Page 1 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted

mail flow | 3#7

Recover deleted mail items in the

Exchange Online environment | Deleted
mail flow | 3#7

In the current article, we will review the following subjects:

The flow of a deleted mail item in an Exchange base environment for a

standard mailbox and for Litigation Hold or In-Place Hold enabled mailbox.
The subject of Deleted Item retention policy, the Exchange server policy that
removes deleted mail items after a specific time period and the ability to extend
the default value.
The meaning of the terms Soft delete versus Hard delete.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 2 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

As Exchange Online administrator, we will need to understand the deleted mail flow
for two major reasons:
1. To be able to prepare in advance, for a business need in which we need to
provide the ability for recovering mail items for a longer period than the
standard 14 days period.
2. To be able to provide the right answer for our users, in a scenario in which our
user asks us to recover for then deleted mail items.
For example, in case that the user report that the mail item was deleted two
months ago and, we did not use the option of Litigation Hold or In-Place Hold, the
answer is that the mail item cannot be recovered!

The Recoverable Items folder and deleted mail item life

cycle
Before we start with the detailed description of the deleted mail item life cycle its
important that we understand the logic of the Recoverable Items folder.
As mention, In Exchange Online environment mail items that were deleted from the
Exchange inbox Recycle bin (the Deleted items folder) will be moved to
the Recoverable Items folder or, if we want to be more specific, to the Deletion
folder.
The main question is: for how long this deleted mail items will be kept in
the Deletion folder?
The answer depends on the specific setting of the Exchange Online mailbox.
Case 1 in case that the mailbox considers as standard mailbox the deleted mail
items will be considered as recoverable for a period of 14 days.
Case 2 in case that the mailbox considers as Exchange Online mailbox with
Litigation Hold or In-Place Hold enabled, the deleted mail items will be considered
as recoverable for a period that will be defined by the Litigation Hold or In-Place
Hold policy (a specific time period longer than 14 days or forever).

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 3 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

The Recoverable Items folder purpose and the relevance for the
subject of deleted mail items.
The Exchange single item recovery architecture and the Recoverable Items
folder can be considered as sophisticated architecture and an infrastructure that
was created for providing many types of services.
In the current article series, we will relate only to the part that relate to the subject
of storing and recovering deleted mail items via the Recoverable Items folder.
By default, the Recoverable Items folder can help us to deal with a scenario of
Soft deleted and Hard delete for a period of 14 days. This limitation is dictated by
the Deleted Item retention policy.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 4 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

The Exchange architecture provides a tool that will enable us to bypass the
limitation that is imposed by the Deleted Item retention policy for a specific user
mailbox or for multiple mailboxes.
The name of the Exchange mechanism that enable us to bypass the limitation
described as Litigation Hold or In-Place Hold.

Recoverable Items folder, Litigation Hold and, In-Place

Hold
One of the most confusing and unclear subject in the Exchange server architecture
is the subject of Litigation Hold and In-Place Hold.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 5 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

In the current article, we will not dive into a detailed description of these
components.

To simplify the understanding Exchange Litigation Hold and In-Place Hold, we can
relate to these components as a tool or mechanism that unable to use to override
the values of the Exchange Deleted Item retention policy that is applied on the
Exchange mailboxes.
For example the default Exchange Online Deleted Item retention value is 14
days.
By using the option of Litigation Hold or In-Place Hold, we can set a
different Deleted Item retention policy to specific Exchange users.
For example, when we apply Litigation Hold and In-Place Hold to a specific mailbox,
we can decide what will be the value of the Deleted Item retention policy.
We can set the value of the Deleted Item retention policy to months, years or
even forever.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 6 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

Litigation Hold versus In-Place Hold

The Litigation Hold mechanism is applied for all of the items in a specific mailbox
such as calendar items, contact items mail items etc.
The option of In-Place Hold enables us to define more refined deleted mail item
policy.
For example, we can decide to apply the -Place Hold only to calendar items from a
specific date, etc.
In reality, the difference between Litigation Hold and In-Place Hold is much more
comprehensive but for our purpose, we can be satisfied with this simple
explanation.

