Recover deleted mail items in the Exchange Online environment | introduction | 1#7

The current article is a basic introduction to the subject of – recovering mail items in the Exchange Online based environment.

• We will review a couple of common misconceptions that relate to the scenario in which users report that his E-mail deleted.
• The need to verify if the scenario is indeed a case of “deleted mail items.”
• What are the main causes which could lead to a scenario of mail deletion.

Introduction recover mail items

Many Office 365 customers are not aware of the options that are available for them in a scenario in which they need to recover mail items and what are the built-in limitation of the Exchange Online that realities to the operation of recover deleted mail items.

The primary purpose of this article and the rest of the article series is to help you to get familiar with the options that are available for you for recovering mail items in the Exchange Online environment.

Recover deleted mail items FAQs

To be able to get a full thorough understanding of this subject, we will need to be able to answer a couple of major questions:

Q1: How to relate to an event in which users report that the data is “missing” from their mailbox or the need to recover data that deleted in the past?

Q2: What is the built-in mechanism that Exchange server architecture provides for dealing with such scenarios?

Q3: What are the available options when we host our mail infrastructure on Exchange Online based infrastructure (Office 365)?

The answers to this question spread over a series of six articles.

In other words: if you are looking for a solution in which, you will pick up a phone to the Exchange Online support team, instruct them to solve the problem by doing “some magic”, and inform the user that “everything is OK,” you did not come to the right place!

Q1: So what are you telling me? Do you claim that it’s not possible to deal with a scenario in which we need to recover or restore mail for our Exchange Online users?

A1: My “claim” is that in Exchange and Exchange Online environment, we can use the built-in capabilities the Exchange architecture offer for – dealing with such scenarios (recover mail items). The available built-in Exchange option is – single item recovery or, other Exchange Online services such as Litigation Hold or In-Place Hold.

To be able to provide good answers and good services for our customers, we will need to know about the available options, the limitations, and the best practices for dealing with a scenario of missing mail and so on.

The current article

The purposes of the current article are:

• Remove the ambiguity of the subject or recovering mail items in Office 365 (Exchange Online) environment.
• Review common misconceptions.
• Define the terms: “My mail disappeared!” and “Deleted Item retention default policy”.
• Review the 11 major causes for “deleted mail item” scenario.

Exchange Online and “common misconceptions” regarding data recovery and backup

1. The “cloud” backup my mail forever!

The source for this misconception is – when we read about the “high availability of cloud services” (such as Exchange Online) and the “insurance” that we have regarded scenarios of DRP (disaster and recovery plan), we automatically “translate” this information under the assumption that – in a cloud environment, deleted mail items will always be available for us.

It’s a truth that Microsoft has an infrastructure for backing up all the “customer information”. These “backups”, could serve for restoring data in case of “disaster” such as storage corruption, server hardware failure or even a catastrophic event of “complete Data center failure”. The important thing that we should understand is that this ability can be used only for scenarios of “disaster”, and not for a situation of recovering a particular deleted mail item.

2. When using the Exchange Online archive, my mail is backed up!

The source for this misconception is – we are used to associating to term “archive” with another term such as “backup”.

In the Exchange Online environment, the primary purpose of the Exchange Online archive is not to back up the user mail items, but instead, improve the Outlook mail client performance. Mail items that are sent or saved in the Online Archive not saved to the local OST file (cache mode).

In case that a user deletes mail from the online archive, the mail item will be deleted like any “standard” mail item.

3. In a scenario that a user wants to recover mail that deleted a long time ago, I could call Microsoft support, and they will recover for me the required information!

Let’s make it simple – the default Exchange Online deleted mail policy value is – 14 days.

In case that a user implemented “Hard delete” (you can read more information about Hard delete in the article – Recover deleted mail items in the Exchange Online environment | Deleted mail flow | 3#7) the mail item considers as “recoverable” for a period of 14 days.
After this period, the mail item will be lost forever! There is no option for recovering such as a mail item in the Exchange Online environment.

Office 365 customers who use Exchange Plan 2 license or E3 license can extend the default deleted mail item policy for 30 days + use the option of Litigation Hold or In-Place Hold that enables to keep mail items for a longer period or forever, but this option cannot implement in retrospect.

In other words – if the Exchange Online administrator didn’t “activate” the described options in advance, we are still subject to the “14 days rule”.

• You can read more information about extending the default Deleted Item retention policy in an Exchange Online environment in the article – Recover deleted mail items in the Exchange Online environment | Deleted mail flow | 3#7
• You can read more information about Litigation Hold or In-Place Hold in Exchange Online environment in the article – Exchange In-Place eDiscovery & Hold | Introduction | 5#7

4. In the Exchange Online environment, I can recover the user mailbox to his “original state”

False assumption 1 – restore the user mailbox snapshot.

