Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
introduction | 1#7
The current article is a basic introduction into the subject of recovering mail items
in the Exchange Online based environment.
Many of the Office 365 customers are not aware of the options that are available
for them in a scenario in which they need to recover mail items and what are the
built-in limitation of the Exchange Online that realities to the operation of recover
deleted mail items.
The main purpose of this article and the rest of the article series is to help you to
get familiar with the option that are available for you for recovering mail items in
the Exchange Online environment.
Prefix
To be able to get a full thorough understanding on this subject, we will need to be
able to answer a couple of major questions:
Q1: How to relate to an event in which users report that the data is missing from
their mailbox or the need to recover data that was deleted in the past?
Q2: What is the built-in mechanism that Exchange server architecture provides for
dealing with such scenarios?
Q3: What are the available options when we host our mail infrastructure on
Exchange Online based infrastructure (Office 365)?
The answers to this question are spread over a series of six articles.
In other words: if you are looking toward a solution in which you will pick up a
phone to the Exchange Online support team instruct them to solve the problem by
doing some magic and inform the user that everything is OK, you did not come
to the right place!
Q1: So what are you telling me? Do you claim that its not passable to deal with a
scenario in which we need to recover or restore mail for our Exchange Online
users?
A1: My claim is that in Exchange and Exchange Online environment, we can use
the built-in capabilities the Exchange architecture offer for dealing with such
scenarios (recover mail items) such as the architecture of single item recovery or
other Exchange Online services such as Litigation Hold or In-Place Hold.
To be able to provide good answers and good services for our customers, we will
need to know about the available options, the limitations, and the best practices for
dealing with a scenario of missing mail and so on.
The current article
The purposes of the current article are:
Remove the ambiguity of the subject or recovering mail items in Office 365
(Exchange Online) environment.
Review common misconceptions.
Define the terms: My mail disappeared! and Deleted Item retention default
policy.
Review the 11 major causes for deleted mail item scenario.
Office 365 E1 and E2 plans (Exchange Online Plan 1) Mail Item Recovery
Limitations & Solutions
Office 365 Backup & Recovery
performance. Mail items that are sent or saved in the Online archive are not saved
to the local OST file (cache mode).
In case that a user deletes mail from the online archive, the mail item will be
deleted like any standard mail item.
3. In a scenario that a user wants to recover mail that was deleted a long
time ago, I could call Microsoft su pport, and they will recover for me the
required information!
Lets make it simple the default Exchange Online deleted mail policy value is 14
days.
In case that a user implemented Hard delete (you can read more information
about Hard delete in the article Recover deleted mail items in the Exchange
Online environment | Deleted mail flow | 3#7) the mail item considers as
recoverable for a period of 14 days.
After this period, the mail item will be lost forever! There is no option for recovering
such as a mail item in the Exchange Online environment.
Office 365 customers who use Exchange Plan 2 license or E3 license can extend the
default deleted item mail policy for a period of 30 days + use the option of Litigation
Hold or In-Place Hold that enable to keep mail items for a longer time period or
forever, but this option cannot be implemented in retrospect.
In other words if the Exchange Online administrator didnt activate the described
options in advance, we are still subject to the 14 days rule.
Note
You can read more information about extending the default Deleted Item
retention policy in an Exchange Online environment in the article Recover
deleted mail items in the Exchange Online environment | Deleted mail flow | 3#7
You can read more information about Litigation Hold or In-Place Hold in
Exchange Online environment in the article Exchange In-Place eDiscovery &
Hold | Introduction | 5#7
4. In Exchange Online environment, I can recover the user mailbox to his
original state
False assumption 1 restore the user mailbox snapshot.
Usually, when Exchange Online administrator says that sentence their meaning is
translated to the option of restoring a snapshot of the user mailbox sometimes
refers as point in time in which the user mailbox will behave all the mail items,
and the specific folder structure that the user had in a specific point in time.
The Exchange Online infrastructure doesnt include this option. There is no way to
restore the user mailbox to a specific point in time.
False assumption 2 restore mail items to the original location.
For example, in case that the deleted mail item was located in the inbox folder,
when I use the available option for recovering the specific mail items, it will be
restored to his original folder meaning the inbox folder.
In a recovery scenario in which we use Outlook or OWA mail client for recovering a
mail item, the mail item will be restored to his original folder but not to the folder
that we consider as original.
