Page 1 of 30 | Recover deleted mail items - Office 365 | 4#7

Recover deleted mail items Office

365 | 4#7

In the current article, we will review the four options that we can use for recovering
mail items in the Exchange Online environment.
The available tools for recovering mail items are:
1. Recovering deleted mail items by using Outlook and OWA mail clients.
2. Recovering deleted mail items by using MFCMAPI utility.
3. Recovering deleted mail items by using Exchange In-Place eDiscovery and
Hold.
4. Recovering deleted mail items by using the PowerShell cmdlets SearchMailbox and New-MailboxSearch.
The characters of our scenario are as follows:

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 2 of 30 | Recover deleted mail items - Office 365 | 4#7

An organization user calls us and complain that some of his mail disappeared. We
have implemented our due diligence and perform a mailbox search to verify if the
mail its still exists in the user mailbox.
In the current time, we are entering into the phase in which we assume that the
mail item was deleted and we want to check if we the specific mail items are still
recoverable.
The two main questions that relate to this scenario are:
Q1: What are the recovery mail methods that are available for us in the Office 365
and Exchange Online environment?
Q2: Does the mail item is still recoverable meaning, can we still save the deleted
mail item?

The available mail recovery method in Office 365 and Exchange

Online environment
Before we start to dive into the specific details of the recovery mail methods that
we can use its important to define a general classification of the mail recovery
methods:
1. Recovery mail method that can be implemented by the user himself (the
mailbox owner)
2. Recovery mail methods that can be implemented only by the Exchange
Online administrator.
For example every user (mailbox owner) has the ability to recover mail items that
were deleted form to Exchange inbox Recycle bin (the Deleted items folder) by
using the OWA or the Outlook option of Recover Deleted Items.
As mention, the user will have a grace period of 14 days in which he can regret
and restore mail items that were deleted from the Exchange inbox Recycle bin
(the Deleted items folder). In other words recover from a scenario of Hard
delete.
Note you can read more information about the term Hard Delete in the section
Soft delete versus Hard delete

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 3 of 30 | Recover deleted mail items - Office 365 | 4#7

The scenario in which only the Exchange Administrator can recover mail items are:
1. Hard delete
A scenario in which the user deletes also the mail item that was stored in
the Deletion folder(hard delete). In this case, the mail will be placed in
the Purges folder.
The user doesnt have access permission to the Purges folder (only the
Exchange Online Administrator can view the content of this folder).
2. Mailbox with Litigation Hold or In-Place Hold
In case that the mailbox was configured with Litigation Hold or In-Place Hold, the
ability to recover deleted mail items older than 14 days (the default Deleted
Item retention policy in Exchange Online is 14 days), only the Exchange Online
administrator has the ability to recover this mail items.

The available tools for recovering mail items

The available tools that we can use for recovering mail items are:
1. In-place eDiscovery

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 4 of 30 | Recover deleted mail items - Office 365 | 4#7

An Exchange 2013 web-based interface, which enables us to create a query and

search for mail items in a specific mailbox or an array of mailboxes.
(Exchange Online is based on Exchange 2013 architecture).
The in-place eDiscovery Exchange infrastructure is a very powerful tool, that
consisting of different components and, can use for searching and recovering data
from Exchange Online infrastructure and also from other infrastructures such as
SharePoint Online.
2. PowerShell cmdlets
Exchange includes two sets of PowerShell cmdlets that was created for searching +
recovering mail items from a user mailbox:

Search-Mailbox
New-MailboxSearch

Booth of the PowerShell cmdlets: Search-Mailbox and New-MailboxSearch serve

for searching for data (mail items) in Exchange mailbox.
The graphic interface of the Exchange Online eDiscovery that is used for searching
+ recovering mail items from user mailboxes is based on the PowerShell cmdlets
New-MailboxSearch
In addition, Exchange includes support in older PowerShell cmdlets named
Search-Mailbox.
To oblivious question that could appear is: why do we need two PowerShell cmdlets
that do the same thing?
The answer is that despite the common between this two PowerShell cmdlets, each
PowerShell has different capabilities that the other PowerShell cmdlets dont
have.
Theoretically, the newer PowerShell cmdlets New-MailboxSearch was
supposed to replace or Inherit the former PowerShell cmdlets (the SearchMailbox) but, the interesting news is that the PowerShell cmdlets SearchMailbox still have capabilities that are not provided by the newer NewMailboxSearch PowerShell cmdlets.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 5 of 30 | Recover deleted mail items - Office 365 | 4#7

