We recently had a requirement to delete a suspicious e-mail that used a spoofed sender address and reached all company mailboxes. It is very difficult to remove such an e-mail manually, so we came up with the solution below using Office 365 Content Search.
The Office 365 Content Search feature can be used to search Exchange, Teams, and SharePoint, amongst other things. In our case, we wanted to search for and delete all Exchange emails delivered after a certain date from a specific sender address.
Before you begin
To perform a Content Search, you have to be a member of the eDiscovery Manager role group or be assigned the Compliance Search role in the Microsoft Purview compliance portal. To delete messages, you have to be a member of the Organization Management role group or be assigned the Search and Purge role in the compliance portal.
Step 1: Starting with Content Search Rule
- Go to the Microsoft 365 admin center and select Compliance or directly access using https://compliance.microsoft.com/
- Select Content search and create a new search using New Search > enter an appropriate name and description, then click Next.
- Location: Turn on Exchange Mailboxes and click next
- Conditions: click Add condition > Sender > pick an internal sender or manually type the external address and press Enter > click Add condition again > Date > enter the date that matches your search range.
- Other conditions, such as Subject and Keyword, are also available and can be combined with these.
- After selecting all required conditions, click Next > Submit.
Step 2: Deleting the matched emails via PowerShell
- Search for and open an elevated PowerShell (run as administrator), enter the command Connect-ExchangeOnline, then enter your credentials and complete 2FA to proceed.
- In order to use all commands effectively, install the latest ExchangeOnlineManagement module (the latest version at the time of writing is 2.0.6).
- Now search and purge the matched e-mails with either a soft delete (e-mails are moved to Deleted Items and remain recoverable) or a hard delete (permanent deletion) using the command below:
New-ComplianceSearchAction -SearchName "Test" -Purge -PurgeType SoftDelete
Step 3: Checking the Status
- Using the command below, we can check the status of the purge action:
Get-ComplianceSearchAction
Or you can get detailed output for the action using the following, where the identity is the search name followed by _Purge:
Get-ComplianceSearchAction -Identity "RuleName_Purge" | Format-List
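The same Step 1 to Step 3 flow can be driven entirely from PowerShell, which is useful when the cleanup has to be repeatable or audited. The script below is an added example written for this post, not code from the original author or from Microsoft. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds the roles listed above; the sender address, cut-off date, search name and UPN are placeholders. Two points worth knowing: the New-ComplianceSearch* cmdlets are served by the Security & Compliance endpoint, which the module reaches with Connect-IPPSSession, and a purge action removes at most 10 items per mailbox per run, so the loop re-runs the purge until the search reports no remaining matches.

```powershell
# Added example (not part of the original post): search-and-purge a spoofed-sender e-mail
# from all Exchange Online mailboxes, with a preview and count check before deleting.
# Assumptions: ExchangeOnlineManagement module installed; account holds eDiscovery Manager
# and Search and Purge roles. All values below are placeholders.

# Install or update the module once (2.0.6 is the version the post mentions; newer is fine).
# Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force

Import-Module ExchangeOnlineManagement

# Compliance search cmdlets live in Security & Compliance PowerShell, not the plain
# Exchange Online endpoint, so connect with Connect-IPPSSession (prompts for MFA).
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder UPN

$SearchName = "Spoofed-Sender-Cleanup"      # placeholder search name
$Sender     = "ceo@contoso.example"         # placeholder spoofed From address
$Since      = "2023-01-01"                  # placeholder delivery cut-off date (yyyy-MM-dd)
$PurgeType  = "SoftDelete"                  # or "HardDelete" for permanent removal

# KQL equivalent of the portal's Sender and Date conditions.
$Query = "from:$Sender AND received>=$Since"

# Step 1 equivalent: create and start the search across all mailboxes.
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

function Wait-ComplianceSearch {
    param([string]$Name)
    # Poll until the estimate has finished; Status moves Starting -> InProgress -> Completed.
    do {
        Start-Sleep -Seconds 15
        $s = Get-ComplianceSearch -Identity $Name
    } while ($s.Status -ne "Completed")
    return $s
}

$search = Wait-ComplianceSearch -Name $SearchName
Write-Host ("Search '{0}' matched {1} item(s)" -f $SearchName, $search.Items)

# Sanity check before deleting anything: preview what would be purged.
New-ComplianceSearchAction -SearchName $SearchName -Preview | Out-Null

# Step 2 equivalent: purge. Each purge action removes at most 10 items per mailbox,
# so repeat until the search estimate drops to zero.
$round = 0
while ($search.Items -gt 0 -and $round -lt 20) {
    $round++
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType $PurgeType -Confirm:$false | Out-Null

    # Step 3 equivalent: wait for the purge action to complete before re-estimating.
    do {
        Start-Sleep -Seconds 15
        $action = Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
    } while ($action.Status -ne "Completed")
    Write-Host ("Purge round {0}: {1}" -f $round, $action.Status)

    # A completed purge action must be removed before a new one with the same name can run.
    Remove-ComplianceSearchAction -Identity "${SearchName}_Purge" -Confirm:$false

    # Re-run the estimate to see how many items are still present.
    Start-ComplianceSearch -Identity $SearchName
    $search = Wait-ComplianceSearch -Name $SearchName
}

Write-Host ("Done after {0} purge round(s); {1} item(s) remain" -f $round, $search.Items)
Disconnect-ExchangeOnline -Confirm:$false
```

Keep the search and its actions around until the incident is closed: Get-ComplianceSearchAction -Identity "<name>_Purge" | Format-List is the record of what was removed, from whose mailboxes, and when, which is what an incident report or a later audit will ask for. Use SoftDelete unless there is a specific reason not to, since it keeps the message recoverable while the hard-delete question is settled.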