Finding and Recovering Deleted Office 365 Data
Configuring Data Archiving
The course is part of these learning paths
Microsoft 365 provides multiple features and services for managing working data as well as for retaining them as needed. It is critical for you as an IT administrator to understand the features available for ensuring that deleted data can be restored and that you can import other data and use Microsoft 365 as an archive.
This course will focus on how to manage archival, deletion, and restoration of content and data within Microsoft 365. By the end of this course, you will know the various options available for that and when to use the Admin Center or PowerShell to restore data and content. We will also discuss some of the important aspects of working with deleted data.
- Identify content for recovery
- Ensure your end-users have the data they need
- Recover data in Microsoft 365
- Archive data in Microsoft 365
This course is intended for people who want to become a Microsoft 365 Certified: Security Administrator Associate.
If you wish to follow along with this course, it is recommended that you have a Microsoft 365 tenant, an account with Global Administrator access, as well as content within SharePoint Online and OneDrive for Business, a few Exchange Online mailboxes, and users in Azure Active Directory.
So, let's first talk about deleting and restoring mailboxes within exchange online. Microsoft 365 supports two core approaches to deleting Microsoft Exchange Online mailboxes. They are soft-deleted and hard-deleted user mailboxes. A soft-deleted user mailbox is a mailbox that has been deleted using the Microsoft 365 admin center or the Remove-Mailbox command line in Exchange Online PowerShell, and has still been in the Azure Active Directory recycle bin for less than 30 days. A hard-deleted user mailbox is a mailbox that has been deleted either because it has passed the 30-day period, has the associated Azure AD account hard-deleted, and the 30 day period has passed, or the Remove-Mailbox PowerShell command was used. Deleting a mailbox is completed using two different approaches.
Either the Remove-Mailbox or remove MsolUser. Both options will remove the mailbox. Restoring a mailbox once it's been deleted this way is achieved by using the Undo-SoftDeletedMailbox PowerShell command. So, let's go into an environment and look at executing PowerShell for deleting and restoring a mailbox. In order first to use PowerShell to manage deletion of mailboxes and undoing of those as well as accounts, we do need to make a connection to Microsoft 365. The first thing we have to do is make sure that we have the right modules installed. So, the first one is the ExchangeOnlineManagement one.
I am going to click 'Install' here. If you don't have this installed, it will go ahead and download that from the Internet and install it. You may have to click 'Yes' for the new get up data as well as 'Yes' for the untrusted repository that it's going to come from. Then, once we've downloaded that and it's been installed, we can then import that module directly into the current session. That just makes the PowerShell module available to us. We'll wait for this to download and then we'll do the import. We'll also need to put in the module for connecting to Microsoft online. So, we're going to say, Install-Module, and it's called MSOnline. So, we'll click 'Enter' here. This will install that module as well. Now you can use other modules.
You'll see we've already got the repository question, so I am going to say, "Yes". That will just accept it and add it, so we can download the package. You can use Azure AD as well. If you needed to, you could use different methods for deleting the account. So, once we have them in, if I go back to my install command, I am actually just going to say import now, that will import that module into here, and go back to my MSOnline one, and we'll say imports as well. So, we have now imported both those modules. Now, in order for us to utilize this, we first have to make a connection. So, I can say Connect-ExchangeOnline, and when I press 'Enter' here, it's going to initialize a call out to log in, and I am going to log in with my test account that's here.
This is my dummy environment or kind of test environment that I utilize. So, what we can do here is grab my credential, and then we can validate and get into the tenant. Click 'Sign in'. This will then go ahead and connect to Exchange Online and download the modules locally. You can see doing the explicit remoting now, so that I can then execute whatever the PowerShell command is that I wish to run. So, first off, let's just clear the screen here, and we can just say Get-Mailbox and just press 'Enter' here. This is going to connect to our tenant, and you'll see it returns all of the mailboxes that are in my tenant. I am going to actually pick this one, AlexW. And what we can do here is use Remove-Mailbox.
And then, from an identity perspective, we can type in the name of the mailbox that we wish to utilize. So, if I say Alex and W, and then press 'Enter', this is now going to go and remove that mailbox out of exchange. You can see it returns a message back that will say, "This is also going to be deleted, and then it won't be available, including the account." So, I am going to say, "Yes," and wait for that to complete. Now, this is what effectively is called the soft delete, because I've deleted the account at that point. Now, if we look at the PowerShell commands, and I do Get, and type Soft, you'll notice that there's no way of retrieving what would be that soft account that's been deleted.
Now, in order to view accounts that have been deleted, we can actually view those within the admin center. In the admin center, we can simply go to the Users container here, and click 'Deleted items' and you'll see that my account has been deleted. So, I could select and say restore at this point. But we're going to go ahead and do it with PowerShell. Okay, so we're back in the PowerShell. Now in order for us to restore, we can use the Undo-SoftDeletedMailbox command, and then put in the actual id of the user, so I can say AlexW. Then, of course, it's going to expect me to put the WindowsLiveID, which I am just going to type AlexW for now.
And then, it's going to ask me for the password, and we need to specify a secure password. So, I am going to say, ConvertTo-SecureString -string, and we'll just do Pass@word2022, and a bang sign like so. So, we have a simple password. AsPlainText, we'll force that one and do that. So, from a syntax perspective, we're going to be using Undo-SoftDeleted. We're going to use Alex. We're going to specify the liveID and click 'OK'. So, I am going to press 'Enter' here. And I watch what happens. It comes back and says, "Oh, I can't confirm that that's the right format for the account."
So, for the WindowsLiveID, and that's perfect, because what needs to happen is we need to utilize the full domain format for the specific account for the WindowsLiveID. So, I am going to come back into my Alex here, and just paste my ending domains for my test tenant, like so. And then I am going to press 'Enter' again. And notice, this time it takes a little bit longer. It goes through the process of looking for the account, and sure enough, it now says, "Hey, I found Alex." And we've put Alex back name. So, if I clear this and just say Get-Mailbox, what we should now see is if we scroll back, is Alex has now been restored. So, it's very simple to restore a mailbox that's been deleted either directly with PowerShell, or we could do it within the admin interface.
Liam Cleary is a Microsoft MVP and Microsoft Certified Trainer focused on Microsoft 365 and Azure. He's been working with Microsoft Cloud and Azure technologies since their creation and focuses heavily on deployments, management, and the security of Microsoft 365 and Azure. He also holds multiple certifications for both Microsoft 365 and Azure.