-recovery.aspx


introduction | 1#7


performance. Mail items that are sent or saved in the Online archive are not saved

to the local OST file (cache mode).

In case that a user deletes mail from the online archive, the mail item will be

deleted like any “standard” mail item.

3. In a scenario that a user wants to recover mail that was deleted a long

time ago, I could call Microsoft support, and they will recover for me the

required information!

Let’s make it simple – the default Exchange Online deleted mail policy value is – 14

days.

In case that a user implemented “Hard delete” (you can read more information

about Hard delete in the article – Recover deleted mail items in the Exchange

Online environment | Deleted mail flow | 3#7) the mail item considers as

“recoverable” for a period of 14 days.

After this period, the mail item will be lost forever! There is no option for recovering

such as a mail item in the Exchange Online environment.

Office 365 customers who use Exchange Plan 2 license or E3 license can extend the

default deleted item mail policy for a period of 30 days + use the option of Litigation

Hold or In-Place Hold that enable to keep mail items for a longer time period or

forever, but this option cannot be implemented in retrospect.





http://o365info.com/recover-deleted-mail-items-in-the-exchange-online-environment-deleted-mail-flow-part-3-7#SUB-3



introduction | 1#7


In other words – if the Exchange Online administrator didn’t “activate” the described

options in advance, we are still subject to the “14 days rule”.

Note-

You can read more information about extending the default Deleted Item

retention policy in an Exchange Online environment in the article – Recover

deleted mail items in the Exchange Online environment | Deleted mail flow | 3#7

You can read more information about Litigation Hold or In-Place Hold in

Exchange Online environment in the article – Exchange In-Place eDiscovery &

Hold | Introduction | 5#7

4. In Exchange Online environment, I can recover the user mailbox to his

“original state”

False assumption 1 – restore the user mailbox snapshot.

Usually, when Exchange Online administrator says that sentence their meaning is

translated to the option of restoring a snapshot of the user mailbox sometimes

refers as “point in time” in which the user mailbox will behave all the mail items,

and the specific folder structure that the user had in a specific point in time.

The Exchange Online infrastructure doesn’t include this option. There is no way to

restore the user mailbox to a specific point in time.

False assumption 2 – restore mail items to the original location.

For example, in case that the deleted mail item was located in the inbox folder,

when I use the available option for recovering the specific mail items, it will be

restored to “his original folder” meaning – the inbox folder.

In a recovery scenario in which we use Outlook or OWA mail client for recovering a

mail item, the mail item will be restored to “his original folder” but not to the folder

that we consider as “original”.

When we delete a mail item, “his original folder” become the Deleted items folder

When we restore the mail items from the Recoverable Items folder, the mail item

will be restored to the Deleted items folder and not to the inbox folder







http://o365info.com/exchange-in-place-ediscovery-hold-introduction-part-5-7

http://o365info.com/exchange-in-place-ediscovery-hold-introduction-part-5-7


introduction | 1#7


Exchange Online versus Exchange on-Premises

The formal definition of this current article series is reviewing the subject of

recovering mail items in Office 365 based environment meaning – Exchange Online

environment.

Despite that, most of the information on the architecture, the logic and the

available tools are almost identical to the Exchange on-Premises infrastructure.

In the current time, the Exchange Online architecture is based on the Exchange

2013 server version.

So, in a scenario that you have Exchange 2013 on-Premises, you will find that most

of the infrastructure, the screenshot and the interfaces are relevant also for the

“on-Premises environment”.

The “cloud” deleted my mail

In many of the “deleted mail item” scenario or in the “My mail was disappeared!!”

There is a common conspiracy theory described as – “The “cloud” deleted my mail”

The truth is that there is some logic behind this hypothesis because we all know

that at night, the Tooth Fairy, comes to giving gifts to children have fallen tooth and

the Office 365 deleted mail demon come and delete ruthlessly our Poor users E-

mails!!!






introduction | 1#7


If you think that I’m a little cynical, wait until you hear the complaints I hear from

clients.

The point – there is no Tooth Fairy and, no Office 365 deleted mail daemon.

Theoretically, there is a possibility that the causes for the deleted mail item relate in

some way to the Exchange Online infrastructure but, my opinion is that chance for

this scenario is identical to the chance in which you win the grand prize lottery

three weeks in a row.