Deleted mail item flow and Life Cycle

To be able to unveil the mystery of the Recoverable Items folder, lets review the
object of Deleted mail item flow and Life Cycle.
We can classify the different deleted mail items scenarios in Exchange
environment to two major groups:
1. Standard mailbox Exchange mailbox that is subject to the default Deleted
Item retention policy.
2. Exchange mailbox with a Litigation Hold or In-Place Hold enabled an Exchange
mailbox that is not subject to the default Deleted Item retention policy.
Instead, have a special or dedicated Deleted Item retention policy.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 7 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

What is the Exchange Deleted Item retention policy?

The term Deleted Item retention policy define an Exchange process that can
be described as garbage collection of non-relevant objects (mail items).

Technically speaking, when a user decides to delete a specific mail item, the
meaning is that the mail item is not relevant or not needed for the user.
When a user deletes mail item, the mail item is not acutely deleted but instead,
moved or relocated to a new folder the Deleted items folder.
Technically speaking, the user doesnt need to empty or clean the Deleted items
folder. In case that an Exchange user doesnt bother to empty the Deleted items
folder, the deleted mail item will stay in the Deleted items folder forever.
The only disadvantage for not emptying the Deleted items folder is that the
deleted mail item considers as part of the user mailbox quota and over time, the
deleted mail items will consume a significant part from the user mailbox quota.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 8 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

So lets assume that for this reason and for a proper management of mailbox data,
the user decides to empty the content of the Deleted items folder.

The questions now are:

Q1: What happened to the mail items that were deleted from Deleted items
folder? Are they lost forever?
A1: When the user empties the Deleted items folder (delete mail items that were
saved in the Deleted items folder) the mail items are not deleted but instead,
moved or
re located, to an additional folder named: Deletion (one of the folders that are
include in the Recoverable Items folder).
Q2: Can the user access the content of the Deletion folder?
A2: The answer is yes. For example, Outlook user, can choose the option- recover
deleted items. This option will enable him to view the content of
the Deletion folder. The user will see a list of the mail items, that was deleted from
the Deleted items folder.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 9 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

Q3: Is there any time limitation for the mail items that are saved to
the Deletion folder?
A3: Yes there is. The Exchange component that dictates for how long the mail items
will be saved in the Deletion folder is the Deleted Item retention policy.
By default, the Deleted Item retention policy is configured so keep mail items in
the Deletion folder for a period of 14 days.
In Exchange on-Premises environment, the Exchange administrator can configure
the default value of the Deleted Item retention policy to any desired period.
In Exchange Online environment, the default value of the Deleted Item
retention can be extended over to a maximum period of 30 days.
The reason for this time limitation that are being enforced by the Deleted Item
retention is the process that I described as: garbage collection.
The Exchange server, need to manage the user mailbox data effectively.
The meaning verify that the user mailbox will be restricted to a predefined
amount of storage and that this storage will be managed in an effective manner.
new deleted mail items will be saved and old deleted mail items will be removed
(deleted).
Q: What is the Exchange Deleted Item retention policy?
A: The Deleted item policy is an Exchange server policy, which attached to the
Recoverable Items Folder.
The purpose of the Deleted item policy is to optimize the management of
the Recoverable Items folder partition.
By default, the Recoverable Items folder partition serve as a temporary storage for
deleted mail items.
The Recoverable Items folder storage, provide a grace period, in which users can
regret and recover mail items although the mail was deleted from the inbox
Recycle bin (the Deleted items folder).

