Exchange Online: How to search and delete emails?


This blog explains how to search and delete emails using Microsoft 365 Compliance Center and PowerShell add-in.

First you should know that you can search emails on Exchange Online mailboxes and view the search results in Microsoft 365 Compliance center. BUT you cannot delete the emails from search results. You HAVE to use PowerShell delete (purge) the emails.

Requirements:

Here are the Compliance Center PowerShell Commands used for search and delete.

Search emails in the Mailboxes

First connect to Exchange Online and then Compliance Center in PowerShell:

Connect-ExchangeOnline

Next connect to Compliance Center: Replace the UserPrincipalName with yours or Admin account.

Connect-IPPSSession -UserPrincipalName username@company.com

Search email using this command.  You need to specify a mailbox and specific keyword in the search command. Keyword will be searched in Subject, Email body and Attachments.  For help on this New-ComplianceSearch, check it here: Keyword Query Language (KQL) syntax reference | Microsoft Docs

New-ComplianceSearch -Name "Test Content Search" -ExchangeLocation mobius@company.com -ContentMatchQuery "Sample Keyword"

Note: ExchangeLocation parameter can be set to “All” to search all mailboxes if need to. You may also specify a “Distribution List’ to search all mailboxes of members.

Note: You may also search and preview the results at Content Search at https://compliance.microsoft.com/.

Preview the Email Search Results

If you are going to delete the emails, you should check the email search results first to validate emails to be deleted. If you don’t see the email you want to see, you may need to re-do the New-ComplianceSearch command with refined conditions.

To preview the search results, we have to use New-ComplianceSearchAction command with -Preview option. There two steps to preview the search results.

Step-1; Create a Search action.

$SearchAction = New-ComplianceSearchAction -SearchName "Test content Search" -Preview

Here we created new compliance search action with the Preview parameter. Note that Search name is taken from previous New-ComplianceSearch command or copy/paste the Search name from Content Seach at https://compliance.microsoft.com. You should replace the SeachName from your own Seach.

Step-2: Preview the Search Results.

I have wrote this function to format the search results in readble form. You shouild store this function in a PoweShell file I saved as PreviewResults.ps1. This function can be passed parameter using piping the Get-ComplianceSearchAction results.

function PreparePreviewResults
{
    Param (
        [Parameter(ValueFromPipeline=$true)]
        $SearchResults
     )
    $SearchResults = $SearchResults.Results.Replace('{','').Replace('}','')
    $data = "Location,Sender,Subject,Type,Size,Received Time,Data Link`n"
    $SearchResults | ForEach-Object { $t=""; $_.Split(';').foreach({ $t += $_.Split(":")[1].Trim() +","  }) ; $data += $t + "`n"  }
    Return ($data | ConvertFrom-Csv)
}

Now dot source this PreviewResults.ps1 file. Replace the path of the PreviewResults.ps1 file in below dot sourcing.

. c:\scripts\PreviewResults.ps1

Now the PreparePreviewResults function in memory, we are going to use this function with this command format. Note that $SeachAction variable has the result object from New-ComplianceSearchAction command in Step-1.

Get-ComplianceSearchAction -Identity $SearchAction.Name | Select-Object Results | ForEach-Object {$_.Results } | PreparePreviewResults | Out-GridView

Delete the Emails

After you validate the emails from the above section, you may delete those email with this simple command. Note that SearchName is same as New-ComplianceSearch command. You should replace the SeachName from your own Seach.

$SearchAction = New-ComplianceSearchAction -SearchName "Test content Search" -Purge -PurgeType HardDelete -Force

Above command will start deleting the emails from the mailbox(es). You can check the status fo the delete operation with this command. Note we used $SearchAction variable used in above command.

Get-ComplianceSearchAction -Identity $SearchAction.Name | Select-Object SearchName,Results,Errors

I hope this is helpful document for you. You may leave a comment of “Thanks” or ask any questions.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s