Usually, when Exchange Online administrator says that sentence their meaning is translated to the option of restoring a snapshot of the user mailbox sometimes refers as “point in time” in which the user mailbox will behave all the mail items and the folder structure that the user had at a particular point in time.

The Exchange Online infrastructure doesn’t include this option. There is no way to restore the user mailbox to a particular point in time.

False assumption 2 – restore mail items to the original location.

For example, in case that the deleted mail item located in the inbox folder, when I use the available option for recovering the specific mail items, it will be restored to “his original folder” meaning – the inbox folder.

In a recovery scenario in which we use Outlook or OWA mail client for recovering a mail item, the mail item will be restored to “his original folder” but not to the folder that we consider as “original.”

When we delete a mail item, “his original folder” become the Deleted items folder

When we restore the mail items from the Recoverable Items folder, the mail item will be restored to the Deleted items folder and not to the inbox folder

Exchange Online vs. Exchange on-Premises

The formal definition of this current article series is reviewing the subject of recovering mail items in Office 365 based environment meaning – Exchange Online environment.

Despite that, most of the information on the architecture, the logic, and the available tools are almost identical to the Exchange on-Premises infrastructure.

In the current time, the Exchange Online architecture is based on the Exchange 2013 server version.

So, in a scenario that you have Exchange 2013 on-Premises, you will find that most of the infrastructure, the screenshot, and the interfaces are relevant also for the “on-Premises environment.”

The “cloud” deleted my mail

In many of the “deleted mail item” scenario or in the “My mail disappeared!!”
There is a common conspiracy theory described as – “The “cloud” deleted my mail.”

The truth is that there is some logic behind this hypothesis because we all know that at night, the Tooth Fairy, comes to giving gifts to children have fallen tooth, and the Office 365 deleted mail demon come and delete our Poor user’s E-mails ruthlessly!!!

If you think that I’m a little cynical, wait until you hear the complaints I hear from clients.

The point – there is no Tooth Fairy and, no Office 365 deleted mail daemon.

Theoretically, there is a possibility that the causes for the deleted mail item relate in some way to the Exchange Online infrastructure but, my opinion is that chance for this scenario is identical to the chance in which you win the grand prize lottery three weeks in a row.

My mail was disappeared!!

A user calls the help desk support and reports that his mail disappeared!!!

In case that the user is a VIP, or the user makes a lot of noise, we are entering into a panic mode and want to be able to find the “magic formula” that everything returns to the previous state!

Before we get into the panic state, I would like to present two important questions

1. What is the meaning of “my mail”?

• Does the user relate to a single mail item, a couple of mail items or dozens of mail items?
• When the user says – “mail items” did he means an E-mail message? Calendar meeting? Contact?
• Are there any specific characters in the mail that were disappearing? For example – mail from a specific date range? Mail with a specific subject? Mail from a specific recipient?

2. What is the meaning of “disappeared”?

When does the user say that his mail “disappeared” does it mean that the mail deleted? Does it mean that the mail exists, but for some reason, he cannot see or find the particular mail item?

You don’t have to act like Sherlock Holmes each time a user reports that his mail was disappearing, but it’s crucial that we will have a clear understanding of the event characters.

Before we start to fire in all directions, we need to verify if this is a simple scenario in which the mail exists, but the user cannot find it or, a scenario in which we cannot locate the specific mail items, and we can assume that the E-mail can consider as “deleted.”

Mail is hidden from the user.

We a user reports that he cannot find his E-mail, many times the meaning is that the mail exists, but not where the user expects to find in his mail.

For example

1. Drag and drop scenario – a scenario in which the user was a drag and drop mail item\s from their original mail folder to other mail folders without noticing.
   Another variation of this scenario could be a user; that consciously moves mail items from their original folder to another folder and over time, he forgot that he changed the original location of the mail item.
2. Outlook and OWA view – Outlook and OWA mail client, enable the user to define a view that serves as a “filter” that hides a specific mail item.
   Many times, when a user reports that he cannot find a specific mail item, the “problem” is the particular view that hides the mail item.
3. Synchronization problem – for example, a scenario in which users who use Outlook discovers that he cannot find a particular mail item. The mail item exists in the Exchange Online mailbox, but for some reason, was not synchronized to the specific user desktop.

The solution

In a scenario in which users report that his mail was disappeared\deleted\evaporated or any other term before we start to think about the worst-case scenario, let’s start with a simple “search operation.”

The best practice is to search for the “missing in action” mail items by using the OWA mail client because, when we use the OWA mail client, we eliminate a scenario in which the problem related to a synchronization problem.

