I recently needed to delete a phishing email that had slipped through my email filtering solution. Manually deleting the email from hundreds of mailboxes wouldn’t have been fun or quick, so I came up with the solution below.
The Office 365 Content Search feature can be used to search Exchange, Teams, and SharePoint, amongst other things. In my case, I wanted to search for and delete all Exchange emails delivered after a certain date with a specific keyword in the subject.
Table of Contents
- Step 1: Creating the Content Search Rule
- Step 2: Deleting the matched emails via PowerShell
- Step 3: Checking the Status
- References
- Updates
Step 1: Creating the Content Search Rule
- Head over to https://protection.office.com
- Expand Search => Content Search and click the plus icon to create a “New Search” rule
Search Query Section – Where we define what email(s) we want to delete
- In the “Search query” section click the “Add conditions” button (you may have to scroll down)
- Add the condition(s) relevant to what you are searching for. In my case, that was emails which contain the string “DocuSign” in the subject and were received after a certain date.
- Under the Location section select “Specific Locations” and click the “Modify” button
- Only enable the Exchange section.
- Click Save in the Modify Locations section
Finishing the Rule
- Click “Save & Run” on the New search section
- Give the rule a name and a description if desired and click Save
- At this point the search will run. It is very important you take a good look to confirm only the email(s) you want to delete are returned.
Step 2: Deleting the matched emails via PowerShell
Connecting to the Security and Compliance Center
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Deleting the emails matching the Content Search rule
New-ComplianceSearchAction -SearchName "RuleName" -Purge -PurgeType SoftDelete
Step 3: Checking the Status
Using the command below you can get a summary of the status of the action:
Get-ComplianceSearchAction
Or you can get detailed output for the action using the command below:
Get-ComplianceSearchAction -Identity "RuleName_Purge" | Format-List
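Steps 1 to 3 can also be driven entirely from PowerShell, which makes the Exchange-only scope and the pre-purge review explicit. This is an added example, not code from the original article; it assumes the session from Step 2 is already imported, and the search name, date and item ceiling are constructed placeholders.

```powershell
# Added example, not the article's own code. Run as a script inside the
# Security & Compliance session imported in Step 2.
$SearchName = 'Phish-DocuSign-Example'                        # constructed name
$Query      = 'subject:"DocuSign" AND received>=2018-08-20'   # constructed date
$MaxItems   = 500                                             # hypothetical safety ceiling

# Exchange only: -Purge rejects searches that include SharePoint or OneDrive.
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the search finishes (give up after about 10 minutes).
$Tries = 0
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
    $Tries++
} while ($Search.Status -ne 'Completed' -and $Tries -lt 40)

if ($Search.Status -ne 'Completed') {
    Write-Warning "Search is still '$($Search.Status)'; not purging."
}
elseif ($Search.Items -eq 0) {
    Write-Warning 'Search matched nothing; check the query.'
}
elseif ($Search.Items -gt $MaxItems) {
    Write-Warning "Search matched $($Search.Items) items, above the ceiling of $MaxItems. Tighten the query."
}
else {
    Write-Host "Purging $($Search.Items) matched item(s)."
    # The confirmation prompt is left enabled as a last manual check.
    $Started = New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete
    if ($Started) {
        # The purge action is named "<search name>_Purge", as in Step 3.
        $Tries = 0
        do {
            Start-Sleep -Seconds 15
            $Action = Get-ComplianceSearchAction -Identity "$($SearchName)_Purge"
            $Tries++
        } while ($Action.Status -ne 'Completed' -and $Tries -lt 40)
        $Action | Format-List Name, Status, Results
    }
}
```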
References
Run a Content Search in the Office 365 Security & Compliance Center
Updates
- 28/08/2018 – If you get the message “Purge does not support the SharePoint or OneDrive workload.” when running the PowerShell, it is because your location in Step 1 is set to more than just Exchange. Thanks Chris!
- 28/08/2018 – If you run the search again and still see the email(s) present, don’t worry, this is expected. The PowerShell moves the email(s) into the Deleted Items folder (in recoverable items). Thanks Briangig!
Great article, however you need to give a -purge before giving a -purgetype. Action is required before action type.
Step 2
Should be like this.
New-ComplianceSearchAction -SearchName "RuleName" -Purge -PurgeType SoftDelete
You miss -Purge in the PowerShell sentence, however in the screenshot you pasted is OK.
Thanks for your article.
Great job.
Hi,
Thanks for pointing that out, I have updated the article.
Phil
Thanks for the tips and brief tutorial, quite helpful in getting help with deleting an email from all mailboxes using the content search features.
Hi, I have tried this out and when I check the status, I get “completed”. However, when I run the search again I still get the original results. Is there a time delay I should account for?
I’m experiencing the same results, I ran purge but the messages still exist
Same problem here…
It doesn’t work for more than 10 messages
When I run the command to delete the emails that match the content search rule I get the following error message:
“Purge does not support the SharePoint or OneDrive workload.”
Same. Hoping the author sees this and updates the article.
I did and I have 🙂
The GUI had changed a fair bit since this was posted.
Thanks
Phil
Hi, I am experiencing the same results. After softdelete, when I do the content search again it shows me the same previous result and the mailbox size has not decreased.
If you check the Microsoft KB on this, these commands move the items to the Deleted Items folder (in recoverable items). https://support.office.com/en-us/article/search-for-and-delete-email-messages-in-your-office-365-organization-admin-help-3526fd06-b45f-445b-aed4-5ebd37b3762a#step3
Figured out the cause of “Purge does not support the SharePoint or OneDrive workload.” – When you build your query in Step 1, bullet point 3, you MUST NOT choose “All Locations”, as this includes Sharepoint and OneDrive! You MUST MUST MUST limit the query to Mailboxes.
Great, thanks for sharing this!
I have updated the post with the GUI changes and your find,
Thanks
Phil
Thanks for the tips…I am just curious how you would stop or cancel or abort a purge job…this is the closest I could come up with but I have not yet tested it: Stop-ComplianceSearch -Identity “Case 1234”
If someone knows for sure what the command would be and would let me know it would be much appreciated! Thanks. JB
Hiya,
I am still receiving the error “Purge does not support the SharePoint or OneDrive workload” even though location is only set to exchange and to test even further I chose just one mailbox, yet the error still seems to think Sharepoint and onedrive are in the results and so won’t continue ?
Hi, great article, I’ve purged my search results with no issues. However, I purged a search result yesterday and the status is still stuck on “starting”. This search result has about 480 emails in it. Any suggestions? Thanks!
I know it has been a while, but just curious to know will it purge more than 10 emails?
I read somewhere that it will purge only 10 emails at once.
Also since Microsoft is getting away with search-mailbox, is there any other way to purge mass emails at once?
STILL the same 10 email.
A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove messages is intended to be an incident-response tool, this limit helps ensure that messages are quickly removed from mailboxes. This feature isn’t intended to clean up user mailboxes.
check official doc https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization?view=o365-worldwide
Awesome… thanks for the detailed guideline
I am only able to do softdelete. When I do hard delete it doesn’t give me any error (it says completed) but the item count is not decreasing when I re-run the search.
Whereas if I do soft-delete, I can see the reduction in item counts