Search & Purge Mailboxes
This process allows an administrator to create a new content search for emails, specify a search string, review the results, and then either soft or hard delete the emails from users' mailboxes. We use this process when a suspected phishing email has been reported to the IT Ops team and we need to identify and delete identical copies of the same message.
The process can be achieved in one of two ways:
1. Run everything from the script directly.
2. Perform the search manually within the Microsoft Security and Compliance centre and then perform the delete from the script.
1. Run everything from the script directly
Download the ps1 script above if you haven't already.
Remote connect to END-UK-DC01 (as this machine has PowerShell installed)
Open the script and follow the instructions making sure to use your credentials and adjusting the search criteria.
2. Perform the search manually within the Microsoft Security and Compliance centre and then perform the delete from the script
Go to https://compliance.microsoft.com and sign in using the credentials of an account that's been assigned the appropriate permissions. In the left navigation pane of the Microsoft 365 compliance center, click Show all, and then click Content search.
Create a new search, specifying the search criteria you want to use. Give it a unique name with no spaces in it; you'll need this name when sending your deletion command via the script.
Once the search is complete it is strongly recommended that you attempt to preview the results to make sure you’ve picked up the right emails.
If you're happy that the correct emails have been identified, you can now use the name of the search you've performed to delete the emails using the PowerShell script.
Remote connect to END-UK-DC01 (as this machine has PowerShell installed)
Open PowerShell as an administrator.
Open the script and copy and paste the following commands:
Connect to the session, replacing your.name@endclothing.com in the command below with your own email address. (You might get a warning: WARNING: Your connection has been redirected to the following URI: "https://eur03b.ps.compliance.protection.outlook.com/Powershell-LiveId?BasicAuthToOAuthConversion=true;PSVersion=5.1.17763.1490")
Connect-IPPSSession -UserPrincipalName your.name@endclothing.com
Purge the emails using one of the two commands below. (If you use soft delete, the user can recover the items, but if you use hard delete, the user can't access them.)
New-ComplianceSearchAction -SearchName 'Phishing_Test31' -Purge -PurgeType SoftDelete
New-ComplianceSearchAction -SearchName 'Phishing_Test31' -Purge -PurgeType HardDelete
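The full flow above (create the search, wait for it, check the match count, then soft delete) can be sketched as one guarded script. This is an added example, not the team's ps1 script; the search name, the item ceiling and the timeout are hypothetical values, and the query is the sample from the TIPS section.

```powershell
# Added example, not the team's ps1 script. Hypothetical values: $SearchName,
# $MaxItems and $TimeoutMin. The query is the sample from the TIPS section.
$SearchName = 'Phishing_Example01'   # unique, no spaces (constructed name)
$Query      = '(From:chatsuwloginsset12345@outlook.com) AND (Subject:"Update your account information")'
$MaxItems   = 200                    # assumed ceiling; more matches suggests the query is too broad
$TimeoutMin = 30                     # assumed; stop polling after this long

# Poll until the object returned by $Get reports Status 'Completed', or time out.
function Wait-Completed([scriptblock]$Get) {
    $deadline = (Get-Date).AddMinutes($TimeoutMin)
    while ((Get-Date) -lt $deadline) {
        $obj = & $Get
        if ($obj.Status -eq 'Completed') { return $obj }
        Start-Sleep -Seconds 15
    }
    throw "Timed out waiting; last status: $($obj.Status)"
}

Connect-IPPSSession -UserPrincipalName your.name@endclothing.com

# Create and start the search across all Exchange mailboxes.
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName
$search = Wait-Completed { Get-ComplianceSearch -Identity $SearchName }

"{0}: {1} item(s) matched {2}" -f $search.Name, $search.Items, $search.ContentMatchQuery

# Guards: never submit a purge for an empty or unexpectedly large result set.
if ($search.Items -eq 0) { Write-Warning 'Nothing matched; no purge submitted.'; return }
if ($search.Items -gt $MaxItems) {
    Write-Warning "More than $MaxItems items matched; narrow the query before purging."
    return
}

# Require the operator to retype the search name before anything is deleted.
$answer = Read-Host "Type the search name to soft delete the matched items"
if ($answer -cne $SearchName) { Write-Warning 'Confirmation did not match; aborted.'; return }

# Soft delete first: users can still recover the items if the query was wrong.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null

# The purge action is named <SearchName>_Purge; wait for it and show the outcome.
$action = Wait-Completed { Get-ComplianceSearchAction -Identity "${SearchName}_Purge" }
$action | Format-List Name, Status, Results
```

Preview the results in the compliance centre before answering the confirmation prompt, as recommended in the steps above.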
TIPS:
If you don't have permission to get into the Security and Compliance centre, or to perform the search, you'll need to assign eDiscovery permissions in the Security & Compliance Center as described at the link below:
Assign eDiscovery permissions in the Microsoft 365 compliance center - Microsoft 365 Compliance
If you know the exact text or phrase used in the subject line of the message, use the Subject property in the search query.
If you know the exact date (or date range) of the message, include the Received property in the search query.
Define by day received example: received:04/15/2016
Define by period received example: received>=01/01/2016 AND received<=03/31/2016
If you know who sent the message, include the From property in the search query.
Define by address example: from:pilarp@contoso.com
Define by domain example: from:contoso.com
This query returns messages that were received by users between April 13, 2016 and April 14, 2016 and that contain the words "action" and "required" in the subject line:
(Received:4/13/2016..4/14/2016) AND (Subject:'Action required')
This query returns messages that were sent by chatsuwloginsset12345@outlook.com and that contain the exact phrase "Update your account information" in the subject line:
(From:chatsuwloginsset12345@outlook.com) AND (Subject:"Update your account information")
REFERENCE:
How to search & delete emails in an organisation
Search for and delete email messages in your organization - Microsoft 365 Compliance
How to install & maintain EXO V2
About the Exchange Online PowerShell V2 module
How to connect to security compliance center PowerShell
Connect to Security & Compliance Center PowerShell using the EXO V2 module
https://protection.office.com/searchandinvestigation/dashboard