How to enable, verify and test Litigation Hold in Office 365 – Step by Step

In this blog post, I’ll demonstrate step by step how to enable, verify and test litigation hold in Office 365.  I’ll be focusing specifically on the Exchange Online workload.

1.  Enable Litigation Hold

You can enable litigation hold for a mailbox by running the following command from the Exchange Online shell, replacing the "<mailbox>" placeholder with the mailbox's alias or email address (note:  steps to connect PowerShell to Exchange Online can be found here).

Set-Mailbox -Identity "<mailbox>" -LitigationHoldEnabled $true


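You can enable litigation hold for all users using the following command. It selects every user mailbox with the Enterprise capability that is not yet on hold and pipes the result to Set-Mailbox.

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Filter {PersistedCapabilities -eq "BPOS_S_Enterprise" -and LitigationHoldEnabled -ne $true} | Set-Mailbox -LitigationHoldEnabled $true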

If you want to automate the process, so that when new mailboxes are created they are automatically enabled for litigation hold, please see this blog from Vasil Michev.

2.  Verify Litigation Hold is enabled

To verify litigation hold is enabled, run the following command, replacing the "<mailbox>" placeholder with the mailbox's alias or email address.

Get-Mailbox -Identity "<mailbox>" | fl Identity, LitigationHold*


3.  How to test litigation hold

In the next steps we are going to delete an email so that it cannot be retrieved by the end users in Outlook, and then as an admin perform a search in the Office 365 portal to retrieve the email.

When a user deletes an item, it goes to the deleted items folder, where it can be recovered by the end user.



If the item is emptied / deleted from the “Deleted Items” folder, it goes into the “Recoverable Items” folder, where it can still be retrieved by the end user.

Note:  There is a 14-day retention period for items removed from the Deleted Items folder, after which they cannot be retrieved by the end user. (Details here).


Once the item is removed from the Deleted Items folder (either automatically by Office 365 after 14 days, or manually by the end user choosing “Purge Selected Items”), it is no longer retrievable by the end user.


If the mailbox is on litigation hold, the item can be retrieved by an Office 365 Administrator.  If the mailbox is not on litigation hold, the item cannot be retrieved.
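A scripted version of the check from step 2, combined with a look at the Recoverable Items subfolders described above, as an added example that is not part of the original post. It assumes an already connected Exchange Online PowerShell session; the function name Get-LitigationHoldReport and the mailbox address are hypothetical.

```powershell
# Added example. Requires an existing Exchange Online PowerShell session
# (for instance via Connect-ExchangeOnline).
param(
    [string]$Mailbox = 'user@example.com'   # placeholder: replace with the mailbox under test
)

function Get-LitigationHoldReport {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop

    # Subfolders of Recoverable Items:
    #   Deletions - items removed from Deleted Items, still recoverable by the user
    #   Purges    - items the user purged; under litigation hold they stay here
    #               so that an administrator can still find them with a search
    $folders = Get-MailboxFolderStatistics -Identity $Identity -FolderScope RecoverableItems |
        Where-Object { $_.Name -in 'Deletions', 'Purges', 'DiscoveryHolds', 'Versions' } |
        Select-Object Name, ItemsInFolder, FolderSize

    [pscustomobject]@{
        Mailbox                = $mbx.PrimarySmtpAddress
        LitigationHoldEnabled  = $mbx.LitigationHoldEnabled
        LitigationHoldDate     = $mbx.LitigationHoldDate
        LitigationHoldOwner    = $mbx.LitigationHoldOwner
        LitigationHoldDuration = $mbx.LitigationHoldDuration
        RecoverableItems       = $folders
    }
}

$report = Get-LitigationHoldReport -Identity $Mailbox
$report | Format-List Mailbox, LitigationHold*
$report.RecoverableItems | Format-Table -AutoSize

if (-not $report.LitigationHoldEnabled) {
    Write-Warning "$Mailbox is not on litigation hold."
}

# Tenant-wide gap check: user mailboxes that are still not on hold.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Filter 'LitigationHoldEnabled -ne $true' |
    Select-Object DisplayName, PrimarySmtpAddress
```

Running it before and after the test deletion shows the item count in Purges rising when the user purges the message.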

Next, we will use Office 365 e-Discovery search to retrieve an item that has been deleted from the Deleted Items folder, for a mailbox that is on litigation hold.

Log into the Office 365 portal with an account that has a minimum of E-Discovery Manager permissions

Note:  E-Discovery Manager permissions are set here


Navigate to the Security & Compliance admin centre


Navigate to Search & Investigation and choose “Content Search”


Choose “New Search”


Under Locations > Specific locations click Modify


For “Exchange Email”, select “Choose users”


Search for the required user


In Keywords, add a “condition” to filter the search for specific details about the email to be retrieved.  Then click Save & Run



Enter a description for the Search


The results show the mail item to be retrieved


There are a few options here as to how the email item is recovered into the mailbox:

  1. Export to EML file
  2. Export to PST file


Export to EML File

For single email items, you can choose “Download Original Item”.  This will allow you to save the email as an .EML file


The file can then be opened on a client that has Outlook installed



And saved back into the mailbox using the “Move” option



Export to PST file

For recovery of many items, exporting to PST file might be a better option

From the results preview, choose More > Export Results


Choose export options and then select EXPORT


Click on the EXPORT tab, copy the export key, and then select “Download Results”


Click to install the Microsoft Office 365 eDiscovery Export Tool


Paste the export key, choose a download location, and click Start



When complete, a PST file is created


Finally, this can then be opened using Outlook and / or imported into the mailbox


That’s all for now, hope you found it useful.
