Overview
I recently had a need to delete a phishing email that had slipped through my emailing filter solution. Manually deleting the email from hundreds of mailboxes wouldn’t have been fun or quick so I can came up the below solution.
The Office 365 Content Search feature can be used to search Exchange, Skype and SharePoint amongst other things. In my case I wanted to search and delete all exchange email delivered after a certain date with a specific keyword in the subject.
Step 1: Creating the Content Search Rule
- Head over to https://protection.office.com
- Expand Search & Investigation => Content Search and click the plus icon to create a new rule
- Give the rule a name, rather than searching everywhere I selected the option to “Search all mailboxes” for my needs. Click Next
- At the bottom entire the relevant criteria to identify the emails you wish to delete. Click Search
- IMPORTANT Use the search statistics and the “Preview search results” link to verify you rule is only matching the intended emails, else you may be deleting more than desired.
Step 2: Deleting the matched emails via PowerShell
1. Connecting to the Security and Compliance Center
|
1 2 3 |
$UserCredential = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection Import-PSSession $Session |
2. Deleting the emails matching the Content Search rule
|
1 |
New-ComplianceSearchAction -SearchName "RuleName" -Purge -PurgeType SoftDelete |
Step 3: Checking the Status
Using the below command you can get a summary of the status of the action;
|
1 |
Get-ComplianceSearchAction |
Or you can get a detailed output for the action using the below;
|
1 |
Get-ComplianceSearchAction -Identity "RuleName_Purge" | Format-List |
References
Run a Content Search in the Office 365 Security & Compliance Center
great article, however you need to give a -purge before giving a -purgetype. action is required before action type.
Step 2
Should be like this.
New-ComplianceSearchAction -SearchName “RuleName” -Purge -PurgeType SoftDelete
You miss -Purge in the PowerShell sentence, however in the screenshot you pasted is OK.
Thanks for your article.
Great job.
Hi,
Thanks for pointing that out, I have updated the article.
Phil
Thanks for the tips and brief tutorial , quite helpful in getting the help regarding the deleting an email from all mailboxes using the content search features.
Hi, I have tired this out and it when I check the status, i get “completed”. However, when I run the search again I still get the original results. Is there a time delay I should account for?
I’m experiencing the same results, I ran purge but the messages still exist
When i run command to delete the emails that match the content search rule i get the following error message:
“Purge does not support the SharePoint or OneDrive workload.”
Hi, I am experiencing the Same results. After softdelete, when I do content search again it shows me same previous result and mailbox size has not been decreased.
If you check the Microsoft KB on this, these commands move the items to the Deleted Items folder (in recoverable items). https://support.office.com/en-us/article/search-for-and-delete-email-messages-in-your-office-365-organization-admin-help-3526fd06-b45f-445b-aed4-5ebd37b3762a#step3