Published: 25.Aug 2021

Exchange Online - search and delete email/s in user mailbox

First we need to import Exchange Online module:

Import-Module ExchangeOnlineManagement

Then we need to connect to Security & Compliance:

Connect-IPPSSession -UserPrincipalName <adminUserUPN>

To create and run a Content search, you have to be a member of the eDiscovery Manager role group or be assigned the Compliance Search role in the Microsoft 365 compliance center. To delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge role in the compliance center For information about adding users to a role group, see Assign eDiscovery permissions.

You have to use Security & Compliance Center PowerShell to delete messages.

A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove messages is intended to be an incident-response tool, this limit helps ensure that messages are quickly removed from mailboxes. This feature isn't intended to clean up user mailboxes.

The maximum number of mailboxes in a content search that you can use to delete items by doing a search and purge action is 50,000. If the search, searches more than 50,000 mailboxes, the purge action will fail.

Create Compliance Search:

For one mailbox:

$search = New-ComplianceSearch -Name "<some name>" -ExchangeLocation "<email address of the mailbox>" -ContentMatchQuery '(Received:<start date>..<end date>)'

For all mailboxes:

$search = New-ComplianceSearch -Name "<some name>" -ExchangeLocation All -ContentMatchQuery '(Received:<start date>..<end date>)'

Other options for ContentMatchQuery:

(From:[email protected]) AND (Subject:"Update your account information")

(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")

After that we can start the search:

Start-ComplianceSearch -Identity $search.Identity

Check status of compliance search job:

Get-ComplianceSearch -Identity $search.Name

Purge/Delete emails:

New-ComplianceSearchAction -SearchName $search.Name -Purge -PurgeType HardDelete

What happens after you delete a message?

A message that's deleted with the New-ComplianceSearchAction -Purge -PurgeType HardDelete command is moved to the Purges folder and can't be accessed by the user. After the message is moved to the Purges folder, the message is retained for the duration of the deleted item retention period if single item recovery is enabled for the mailbox. (In Microsoft 365, single item recovery is enabled by default when a new mailbox is created.) After the deleted item retention period expires, the message is marked for permanent deletion and will be purged from Microsoft 365 the next time the mailbox is processed by the Managed Folder assistant.

If you use the New-ComplianceSearchAction -Purge -PurgeType SoftDelete command, messages are moved to the Deletions folder in the user's Recoverable Items folder. It isn't immediately purged from Microsoft 365. The user can recover messages in the Deleted Items folder for the duration based on the deleted item retention period configured for the mailbox. After this retention period expires (or if user purges the message before it expires), the message is moved to the Purges folder and can no longer be accessed by the user. Once in the Purges folder, the message is retained for the duration based on the deleted item retention period configured for the mailbox if single items recovery is enabled for the mailbox. (In Microsoft 365, single item recovery is enabled by default when a new mailbox is created.) After the deleted item retention period expires, the message is marked for permanent deletion and will be purged from Microsoft 365 the next time that the mailbox is processed by the Managed Folder assistant.

4 1 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
PowerAddict.net - Lubomir Goban  ---  Find me on - 
LinkedIn
0
Would love your thoughts, please comment.x
()
x