Connect to Security & Compliance PowerShell
1. Connect to Security & Compliance PowerShell. Alternatively, open PowerShell as administrator and run the following commands to install the ExchangeOnlineManagement module and then connect to Security & Compliance PowerShell.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force;
Install-PackageProvider -Name NuGet -Force;
Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted;
Install-Module -Name ExchangeOnlineManagement;
Import-Module ExchangeOnlineManagement;
Connect-IPPSSession
Create a new Compliance search
1. You can create a new compliance search in the Microsoft Purview compliance portal, but in this post we'll create the search using PowerShell with these parameters:
- Name: Remove Phishing Message.
- ExchangeLocation: All – search through all mailboxes in your organization.
- ContentMatchQuery 'Subject:"Action required"': search for all emails whose subject contains the keyword "Action required".
$Search=New-ComplianceSearch `
-Name "Remove Phishing Message" `
-ExchangeLocation All `
-ContentMatchQuery 'Subject:"Action required"'
Start-ComplianceSearch -Identity $Search.Identity
2. Once the compliance search is created and started, you can check its status using the Get-ComplianceSearch command.
As you can see, the compliance search has completed.
PS C:\> Get-ComplianceSearch
Name RunBy JobEndTime Status
---- ----- ---------- ------
Remove Phishing Message Bon Ben 7/29/2022 6:19:37 AM Completed
3. Get the results of the compliance search. In this case, the search found 1029 items that match the condition in Chris's mailbox.
PS C:\> Get-ComplianceSearch -Identity "Remove Phishing Message" | Format-List
RunspaceId : 41c062e1-28ee-4e5e-aa25-3d14ef7e4e17
StatusMailRecipients : {}
LogLevel : Suppressed
IncludeUnindexedItems : True
ContentMatchQuery : Subject:"Action required"
SearchType : EstimateSearch
HoldNames : {}
SearchNames : {}
Region :
Refiners :
Items : 1029
Size : 271064653
UnindexedItems : 1321
UnindexedSize : 6943788843
SuccessResults : {Location: [email protected], Item count: 1029, Total size: 271064653,
Location: [email protected], Item count: 0, Total size: 0,
......
Errors :
ErrorTags : {}
NumFailedSources : 0
JobId : 842c0538-911e-4d24-d269-08da7129f97b
Name : Remove Phishing Message
CreatedTime : 7/29/2022 6:17:11 AM
LastModifiedTime : 7/29/2022 6:19:37 AM
JobStartTime : 7/29/2022 6:19:03 AM
JobEndTime : 7/29/2022 6:19:37 AM
Delete messages from a Compliance Search
1. Now we'll delete the emails found by the compliance search. There are two types of deletion: hard delete and soft delete.
- A soft-deleted message is moved to a user’s Recoverable Items folder and retained until the deleted item retention period expires.
- Hard-deleted messages are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant.
Hard delete email messages using the following command:
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete
Soft delete email messages using the following command:
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete
2. Get the status of the deletion using the Get-ComplianceSearchAction command.
PS C:\> Get-ComplianceSearchAction
Name SearchName Action RunBy JobEndTime Status
---- ---------- ------ ----- ---------- ------
Remove Phishing Message_Purge Remove Phishing Message Purge Bon Ben 7/29/2022 6:45:25 AM Completed
3. Once done, you can get more details using the following command.
PS C:\> Get-ComplianceSearchAction -Identity "Remove Phishing Message_Purge" | Format-List
RunspaceId : ce865f69-4a5c-425b-ae02-5890b2f6cd58
SearchName : Remove Phishing Message
EstimateSearchRunId : 0bede0f1-fa0c-4af1-2b46-08da712bbd55
EstimateSearchJobId : 27e005fe-fd90-4cfe-2ee8-08da712ace6b
ActionVersion :
Results : Purge Type: HardDelete; Item count: 41; Total size 59191134; Details: {Location: Item count: 11; Total size: 17097403; Failed count: 0;
Location: ; Item count: 10; Total size: 14642237; Failed count: 0; ,
Location: ; Item count: 10; Total size: 14106669; Failed count: 0; ,
Location: ; Item count: 10; Total size: 13344825; Failed count: 0; }
Errors :
Action : Purge
ValidDuration : 00:10:00
JobId : d4947bd3-3f63-4bb5-aeae-08da712dc67c
Name : Remove Phishing Message_Purge
CreatedTime : 7/29/2022 6:44:24 AM
LastModifiedTime : 7/29/2022 6:45:25 AM
JobStartTime : 7/29/2022 6:44:30 AM
JobEndTime : 7/29/2022 6:45:25 AM
Description :
CreatedBy : Bon Ben
RunBy : Bon Ben
TenantId : 615dc844-35d3-40c2-9db4-0439991ec82e
NumBindings : 4
Status : Completed
ExchangeLocation : {All}
JobRunId : 46d9fc0c-e5a5-407a-05c1-08da712dca4e
JobProgress : 100
...
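One purge action removes only about ten items per mailbox (Microsoft documents a limit of 10 items per mailbox per action), which is why the action above reports 41 items removed against a search that found 1029; in practice the search-and-purge steps are repeated until nothing is left. The following script is an added example, not from the original post: it creates the post's search, polls until it completes, lists the mailboxes with hits from SuccessResults, runs a hard-delete purge, and repeats until a round removes nothing. It assumes an active Connect-IPPSSession session; the Wait-ComplianceJob helper, the 10-second poll interval and the 20-round cap are the example's own choices.

```powershell
# Added example, not from the original post. Assumes an existing Connect-IPPSSession
# session and reuses the post's search name and query; the round cap is arbitrary.
$SearchName = 'Remove Phishing Message'
$Query      = 'Subject:"Action required"'

# Poll a compliance search or search action until it finishes or the timeout passes.
function Wait-ComplianceJob {
    param([scriptblock]$Get, [int]$TimeoutSec = 900)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 10
        $job = & $Get
    } until (($job.Status -in @('Completed', 'Failed')) -or ((Get-Date) -gt $deadline))
    return $job
}

# Create the search once; later rounds re-run the same search object.
if (-not (Get-ComplianceSearch -Identity $SearchName -ErrorAction SilentlyContinue)) {
    New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
}

for ($round = 1; $round -le 20; $round++) {
    Start-ComplianceSearch -Identity $SearchName
    $search = Wait-ComplianceJob { Get-ComplianceSearch -Identity $SearchName }
    if ($search.Status -ne 'Completed') { throw "Search did not complete (status: $($search.Status))" }

    # SuccessResults is a single string; pull out the mailboxes that actually hold matches.
    $hits = [regex]::Matches($search.SuccessResults, 'Location: ([^,]+), Item count: (\d+)') |
        ForEach-Object { [pscustomobject]@{ Mailbox = $_.Groups[1].Value; Items = [int]$_.Groups[2].Value } } |
        Where-Object { $_.Items -gt 0 }
    Write-Host ("Round {0}: {1} matching item(s) across {2} mailbox(es)" -f $round, $search.Items, @($hits).Count)
    if ($search.Items -eq 0) { break }

    # The action is always named "<SearchName>_Purge"; clear the previous round's action first.
    Remove-ComplianceSearchAction -Identity "${SearchName}_Purge" -Confirm:$false -ErrorAction SilentlyContinue
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType HardDelete -Confirm:$false | Out-Null
    $action = Wait-ComplianceJob { Get-ComplianceSearchAction -Identity "${SearchName}_Purge" }

    # Stop when a round purges nothing; otherwise re-run the search for the next batch.
    $purged = [int]([regex]::Match($action.Results, 'Item count: (\d+)').Groups[1].Value)
    Write-Host "Purge action $($action.Status): removed $purged item(s)"
    if ($purged -eq 0) { break }
}
```

Review the per-mailbox list printed each round before letting the loop continue; a query that matches legitimate mail will purge it just as readily.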
Tips for finding messages to remove
The goal of the search query is to narrow the results of the search to only the message or messages that you want to remove. Here are some tips:
- If you know the exact text or phrase used in the subject line of the message, use the Subject property in the search query.
- If you know the exact date (or date range) of the message, include the Received property in the search query.
- If you know who sent the message, include the From property in the search query.
Here are two examples of queries to find suspicious email messages.
This query returns messages that were received by users between April 13, 2016 and April 14, 2016 and that contain the words “action” and “required” in the subject line.
(Received:4/13/2016..4/14/2016) AND (Subject:'Action required')
This query returns messages that were sent by [email protected] and that contain the exact phrase “Update your account information” in the subject line.
(From:[email protected]) AND (Subject:"Update your account information")
Here’s an example of using a query to create and start a search by running the New-ComplianceSearch and Start-ComplianceSearch cmdlets to search all mailboxes in the organization:
$Search=New-ComplianceSearch `
-Name "Remove Phishing Message" `
-ExchangeLocation All `
-ContentMatchQuery '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'
Start-ComplianceSearch -Identity $Search.Identity
What happens after you delete a message?
A message that’s deleted with the New-ComplianceSearchAction -Purge -PurgeType HardDelete command:
- A message that’s deleted is moved to the Purges folder and can’t be accessed by the user.
- After the message is moved to the Purges folder, the message is retained for the duration of the deleted item retention period if single item recovery is enabled for the mailbox.
- After the deleted item retention period expires, the message is marked for permanent deletion and will be purged from Microsoft 365 the next time the mailbox is processed by the Managed Folder Assistant.
If you use the New-ComplianceSearchAction -Purge -PurgeType SoftDelete command:
- Messages are moved to the Deletions folder in the user’s Recoverable Items folder.
- Messages aren't immediately purged from Microsoft 365. The user can recover messages in the Deleted Items folder for the duration of the deleted item retention period configured for the mailbox.
- After this retention period expires (or if the user purges the message before it expires), the message is moved to the Purges folder and can no longer be accessed by the user.
- Once in the Purges folder, the message is retained for the duration of the deleted item retention period configured for the mailbox if single item recovery is enabled for the mailbox.
- After the deleted item retention period expires, the message is marked for permanent deletion and will be purged from Microsoft 365 the next time the mailbox is processed by the Managed Folder Assistant.
Cleanup
When all email messages have been removed, you can delete the compliance search and the compliance search action using the following commands.
Remove-ComplianceSearch -Identity "Remove Phishing Message" -Confirm:$false
Remove-ComplianceSearchAction -Identity "Remove Phishing Message_Purge" -Confirm:$false
Or you can delete all compliance searches and compliance search actions at once:
Get-ComplianceSearch | Remove-ComplianceSearch
Get-ComplianceSearchAction | Remove-ComplianceSearchAction
All commands in this post:
###Connect to Security & Compliance
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force;
Install-PackageProvider -Name NuGet -Force;
Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted;
Install-Module -Name ExchangeOnlineManagement;
Import-Module ExchangeOnlineManagement;
Connect-IPPSSession
###Create a new Compliance search
$Search=New-ComplianceSearch `
-Name "Remove Phishing Message" `
-ExchangeLocation All `
-ContentMatchQuery 'Subject:"Action required"'
Start-ComplianceSearch -Identity $Search.Identity
Get-ComplianceSearch
Get-ComplianceSearch -Identity "Remove Phishing Message" | Format-List
###Delete messages from a Compliance Search
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete
Get-ComplianceSearchAction
Get-ComplianceSearchAction -Identity "Remove Phishing Message_Purge" | Format-List
###Cleanup
Remove-ComplianceSearch -Identity "Remove Phishing Message" -Confirm:$false
Remove-ComplianceSearchAction -Identity "Remove Phishing Message_Purge" -Confirm:$false
Get-ComplianceSearch | Remove-ComplianceSearch
Get-ComplianceSearchAction | Remove-ComplianceSearchAction