The 10 major causes for “deleted mail item” scenario

Let’s assume that we have implemented a thorough search in the user mailbox and, we could not find the mail items that were reported as “missing”.

In this stage, we have a reasonable basis to believe that the mail deleted.

In this scenario, a common psychological phenomenon is to “find the element that is responsible for the mail deletion and only after that, start to see are the recoverable options available to us.

I will not be able to help you to find the “person” or the “element” that deletes the mail items, but, I can introduce to you some of the “common causes” for mail deletion scenario.

1. Mail item that was deleted by the user himself.

Despite that, we are not willing to consider this scenario, in real life, the reason for the deleted mail item could be the user himself.
It doesn’t matter if the user deleted the mail in the past and, forgot that he deleted the mail or the mail accidentally deleted.
What is important is that we should consider this option before we start to fire in all directions to seek to blame the environment.

2. Antivirus

Most of the time we relate to Antivirus as an element that created for protecting the mailbox data, but in some scenarios, the Antivirus application could recognize a mail as a “problematic” and decide to delete the mail items or remove some parts of the mail item such as attachment, etc.

3. Virus or malware

Any hostile code that exists on the user desktop or device and manages to delete mail items.

4. Variety of mail client and mail protocols.

In a modern environment, users access their mailbox from many different devices, an application using a variety of mail protocols and so on.
In this “complex environment”, it’s reasonable to assume that the scenario of deleted mail can cause a problem with a particular mail client, specific mail protocol-specific device, etc.

5. Other users who have access to the specific user mailbox.

One of the notable characteristics of the Exchange Online environment is the ability of “sharing resources such as mailbox or calendar.
The scenario in which mail items deleted can cause by users who have access (permission) to the user mailbox.
The “deletion” could consider as deliberate action or mistake, but the important issue is that in case those other users have access to the user mailbox; the deletion could be related to another user.

6. Outlook add-in or plugin.

The purpose of Outlook add-on or plugin is “to do something” with the mail items that existed in the user mailbox. Most of the time, the Outlook add-in or plug-in has unlimited access to the mailbox content and some scenarios; the Outlook add-in or plugin could “decide” to delete or remove a particular mail item.

7. Mail Migration and corrupted mail items.

In the case in which we migrate our mail infrastructure to Exchange Online, our underlying assumption is that all the mailbox content migrated to the cloud.

This assumption could be wrong in a scenario in which the “original user mailbox” includes a corrupt mail item. In this case, the corrupt
E-mail items will not be migrated to the Exchange Online mailbox.

In this type of scenario, the user assumes that the mail items are waiting for him in the mailbox while, in reality, the E-mail never reached to the Exchange Online mailbox.

8. Exchange Online – Retention policy.

Some organization uses an Exchange retention policy and retention policy tag that “move” mail item with a particular age to the archive mailbox or even deletes old mail items.

In case that your organization uses retention policy, you will need to verify if the mail item that reported as “disappeared” was just moved to the archive mailbox.

9. Local PST file.

In a scenario in which the user uses a local PST, an available option could be that the mail item was manually or automatically was moved to the PST store.

Or another option is that the mail stored in PST file that is saved on the user desktop and at the current time, the user uses a different desktop that doesn’t include the PST file.

10. Problem with Exchange Online.

I have added this case as the “last case” because technically, this scenario could be an option.

To be honest, my opinion is that this type of scenario, in which the mail items were deleted by a “problem” in Exchange Online infrastructure considered as a very rare event or, even non-possible.

I mention this possible cause because theoretically, we cannot fully rule out this possibility.

Recover a deleted mail item vs. a scenario of – recover deleted Exchange Online mailbox

One of the most popular confusion regarding the “deleted mail” scenario, is related to the two different scenarios: deleted mail item vs. deleted mailbox.

The reason for this confusion is the common denominator – the word “deleted” and, also, both of the scenarios are related to the Exchange infrastructure.

Despite the alleged similarity, these two situations are entirely different from each other.

Note – In the current article series, we will relate only to the scenario of – deleted mail items and not to the scenario of a deleted mailbox.

The meaning of “mail item”

Along with this article series, we will mention many times the term – “deleted mail item.” Most of the time, the association for the term – “Mail item” is an E-mail message, that stored in the user mailbox deleted.

In the Exchange and Exchange Online environment, the term “deleted mail item” can be translated to a different type of Exchange mailbox items such as:

• Calendar item
• Note item
• Contact item
• Mail item

Each of this item considers as mail item.

Default Deleted mail policy in an Exchange Online environment

The meaning of the term – “Deleted Item retention policy” relate to our ability to recover mail items that were deleted for a specific period of time.

