Page 1 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

Recover deleted mail items in the

Exchange Online environment |
introduction | 1#7

The current article is a basic introduction into the subject of recovering mail items
in the Exchange Online based environment.

We will review a couple of common misconceptions that relate to the scenario

in which users report that his mail was deleted.
The need to verify if the scenario is indeed a scenario of deleted mail items.
What are the main causes which could lead into a scenario of mail deletion.

Many of the Office 365 customers are not aware of the options that are available
for them in a scenario in which they need to recover mail items and what are the

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 2 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

built-in limitation of the Exchange Online that realities to the operation of recover
deleted mail items.
The main purpose of this article and the rest of the article series is to help you to
get familiar with the option that are available for you for recovering mail items in
the Exchange Online environment.

Prefix
To be able to get a full thorough understanding on this subject, we will need to be
able to answer a couple of major questions:
Q1: How to relate to an event in which users report that the data is missing from
their mailbox or the need to recover data that was deleted in the past?
Q2: What is the built-in mechanism that Exchange server architecture provides for
dealing with such scenarios?
Q3: What are the available options when we host our mail infrastructure on
Exchange Online based infrastructure (Office 365)?
The answers to this question are spread over a series of six articles.
In other words: if you are looking toward a solution in which you will pick up a
phone to the Exchange Online support team instruct them to solve the problem by
doing some magic and inform the user that everything is OK, you did not come
to the right place!

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 3 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

Q1: So what are you telling me? Do you claim that its not passable to deal with a
scenario in which we need to recover or restore mail for our Exchange Online
users?
A1: My claim is that in Exchange and Exchange Online environment, we can use
the built-in capabilities the Exchange architecture offer for dealing with such
scenarios (recover mail items) such as the architecture of single item recovery or
other Exchange Online services such as Litigation Hold or In-Place Hold.
To be able to provide good answers and good services for our customers, we will
need to know about the available options, the limitations, and the best practices for
dealing with a scenario of missing mail and so on.
The current article
The purposes of the current article are:

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 4 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

Remove the ambiguity of the subject or recovering mail items in Office 365
(Exchange Online) environment.
Review common misconceptions.
Define the terms: My mail disappeared! and Deleted Item retention default
policy.
Review the 11 major causes for deleted mail item scenario.

Exchange Online and common misconceptions

regarding data recover and backup
1. The cloud backup my mail forever!
The source for this misconception is when we read about the high availability of
cloud services (such as Exchange Online) and the insurance that we have
regarded scenarios of DRP (disaster and recovery plan), we automatically translate
this information under the assumption that in a cloud environment, deleted mail
items will always be available for us.
Its a truth that Microsoft has infrastructure for backing up all the customer
information and these backups could serve for restoring data in case of disaster
such as storage corruption, server hardware failure or even a catastrophic event of
complete Data center failure but this ability can be used only for scenarios of
disaster, and not for a scenario of recovering a specific deleted mail item.
Additional reading

Office 365 E1 and E2 plans (Exchange Online Plan 1) Mail Item Recovery
Limitations & Solutions
Office 365 Backup & Recovery

2. When using the Exchange Online archive, my mail is backed up!

The source for this misconception is we are used to associating to term archive
with another term such as backup.
In Exchange Online environment, the main purpose of the Exchange Online archive
is not to back up the user mail items, but instead, improve the Outlook mail client

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 5 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

performance. Mail items that are sent or saved in the Online archive are not saved
to the local OST file (cache mode).
In case that a user deletes mail from the online archive, the mail item will be
deleted like any standard mail item.
3. In a scenario that a user wants to recover mail that was deleted a long
time ago, I could call Microsoft su pport, and they will recover for me the
required information!
Lets make it simple the default Exchange Online deleted mail policy value is 14
days.
In case that a user implemented Hard delete (you can read more information
about Hard delete in the article Recover deleted mail items in the Exchange
Online environment | Deleted mail flow | 3#7) the mail item considers as
recoverable for a period of 14 days.
After this period, the mail item will be lost forever! There is no option for recovering
such as a mail item in the Exchange Online environment.

