How to Report the Information Stored in Recoverable Items
Use PowerShell to Report Recoverable Items Data
In August, I published an article about using Microsoft Graph PowerShell SDK cmdlets to access Exchange Online mailbox data. The nature of website articles is that they can’t cover everything, and in turn this means that questions flow in about whether it’s possible to use a technique covered in an article to accomplish a goal.
Last week, I was asked if it’s possible to report items in the Recoverable Items structure within mailboxes. My answer is that it all depends on what data you want.
How Exchange Online Uses Recoverable Items
Recoverable Items includes folders such as Deletions, Purges, SubstrateHolds, and Versions where Exchange Online holds messages and attachments required for eDiscovery. These items might be held by a litigation hold or an in-place hold, or they might be awaiting removal by the Managed Folder Assistant after their single item recovery period or retention period expires. The Managed Folder Assistant is also responsible for actioning instructions in retention policies and labels by moving items into Recoverable Items.
To make sure that it’s always possible to hold data, Recoverable Items has a separate quota of up to 110 GB. When archive mailboxes are used, Exchange mailbox retention policies can move items to the Recoverable Items folder in the archive mailbox. Microsoft 365 retention policies don’t support a move to archive action. The ability to move items into archive mailboxes for long-term storage is one of the reasons why Exchange mailbox retention policies are still very useful.
The Get-ExoMailboxFolderStatistics cmdlet (or my version of a script to report folder contents) can report how many items are in Recoverable Items folders and the consumed quota.
Accessing Recoverable Items
Outlook clients can access and recover items in the Deletions folder. Administrators can list items in the Deletions folder by running the Get-RecoverableItems cmdlet or through the Exchange admin center (Figure 1).
However, neither users nor administrators can use these options to access content held in the other Recoverable Items folders. Administrators can use the MFCMAPI utility to view the contents of any Recoverable Items folder.
All of this information is valuable, but it didn’t answer the question. The scenario contemplated is for an eDiscovery investigator who needs to review items to see if anything of interest is present. Items might be in any folder, not just Deletions.
Building a Script to Report Recoverable Items
The answer is to use PowerShell to build a script that reports Recoverable Items. The script follows these steps:
Connect to Exchange Online and find the mailboxes of interest. Normally, an eDiscovery investigation is limited to a known subset of mailboxes and other sources. The script (downloadable from GitHub) finds all user mailboxes. Amend this command to find the right target set.
Connect to the Microsoft Graph PowerShell SDK using an application identifier of an Entra ID app that has consent to use the Graph Mail.Read application permission. An X.509 certificate loaded into the app is used for authentication. Running the script in an interactive session only allows delegate access to the folders in the mailbox of the signed-in user. An app-only session is required to access all mailboxes.
Use the Get-MgUserMailFolder cmdlet to retrieve the identifier of the Recoverable Items folder. “RecoverableItemsRoot” is a well-known folder, which makes the task easier.
Use the Get-MgUserMailFolderChildFolder cmdlet to retrieve the set of folders under the root. We’re not interested in some folders, like Calendar Logging and Audit, so the script excludes these from the analysis.
Define the time period to find items for. The script looks for items created over the last year.
For each folder, use the Get-MgUserMailFolderMessage cmdlet to fetch a limited set of properties (to speed up performance). In an eDiscovery scenario, you might want to fetch the BodyPreview property. The script fetches a single-value extended property containing the item size and formats the size (from bytes) to make it look nice.
Report what’s found (Figure 2), including generating a CSV file.
Figure 2: Report of Recoverable Items generated by PowerShell
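The steps above, condensed into one pass, as an added example that is not the script published on GitHub. The app, tenant, and certificate values are placeholders, and the excluded folder display names, the extended property identifier used for item size (MAPI PR_MESSAGE_SIZE, 0x0E08), and the output file name are assumptions.

```powershell
# Added example. Placeholder values, not taken from the article or its GitHub script.
$AppId      = '<application-id>'
$TenantId   = '<tenant-id>'
$Thumbprint = '<certificate-thumbprint>'

Connect-ExchangeOnline -ShowBanner:$false
# Narrow this query to the mailboxes in scope for the investigation
[array]$Mailboxes = Get-ExoMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

# App-only session: certificate authentication with the Mail.Read application permission
Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint $Thumbprint -NoWelcome

# Items created over the last year, as an OData date-time literal
$StartDate = (Get-Date).AddYears(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
# Assumption: display names of the folders to skip; check them in your tenant
$Excluded  = 'Calendar Logging', 'Audits'
# Assumption: item size requested as extended property PR_MESSAGE_SIZE (0x0E08)
$SizeProp  = "singleValueExtendedProperties(`$filter=Id eq 'Long 0x0E08')"

$Report = [System.Collections.Generic.List[object]]::new()
foreach ($Mbx in $Mailboxes) {
    $User = $Mbx.ExternalDirectoryObjectId
    # RecoverableItemsRoot is a well-known folder name, so no search is needed
    $Root = Get-MgUserMailFolder -UserId $User -MailFolderId 'RecoverableItemsRoot'
    [array]$Folders = Get-MgUserMailFolderChildFolder -UserId $User -MailFolderId $Root.Id -All |
        Where-Object { $_.DisplayName -notin $Excluded }
    foreach ($Folder in $Folders) {
        # Fetch only the properties the report needs
        [array]$Items = Get-MgUserMailFolderMessage -UserId $User -MailFolderId $Folder.Id -All `
            -Filter "createdDateTime ge $StartDate" `
            -Property id, subject, createdDateTime, sender -ExpandProperty $SizeProp
        foreach ($Item in $Items) {
            # A missing size property casts to 0 rather than throwing
            $Bytes = [int64]($Item.SingleValueExtendedProperties | Select-Object -First 1).Value
            $Report.Add([PSCustomObject]@{
                Mailbox = $Mbx.UserPrincipalName
                Folder  = $Folder.DisplayName
                Created = $Item.CreatedDateTime
                Subject = $Item.Subject
                Sender  = $Item.Sender.EmailAddress.Address
                SizeKB  = [math]::Round($Bytes / 1KB, 2)
            })
        }
    }
}
$Report | Export-Csv -Path 'RecoverableItemsReport.csv' -NoTypeInformation -Encoding UTF8
```

The CSV holds subjects and sender addresses from held items, so store it with the same access controls as the eDiscovery case it supports.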
The script to report Recoverable Items can access confidential information because its app-only session can read the folders of all mailboxes. Consider using RBAC for Applications to block access to sensitive or confidential mailboxes.
Code Usable for All Folders
The techniques explained here can be used to report items from any mailbox folder. It’s relatively simple PowerShell and the only thing that’s likely to trip people up is the requirement to access the Graph SDK and use an Entra ID app with an X.509 certificate for authentication and authorization. But now you know this must be done, it shouldn’t be a surprise.