Recover deleted mail items in the Exchange Online environment | Deleted mail flow | 3#7

In the current article, we will review the following subjects:

• The flow of a “deleted mail item” in an Exchange base environment for a standard mailbox and for Litigation Hold or In-Place Hold enabled mailbox.
• The subject of Deleted Item retention policy, the Exchange server policy that removes deleted mail items after a specific time period and the ability to extend the default value.
• The meaning of the terms Soft delete vs. Hard delete.

As Exchange Online administrator, we will need to understand the deleted mail flow for two primary reasons:

1. To be able to prepare in advance, for a business need in which we need to provide the ability for recovering mail items for a longer period than the “standard 14 days’ period”.
2. To be able to provide the right answer for our users, in a scenario in which our user asks us to recover for then deleted mail items.

For example, in case that the user reports that the mail item deleted two months ago and, we did not use the option of Litigation Hold or In-Place Hold, the answer is that the mail item cannot recover!

The Recoverable Items folder and deleted mail item life cycle

Before we start with the detailed description of the “deleted mail item life cycle” it’s important that we understand the logic of the Recoverable Items folder.

As mention, In Exchange Online environment mail items that were deleted from the Exchange inbox “Recycle bin” (the Deleted items folder) will be moved to the Recoverable Items folder or, if we want to be more specific, to the Deletion folder.

The main question is: for how long this “deleted mail items” will be kept in the Deletion folder?

The answer depends on the setting of the Exchange Online mailbox.

Case 1– in case that the mailbox considers as “standard mailbox” the deleted mail items will be considered as “recoverable” for 14 days.

Case 2– in case that the mailbox considers as Exchange Online mailbox with Litigation Hold or, In-Place Hold enabled, the deleted mail items considered as “recoverable” for a period that will be defined by the Litigation Hold or In-Place Hold policy (a specific period longer than 14 days or forever).

The Recoverable Items folder purpose and the relevance for the subject of deleted mail items.

The Exchange single item recovery architecture and the Recoverable Items folder can be considered as sophisticated architecture and an infrastructure that was created for providing many types of services.

In the current article series, we will relate only to the “part” that relate to the subject of storing and recovering deleted mail items via the Recoverable Items folder.

By default, the Recoverable Items folder can help us to deal with a scenario of Soft deleted and Hard delete for a period of 14 days. This “limitation” is dictated by the Deleted Item retention policy.

The Exchange architecture provides a tool that will enable us to “bypass” the limitation that is imposed by the Deleted Item retention policy for a specific user mailbox or for multiple mailboxes.

The name of the Exchange mechanism that enables us to “bypass” the limitation described as Litigation Hold or In-Place Hold.

Recoverable Items folder, Litigation Hold and, In-Place Hold

One of the most confusing and unclear subject in the Exchange server architecture is the subject of Litigation Hold and In-Place Hold.

In the current article, we will not “dive” into a detailed description of these components.

To simplify the concept of – Exchange Litigation Hold and In-Place Hold, we can relate to these components as a “tool” or mechanism that unable to use to override the values of the Exchange Deleted Item retention policy that is applied on the Exchange mailboxes.

For example –the default Exchange Online Deleted Item retention value is 14 days.

By using the option of Litigation Hold or In-Place Hold, we can set a different Deleted Item retention policy to specific Exchange users.

For example, when we apply Litigation Hold and In-Place Hold to a specific mailbox, we can decide what will be the value of the Deleted Item retention policy.

We can set the value of the Deleted Item retention policy to months, years or even forever.

Litigation Hold vs. In-Place Hold

The Litigation Hold mechanism is applied for all of the items in a specific mailbox such as – calendar items, contact items mail items, etc.

The option of In-Place Hold enables us to define more refined deleted mail item policy.
For example, we can decide to apply the -Place Hold only to calendar items from a specific date, etc.

In reality, the difference between Litigation Hold and In-Place Hold is much more comprehensive but for our purpose, we can be satisfied with this simple explanation.

Deleted mail item flow and “Life Cycle”

To be able to unveil the mystery of the Recoverable Items folder, let’s review the object of Deleted mail item flow and “Life Cycle”.

We can classify the different “deleted mail items scenarios” in Exchange environment to two major groups:

1. Standard mailbox – Exchange mailbox that is subject to the default Deleted Item retention policy.
2. Exchange mailbox with a Litigation Hold or In-Place Hold enabled – an Exchange mailbox that is not subject to the default Deleted Item retention policy. Instead, have a “special” or dedicated Deleted Item retention policy.

What is the Exchange Deleted Item retention policy?

The term – “Deleted Item retention policy” defines an Exchange process that can be described as garbage collection of non-relevant objects (mail items).

