You can use the Content Search feature to search for and delete an email message from all mailboxes in your organization. This can help you find and remove potentially harmful or high-risk email, such as:
- Messages that contain dangerous attachments or viruses
- Phishing messages
- Messages that contain sensitive data
Step 1: Create a Content Search to find the message to delete
The first step is to create and run a Content Search to find the message that you want to remove from mailboxes in your organization. You can create the search by using the Security & Compliance Center or by running the New-ComplianceSearch and Start-ComplianceSearch cmdlets. The messages that match the query for this search will be deleted by running the New-ComplianceSearchAction -Purge command in Step 3. For information about creating a Content Search and configuring search queries, see the following topics:
Here's an example of using a query to create and start a search by running the New-ComplianceSearch and Start-ComplianceSearch cmdlets to search all mailboxes in the organization:
PowerShell
$Search=New-ComplianceSearch -Name "Remove Phishing Message" -ExchangeLocation All -ContentMatchQuery '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'
Start-ComplianceSearch -Identity $Search.Identity
Step 2: Connect to Security & Compliance Center PowerShell
The next step is to connect to Security & Compliance Center PowerShell for your organization. For step-by-step instructions, see Connect to Security & Compliance Center PowerShell.
PowerShell
Connect-IPPSSession -UserPrincipalName <UPN> [-ConnectionUri <URL>] [-PSSessionOption $ProxyOptions]
After you've connected to Security & Compliance Center PowerShell, run the New-ComplianceSearch and Start-ComplianceSearch cmdlets that you prepared in the previous step.
Step 3: Delete the message
After you've created and refined a Content Search to return the message that you want to remove and are connected to Security & Compliance Center PowerShell, the final step is to run the New-ComplianceSearchAction cmdlet to delete the message. You can soft- or hard-delete the message. A soft-deleted message is moved to a user's Recoverable Items folder and retained until the deleted item retention period expires. Hard-deleted messages are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant. If single item recovery is enabled for the mailbox, hard-deleted items will be permanently removed after the deleted item retention period expires. If a mailbox is placed on hold, deleted messages are preserved until the hold duration for the item expires or until the hold is removed from the mailbox.
In the following example, the command soft-deletes the search results returned by a Content Search named "Remove Phishing Message".
PowerShell
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete
To hard-delete the items returned by the "Remove Phishing Message" content search, you would run this command:
PowerShell
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete
When you run the previous command to soft- or hard-delete messages, the search specified by the SearchName parameter is the Content Search that you created in Step 1.
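The three steps can be combined into one guarded workflow. The following is an added example, not code from the original article: it waits for the search to complete, refuses to purge when the result count is zero or larger than expected, and then polls the `<name of Content Search>_Purge` action described under More information. The function name `Invoke-PhishPurge`, its parameters and the `MaxItems` ceiling are hypothetical, and an existing Connect-IPPSSession session is assumed.

```powershell
# Added example (not from the original article). Assumes Connect-IPPSSession has
# already been run (Step 2). Invoke-PhishPurge and its parameters are hypothetical names.
function Invoke-PhishPurge {
    param(
        [Parameter(Mandatory)] [string] $SearchName,
        [Parameter(Mandatory)] [string] $Query,
        [ValidateSet('SoftDelete', 'HardDelete')] [string] $PurgeType = 'SoftDelete',
        [int] $MaxItems = 50,      # assumed ceiling; more hits suggests the query is too broad
        [int] $PollSeconds = 15,
        [int] $MaxPolls = 40
    )

    # Step 1: create and start the search across all mailboxes.
    New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
    Start-ComplianceSearch -Identity $SearchName

    # Wait for the search to complete so the item count is final.
    for ($i = 0; $i -lt $MaxPolls; $i++) {
        $search = Get-ComplianceSearch -Identity $SearchName
        if ($search.Status -eq 'Completed') { break }
        Start-Sleep -Seconds $PollSeconds
    }
    if ($search.Status -ne 'Completed') { throw "Search '$SearchName' did not complete in time." }

    # Guard rails: never purge on an empty or unexpectedly broad result set.
    if ($search.Items -eq 0) { Write-Warning 'Search matched nothing; no purge started.'; return }
    if ($search.Items -gt $MaxItems) {
        throw "Search matched $($search.Items) items (limit $MaxItems). Narrow the query and preview the results."
    }

    # Step 3: purge the matched messages (at most 10 items per mailbox are removed at one time).
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType $PurgeType | Out-Null

    # The action object is named "<name of Content Search>_Purge".
    $actionName = "${SearchName}_Purge"
    for ($i = 0; $i -lt $MaxPolls; $i++) {
        $action = Get-ComplianceSearchAction -Identity $actionName
        if ($action.Status -eq 'Completed') { break }
        Start-Sleep -Seconds $PollSeconds
    }
    $action | Select-Object Name, Status, Results
}

Invoke-PhishPurge -SearchName 'Remove Phishing Message' `
    -Query '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'
```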
More information
- A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove messages is intended to be an incident-response tool, this limit helps ensure that messages are quickly removed from mailboxes. This feature isn't intended to clean up user mailboxes.
- If you know the exact text or phrase used in the subject line of the message, use the Subject property in the search query.
- If you know the exact date (or date range) of the message, include the Received property in the search query.
- If you know who sent the message, include the From property in the search query.
- Preview the search results to verify that the search returned only the message (or messages) that you want to delete.
- Use the search estimate statistics (displayed in the details pane of the search in the Security & Compliance Center or by using the Get-ComplianceSearch cmdlet) to get a count of the total number of results.
- This query returns messages that were received by users between April 13, 2016 and April 14, 2016 and that contain the words "action" and "required" in the subject line.
PowerShell
(Received:4/13/2016..4/14/2016) AND (Subject:'Action required')
- This query returns messages that were sent by chatsuwloginsset12345@outlook.com and that contain the exact phrase "Update your account information" in the subject line.
PowerShell
(From:chatsuwloginsset12345@outlook.com) AND (Subject:"Update your account information")
- How do you get status on the search and remove operation?
Run the Get-ComplianceSearchAction cmdlet to get the status of the delete operation. The object that is created when you run the New-ComplianceSearchAction cmdlet is named using this format: <name of Content Search>_Purge.
- What happens after you delete a message?
A message that's deleted with the New-ComplianceSearchAction -Purge -PurgeType HardDelete command is moved to the Purges folder and can't be accessed by the user. After the message is moved to the Purges folder, the message is retained for the duration of the deleted item retention period if single item recovery is enabled for the mailbox. (In Microsoft 365, single item recovery is enabled by default when a new mailbox is created.) After the deleted item retention period expires, the message is marked for permanent deletion and will be purged from Microsoft 365 the next time the mailbox is processed by the Managed Folder Assistant.
If you use the New-ComplianceSearchAction -Purge -PurgeType SoftDelete command, messages are moved to the Deletions folder in the user's Recoverable Items folder. They aren't immediately purged from Microsoft 365. The user can recover messages in the Deleted Items folder for the duration based on the deleted item retention period configured for the mailbox. After this retention period expires (or if the user purges the message before it expires), the message is moved to the Purges folder and can no longer be accessed by the user. Once in the Purges folder, the message is retained for the duration based on the deleted item retention period configured for the mailbox if single item recovery is enabled for the mailbox. (In Microsoft 365, single item recovery is enabled by default when a new mailbox is created.) After the deleted item retention period expires, the message is marked for permanent deletion and will be purged from Microsoft 365 the next time that the mailbox is processed by the Managed Folder Assistant.
- What happens if a message is deleted from a mailbox that has been placed on In-Place Hold or Litigation Hold or is assigned to a Microsoft 365 retention policy?
After the message is purged and moved to the Purges folder, the message is retained until the hold duration expires. If the hold duration is unlimited, then items are retained until the hold is removed or the hold duration is changed.