In the current article, we will review the four options that we can use for recovering mail items in the Exchange Online environment.
The available tools for recovering mail items are:
- Recovering deleted mail items by using Outlook and OWA mail clients.
- Recovering deleted mail items by using the MFCMAPI utility.
- Recovering deleted mail items by using Exchange In-Place eDiscovery and Hold.
- Recovering deleted mail items by using the PowerShell cmdlet Search-Mailbox.
The details of our scenario are as follows:
An organization user calls us and complains that some of his mail has disappeared. We have done our due diligence and performed a mailbox search to verify whether the mail still exists in the user's mailbox.
At this point, we enter the phase in which we assume that the mail item was deleted, and we want to check whether the specific mail items are still “recoverable.”
The two most important questions that relate to this scenario are:
Q1: What are the mail recovery methods that are available for us in the Office 365 and Exchange Online environment?
Q2: Is the mail item still “recoverable”, meaning, can we still “save” the deleted mail item?
The available mail recovery methods in the Office 365 and Exchange Online environment
Before we dive into the specific details of the mail recovery methods that we can use, it’s important to define a general classification of the mail recovery methods:
- Mail recovery methods that can be implemented by the user himself (the mailbox owner).
- Mail recovery methods that can be implemented only by the Exchange Online administrator.
For example – every user (mailbox owner) has the ability to recover mail items that were deleted from the Exchange inbox “Recycle bin” (the Deleted items folder) by using the OWA or Outlook option – Recover Deleted Items.
As mentioned, the user has a “grace period” of 14 days in which he can “regret” and restore mail items that were deleted from the Exchange inbox “Recycle bin” (the Deleted items folder). In other words – recover from a scenario of Hard delete.
The scenarios in which only the Exchange administrator can recover mail items are:
- Hard delete
A scenario in which the user also deletes the mail item that was stored in the Deletion folder (hard delete). In this case, the mail will be placed in the Purges folder.
The user doesn’t have access permission to the Purges folder (only the Exchange Online Administrator can view the content of this folder).
- Mailbox with Litigation Hold or In-Place Hold
If the mailbox was configured with Litigation Hold or In-Place Hold, deleted mail items older than 14 days (the default Deleted Item retention policy in Exchange Online is 14 days) can be recovered only by the Exchange Online administrator.
The available tools for recovering mail items
The available tools that we can use for recovering mail items are:
1. In-place eDiscovery
An Exchange 2013 web-based interface that enables us to create a query and search for mail items in a particular mailbox or an array of mailboxes.
(Exchange Online is based on the Exchange 2013 architecture.)
The In-Place eDiscovery Exchange infrastructure is a very powerful tool that consists of different components and can be used for searching and recovering data from the Exchange Online infrastructure and also from other infrastructures such as SharePoint Online.
2. PowerShell cmdlets
Exchange includes two sets of PowerShell cmdlets that were created for searching + recovering mail items from a user mailbox:
Both of the PowerShell cmdlets, Search-Mailbox and New-MailboxSearch, serve for searching for data (mail items) in an Exchange mailbox.
The graphics interface of the Exchange Online eDiscovery that is used for searching + recovering mail items from user mailboxes is based on the PowerShell cmdlets –
In addition, Exchange includes support in “older” PowerShell cmdlets named –
The obvious question that could arise is: why do we need two PowerShell cmdlets that do the same thing?
The answer is that despite what these two PowerShell cmdlets have in common, each cmdlet has capabilities that the “other” cmdlet doesn’t have.
Theoretically, the “newer” PowerShell cmdlet, New-MailboxSearch, was supposed to replace or inherit from the former PowerShell cmdlet (Search-Mailbox), but the interesting news is that Search-Mailbox still has capabilities that are not provided by the newer New-MailboxSearch cmdlet.
For example, the PowerShell cmdlet Search-Mailbox is considered “older” than the “new” PowerShell cmdlet New-MailboxSearch, but Search-Mailbox includes capabilities that the “newer” cmdlet doesn’t have, such as the ability to search and recover mail items only from the Recoverable Items folder.
3. Mail client (Outlook\OWA)
The mail clients Outlook and OWA include a built-in option that enables users to recover mail items. The Outlook\OWA mail item recovery interface allows the user (the mailbox owner) to view the content of the Deletion folder + recover mail items. In other words, it enables the user to recover mail items from a Soft delete event.
4. MFCMAPI
MFCMAPI is a very powerful GUI tool that enables users (the mailbox owner or another user who has Full access permission to the mailbox) to have access to the “behind the scenes” of the mailbox content.
The MFCMAPI tool provides many capabilities for a variety of troubleshooting scenarios, but in this article, we will review only one very specific capability of MFCMAPI: enabling users to access the “hidden partition” – the Recoverable Items folder.
In the current article, we will review the following methods for recovering mail items in the Exchange Online environment:
- Recovery using Outlook and OWA mail client
- In the article – Using Exchange In-place eDiscovery & Hold for recovering deleted mail items | 6#7, we will review how to recover mail items using In-place eDiscovery & Hold
- In the article – Recovering deleted mail items using PowerShell cmdlets Search-Mailbox | 7#7, we will review how to recover mail items using the PowerShell cmdlets – Search-Mailbox.
Best practices and guidelines for recovering deleted mail items
When a user reports that his E-mail “disappeared” the recommended troubleshooting flow is:
- Verify if the mail items still exist in the user mailbox – in case that you cannot find the mail item in the user mailbox, move to the next step.
- Instruct the user to use the OWA\Outlook built-in option of recovering deleted items. The ability of the user to recover mail items by themselves, can save precious time and prevent unnecessary resource allocation for implementing an “administrative recovery process”.
In simple words – simple is better. If the user manages to recover the mail item by himself, this is a win-win scenario.
- Use the “administrative” mail recovery options that exist in an Exchange Online environment, only when the user doesn’t manage to recover mail by himself.
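As an added example (not part of the original article), the following Exchange Online PowerShell script supports the first steps of this flow: it shows the mailbox's retention and hold settings and the item counts in the Recoverable Items subfolders, then reports which recovery path applies. It assumes an already connected Exchange Online PowerShell session; the mailbox address is a placeholder.

```powershell
# Added example, not from the original article.
# Assumption: an Exchange Online PowerShell session is already connected.
# Assumption: the mailbox address below is a placeholder.
$Mailbox = 'john@contoso.example'

# 1. Retention and hold settings decide how long deleted items stay recoverable.
$mbx = Get-Mailbox -Identity $Mailbox
$mbx | Format-List DisplayName, RetainDeletedItemsFor, SingleItemRecoveryEnabled,
                   LitigationHoldEnabled, InPlaceHolds

# 2. Item counts for each subfolder of the Recoverable Items folder.
#    The folder the article calls the "Deletion folder" is listed as "Deletions".
$folders = Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
    Select-Object Name, FolderPath, ItemsInFolder, FolderSize
$folders | Format-Table -AutoSize

# 3. Map the counts to the recovery options described in the article.
$deletions = $folders | Where-Object Name -eq 'Deletions'
$purges    = $folders | Where-Object Name -eq 'Purges'

if ($deletions -and $deletions.ItemsInFolder -gt 0) {
    Write-Output ("Deletions holds {0} item(s): the user can try 'Recover deleted items' in Outlook or OWA." -f
        $deletions.ItemsInFolder)
}
if ($purges -and $purges.ItemsInFolder -gt 0) {
    Write-Output ("Purges holds {0} item(s): an administrative recovery method is needed." -f
        $purges.ItemsInFolder)
}

# 4. Without a hold, items past the retention window are not expected to be present.
$onHold = $mbx.LitigationHoldEnabled -or ($mbx.InPlaceHolds.Count -gt 0)
if (-not $onHold) {
    Write-Output "No hold on the mailbox: only items inside the $($mbx.RetainDeletedItemsFor) retention window can be expected."
}
```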
1. Recovering deleted mail items by using Outlook and OWA mail clients.
As mentioned, Outlook and OWA mail clients include a built-in interface that enables a user to recover mail items.
The Outlook and OWA mail recovery option enables the user to get access to the hidden subfolder – the Deletion folder.
When we mention the term – “recover mail items by using Outlook\OWA”, the meaning is the ability to recover Soft deleted mail items.
1.1 Recovering deleted mail items by using Outlook mail client.
To be able to recover mail items using Outlook, implement the following steps:
- Choose the Folder menu
- Choose the “Recover deleted items” icon.
In the window that appears, we can see a list of all the deleted items (the mail items that are stored in the Deletion folder).
- When choosing the option of “Restore selected items”, the mail item will be restored back to the Deleted items folder.
- When choosing the option of “Purge selected items”, the mail item will be sent to the Purges folder (Hard delete).
One important concept that I would like to emphasize is that the process of recovering deleted mail items doesn’t restore the mail item to the “original folder” in which the mail item was originally created but instead, to the folder that “hosted” the mail item before it was deleted, meaning – the Deleted items folder.
For example – a scenario in which a user deletes a mail item that is stored in a mailbox folder named: Customers.
When the user deletes the mail, the mail is “moved” to the Deleted items folder. If the mail item was also removed (deleted) from the Deleted items folder and the user decides that he wants to recover the mail item, the recovered mail item will be restored back to the Deleted items folder and not to the “original folder” (Customer folder in our scenario).
In the following screenshot, we can see an example in which we recover a mail item.
After the mail item is successfully restored, we can see that the “new location” of the mail item is the Deleted items folder.
1.2 Recovering deleted mail items by using OWA mail client.
The ability to recover a mail item can be implemented also by using the OWA mail client.
- To be able to display the Deleted items folder, choose the More option.
(The OWA default view in an Exchange Online environment is a minimized view that doesn’t display the Deleted items folder).
- Right-click on the Deleted items folder
- Choose the menu – Recover deleted items …
In the new window that appears, you will be able to see a list of mail items that can be recovered.
At the bottom right of the screen, you can see the option of – Recover or Purge
2. Recovering deleted mail items by using MFCMAPI utility.
The MFCMAPI is a very powerful tool that each Exchange administrator should know.
By using the MFCMAPI tool, we can accomplish tasks and operations, which are not available through the standard Outlook interface.
One of the most relevant examples for the need to use the MFCMAPI tool is a scenario of Hard Delete.
Just a quick reminder – the term “Hard Delete” defines a scenario in which the user (or another element) deletes the mail item from the Deleted items folder + also purges the mail item from the recovery folder (the Deletion folder).
In this scenario, the mail is relocated or moved to the Purges folder and the standard Outlook or the OWA mail client interface doesn’t enable users to get access to the Purges folder.
In this case, we have a couple of options – the Exchange Administrator can use the Exchange Online in-place eDiscovery option (a tool that is available via the Exchange Online web management interface) for searching and recovering the mail item.
But in a scenario in which we are not able to access the Exchange Online admin interface or, in a scenario in which a “standard user” doesn’t have the required administrative rights for accessing the Exchange Online in-place eDiscovery, we can use the powerful ability of the MFCMAPI tool for trying to recover mail items from a “Hard delete” scenario.
How to recover mail item using the MFCMAPI tool
In the following section, we will demonstrate the use of the MFCMAPI tool for recovering mail items of a user named: John.
Our demonstration will include the options that the MFCMAPI tool includes for recovering mail items:
- Export the deleted mail items into a mail message format (msg file).
- Copy deleted mail items into inbox folder.
The details of the scenario are as follows:
Our user John empties his Deleted items folder and then also empties the recovery mail item folder (Hard Delete).
In this scenario, the deleted mail items are located in the Purges folder and as we know, the content of this folder is not available in the Outlook view.
To be able to recover the deleted mail items that are stored in the Purges folder we will use the MFCMAPI tool. We will use the MFCMAPI tool to log on to John’s mailbox and then recover a specific mail item using the Export option and using the Copy option.
- Download and extract the MFCMAPI
- Double-click the MFCMAPI executable file.
- In the welcome screen click OK
- Click on the Tools menu and choose Options…
- In the window that appears, choose the following options
- Use the MDB_ONLINE flag when calling OpenMsgStore
- Use the MAPI_NO_CACHE flag when calling OpenEntry
To be able to view the content of the user mailbox, we need to log on to John’s mailbox (the MFCMAPI tool “mimics” Outlook client behavior).
- Choose the Session menu and the Logon… menu
- In our scenario, we will choose the “John mail profile”
- Double-click on the icon that represents John’s mailbox.
Using the MFCMAPI tool enables us to get a clear view of the physical mailbox structure.
The topmost container is the Root container, which includes sub-partitions such as:
- Recoverable items – this is the Recoverable Items folder.
- Top of Information store – this is the “mailbox partition” that contains the standard mailbox folder that we know such as – inbox, sent items, etc.
To be able to recover the deleted mail items we will click on the Recoverable items folder.
In the Recoverable items folder, click on the Purges folder.
The MFCMAPI interface is a bit confusing because at first glance, it looks like the MFCMAPI view of the Purges folder includes only binary code.
To be able to view the mail items stored in the Purges folder, we need to double-click on the Purges folder.
Scenario 1: Export a copy of a deleted mail item
In the first example, we will save a copy of the deleted mail item and save it as a message file format (msg file).
- Choose a specific mail item
- Use the right click mouse option and in the menu that appears, choose the Export message… menu
- In the option box: Format to save message, choose a suitable format for your needs. In our example, we will choose MSG File (UNICODE)
- In our example, we will save a copy of the deleted mail item in a folder named: Recover Mail.
- In the window that appears, click OK
- In the window that appears, click OK
- In the following screenshot, we can see the mail item that was saved in the folder.
Scenario 2: copy the deleted mail item\s to another mailbox folder.
In the following example, we want to use a different option for recovering mail items.
In this example, we want to restore the mail item to a “dedicated folder” that will be created and serve for storing the recovered mail item\s.
In our example, before we start the recovery process, we will create a folder named:
John recover Mail items
Later on, we will copy all the recovered mail items that are stored in the Purges folder to this folder.
To simplify the instructions, you can follow the steps listed in the former scenario.
When we see the content of the Purges folder, we can choose a specific mail or all the mail items (CTRL +A) and use the right mouse click.
In this scenario, we will choose the option of Copy Messages…
- Choose the inbox folder and under the inbox folder choose the specific folder that will be used for saving the copy of the recovered mail items. In our scenario, we choose the folder named: John recover Mail items
- Right click on the folder and choose the menu – Paste…
In our scenario, we want to copy the recovered mail items and not move the recovered mail items. We will not check the option box – Move message instead of copy
In the following screenshot, we can see the mail item that was recovered.