Delete items in the Recoverable Items folder of cloud-based mailboxes on hold - Admin Help

The Recoverable Items folder for an Exchange Online mailbox exists to protect from accidental or malicious deletions. It's also used to store items that are retained and accessed by Office 365 compliance features, such as holds and eDiscovery searches. However, in some situations organizations might have data that's been unintentionally retained in the Recoverable Items folder that they must delete. For example, a user might unknowingly send or forward an email message that contains sensitive information or information that may have serious business consequences. Even if the message is permanently deleted, it might be retained indefinitely because a legal hold has been placed on the mailbox. This scenario is known as data spillage because data has been unintentionally spilled into Office 365. In these situations, you can delete items in a user's Recoverable Items folder for an Exchange Online mailbox, even if that mailbox is placed on hold with one of the different hold features in Office 365. These types of holds include Litigation Holds, In-Place Holds, eDiscovery holds, and Office 365 retention policies created in the Office 365 Security & Compliance Center.

This article explains how to delete items from the Recoverable Items folder for cloud-based mailboxes that are on hold. This procedure involves disabling access to the mailbox and disabling single item recovery, disabling the Managed Folder Assistant from processing the mailbox, temporarily removing the hold, deleting items from the Recoverable Items folder, and then reverting the mailbox to its previous configuration. Here's the process:

Step 1: Collect information about the mailbox

Step 2: Prepare the mailbox

Step 3: Remove all holds from the mailbox

Step 4: Delete items in the Recoverable Items folder

Step 5: Revert the mailbox to its previous state

Warning: The procedures outlined in this article will result in data being permanently deleted (purged) from an Exchange Online mailbox. That means messages that you delete from the Recoverable Items folder can't be recovered and won't be available for legal discovery or other compliance purposes. If you want to delete messages from a mailbox that's placed on hold as part of a Litigation Hold, In-Place Hold, eDiscovery hold, or Office 365 retention policy created in the Office 365 Security & Compliance Center, check with your records management or legal departments before removing the hold. Your organization might have a policy that defines whether a mailbox on hold or a data spillage incident takes priority.

Before you begin

  • You have to be assigned both of the following management roles in Exchange Online to search for and delete messages from the Recoverable Items folder in Step 4.

    • Mailbox Search    This role lets you to search mailboxes in your organization. Exchange administrators aren't assigned this role by default. To assign yourself this role, add yourself as a member of the Discovery Management role group in Exchange Online.

    • Mailbox Import Export    This role lets you to delete messages from a user's mailbox. By default, this role isn't assigned to any role group. To delete messages from users' mailboxes, you can add the Mailbox Import Export role to the Organization Management role group in Exchange Online.

  • The procedure described in this article isn't supported for inactive mailboxes. That's because you can't re-apply a hold (or Office 365 retention policy) to an inactive mailbox after you remove it. When you remove a hold from an inactive mailbox, it's changed to a normal soft-deleted mailbox and will be permanently deleted from your organization after it's processed by the Managed Folder Assistant.

  • You can't perform this procedure for a mailbox that has been assigned to an Office 365 retention policy that's been locked with a Preservation Lock. That's because a Preservation Lock prevents you from removing or excluding the mailbox from the Office 365 retention policy and from disabling the Managed Folder Assistant on the mailbox. For more information about locking retention policies, see Overview of retention policies.

  • If a mailbox isn't placed on hold (or doesn't have single item recovery enabled), you can simply delete the items from the Recoverable Items folder. For more information about how to do this, see Search for and delete messages.

Return to top

Step 1: Collect information about the mailbox

This first step is to collect selected properties from the target mailbox that will affect this procedure. Be sure to write down these settings or save them to a text file because you'll change some of these properties and then revert back to the original values in Step 5, after you delete items from the Recoverable Items folder. Here's a list of the mailbox properties you need to collect.

  • SingleItemRecoveryEnabled and RetainDeletedItemsFor; if necessary, you'll disable single recovery and increase the deleted items retention period in Step 3.

  • LitigationHoldEnabled and InPlaceHolds; you need to identify all the holds placed on the mailbox so that you can temporarily remove them in Step 3. See the More information section for tips about how to identify the type hold that might be placed on a mailbox.

Additionally, you need to get the mailbox client access settings so you can temporarily disable them so the owner (or other users) can't access the mailbox during this procedure. Finally, you can get the current size and number of items in the Recoverable Items folder. After you delete items in the Recoverable Items folder in Step 4, you'll use this information to verify that items were actually removed.

  1. Connect to Exchange Online PowerShell. Be sure to use a user name and password for an administrator account that's been assigned the appropriate management roles in Exchange Online.