Office 365 customers who use Exchange Plan 2 license or E3 license can extend the
default deleted item mail policy for a period of 30 days + use the option of Litigation
Hold or In-Place Hold that enable to keep mail items for a longer time period or
forever, but this option cannot be implemented in retrospect.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 6 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

In other words if the Exchange Online administrator didnt activate the described
options in advance, we are still subject to the 14 days rule.
Note

You can read more information about extending the default Deleted Item
retention policy in an Exchange Online environment in the article Recover
deleted mail items in the Exchange Online environment | Deleted mail flow | 3#7
You can read more information about Litigation Hold or In-Place Hold in
Exchange Online environment in the article Exchange In-Place eDiscovery &
Hold | Introduction | 5#7
4. In Exchange Online environment, I can recover the user mailbox to his
original state
False assumption 1 restore the user mailbox snapshot.
Usually, when Exchange Online administrator says that sentence their meaning is
translated to the option of restoring a snapshot of the user mailbox sometimes
refers as point in time in which the user mailbox will behave all the mail items,
and the specific folder structure that the user had in a specific point in time.
The Exchange Online infrastructure doesnt include this option. There is no way to
restore the user mailbox to a specific point in time.
False assumption 2 restore mail items to the original location.
For example, in case that the deleted mail item was located in the inbox folder,
when I use the available option for recovering the specific mail items, it will be
restored to his original folder meaning the inbox folder.
In a recovery scenario in which we use Outlook or OWA mail client for recovering a
mail item, the mail item will be restored to his original folder but not to the folder
that we consider as original.
When we delete a mail item, his original folder become the Deleted items folder
When we restore the mail items from the Recoverable Items folder, the mail item
will be restored to the Deleted items folder and not to the inbox folder

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 7 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

Exchange Online versus Exchange on-Premises

The formal definition of this current article series is reviewing the subject of
recovering mail items in Office 365 based environment meaning Exchange Online
environment.
Despite that, most of the information on the architecture, the logic and the
available tools are almost identical to the Exchange on-Premises infrastructure.
In the current time, the Exchange Online architecture is based on the Exchange
2013 server version.
So, in a scenario that you have Exchange 2013 on-Premises, you will find that most
of the infrastructure, the screenshot and the interfaces are relevant also for the
on-Premises environment.

The cloud deleted my mail

In many of the deleted mail item scenario or in the My mail was disappeared!!
There is a common conspiracy theory described as The cloud deleted my mail
The truth is that there is some logic behind this hypothesis because we all know
that at night, the Tooth Fairy, comes to giving gifts to children have fallen tooth and
the Office 365 deleted mail demon come and delete ruthlessly our Poor users Emails!!!

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 8 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

If you think that Im a little cynical, wait until you hear the complaints I hear from
clients.
The point there is no Tooth Fairy and, no Office 365 deleted mail daemon.
Theoretically, there is a possibility that the causes for the deleted mail item relate in
some way to the Exchange Online infrastructure but, my opinion is that chance for
this scenario is identical to the chance in which you win the grand prize lottery
three weeks in a row.

My mail was disappeared!!

A user calls the help desk support and report that his mail disappeared!!!
In case that the user is a VIP or the user makes a lot of noise, we are entering into a
panic mode and want to be able to find the magic formula that everything returns
to the previous state!

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 9 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

Before we get into the panic state, I would like to present two important questions
1. What is the meaning of my mail?

Does the user relate to a single mail item, a couple of mail items or dozens of
mail items?
When the user says mail items did he means an E-mail message? Calendar
meeting? Contact?
Are there any specific characters in the mail that was disappearing? For
example mail from a specific date range? Mail with a specific subject? Mail
from a specific recipient?