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 10 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

The Exchange Deleted Item retention policy serves as a gatekeeper or as the

Exchange janitor, that help the Exchange to manage his storage effectively by
keeping the Recoverable Items folder neat and tidy.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 11 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

Q1: Does Exchange Online graphic management interface includes an option for
change the default value of the Deleted Item retention policy?
A1: No, the only way for extend the default value of the Deleted Item
retention policy to a time period of 30 days, is by using a PowerShell command.
The process or running the PowerShell command, will be needed to be
implemented for each new Exchange Online mailbox that will be created in the
future.
In the following screenshot, we can see the interface that is available when using
Exchange on-Premises 2010 version. The value of the Deleted Item retention is
set by the database level under the section of Keep deleted items for(Days):

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 12 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

Q2: What will happen to a deleted mail item after 14 days?

A2: Exchange server will permanently delete all the mail items that save in
the Deletion folder that their age is over 14 days.
Q3: Is there any way for recovering mail items that were deleted from
the Deletion folder?
A3: No, there is no way!
Q4: Is there any way for extending the Deleted Item retention policy for a longer
period of for unlimited time?
Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 13 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

A4: Yes, Exchange Online and Exchange on-Premises server (Exchange version
2013) support two types of solutions that enable us to override the limitation
that is opposed by the
Deleted Item retention policy.
The available options are:
Exchange litigation Hold
In-Place Hold
When using one of this option, we are removing the time limitation that applied
on the deleted mail items that stored in the Deletion folder and the Purges folder.

Soft delete versus Hard delete.

Before we continue, I would like to briefly review two terms that relate to the flow
of the deleted mail item Soft delete and Hard delete.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 14 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

Soft Delete
When a user deletes a file and then, delete the file from the Deleted items folder,
the operation considered as Soft Delete.
We use the term Soft because although the mail items were deleted from
the Deleted items folder, the file is not really deleted.
The user still of an option to recover the mail item by himself for a period of 14
days.
The operation of Soft Delete can be implemented by using the keyboard key
combination: SHIFT + DEL.
When select mail item and press on the combination keyboard key SHIFT + DEL,
the deletion bypass the step in which the mail item sent to the Deleted items
folder and instead, the mail item sent directly to the Deletion folder.
Hard Delete
The term Hard Delete define a scenario in which the user access the content of
the Deletion folder (the folder that store mail items that were deleted from
the Deleted items folder) and, delete the mail item\s that store in this folder.
Theoretically, we can assume that is this scenario the mail item is lost forever but
in reality, although the user deletes the mail item\s from the Deletion folder the
mail item is not deleted but instead, relocated to the Purges folder.
We use the term hard because in this scenario, the user lost his ability to recover
the mail item by himself.
Only the Exchange administrator has access to the Purges folder and, only the
Exchange administrator can recover mail items that stored in this folder.
Note an exception for this rule that enables standard user to access
the Purges folder is a utility named MFCMAPI, which we will review in the next
section.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 15 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

General thoughts about Soft delete and Hard delete.

User (mailbox owner) have the ability to implement an event of:
1. Standard mail item deletion
2. Soft delete
3. Hard delete
The Outlook\OWA mail client enables a user to recover mail items in a scenario of
1. Standard mail item deletion
2. Soft delete
The Outlook\OWA mail client doesnt include an option that enables users to
recover mail items in a scenario of Hard delete, in which the mail item was moved
to the Purges folder (or to the DiscoveryHolds folder in case that we use the
option of In-Place Hold).