  2. Run the following command to get information about single item recovery and the deleted item retention period.

    Get-Mailbox <username> | FL SingleItemRecoveryEnabled,RetainDeletedItemsFor

    If single item recovery is enabled, you'll have to disable it in Step 2. If the deleted item retention period isn't set for 30 days (the maximum value in Exchange Online), then you can increase it in Step 2.

  3. Run the following command to get the mailbox access settings for the mailbox.

    Get-CASMailbox <username> | FL EwsEnabled,ActiveSyncEnabled,MAPIEnabled,OWAEnabled,ImapEnabled,PopEnabled

    You'll disable all of these access methods in Step 2.

  4. Run the following command to get information about the holds and Office 365 retention policies applied to the mailbox.

    Get-Mailbox <username> | FL LitigationHoldEnabled,InPlaceHolds

    Tip: If there are too many values in the InPlaceHolds property and not all of them are displayed, you can run the Get-Mailbox <username> | Select-Object -ExpandProperty InPlaceHolds command to display each value on a separate line.

  5. Run the following command to get information about any organization-wide Office 365 retention policies.

    Get-OrganizationConfig | FL InPlaceHolds

    If your organization has any organization-wide Office 365 retention policies, you'll have to exclude the mailbox from these policies in Step 3.

    Tip: If there are too many values in the InPlaceHolds property and not all of them are displayed, you can run the Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds command to display each value on a separate line.

  6. Run the following command to get the current size and total number of items in folders and subfolders in the Recoverable Items folder in the user's primary mailbox.

    Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders

    If the user's archive mailbox is enabled, run the following command to get the size and total number of items in folders and subfolders in the Recoverable Items folder in their archive mailbox.

    Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems -Archive | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders

    When you delete items in Step 4, you can choose to delete or not delete items in the Recoverable Items folder in the user's primary archive mailbox. Note that if auto-expanding archiving is enabled for the mailbox, items in an auxiliary archive mailbox won't be deleted.

Return to top

Step 2: Prepare the mailbox

After collecting and saving information about the mailbox, the next step is to prepare the mailbox by performing the following tasks:

  • Disable client access to mailbox so that the mailbox owner can't access their mailbox and make any changes to the mailbox data during this procedure.

  • Increase the deleted item retention period to 30 days (the maximum value in Exchange Online) so that items aren't purged from the Recoverable Items folder before you can delete them in Step 4.

  • Disable single Item recovery so that items won't be retained (for the duration of the deleted item retention period) after you delete them from the Recoverable Items folder in Step 4.

  • Disable the Managed Folder Assistant so that it doesn't process the mailbox and retain the items that you delete in Step 4.

Perform the following steps in Exchange Online PowerShell.

  1. Run the following command to disable all client access to the mailbox. The command syntax assumes that all client access methods were enabled on the mailbox.

    Set-CASMailbox <username> -EwsEnabled $false -ActiveSyncEnabled $false -MAPIEnabled $false -OWAEnabled $false -ImapEnabled $false -PopEnabled $false

    Note: It might take up to 60 minutes to disable all client access methods to the mailbox. Note that disabling these access methods won't disconnect the mailbox owner they're currently signed in. If the owner isn't signed in, then they won't be able to access their mailbox after these access methods are disabled.

  2. Run the following command to increase the deleted item retention period the maximum of 30 days. This assumes that the current setting is less than 30 days.

     Set-Mailbox <username> -RetainDeletedItemsFor 30
  3. Run the following command to disable single item recovery.

    Set-Mailbox <username> -SingleItemRecoveryEnabled $false

    Note: It might take up to 60 minutes to disable single item recovery. Don't delete items in the Recoverable Items folder until this period has elapsed.

  4. Run the following command to prevent the Managed Folder Assistant from processing the mailbox. As previously explained, you can disable the Managed Folder Assistant only if an Office 365 retention policy with a Preservation Lock is not applied to the mailbox.

    Set-Mailbox <username> -ElcProcessingDisabled $true

Return to top

Step 3: Remove all holds from the mailbox

The last step before you can delete items from the Recoverable Items folder is to remove all holds (that you identified in Step 1) placed on the mailbox. All holds must be removed so that items won't be retained after you delete them from the Recoverable Items folder. The following sections contain information about removing different types of holds on a mailbox. See the More information section for tips about how to identify the type hold that might be placed on a mailbox.

Warning: As previously stated, check with your records management or legal departments before removing a hold from a mailbox.

Litigation Hold

Run the following command in Exchange Online PowerShell to remove a Litigation Hold from the mailbox.

