Recover deleted mail items – Office 365

Recover-deleted-mail-items-in-the-Exchange-Online-environment-Methods-and-options-part-4-of-7.jpg

In the current article, we will review the four options that we can use for recovering mail items in the Exchange Online environment.

The available tools for recovering mail items are:

  1. Recovering deleted mail items by using Outlook and OWA mail clients.
  2. Recovering deleted mail items by using MFCMAPI utility.
  3. Recovering deleted mail items by using Exchange In-Place eDiscovery and Hold.
  4. Recovering deleted mail items by using the PowerShell cmdlets Search-Mailbox and New-MailboxSearch.

The characters of our scenario are as follows:

An organization user calls us and complain that some of his mail disappeared. We have implemented our due diligence and perform a mailbox search to verify if the mail its still exists in the user mailbox.

In the current time, we are entering into the phase in which we assume that the mail item was deleted and we want to check if we the specific mail items are still “recoverable”.

The two main questions that relate to this scenario are:

Q1: What are the recovery mail methods that are available for us in the Office 365 and Exchange Online environment?

Q2: Does the mail item is still “recoverable” meaning, can we still “save” the deleted mail item?

The available mail recovery method in Office 365 and Exchange Online environment

Before we start to dive into the specific details of the recovery mail methods that we can use it’s important to define a general classification of the mail recovery methods:

  1. Recovery mail method that can be implemented by the user himself (the mailbox owner)
  2. Recovery mail methods that can be implemented only by the Exchange Online administrator.

For example – every user (mailbox owner) has the ability to recover mail items that were deleted form to Exchange inbox “Recycle bin” (the Deleted items folder) by using the OWA or the Outlook option of – Recover Deleted Items.

As mention, the user will have a “grace period” of 14 days in which he can “regret” and restore mail items that were deleted from the Exchange inbox “Recycle bin” (the Deleted items folder). In other words – recover from a scenario of Hard delete.

Note – you can read more information about the term Hard Delete in the section – Soft delete versus Hard delete

The scenario in which only the Exchange Administrator can recover mail items are:

  1. Hard delete
    A scenario in which the user deletes also the mail item that was stored in the Deletion folder (hard delete). In this case, the mail will be placed in the Purges folder.
    The user doesn’t have access permission to the Purges folder (only the Exchange Online Administrator can view the content of this folder).
  2. Mailbox with Litigation Hold or In-Place Hold
    In case that the mailbox was configured with Litigation Hold or In-Place Hold, the ability to recover deleted mail items older than 14 days (the default Deleted Item retention policy in Exchange Online is 14 days), only the Exchange Online administrator has the ability to recover this mail items.

Recovering mail items in Exchange Online  environment.jpg

The available tools for recovering mail items

The available tools that we can use for recovering mail items are:

1. In-place eDiscovery

An Exchange 2013 web-based interface, which enables us to create a query and search for mail items in a specific mailbox or an array of mailboxes.
(Exchange Online is based on Exchange 2013 architecture).

The in-place eDiscovery Exchange infrastructure is a very powerful tool, that consisting of different components and, can use for searching and recovering data from Exchange Online infrastructure and also from other infrastructures such as SharePoint Online.

2. PowerShell cmdlets

Exchange includes two sets of PowerShell cmdlets that was created for searching + recovering mail items from a user mailbox:

  • Search-Mailbox
  • New-MailboxSearch

Booth of the PowerShell cmdlets: Search-Mailbox and New-MailboxSearch serve for searching for data (mail items) in Exchange mailbox.

The graphic interface of the Exchange Online eDiscovery that is used for searching + recovering mail items from user mailboxes is based on the PowerShell cmdlets –
New-MailboxSearch

In addition, Exchange includes support in “older” PowerShell cmdlets named –
Search-Mailbox.

To oblivious question that could appear is: why do we need two PowerShell cmdlets that do the same thing?

The answer is that despite the common between this two PowerShell cmdlets, each PowerShell has different capabilities that the “other” PowerShell cmdlets don’t have.

Theoretically, the “newer” PowerShell cmdlets – New-MailboxSearch was supposed to replace or Inherit the former PowerShell cmdlets (the Search-Mailbox) but, the interesting news is that the PowerShell cmdlets – Search-Mailbox  still have capabilities that are not provided by the newer New-MailboxSearch PowerShell cmdlets.

