I recently had a need to delete a phishing email that had slipped through my emailing filter solution. Manually deleting the email from hundreds of mailboxes wouldn’t have been fun or quick so I can came up the below solution.
The Office 365 Content Search feature can be used to search Exchange, Skype and SharePoint amongst other things. In my case I wanted to search and delete all exchange email delivered after a certain date with a specific keyword in the subject.
Expand Search & Investigation => Content Search and click the plus icon to create a “New Search” rule
Search Query Section – Where we define what email(s) we want to delete
In the “Search query” section click the “Add conditions” button (you may have to scroll down)
Add the condition(s) relevant to what you are searching for. In my case emails which contain the string “DocuSign” in the subject that were received after a certain date.
Locations Section – We only want to search Exchange
Under the Location section select “Specific Locations” and click the “Modify” button
Only enable the Exchange section.
Click Save in the Modify Locations section
Finishing the Rule
Click “Save & Run” on the New search section
Give the rule a name and a description if desired and click Save
At this point the search will run. It is very important you take a good look to confirm only the email(s) you want to delete are returned.
Step 2: Deleting the matched emails via PowerShell
1. Connecting to the Security and Compliance Center
28/08/2018 – If you get the message ““Purge does not support the SharePoint or OneDrive workload.” when running the PowerShell it is because you location in section 1 is set to more than just Exchange. Thanks Chris!
28/08/2018 – If you run the search again and still see the email(s) present, don’t worry this is expected. The PowerShell moves the email(s) into the Deleted Items folder (in recoverable items). Thanks Briangig!
I am an IT Operations Manager, managing all aspects of the IT infrastructure and service for a mid sized UK based company. I have been working full time in IT since 2001 in 1st to 3rd line and System Administration roles. MCSA, MCSE, CCNA, Citrix CCA
16 Comments
Mario
on September 20, 2017 at 12:17 pm
great article, however you need to give a -purge before giving a -purgetype. action is required before action type.
Step 2
Should be like this.
New-ComplianceSearchAction -SearchName “RuleName” -Purge -PurgeType SoftDelete
You miss -Purge in the PowerShell sentence, however in the screenshot you pasted is OK.
Thanks for the tips and brief tutorial , quite helpful in getting the help regarding the deleting an email from all mailboxes using the content search features.
Hi, I have tired this out and it when I check the status, i get “completed”. However, when I run the search again I still get the original results. Is there a time delay I should account for?
Hi, I am experiencing the Same results. After softdelete, when I do content search again it shows me same previous result and mailbox size has not been decreased.
Figured out the cause of “Purge does not support the SharePoint or OneDrive workload.” – When you build your query in Step 1, bullet point 3, you MUST NOT choose “All Locations”, as this includes Sharepoint and OneDrive! You MUST MUST MUST limit the query to Mailboxes.
Thanks for the tips…I am just curious how you would stop or cancel or abort a purge job…this is the closest I could come up with but I have not yet tested it: Stop-ComplianceSearch -Identity “Case 1234”
If someone knows for sure what the command would be and would let me know it would be much appreciated! Thanks. JB
Hiya,
I am still receiving the error “Purge does not support the SharePoint or OneDrive workload” even though location is only set to exchange and to test even further I chose just one mailbox, yet the error still seems to think Sharepoint and onedrive are in the results and so won’t continue ?
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.OkRead more
great article, however you need to give a -purge before giving a -purgetype. action is required before action type.
Step 2
Should be like this.
New-ComplianceSearchAction -SearchName “RuleName” -Purge -PurgeType SoftDelete
You miss -Purge in the PowerShell sentence, however in the screenshot you pasted is OK.
Thanks for your article.
Great job.
Hi,
Thanks for pointing that out, I have updated the article.
Phil
Thanks for the tips and brief tutorial , quite helpful in getting the help regarding the deleting an email from all mailboxes using the content search features.
Hi, I have tired this out and it when I check the status, i get “completed”. However, when I run the search again I still get the original results. Is there a time delay I should account for?
I’m experiencing the same results, I ran purge but the messages still exist
Same problem here…
When i run command to delete the emails that match the content search rule i get the following error message:
“Purge does not support the SharePoint or OneDrive workload.”
Same. Hoping the author sees this and updates the article.
I did and I have 🙂
The GUI had changed a fair bit since this was posted.
Thanks
Phil
Hi, I am experiencing the Same results. After softdelete, when I do content search again it shows me same previous result and mailbox size has not been decreased.
If you check the Microsoft KB on this, these commands move the items to the Deleted Items folder (in recoverable items). https://support.office.com/en-us/article/search-for-and-delete-email-messages-in-your-office-365-organization-admin-help-3526fd06-b45f-445b-aed4-5ebd37b3762a#step3
Figured out the cause of “Purge does not support the SharePoint or OneDrive workload.” – When you build your query in Step 1, bullet point 3, you MUST NOT choose “All Locations”, as this includes Sharepoint and OneDrive! You MUST MUST MUST limit the query to Mailboxes.
Great, thanks for sharing this!
I have updated the post with the GUI changes and your find,
Thanks
Phil
Thanks for the tips…I am just curious how you would stop or cancel or abort a purge job…this is the closest I could come up with but I have not yet tested it: Stop-ComplianceSearch -Identity “Case 1234”
If someone knows for sure what the command would be and would let me know it would be much appreciated! Thanks. JB
Hiya,
I am still receiving the error “Purge does not support the SharePoint or OneDrive workload” even though location is only set to exchange and to test even further I chose just one mailbox, yet the error still seems to think Sharepoint and onedrive are in the results and so won’t continue ?