Set-Mailbox <username> -LitigationHoldEnabled $false

Note: Similar to disabling the client access methods and single item recovery, it might take up to 60 minutes to remove the Litigation Hold. Don't delete items from the Recoverable Items folder until this period has elapsed.

In-Place Hold

Run the following command in Exchange Online PowerShell to identify the In-Place Hold that's placed on the mailbox. Use the GUID for the In-Place Hold that you identified in Step 1.

Get-MailboxSearch -InPlaceHoldIdentity <hold GUID> | FL Name

After you identify the In-Place Hold, you can use the Exchange admin center (EAC) or Exchange Online PowerShell to remove the mailbox from the hold. For more information, see Create or remove an In-Place Hold.

Office 365 retention policies applied to specific mailboxes

Run the following command in Office 365 Security & Compliance Center PowerShell to identify the Office 365 retention policy that is applied to the mailbox. Use the GUID (not including the mbx or skp prefix) for the retention policy that you identified in Step 1.

Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name

After you identify the retention policy, go to the Date governance > Retention page in the Security & Compliance Center, edit the retention policy that you identified in the previous step, and remove the mailbox from the list of recipients that are included in the retention policy.

Organization-wide Office 365 retention policies

Organization-wide and Exchange-wide Office 365 retention policies are applied to every mailbox in the organization. They are applied at the organization level (not the mailbox level) and are returned when you run the Get-OrganizationConfig cmdlet in Step 1. Run the following command in Security & Compliance Center PowerShell to identify the organization-wide Office 365 retention policies. Use the GUID (not including the mbx prefix) for the organization-wide retention policies that you identified in Step 1.

Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name

After you identify the organization-wide Office 365 retention policies, go to the Date governance > Retention page in the Security & Compliance Center, edit each organization-wide retention policy that you identified in the previous step, and add the mailbox to the list of excluded recipients. Doing this will remove the user's mailbox from the retention policy.

eDiscovery case holds

Run the following commands in Security & Compliance Center PowerShell to identify the hold associated with an eDiscovery case that's applied to the mailbox. Use the GUID (not including the UniH prefix) for the eDiscovery hold that you identified in Step 1. Note that the second command displays the name of the eDiscovery case the hold is associated with; the third command displays the name of the hold.

$CaseHold = Get-CaseHoldPolicy <hold GUID without prefix>
Get-ComplianceCase $CaseHold.CaseId | FL Name
$CaseHold.Name

After you've identified the name of the eDiscovery case and the hold, go to the Search & investigation > eDiscovery page in the Security & Compliance Center, open the case, and remove the mailbox from the hold. For more information, see Manage eDiscovery cases in the Office 365 Security & Compliance Center.

Return to top

Step 4: Delete items in the Recoverable Items folder

Now you're ready to actually delete items in the Recoverable Items folder by using the Search-Mailbox cmdlet in Exchange Online PowerShell. You have three options when running the Search-Mailbox cmdlet.

  • Copy items to a target mailbox before you delete them so that you can review the items, if necessary, before you delete them.

  • Copy items to a target mailbox and delete them in the same command.

  • Delete items without copying them to a target mailbox.

Note that items in the Recoverable Items folder in the user's primary archive mailbox will also be deleted when you run the Search-Mailbox cmdlet. To prevent this, you can include the DoNotIncludeArchive switch. And as previously stated, if auto-expanding archiving is enabled for the mailbox, the Search-Mailbox cmdlet doesn't deleted items in an auxiliary archive mailbox. For more information about auto-expanding archive, see Overview of unlimited archiving in Office 365.

Note: If you include a search query (by using the SearchQuery parameter), the Search-Mailbox cmdlet will return a maximum of 10,000 items in the search results. Therefore if you include a search query, you might have to run the Search-Mailbox command multiple times to delete more than 10,000 items.

The following examples show the command syntax for each of these options. These examples use the -SearchQuery size>0 parameter value, which deletes all items from all subfolders in the Recoverable Items folder. If you need to delete only items that match specific conditions, you can also use the SearchQuery parameter to specify other conditions, such as the subject of a message or a date range. See the examples below.

Example 1

This example copies all items in the user's Recoverable Items folder to a folder in your organization's Discovery Search Mailbox. This lets you review the items before you permanently delete them.

Search-Mailbox <username> -SearchQuery size>0 -SearchDumpsterOnly -TargetMailbox "Discovery Search Mailbox" -TargetFolder "<foldername>"

In the previous example, it isn't required to copy items to the Discovery Search Mailbox. You can copy messages to any target mailbox. However, to prevent access to potentially sensitive mailbox data, we recommend copying messages to a mailbox that has access restricted to authorized personnel. By default, access to the default Discovery Search Mailbox is restricted to members of the Discovery Management role group in Exchange Online.

