Delete Email from User’s Mailbox on O365
Steps on how to delete email from user’s mailbox on O365
Compliance Search
Login to Microsoft 365 with PowerShell
Login to MSOL, Exchange Online v2 and Securiry & Compliance Center – Refer to Connect To Office 365 With PowerShell for more detail
#Login to Office 365
$UserName = "[email protected]"
$Password = ConvertTo-SecureString "xxxxxxxxxxxxx" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PsCredential($UserName,$Password)
Import-Module MSOnline
Connect-MsolService -Credential $Credential
### Exchange Online v2
Import-Module ExchangeOnlineManagement
# Login to Exchange Online with MFA Enabled with EXO v2
Connect-ExchangeOnline -UserPrincipalName $UserName -ShowProgress $true
#Connect to Security & Compliance Center
Connect-IPPSSession -UserPrincipalName $UserName
Assign [email protected] to member of eDiscovery Administrator & Compliance Administrator groups
Add-RoleGroupMember "eDiscoveryManager" -member [email protected]
Add-RoleGroupMember "ComplianceAdministrator" -member [email protected]
New-ComplianceSearch
Create a new Compliance Search to search for all email from [email protected] in AllanD Mailbox only
$Name = "Email from [email protected]"
New-ComplianceSearch -Name $Name -ExchangeLocation [email protected] -ContentMatchQuery "from:[email protected]"
- -ExchangeLocation – All for all users’ mailboxes or [email protected] for users or group mailbox
- -ContentMatchQuery – Refer to this link for further detail
Start Compliance Search and verify the result
Start-ComplianceSearch -Identity $Name
# Verify the ComplianceSeach is completed successfully
Get-ComplianceSearch $Name
Name RunBy JobEndTime Status
---- ----- ---------- ------
Email from [email protected] MOD Administrator 23/1/2021 1:47:17 AM Completed
# Detail information
Get-ComplianceSearch $Name | Select Name, ContentMatchQuery, Items, SuccessResults
Name ContentMatchQuery Items SuccessResults
---- ----------------- ----- --------------
Email from [email protected] from:[email protected] 2 {Location: [email protected], Item count: 2, Total size: 188826}
Delete Email Items
Only maximum of 10 items per mailbox can be removed at one time
Delete email from [email protected] from [email protected] mailbox with New-ComplianceSearchAction
New-ComplianceSearchAction -SearchName $Name -Purge -PurgeType SoftDelete -Force
Content Search in Portal
Login to Compliance & Security Center – Content Search and click Guided Search
Enter a Name for this new Content Search
Select Specific Locations and Click on Choose Users, Groups or Teams to select the user’s mailbox.
Enter Keywords you would like to search for or click Add Conditions to specific email related search, like sender, recipients, subject and etc.
Verify the result / items found once the Content Search is completed successfully
Click on More > Export Results to export the result to PST File
Go to Export and highlight the export job to download the result (PST File) using Internet Explorer
There is no option to delete search items in GUI, but to use PowerShell – New-ComplianceSearchAction
Mailbox Search
Mailbox Search can no longer be used with the announcement of Retirement of legacy eDiscovery tools
Add Mailbox Search and Mailbox Import Export Roles to Organization Management Group
New-ManagementRoleAssignment -SecurityGroup "Organization Management" -Role "Mailbox Search"
New-ManagementRoleAssignment -SecurityGroup "Organization Management" -Role "Mailbox Import Export"
Disconnect the existing PowerShell Session for Exchange
#Disconnect existing Exchange Session
Remove-PSSession $Session
#Reconnect to Exchange / Exchange Online
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
-Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Search for a particular Email in user’s mailbox
$User = "[email protected]"
$SearchQuery = 'from:"[email protected]"'
Search-Mailbox -Identity $User -SearchQuery $SearchQuery -EstimateResultOnly
Search for a particular Email in user’s mailbox and delete it permanently
$User = "[email protected]"
$SearchQuery = 'from:"[email protected]"'
Search-Mailbox -Identity $User -SearchQuery $SearchQuery -DeleteContent -Force
Search for a particular Email in user’s mailbox and copy to other mailbox for reference
$User = "[email protected]"
$SearchQuery = 'from:"[email protected]"'
Search-Mailbox -Identity $User -SearchQuery $SearchQuery -
The Search Query is using Keyword Query Language (KQL) and refer to the following commonly used SearchQuery for reference
# Email send from SENDER
$SearchQuery = 'from:"[email protected]"'
# Email send to RECIPIENT
$SearchQuery = 'to:"[email protected]"'
# Email with subject
$SearchQuery = 'subject:"important notice"'
# Email with Attachement
$SearchQuery = 'attachment:"xxxx.ppt"'
Commonly used parameter with Search-Mailbox
- -EstimateResultOnly – Estimation of the totol number of message returned by the search provided
- -DeleteContent -Force – Delete permanently for the messages return by the search provided in user’s mailbox
- -TargetMailbox – Destination mailbox where search results are copied
- -TargetFolder – Folder name in which search results are saved in the target mailbox
- -LogOnly – Messages returned by the search aren’t copied to the target mailbox.
Refer to Message properties and search operators for In-Place eDiscovery for more information
Reference Links