Technically speaking, when a user decides to delete a particular mail item, the meaning is that the mail item is not relevant or not needed for the user.

When a user deletes mail item, the mail item is not acutely deleted but instead, moved or relocated to a new folder – the Deleted items folder.

Technically speaking, the user doesn’t need to “empty or clean the Deleted items folder. In case that an Exchange user doesn’t bother to empty the Deleted items folder, the “deleted mail item” will stay in the Deleted items folder forever.
The only disadvantage for not emptying the Deleted items folder is that the deleted mail item considers as part of the user mailbox quota and over time, the deleted mail items will consume a significant part from the user mailbox quota.

So let’s assume that for this reason and for proper management of mailbox data, the user decides to empty the content of the Deleted items folder.

The questions now are:

Q1: What happened to the mail items that were deleted from Deleted items folder? Are they lost forever?

A1: When the user empties the Deleted items folder (delete mail items that were saved in the Deleted items folder) the mail items are not deleted but instead, moved or
“re located”, to an additional folder named: Deletion (one of the folders that are included in the Recoverable Items folder).

Q2: Can the user access the content of the Deletion folder?

A2: The answer is “yes”. For example, Outlook user, can choose the option- recover deleted items. This option will enable him to view the content of the Deletion folder. The user will see a list of the mail items, that was deleted from the Deleted items folder.

Q3: Is there any “time limitation” for the mail items that are saved to the Deletion folder?

A3: Yes, there is. The Exchange component that dictates for how long the mail items will be saved in the Deletion folder is the Deleted Item retention policy.

By default, the Deleted Item retention policy is configured so “keep” mail items in the Deletion folder for a period of 14 days.

In Exchange on-premises environment, the Exchange administrator can configure the default value of the Deleted Item retention policy to any desired period.

In Exchange Online environment, the default value of the Deleted Item retention can be extended over to a maximum period of 30 days.

The reason for this time limitation that is being enforced by the Deleted Item retention is the process that I described as “garbage collection”.

The Exchange server, need to manage the user mailbox data efficiently.
The meaning – verify that the user mailbox restricted to a predefined amount of storage and that this “storage” managed in an efficient manner. “new deleted email items” will be saved and “old deleted email items” will be removed (deleted).

Q: What is the Exchange Deleted Item retention policy?

A: The Deleted item policy is an Exchange server policy, which “attached” to the Recoverable Items Folder.

The purpose of the “Deleted item policy” is to optimize the management of the Recoverable Items folder partition.

By default, the Recoverable Items folder partition serves as temporary storage for deleted mail items.

The Recoverable Items folder storage, provide a “grace period”, in which users can “regret” and recover mail items although the mail was deleted from the inbox “Recycle bin” (the Deleted items folder).

The Exchange Deleted Item retention policy serves as a “gatekeeper” or as the “Exchange janitor”, that help the Exchange to manage his storage effectively by keeping the Recoverable Items folder neat and tidy.

Q1: Does Exchange Online graphic management interface includes an option for change the default value of the Deleted Item retention policy?

A1: No, the only way to extend the default value of the Deleted Item retention policy to a time period of 30 days, is by using a PowerShell command. The process of running the PowerShell command will be needed to be implemented for each new Exchange Online mailbox that will be created in the future.

In the following screenshot, we can see the interface that is available when using Exchange on-Premises 2010 version. The value of the Deleted Item retention is set by the database level under the section of – Keep deleted items for(Days):

Q2: What will happen to a deleted email item after 14 days?

A2: Exchange server will permanently delete all the mail items that save in the Deletion folder that their “age” is over 14 days.

Q3: Is there any way for recovering mail items that were deleted from the Deletion folder?

A3: No, there is no way!

Q4: Is there any way for “extending” the Deleted Item retention policy for a longer period of for unlimited time?

A4: Yes, Exchange Online and Exchange on-premises server (Exchange version 2013) support two types of “solutions” that enable us to “override” the limitation that is opposed by the
Deleted Item retention policy.

The available options are:

• Exchange litigation Hold
• In-Place Hold

When using one of this option, we are “removing” the time limitation that applied on the deleted mail items that stored in the Deletion folder and the Purges folder.

Soft delete vs. Hard delete

Before we continue, I would like to briefly review two terms related to the flow of the deleted mail item – Soft delete and Hard delete.

Soft Delete

When a user deletes a file and then, delete the file from the Deleted items folder, the operation considered as Soft Delete.

We use the term “Soft” because – although the mail items were deleted from the Deleted items folder, the file is not really deleted.

The user still of an option to recover the mail item by himself for 14 days.