When we delete a mail item, his original folder become the Deleted items folder
When we restore the mail items from the Recoverable Items folder, the mail item
will be restored to the Deleted items folder and not to the inbox folder
If you think that Im a little cynical, wait until you hear the complaints I hear from
clients.
The point there is no Tooth Fairy and, no Office 365 deleted mail daemon.
Theoretically, there is a possibility that the causes for the deleted mail item relate in
some way to the Exchange Online infrastructure but, my opinion is that chance for
this scenario is identical to the chance in which you win the grand prize lottery
three weeks in a row.
Before we get into the panic state, I would like to present two important questions
1. What is the meaning of my mail?
Does the user relate to a single mail item, a couple of mail items or dozens of
mail items?
When the user says mail items did he means an E-mail message? Calendar
meeting? Contact?
Are there any specific characters in the mail that was disappearing? For
example mail from a specific date range? Mail with a specific subject? Mail
from a specific recipient?
You dont have to act like Sherlock Holmes each time a user reports that his mail
was disappearing, but its crucial that we will have a clear understanding about the
characters of the event.
Before we start to fire in all directions, we need to verify if this is a simple scenario
in which the mail exists, but the user cannot find it or a scenario in which we cannot
locate the specific mail items, and we can assume that the mail can be considered
as deleted
For example
1. Drag and drop scenario a scenario in which the user was a drag and drop mail
item\s from their original mail folder to other mail folders without noticing.
Another variation of this scenario could be a scenario in which the user
consciously moves a specific mail item from their original folder to another
folder and over time, he forgot that he changed the original location of the mail
item.
2. Outlook and OWA view Outlook and OWA mail client, enable the user to define
a specific view that serves as a filter that hides a specific mail item.
Many times, when a user reports that he cannot find a specific mail item, the
problem is a specific view that hides the mail item.
3. Synchronization problem for example, a scenario in which users who use
Outlook discovers that he cannot find a specific mail item. The mail item exists in
the Exchange Online mailbox, but for some reason, was not synchronized to the
specific user desktop.
The solution
In a scenario in which users report that his mail was
disappeared\deleted\evaporated or any other term, before we start to think about
the worst-case scenario, lets start with a simple search operation.
The best practice is to search for the missing in action mail items by using the
OWA mail client because, when we use the OWA mail client, we eliminate a scenario
in which the problem is related to a synchronization problem.
I will not be able to help you to find the person or the element that deletes the
mail items, but, I can introduce to you some of the common causes for mail
deletion scenario.
1. Mail item that was deleted by the user himself.
Despite that we are not willing to consider this scenario, in real life, the reason for
the deleted mail item could be the user himself.
It doesnt matter if the user deleted the mail in the past and, forgot that he deleted
the mail or the mail was accidentally deleted.
What matters is that we should consider this option before we start to fire in all
directions to seek to blame the environment.
2. Antivirus
Most of the time we relate to Antivirus as an element that was created for
protecting the mailbox data, but in some scenarios, the Antivirus application could
recognize a specific mail as a problematic and decide to delete the mail items or
remove some parts of the mail item such as attachment, etc.
3. Virus or malware
Any type of hostile code that exists on the user desktop or device and manages to
delete mail items.
4. Variety of mail client and mail protocols.
In a modern environment, users access their mailbox form many different devices,
application using a variety of mail protocols and so on.
In this complex environment, its reasonable to assume that the scenario of
deleted mail can be caused by a problem with a specific mail client, specific mail
protocol specific device, etc.
5. Other users who have access to the specific user mailbox.
One of the notable characteristics of the Exchange Online environment is the ability
of sharing resources such as mailbox or calendar.
The scenario in which mail items are deleted, can be caused by users who have
access (permission) to the user mailbox.
The deletion could be considered as deliberate action or mistake but the
important issue is that in case that other users have access to the user mailbox; the
deletion could be related to another user.
6. Outlook add-in or plugin.
The purpose of Outlook add-in or plugin is to do something with the mail items
that existed in the user mailbox. Most of the time, the Outlook add-in or plugin has
unlimited access to the mailbox content and some scenarios; the Outlook add-in or
plugin could decide to delete or remove a specific mail item.
