Data Spillage Playbook 2
Do you have a plan for how to permanently delete sensitive data accidentally delivered to your organization through email? If you do not, buckle up and read on. You can read part 1 of this series here.
Deleting Items in the Recoverable Items Folder
Requirements
1. Perform the following process for all mailbox(es) in scope.
2. This process will not work:
a. for inactive mailboxes
b. for a mailbox that has been assigned retention settings with a policy that is locked by using Preservation Lock.
c. if auto-expanding archiving is enabled for the mailbox.
3. You can choose to delete or not delete items in the Recoverable Items folder in the user's primary archive mailbox. If auto-expanding archiving is enabled for the mailbox, items in an auxiliary archive mailbox will not be deleted.
4. Budget at least 1 hour for Step 2 #1, and confirm that you can neither send nor receive email from the affected mailbox(es), via either Outlook online or the Outlook desktop client, before proceeding to Step 2 #2.
5. Budget 4 hours for Step 2 #3. The Microsoft KB states it might take up to 60 minutes to disable single item recovery, but during testing, the PowerShell output of the command to disable single item recovery showed "WARNING: The single item recovery setting may take up to 240 minutes to take effect." Do not delete items in the Recoverable Items folder until this period has elapsed.
6. This means that the entire process described in this document requires at least 5 hours during which the user should not access the mailbox.
a. After the 5 hours, the user can resume using the mailbox.
b. Microsoft recommends you wait 24 hours after reapplying a hold or retention policy (and verifying that it is in place) before you re-enable the Managed Folder Assistant.
Step 1: Mailbox Data Gathering
Save the following information for each mailbox, because the process involves changing some of the mailbox properties and reverting them to their original values later in the process.
1. Connect to Exchange Online PowerShell.
2. Run the following command to get information about the single item recovery and the deleted item retention period:
Get-Mailbox <username> | FL SingleItemRecoveryEnabled,RetainDeletedItemsFor
If single item recovery is enabled, you will have to disable it in Step 2. If the deleted item retention period is not set to 30 days (the maximum value in Exchange Online), you can increase it in Step 2.
3. Run the following command to get the mailbox access settings for the mailbox:
Get-CASMailbox <username> | FL EwsEnabled,ActiveSyncEnabled,MAPIEnabled,OWAEnabled,ImapEnabled,PopEnabled
You will disable all of these access methods in Step 2.
4. Run the following command to get information about the holds and retention policies applied to the mailbox:
Get-Mailbox <username> | FL LitigationHoldEnabled,InPlaceHolds
If there are too many values in the InPlaceHolds property and not all of them are displayed, you can run the Get-Mailbox <username> | Select-Object -ExpandProperty InPlaceHolds command to display each value on a separate line.
5. Run the following command to get information about any organization-wide retention policies.
Get-OrganizationConfig | FL InPlaceHolds
If your organization has any organization-wide retention policies, you will have to exclude the mailbox from these policies in Step 3.
6. Run the following command to determine if a delay hold is applied to the mailbox:
Get-Mailbox <username> | FL DelayHoldApplied,DelayReleaseHoldApplied
If the value of the DelayHoldApplied or DelayReleaseHoldApplied property is set to True, a delay hold is applied to the mailbox and must be removed. For more information about delay holds, see Step 4: Remove the delay hold from the mailbox.
If the value of either property is set to False, a delay hold is not applied to the mailbox, and you can skip Step 4.
7. Run the following command to get the current size and total number of items in folders and subfolders in the Recoverable Items folder in the user's primary mailbox:
Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders
If the user's archive mailbox is enabled, run the following command to get the size and total number of items in folders and subfolders in the Recoverable Items folder in their archive mailbox.
Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems -Archive | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders
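To capture all of the Step 1 values once per mailbox and keep them for the revert in Step 6, here is an added example script (not from the original post or the Microsoft KB). It assumes an active Exchange Online PowerShell session; the mailbox addresses and the output folder are placeholders.

```powershell
# Added example (not from the original post): capture the Step 1 baseline for each
# in-scope mailbox and save it for the revert in Step 6.
# Assumes an Exchange Online PowerShell session; addresses and folder are placeholders.
$InScope   = @('user1@contoso.com', 'user2@contoso.com')   # placeholders
$OutFolder = 'C:\Spillage\Baseline'                          # placeholder
New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

function Get-SpillageBaseline {
    param([Parameter(Mandatory)][string]$Identity)
    $mbx = Get-Mailbox -Identity $Identity
    $cas = Get-CASMailbox -Identity $Identity
    $stats = Get-MailboxFolderStatistics -Identity $Identity -FolderScope RecoverableItems |
        Select-Object Name, FolderAndSubfolderSize, ItemsInFolderAndSubfolders
    # Archive statistics exist only when the archive mailbox is enabled
    $archiveStats = $null
    if ($mbx.ArchiveStatus -eq 'Active') {
        $archiveStats = Get-MailboxFolderStatistics -Identity $Identity -FolderScope RecoverableItems -Archive |
            Select-Object Name, FolderAndSubfolderSize, ItemsInFolderAndSubfolders
    }
    [pscustomobject]@{
        Mailbox                   = $mbx.PrimarySmtpAddress.ToString()
        CapturedAt                = (Get-Date).ToString('o')
        # RetainDeletedItemsFor comes back as a time span; keep whole days for Set-Mailbox later
        RetainDeletedItemsFor     = ([TimeSpan]($mbx.RetainDeletedItemsFor.ToString())).Days
        SingleItemRecoveryEnabled = $mbx.SingleItemRecoveryEnabled
        ElcProcessingDisabled     = $mbx.ElcProcessingDisabled
        LitigationHoldEnabled     = $mbx.LitigationHoldEnabled
        InPlaceHolds              = @($mbx.InPlaceHolds | Where-Object { $_ })   # one entry per hold
        OrgWideHolds              = @((Get-OrganizationConfig).InPlaceHolds | Where-Object { $_ })
        DelayHoldApplied          = $mbx.DelayHoldApplied
        DelayReleaseHoldApplied   = $mbx.DelayReleaseHoldApplied
        ClientAccess              = $cas | Select-Object EwsEnabled, ActiveSyncEnabled, MAPIEnabled, OWAEnabled, ImapEnabled, PopEnabled
        RecoverableItems          = $stats
        ArchiveRecoverableItems   = $archiveStats
    }
}

foreach ($user in $InScope) {
    $baseline = Get-SpillageBaseline -Identity $user
    # Export-Clixml keeps the object structure so Import-Clixml can restore it in Step 6
    $file = Join-Path $OutFolder (($user -replace '[@.]', '_') + '.baseline.xml')
    $baseline | Export-Clixml -Path $file
    # Flag what the later steps will have to handle for this mailbox
    if ($baseline.SingleItemRecoveryEnabled) { Write-Host "$user : disable single item recovery (Step 2)" }
    if ($baseline.RetainDeletedItemsFor -lt 30) { Write-Host "$user : retention can be raised to 30 days (Step 2)" }
    if ($baseline.OrgWideHolds.Count -gt 0) { Write-Host "$user : exclude from org-wide retention policies (Step 3)" }
    if ($baseline.DelayHoldApplied -or $baseline.DelayReleaseHoldApplied) { Write-Host "$user : remove delay hold (Step 4)" }
}
```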
Step 2: Prepare the Mailbox
After collecting and saving information about the mailbox(es), the next step is to prepare the mailbox by performing the following tasks:
· Disable client access to the mailbox so that the mailbox owner cannot access it and change mailbox data during this procedure.
· Increase the deleted item retention period to 30 days (the maximum value in Exchange Online) so that items are not purged from the Recoverable Items folder before you can delete them in Step 5.
· Disable single item recovery so that items will not be retained (for the duration of the deleted item retention period) after you delete them from the Recoverable Items folder in Step 5.
· Disable the Managed Folder Assistant so that it does not process the mailbox and retain the items that you delete in Step 5.
1. In Exchange Online PowerShell, run the following command to disable all client access to the mailbox. The command syntax assumes that all client access methods were enabled on the mailbox:
Set-CASMailbox <username> -EwsEnabled $false -ActiveSyncEnabled $false -MAPIEnabled $false -OWAEnabled $false -ImapEnabled $false -PopEnabled $false
It might take up to 60 minutes to disable all client access methods to the mailbox. Note that disabling these access methods will not disconnect the mailbox owner if they are currently signed in. If the owner is not signed in, they won't be able to access their mailbox after these access methods are disabled.
2. Run the following command to increase the deleted item retention period to the maximum of 30 days. Do this only if the current setting is less than 30 days.
Set-Mailbox <username> -RetainDeletedItemsFor 30
3. Run the following command to disable single item recovery.
Set-Mailbox <username> -SingleItemRecoveryEnabled $false
It might take up to 4 hours to disable single item recovery. Do not delete items in the Recoverable Items folder until this period has elapsed.
4. Run the following command to prevent the Managed Folder Assistant from processing the mailbox. As previously explained, you can disable the Managed Folder Assistant only if a retention policy with a Preservation Lock is not applied to the mailbox.
Set-Mailbox <username> -ElcProcessingDisabled $true
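The four preparation tasks as one function, added here as an example (not from the original post or the Microsoft KB): it applies the playbook's conditions (raise retention only when below 30 days, disable single item recovery only when on), confirms the settings were recorded, and prints the earliest time Step 5 may start. It assumes an Exchange Online PowerShell session; the mailbox address is a placeholder.

```powershell
# Added example (not from the original post): Step 2 preparation with the playbook's
# conditions, a check that the settings were recorded, and the earliest Step 5 start.
# Assumes an Exchange Online PowerShell session; the mailbox address is a placeholder.
$Mailbox = 'user1@contoso.com'   # placeholder

function Invoke-SpillagePrep {
    param([Parameter(Mandatory)][string]$Identity)
    $before = Get-Mailbox -Identity $Identity
    $appliedAt = Get-Date
    # 1. Disable every client access method so the owner cannot change mailbox data
    Set-CASMailbox -Identity $Identity -EwsEnabled $false -ActiveSyncEnabled $false -MAPIEnabled $false `
        -OWAEnabled $false -ImapEnabled $false -PopEnabled $false
    # 2. Raise deleted item retention only when it is below the 30-day maximum
    $currentDays = ([TimeSpan]($before.RetainDeletedItemsFor.ToString())).Days
    if ($currentDays -lt 30) { Set-Mailbox -Identity $Identity -RetainDeletedItemsFor 30 }
    # 3. Disable single item recovery only when it is on (may take up to 240 minutes to take effect)
    if ($before.SingleItemRecoveryEnabled) { Set-Mailbox -Identity $Identity -SingleItemRecoveryEnabled $false }
    # 4. Stop the Managed Folder Assistant; not permitted when a Preservation Lock policy applies
    try { Set-Mailbox -Identity $Identity -ElcProcessingDisabled $true -ErrorAction Stop }
    catch { Write-Warning "Could not disable the Managed Folder Assistant for $Identity : $_" }

    # Confirm the directory now shows every value Step 5 depends on
    $cas = Get-CASMailbox -Identity $Identity
    $mbx = Get-Mailbox -Identity $Identity
    $accessOff = -not ($cas.EwsEnabled -or $cas.ActiveSyncEnabled -or $cas.MAPIEnabled -or
                       $cas.OWAEnabled -or $cas.ImapEnabled -or $cas.PopEnabled)
    $recorded = $accessOff -and -not $mbx.SingleItemRecoveryEnabled -and $mbx.ElcProcessingDisabled -and
                ([TimeSpan]($mbx.RetainDeletedItemsFor.ToString())).Days -eq 30
    # A recorded setting has not necessarily taken effect: the playbook budgets 60 minutes
    # for client access and 240 minutes for single item recovery before Step 5 starts
    [pscustomobject]@{
        Mailbox            = $Identity
        SettingsRecorded   = $recorded
        AppliedAt          = $appliedAt
        EarliestStep5Start = $appliedAt.AddMinutes(240)
    }
}

Invoke-SpillagePrep -Identity $Mailbox | Format-List
```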
Step 3: Remove All Holds from the Mailbox
The last step before you can delete items from the Recoverable Items folder is to remove all holds (that you identified in Step 1) placed on the mailbox. All holds must be removed so that items will not be retained after you delete them from the Recoverable Items folder. There are different types of holds, and each type requires a different method for removing the hold. We will focus only on organization-wide retention policies in this article. See this KB for information on the other hold types and how to remove each one. Remember to check with your records management or legal departments before removing a hold from a mailbox.
Organization-wide retention policies
Organization-wide, Exchange-wide, and Teams-wide retention policies are applied to every mailbox in the organization. They are applied at the organization level (not the mailbox level) and are returned when you run the Get-OrganizationConfig cmdlet in Step 1.
1. Connect to Security & Compliance Center PowerShell and run the following command to identify the organization-wide retention policies. Use the GUID (not including the mbx prefix, and excluding the “:x” suffix) for the organization-wide retention policies that you identified in Step 1.
Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name
After you identify the organization-wide retention policies, go to the Information governance > Retention page in the Security & Compliance Center, edit each organization-wide retention policy that you identified in the previous step, and add the mailbox to the list of excluded recipients. Doing this will remove the user's mailbox from the retention policy.
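An added example (not from the original post or the Microsoft KB) that parses the InPlaceHolds values the way this step describes: it separates the type prefix, the GUID and the ":x" suffix, resolves each org-wide mbx entry to the policy name you must edit, and lists the mailbox-level holds for the other removal procedures. It assumes an Exchange Online session and a Security & Compliance Center session in the same window; the mailbox address is a placeholder.

```powershell
# Added example (not from the original post): split InPlaceHolds entries into prefix,
# GUID and action suffix, then map org-wide 'mbx' entries to retention policy names.
# Assumes Exchange Online and Security & Compliance sessions; mailbox is a placeholder.
function ConvertFrom-InPlaceHoldId {
    param([Parameter(Mandatory)][string]$HoldId)
    # Prefix = hold type (mbx/skp/grp for retention policies, UniH for eDiscovery holds);
    # GUID = policy or hold id; optional ":n" = the policy's retention action code
    $guid = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    if ($HoldId -match "^(?<prefix>[A-Za-z]+)(?<guid>$guid)(:(?<action>\d+))?$") {
        [pscustomobject]@{
            Raw    = $HoldId
            Prefix = $Matches.prefix
            Guid   = $Matches.guid
            Action = $Matches.action
        }
    } else {
        Write-Warning "Unrecognised InPlaceHolds value: $HoldId"
    }
}

$Mailbox  = 'user1@contoso.com'   # placeholder
$mbxHolds = @((Get-Mailbox -Identity $Mailbox).InPlaceHolds | Where-Object { $_ } | ForEach-Object { ConvertFrom-InPlaceHoldId $_ })
$orgHolds = @((Get-OrganizationConfig).InPlaceHolds | Where-Object { $_ } | ForEach-Object { ConvertFrom-InPlaceHoldId $_ })

# Org-wide entries with the mbx prefix apply to every mailbox: look each one up by
# bare GUID (no prefix, no suffix) to get the policy name to edit in the compliance center
foreach ($h in ($orgHolds | Where-Object Prefix -eq 'mbx')) {
    $policy = Get-RetentionCompliancePolicy -Identity $h.Guid -ErrorAction SilentlyContinue
    [pscustomobject]@{ HoldId = $h.Raw; PolicyName = $policy.Name; Action = $h.Action }
}

# Holds set on the mailbox itself need the other removal procedures from the KB
$mbxHolds | Format-Table Prefix, Guid, Action
```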
Step 4: Remove the Delay Hold from the Mailbox
After any type of hold is removed from a mailbox, the value of the DelayHoldApplied or DelayReleaseHoldApplied mailbox property is set to True. This occurs the next time the Managed Folder Assistant processes the mailbox and detects that a hold has been removed. This is called a delay hold and means the actual removal of the hold is delayed for 30 days to prevent data from being permanently deleted from the mailbox. (The purpose of a delay hold is to give admins an opportunity to search for or recover mailbox items that will be purged after a hold is removed.) When a delay hold is placed on the mailbox, the mailbox is still considered to be on hold for an unlimited duration, as if the mailbox was on Litigation Hold. After 30 days, the delay hold expires, and Microsoft 365 will automatically attempt to remove the delay hold (by setting the DelayHoldApplied or DelayReleaseHoldApplied property to False) so that the hold is removed. For more information about a delay hold, see "Managing mailboxes on delay hold".
If the value of the DelayHoldApplied or DelayReleaseHoldApplied property is set to True, run one of the following commands to remove the delay hold:
Set-Mailbox <username> -RemoveDelayHoldApplied
or
Set-Mailbox <username> -RemoveDelayReleaseHoldApplied
Step 5: Delete Items in the Recoverable Items Folder
Now you are ready to actually delete items in the Recoverable Items folder by using the New-ComplianceSearch and New-ComplianceSearchAction cmdlets in Security & Compliance Center PowerShell.
1. To search for items that are located in the Recoverable Items folder, it is recommended that you perform a targeted collection. This means you narrow the scope of your search only to items located in the Recoverable Items folder. You can do this by running the GetFolderSearchParameters.ps1 script, as described here. This script returns the value of the folder ID property for all the subfolders in the target Recoverable Items folder. Then you use the folder ID in a search query to return items located in that folder.
Instead of displaying a list of folders on the screen, you can redirect the output of the script to a text file. This file will be saved to the folder where the script is located. For example, to redirect the script output to a text file, run .\GetFolderSearchParameters.ps1 > MailboxnameFolderIds.txt. Then you can copy a folder ID or documentlink from the file to use in a search query.
Note: The GetFolderSearchParameters.ps1 script described here includes encoding logic that converts the 64-character folder Id values that are returned by Get-MailboxFolderStatistics to the same 48-character format that is indexed for search. If you just run the Get-MailboxFolderStatistics cmdlet in PowerShell to obtain a folder Id (instead of running the script described here), a search query that uses that folder Id value will fail. You have to run the script to get the correctly formatted folder Ids that can be used in a Content Search.
2. Here is a list and description of the subfolders in the Recoverable Items folder that you can search and delete items from:
a. Deletions: Contains soft-deleted items whose deleted item retention period has not expired. Users can recover soft-deleted items from this subfolder using the Recover Deleted Items tool in Outlook.
b. Purges: Contains hard-deleted items whose deleted item retention period has expired. Users can also hard-delete items by purging items from their Recoverable Items folder. If the mailbox is on hold, hard-deleted items are preserved. This subfolder is not visible to end users.
c. DiscoveryHolds: Contains hard-deleted items that have been preserved by an eDiscovery hold or a retention policy. This subfolder is not visible to end users.
d. SubstrateHolds: Contains hard-deleted items from Teams and other cloud-based apps that have been preserved by a retention policy or other type of hold. This subfolder is not visible to end users.
Copy the folder IDs for all subfolders in the Recoverable Items folder.
3. Use the New-ComplianceSearch cmdlet (in Security & Compliance Center PowerShell) or the Content search tool in the compliance center to create a content search that returns items from the target user's Recoverable Items folder. You can do this by including the FolderId in the search query for all subfolders that you want to search. For example, the following query returns all messages in the Purges and DiscoveryHolds subfolders:
folderid:<folder ID of Purges subfolder> OR folderid:<folder ID of DiscoveryHolds subfolder>
See here for more examples of running content searches that use the folder ID property.
If you use the New-ComplianceSearch cmdlet to search the Recoverable Items folder, be sure to use the Start-ComplianceSearch cmdlet to run the search.
For example:
a. To define the search criteria:
$Search = New-ComplianceSearch -Name "Remove Sensitive Data in Purge Subfolder" -ExchangeLocation All -ContentMatchQuery 'folderid:208B3EB7A2C2C345AF7B2190B7B41E9300000000011C0000 AND (Received:2/4/2001..2/10/2001) AND (Subject:"Sensitive Data")'
b. To start the search:
Start-ComplianceSearch -Identity $Search.Identity
c. To get a list of all searches:
Get-ComplianceSearch
d. To get the status of the search job (whether it is still running or has completed):
Get-ComplianceSearch -Identity "Remove Sensitive Data in Purge Subfolder" | Format-List
4. After you have created a content search and validated that it returns the items that you want to delete, use the New-ComplianceSearchAction -Purge -PurgeType HardDelete command (in Security & Compliance Center PowerShell) to permanently delete the items returned by the content search that you created in the previous step. For example, you can run a command similar to the following command:
New-ComplianceSearchAction -SearchName "Remove Sensitive Data in Purge Subfolder" -Purge -PurgeType HardDelete
4b. To get the status of the delete job, run Get-ComplianceSearchAction -Identity "Remove Sensitive Data in Purge Subfolder_Purge" | Format-List (note that the Identity is the name of the search action, which is the search name with _Purge appended, not the name of the search).
5. A maximum of 10 items per mailbox are deleted when you run the previous command. That means you may have to run the New-ComplianceSearchAction -Purge command multiple times to delete all the items that you want to delete in the Recoverable Items folder. To delete additional items, you first have to remove the previous compliance search purge action. You do this by running the Remove-ComplianceSearchAction cmdlet. For example, to delete the purge action that was run in the previous step, run the following command:
Remove-ComplianceSearchAction "Remove Sensitive Data in Purge Subfolder_Purge"
After you do this, you can create a new compliance search purge action to delete more items. You will have to delete each purge action before creating a new one.
To get a list of the compliance search actions, you can run the Get-ComplianceSearchAction cmdlet. Purge actions are identified by _Purge appended to the search name.
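The whole of Step 5 as one script, added here as an example (not from the original post or the Microsoft KB): it builds the folderid: query, runs the search, and then repeats the purge action until the search returns nothing, because each purge removes at most 10 items per mailbox. It assumes a Security & Compliance Center PowerShell session; the search name, mailbox, folder IDs and subject are placeholders, and the search is scoped to the one mailbox rather than the post's -ExchangeLocation All.

```powershell
# Added example (not from the original post): targeted search plus a purge loop that
# repeats the 10-item purge action until no matching items remain.
# Assumes a Security & Compliance Center PowerShell session; values below are placeholders.
$SearchName = 'Remove Sensitive Data in Purge Subfolder'              # placeholder
$Mailbox    = 'user1@contoso.com'                                      # placeholder
$FolderIds  = @('<Purges folder ID>', '<DiscoveryHolds folder ID>')    # placeholders: take them from GetFolderSearchParameters.ps1
$Subject    = 'Sensitive Data'                                         # placeholder

# One folderid: term per subfolder joined with OR, then the item criteria
$folderClause = ($FolderIds | ForEach-Object { "folderid:$_" }) -join ' OR '
$query = "($folderClause) AND (Subject:`"$Subject`")"

function Wait-ComplianceJob {
    # Polls a search or search action until its Status is Completed and returns it
    param([Parameter(Mandatory)][scriptblock]$Get, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $job = & $Get
    } until ($job.Status -eq 'Completed' -or (Get-Date) -gt $deadline)
    if ($job.Status -ne 'Completed') { throw "Timed out: $($job.Name) is still $($job.Status)" }
    return $job
}

# Scoped to the one mailbox; the folder IDs are unique to it anyway
$search = New-ComplianceSearch -Name $SearchName -ExchangeLocation $Mailbox -ContentMatchQuery $query
Start-ComplianceSearch -Identity $search.Identity
$result = Wait-ComplianceJob -Get { Get-ComplianceSearch -Identity $SearchName }
"Search found $($result.Items) item(s). Validate the hits before running the purge loop."

function Invoke-SpillagePurgeLoop {
    param([Parameter(Mandatory)][string]$SearchName, [int]$MaxRounds = 50)
    $purgeName = "${SearchName}_Purge"   # purge actions are named <search name>_Purge
    for ($round = 1; $round -le $MaxRounds; $round++) {
        New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType HardDelete -Confirm:$false | Out-Null
        Wait-ComplianceJob -Get { Get-ComplianceSearchAction -Identity $purgeName } | Out-Null
        # The previous purge action must be removed before a new one can be created
        Remove-ComplianceSearchAction -Identity $purgeName -Confirm:$false
        # Re-run the search to see how many matching items are left
        Start-ComplianceSearch -Identity $SearchName
        $left = (Wait-ComplianceJob -Get { Get-ComplianceSearch -Identity $SearchName }).Items
        "Round ${round}: $left item(s) remaining"
        if ($left -eq 0) { return }
    }
    Write-Warning "Stopped after $MaxRounds rounds; items may remain in the Recoverable Items folder"
}

# Invoke-SpillagePurgeLoop -SearchName $SearchName   # run only after validating the search results
```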
Verify that Items Were Deleted
To verify that you have successfully deleted items from the Recoverable Items folder of a mailbox, use the Get-MailboxFolderStatistics cmdlet in Exchange Online PowerShell to check the size and number of items in the Recoverable Items folder. You can compare these statistics with the ones you collected in Step 1.
Run the following command to get the current size and total number of items in folders and subfolders in the Recoverable Items folder in the user's primary mailbox.
Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders
Step 6: Revert the Mailbox to its Previous State
The final step is to revert the mailbox to its previous configuration. This means resetting the properties that you changed in Step 2 and reapplying the holds that you removed in Step 3. This includes:
· Changing the deleted item retention period back to its previous value. Alternatively, you can just leave this set to 30 days, the maximum value in Exchange Online.
· Re-enabling single item recovery.
· Re-enabling the client access methods so that the owner can access their mailbox.
· Reapplying the holds and retention policies that you removed.
· Re-enabling the Managed Folder Assistant to process the mailbox.
Important: Microsoft recommends that you wait 24 hours after reapplying a hold or retention policy (and verifying that it is in place) before you re-enable the Managed Folder Assistant to process the mailbox.
Perform the following steps (in the specified sequence) in Exchange Online PowerShell.
1. Run the following command to change the deleted item retention period back to its original value. This assumes that the previous setting is less than 30 days; for example, 14 days.
Set-Mailbox <username> -RetainDeletedItemsFor 14
2. Run the following command to re-enable single item recovery.
Set-Mailbox <username> -SingleItemRecoveryEnabled $true
3. Run the following command to re-enable all client access methods to the mailbox.
Set-CASMailbox <username> -EwsEnabled $true -ActiveSyncEnabled $true -MAPIEnabled $true -OWAEnabled $true -ImapEnabled $true -PopEnabled $true
4. Reapply the holds that you removed in Step 3. Depending on the type of hold, use one of the procedures described here.
5. Run the following command to allow the Managed Folder Assistant to process the mailbox again. As previously stated, we recommend that you wait 24 hours after reapplying a hold or retention policy (and verifying that it is in place) before you re-enable the Managed Folder Assistant.
Set-Mailbox <username> -ElcProcessingDisabled $false
6. To verify that the mailbox has been reverted back to its previous configuration, you can run the following commands and then compare the settings to the ones that you collected in Step 1.
Get-Mailbox <username> | FL ElcProcessingDisabled,InPlaceHolds,LitigationHoldEnabled,RetainDeletedItemsFor,SingleItemRecoveryEnabled
Get-CASMailbox <username> | FL EwsEnabled,ActiveSyncEnabled,MAPIEnabled,OWAEnabled,ImapEnabled,PopEnabled
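Step 6 driven from a saved baseline, added here as an example (not from the original post or the Microsoft KB): it restores the settings, reports any hold still missing (holds are reapplied by hand), re-enables the Managed Folder Assistant only when asked, and returns the names of any properties that still differ. It assumes an Exchange Online PowerShell session and a baseline object saved with Export-Clixml carrying Mailbox, RetainDeletedItemsFor (in days), SingleItemRecoveryEnabled, ElcProcessingDisabled, LitigationHoldEnabled, InPlaceHolds and ClientAccess (the Get-CASMailbox flags); the file path is a placeholder.

```powershell
# Added example (not from the original post): restore the Step 1 baseline saved with
# Export-Clixml and report what still differs from it.
# Assumes an Exchange Online PowerShell session; the baseline path is a placeholder.
function Restore-SpillageBaseline {
    param(
        [Parameter(Mandatory)][string]$BaselineFile,
        [switch]$ReenableManagedFolderAssistant   # use 24 hours after the holds are verified
    )
    $b = Import-Clixml -Path $BaselineFile
    $m = $b.Mailbox
    # 1. Deleted item retention back to its original value (in days)
    Set-Mailbox -Identity $m -RetainDeletedItemsFor $b.RetainDeletedItemsFor
    # 2. Single item recovery back to its original state
    Set-Mailbox -Identity $m -SingleItemRecoveryEnabled $b.SingleItemRecoveryEnabled
    # 3. Client access methods back to their original states
    $c = $b.ClientAccess
    Set-CASMailbox -Identity $m -EwsEnabled $c.EwsEnabled -ActiveSyncEnabled $c.ActiveSyncEnabled `
        -MAPIEnabled $c.MAPIEnabled -OWAEnabled $c.OWAEnabled -ImapEnabled $c.ImapEnabled -PopEnabled $c.PopEnabled
    # 4. Holds are reapplied by hand; report any baseline hold not yet back on the mailbox
    $now = Get-Mailbox -Identity $m
    $missing = @($b.InPlaceHolds | Where-Object { $_ -notin @($now.InPlaceHolds) })
    if ($missing) { Write-Warning "$m : holds still to reapply: $($missing -join ', ')" }
    if ($b.LitigationHoldEnabled -and -not $now.LitigationHoldEnabled) { Write-Warning "$m : Litigation Hold still to reapply" }
    # 5. Managed Folder Assistant only on request, and only once every hold is back
    if ($ReenableManagedFolderAssistant -and -not $missing) {
        Set-Mailbox -Identity $m -ElcProcessingDisabled $b.ElcProcessingDisabled
        $now = Get-Mailbox -Identity $m
    }
    # 6. Verify: return the name of every property that still differs from the baseline
    $cas = Get-CASMailbox -Identity $m
    $checks = [ordered]@{
        RetainDeletedItemsFor     = ([TimeSpan]($now.RetainDeletedItemsFor.ToString())).Days -eq $b.RetainDeletedItemsFor
        SingleItemRecoveryEnabled = $now.SingleItemRecoveryEnabled -eq $b.SingleItemRecoveryEnabled
        ElcProcessingDisabled     = $now.ElcProcessingDisabled -eq $b.ElcProcessingDisabled
        LitigationHoldEnabled     = $now.LitigationHoldEnabled -eq $b.LitigationHoldEnabled
        InPlaceHolds              = ($missing.Count -eq 0)
    }
    foreach ($p in 'EwsEnabled','ActiveSyncEnabled','MAPIEnabled','OWAEnabled','ImapEnabled','PopEnabled') {
        $checks[$p] = ($cas.$p -eq $c.$p)
    }
    $checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key }
}

# Day 0: revert the settings, then reapply the holds by hand.
# Day 1 (24 hours after the holds are verified): add -ReenableManagedFolderAssistant.
$file = 'C:\Spillage\Baseline\user1_contoso_com.baseline.xml'   # placeholder
Restore-SpillageBaseline -BaselineFile $file
```

An empty result means every property matches the baseline; each name returned is a property still to fix.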