My mail was disappeared!!

A user calls the help desk support and report that his mail disappeared!!!

In case that the user is a VIP or the user makes a lot of noise, we are entering into a

panic mode and want to be able to find the “magic formula” that everything returns

to the previous state!






introduction | 1#7


Before we get into the panic state, I would like to present two important questions

1. What is the meaning of “my mail”?

Does the user relate to a single mail item, a couple of mail items or dozens of

mail items?

When the user says – “mail items” did he means an E-mail message? Calendar

meeting? Contact?

Are there any specific characters in the mail that was disappearing? For

example – mail from a specific date range? Mail with a specific subject? Mail

from a specific recipient?

2. What is the meaning of “disappeared”?

When the user says that his mail “disappeared” does it mean that the mail was

deleted? Does it mean that the mail exists, but for some reason, he cannot see or

find the specific mail item?






introduction | 1#7


You don’t have to act like Sherlock Holmes each time a user reports that his mail

was disappearing, but it’s crucial that we will have a clear understanding about the

characters of the event.

Before we start to fire in all directions, we need to verify if this is a simple scenario

in which the mail exists, but the user cannot find it or a scenario in which we cannot

locate the specific mail items, and we can assume that the mail can be considered

as “deleted”

Mail is hidden from the user.

We a user reports that he cannot find his mail, many times the meaning is that the

mail exists, but not where the user expects to find in his mail.






introduction | 1#7


For example

1. Drag and drop scenario – a scenario in which the user was a drag and drop mail

item\s from their original mail folder to other mail folders without noticing.

Another variation of this scenario could be a scenario in which the user

consciously moves a specific mail item from their original folder to another

folder and over time, he forgot that he changed the original location of the mail

item.

2. Outlook and OWA view – Outlook and OWA mail client, enable the user to define

a specific view that serves as a “filter” that hides a specific mail item.

Many times, when a user reports that he cannot find a specific mail item, the

“problem” is a specific view that hides the mail item.

3. Synchronization problem – for example, a scenario in which users who use

Outlook discovers that he cannot find a specific mail item. The mail item exists in

the Exchange Online mailbox, but for some reason, was not synchronized to the

specific user desktop.






introduction | 1#7


The solution

In a scenario in which users report that his mail was

disappeared\deleted\evaporated or any other term, before we start to think about

the worst-case scenario, let’s start with a simple “search operation”.

The best practice is to search for the “missing in action” mail items by using the

OWA mail client because, when we use the OWA mail client, we eliminate a scenario

in which the problem is related to a synchronization problem.

The 10 major causes for “deleted mail item” scenario

Let’s assume that we have implemented a thorough search in the user mailbox and,

we could not find the mail items that were reported as “missing”.

In this stage, we have a reasonable basis to believe that the mail was deleted.

In this scenario, a common psychological phenomenon is to “find is the element

that is responsible for the mail deletion and only after that, start to see are the

recoverable options that available to us.






introduction | 1#7


I will not be able to help you to find the “person” or the “element” that deletes the

mail items, but, I can introduce to you some of the “common causes” for mail

deletion scenario.

1. Mail item that was deleted by the user himself.

Despite that we are not willing to consider this scenario, in real life, the reason for

the deleted mail item could be the user himself.

It doesn’t matter if the user deleted the mail in the past and, forgot that he deleted

the mail or the mail was accidentally deleted.

What matters is that we should consider this option before we start to fire in all

directions to seek to blame the environment.

2. Antivirus

Most of the time we relate to Antivirus as an element that was created for

protecting the mailbox data, but in some scenarios, the Antivirus application could

recognize a specific mail as a “problematic” and decide to delete the mail items or

remove some parts of the mail item such as attachment, etc.

3. Virus or malware

Any type of hostile code that exists on the user desktop or device and manages to

delete mail items.

4. Variety of mail client and mail protocols.

In a modern environment, users access their mailbox form many different devices,

application using a variety of mail protocols and so on.

In this “complex environment”, it’s reasonable to assume that the scenario of

deleted mail can be caused by a problem with a specific mail client, specific mail

protocol specific device, etc.

5. Other users who have access to the specific user mailbox.

One of the notable characteristics of the Exchange Online environment is the ability

of “sharing resources such as mailbox or calendar.

The scenario in which mail items are deleted, can be caused by users who have

access (permission) to the user mailbox.