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 16 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

Deleted mail item flow scenarios

To understand better the purpose and that way that Recoverable Items
folder work, lets review three scenarios of deleted mail item flow in an
Exchange based environment.
To demonstrate the deleted mail item flow we will review three different
scenarios:

Scenario 1: Standard Exchange mailbox

Scenario 2: Exchange mailbox with Litigation Hold enabled
Scenario 3: Exchange mailbox with In-Place Hold enabled
Scenario 1: standard user mailbox (no use of Litigation Hold or In Place Hold)
Step 1 user decides to delete a specific mail item. The mail item is moved to
the Deleted items folder.
Step 2 the user decides to empty the Deleted items folder and delete all the mail
items that existed.
The mail items are not deleted but instead relocated to the Recoverable Items
folder partition, to the Deletion folder.
The mail item will be kept in the Deletion folder for a period of 14 days. At the end
of the period of 14 days, all the mail item that are older then 14 days will be will
be permanently deleted.
Step 3 as mention, each user has an access to the content of
the Deletion folder when using the option of recover deleted items. In case that
the user decides to empty the content of the Deletion folder, the mail item is
relocated and placed on the Purges folder.
The mail item will be kept in the Purges folder for a period of X days until the age
of the mail items is more than 14 days.
At the end of the period of 14 days, all the mail item that are older then 14 days
will be will be permanently deleted.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 17 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

We use the term X days because, we dont know what was the age of the mail that
is located in the Deletion folder.
For example in a scenario in which the mail item age that is located in the
Deletion folder is four days when the user deletes the mail item, the mail item will
be relocated and saved to the Purges folder for a period to 10 days.
The reason for the 10 days period is that by default the Deleted Item
retention define the range of 14 days for the Deletion folder +
the Purges folder

Scenario 2: Exchange mailbox with Litigation Hold enabled

The option of Exchange Litigation Hold enables us to set a different value for the
deleted mail items stored in the Recoverable Items folder that is different than
the value of the Deleted Item retention policy.
When using the option if Litigation Hold, we are able to block the Deleted Item
retention policy that is applied on the Purges folder.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 18 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

As mention, by default mail items within the Purges folder will be saved up to a
maximum period of 14 days.
When using the option of Litigation Hold, Exchange administrator can decide about
the time period in which the deleted mail items will be saved to the Purges folder.
The time period could be defined a specific value for the number of days or can
be set for an unlimited time period (for forever).
Note the ability to use the Litigation Hold depend on the specific license that is
assigned to the Office 365 user. Only when using Office 365 plan E3 license or
Exchange license plan 2, the option of Litigation Hold is available.
The deleted mail flow in a scenario of Exchange mailbox with Litigation Hold
enabled is almost identical to the former scenario of standard mailbox.
The main difference is that now; the Exchange administrator could recover deleted
mail items locate in the Purges folder for the time period that was defined in the
Litigation Hold policy.
For example in case that the Litigation Hold policy for the mail box was defined
with a value of 3,000 days. The Exchange administrator will have the ability to
recover deleted mail items that their age is up to 3,000 days.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 19 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

Scenario 3: Exchange mailbox with In -Place Hold enabled

The option of In-Place Hold, is similar to the Exchange Online option of Litigation
Hold.
We will not review in details the differences between these two methods but
instead, just mention that the Exchange method of In-Place Hold, consider as more
advanced mechanism, that has more options and capabilities versus the Exchange
Litigation Hold.
The main difference between a scenario in which In-Place Hold is enabled versus
Litigation Hold is that when we use the option of In-Place Hold, a new folder
named:
DiscoveryHolds folder is added to the hierarchy of the Recoverable Items folder.
When the Exchange Online mailbox configure as In-Place Hold is enabled, the
logic of the deleted mail items flow is implemented as follows:

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 20 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

Step 1 user decides to delete a specific mail item. The mail item is moved to
the Deleted items folder.
Step 2 the user decides to empty the Deleted items folder and delete all the mail
items that exist in this folder.
The mail items are not deleted but instead relocated to the Recoverable Items
folder partition, to the Deletion folder.
The mail item will be kept in the Deletion folder for a period of 14 days. At the end
of the period of 14 days, all the mail item that are older then 14 days will be will
be moved to the DiscoveryHolds folder.
Step 3 In case that the user empty the content of the Deletion folder, the mail
is relocated and placed Immediately in the DiscoveryHolds folder.
The Exchange administrator will have the ability to access the content of
the DiscoveryHolds folder and recover\restore mail items, based upon the time
period value that was set by the In-Place Hold and based on the In-Place Hold
terms that was defend.
For example in case that the In-Place Hold policy that was applied to the user
mailbox define to hold only calendar mal items for unlimited time period, the
Exchange administrator will have the ability to recover deleted mail item that
consider as calendar mal items for unlimited time period but this ability, could
not be implemented for other type of mail items such as contact mail item, note
mail items and so on.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 21 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