7. Mail Migration and corrupted mail items.
In a scenario in which we migrate our mail infrastructure to Exchange Online, our
basic assumption is that all the mailbox content is migrated to the cloud.
This assumption could be wrong in a scenario in which the original user mailbox
includes a corrupt mail item. In this case, the corrupt mail items will not be
migrated to the Exchange Online mailbox.
In this type of scenario, the user assumes that the mail items are waiting for him in
the mailbox while, in reality, the E-mail was never reached to the Exchange Online
mailbox.
8. Exchange Online Retention policy.
Some organization uses an Exchange retention policy and retention policy tag that
move mail item with a specific age to the archive mailbox or even deletes old mail
items.
In case that your organization uses retention policy, you will need to verify if the
mail item that was reported as disappeared was just moved to the archive
mailbox.
9. Local PST file.
In a scenario in which the user uses a local PST a passable option could be that the
mail item was manually or automatically was moved to the PST store.
Or another option is that the mail is stored in PST file that is saved on the specific
user desktop and at the current time, the user uses a different desktop that doesnt
include the PST file.
10. Problem with Exchange Online.
I have added this case as the last case because technically, this scenario could be
an option.
In order to be honest, my personal opinion is that this type of scenario, in which the
mail items were deleted by a problem in Exchange Online infrastructure can be
considered as a very rare event or, even non possible.
I mention this possible cause because theoretically we cannot fully rule out this
possibility.
One of the most popular confusion regarding the deleted mail scenario, is related
to the two different scenarios: deleted mail item versus deleted mailbox.
The reason for this confusion is the common denominator the word deleted
and, in addition, both of the scenarios are related to the Exchange infrastructure.
Despite the alleged similarity, these two scenarios are totally different from each
other.
Note In the current article series, we will relate only to the scenario of deleted
mail items and not to the scenario of deleted mailbox.
Calendar item
Note item
Contact item
Mail item
removed. Users can recover the item during this 14-day period by using the
Recover Deleted Items feature in the Outlook Web App or Outlook.
Using this feature eliminates the need for a mailbox restore. If a user manually
purged an item from the Recoverable Items folder, an administrator can recover
the item within the same 14-day window by using the Single Item Recovery feature
and remote Windows PowerShell.
The Single Item Recovery period is 14 days by default, but administrators can
increase this to a maximum of 30 days by using remote Windows PowerShell. To
preserve messages for longer than 30 days, organizations can implement long-term
email preservation or time-based In-Place Holds.
[Source of information: High Availability and Business Continuity]
Litigation Hold
In-Place Hold
In the current article, we will not go into a detailed description of this Exchange
Online option but instead, focus on the Deleted Item retention policy and the
Exchange Online architecture that is used for recovering mail items.
As mentioned in the former section, in the current time Exchange Online doesnt
include a backup solution that could be described as: point on time which will
enable us to restore user mailbox status to a specific point in time.
The Exchange Online Backup solutions are based upon the architecture or the
concept which described as single mail item recovery.
The single mail item recovery concept is implemented by using a set of mailbox
hidden folder that serves as a container for deleted mail items.
This technical name for the set of folders is: Recoverable Items folder. The name
that was chosen by Microsoft for this set of a system folder could mislead because
the name reference a folder (singular) instead of reference this folder as plural.
Note- the former term that was used in the past for describing this set of a folder isdumpster.
We use the term hidden because by default, the user cannot see this set of a
folder as part of his standard folder hierarchy.
We use the term set of folders because the deleted mail item is not saved in a
specific folder but instead in a set of folders. Each of the folders has a specific rule
and purpose.
The backup and restore capabilities of Exchange Online are based on accessing this
folder and pull out the mail items that are stored in this set of folders.
Exchange Online Litigation Hold and Exchange Online In -Place Hold
Exchange Online include two features or components that enable us to extend
the process or saving and recovering a specific mail item.
For example, the Exchange Online default Deleted Item retention policy will keep
deleted mail items in the Recoverable Items folder for 14 days.
When we use the feature of litigation Hold or In-Place Hold we can extend this
limitation to an unlimited number of days.
The litigation Hold or In-Place Hold components enable us to manage the required
policy that we want to set for specific mailbox or, on a set of mailboxes and when
we need to recover data (deleted mail items), enable us to search and recover a
specific mail item.