Date post: | 23-Jul-2016 |
Category: |
Documents |
Upload: | o365infocom |
View: | 225 times |
Download: | 1 times |
Page 1 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Recover deleted mail items – Office
365 | 4#7
In the current article, we will review the four options that we can use for recovering
mail items in the Exchange Online environment.
The available tools for recovering mail items are:
1. Recovering deleted mail items by using Outlook and OWA mail clients.
2. Recovering deleted mail items by using MFCMAPI utility.
3. Recovering deleted mail items by using Exchange In-Place eDiscovery and
Hold.
4. Recovering deleted mail items by using the PowerShell cmdlets Search-
Mailbox and New-MailboxSearch.
The characters of our scenario are as follows:
Page 2 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
An organization user calls us and complain that some of his mail disappeared. We
have implemented our due diligence and perform a mailbox search to verify if the
mail it’s still exists in the user mailbox.
In the current time, we are entering into the phase in which we assume that the
mail item was deleted and we want to check if we the specific mail items are still
“recoverable”.
The two main questions that relate to this scenario are:
Q1: What are the recovery mail methods that are available for us in the Office 365
and Exchange Online environment?
Q2: Does the mail item is still “recoverable” meaning, can we still “save” the deleted
mail item?
The available mail recovery method in Office 365 and Exchange
Online environment
Before we start to dive into the specific details of the recovery mail methods that
we can use it’s important to define a general classification of the mail recovery
methods:
1. Recovery mail method that can be implemented by the user himself (the
mailbox owner)
2. Recovery mail methods that can be implemented only by the Exchange
Online administrator.
For example – every user (mailbox owner) has the ability to recover mail items that
were deleted form to Exchange inbox “Recycle bin” (the Deleted items folder) by
using the OWA or the Outlook option of – Recover Deleted Items.
As mention, the user will have a “grace period” of 14 days in which he can “regret”
and restore mail items that were deleted from the Exchange inbox “Recycle bin”
(the Deleted items folder). In other words – recover from a scenario of Hard
delete.
Note – you can read more information about the term Hard Delete in the section
– Soft delete versus Hard delete
Page 3 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
The scenario in which only the Exchange Administrator can recover mail items are:
1. Hard delete
A scenario in which the user deletes also the mail item that was stored in
the Deletion folder(hard delete). In this case, the mail will be placed in
the Purges folder.
The user doesn’t have access permission to the Purges folder (only the
Exchange Online Administrator can view the content of this folder).
2. Mailbox with Litigation Hold or In-Place Hold
In case that the mailbox was configured with Litigation Hold or In-Place Hold, the
ability to recover deleted mail items older than 14 days (the default Deleted
Item retention policy in Exchange Online is 14 days), only the Exchange Online
administrator has the ability to recover this mail items.
The available tools for recovering mail items
The available tools that we can use for recovering mail items are:
1. In-place eDiscovery
Page 4 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
An Exchange 2013 web-based interface, which enables us to create a query and
search for mail items in a specific mailbox or an array of mailboxes.
(Exchange Online is based on Exchange 2013 architecture).
The in-place eDiscovery Exchange infrastructure is a very powerful tool, that
consisting of different components and, can use for searching and recovering data
from Exchange Online infrastructure and also from other infrastructures such as
SharePoint Online.
2. PowerShell cmdlets
Exchange includes two sets of PowerShell cmdlets that was created for searching +
recovering mail items from a user mailbox:
Search-Mailbox
New-MailboxSearch
Booth of the PowerShell cmdlets: Search-Mailbox and New-MailboxSearch serve
for searching for data (mail items) in Exchange mailbox.
The graphic interface of the Exchange Online eDiscovery that is used for searching
+ recovering mail items from user mailboxes is based on the PowerShell cmdlets –
New-MailboxSearch
In addition, Exchange includes support in “older” PowerShell cmdlets named –
Search-Mailbox.
To oblivious question that could appear is: why do we need two PowerShell cmdlets
that do the same thing?
The answer is that despite the common between this two PowerShell cmdlets, each
PowerShell has different capabilities that the “other” PowerShell cmdlets don’t
have.
Theoretically, the “newer” PowerShell cmdlets – New-MailboxSearch was
supposed to replace or Inherit the former PowerShell cmdlets (the Search-
Mailbox) but, the interesting news is that the PowerShell cmdlets – Search-
Mailbox still have capabilities that are not provided by the newer New-
MailboxSearch PowerShell cmdlets.
Page 5 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
For example, the PowerShell cmdlets Search-Mailbox considers is “older” than the
“new” PowerShell cmdlets: New-MailboxSearch but, the PowerShell cmdlets
Search-Mailbox includes capabilities that the “newer” PowerShell cmdlets don’t
have such as the ability to search and recover mail items only from
the Recoverable Items folder.