For example, the PowerShell cmdlets Search-Mailbox considers is older than the
new PowerShell cmdlets: New-MailboxSearch but, the PowerShell cmdlets
Search-Mailbox includes capabilities that the newer PowerShell cmdlets dont
have such as the ability to search and recover mail items only from
the Recoverable Items folder.
If you want to get a detailed review of how to use these PowerShell cmdlets, you
can read the article Recovering deleted mail items using PowerShell cmdlets
Search-Mailbox | 7#7
3. Mail client (Outlook\OWA)
The mail clients Outlook and OWA, include a built-in option that enables users to
recover mail items. The Outlook\OWA recovery mail items interface enables the
user (the mailbox owner) to view the content of the Deletion folder + recover mail
items. In other words, enable the user to recover mail items from a Soft delete
event.
4. MFCMAPI
The MFCMAPI is a very powerful GUI tool, that enables users (the mailbox owner or
another user that have Full access permission to the mailbox) to have access to the
behind the scenes of the mailbox content.
The MFCMAPI tools can provide many capabilities for a variety of troubleshooting
scenarios but in this article, we will review only a very specific capability of
the MFCMAPI -the capability of enabling users to access the hiding partition
Recoverable Items folder.
In the current article, we will review the following methods for recovering mail
items in Exchange Online environment:

Recovery using Outlook and OWA mail client

MFCMAPI
In the article Using Exchange In-place eDiscovery & Hold for recovering
deleted mail items | 6#7, we will review how to recover mail items using Inplace eDiscovery & Hold

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 6 of 30 | Recover deleted mail items - Office 365 | 4#7

In the article Recovering deleted mail items using PowerShell cmdlets

Search-Mailbox | 7#7, we will review how to recover mail items using the
PowerShell cmdlets Search-Mailbox.

Best practices and guideline for recovering deleted mail items

When a user reports that his E-mail disappeared the recommended
troubleshooting flow is:
1. Verify if the mail items still exist in the user mailbox in case that you cannot
find the mail item in the user mailbox, move to the next step.
2. Instruct the user to use the OWA\Outlook built-in option of recovering deleted
items. The ability of the user to recover mail items by themselves, can save
precious time and prevent unnecessary resource allocation for implementing an
administrative recovery process.
In simple words simple is better. If the user manages to recover the mail item
by himself, this is a win-win scenario.
3. Use the administrative mail recovery options that exists in an Exchange Online
environment, only when the user doesnt mange to recover mail by himself.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 7 of 30 | Recover deleted mail items - Office 365 | 4#7

1. Recovering deleted mail items by using Outlook and

OWA mail clients.
As mentioned, Outlook and OWA mail clients include a built-in interface that
enables a user to recover mail items.
The Outlook and OWA recovery mail option enable the user to get access to the
hidden subfolder the Deletion folder.
When we mention the term recover mail items by using Outlook\OWA, the
meaning is the ability to recover Soft deleted mail items.
Note you can read more information about the subject of Soft deleted in the
section Soft delete versus Hard delete

1.1 Recovering deleted mail items by using Outlook mail client.

To be able to recover mail items using Outlook, implement the following steps:

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 8 of 30 | Recover deleted mail items - Office 365 | 4#7

Choose the Folder menu

Choose the Recover deleted items icon.
In the window that appears, we can see a list of all the deleted items (the
mail items that stored in the Deletion folder).
When choosing the option of Restore selected items, the mail item will be
restored back to the Deleted items folder.
When choosing the option of Purge selected items, the mail item will be
sent to the Purges folder(Hard delete).

