Overview
I recently had a need to delete a phishing email that had slipped through my emailing filter solution. Manually deleting the email from hundreds of mailboxes wouldn’t have been fun or quick so I can came up the below solution.
The Office 365 Content Search feature can be used to search Exchange, Skype and SharePoint amongst other things. In my case I wanted to search and delete all exchange email delivered after a certain date with a specific keyword in the subject.
Step 1: Creating the Content Search Rule
- Head over to https://protection.office.com
- Expand Search & Investigation => Content Search and click the plus icon to create a “New Search” rule
Search Query Section – Where we define what email(s) we want to delete
- In the “Search query” section click the “Add conditions” button (you may have to scroll down)
- Add the condition(s) relevant to what you are searching for. In my case emails which contain the string “DocuSign” in the subject that were received after a certain date.
Locations Section – We only want to search Exchange
- Under the Location section select “Specific Locations” and click the “Modify” button
- Only enable the Exchange section.
- Click Save in the Modify Locations section
Finishing the Rule
- Click “Save & Run” on the New search section
- Give the rule a name and a description if desired and click Save
- At this point the search will run. It is very important you take a good look to confirm only the email(s) you want to delete are returned.
Step 2: Deleting the matched emails via PowerShell
1. Connecting to the Security and Compliance Center
|
1 2 3 |
$UserCredential = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection Import-PSSession $Session |
2. Deleting the emails matching the Content Search rule
|
1 |
New-ComplianceSearchAction -SearchName "RuleName" -Purge -PurgeType SoftDelete |
Step 3: Checking the Status
Using the below command you can get a summary of the status of the action;
|
1 |
Get-ComplianceSearchAction |
Or you can get a detailed output for the action using the below;
|
1 |
Get-ComplianceSearchAction -Identity "RuleName_Purge" | Format-List |
References
Run a Content Search in the Office 365 Security & Compliance Center
Updates
- 28/08/2018 – If you get the message ““Purge does not support the SharePoint or OneDrive workload.” when running the PowerShell it is because you location in section 1 is set to more than just Exchange. Thanks Chris!
- 28/08/2018 – If you run the search again and still see the email(s) present, don’t worry this is expected. The PowerShell moves the email(s) into the Deleted Items folder (in recoverable items). Thanks Briangig!
great article, however you need to give a -purge before giving a -purgetype. action is required before action type.
Step 2
Should be like this.
New-ComplianceSearchAction -SearchName “RuleName” -Purge -PurgeType SoftDelete
You miss -Purge in the PowerShell sentence, however in the screenshot you pasted is OK.
Thanks for your article.
Great job.
Hi,
Thanks for pointing that out, I have updated the article.
Phil
Thanks for the tips and brief tutorial , quite helpful in getting the help regarding the deleting an email from all mailboxes using the content search features.
Hi, I have tired this out and it when I check the status, i get “completed”. However, when I run the search again I still get the original results. Is there a time delay I should account for?
I’m experiencing the same results, I ran purge but the messages still exist
When i run command to delete the emails that match the content search rule i get the following error message:
“Purge does not support the SharePoint or OneDrive workload.”
Same. Hoping the author sees this and updates the article.
I did and I have 🙂
The GUI had changed a fair bit since this was posted.
Thanks
Phil
Hi, I am experiencing the Same results. After softdelete, when I do content search again it shows me same previous result and mailbox size has not been decreased.
If you check the Microsoft KB on this, these commands move the items to the Deleted Items folder (in recoverable items). https://support.office.com/en-us/article/search-for-and-delete-email-messages-in-your-office-365-organization-admin-help-3526fd06-b45f-445b-aed4-5ebd37b3762a#step3
Figured out the cause of “Purge does not support the SharePoint or OneDrive workload.” – When you build your query in Step 1, bullet point 3, you MUST NOT choose “All Locations”, as this includes Sharepoint and OneDrive! You MUST MUST MUST limit the query to Mailboxes.
Great, thanks for sharing this!
I have updated the post with the GUI changes and your find,
Thanks
Phil