The “operation” of Soft Delete can implement by using the keyboard key combination: SHIFT + DEL.
When select mail item and press on the combination keyboard key – SHIFT + DEL, the deletion “bypass” the step in which the mail item sent to the Deleted items folder and instead, the mail item sent directly to the Deletion folder.

Hard Delete

The term “Hard Delete” define a scenario in which the user access the content of the Deletion folder (the folder that store mail items that were deleted from the Deleted items folder) and, delete the mail item\s that store in this folder.

Theoretically, we can assume that is this scenario the mail item is “lost forever” but in reality, although the user deletes the mail item\s from the Deletion folder the mail item is not deleted but instead, relocated to the Purges folder.

We use the term “hard” because in this scenario, the user “lost” his ability to recover the mail item by himself.
Only the Exchange administrator has access to the Purges folder and, only the Exchange administrator can recover mail items that stored in this folder.

General thoughts about Soft delete and Hard delete.

User (mailbox owner) have the potential to implement an event of:

1. Standard mail item deletion
2. Soft delete
3. Hard delete

The Outlook\OWA mail client enables a user to recover mail items in a scenario of

1. Standard mail item deletion
2. Soft delete

The Outlook\OWA mail client doesn’t include an option that enables users to recover mail items in a scenario of Hard delete, in which the mail item was moved to the Purges folder (or to the DiscoveryHolds folder in case that we use the option of In-Place Hold).

Deleted mail item flow scenarios

To understand better the purpose and that way that Recoverable Items folder “work”, let’s review three scenarios of “deleted mail item flow” in an Exchange-based environment.

To demonstrate the “deleted mail item flow” we will review three different scenarios:

• Scenario 1: Standard Exchange mailbox
• Scenario 2: Exchange mailbox with Litigation Hold enabled
• Scenario 3: Exchange mailbox with In-Place Hold enabled

Scenario 1: standard user mailbox (no use of Litigation Hold or In-Place Hold)

Step 1 – the user decides to delete a specific mail item. The mail item is “moved” to the Deleted items folder.

Step 2 – the user decides to empty the Deleted items folder and delete all the mail items that existed.

The mail items are not deleted but instead – relocated to the Recoverable Items folder “partition”, to the Deletion folder.

The mail item will be kept in the Deletion folder for a period of 14 days. At the end of the period of 14 days, all the mail items that are “older” than 14 days will be permanently deleted.

Step 3 – as mention, each user has access to the content of the Deletion folder when using the option of – “recover deleted items”. In case the user decides to “empty” the content of the Deletion folder, the mail item is relocated and placed on the Purges folder.

The mail item will be kept in the Purges folder for a period of X days until the “age” of the mail items is more than 14 days.

At the end of the period of 14 days, all the mail items that are “older” than 14 days will be permanently deleted.

We use the term “X days” because we don’t know what was the age of the mail that is located in the Deletion folder.

For example – in a scenario in which the mail item age that is located in the
Deletion folder is four days when the user deletes the mail item, the mail item will be relocated and saved to the Purges folder for a period to 10 days.

The reason for the “10 days” period is that by default the Deleted Item retention define the range of “14 days” for the Deletion folder + the Purges folder”

Scenario 2: Exchange mailbox with Litigation Hold enabled

The option of Exchange Litigation Hold enables us to set a different value for the deleted mail items stored in the Recoverable Items folder that is different than the value of the Deleted Item retention policy.

When using the option if Litigation Hold, we are able to “block” the Deleted Item retention policy that is applied to the Purges folder.

As mention, by default mail items within the Purges folder will be saved up to a maximum period of 14 days.

When using the option of Litigation Hold, Exchange administrator can decide about the time period in which the deleted mail items will be saved to the Purges folder.

The “period” could be defined value for the number of days or set for an unlimited period (for forever).

The deleted email flow in a scenario of – “Exchange mailbox with Litigation Hold enabled” is almost identical to the previous scenario of standard mailbox.

The main difference is that now, the Exchange administrator can recover deleted mail items located in the Purges folder for the time period that was defined in the Litigation Hold policy.

For example – in case that the Litigation Hold policy for the mailbox defined with a value of 3,000 days. The Exchange administrator will have the ability to recover deleted email items that their “age” is up to 3,000 days.

Scenario 3: Exchange mailbox with In-Place Hold enabled

The option of – In-Place Hold, is similar to the Exchange Online option of – Litigation Hold.

We will not review in detail the differences between these two methods but instead, just mention that the Exchange method of In-Place Hold, consider as a more advanced mechanism, which has more options and capabilities vs. the Exchange Litigation Hold.

The main difference between a scenario in which In-Place Hold is enabled vs. Litigation Hold is that when we use the option of – In-Place Hold, a new folder named:
DiscoveryHolds folder is added to the hierarchy of the Recoverable Items folder.

