Email search for a time period

[lmendel]

Hi,

We have a customer for whom we provide M365 backup services. Although they have chosen not to invest in a proper journaling or compliance solution, they occasionally request searches for specific emails within defined timeframes typically in anticipation of possible litigation.

For example, they may request a search for all emails sent from sender@imaginary.email.com to mailbox@tenantxyz.com between 1 January 2024, and 1 March 2024.

I’ve explained to them that our backup solution is not designed as a compliance search or journaling tool, and there’s a possibility the requested emails may not be available. However, given that backups are their only option, they’re willing to cover any costs associated with performing these searches.

Could you advise on how to script such a search—either using PowerShell or a REST API—based on the data available in the M365 backups?

Best regards

[lmendel]

Anyone?

[track1044]

I would tell them to use Compliance Search (eDiscovery) in M365 and this would not be needed.Aand most likely save them a lot of money and headache in the process.

If you do this on the backup side, which it is not meant for, you would have to go trough each Restore Point within that period, get all backup items from the sender and filter on the sent email.
It would take quite a while to develop, setup and troubleshoot, but I wouldn't say its impossible. Just very time consuming. You would also have to validate the output to make sure nothing is missed if the company is to trust the data. That will take a bit as well.
The data can be feched via API or Powershell, so thats a preference thing.

[barkerxavierr]

Having dealt with similar requests, I agree that using M365 Compliance Search is far more efficient and reliable than digging through backups for email searches. Backup data isn’t designed for quick or accurate compliance queries, and scripting this would be a time-consuming, error-prone process. It’s definitely worth pushing clients toward proper compliance tools to avoid headaches down the line.
fnfgo

[lmendel]

Due to various reasons this is the only option for the customer.

I'm working on a script to search through array returned by Get-VBORestorePoint, but I'm stuck on passing the results to Start-VBOExchangeItemRestoreSession

All examples I can see online only show restore/restore session from the last point as in:

Code: Select all

 Start-VBOExchangeItemRestoreSession -lateststate -Organization $organization

And this works fine but if I try to pass the Get-VBORestorePoint array to Start-VBOExchangeItemRestoreSession like this:

Code: Select all

 $restorepoint = Get-VBORestorePoint 
 
 It fails with:
 "Start-VBOExchangeItemRestoreSession: Cannot convert 'System.Object[]' to the type 'Veeam.Archiver.PowerShell.Integration.Interfaces.IVBORestorePoint' required by parameter 'RestorePoint'. Specified method is not supported."
 
 or
 "Start-VBOExchangeItemRestoreSession : Cannot bind parameter 'RestorePoint'. Cannot convert the "20/02/2025 02:00:11    192c5773-f091-4105-99fd-7644bc3d07a4                 772b2840-c6e9-4809-9312-8e8910cd1eee                2904781f-945b-4eca-a015-22a029ce9a77                 True       True         True       True    False   False          False" value of type "System.String" to type "Veeam.Archiver.PowerShell.Integration.Interfaces.IVBORestorePoint". 

Get-VBORestorePoint is filtered to be org specific of course, any ideas?

[Polina]

Hi Lukasz,

It's not possible to perform a search across multiple restore points, but within a single selected RP you can find, for example, all mails sent by a specifc user within the given time range.

For that, you use the Get-VEXItem cmdlet and specify the Query parameters.

[lmendel]

Hi Polina,

Maybe I'm wasting my own time here. Tenant asked us to export all backup points for 4 months period, as this the only way for them to possibly find missing email. If email was received into mailbox and deleted and removed from 'deleted items' before backup took place, will it show if I open backup from the date in that 4 months period, with 'show deleted' option ticked? If so then scripting restore is unnecessary.

