
Using Exchange In-place eDiscovery & Hold for recovering deleted mail items | 6#7

In the current article, we will review how to use the Exchange In-place eDiscovery & Hold feature as a tool for searching and recovering deleted mail items.
We will review the following subjects:

  • How to create an Exchange In-place eDiscovery & Hold query.
  • How to send a copy of the search results to the Discovery Search Mailbox.
  • How to export the search results to a PST file.
  • How to access the Exchange Online In-Place eDiscovery admin interface by Office 365 Business customers.

Scenario description

In the following section, we will demonstrate the way that we use Exchange Online in-place eDiscovery & Hold for searching and recovering mail items.

In our scenario, we get a call from a user named John, who reports that some of his mail is missing.

John is not sure whether the mail items were deleted on a specific date, and he cannot point out a specific characteristic of the deleted mail items.

In this scenario, we would like to create a query that will “scan” John’s mailbox and “send” the search results to the Discovery Search Mailbox.
Later on, we will look for information about deleted mail items located in the Purges folder, under the Recoverable Items folder.

Step 1 – assign permissions

To create an In-place eDiscovery & hold query that searches through Exchange users’ mailboxes, and to view data from a user mailbox, we need the required permissions.

The required permission is membership in the group named Discovery Management.

  • In the Exchange Online management portal, choose the permissions menu and then, on the top-bar choose admin roles.
  • Double-click on a group named – Discovery Management
Assign eDiscovery permissions in Exchange
  • In the members sections, click on the plus icon to add the username that needs to have the required permission (the user that will perform the In-place eDiscovery & hold search).
Assign eDiscovery permissions in Exchange

Step 2 – creating in-place eDiscovery & hold search query

In the following section, we will create the required In-place eDiscovery & hold search query. In our specific example, we will not create a specific filter but, instead, search the whole of John’s mailbox.

  • On the left side menu bar, choose the menu – compliance management
  • On the top menu bar, choose the menu – In-place eDiscovery & hold
  • Click on the plus sign for creating a new in-place eDiscovery & hold search
Implementing in place eDiscovery hold search
  • In the text box – Name and description, provide the name for the In-place eDiscovery & hold search query. Note – the name cannot contain spaces.
Implementing in place eDiscovery hold search

In our specific scenario, we want to look at John’s mailbox.
For this reason, we will choose the option of – specify the mailbox to search.

  • In the window that appears, we will search for John’s name and then, click on the add button.
Implementing in place eDiscovery hold search

In the following screenshot, we can see that the search query “boundary” is John’s mailbox.

Implementing in-place eDiscovery & hold search

The following window enables us to set the specific parameters of the search query.

  • In our specific scenario, we will choose the option of – include all content.

Note: In case the Filter based on criteria option is “dimmed”, this means that you don’t have the required permissions.

Implementing in-place eDiscovery & hold search -05

On the next screen, we will not select anything because this part is related to a scenario in which we want to put on hold particular mail items (our purpose is only to search and recover mail items).

For this reason, we will click on the finish button

Implementing in-place eDiscovery & hold search -06

In the following screenshot, we can see that the In-place eDiscovery & hold search query was successfully created.

Implementing in-place eDiscovery & hold search -07

In the following screenshot, we can see the In-place eDiscovery & hold search query that we have created. Notice that the status is “Search has been queued.”

Exchange server needs some time to look for the required information in the Exchange index database.

Implementing in-place eDiscovery & hold search -08

Step 3 – View the In-place eDiscovery & hold search results

In this section, we want to “take a peek” at the search results, meaning the information (mail items) found based on our search query.

To view the information, click on the link – Preview search results.

Implementing in-place eDiscovery & hold search -09

In the following screenshot, we can see the search results, meaning the mail items that appear in John’s mailbox.

Note that the information is displayed in a “flat manner”.
This means that the view doesn’t include the original folder structure and hierarchy as it appears in John’s original mailbox.

From my experience, this “flat view” is suitable only in a scenario in which the search result includes a few mail items.

In a scenario in which we create a search query that “fetches” the whole of the user’s mailbox, which can contain thousands or even tens of thousands of mail items, the “flat view” will make it very hard to look for a particular e-mail item.

But fear not!

In the next section, we will provide a solution for this “display problem”.

Implementing in-place eDiscovery & hold search

Step 4 – copy\save the In-place eDiscovery & hold search results to the Discovery Search Mailbox

In the next section, we will demonstrate how to “export” (copy) the search query results to a special Exchange system mailbox named: Discovery Search Mailbox

The option of saving the search query results to the Discovery Search Mailbox will enable us to get a clear view of the folder structure in John’s mailbox and also, save the information for later use.

Click on the Magnifying glass icon and choose the menu – Copy search results

In-place eDiscovery & hold search – copy search results - 01

In the following window, we need to choose where to “store” the search query results.

By default, Exchange creates one dedicated system mailbox named
DiscoverySearchMailbox-GUID

Technically, we can create additional Exchange Discovery Search Mailboxes, but for now, let’s settle for the “original” Discovery Search Mailbox.

Additional options are also available here, such as Enable full logging and more.

In-place eDiscovery & hold search – copy search results - 02

To finish the “export” (copy) process of the search results to the Discovery Search Mailbox, click on the OK button.

In-place eDiscovery & hold search – copy search results - 03

In the following screenshot, we can see that a “new section” was added.
To be able to view the search result, click on the [open] link

In-place eDiscovery & hold search – copy search results

In the following screenshot, we can see the content of the Discovery Search Mailbox.

Pay attention to the logic behind the Discovery Search Mailbox structure.

The search results that appear in the Discovery Search Mailbox keep the folder structure and hierarchy of the original mailbox, for example, the default Inbox folder and so on.

The search results are saved under a dedicated folder that uses the name we defined earlier for the In-place eDiscovery & hold search query
(in our scenario – Search_john_mailbox).

Another interesting thing is that the search results include the Purges folder. This is the folder that will include “hard deleted” mail items and that cannot be seen or accessed by the mailbox owner (John in our scenario).

In-place eDiscovery & hold search – copy search results
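Steps 1 to 4 above can also be carried out from an Exchange PowerShell session. The following is an added example, not part of the original article, using the MailboxSearch cmdlets; the two addresses are placeholders, and it assumes a session in which these cmdlets are available.

```powershell
# Added example. Placeholder identities (assumptions, not from the article).
$Admin   = 'admin@contoso.example'   # account that will run the search
$Mailbox = 'john@contoso.example'    # John's mailbox
$Name    = 'Search_john_mailbox'     # search name used in the article

# Step 1: grant the role, then review who holds it.
# Members of Discovery Management can search the content of any mailbox,
# so this list should stay short and be reviewed regularly.
Add-RoleGroupMember -Identity 'Discovery Management' -Member $Admin
Get-RoleGroupMember -Identity 'Discovery Management' |
    Select-Object Name, RecipientType

# The new member must open a fresh session before the cmdlets below
# become available to that account.

# Locate the default discovery mailbox (DiscoverySearchMailbox-GUID).
$Target = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox |
    Select-Object -First 1

# Steps 2 and 4: omitting -SearchQuery corresponds to "include all content";
# -TargetMailbox is where the results are copied;
# -LogLevel Full corresponds to "Enable full logging".
New-MailboxSearch -Name $Name `
    -SourceMailboxes $Mailbox `
    -TargetMailbox $Target.Identity `
    -LogLevel Full

Start-MailboxSearch -Identity $Name

# Step 3: check the state of the search and the size of the result set.
Get-MailboxSearch -Identity $Name |
    Format-List Name, Status, PercentComplete, ResultNumber, ResultSize
```

Once the recovery is finished, `Remove-RoleGroupMember` can take the account back out of Discovery Management so the mailbox-wide search right does not linger.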

Step 5 – export the search results to PST file

A very useful option that is included in In-place eDiscovery & hold is exporting the search results to a PST file.

To be able to export the particular search result, we will need to choose the result search job (Search_john_mailbox in our scenario) and click on the down arrow icon (Export to a PST file).

In-place eDiscovery & hold search – export to PST search results - 01

Note

The computer you use to export search results to a PST file has to meet the following system requirements:

  • 32- and 64-bit versions of Windows 7 and later versions
  • Microsoft .NET Framework 4.5
  • A supported browser:
      • Internet Explorer 10 and later versions
      • Mozilla Firefox or Google Chrome, with the ClickOnce add-in installed

The export process is implemented by downloading a specific software component that will help us to download the file from Exchange Online to our local desktop.

  • Click on the Run option
In-place eDiscovery & hold search – export to PST search results

Choose a local folder that will be used for saving the exported PST file. In our example, we have created a folder named: John PST

In-place eDiscovery & hold search – export to PST search results

Provide the credentials (user name + password) of a user that has the required permission (membership in the Discovery Management group)

In-place eDiscovery & hold search – export to PST search results - 04

In the following screenshot, we can see the result. The results are the required PST file + Log file

In-place eDiscovery & hold search – export to PST search results - 05

In the following screenshot, we can see an example of the log file that is provided as part of the exported files.

The Log file includes information about every mail item that appears in the search result.

In-place eDiscovery & hold search – export to PST search results - 06

View the mail items in the PST file using an Outlook mail client

In the previous section, we reviewed the steps needed for exporting the search results to a PST file.

To be able to view the content of the PST file, we will need to add the PST file to an existing Outlook profile.

In the following example, we will add the PST file that we got from the In-place eDiscovery & hold search of John’s mailbox to an existing Outlook mail profile.

In Outlook, choose the File menu ==> Account Settings and then again Account Settings

Add the PST file to the local outlook profile

Choose the Data Files tab and click on the Add… button

Add the PST file to the local outlook profile

In our example, John PST is located on drive C: in a folder named: John PST

Add the PST file to the local outlook profile

In the following screenshot, we can see the new PST file that was added to our Outlook mail profile.

Add the PST file to the local outlook profile -04

In the following screenshot, we can see “John PST”, which appears as an additional mailbox in the Outlook mail profile.

Add the PST file to the local outlook profile

How to access the Exchange Online In-Place eDiscovery admin interface by Office 365 Business customers

As mentioned, Exchange In-place eDiscovery & hold is available to Office 365 customers who have purchased an Office 365 Business license, but not via the standard Office 365 portal admin interface.

To be able to view the “Advanced Exchange Online” admin interface, we will need to use a little trick in which we will “rewrite” the URL address.

In the following screenshot, we can see the standard portal interface of Office 365 Business customer.

Office 365 Business customer and Exchange Online admin interface -01

Log in to your mailbox using the OWA web mail client, click on the options menu and then on the Mail icon

Office 365 Business customer and Exchange Online admin interface

In the following screenshot, we can see the “standard” OWA mail client URL address.

To be able to access the Exchange Online admin interface, we will need to “remove” the part of the URL that follows the address: https://outlook.office365.com

Office 365 Business customer and Exchange Online admin interface

To access the Exchange Online web-based management interface, we will need to add the folder name ECP to the URL address.

For example, https://outlook.office365.com/ecp

Office 365 Business customer and Exchange Online admin interface -04

In the following screenshot, we can see the “standard” Exchange Online admin interface that enables us to access the option of Exchange In-Place eDiscovery & Hold.

Office 365 Business customer and Exchange Online admin interface
o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has One Comment

  1. Is there a way to recover emails that were deleted by a rule? I mistakenly set up the rule and I’m trying to recover those emails. I tried following this but it seems it won’t recover the emails deleted by the rule. Please help!