For example, the PowerShell cmdlets Search-Mailbox considers is “older” than the “new” PowerShell cmdlets: New-MailboxSearch but, the PowerShell cmdlets
Search-Mailbox includes capabilities that the “newer” PowerShell cmdlets don’t have such as the ability to search and recover mail items only from the Recoverable Items folder.

If you want to get a detailed review of how to use these PowerShell cmdlets, you can read the article –Recovering deleted mail items using PowerShell cmdlets Search-Mailbox | 7#7

3. Mail client (Outlook\OWA)

The mail clients Outlook and OWA, include a built-in option that enables users to recover mail items. The Outlook\OWA recovery mail items interface enables the user (the mailbox owner) to view the content of the Deletion folder + recover mail items. In other words, enable the user to recover mail items from a Soft delete event.

4. MFCMAPI

The MFCMAPI is a very powerful GUI tool, that enables users (the mailbox owner or another user that have Full access permission to the mailbox) to have access to the “behind the scenes” of the mailbox content.

The MFCMAPI tools can provide many capabilities for a variety of troubleshooting scenarios but in this article, we will review only a very specific capability of the MFCMAPI -the capability of enabling users to access the “hiding partition” – Recoverable Items folder.

In the current article, we will review the following methods for recovering mail items in Exchange Online environment:

  • Recovery using Outlook and OWA mail client
  • MFCMAPI

The available options for recovering mail items in Exchange Online based environment .jpg

Best practices and guideline for recovering deleted mail items

When a user reports that his E-mail “disappeared” the recommended troubleshooting flow is:

  1. Verify if the mail items still exist in the user mailbox – in case that you cannot find the mail item in the user mailbox, move to the next step.
  2. Instruct the user to use the OWA\Outlook built-in option of recovering deleted items. The ability of the user to recover mail items by themselves, can save precious time and prevent unnecessary resource allocation for implementing an “administrative recovery process”.
    In simple words – simple is better. If the user manage to recover the mail item by himself, this is a win-win scenario.
  3. Use the “administrative” mail recovery options that exists in an Exchange Online environment, only when the user doesn’t mange to recover mail by himself.

Best practices and guideline for recovering deleted mail items.jpg

1. Recovering deleted mail items by using Outlook and OWA mail clients.

As mentioned, Outlook and OWA mail clients include a built-in interface that enables a user to recover mail items.

The Outlook and OWA recovery mail option enable the user to get access to the hidden subfolder the – Deletion folder.

When we mention the term – “recover mail items by using Outlook\OWA”, the meaning is the ability to recover Soft deleted mail items.

Note – you can read more information about the subject of Soft deleted in the section –Soft delete versus Hard delete

1.1 Recovering deleted mail items by using Outlook mail client.

To be able to recover mail items using Outlook, implement the following steps:

  • Choose the Folder menu
  • Choose the “Recover deleted items” icon.
    In the window that appears, we can see a list of all the deleted items (the mail items that stored in the Deletion folder).
  • When choosing the option of “Restore selected items”, the mail item will be restored back to the Deleted items folder.
  • When choosing the option of “Purge selected items”, the mail item will be sent to the Purges folder (Hard delete).
    Recover mail item using Outlook mail client -01.jpg

One important concept that I would like to emphasize is that, the process of recovering deleted mail items doesn’t restore the mail item to the “original folder” in which the mail item was originally created but instead, to the folder that “host” the mail item before he was deleted meaning – the Deleted items folder.

For example – a scenario in which user delete a mail item that is stored within a mailbox folder named: Customers.

When the user deleted the mail, the mail is “moved” to the Deleted items folder. In case that the mail item was removed (deleted) also from the Deleted items folder and, the user decides that he wants to recover the mail item, the recovered mail items will be restored back to the Deleted items folder and not to the “original folder” (Customer folder in our scenario).

Restoring mail item using the Outlook option - Recover Deleted items.jpg

In the following screenshot, we can see we can see an example in which we recover a specific mail item.

Recover mail item using Outlook mail client -02.jpg

After the mail item is successfully restored, we can see that the “new location” of the mail item is the Deleted items folder.

Recover mail item using Outlook mail client -03.jpg

1.2 Recovering deleted mail items by using OWA mail client.

The ability to recover a mail item can be implemented also by using the OWA mail client.