Example 2

This example copies all items in the user's Recoverable Items folder to a folder in your organization's Discovery Search Mailbox and then deletes the items from the user's Recoverable Items folder.

Search-Mailbox <username> -SearchQuery size>0 -SearchDumpsterOnly -TargetMailbox "Discovery Search Mailbox" -TargetFolder "<foldername>" -DeleteContent

Example 3

This example deletes all items in the user's Recoverable Items folder, without copying them to a target mailbox.

Search-Mailbox <username> -SearchQuery size>0 -SearchDumpsterOnly -DeleteContent

Other examples of using the SearchQuery parameter

Here are a few examples of using the SearchQuery parameter to find specific messages. If you use the SearchQuery parameter to search for specific items, consider copying the search results to a target mailbox so that you can review the search results and then revise the query if necessary before you delete the results of a search.

This example returns messages that contain a specific phrase in the Subject field.

SearchQuery 'subject:"MAIL_BOX VALIDATION/UPGRADE!!!"' 

This example returns messages that were sent within the specified date range.

SearchQuery 'sent>=06/01/2016 AND sent<=09/01/2016'

This example returns messages that were sent to the specified person.

SearchQuery 'to:garthf@alpinehouse.com'

Verify that items were deleted

To verify that you've successfully deleted items from the Recoverable Items folder of a mailbox, use Get-MailboxFolderStatistics cmdlet in Exchange Online PowerShell to check the size and number of items in Recoverable Items folder. You can compare these statistics with the ones you collected in Step 1.

Run the following command in to get the current size and total number of items in folders and subfolders in the Recoverable Items folder in the user's primary mailbox.

Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders

Run the following command to get the size and total number of items in folders and subfolders in the Recoverable Items folder in the user's archive mailbox.

Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems -Archive | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders

Return to top

Step 5: Revert the mailbox to its previous state

The final step is to revert the mailbox back to its previous configuration. This means resetting the properties that you changed in Step 2 and re-applying the holds that you removed in Step 3. This includes:

  • Changing the deleted item retention period back to its previous value. Alternatively, you can just leave this set to 30 days, the maximum value in Exchange Online.

  • Re-enabling single Item recovery.

  • Re-enabling the client access methods so that the owner can access their mailbox.

  • Re-applying the holds and Office 365 retention policies that you removed.

  • Re-enabling the Managed Folder Assistant to process the mailbox.

Important: We recommend that you wait 24 hours after re-applying a hold or Office 365 retention policy (and verifying that it's in place) before you re-enable the Managed Folder Assistant to process the mailbox.

Perform the following steps (in the specified sequence) in Exchange Online PowerShell.

  1. Run the following command to change the deleted item retention period back to its original value. This assumes that the previous setting is less than 30 days; for example 14 days.

     Set-Mailbox <username> -RetainDeletedItemsFor 14
  2. Run the following command to re-enable single item recovery.

    Set-Mailbox <username> -SingleItemRecoveryEnabled $true
  3. Run the following command to re-enable all client access methods to the mailbox.

    Set-CASMailbox <username> -EwsEnabled $true -ActiveSyncEnabled $true -MAPIEnabled $true -OWAEnabled $true -ImapEnabled $true -PopEnabled $true
  4. Re-apply the holds that you removed in Step 3. Depending on the type of hold, use one of the following procedures.

    Litigation Hold

    Run the following command to re-enable a Litigation Hold for the mailbox.

    Set-Mailbox <username> -LitigationHoldEnabled $true

    In-Place Hold

    Use the EAC (or Exchange Online PowerShell) to add the mailbox back to the In-Place Hold.

    Office 365 retention policies applied to specific mailboxes

    Use the Security & Compliance Center to add the mailbox back to the Office 365 retention policy. Go to the Date governance > Retention page in the Security & Compliance Center, edit the retention policy, and add the mailbox back to the list of recipients that the retention policy is applied to.

    Organization-wide Office 365 retention policies

    If you removed an organization-wide or Exchange-wide retention policy by excluding it from the policy, then use the Security & Compliance Center to remove the mailbox from the list of excluded users. Go to the Date governance > Retention page in the Security & Compliance Center, edit the organization-wide retention policy, and remove the mailbox from the list of excluded recipients. Doing this will re-apply the retention policy to the user's mailbox.

    eDiscovery case holds

    Use the Security & Compliance Center to add the mailbox back the hold that's associated with an eDiscovery case. Go to the Search & investigation > eDiscovery page in the Security & Compliance Center, open the case, and add the mailbox back to the hold.