Recoverable Items Folder and Mailbox quota

Each time when a new Exchange mailbox is created, Exchange allocates a dedicated
storage quota for the Recoverable Items folder.
The quota that is allocated to the user mailbox is not affected in any way by the
quota that allocated to the Recoverable Items folder.
In Exchange Online environment, each mailbox has a storage limit of 50 GB and
additional
30 GB storage allocated for the Recoverable Items folder.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 22 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

When we apply Litigation Hold or In-Place Hold for an Exchange Online mailbox,
Exchange Online, automatically extend the Recoverable Items folder quota size to
100 GB.
To demonstrate the subject of Recoverable Items folder and mailbox quota, lets
use the following example.
John is an Exchange Online user who has a standard mailbox.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 23 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

To be able to see the default size of the Recoverable Items folder partition, we will
use the following PowerShell command:
Get-Mailbox John | fl Recoverable*
In the following screenshot, we can see that Exchange Online allocate a dedicated
quota for the Recoverable Items folder that described as RecoverableItemsquota
We can see that the default Recoverable Items folder quota is 30 GB

After we have assigned the option of Litigation Hold to John mailbox and, run again
the same PowerShell command, we can see that the Recoverable Items
folder quota is 100 GB

Stretching the Exchange Deleted item policy

In Exchange on-Premises environment, Exchange administrator can decide how to
set the default value of the Deleted Item retention.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 24 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

In Exchange Online environment, the default value of the Deleted item policy is set
to 14 days.
For Office 365 customers who have purchased Office 365 business license, this
value cannot be updated into higher value.
For Office 365 customers who have purchased Office 365 Enterprise E1, E3, E4
licenses or Exchange plan 2 license, Exchange Online administrator have the
privilege to extend the default value up to 30 days.
The ability to starch the value of the Deleted Item retention policy is
implemented by using PowerShell command.

The property that represent the value of the Deleted Item retention policy is
RetainDeletedItemsFor

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 25 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

In the following screenshot, we can see we can see an example to the default value
of the Deleted item policy.
The value of the property RetainDeletedItemsFor is 14 days.

To change this value of the Deleted Item retention policy, we can use a
PowerShell command.
For example, to extend the Deleted Item retention policy of John mailbox up to
30 days, we can use the following PowerShell command:
Get-Mailbox John| Set-Mailbox -SingleItemRecoveryEnabled $True -RetainDele
tedItemsFor 30
In the following screenshot, we can see that the value of
the RetainDeletedItemsFor was updated in now the value is: 30 days.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 26 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7

In case that we want to test this Hard limit, lets use the PowerShell with a value
greater than 30 days.
In the following example, we try to use the PowerShell command with a value of 31
days.
The result is the following error:
The operation on mailbox John failed because its out of the current users write
scope. The value of properties RetainDeletedItemsFor exceeds the maximum
allowed for user John with license BPOS_S_Enterprise.

In case that we want to extend the value of the Deleted Item retention policy for
all of the Exchange Online users, we can use the following PowerShell command:
Get-Mailbox | Set-Mailbox -SingleItemRecoveryEnabled $True -RetainDeletedI
temsFor 30
Additional reading

Configure Deleted Item retention and Recoverable Items quotas

Change the deleted item retention period for a mailbox in Exchange Online
Single Item Recovery in Exchange Server 2010

Written by Eyal Doron | o365info.com | Copyright 2012-2015