2. What is the meaning of disappeared?

When the user says that his mail disappeared does it mean that the mail was
deleted? Does it mean that the mail exists, but for some reason, he cannot see or
find the specific mail item?

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 10 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

You dont have to act like Sherlock Holmes each time a user reports that his mail
was disappearing, but its crucial that we will have a clear understanding about the
characters of the event.
Before we start to fire in all directions, we need to verify if this is a simple scenario
in which the mail exists, but the user cannot find it or a scenario in which we cannot
locate the specific mail items, and we can assume that the mail can be considered
as deleted

Mail is hidden from the user.

We a user reports that he cannot find his mail, many times the meaning is that the
mail exists, but not where the user expects to find in his mail.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 11 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

For example
1. Drag and drop scenario a scenario in which the user was a drag and drop mail
item\s from their original mail folder to other mail folders without noticing.
Another variation of this scenario could be a scenario in which the user
consciously moves a specific mail item from their original folder to another
folder and over time, he forgot that he changed the original location of the mail
item.
2. Outlook and OWA view Outlook and OWA mail client, enable the user to define
a specific view that serves as a filter that hides a specific mail item.
Many times, when a user reports that he cannot find a specific mail item, the
problem is a specific view that hides the mail item.
3. Synchronization problem for example, a scenario in which users who use
Outlook discovers that he cannot find a specific mail item. The mail item exists in
the Exchange Online mailbox, but for some reason, was not synchronized to the
specific user desktop.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 12 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

The solution
In a scenario in which users report that his mail was
disappeared\deleted\evaporated or any other term, before we start to think about
the worst-case scenario, lets start with a simple search operation.
The best practice is to search for the missing in action mail items by using the
OWA mail client because, when we use the OWA mail client, we eliminate a scenario
in which the problem is related to a synchronization problem.

The 10 major causes for deleted mail item scenario

Lets assume that we have implemented a thorough search in the user mailbox and,
we could not find the mail items that were reported as missing.
In this stage, we have a reasonable basis to believe that the mail was deleted.
In this scenario, a common psychological phenomenon is to find is the element
that is responsible for the mail deletion and only after that, start to see are the
recoverable options that available to us.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 13 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

I will not be able to help you to find the person or the element that deletes the
mail items, but, I can introduce to you some of the common causes for mail
deletion scenario.
1. Mail item that was deleted by the user himself.
Despite that we are not willing to consider this scenario, in real life, the reason for
the deleted mail item could be the user himself.
It doesnt matter if the user deleted the mail in the past and, forgot that he deleted
the mail or the mail was accidentally deleted.
What matters is that we should consider this option before we start to fire in all
directions to seek to blame the environment.
2. Antivirus
Most of the time we relate to Antivirus as an element that was created for
protecting the mailbox data, but in some scenarios, the Antivirus application could
recognize a specific mail as a problematic and decide to delete the mail items or
remove some parts of the mail item such as attachment, etc.
3. Virus or malware
Any type of hostile code that exists on the user desktop or device and manages to
delete mail items.
4. Variety of mail client and mail protocols.
In a modern environment, users access their mailbox form many different devices,
application using a variety of mail protocols and so on.
In this complex environment, its reasonable to assume that the scenario of
deleted mail can be caused by a problem with a specific mail client, specific mail
protocol specific device, etc.
5. Other users who have access to the specific user mailbox.
One of the notable characteristics of the Exchange Online environment is the ability
of sharing resources such as mailbox or calendar.
The scenario in which mail items are deleted, can be caused by users who have
access (permission) to the user mailbox.
The deletion could be considered as deliberate action or mistake but the