  • To be able to display the Deleted items folder, choose the More option.
    (The OWA default view in an Exchange Online environment is a minimized view that doesn’t display the Deleted items folder).

Recover mail item using OWA mail client -01.jpg

  • Right click on the Deleted items folder
  • Choose the menu – Recover deleted items …
    Recover mail item using OWA mail client -02.jpg

In the new window that appears, you will be able to see a list of mail items that can be recovered.

On the right bottom of the screen, you can see the option of: Recover or Purge

Recover mail item using OWA mail client -03.jpg

2. Recovering deleted mail items by using MFCMAPI utility.

The MFCMAPI is a very powerful tool that each Exchange administrator should know.
By using the MFCMAPI tool, we can accomplish tasks and operations, which are not available through the standard Outlook interface.

The MFCMAPI tool can “do” many things but, in this article, I would like to focus only on the subject of recovering a mail item by using the MFCMAPI tool.

One of the most relevant examples for the need to use the MFCMAPI tool is a scenario of Hard Delete.

Just a quick reminder – the term  “Hard Delete”, define a scenario in which the user (or other element) deletes the mail item from the Deleted items folder + also purges the mail item from the recovery folder (the Deletion folder).

In this scenario, the mail is relocated or moved to the Purges folder and the standard Outlook or the OWA mail client interface, doesn’t enable users to get access to the Purges folder.

In this case, we have a couple of options -the Exchange Administrator can use the Exchange Online in-place eDiscovery option (a tool that is available via the Exchange Online web management interface) for searching and recovering the mail item.

But in a scenario in which we are not able to access the Exchange Online admin interface or, in a scenario in which a “standard user” doesn’t have the required administrative right for accessing the Exchange Online in-place eDiscovery, we can use the powerful ability of the MFCMAPI tool for trying to recover mail items from a “Hard delete” scenarios.

How to recover mail item using the MFCMAPI tool

In the following section, we will demonstrate the use of the MFCMAPI tool for recovering mail items of a user named: John.

Our demonstration will include to options that the MFCMAPI tool include for recovering mail items:

  • Export the deleted mail items into a mail message format (msg file).
  • Copy deleted mail items into inbox folder.

The characters of the scenario are as follows:

Our user John, empty his deleted item folder and then, empty also the recovery mail item folder (Hard Delete).
In this scenario, the deleted mail items are located in the Purges folder and as we know, the content of this directory is not available in the Outlook view.

To be able to recover the deleted mail items that is stored in the Purges folder we will use the MFCMAPI tool. We will use the MFCMAPI tool for “login” to the John mailbox and then, recover a specific mail item using the Export option and using the Copy option.

  • Download and extract the MFCMAPI
  • Double click MFCMAPI excitable file.
  • In the welcome screen click OK
    Recover mail item using MFCMAPI -01.jpg
  • Click on the Tools menu and choose Options…
    Recover mail item using MFCMAPI -02.jpg
  • In the windows that appear, choose the following options
    • Use the MDB_ONLINE flag when calling OpenMsgStore
    • Use the MAPI_NO_CACHE flag when calling OpenEntry

Recover mail item using MFCMAPI -03.jpg

To be able to view the content of the user mailbox we need to login, to John’s mailbox (the MFCMAPI tool “mimics” Outlook client behavior).

  • Choose the Session menu and the Logon… menu
    Recover mail item using MFCMAPI -04.jpg
  • In our scenario, we will choose the “John mail profile
    Recover mail item using MFCMAPI -05.jpg
  • Double-click on the icon that represents John’s mailbox.
    Recover mail item using MFCMAPI -06.jpg

Using the MFCMAPI tool, enable us to get a clear view of the physical mailbox structure.

The most top container is the Root container that includes sub partitions such as:

  • Recoverable items – this is the Recoverable Items folder.
  • Top of Information store – this is the “mailbox partition” that contains the standard mailbox folder that we know such as: inbox, sent items, etc.Recover mail item using MFCMAPI -06.jpg

To be able to recover the deleted mail items we will click on the Recoverable items folder.

Recover mail item using MFCMAPI -07.jpg

In the Recoverable items folder, click on the Purges folder.
The MFCMAPI interface is a bit confusing because at first glance, it looks like the MFCMAPI view of the Purges folder include only binary code.

To be able to view the mail items stored in the Purges folder, we need to double-click on the Purges folder.