One important concept that I would like to emphasize is that, the process of
recovering deleted mail items doesnt restore the mail item to the original folder
in which the mail item was originally created but instead, to the folder that host
the mail item before he was deleted meaning the Deleted items folder.
For example a scenario in which user delete a mail item that is stored within a
mailbox folder named: Customers.
When the user deleted the mail, the mail is moved to the Deleted items folder. In
case that the mail item was removed (deleted) also from the Deleted items
Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 9 of 30 | Recover deleted mail items - Office 365 | 4#7

folder and, the user decides that he wants to recover the mail item, the recovered
mail items will be restored back to the Deleted items folder and not to the
original folder (Customer folder in our scenario).

In the following screenshot, we can see we can see an example in which we recover
a specific mail item.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 10 of 30 | Recover deleted mail items - Office 365 | 4#7

After the mail item is successfully restored, we can see that the new location of
the mail item is the Deleted items folder.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 11 of 30 | Recover deleted mail items - Office 365 | 4#7

1.2 Recovering deleted mail items by using OWA mail client.

The ability to recover a mail item can be implemented also by using the OWA mail
client.

To be able to display the Deleted items folder, choose the More option.
(The OWA default view in an Exchange Online environment is a minimized view
that doesnt display the Deleted items folder).

Right click on the Deleted items folder

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 12 of 30 | Recover deleted mail items - Office 365 | 4#7

Choose the menu Recover deleted items

In the new window that appears, you will be able to see a list of mail items that can
be recovered.
On the right bottom of the screen, you can see the option of: Recover or Purge

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 13 of 30 | Recover deleted mail items - Office 365 | 4#7

Additional reading

Recover deleted items or email in Outlook Web App

2. Recovering deleted mail items by using MFCMAPI

utility.
The MFCMAPI is a very powerful tool that each Exchange administrator should
know.
By using the MFCMAPI tool, we can accomplish tasks and operations, which are not
available through the standard Outlook interface.
The MFCMAPI tool can do many things but, in this article, I would like to focus only
on the subject of recovering a mail item by using the MFCMAPI tool.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 14 of 30 | Recover deleted mail items - Office 365 | 4#7

One of the most relevant examples for the need to use the MFCMAPI tool is a
scenario of Hard Delete.
Just a quick reminder the term Hard Delete, define a scenario in which the user
(or other element) deletes the mail item from the Deleted items folder + also
purges the mail item from the recovery folder (the Deletion folder).
In this scenario, the mail is relocated or moved to the Purges folder and the
standard Outlook or the OWA mail client interface, doesnt enable users to get
access to the Purges folder.
In this case, we have a couple of options -the Exchange Administrator can use the
Exchange Online in-place eDiscovery option (a tool that is available via the
Exchange Online web management interface) for searching and recovering the mail
item.
But in a scenario in which we are not able to access the Exchange Online admin
interface or, in a scenario in which a standard user doesnt have the required
administrative right for accessing the Exchange Online in-place eDiscovery, we can
use the powerful ability of the MFCMAPI tool for trying to recover mail items from a
Hard delete scenarios.

How to recover mail item using the MFCMAPI tool

In the following section, we will demonstrate the use of the MFCMAPI tool for
recovering mail items of a user named: John.
Our demonstration will include to options that the MFCMAPI tool include for
recovering mail items:

Export the deleted mail items into a mail message format (msg file).
Copy deleted mail items into inbox folder.

The characters of the scenario are as follows:

Our user John, empty his deleted item folder and then, empty also the recovery
mail item folder (Hard Delete).
In this scenario, the deleted mail items are located in the Purges folder and as we
know, the content of this directory is not available in the Outlook view.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 15 of 30 | Recover deleted mail items - Office 365 | 4#7

To be able to recover the deleted mail items that is stored in the Purges folder we
will use the MFCMAPI tool. We will use the MFCMAPI tool for login to the John
mailbox and then, recover a specific mail item using the Export option and using
the Copy option.