If you want to get a detailed review of how to use these PowerShell cmdlets, you
can read the article –Recovering deleted mail items using PowerShell cmdlets
Search-Mailbox | 7#7
3. Mail client (Outlook\OWA)
The mail clients Outlook and OWA, include a built-in option that enables users to
recover mail items. The Outlook\OWA recovery mail items interface enables the
user (the mailbox owner) to view the content of the Deletion folder + recover mail
items. In other words, enable the user to recover mail items from a Soft delete
event.
4. MFCMAPI
The MFCMAPI is a very powerful GUI tool, that enables users (the mailbox owner or
another user that have Full access permission to the mailbox) to have access to the
“behind the scenes” of the mailbox content.
The MFCMAPI tools can provide many capabilities for a variety of troubleshooting
scenarios but in this article, we will review only a very specific capability of
the MFCMAPI -the capability of enabling users to access the “hiding partition”
– Recoverable Items folder.
In the current article, we will review the following methods for recovering mail
items in Exchange Online environment:
Recovery using Outlook and OWA mail client
MFCMAPI
In the article – Using Exchange In-place eDiscovery & Hold for recovering
deleted mail items | 6#7, we will review how to recover mail items using In-
place eDiscovery & Hold
Page 6 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In the article – Recovering deleted mail items using PowerShell cmdlets
Search-Mailbox | 7#7, we will review how to recover mail items using the
PowerShell cmdlets – Search-Mailbox.
Best practices and guideline for recovering deleted mail items
When a user reports that his E-mail “disappeared” the recommended
troubleshooting flow is:
1. Verify if the mail items still exist in the user mailbox – in case that you cannot
find the mail item in the user mailbox, move to the next step.
2. Instruct the user to use the OWA\Outlook built-in option of recovering deleted
items. The ability of the user to recover mail items by themselves, can save
precious time and prevent unnecessary resource allocation for implementing an
“administrative recovery process”.
In simple words – simple is better. If the user manages to recover the mail item
by himself, this is a win-win scenario.
3. Use the “administrative” mail recovery options that exists in an Exchange Online
environment, only when the user doesn’t mange to recover mail by himself.
Page 7 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
1. Recovering deleted mail items by using Outlook and
OWA mail clients.
As mentioned, Outlook and OWA mail clients include a built-in interface that
enables a user to recover mail items.
The Outlook and OWA recovery mail option enable the user to get access to the
hidden subfolder the – Deletion folder.
When we mention the term – “recover mail items by using Outlook\OWA”, the
meaning is the ability to recover Soft deleted mail items.
Note – you can read more information about the subject of Soft deleted in the
section –Soft delete versus Hard delete
1.1 Recovering deleted mail items by using Outlook mail client.
To be able to recover mail items using Outlook, implement the following steps:
Page 8 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Choose the Folder menu
Choose the “Recover deleted items” icon.
In the window that appears, we can see a list of all the deleted items (the
mail items that stored in the Deletion folder).
When choosing the option of “Restore selected items”, the mail item will be
restored back to the Deleted items folder.
When choosing the option of “Purge selected items”, the mail item will be
sent to the Purges folder(Hard delete).
One important concept that I would like to emphasize is that, the process of
recovering deleted mail items doesn’t restore the mail item to the “original folder”
in which the mail item was originally created but instead, to the folder that “host”
the mail item before he was deleted meaning – the Deleted items folder.
For example – a scenario in which user delete a mail item that is stored within a
mailbox folder named: Customers.
When the user deleted the mail, the mail is “moved” to the Deleted items folder. In
case that the mail item was removed (deleted) also from the Deleted items
Page 9 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
folder and, the user decides that he wants to recover the mail item, the recovered
mail items will be restored back to the Deleted items folder and not to the
“original folder” (Customer folder in our scenario).
In the following screenshot, we can see we can see an example in which we recover
a specific mail item.
Page 10 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
After the mail item is successfully restored, we can see that the “new location” of
the mail item is the Deleted items folder.
Page 11 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
1.2 Recovering deleted mail items by using OWA mail client.
The ability to recover a mail item can be implemented also by using the OWA mail
client.
To be able to display the Deleted items folder, choose the More option.
(The OWA default view in an Exchange Online environment is a minimized view
that doesn’t display the Deleted items folder).
Right click on the Deleted items folder
Page 12 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Choose the menu – Recover deleted items …
In the new window that appears, you will be able to see a list of mail items that can
be recovered.
On the right bottom of the screen, you can see the option of: Recover or Purge
Page 13 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Additional reading
Recover deleted items or email in Outlook Web App
2. Recovering deleted mail items by using MFCMAPI
utility.
The MFCMAPI is a very powerful tool that each Exchange administrator should
know.
By using the MFCMAPI tool, we can accomplish tasks and operations, which are not
available through the standard Outlook interface.
The MFCMAPI tool can “do” many things but, in this article, I would like to focus only
on the subject of recovering a mail item by using the MFCMAPI tool.
Page 14 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
One of the most relevant examples for the need to use the MFCMAPI tool is a
scenario of Hard Delete.