As for the script and question see below:

I got a script which runs fine, it starts a restore session, searches for emails sent to certain mailbox from specific address and dumps results into PST file. Script looks like this:

Code: Select all

$organization = Get-VBOOrganization -Name "testorg.onmicrosoft.com"
Start-VBOExchangeItemRestoreSession -lateststate -Organization $organization
$session = Get-VBOExchangeItemRestoreSession
$database = Get-VEXDatabase -Session $session
$mailbox = Get-VEXMailbox -Database $database -name abc@test.tenant.com
$item = Get-VEXItem -Mailbox $mailbox -query "from:abcdef@sender.com"
Export-VEXItem -item $item -To "e:\date.competent.pst"
Stop-VBOExchangeItemRestoreSession -session $session 

What I'm trying to achieve is to make a loop which will go through points available in array created by Get-VBORestorePoint, perform the search and dump results into a file and then start with another restore point.

So for example utilize something like this:

Code: Select all

 $restorepoints = Get-VBORestorePoint

Gives the following results (below truncated to just for 4 points manually for visibility)

Code: Select all

 
BackupTime             OrganizationId                                       JobId                                                RepositoryId                                         IsExchange IsSharePoint IsOneDrive IsTeams IsCopy  IsLongTermCopy IsRetrieved
----------             --------------                                       -----                                                ------------                                         ---------- ------------ ---------- ------- ------  -------------- -----------
05/03/2025 00:36:25    192c5773-f091-4105-99fd-7644bc3d07a4                 772b2840-c6e9-4809-9312-8e8910cd1eee                 2904781f-945b-4eca-a015-22a029ce9a77                 False      False        True       False   False   False          False
05/03/2025 00:24:58    192c5773-f091-4105-99fd-7644bc3d07a4                 772b2840-c6e9-4809-9312-8e8910cd1eee                 2904781f-945b-4eca-a015-22a029ce9a77                 True       True         True       True    False   False          False
01/02/2025 03:53:26    192c5773-f091-4105-99fd-7644bc3d07a4                 772b2840-c6e9-4809-9312-8e8910cd1eee                 2904781f-945b-4eca-a015-22a029ce9a77                 False      True         False      False   False   False          False
01/02/2025 03:28:09    192c5773-f091-4105-99fd-7644bc3d07a4                 772b2840-c6e9-4809-9312-8e8910cd1eee                 2904781f-945b-4eca-a015-22a029ce9a77                 False      True         False      False   False   False          False 

But I don't know how to pass the result to Start-VBOExchangeItemRestoreSession According to https://helpcenter.veeam.com/docs/backu ... ml?ver=120 this cmdlet should accept paramter called 'RestorePoint' which 'Accepts the IVBORestorePoint object. To get this object, run the Get-VBORestorePoint cmdlet.' but I don't know how to pass it on?

Alternatively how does one manually specify restore point when using Start-VBOExchangeItemRestoreSession -RestorePoint? I can only get that cmdlet to run with -LastestState

Thanks

[lmendel]

Thinking about it if the email we ever included in the backup it should come up when 'show deleted' option is enabled, if it wasn't captured by the backup even once it won't show up anyway.

[Polina]

You last thought is correct. If it was captured by backup once and then deleted in production, in the backup it will remain with the IsDeleted flag, and when using the 'Show deleted' option it will be displayed. If it's not the case, then it's not in the backup at all.

[track1044]

You probably want something like this:

Code: Select all

$restorePoints = Get-VBORestorePoint

foreach ($restorePoint in $restorePoints) {
    if ($restorePoint.isExchange -eq $true) {
        $session = Start-VBOExchangeItemRestoreSession -RestorePoint $restorePoint
        $database = Get-VEXDatabase -Session $session
        $mailbox = Get-VEXMailbox -Database $database -name abc@test.tenant.com
        if ($mailbox) {
        	$item = Get-VEXItem -Mailbox $mailbox -query "from:abcdef@sender.com"
        }
        if ($item) {
        	Export-VEXItem -item $item -To "e:\date.competent.pst"
        }
        Stop-VBOExchangeItemRestoreSession -session $session 
        }
    }
}

You can use Start-VBOExchangeItemRestoreSession -RestorePoint $restorePoint -ShowDeleted:$true if you want to see deleted items.