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 14 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

important issue is that in case that other users have access to the user mailbox; the
deletion could be related to another user.
6. Outlook add-in or plugin.
The purpose of Outlook add-in or plugin is to do something with the mail items
that existed in the user mailbox. Most of the time, the Outlook add-in or plugin has
unlimited access to the mailbox content and some scenarios; the Outlook add-in or
plugin could decide to delete or remove a specific mail item.
7. Mail Migration and corrupted mail items.
In a scenario in which we migrate our mail infrastructure to Exchange Online, our
basic assumption is that all the mailbox content is migrated to the cloud.
This assumption could be wrong in a scenario in which the original user mailbox
includes a corrupt mail item. In this case, the corrupt mail items will not be
migrated to the Exchange Online mailbox.
In this type of scenario, the user assumes that the mail items are waiting for him in
the mailbox while, in reality, the E-mail was never reached to the Exchange Online
mailbox.
8. Exchange Online Retention policy.
Some organization uses an Exchange retention policy and retention policy tag that
move mail item with a specific age to the archive mailbox or even deletes old mail
items.
In case that your organization uses retention policy, you will need to verify if the
mail item that was reported as disappeared was just moved to the archive
mailbox.
9. Local PST file.
In a scenario in which the user uses a local PST a passable option could be that the
mail item was manually or automatically was moved to the PST store.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 15 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

Or another option is that the mail is stored in PST file that is saved on the specific
user desktop and at the current time, the user uses a different desktop that doesnt
include the PST file.
10. Problem with Exchange Online.
I have added this case as the last case because technically, this scenario could be
an option.
In order to be honest, my personal opinion is that this type of scenario, in which the
mail items were deleted by a problem in Exchange Online infrastructure can be
considered as a very rare event or, even non possible.
I mention this possible cause because theoretically we cannot fully rule out this
possibility.

Recover a deleted mail item versus a scenario of recover

deleted Exchange Online mailbox

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 16 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

One of the most popular confusion regarding the deleted mail scenario, is related
to the two different scenarios: deleted mail item versus deleted mailbox.
The reason for this confusion is the common denominator the word deleted
and, in addition, both of the scenarios are related to the Exchange infrastructure.
Despite the alleged similarity, these two scenarios are totally different from each
other.
Note In the current article series, we will relate only to the scenario of deleted
mail items and not to the scenario of deleted mailbox.

The meaning of mail item

Along with this article series, we will mention many times the term deleted mail
item. Most of the time, the association for the term Mail item is an E-mail
message, that was stored in the user mailbox was deleted.
In Exchange and Exchange Online environment, the term deleted mail item can be
translated to different type of Exchange mailbox items such as:

Calendar item
Note item
Contact item
Mail item

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 17 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

Each of this item considers as mail item.

Default Deleted mail policy in an Exchange Online environment

The meaning of the term Deleted Item retention policy relate to our ability of
recovering mail items that were deleted for a specific period of time.
The default Exchange Online Deleted Item retention policy defines a range of 14
days in which we can recover mail items that was deleted.
We have the ability to extend this default range up to 30 days, but we will need to
use the PowerShell interface for implementing this extension and in addition; we
will need to run the PowerShell command for each new mailbox that will be
created.
The ability to extend the default 14-day limitation is available only to Office 365
customers who purchase E3 or Exchange Plan 2 license.
Note you can read more information about this option in the section Stretching
the Exchange Deleted item policy
Deleted mail item policy | Quotes from public resources
After an item has been removed from the Deleted Items folder, its kept in a
Recoverable Items folder for an additional 14 days before being permanently

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 18 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

removed. Users can recover the item during this 14-day period by using the
Recover Deleted Items feature in the Outlook Web App or Outlook.
Using this feature eliminates the need for a mailbox restore. If a user manually
purged an item from the Recoverable Items folder, an administrator can recover
the item within the same 14-day window by using the Single Item Recovery feature
and remote Windows PowerShell.
The Single Item Recovery period is 14 days by default, but administrators can
increase this to a maximum of 30 days by using remote Windows PowerShell. To
preserve messages for longer than 30 days, organizations can implement long-term
email preservation or time-based In-Place Holds.
[Source of information: High Availability and Business Continuity]

