My experience when working with organizations and eDiscovery in Microsoft 365 is the importance of eDiscovery administrators to understand the behavior of deleted emails. Why? Well… some people involved in a case may either maliciously or unintentionally delete important emails…
eDiscovery cases can be sensitive in nature and, in some instances, involved parties may intentionally delete emails with hopes of them not being discovered. This is a primary reason for electronic holds being placed on users’ mailboxes as custodians in a case. Once a hold is in place, the Mailbox Folder Assistant (the “other” MFA) process no longer runs against a user’s mailbox thereby preventing any content from being permanently removed from their mailbox (and all content within it remains discoverable).
Note: A Retention Policy published to Exchange mailboxes will also prevent content from being permanently removed until the retention period is over and uses the same underlying mechanism as an electronic hold to retain content.
It’s important to understand the structure of an Exchange Online mailbox if you’re running content searches and eDiscovery searches as they both return results from all subfolders within the parts of a mailbox visible to an end-user as well as the Recoverable Items partition not visible to an end-user:
Here’s what happens when an end-user “deletes” an email:
- If an end-user soft deletes an email (hits the Delete key), it will go into their Deleted Items folder and is visible to them. An end-user can self-serve restoring and permanently deleting emails from here.
- If an end-user permanently deletes an email (Shift-delete key) or deletes an email from their Deleted Items folder, or empties their Deleted Items folder, it will go to the Deletions folder in the Recoverable items partition.
In an Exchange Online mailbox, an end-user can still act on emails in the Deletions folder in the Recoverable Items partition. They can either restore emails from there or purge them from there using the Outlook client:
- Select Folder
- Select Recover Deleted Items
A popup window will be displayed with all emails permanently deleted from your mailbox. As you can see, an end-user has the option to either restore or purge the items:
If ‘Restore Selected Items’ is chosen, the items will be restored to the end-user’s mailbox. I imagine the intent of providing this capability to an end-user is to allow for self-serve email recovery rather than having to call the service desk.
If ‘Purge Selected Items’ is chosen, the items will move to the Purges folder within the Recoverable Items partition. At that time, they are hidden from the end-user, but they still exist (for 14 days – the setting defined by the RetainDeletedItemsFor mailbox property)! I’ve worked with customers using eDiscovery for internal investigations where end-users go to this length thinking they are permanently removing their emails thereby making them undiscoverable. This is not the case.
The Mailbox Folder Assistant will, however, permanently remove content that is either in the Deletions or Purges folder after 14 days (by default) unless there is an electronic hold or retention policy placed on the user’s mailbox.
Reference: Recoverable Items folder in Exchange Online
This timing is important to know if you are running eDiscovery or Content Searches against Outlook mailboxes as those searches will return results from all folders within the Recoverable Items partition as well as the folders in the user’s mailbox. This is also reason why you should be placing an electronic hold on user’s mailboxes in an eDiscovery case if you want to guarantee that you will be able to discover all content from their mailbox until the hold is released. Without an electronic hold, the emails sitting in the Deletions and Purges folders in the Recoverable Items partition will eventually be permanently removed (unless there is a Retention Policy in place and the retention period hasn’t been met).
Thanks for reading.