Doing e-Discovery / Message Retention / Legal Recovery in Exchange 2010 - Office 365

Native in the Box (Journaling), Lookup, and Recovery

The topic has come up many times recently on how organizations can leverage Microsoft Exchange 2010 (on-premise) or Microsoft Office 365 (in the cloud) to retain messages, legally hold and recover messages, and successfully perform eDiscovery tasks as required by legal counsel, by law, and/or as needed.

This document clarifies what’s included “in the box” in Exchange 2010 and Office 365, and goes through the step by step procedures for setting up what is necessary to retain content and detailed procedures on how to query and look up information.

Basic Background

To be able to retrieve information for legal or official purposes, information must be properly retained (lawyers may say, abbreviated LMS below, "preserved") so that the integrity of the information retrieved is valid (lawyers will request an "audit trail" to "verify" and "authenticate" the information by showing the "chain of custody" and who, and how, it was "preserved" and "collected").  As an example, if the Human Resources department, Legal department, or outside Legal Counsel wants to gather information, it’s not good enough to just go into a user’s mailbox and extract information because the information in a mailbox is considered “fragile.”  It is fragile because a user can easily “delete” a key message or the user can even go in using the Microsoft Outlook client and EDIT a message.  If someone opens a user’s mailbox, the messages in the Outlook client can be tampered with (LMS-modified) and are NOT considered valid evidence (even if modified accidentally).

In the past with Exchange 2007, Exchange 2003, or earlier, it required specific technologies and practices to protect the messages from tampering.  The old way of doing things was to buy a 3rd party archiving product like Symantec Enterprise Vault, Iron Mountain / Mimosa NearPoint for Exchange, EMC EmailXtender, Zantaz EAS, or the like.  The 3rd party tools required a separate server, typically a special agent to be installed on all Exchange servers and clients, and a relatively high expense to manage, maintain, and support the archiving server and services.

With Exchange 2007, Microsoft included email “Journaling” that allowed a copy of any/all emails to be forwarded to a Journaling Server so that while a user’s mailbox content might have been tampered with, the Journaling Server mailbox would have an unmodified version of the content.  Legal review of the Journal copy provided assurances that the copy had not been edited.

With the release of Exchange 2010 and the Archiving capabilities of Exchange 2010, some mistakenly believe they must create an “Archive Mailbox” for all users to preserve data.  That is not true.  An Archive Mailbox creates a 2nd mailbox store for a user to move content from their Primary mailbox to the Archive mailbox to get it out of their Primary mailbox, but data retention (LMS-"preservation") can actually be done on Exchange 2010 (or Office 365) simply by extending the Deleted Item Retention period and enabling the Single Instance Recovery function of Exchange / Office 365.

The Archive Mailbox feature in Exchange 2010 / Office 365 simply allows users (or the organization through rules) to move messages out of their primary mailbox to the Archive box to keep the primary mailbox small, and the archive as large as the user requires.  The Archive Mailbox replaces PST files that users have used for years to back up or archive their messages, but instead of being scattered across filesystems, hard drives, USB drives, and other devices, archived mail can be kept in the user’s Archive Mailbox for quick and easy search and access.  For the balance of this article, the reader can be assured that the Archive Mailbox is completely separate and not needed for the “in the box” message retention / discovery discussed here.

What Can be Done “In the Box” in Exchange 2010 and Office 365

While an organization can continue to buy 3rd party products as well as do Journaling in Exchange 2010 (on-premise) and Office 365 (in the Cloud), an easier way of handling message retention and legal recovery (LMS-"collection") / e-Discovery can be used by making setting changes right in Exchange 2010 / Office 365.

When a user deletes a message from a folder other than the Deleted Items folder, the message is not really deleted but instead moved to the Deleted Items folder and sits in the Deleted Items folder until the message is fully deleted from the Deleted Items folder. When a user deletes an item from the Deleted Items folder or empties the Deleted Items folder, the message disappears from the Deleted Items folder and appears to be “gone”, but the message has actually just been moved to a hidden Recoverable Items folder.  The Recoverable Items folder replaces the feature formerly known as the Dumpster in previous versions of Exchange. The Recoverable Items folder is hidden from the default view of Microsoft Outlook or Outlook WebApp, and other e-mail clients so the user no longer sees deleted messages, but the messages are still sitting on the Exchange 2010 / Office 365 server.

Items in the Recoverable Items folder are retained for the deleted item retention period configured for the user's mailbox or per database in Exchange. By default, the deleted item retention period is set to 14 days (or 30GB of storage, whichever comes first).  This default retention period can be extended by the administrator to a longer period or even indefinitely.  At any point, messages in the Recoverable Items folder can be retrieved by someone in the organization with “Discovery Role” permissions (more on this later).

An important point to note is that even though messages that are deleted by a user are retained on an Exchange 2010 or Office 365 server and hidden from the user, users have the ability to access their Recoverable Items / Deletions messages through Outlook 2010.  An Outlook 2010 user simply selects the Deleted Items folder, selects the Folder tab in the ribbon, and clicks on “Recover Deleted Items” which shows messages that are stored in the Recoverable Items folder.  The user can click to recover messages back into their Deleted Items folder or they can click on the “delete” icon and messages are permanently deleted off the Exchange server.

However, the Exchange administrator can control message retention even for this permanent user deletion.  An Exchange administrator only needs to go to the Exchange Management Shell (EMS) and run the command Set-Mailbox -SingleItemRecoveryEnabled $true (when prompted for the Identity, enter the name of the mailbox whose content you want to protect).  This will activate Single Item Recovery (SIR).  SIR creates a Recoverable Items / Purges folder that is hidden from the user and is NOT accessible to the user at all.

By enabling Single Item Recovery for a user’s mailbox, messages that are edited / modified (and not necessarily deleted) are ALSO now retained for the length of the Deleted Item Retention.  Instead of ending up in a hidden Recoverable Items / Deletions folder for deleted messages, messages that are edited/modified end up in a hidden Recoverable Items / Versions folder.  So for every edited version of the message, there is also a copy of the message prior to the modification / edit.

Therefore all hard deleted or modified/edited messages are preserved for the default length of 14-days (or 30GB) or whatever the organization has set as the default retention period, whether that’s 60-days, 90-days, a year, 7-years, forever, etc.  To enable Single Item Recovery on all mailboxes in a database, run the EMS command:

Get-Mailbox -Database <DatabaseName> | Set-Mailbox -SingleItemRecoveryEnabled $true

Note, for organizations using Office 365 (in the cloud), per Microsoft’s Office 365 administrator guide: “Single item recovery is enabled by default for new user mailboxes created in Exchange Online and for mailboxes migrated to Exchange Online from an on-premises Exchange organization.”  As such, there is nothing an Office 365 administrator needs to do; all message deletions, edits, and modifications are retained for the length of the organization’s Deleted Item Retention period.  To extend the default 15 and 30 day retention policies set in Office 365, see the documentation on Messaging Records Management (MRM).

The following Exchange Management Shell (EMS) commands for configuring Deleted Item Retention / Recoverable Items Quota are extracted from Microsoft’s Tech article.  To run any of these EMS commands, you need to be assigned “Organization Management,” “Recipient Management,” and “Records Management” role group permissions. For more details on configuring permissions, see the "Retention and legal holds" entry in the Mailbox Permissions topic.

Using the Shell to Configure Deleted Item Retention for a Mailbox

Set-Mailbox -Identity "April Stewart" -RetainDeletedItemsFor 30

This example configures April Stewart's mailbox to retain deleted items for 30 days.

Using the Shell to Configure Recoverable Items Quotas for a Mailbox

Set-Mailbox -Identity "April Stewart" -RecoverableItemsWarningQuota 12GB -RecoverableItemsQuota 15GB -UseDatabaseQuotaDefaults $false

This example configures a Recoverable Items warning quota of 12 GB and a Recoverable Items quota of 15 GB for April Stewart's mailbox.

Note:  To configure a mailbox to use different Recoverable Items quotas than the mailbox database in which it resides, you must set the UseDatabaseQuotaDefaults parameter to $false.

Using the Shell to Configure Deleted Item Retention for a Mailbox Database

Set-MailboxDatabase -Identity MDB2 -DeletedItemRetention 10

This example configures a deleted item retention period of 10 days for the mailbox database MDB2.

Using the Shell to Configure Recoverable Items Quotas for a Mailbox Database

Set-MailboxDatabase -Identity MDB2 -RecoverableItemsWarningQuota 15GB -RecoverableItemsQuota 20GB

This example configures a Recoverable Items warning quota of 15 GB and a Recoverable Items quota of 20 GB on mailbox database MDB2.
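Once these settings are applied, it is worth checking that every mailbox actually ends up with Single Item Recovery on and an adequate effective retention period, since a mailbox can inherit a shorter period from its database. The following audit function is an added example, not code from the original article or from Microsoft; the function names, the 30-day threshold and the sample rows are assumptions, and the database table would be built from Get-MailboxDatabase output in a live environment.

```powershell
# Added example; the sample rows are constructed, not real mailbox data.
function Test-RetentionPosture {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Mailbox,
        [hashtable] $DatabaseRetention = @{},  # database name -> DeletedItemRetention
        [int] $MinimumDays = 30                # assumed policy threshold
    )
    process {
        # Remoting can return the time span as a string, so parse via ToString().
        $effective = [timespan]::Parse($Mailbox.RetainDeletedItemsFor.ToString())
        $db = [string]$Mailbox.Database
        # A mailbox using database defaults inherits the database's retention.
        if ($Mailbox.UseDatabaseRetentionDefaults -and $DatabaseRetention.ContainsKey($db)) {
            $effective = [timespan]::Parse($DatabaseRetention[$db].ToString())
        }
        $findings = @()
        if (-not $Mailbox.SingleItemRecoveryEnabled) {
            $findings += 'Single Item Recovery off: user can purge Recoverable Items'
        }
        if ($effective.TotalDays -lt $MinimumDays) {
            $findings += "Effective retention $($effective.Days) days, below $MinimumDays"
        }
        New-Object PSObject -Property @{
            Mailbox       = $Mailbox.Name
            RetentionDays = $effective.Days
            Compliant     = ($findings.Count -eq 0)
            Findings      = ($findings -join '; ')
        } | Select-Object Mailbox, RetentionDays, Compliant, Findings
    }
}

# Hypothetical helper that builds constructed rows shaped like Get-Mailbox output.
function New-SampleMailbox($Name, $Sir, $Retain, $UseDbDefaults) {
    New-Object PSObject -Property @{
        Name = $Name; Database = 'MDB2'; SingleItemRecoveryEnabled = $Sir
        RetainDeletedItemsFor = $Retain; UseDatabaseRetentionDefaults = $UseDbDefaults
    }
}
$dbRetention = @{ 'MDB2' = '10.00:00:00' }     # constructed; mirrors the MDB2 example
$sample = @(
    (New-SampleMailbox 'April Stewart' $true  '30.00:00:00' $false),
    (New-SampleMailbox 'Sample User A' $false '14.00:00:00' $false),
    (New-SampleMailbox 'Sample User B' $true  '14.00:00:00' $true)
)
$sample | Test-RetentionPosture -DatabaseRetention $dbRetention | Format-Table -AutoSize
# Live use (EMS):
#   Get-Mailbox -ResultSize Unlimited | Test-RetentionPosture -DatabaseRetention $dbRetention
```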

Handling Legal Hold in Exchange 2010 / Office 365

Legal Hold or Litigation Hold are terms used in the legal profession to designate that “potential evidence” is to be retained.  Specific to email, all email messages and attachments need to be preserved (i.e., prevent a user from deleting or modifying messages that might be used in a legal case).

As mentioned earlier in this article, with previous versions of Exchange, typically a 3rd party product needed to be purchased to retain content such as when a user’s mailbox is put on Legal Hold.  However with Exchange 2010 and Office 365 using the Deleted Item Retention process covered in this article, since all deleted and modified messages are automatically retained for a period of time, the only thing that needs to be done is make sure content is not automatically deleted after the default 14-days, by the user, or by some other full deletion process.  Specifically putting a user’s mailbox on Legal Hold ensures an indefinite retention on all content in the user’s mailbox until the mailbox is removed from Legal Hold.

To put a Mailbox on Litigation Hold, the person making that decision needs to be part of the “Discovery Management” Role in Exchange.  By default, NO ONE in the organization, including the Exchange Administrator, has the right to put a user’s mailbox on Litigation Hold.  However, even though the Exchange Administrator doesn’t have the default right to put a mailbox on Litigation Hold, the Exchange Administrator can go into the Exchange Control Panel and give themselves (and anyone else) the right to enable Litigation Hold for a mailbox.  For that individual (administrator, HR personnel, legal counsel) to be given the rights to make Litigation Hold changes to a user’s mailbox, do the following:

1.  Log on to Outlook WebApp with a user that has administrator rights (just like you are logging in to check your email)

2.  On the upper right corner, select “Options” and “See All Options”

3. In the upper left corner, select “Manage” “My Organization”

4.  In the Roles & Auditing / Administrator Roles section, select the “Discovery Management” role and click on “Details”

5.  In the Discovery Management details, under “Members”, add the person (or people) in your organization that you want to have the ability to put a mailbox on Litigation Hold, then click Save

This individual (or individuals) now have the ability to proceed with actually putting a mailbox on Litigation Hold.
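Because an administrator can add themselves to Discovery Management, changes to that role group belong in the audit trail for any hold. The filter below is an added example, not code from the original article or from Microsoft: it takes administrator audit log entries and reports membership changes to Discovery Management, flagging likely self-grants. It assumes administrator audit logging is enabled; the function names, the caller-matching heuristic and the sample entries are constructed for illustration.

```powershell
# Added example; entries are constructed to mirror Search-AdminAuditLog output.
function Get-DiscoveryRoleChange {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Entry)
    process {
        if ($Entry.CmdletName -notmatch '^(Add|Remove|Update)-RoleGroupMember$') { return }
        if ([string]$Entry.ObjectModified -notlike '*Discovery Management*') { return }
        $members = @($Entry.CmdletParameters |
            Where-Object { $_.Name -match '^Members?$' } |
            ForEach-Object { [string]$_.Value })
        # Heuristic (assumption): the caller is logged as a path, so compare its last segment.
        $callerLeaf = ([string]$Entry.Caller -split '[\\/]')[-1]
        $selfGrant = ($Entry.CmdletName -ne 'Remove-RoleGroupMember') -and
                     ($members -contains $callerLeaf)
        New-Object PSObject -Property @{
            RunDate   = $Entry.RunDate
            Caller    = $Entry.Caller
            Action    = $Entry.CmdletName
            Member    = ($members -join ', ')
            SelfGrant = $selfGrant
        } | Select-Object RunDate, Caller, Action, Member, SelfGrant
    }
}

# Hypothetical helper that builds constructed audit entries for the demonstration.
function New-SampleEntry($When, $Caller, $Cmdlet, $Group, $Member) {
    $p = New-Object PSObject -Property @{ Name = 'Member'; Value = $Member }
    New-Object PSObject -Property @{
        RunDate = [datetime]$When; Caller = $Caller; CmdletName = $Cmdlet
        ObjectModified = $Group; CmdletParameters = @($p)
    }
}
$entries = @(
    (New-SampleEntry '2012-03-01 09:15' 'example.local/Users/Administrator' `
        'Add-RoleGroupMember' 'Discovery Management' 'Administrator'),
    (New-SampleEntry '2012-03-02 14:40' 'example.local/Users/hradmin' `
        'Add-RoleGroupMember' 'Discovery Management' 'Legal Counsel 1'),
    (New-SampleEntry '2012-03-03 11:05' 'example.local/Users/Administrator' `
        'Add-RoleGroupMember' 'Recipient Management' 'helpdesk1')
)
$entries | Get-DiscoveryRoleChange | Format-Table -AutoSize
# Live use (EMS), reviewing the last 90 days:
#   Search-AdminAuditLog -Cmdlets Add-RoleGroupMember,Remove-RoleGroupMember,Update-RoleGroupMember `
#       -StartDate (Get-Date).AddDays(-90) | Get-DiscoveryRoleChange
#   Get-RoleGroupMember -Identity "Discovery Management"   # current membership
```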

To put a mailbox on Litigation Hold in Exchange 2010 or Office 365, an administrator needs to do the following:

1.  Log on to Outlook WebApp as a user who has been given the Discovery Management role permissions in the previous series of steps

2.  On the upper right corner, select “Options” and “See All Options”

3.  In the upper left corner, select “Manage” “My Organization”

4.  In the Users & Groups / Mailboxes section, select the user you want to put on Legal Hold and click on “Details”
