Search for and delete email messages in your Office 365 organization

You can use the Content Search feature in Office 365 to search for and delete an email message from all mailboxes in your organization. This can help you find and remove potentially harmful or high-risk email, such as:

  • Messages that contain a dangerous attachment or a virus
  • Phishing messages
  • Messages that contain sensitive data

Here’s the workflow for the “search and purge” process:

Step 1: Create a Content Search to find the message to delete

Step 2: Connect to the Security & Compliance Center using remote PowerShell

Step 3: Delete the message

See the More information section for a description of what happens to deleted messages and how to get the status of a search and delete operation.

CAUTION: Search and purge is a powerful feature that allows anyone who is assigned the necessary permissions to delete email messages from mailboxes in your organization.

Before you begin

  • To create and run a Content Search, you have to be a member of the eDiscovery Manager role group or be assigned the Compliance Search management role. To delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge management role. For information about adding users to a role group, see Give users access to the Office 365 Security & Compliance Center.
  • You have to use Windows PowerShell connected to the Security & Compliance Center for your organization to delete messages. See Step 2 for this procedure.
  • A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove messages is intended to be an incident-response tool, this limit helps ensure that messages are quickly removed from mailboxes. This feature isn’t intended to clean up user mailboxes.
  • The procedure in this article can only be used to delete items in Exchange Online mailboxes and public folders. You can’t use it to delete content from SharePoint or OneDrive for Business sites.

Step 1: Create a Content Search to find the message to delete

The first step is to create and run a Content Search to find the message that you want to remove from mailboxes in your organization. You can create the search by using the Security & Compliance Center or by running the New-ComplianceSearch and Start-ComplianceSearch cmdlets. The messages that match the query for this search will be deleted by running the New-ComplianceSearchAction cmdlet in Step 3. For information about creating a Content Search and configuring search queries, see the following topics:

NOTE: The content locations that are searched in the Content Search that you create in this step can’t include SharePoint or OneDrive for Business sites. You can include only mailboxes and public folders in a Content Search that will be used to delete email messages. If the Content Search includes sites, you’ll receive an error in Step 3 when you run the New-ComplianceSearchAction cmdlet.

Tips for finding messages to remove

The goal of the search query is to narrow the results of the search to only the message or messages that you want to remove. Here are some tips:

  • If you know the exact text or phrase used in the subject line of the message, use the Subject property in the search query.
  • If you know the exact date (or date range) of the message, include the Received property in the search query.
  • If you know who sent the message, include the From property in the search query.
  • Preview the search results to verify that the search returned only the message (or messages) that you want to delete.
  • Use the search estimate statistics (displayed in the details pane of the search in the Security & Compliance Center or by using the Get-ComplianceSearch cmdlet) to get a count of the total number of results.

Here are two examples of queries to find suspicious email messages.

  • This query returns messages that were received by users between April 13, 2016 and April 14, 2016 and that contain the words “action” and “required” in the subject line.
    (Received:4/13/2016..4/14/2016) AND (Subject:'Action required')
  • This query returns messages that were sent by chatsuwloginsset12345@outlook.com and that contain the exact phrase “Update your account information” in the subject line.
    (From:chatsuwloginsset12345@outlook.com) AND (Subject:"Update your account information")


Step 2: Connect to the Security & Compliance Center using remote PowerShell

The next step is to connect Windows PowerShell to the Security & Compliance Center for your organization. The script below uses the legacy Basic-authentication remoting endpoint; in tenants where that endpoint has been retired, the equivalent modern connection is Connect-IPPSSession from the ExchangeOnlineManagement module, which imports the same cmdlets.

  1. Save the following text to a Windows PowerShell script file by using a filename suffix of .ps1; for example, ConnectSCC.ps1.
    # Prompt for the credentials of an account that holds the Search And Purge role
    $UserCredential = Get-Credential
    # Open a remoting session to the Security & Compliance Center endpoint
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection
    # Import the Security & Compliance Center cmdlets (New-ComplianceSearch, New-ComplianceSearchAction, ...) into the local session
    Import-PSSession $Session -AllowClobber -DisableNameChecking
    # Label the console window with the signed-in account so it is obvious which tenant session is active
    $Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Office 365 Security & Compliance Center)"
    
  2. On your local computer, open Windows PowerShell, go to the folder where the script that you created in the previous step is located, and then run the script; for example:
    .\ConnectSCC.ps1


Step 3: Delete the message

After you’ve created and refined a Content Search that returns only the message you want to remove, and you are connected to the Security & Compliance Center with remote PowerShell, the final step is to run the New-ComplianceSearchAction cmdlet to delete the message. With -PurgeType SoftDelete, deleted messages are moved to each user’s Recoverable Items folder rather than removed permanently.

In the following example, the command deletes the messages returned by a Content Search named “Remove Phishing Message”.

New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete

TIP: The search specified by the SearchName parameter is the Content Search that you created in Step 1.
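The three steps above as one end-to-end script, added here as an example and not part of the original article. It assumes a Security & Compliance Center session is already open as in Step 2 (the same cmdlets are available through Connect-IPPSSession from the ExchangeOnlineManagement module) and that the account holds the Search And Purge role. The search name, sender address, subject and date range are made-up values; the $MaxExpectedItems ceiling is a local safety check chosen for this example, not a product limit.

```powershell
# Added example (not from the original article): search-and-purge from Steps 1-3.
# Assumes an open Security & Compliance Center PowerShell session (Step 2).
# Search name, sender, subject and dates below are made-up values.

$SearchName = "Remove Phishing Message"
$Query = '(From:attacker@example.com) AND (Subject:"Update your account information") AND (Received:4/13/2016..4/14/2016)'

# Step 1: create the search over mailboxes only (no SharePoint/OneDrive locations,
# otherwise the purge action in Step 3 errors out) and start it.
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the search reports Completed; give up after 30 polls (about 5 minutes).
$Polls = 0
do {
    Start-Sleep -Seconds 10
    $Search = Get-ComplianceSearch -Identity $SearchName
    $Polls++
} until ($Search.Status -eq "Completed" -or $Polls -ge 30)
if ($Search.Status -ne "Completed") { throw "Search '$SearchName' did not complete; check it in the Security & Compliance Center." }

"Search '$SearchName' returned $($Search.Items) item(s)"

# Refuse to purge on an empty or over-broad result set. The ceiling is a local
# choice for this example (hypothetical), not a limit imposed by the service.
$MaxExpectedItems = 50
if ($Search.Items -eq 0) { throw "No messages matched; refine the query before purging." }
if ($Search.Items -gt $MaxExpectedItems) { throw "Query matched $($Search.Items) items; refine it before purging." }

# Preview the hits (sender, subject, mailbox) so a human can confirm the match set.
# The preview action is named "<SearchName>_Preview".
New-ComplianceSearchAction -SearchName $SearchName -Preview | Out-Null
do {
    Start-Sleep -Seconds 5
    $Preview = Get-ComplianceSearchAction -Identity "${SearchName}_Preview"
} until ($Preview.Status -eq "Completed")
$Preview.Results

# Step 3: soft-delete the matches (moved to each user's Recoverable Items folder;
# -PurgeType HardDelete would remove them permanently). Only 10 items per mailbox
# are purged in one run, so a mailbox with more hits is not fully cleaned by one pass.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null

# The purge action is named "<SearchName>_Purge"; its Results string reports, per
# mailbox, how many items were removed.
do {
    Start-Sleep -Seconds 5
    $Purge = Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
} until ($Purge.Status -eq "Completed")
$Purge | Format-List Name, Status, Results
```

Run the script only after inspecting the preview output: once the purge action is created it acts on every mailbox in the search scope, and the -Confirm:$false switch suppresses the interactive prompt that would otherwise give you a last chance to abort.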
