Updated on 29 Jan, 2025
In today's digital world, emails play a crucial role in business communications. However, accidental deletions, malicious actions, or legal investigations often require organizations to have robust email retention policies. This is where Exchange Online's Recoverable Items folder comes into play. It acts as a safety net, ensuring that important emails and documents are not permanently lost too soon and can be retrieved when necessary.
---------------------------------------------------------------------------------------------------------
What is the Recoverable Items Folder?
The Recoverable Items folder is a hidden system folder in Exchange Online that stores deleted items before they are permanently purged. It helps in legal compliance, facilitates eDiscovery (electronic discovery) requests, and prevents unauthorized purging of critical emails.
-------------------------------------------------------------------------------------------------------------
Why is the Recoverable Items Folder Important?
Organizations need to retain emails and documents for compliance, security, and business continuity. The Recoverable Items folder serves multiple purposes, including:
Accidental or malicious deletion protection
Legal and compliance holds (Litigation Hold, eDiscovery Hold, and In-Place Hold)
Retention policies in Microsoft 365 and Office 365
Mailbox audit logging (tracking actions like email deletions and modifications)
Calendar logging for historical calendar entries
-------------------------------------------------------------------------------------------------------------
How Deleted Emails Are Handled in Exchange Online
When a user deletes an email, it doesn't disappear immediately. Instead, Exchange follows a structured process to handle deletions:
Soft Delete – When an email is deleted from the Deleted Items folder or removed using Shift + Delete, it moves to the Deletions subfolder within the Recoverable Items folder. By default, it stays here for 14 days (or up to 30 days if configured).
Purges – Once the retention period expires, emails move to the Purges folder, where they wait for final deletion by the Exchange Managed Folder Assistant.
Hard Delete – When an email is purged, it is permanently deleted and cannot be recovered unless it was under a legal hold.
-------------------------------------------------------------------------------------------------------------
Subfolders in the Recoverable Items Folder
The Recoverable Items folder contains multiple subfolders, each serving a unique purpose:
Deletions – Stores soft-deleted items until their retention period expires.
Purges – Contains emails waiting for permanent deletion.
DiscoveryHold – Holds emails placed under eDiscovery or legal retention policies.
Versions – Stores copies of modified emails under legal hold, using a "copy-on-write" technique.
Auditing Logs – Records mailbox activity, including email deletions and modifications.
Calendar Logging – Retains past calendar entries for reference.
-------------------------------------------------------------------------------------------------------------
Legal Holds and eDiscovery
Organizations can place entire mailboxes or specific items under a Litigation Hold, In-Place Hold, or eDiscovery Hold. This ensures that critical emails are preserved indefinitely until the hold is lifted.
Additionally, query-based holds allow for precise retention of only relevant messages. Multiple holds can be applied to a single email, making it easier to comply with various legal requirements.
Mailbox and Message Auditing
Exchange Online includes audit logging to track user activity, such as:
When emails are created, moved, or deleted
Whether an email was soft or hard deleted
Emails sent from a mailbox
In Microsoft 365, mailbox auditing is enabled by default and logs 90 days of activity via the Unified Audit Log. However, in on-premises Exchange, it must be manually activated for each user.
Message Tracing and Tracking
For better transparency, Exchange Online includes message tracing, which logs details of sent and received emails, such as:
Sender and recipient details
Email subject, size, and timestamps
Delivery status and originating IP address
Message tracing is enabled by default for up to 90 days. However, retrieving messages older than 7 days may take longer and is available only in CSV format.
Below are some commonly used PowerShell commands to work with the "Recoverable Items" folder:
1. Get-MailboxFolderStatistics
Statistics for all folders within a specified mailbox, including the "Recoverable Items" folder.
Get-MailboxFolderStatistics -Identity <MailboxIdentity> | Where-Object {$_.FolderPath -like '*Recoverable Items*'}2. Search-Mailbox
Searches for items within a mailbox that match specified search criteria, including items in the "Recoverable Items" folder.
Search-Mailbox -Identity <MailboxIdentity> -SearchQuery 'folderpath:"Recoverable Items"'3. New-MailboxSearch
Creates a new search query and places the search results into a discovery mailbox.
New-MailboxSearch -Name "RecoverableItemsSearch" -SourceMailboxes <MailboxIdentity> -SearchQuery 'folderpath:"Recoverable Items"'4. Get-RecoverableItems
Retrieves the items from the "Recoverable Items" folder for a specified mailbox.
Get-RecoverableItems -Identity <MailboxIdentity>5. Restore-RecoverableItems
Restores items from the "Recoverable Items" folder back to the primary mailbox or to another mailbox.
Restore-RecoverableItems -Identity <MailboxIdentity> -FilterItemType IPM.NoteFinal Thoughts
The Recoverable Items folder in Exchange Online is a critical component of email retention and compliance strategies. Whether protecting against accidental deletions, enforcing legal holds, or tracking mailbox activities, it ensures organizations have complete control over their email data.
--------------------------------------------------Dean-----------------------------------------------
Comentários