A Different Way to Report Items Stored in Recoverable Items

Yesterday’s article about reporting items stored in the Recoverable Items structure in mailboxes provoked some questions. Some were surprised that it is possible for administrators to get this level of detail about retained items from user mailboxes, but the items are the same kind that users process, so the APIs work as well for the items held in Recoverable Items as they do for folders like the inbox, sent items, and so on. On a serious note, RBAC for applications is the best way to curtail application access to sensitive mailboxes, including whatever they hold in Recoverable Items.

One of my MVP colleagues pointed out that a lot of the information I discussed could be retrieved using the Get-RecoverableItems cmdlet. That’s true, if you are only interested in certain item properties and certain folders. Using the Graph APIs supports full access to item properties in all folders, and that’s where the major advantage lies.

Let me explain what I mean. Microsoft built the Get-RecoverableItems cmdlet to allow administrators to recover items on behalf of users. The recovered items go back into the parent folder from where they were deleted. The intention behind the cmdlet is that it is used in tandem with the Restore-RecoverableItems cmdlet. In other words, the items found by Get-RecoverableItems can be restored by Restore-RecoverableItems.

Creating a Script Based on Get-RecoverableItems

Getting back to the point in hand, the observation made was that you could use Get-RecoverableItems to retrieve item information for reporting purposes, just like I did with the Graph. However, the available data is different. This might or might not be a problem.

To illustrate the issue, I created a version of the script using Get-RecoverableItems. You can download the script from GitHub. The script:

Connects to Exchange Online. You must use an account that holds the Exchange mailbox import-export role as this is required to run the Get-RecoverableItems cmdlet.

Finds user mailboxes.

Runs Get-RecoverableItems for each mailbox to find items in the Deletions folder in Recoverable Items for the last year. By default, Get-RecoverableItems fetches items from Deleted Items, Deletions, and Purges. The Graph-based version of the script only processes Recoverable Items folders including Versions and SubstrateHolds that aren’t exposed to Get-RecoverableItems.

Create a report of the results (Figure 1) and export the results to a CSV file.

Different Data Reported

Looking at the data shown in Figure 1, some of the item properties are common with those available via the Graph SDK (mailbox name and item subject). The last modified time is in U.S. format, so the script reformats the date. The last parent property is the folder that the item was deleted from, and the item class is the MAPI type. Looking at the items returned from my mailbox, I see the following types (IPM.Note is a regular message).

$Items | Group-Object ItemClass -NoElement | Sort-Object Count | Format-Table Name, Count

Name Count
—- —–
IPM.Schedule.Meeting.Resp.Tent 1
IPM.Task 1
IPM.Note.Rules.OofTemplate.Microsoft 3
IPM.Note.SMIME.MultipartSigned 4
IPM.Schedule.Meeting.Canceled 9
IPM.Post.Rss 27
IPM.Schedule.Meeting.Resp.Pos 27
REPORT.IPM.Note.NDR 89
IPM.Schedule.Meeting.Request 92
IPM.Appointment 180
IPM.Note 4305

The properties for a full item returned by Get-RecoverableItems looks like this:

LastParentPath : CalendarPlanner-Microsoft 365 Message Center
LastParentFolderID : 37B5390C4C3298448EB307D556E7D40D000392D3F3B3
OriginalFolderExists : True
Identity : Tony.Redmond@office365itopros.com
MailboxIdentity : a662313f-14fc-43a2-9a7a-d2e27f4f3478370f354-2752-4437-878d-cf0e5310a8d4
ItemClass : IPM.Appointment
Subject : [Microsoft 365 for the web] (Updated) Loop components in Microsoft OneNote [MC777847]
PolicyTag : 59c7aa03-6579-4008-b484-e8ed327c3b69
EntryID : 000000007EEC82E914DC7C4EB92D68AF156167AB07005EF42BB02DCD9F4CAED6E3A2F5480A7D000000DA5215000037B5390C4C3298448EB307D556E7D40D00078B11E96B0000
SourceFolder : Recoverable ItemsDeletions
LastModifiedTime : 08/16/2024 21:15:03
IsValid : True
ObjectState : New

The properties for an item returned by the Graph looks like this. Many of the properties are blank because I did not fetch the information.

Attachments :
BccRecipients :
Body : Microsoft.Graph.PowerShell.Models.MicrosoftGraphItemBody
BodyPreview :
Categories :
CcRecipients :
ChangeKey :
ConversationId :
ConversationIndex :
CreatedDateTime : 12/09/2024 16:53:39
Extensions :
Flag : Microsoft.Graph.PowerShell.Models.MicrosoftGraphFollowupFlag
From : Microsoft.Graph.PowerShell.Models.MicrosoftGraphRecipient
HasAttachments :
Id : AAMkADAzNzBmMzU0LTI3NTItNDQzNy04NzhkLWNmMGU1MzEwYThkNABGAAAAAAB_7ILpFNx8TrktaK8VYWerBwBe9CuwLc2fTK7W46L1SAp9AAAA2lIaAAA3tTkMTDKYRI6zB9VW59QNAAechaYpAAA=
Importance :
InferenceClassification :
InternetMessageHeaders :
InternetMessageId :
IsDeliveryReceiptRequested :
IsDraft :
IsRead :
IsReadReceiptRequested :
LastModifiedDateTime :
MultiValueExtendedProperties :
ParentFolderId :
ReceivedDateTime :
ReplyTo :
Sender : Microsoft.Graph.PowerShell.Models.MicrosoftGraphRecipient
SentDateTime :
SingleValueExtendedProperties : {Long 0xe08}
Subject : Undeliverable: Size limit for HVE
ToRecipients :
UniqueBody : Microsoft.Graph.PowerShell.Models.MicrosoftGraphItemBody
WebLink :
AdditionalProperties : {[@odata.etag, W/”FwAAABYAAAA3tTkMTDKYRI6zB9VW59QNAAeYsZ/A”]}

It’s obvious that the two sets of properties are very different. Because the Graph provides data to clients, the Graph set includes the item body and a body preview together with a bunch of flags for the item status, like isRead or isDraft. The set includes a single value extended property for the item size. By comparison, the set retrieved by Get-RecoverableItems are designed to help a user or administrator decide which items to restore and no more.

The Bottom Line

Two methods are available to tenant administrators who need to know about the items held in the Recoverable Items structure. The Graph API can reveal more information about individual items, especially the actual content of an item, but the Get-RecoverableItems cmdlet is a viable candidate to use if you only need to know bare details like the sender, date, and subject. Isn’t it nice to have choice!

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.