Just a quick reminder – the term “Hard Delete”, define a scenario in which the user
(or other element) deletes the mail item from the Deleted items folder + also
purges the mail item from the recovery folder (the Deletion folder).
In this scenario, the mail is relocated or moved to the Purges folder and the
standard Outlook or the OWA mail client interface, doesn’t enable users to get
access to the Purges folder.
In this case, we have a couple of options -the Exchange Administrator can use the
Exchange Online in-place eDiscovery option (a tool that is available via the
Exchange Online web management interface) for searching and recovering the mail
item.
But in a scenario in which we are not able to access the Exchange Online admin
interface or, in a scenario in which a “standard user” doesn’t have the required
administrative right for accessing the Exchange Online in-place eDiscovery, we can
use the powerful ability of the MFCMAPI tool for trying to recover mail items from a
“Hard delete” scenarios.
How to recover mail item using the MFCMAPI tool
In the following section, we will demonstrate the use of the MFCMAPI tool for
recovering mail items of a user named: John.
Our demonstration will include to options that the MFCMAPI tool include for
recovering mail items:
Export the deleted mail items into a mail message format (msg file).
Copy deleted mail items into inbox folder.
The characters of the scenario are as follows:
Our user John, empty his deleted item folder and then, empty also the recovery
mail item folder (Hard Delete).
In this scenario, the deleted mail items are located in the Purges folder and as we
know, the content of this directory is not available in the Outlook view.
Page 15 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
To be able to recover the deleted mail items that is stored in the Purges folder we
will use the MFCMAPI tool. We will use the MFCMAPI tool for “login” to the John
mailbox and then, recover a specific mail item using the Export option and using
the Copy option.
Download and extract the MFCMAPI
Double click MFCMAPI excitable file.
In the welcome screen click OK
Page 16 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Click on the Tools menu and choose Options…
In the windows that appear, choose the following options
o Use the MDB_ONLINE flag when calling OpenMsgStore
o Use the MAPI_NO_CACHE flag when calling OpenEntry
To be able to view the content of the user mailbox we need to login, to John’s
mailbox (the MFCMAPI tool “mimics” Outlook client behavior).
Page 17 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Choose the Session menu and the Logon… menu
In our scenario, we will choose the “John mail profile”
Page 18 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Double-click on the icon that represents John’s mailbox.
Using the MFCMAPI tool, enable us to get a clear view of the physical mailbox
structure.
The most top container is the Root container that includes sub partitions such as:
Recoverable items – this is the Recoverable Items folder.
Page 19 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Top of Information store – this is the “mailbox partition” that contains the
standard mailbox folder that we know such as: inbox, sent items, etc.
To be able to recover the deleted mail items we will click on the Recoverable
items folder.
Page 20 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In the Recoverable items folder, click on the Purges folder.
The MFCMAPI interface is a bit confusing because at first glance, it looks like the
MFCMAPI view of the Purges folder include only binary code.
To be able to view the mail items stored in the Purges folder, we need to double-
click on the Purges folder.
Page 21 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Scenario 1: Export a copy of a deleted mail item
In the first example, we will save a copy of the deleted mail item and save it as a
message file format (msg file).
Choose a specific mail item
Use the right click mouse option and in the menu that appears, choose
the Export message…menu
Page 22 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In the option box: Format to save message, choose the suitable format for your
needs. In our example, we will choose MSG File (UNICODE)
Page 23 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In our example, we will save a copy of the deleted mail item in a folder
named: Recover Mail.
Page 24 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In the windows that appear, click OK
Page 25 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In the windows that appear, click OK
Page 26 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In the following screenshot, we can see the mail item that was saved in the
folder.
Scenario 2: copy the deleted mail item\s to another mailbox folder.
In the following example, we want to use a different option for recovering mail
items.
In this example, we want to restore the mail item to a “dedicated folder” that will be
created and serve for storing the recovered mail item\s.
In our example, before we start that recovery process, we will create a folder
named:
John recover Mail items
Later on, we will copy all the recovered mail items that are stored in the Purges
folder to this folder.
To simplify the instructions, you can follow the steps that were listed in the former
scenario.
When we see the content of the Purges folder, we can choose a specific mail or all
the mail items (CTRL +A) and use the right mouse click.
In this scenario, we will choose the option of: Copy Messages…
Page 27 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Choose the inbox folder and under the inbox folder choose the specific folder
that will be used for saving the copy of the recovered mail items. In our scenario,
we choose the folder named: John recover Mail items
Page 28 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Right click on the folder and choose the menu – Paste…
In our scenario we want to copy the recovered mail items and not move the
recovered mail items. We will not check the option box – Move message instead of
copy
Page 29 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In the following screenshot, we can see the mail item that was recovered.
Page 30 of 30 | Recover deleted mail items - Office 365 | 4#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Additional reading
HOW TO RECOVER DELETED EXCHANGE MAIL IN MICROSOFT OUTLOOK
How to recover missing emails in Office 365
Exchange 2010 Single Item Recovery Architecture