When the Exchange Online mailbox configured as – In-Place Hold is enabled, the logic of the deleted mail items flow is implemented as follows:

Step 1 – the user decides to delete a specific mail item. The mail item is “moved” to the Deleted items folder.

Step 2 – the user decides to empty the Deleted items folder and delete all the mail items that exist in this folder.

The mail items are not deleted but instead – relocated to the Recoverable Items folder “partition”, to the Deletion folder.

The mail item will be kept in the Deletion folder for a period of 14 days. At the end of the period of 14 days, all the mail item that is “older” than 14 days will be moved to the DiscoveryHolds folder.

Step 3 – In case that the user “empty” the content of the Deletion folder, the mail is relocated and placed “Immediately” in the DiscoveryHolds folder.

The Exchange administrator will have the ability to access the content of the DiscoveryHolds folder, and recover\restore mail items, based upon the time period value that was set by the – In-Place Hold and based on the In-Place Hold “terms” that was defined.

For example – in case that the In-Place Hold policy that was applied to the user mailbox define to “hold” only calendar mail items for unlimited time period, the Exchange administrator will have the ability to recover deleted email item that consider as “calendar mail items” for unlimited time period but this “ability”, could not be implemented for another type of email items such as contact email item, note mail items and so on.

Recoverable Items Folder and Mailbox Quota

Each time when a new Exchange mailbox is created, Exchange allocates a dedicated storage quota for the Recoverable Items folder.

The quota that is allocated to the user mailbox is not affected in any way by the quota that allocated to the Recoverable Items folder.

In the Exchange Online environment, each mailbox has a storage limit of 50 GB and additional
30 GB storage allocated for the Recoverable Items folder.

When we apply Litigation Hold or In-Place Hold for an Exchange Online mailbox, Exchange Online, automatically extend the Recoverable Items folder quota size to 100 GB.

To demonstrate the subject of – Recoverable Items folder and mailbox quota, let’s use the following example.

John is an Exchange Online user who has a “standard mailbox”.

To be able to see the default size of the Recoverable Items folder partition, we will use the following PowerShell command:

Get-Mailbox John | fl Recoverable*

In the following screenshot, we can see that Exchange Online allocate a “dedicated” quota for the Recoverable Items folder that described as RecoverableItemsquota

We can see that the default Recoverable Items folder quota is 30 GB

After we have assigned the option of Litigation Hold to John mailbox and, run again the same PowerShell command, we can see that the Recoverable Items folder quota is 100 GB

Stretching the Exchange Deleted item policy

In the Exchange on-premises environment, Exchange administrator can decide how to set the default value of the Deleted Item Retention.

In the Exchange Online environment, the default value of the Deleted item policy is set to 14 days.

For Office 365 customers who have purchased Office 365 business license, this value cannot be updated into “higher” value.

For Office 365 customers who have purchased Office 365 Enterprise E1, E3, E4 licenses or Exchange Plan 2 license, Exchange Online administrator have the privilege to extend the default value up to 30 days.

The ability to “starch” the value of the Deleted Item retention policy is implemented by using PowerShell command.

The property that represents the value of the Deleted Item retention policy is – RetainDeletedItemsFor

In the following screenshot, we can see an example of the default value of the Deleted item policy.

The value of the property RetainDeletedItemsFor is 14 days.

To change this value of the Deleted Item retention policy, we can use a PowerShell command.

For example, to “extend” the Deleted Item retention policy of John mailbox up to 30 days, we can use the following PowerShell command:

Get-Mailbox John| Set-Mailbox -SingleItemRecoveryEnabled $True -RetainDeletedItemsFor 30

In the following screenshot, we can see that the value of the RetainDeletedItemsFor, was updated in now the value is – 30 days.

In case we want to test this “Hard limit”, let’s use the PowerShell with a value greater than 30 days.

In the following example, we try to use the PowerShell command with a value of 31 days.
The result is the following error:

The operation on the mailbox “John” failed because it’s out of the current user’s write scope. The value of properties ‘RetainDeletedItemsFor’ exceeds the maximum allowed for user ‘John’ with license ‘BPOS_S_Enterprise.’

In case we want to extend the value of the Deleted Item retention policy for all of the Exchange Online users, we can use the following PowerShell command:

Get-Mailbox | Set-Mailbox -SingleItemRecoveryEnabled $True -RetainDeletedItemsFor 30

PowerShell script, that will help you to perform an administrative task that’s related to the subject of – extending existing “Single mail item recovery” for – a single Exchange Online mailbox or for multiple Exchange Online mailboxes (Bulk mode).

Download Extend-Single-Mail-Item-Recovery.ps1 PowerShell script.