Override the default Deleted Item retention policy

One of the most common questions that are raised by Office 365 customers is the
question about the possibility to save mail items for an unlimited time period.
In other words, override the default Deleted mail item policy
The good news is that Exchange Online offers this option by using one of the
following Exchange Online features:

Litigation Hold
In-Place Hold

The option of Exchange Online Litigation hold or Exchange Online, enables us to

override the default deleted mail items retention policy and enable a
configuration in which we can hold and recover (restore) mail items forever!
The important thing regarding Litigation Hold or In-Place Hold option, is that this
feature exists only when purchasing a specific Exchange Online license:

Exchange Online E3 license

Exchange Plan 2 license

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 19 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

In the current article, we will not go into a detailed description of this Exchange
Online option but instead, focus on the Deleted Item retention policy and the
Exchange Online architecture that is used for recovering mail items.

Mailbox and Backup solution in Office 365 and Exchange Online

environment
The common question among Exchange Online client is the question regarding the
possibility of implementing some kind of user mailbox solutions.
Most of the time, the idea behind the backup \ restore solution is the ability to
restore the user mailbox to a specific point in time. This option described
sometimes as a snapshot because the backup enabled us to capture a snapshot of
the user mailbox and view the mailbox content as at appear at a specific time
during the past.
At the current time, the Exchange Online infrastructure doesnt provide this type of
service.
This type of solutions are provided by third party backup and restores products
that can provide this service in the Exchange Online base environment.

Exchange Online and Recoverable Items Folder

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 20 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

As mentioned in the former section, in the current time Exchange Online doesnt
include a backup solution that could be described as: point on time which will
enable us to restore user mailbox status to a specific point in time.
The Exchange Online Backup solutions are based upon the architecture or the
concept which described as single mail item recovery.
The single mail item recovery concept is implemented by using a set of mailbox
hidden folder that serves as a container for deleted mail items.
This technical name for the set of folders is: Recoverable Items folder. The name
that was chosen by Microsoft for this set of a system folder could mislead because
the name reference a folder (singular) instead of reference this folder as plural.
Note- the former term that was used in the past for describing this set of a folder isdumpster.
We use the term hidden because by default, the user cannot see this set of a
folder as part of his standard folder hierarchy.
We use the term set of folders because the deleted mail item is not saved in a
specific folder but instead in a set of folders. Each of the folders has a specific rule
and purpose.
The backup and restore capabilities of Exchange Online are based on accessing this
folder and pull out the mail items that are stored in this set of folders.
Exchange Online Litigation Hold and Exchange Online In -Place Hold
Exchange Online include two features or components that enable us to extend
the process or saving and recovering a specific mail item.
For example, the Exchange Online default Deleted Item retention policy will keep
deleted mail items in the Recoverable Items folder for 14 days.
When we use the feature of litigation Hold or In-Place Hold we can extend this
limitation to an unlimited number of days.
The litigation Hold or In-Place Hold components enable us to manage the required
policy that we want to set for specific mailbox or, on a set of mailboxes and when

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 21 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

we need to recover data (deleted mail items), enable us to search and recover a
specific mail item.

[Source of information Compare Exchange Online plans]

Additional reading

In Place Hold and Litigation Hold

Recover deleted mail items in the Exchange Online environment |

The article series
The current article series includes six articles.
The reason for writing a series of articles is because there are many aspects that
relate to this subject and many options and solutions that we can implement.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 22 of 22 | Recover deleted mail items in the Exchange Online environment |

introduction | 1#7

Q: Do I need to read all the article series?

A: No, its a Democracy; you dont have to, but if you want to be entitled to the title
recover mail items in Exchange Online MOD (Master Of Disaster) its recommend
reading each of the articles included in this article series.

Written by Eyal Doron | o365info.com | Copyright 2012-2015