Download and extract the MFCMAPI

Double click MFCMAPI excitable file.
In the welcome screen click OK

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 16 of 30 | Recover deleted mail items - Office 365 | 4#7

Click on the Tools menu and choose Options

In the windows that appear, choose the following options

o Use the MDB_ONLINE flag when calling OpenMsgStore
o Use the MAPI_NO_CACHE flag when calling OpenEntry

To be able to view the content of the user mailbox we need to login, to Johns
mailbox (the MFCMAPI tool mimics Outlook client behavior).

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 17 of 30 | Recover deleted mail items - Office 365 | 4#7

Choose the Session menu and the Logon menu

In our scenario, we will choose the John mail profile

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 18 of 30 | Recover deleted mail items - Office 365 | 4#7

Double-click on the icon that represents Johns mailbox.

Using the MFCMAPI tool, enable us to get a clear view of the physical mailbox
structure.
The most top container is the Root container that includes sub partitions such as:

Recoverable items this is the Recoverable Items folder.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 19 of 30 | Recover deleted mail items - Office 365 | 4#7

Top of Information store this is the mailbox partition that contains the
standard mailbox folder that we know such as: inbox, sent items, etc.

To be able to recover the deleted mail items we will click on the Recoverable
items folder.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 20 of 30 | Recover deleted mail items - Office 365 | 4#7

In the Recoverable items folder, click on the Purges folder.

The MFCMAPI interface is a bit confusing because at first glance, it looks like the
MFCMAPI view of the Purges folder include only binary code.
To be able to view the mail items stored in the Purges folder, we need to doubleclick on the Purges folder.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 21 of 30 | Recover deleted mail items - Office 365 | 4#7

Scenario 1: Export a copy of a deleted mail item

In the first example, we will save a copy of the deleted mail item and save it as a
message file format (msg file).

Choose a specific mail item

Use the right click mouse option and in the menu that appears, choose
the Export messagemenu

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 22 of 30 | Recover deleted mail items - Office 365 | 4#7

In the option box: Format to save message, choose the suitable format for your
needs. In our example, we will choose MSG File (UNICODE)

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 23 of 30 | Recover deleted mail items - Office 365 | 4#7

In our example, we will save a copy of the deleted mail item in a folder
named: Recover Mail.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 24 of 30 | Recover deleted mail items - Office 365 | 4#7

In the windows that appear, click OK

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 25 of 30 | Recover deleted mail items - Office 365 | 4#7

In the windows that appear, click OK

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 26 of 30 | Recover deleted mail items - Office 365 | 4#7

In the following screenshot, we can see the mail item that was saved in the
folder.

Scenario 2: copy the deleted mail item \s to another mailbox folder.

In the following example, we want to use a different option for recovering mail
items.
In this example, we want to restore the mail item to a dedicated folder that will be
created and serve for storing the recovered mail item\s.
In our example, before we start that recovery process, we will create a folder
named:
John recover Mail items
Later on, we will copy all the recovered mail items that are stored in the Purges
folder to this folder.
To simplify the instructions, you can follow the steps that were listed in the former
scenario.
When we see the content of the Purges folder, we can choose a specific mail or all
the mail items (CTRL +A) and use the right mouse click.
In this scenario, we will choose the option of: Copy Messages

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 27 of 30 | Recover deleted mail items - Office 365 | 4#7

Choose the inbox folder and under the inbox folder choose the specific folder
that will be used for saving the copy of the recovered mail items. In our scenario,
we choose the folder named: John recover Mail items

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 28 of 30 | Recover deleted mail items - Office 365 | 4#7

Right click on the folder and choose the menu Paste

In our scenario we want to copy the recovered mail items and not move the
recovered mail items. We will not check the option box Move message instead of
copy

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 29 of 30 | Recover deleted mail items - Office 365 | 4#7

In the following screenshot, we can see the mail item that was recovered.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 30 of 30 | Recover deleted mail items - Office 365 | 4#7

Additional reading

HOW TO RECOVER DELETED EXCHANGE MAIL IN MICROSOFT OUTLOOK

How to recover missing emails in Office 365
Exchange 2010 Single Item Recovery Architecture

Written by Eyal Doron | o365info.com | Copyright 2012-2015