The “deletion” could be considered as deliberate action or mistake but the






introduction | 1#7


important issue is that in case that other users have access to the user mailbox; the

deletion could be related to another user.

6. Outlook add-in or plugin.

The purpose of Outlook add-in or plugin is “to do something” with the mail items

that existed in the user mailbox. Most of the time, the Outlook add-in or plugin has

unlimited access to the mailbox content and some scenarios; the Outlook add-in or

plugin could “decide” to delete or remove a specific mail item.

7. Mail Migration and corrupted mail items.

In a scenario in which we migrate our mail infrastructure to Exchange Online, our

basic assumption is that all the mailbox content is migrated to the cloud.

This assumption could be wrong in a scenario in which the “original user mailbox”

includes a corrupt mail item. In this case, the corrupt mail items will not be

migrated to the Exchange Online mailbox.

In this type of scenario, the user assumes that the mail items are waiting for him in

the mailbox while, in reality, the E-mail was never reached to the Exchange Online

mailbox.

8. Exchange Online – Retention policy.

Some organization uses an Exchange retention policy and retention policy tag that

“move” mail item with a specific age to the archive mailbox or even deletes old mail

items.

In case that your organization uses retention policy, you will need to verify if the

mail item that was reported as “disappeared” was just moved to the archive

mailbox.

9. Local PST file.

In a scenario in which the user uses a local PST a passable option could be that the

mail item was manually or automatically was moved to the PST store.






introduction | 1#7


Or another option is that the mail is stored in PST file that is saved on the specific

user desktop and at the current time, the user uses a different desktop that doesn’t

include the PST file.

10. Problem with Exchange Online.

I have added this case as the “last case” because technically, this scenario could be

an option.

In order to be honest, my personal opinion is that this type of scenario, in which the

mail items were deleted by a problem in Exchange Online infrastructure can be

considered as a very rare event or, even non possible.

I mention this possible cause because theoretically we cannot fully rule out this

possibility.

Recover a deleted mail item versus a scenario of – recover

deleted Exchange Online mailbox






introduction | 1#7


One of the most popular confusion regarding the “deleted mail” scenario, is related

to the two different scenarios: deleted mail item versus deleted mailbox.

The reason for this confusion is the common denominator – the word “deleted”

and, in addition, both of the scenarios are related to the Exchange infrastructure.

Despite the alleged similarity, these two scenarios are totally different from each

other.

Note – In the current article series, we will relate only to the scenario of – deleted

mail items and not to the scenario of deleted mailbox.

The meaning of “mail item”

Along with this article series, we will mention many times the term – “deleted mail

item”. Most of the time, the association for the term – “Mail item” is an E-mail

message, that was stored in the user mailbox was deleted.

In Exchange and Exchange Online environment, the term “deleted mail item” can be

translated to different type of Exchange mailbox items such as:

Calendar item

Note item

Contact item

Mail item






introduction | 1#7


Each of this item considers as mail item.

Default Deleted mail policy in an Exchange Online environment

The meaning of the term – “Deleted Item retention policy” relate to our ability of

recovering mail items that were deleted for a specific period of time.

The default Exchange Online Deleted Item retention policy defines a “range” of 14

days in which we can recover mail items that was deleted.

We have the ability to “extend” this default range up to 30 days, but we will need to

use the PowerShell interface for implementing this “extension” and in addition; we

will need to run the PowerShell command for each new mailbox that will be

created.

The ability to extend the default 14-day limitation is available only to Office 365

customers who purchase E3 or Exchange Plan 2 license.

Note – you can read more information about this option in the section– Stretching

the Exchange Deleted item policy

Deleted mail item policy | Quotes from public resources

After an item has been removed from the Deleted Items folder, it’s kept in a

Recoverable Items folder for an additional 14 days before being permanently








introduction | 1#7


removed. Users can recover the item during this 14-day period by using the

Recover Deleted Items feature in the Outlook Web App or Outlook.

Using this feature eliminates the need for a mailbox restore. If a user manually

purged an item from the Recoverable Items folder, an administrator can recover

the item within the same 14-day window by using the Single Item Recovery feature

and remote Windows PowerShell.

