Deleted Email or Teams Messages? How Purview eDiscovery Finds (and Misses) Them

by | Dec 30, 2025 | M365

If HR or Legal asks IT to retrieve “deleted” emails or Teams messages, the most important thing to know is this: deleted does not always mean gone. In Microsoft 365, data often moves through a lifecycle where it may remain available for compliance and legal purposes—if retention policies or holds are in place.

This guide explains what “deleted” really means in Microsoft 365, what Purview eDiscovery can and cannot do, and how to run a defensible investigation workflow (case → sources → query → review set → export). It also includes a simple retention vs backup comparison, a visual lifecycle diagram, and common mistakes IT teams make during eDiscovery.

Legal Disclaimer: This article is for educational and IT operations guidance only and does not constitute legal advice. Always follow your organization’s HR policies, legal counsel direction, and local privacy laws. Use eDiscovery only with proper authorization, role-based access, and documented business justification.

What “Deleted” Actually Means in Microsoft 365 (Retention Lifecycle)

In Microsoft 365, a user action like deleting an email or removing a message can move data into different states. Understanding this lifecycle prevents unrealistic expectations and helps HR understand what is possible.

  • Active: Data exists in normal locations (Mailbox, Teams, SharePoint, OneDrive).
  • Deleted: Items often move into a deleted state (for example, Deleted Items or similar containers).
  • Recoverable / Preservation: Some content may remain recoverable or preserved depending on service behavior and settings.
  • Retention Hold / Litigation Hold: Retention policies or mailbox holds can prevent permanent deletion for a defined period.
  • Permanent Deletion: Once retention windows expire and no holds apply, content may no longer be recoverable.

[Image: Microsoft 365 data lifecycle showing active, deleted, recoverable items, retention hold and permanent deletion]
Microsoft 365 data lifecycle: retention policies and holds can preserve content beyond user deletion.

What Purview eDiscovery Can Do (In Real Investigations)

Microsoft Purview eDiscovery is designed for authorized compliance and legal discovery. In practical HR/legal scenarios, eDiscovery can help IT:

  • Create a formal case with controlled access and auditability
  • Search scoped data sources for relevant content using keywords + date filters
  • Preserve relevant information via hold workflows (depending on licensing and configuration)
  • Collect results into a review set for controlled analysis
  • Export results for legal review or HR investigation

What Purview eDiscovery Cannot Do (Important Limitations)

These are the most common “hard boundaries” where eDiscovery cannot help:

  • It cannot recover what no longer exists: If retention expired and data was permanently deleted, eDiscovery can’t re-create it.
  • It is not a backup restore tool: eDiscovery exports data for review; it does not “restore” chat history back to Teams like a backup solution might.
  • Wrong scope = missing results: Searching the wrong custodian, wrong locations, or wrong dates leads to incomplete findings.
  • Permission and licensing matter: If your environment lacks required licensing/features, certain collection options may be unavailable.

Retention vs Backup (Short Comparison)

HR often expects “deleted = recoverable forever.” This table helps set expectations clearly.

| Category | Retention (Microsoft Purview) | Backup (Separate backup tool) |
|---|---|---|
| Purpose | Compliance: keep/delete content per policy | Recovery: restore after loss/corruption |
| Restores data to user apps | No (export + investigation workflow) | Often yes (restore mailbox/files/chat items) |
| Legal review workflow | Yes (cases, searches, review sets) | Varies by vendor |
| Best used for | Investigations, compliance, defensible exports | Operational recovery, ransomware recovery, accidental deletion |

Step-by-Step: Run Purview eDiscovery for Deleted Email & Teams Messages

Step 1: Create a Case

Create a case with a neutral, trackable name (example: HR-INV-YYYYMMDD). Avoid writing sensitive allegations in the case description—keep it minimal.

[Image: Create new eDiscovery case in Microsoft Purview with case name and case description fields]
Create a case first. All searches, holds, and review sets live inside the case.

Step 2: Validate Case Access and Permissions

Keep access limited to authorized reviewers only. Having too many reviewers increases privacy exposure and risk.

[Image: Purview eDiscovery case permissions showing users and role groups]
Restrict case access to only the minimum required HR/Legal/Compliance reviewers.

Step 3: Add Custodian / Data Sources

Choose the right custodian(s). If HR wants content for one employee, start with that employee only. You can expand scope later if needed.

[Image: Add sources panel in Microsoft Purview eDiscovery showing user search and location options]
Add the correct person and locations (mailbox and/or sites) so Teams and email data is included.

Step 4: Build Your Query (Keywords + Dates)

This is where your results are won or lost. Use a defensible query approach:

  • Start broad: Use date range only (no keywords) to confirm hit volume.
  • Add keywords: Add names, topics, phrases, project names.
  • Narrow slowly: Avoid overly narrow keywords until you confirm you’re not missing data.

[Image: Purview eDiscovery query builder with keyword condition, date range and Run query button]
Query Builder: combine keyword filtering with date range scoping, then run query to generate results.

Step 5: Validate the Search Statistics Before Exporting

Before moving to review sets or export, validate the statistics. This helps you confirm:

  • Total match count makes sense
  • Hits are coming from expected locations (mailbox vs sites)
  • Your scope is not too broad or too narrow

[Image: Purview eDiscovery statistics showing total matches and location breakdown charts]
Statistics confirm your scope and locations before you move content into a review set or export.

Step 6: Add Results to a Review Set (Critical for Defensible Review)

A review set is where results become a controlled dataset for review and export. This is critical for auditability and legal defensibility.

[Image: Add to review set dialog in Purview eDiscovery showing new review set name and indexed items selection]
Review sets help lock down a consistent dataset for review, tagging, and controlled export.
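
Steps 1 to 5 can also be scripted with Security & Compliance PowerShell, which makes the "start broad, then narrow" comparison repeatable and easy to document. This is an added example, not part of the original article; the case name, custodian address, date range and keywords are constructed placeholders, and adding results to a review set still happens in the portal.

```powershell
# Added example. Case name, custodian, dates and keywords are constructed placeholders.
# Needs the ExchangeOnlineManagement module and eDiscovery role-group membership.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$caseName  = 'HR-INV-20250401'                        # Step 1: neutral, trackable name
$custodian = 'custodian@example.com'                  # Step 3: start with one mailbox
$dateScope = '(sent>=2025-01-01 AND sent<=2025-03-31)'
$keywords  = '("Project Falcon" OR "severance")'

New-ComplianceCase -Name $caseName -Description 'HR request, see approval record' | Out-Null

# Step 2: list who can open the case before any content is collected.
Get-ComplianceCaseMember -Case $caseName

function Invoke-ScopedSearch {
    param([string]$Name, [string]$Query)
    # Creates a search inside the case, runs it, and waits for the estimate.
    New-ComplianceSearch -Name $Name -Case $caseName `
        -ExchangeLocation $custodian -ContentMatchQuery $Query | Out-Null
    Start-ComplianceSearch -Identity $Name
    do {
        Start-Sleep -Seconds 15
        $search = Get-ComplianceSearch -Identity $Name
    } while ($search.Status -ne 'Completed')
    return $search
}

# Step 4: date range only first, then the same range with keywords.
$broad  = Invoke-ScopedSearch -Name "$caseName-broad"  -Query $dateScope
$narrow = Invoke-ScopedSearch -Name "$caseName-narrow" -Query "$dateScope AND $keywords"

# Step 5: compare hit volume, then read the per-location results.
$broad, $narrow |
    Select-Object Name, ContentMatchQuery, Items, Size |
    Format-Table -AutoSize
$narrow.SuccessResults

if ($broad.Items -eq 0) {
    Write-Warning 'No items in the date range: check custodian, locations and retention before adding keywords.'
} elseif ($narrow.Items -eq 0) {
    Write-Warning 'Date range has hits but the keywords return none: the keywords may be too narrow.'
}
```

Keeping both searches in the case leaves a record of the exact queries and hit counts that led to the final scope.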

Litigation Hold: What It Is and How IT Applies It

Litigation Hold is an Exchange mailbox preservation feature. When enabled, it preserves mailbox content (including deletions and modifications) so the organization can meet legal obligations.

When HR/Legal should request it:

  • Active legal disputes
  • Formal investigations where evidence preservation is required
  • Any situation where counsel requests preservation

[Image: Exchange admin center Manage litigation hold pane showing hold duration and Save button]
Litigation hold preserves mailbox content so deleted or modified items remain discoverable for legal purposes.
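
Before telling HR what is recoverable, check what is actually preserving the mailbox and what is still in Recoverable Items. The following Exchange Online PowerShell sketch is an added example, not part of the original article; the mailbox address, approval flag and hold duration are constructed placeholders.

```powershell
# Added example. Mailbox address, approval flag and duration are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$custodian       = 'custodian@example.com'
$counselApproved = $false    # set to $true only once the preservation request is on record
$holdDays        = 365       # placeholder; counsel decides the duration

# What is currently preserving this mailbox?
# InPlaceHolds lists the hold and retention policy GUIDs applied to the mailbox.
$mbx = Get-Mailbox -Identity $custodian
$mbx | Format-List DisplayName, LitigationHoldEnabled, LitigationHoldDate,
    LitigationHoldDuration, LitigationHoldOwner, InPlaceHolds,
    RetainDeletedItemsFor, SingleItemRecoveryEnabled

# What is still sitting in Recoverable Items after user deletion?
Get-MailboxFolderStatistics -Identity $custodian -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize |
    Format-Table -AutoSize

if ($mbx.LitigationHoldEnabled) {
    Write-Output "Litigation hold is already enabled on $custodian."
} elseif ($counselApproved) {
    # Apply the hold, then read the setting back to confirm it was saved.
    Set-Mailbox -Identity $custodian -LitigationHoldEnabled $true -LitigationHoldDuration $holdDays
    Get-Mailbox -Identity $custodian |
        Format-List LitigationHoldEnabled, LitigationHoldDuration
} else {
    Write-Warning "No litigation hold on $custodian; deleted items are kept for $($mbx.RetainDeletedItemsFor) unless a retention policy applies."
}
```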

Common Mistakes IT Makes During eDiscovery

  • Promising recovery without checking retention/holds
  • Over-collecting (too broad scope creates privacy and review problems)
  • Not documenting authorization (HR/legal approval should be recorded)
  • Adding too many case members (permission sprawl)
  • Skipping review sets (exports become messy and less defensible)

People Also Ask

Can IT retrieve deleted Teams messages?

Yes, if the Teams content still exists in Microsoft 365 locations due to retention policies, holds, or service preservation behavior. If the data has been permanently purged and retention has expired, it may not be recoverable.

Does eDiscovery recover permanently deleted emails?

Not if they are truly gone. eDiscovery can collect what still exists in retained locations. Litigation hold and retention significantly increase recoverability.

Why do eDiscovery searches show fewer results than expected?

Common causes include wrong date range, missing custodians, wrong locations, keyword filters that are too strict, or content that has already aged out of retention.

Is a Review Set required?

In most investigations, yes. Review sets provide a controlled dataset for review, tagging, and export.

Is retention the same as backup?

No. Retention is compliance-driven data lifecycle management. Backups are designed for restoring data after loss or corruption.

Frequently Asked Questions

Can Microsoft Purview eDiscovery retrieve deleted Teams chat messages?

It can retrieve Teams-related content when it still exists in Microsoft 365 locations due to retention policies, holds, or preservation behavior. If content is permanently purged and not retained, it may not be retrievable.

What is the difference between retention and litigation hold?

Retention is policy-based lifecycle management (keep or delete after a period). Litigation hold is mailbox-specific legal preservation that retains deleted and modified items until the hold is removed or expires.

Why do eDiscovery results look incomplete?

Most incomplete searches are caused by incorrect date scope, missing custodians, searching the wrong locations (mailbox vs site), or keywords that are too narrow.

Do I need a review set for every investigation?

In most cases, yes. A review set creates a controlled dataset for consistent review, tagging, and defensible export.

Does eDiscovery work like a backup restore?

No. eDiscovery is for investigation and export, not restoring data back into Teams or Outlook like a backup tool would.