  5. Run the following command to allow the Managed Folder Assistant to process the mailbox again. As previously stated, we recommend that you wait 24 hours after re-applying a hold or Office 365 retention policy (and verifying that it's in place) before you re-enable the Managed Folder Assistant.

    Set-Mailbox <username> -ElcProcessingDisabled $false
  6. To verify that the mailbox has been reverted back to its previous configuration, you can run the following commands and then compare the settings to the ones that you collected in Step 1.

    Get-Mailbox <username> | FL ElcProcessingDisabled,InPlaceHolds,LitigationHoldEnabled,RetainDeletedItemsFor,SingleItemRecoveryEnabled
    Get-CASMailbox <username> | FL EwsEnabled,ActiveSyncEnabled,MAPIEnabled,OWAEnabled,ImapEnabled,PopEnabled

Return to top

More information

Here's a table that describes how to identify different types of holds based on the values in the InPlaceHolds property when you run the Get-Mailbox or Get-OrganizationConfig cmdlets. As previously explained, you have to remove all holds and Office 365 retention policies from a mailbox before you can successfully delete items in the Recoverable Items folder.

Hold type

Example value

How to identify the hold

Litigation Hold

True

The LitigationHoldEnabled property is set to True.

In-Place Hold

c0ba3ce811b6432a8751430937152491

The InPlaceHolds property contains the GUID of the In-Place Hold that's placed on the mailbox. You can tell this is an In-Place Hold because the GUID doesn't start with a prefix.

You can use the Get-MailboxSearch -InPlaceHoldIdentity <hold GUID> | FL command in Exchange Online PowerShell to get information about the In-Place Hold on the mailbox.

Office 365 retention policies in the Security & Compliance Center applied to specific mailboxes

mbxcdbbb86ce60342489bff371876e7f224

or

skp127d7cf1076947929bf136b7a2a8c36f

When you run the Get-Mailbox cmdlet, the InPlaceHolds property also contains GUIDs of Office 365 retention policies applied to the mailbox. You can identify retention policies because the GUID starts with the mbx prefix. Note that if the GUID of the retention policy starts with the skp prefix, that indicates that the retention policy is applied to Skype for Business conversations.

To identity the Office 365 retention policy that's applied to the mailbox, run the following command in Security & Compliance Center PowerShell.

Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name

Be sure to remove the mbx or skp prefix when you run this command.

Organization-wide Office 365 retention policies in the Security & Compliance Center

No value

or

-mbxe9b52bf7ab3b46a286308ecb29624696 (indicates that the mailbox is excluded from an organization-wide policy)

Even if the InPlaceHolds property is empty when you run the Get-Mailbox cmdlet, there still might be one or more organization-wide Office 365 retention policies applied to the mailbox.

To verify this, you can run the Get-OrganizationConfig | FL InPlaceHolds command in Exchange Online PowerShell to get a list of the GUIDs for organization-wide Office 365 retention policies. The GUID for organization-wide retention policies applied to Exchange mailboxes start with the mbx prefix; for example mbxa3056bb15562480fadb46ce523ff7b02.

To identity the organization-wide Office 365 retention policy that's applied to the mailbox, run the following command in Security & Compliance Center PowerShell.

Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name

Note that if a mailbox is excluded from an organization-wide Office 365 retention policy, the GUID for the retention policy is displayed in the InPlaceHolds property of the user's mailbox when you run the Get-Mailbox cmdlet; it's identified by the prefix -mbx; for example, -mbxe9b52bf7ab3b46a286308ecb29624696

eDiscovery case hold in the Security & Compliance Center

UniH7d895d48-7e23-4a8d-8346-533c3beac15d

The InPlaceHolds property also contains the GUID of any hold associated with an eDiscovery case in the Security & Compliance Center that might be placed on the mailbox. You can tell this is an eDiscovery case hold because the GUID starts with the UniH prefix.

You can use the Get-CaseHoldPolicy cmdlet in Security & Compliance Center PowerShell to get information about the eDiscovery case that the hold on the mailbox is associated with. For example, you can run the command Get-CaseHoldPolicy <hold GUID without prefix> | FL Name to display the name of the case hold that's on the mailbox. Be sure to remove the UniH prefix when you run this command.

To identity the eDiscovery case that the hold on the mailbox is associated with, run the following commands.

$CaseHold = Get-CaseHoldPolicy <hold GUID without prefix>
Get-ComplianceCase $CaseHold.CaseId | FL Name

Return to top

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×