The Single Item Recovery period is 14 days by default, but administrators can

increase this to a maximum of 30 days by using remote Windows PowerShell. To

preserve messages for longer than 30 days, organizations can implement long-term

email preservation or time-based In-Place Holds.

[Source of information: High Availability and Business Continuity]

“Override” the default Deleted Item retention policy

One of the most common questions that are raised by Office 365 customers is the

question about the possibility to save mail items for an unlimited time period.

In other words, “override” the default Deleted mail item policy

The good news is that Exchange Online offers this option by using one of the

following Exchange Online features:

Litigation Hold

In-Place Hold

The option of Exchange Online Litigation hold or Exchange Online, enables us to

“override” the default deleted mail items retention policy and enable a

configuration in which we can “hold” and recover (restore) mail items forever!

The important thing regarding Litigation Hold or In-Place Hold option, is that this

“feature” exists only when purchasing a specific Exchange Online license:

Exchange Online E3 license

Exchange Plan 2 license





http://technet.microsoft.com/en-us/library/exchange-online-high-availability-and-business-continuity.aspx


introduction | 1#7


In the current article, we will not go into a detailed description of this Exchange

Online option but instead, focus on the Deleted Item retention policy and the

Exchange Online architecture that is used for recovering mail items.

Mailbox and Backup solution in Office 365 and Exchange Online

environment

The common question among Exchange Online client is the question regarding the

possibility of implementing some kind of user mailbox solutions.

Most of the time, the idea behind the backup \ restore solution is the ability to

restore the user mailbox to a specific “point in time”. This option described

sometimes as a snapshot because the backup enabled us to capture a snapshot of

the user mailbox and view the mailbox content as at appear at a specific time

during the past.

At the current time, the Exchange Online infrastructure doesn’t provide this type of

service.

This type of “solutions” are provided by third party backup and restores products

that can provide this service in the Exchange Online base environment.

Exchange Online and Recoverable Items Folder






introduction | 1#7


As mentioned in the former section, in the current time Exchange Online doesn’t

include a backup solution that could be described as: “point on time” which will

enable us to restore user mailbox status to a specific point in time.

The Exchange Online “Backup solutions” are based upon the architecture or the

concept which described as single mail item recovery.

The single mail item recovery concept is implemented by using a “set of mailbox

hidden folder” that serves as a “container” for deleted mail items.

This technical name for the “set of folders” is: Recoverable Items folder. The name

that was chosen by Microsoft for this set of a system folder could mislead because

the name reference a “folder” (singular) instead of reference this folder as plural.

Note- the former term that was used in the past for describing this set of a folder is-

dumpster.

We use the term “hidden” because by default, the user cannot see this set of a

folder as part of his “standard folder hierarchy”.

We use the term “set of folders” because the deleted mail item is not saved in a

specific folder but instead in a set of folders. Each of the folders has a specific “rule”

and purpose.

The backup and restore capabilities of Exchange Online are based on accessing this

folder and “pull out” the mail items that are stored in this set of folders.

Exchange Online Litigation Hold and Exchange Online In-Place Hold

Exchange Online include two features or components that enable us to “extend”

the process or saving and recovering a specific mail item.

For example, the Exchange Online default Deleted Item retention policy will keep

deleted mail items in the Recoverable Items folder for 14 days.

When we use the feature of litigation Hold or In-Place Hold we can “extend” this

limitation to an unlimited number of days.

The litigation Hold or In-Place Hold components enable us to manage the required

policy that we want to set for specific mailbox or, on a set of mailboxes and when






introduction | 1#7


we need to recover data (deleted mail items), enable us to search and recover a

specific mail item.

[Source of information – Compare Exchange Online plans]

Additional reading

In Place Hold and Litigation Hold

Recover deleted mail items in the Exchange Online environment |

The article series

The current article series includes six articles.

The reason for writing a series of articles is because there are many aspects that

relate to this subject and many options and solutions that we can implement.





https://products.office.com/en-us/exchange/compare-microsoft-exchange-online-plans

http://community.office365.com/en-us/f/148/t/299399.aspx


introduction | 1#7


Q: Do I need to read all the article series?

A: No, it’s a Democracy; you don’t have to, but if you want to be entitled to the title –

recover mail items in Exchange Online MOD (Master Of Disaster) its recommend

reading each of the articles included in this article series.





recover deleted mail items in the exchange online environment | introduction | 1#7

Documents