Recover mail item using MFCMAPI -08.jpg

Scenario 1: Export a copy of a deleted mail item

In the first example, we will save a copy of the deleted mail item and save it as a message file format (msg file).

  • Choose a specific mail item
  • Use the right click mouse option and in the menu that appears, choose the Export message… menu
    Recover mail item using MFCMAPI -09.jpg
  • In the option box: Format to save message, choose the suitable format for your needs. In our example, we will choose MSG File (UNICODE)
    Recover mail item using MFCMAPI -10.jpg
  • In our example, we will save a copy of the deleted mail item in a folder named: Recover Mail.
    Recover mail item using MFCMAPI -11.jpg
  • In the windows that appear, click OKRecover mail item using MFCMAPI -12.jpg
  • In the windows that appear, click OK
    Recover mail item using MFCMAPI -13.jpg
  • In the following screenshot, we can see the mail item that was saved in the folder.
    Recover mail item using MFCMAPI -14.jpg

Scenario 2: copy the deleted mail item\s to another mailbox folder.

In the following example, we want to use a different option for recovering mail items.
In this example, we want to restore the mail item to a “dedicated folder” that will be created and serve for storing the recovered mail item\s.

In our example, before we start that recovery process, we will create a folder named:
John recover Mail items

Later on, we will copy all the recovered mail items that are stored in the Purges folder to this folder.

To simplify the instructions, you can follow the steps that were listed in the former scenario.

When we see the content of the Purges folder, we can choose a specific mail or all the mail items (CTRL +A) and use the right mouse click.

In this scenario, we will choose the option of: Copy Messages…

Recover mail item using MFCMAPI -Copy mail item-01.jpg

  • Choose the inbox folder and under the inbox folder choose the specific folder that will be used for saving the copy of the recovered mail items. In our scenario, we choose the folder named: John recover Mail items
  • Right click on the folder and choose the menu – Paste…
    Recover mail item using MFCMAPI -Copy mail item-02.jpg

In our scenario we want to copy the recovered mail items and not move the recovered mail items. We will not check the option box – Move message instead of copy

Recover mail item using MFCMAPI -Copy mail item-03.jpg

In the following screenshot, we can see the mail item that was recovered.

Recover mail item using MFCMAPI -Copy mail item-04.jpg

Recover deleted mail – Exchange Online | Article series index

Now it’s Your Turn!
We really want to know what you think about the article

7 Responses to “Recover deleted mail items – Office 365”

  1. Thanks for informative post, it is possible to recover your deleted email from exchange server request by your administrator, Because Exchange admin has authority to set the time backup of deleted email. If your emails are saved as backup then it is possible you get back your deleted email. But if time limit exceed than admin has not any option except using third party software. Stellar Phoenix introduced an efficient exchange recovery software which can help to recover accidentally deleted mailbox from exchange database.

  2. Anonymous Reply

    can I open purges folder for a user for which I have full owner access rights but do not have password using MFCMAPI.
    In OWA I can open using open other mailbox to view activity. I am the global administrator of office 365. Also is the standard user delete messages from purges folder by using MFCMAPI
    When I run the discovery I do not see some of the messages that were previously present in Recover folder but seems to have been hard deleted.

    • Anonymous Reply

      Yes – you will need to add the mailbox to your Outlook profile. When you ‘logon’ you select your on Outlook profile and it will show the mailboxes your have set up in your Outlook profile.

  3. RZK.jr Reply

    What if we create a new mail profile on a different PC (coz the emails were deleted from MAC outlook 2011) for MFCMAPI to be used in order to get the missing emails.

    Will this work??

  4. Rally Reply

    Is it possible to recover Tasks or Notes items?

    I don’t seem to be able to see those in the MFCMAPI tool.

  5. Simon Reply

    Thanks for this great write up! We have clients that want to move to O365 but a big question that usually came up is how will items be recovered both in Sharepoint and Exchange Online? This blog post answered the second item very clearly!

  6. Michael McNally Reply

    “In the next section we review the “How to” part that relate to Recovering deleted mail item. The operation of “Recovering deleted mail item” could be implemented by the outlook user, and by the Exchange Online administrator.”

    Why does the guide then only cover this from client side? There is no “How to” for the server side operation.

Leave a Reply

Your email address will not be published. Required fields are marked *