Recover deleted emails in Microsoft 365

A challenge for businesses supporting the hybrid workforce and cloud environments is recovering data that has been accidentally or intentionally deleted. Let's look at processes to recover recently deleted emails and emails that have aged past the 30-day threshold for deletions.

Author
Recent Posts

Brandon Lee

Brandon Lee has been in the IT industry 15+ years and focuses on networking and virtualization. He contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Latest posts by Brandon Lee (see all)

Docker logs tail: Troubleshoot Docker containers with real-time logging - Wed, Sep 13 2023
dsregcmd: Troubleshoot and manage Azure Active Directory (Microsoft Entra ID) joined devices - Thu, Aug 31 2023
Ten sed command examples - Wed, Aug 23 2023

When an end user deletes an email message using a regular delete (not SHIFT+DELETE), the email message is moved from the Inbox or other folders to the Deleted Items folder. This allows users to quickly move a message that was accidentally deleted back to their Inbox. This is a self-service process that doesn't require the intervention of IT staff.

Deleted Items folder containing deleted email items

When a user empties the Deleted Items folder or SHIFT+DELETEs an email, these go into a special folder located at Recoverable Items > Deletions. The same happens when you right-click the Deleted Items folder and choose Empty Folder. When emails are moved here, there is still an opportunity to recover the items, as we will see.

Emptying the Deleted Items folder

To see the email items in this location, click Deleted Items > Recover items deleted from this folder. The link appears at the top of your email panel when accessed from the web portal or Outlook client.

Recovering emails deleted from Deleted Items

Configuring recoverable items

Microsoft 365 has the following retention periods for emails:

Inbox—persistent until manually deleted
Deleted Items—persistent until manually deleted.
Recoverable items (items deleted from your Deleted Items folder)—14 days by default (max 30)

We can check the configured retention policy for recoverable items with the PowerShell cmdlet below:

Get-Mailbox -identity <your user> | select RetainDeletedItemsFor

As shown below, the default RetainDeletedItemsFor property for a user in a Microsoft 365 subscription is 14 days.

Viewing the retaindeleteditems property for a user

You can use PowerShell to increase the RetainDeletedItemsFor property and set the maximum to 30 days. Notice below that attempting any value higher than 30 is not allowed.

Set-Mailbox -Identity <your user> -RetainDeletedItemsFor 30

Configuring the RetainDeletedItemsFor property for a 30 day retention period

Creating in-place and litigation holds

Businesses do have a way to prevent emails from being deleted due to the default retention settings found natively in Microsoft 365. The in-place hold allows the creation of a granular hold policy to preserve mailbox items. The in-place hold can hold items based on the following:

Indefinite hold—This is similar to the litigation hold, which keeps the mailbox indefinitely
Query-based hold—Hold only items based on a query that contains certain keywords, start and end dates, sender and recipient, addresses, and message types
Time-based hold—Specify the duration for which mail items are held

Litigation holds use the LitigationHoldEnabled property of a mailbox. These are not granular, and place the entire mailbox contents on hold.

Recovering deleted emails after permanent deletion

What happens after your email items roll past the 30-day retention period in the Recoverable items > Deletions folder? If there are no compliance, in-place, or litigation holds that would retain the emails past this point, your emails, from a Microsoft perspective, are not recoverable.

After the 30-day retention period, businesses must use their own solutions and methods to recover deleted emails. Many third-party backup solutions offer the ability to protect Microsoft 365 cloud emails and files. Of course, a third-party backup solution must be in place before the data loss event.

Another way to save a copy of Microsoft 365 emails is to export your mailbox to a PST file.

Wrapping up

It is important for organizations using Microsoft 365 to understand the retention of data and the default policies in place. Both the Deleted Items and the hidden Recoverable Items > Deletions folder are safety nets that help prevent data loss when emails are deleted.

Subscribe to 4sysops newsletter!

After a maximum of 30 days, the Recoverable Items > Deletions folder is emptied, and the emails here are gone forever without additional compliance or other holds put in place. Organizations must then use third-party backup solutions and other means to back up business-critical email data.

Want to write for 4sysops? We are looking for new authors.

4sysops members can earn and read without ads!

1 Comment

Surender Kumar (Rank 4) 1 year ago
Pretty good article for people using Microsoft 365 email solution. Another important command to set the mailboxes of all org users in one go:
```
Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Set-Mailbox -RetainDeletedItemsFor 30
```
Source: MS docs

Proactive Microsoft 365 monitoring with ENow

Connect to Exchange Online with PowerShell and certificate-based authentication

How to block emails in Outlook and Microsoft 365 (Office 365)

Connect to Exchange Online with PowerShell

Leave a reply Click here to cancel the reply

Subscribe to Newsletter

Follow 4sysops

CONTACT US