The default Exchange Online Deleted Item retention policy defines a “range” of 14 days in which we can recover mail items that were deleted.

We have the ability to “extend” this default range up to 30 days, but we will need to use the PowerShell interface for implementing this “extension” and also; we will need to run the PowerShell command for each new mailbox that will create.

The ability to extend the default 14-day limitation is available only to Office 365 customers who purchase E3 or Exchange Plan 2 license.

You can read more information about this option in the section – Stretching the Exchange Deleted item policy of the third article series.

Deleted mail item policy | Quotes from public resources

After an item has removed from the Deleted Items folder, it’s kept in a Recoverable Items folder for an additional 14 days before being permanently removed. Users can recover the item during this 14-day period by using the Recover Deleted Items feature in the Outlook Web App or Outlook.
Using this feature eliminates the need for a mailbox restore. If a user manually purged an item from the Recoverable Items folder, an administrator can recover the item within the same 14-day window by using the Single Item Recovery feature and remote Windows PowerShell.
The Single Item Recovery period is 14 days by default, but administrators can increase this to a maximum of 30 days by using remote Windows PowerShell. To preserve E-mail for longer period than 30 days, organizations can implement long-term email preservation or time-based In-Place Holds.
[Source of information: High Availability and Business Continuity]

“Override” the default Deleted Item Retention policy

One of the most common questions that are raised by Office 365 customers is the question about the possibility to save mail items for an unlimited period.

In other words, “override” the default Deleted mail item policy

The good news is that Exchange Online offers this option by using one of the following Exchange Online features:

• Litigation Hold
• In-Place Hold

The option of Exchange Online Litigation hold or Exchange Online enables us to “override” the default deleted mail items retention policy and enable a configuration in which we can “hold” and recover (restore) mail items forever!

The important thing regarding Litigation Hold or In-Place Hold option is that this “feature” exists only when purchasing a specific Exchange Online license:

• Exchange Online E3 license
• Exchange Plan 2 license

In the current article, we will not go into a detailed description of this Exchange Online option but instead, focus on the Deleted Item retention policy and the Exchange Online architecture that is used for recovering mail items.

Mailbox and Backup solution in Office 365 and Exchange Online environment

The common question among Exchange Online client is the question regarding the possibility of implementing some kind of user mailbox solutions.

Most of the time, the idea behind the backup \ restore solution is the ability to restore the user mailbox to a specific “point in time”. This option sometimes described as a snapshot because the backup enabled us to capture a snapshot of the user mailbox and view the mailbox content as at appearing at a particular time during the past.

At the current time, the Exchange Online infrastructure doesn’t provide this type of service.

This kind of “solutions” are provided by third-party backup and restores products that can provide this service in the Exchange Online base environment.

Exchange Online and Recoverable Items Folder

As mentioned in the previous section, in the current time Exchange Online doesn’t include a backup solution that could describe as: “point on time” which will enable us to restore user mailbox status to a particular point in time.

The Exchange Online “Backup solutions” are based on the architecture or the concept which described as single mail item recovery.

The single mail item recovery concept implemented by using a “set of mailbox hidden folder” that serves as a “container” for deleted mail items.

This technical name for the “set of folders” is Recoverable Items folder. The name that was chosen by Microsoft for this set of a system folder could mislead because of the name reference a “folder” (singular) instead of referencing this folder as a plural.

Note- the previous term that used in the past for describing this set of “recovery folders” is- dumpster.

We use the term “hidden” because by default the user cannot see this set of “recovery folders” as part of his “standard folder hierarchy.”

We use the term “set of folders” because the deleted mail item is not saved in a specific folder but instead in a set of folders. Each of the folders has a particular “rule” and purpose.

The backup and restore capabilities of Exchange Online based on accessing this folder and “pull out” the mail items that stored in this set of folders.

Exchange Online Litigation Hold and Exchange Online In-Place Hold

Exchange Online includes two features or components that enable us to “extend” the process of saving and recovering an E-mail item.

For example, the Exchange Online default Deleted Item retention policy will keep deleted mail items in the Recoverable Items folder for 14 days.

When we use the feature of Litigation Hold or In-Place Hold we can “extend” this limitation to an unlimited number of days.

The Litigation Hold or In-Place Hold components enable us to manage the required policy that we want to set for a specific mailbox or, on a set of mailboxes and when we need to recover data (deleted mail items), enable us to search and recover E-mail item.

Read more: Compare Exchange Online plans »

Conclusion

The current article series includes six articles. The reason for writing a series of articles is because of many aspects related to this subject and many options and solutions we can implement. If you want to be entitled to the title, recover mail items in Exchange Online MOD (Master Of Disaster), it is recommended to read each of the articles included in this article series.