Microsoft XDR Tutorial Guide

Uploaded by AWAIS

Microsoft 365 Defender XDR

How to delete mail items from a Microsoft 365 mailbox (for SOC analysts)
To delete mail items from one or more Microsoft 365 mailboxes, you first locate the messages with a compliance (content) search, then soft-delete or hard-delete them with a purge action on that search. In this article, you will learn how to do both from PowerShell.

Note

The Organization Management role group exists both in Exchange Online and in the Microsoft Purview compliance portal. They are separate role groups with different permissions: membership in the Exchange Online Organization Management group does not grant the right to delete email messages. If you are not assigned the Search And Purge role in the compliance portal (directly or through a role group such as the compliance portal's Organization Management), the New-ComplianceSearchAction cmdlet in section 4 fails with the message "A parameter cannot be found that matches parameter name 'Purge'".
Table of contents

1. Prerequisites
2. Connect to Exchange Online
3. Create Compliance Search
4. Delete mail items from all mailboxes
5. Verify soft deleted mail items in Outlook
6. Delete mail items from single Microsoft 365 mailbox
7. Delete Compliance Search
   a. Delete Compliance Search with PowerShell
   b. Delete Compliance Search Action with PowerShell
   c. Delete Content Search in Microsoft Purview
   d. Delete Content Search Export in Microsoft Purview
8. Conclusion
1. Prerequisites
Assign the following roles to the admin account: Compliance Search, Search And Purge, Preview, and Export. Together they let you search, preview, export, and delete mail items.

Before you start, check in the Microsoft Purview compliance portal that these roles are in place; without them the New-ComplianceSearchAction and Remove-ComplianceSearch cmdlets used in this guide fail.

To create a new role group and assign the roles in Microsoft Purview, follow these steps:

1. Sign in to Microsoft Purview
2. Click Roles & scopes > Permissions
3. Click Microsoft Purview solutions > Roles
4. Click Create role group
5. Name the role group
6. Click Next
7. Click Choose roles
8. Add the roles (Compliance Search, Search And Purge, Preview, Export)
9. Click Next
10. Click Choose users
11. Add the user
12. Click Next
13. Click Create
14. Click Done

All the permissions are set now.

Note: It can take up to one hour for the permissions to be applied to the user.
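The same role group can be created and verified from PowerShell, which is easier to repeat across tenants and to audit. The following is an added example, not code from the page; it runs in a Security & Compliance PowerShell session (Connect-IPPSSession, see section 2) and assumes the role-group cmdlets behave there as they do in Exchange Online. The group name and the analyst UPN are placeholders.

```powershell
# Added example (not from the page): create a dedicated Purview role group that
# holds exactly the four roles this guide needs, then verify the assignment.
# Run in a Security & Compliance PowerShell session (Connect-IPPSSession); the
# same cmdlet names in an Exchange Online session operate on the wrong role store.
# The group name and analyst UPN are placeholders (assumptions for this example).
$GroupName = "SOC Mail Purge Operators"
$Analyst   = "soc.analyst@contoso.com"
$Roles     = @("Compliance Search", "Search And Purge", "Preview", "Export")

# Create the group only if it does not exist yet, so the script can be re-run.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $Roles -Members $Analyst `
        -Description "Search for and purge mail items during incident response" | Out-Null
} else {
    # Add-RoleGroupMember errors if the user is already a member; treat that as done.
    try   { Add-RoleGroupMember -Identity $GroupName -Member $Analyst -ErrorAction Stop }
    catch { Write-Verbose "$Analyst is already a member of $GroupName" }
}

# Verify every required role is on the group (matched as substrings because the
# Roles property may carry the full role-assignment name rather than the bare role).
$assigned = (Get-RoleGroup -Identity $GroupName).Roles
$missing  = $Roles | Where-Object { $r = $_; -not ($assigned | Where-Object { $_ -like "*$r*" }) }
if ($missing) { Write-Warning ("Missing roles on ${GroupName}: " + ($missing -join ", ")) }
else          { "Role group '$GroupName' carries all four required roles." }

# Who can actually purge: list the effective holders of Search And Purge, expanding groups.
Get-ManagementRoleAssignment -Role "Search And Purge" -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -ne "All Group Members" } |
    Select-Object EffectiveUserName, RoleAssigneeName, Role

# Membership changes can take up to 60 minutes to take effect, as the note above says.
```

The last query is the check worth keeping in a runbook: Search And Purge is the one role that turns a read-only investigator into someone who can destroy evidence, so the list of its effective holders should stay short and reviewed.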

2. Connect to Exchange Online

You need the Exchange Online PowerShell module (ExchangeOnlineManagement) version 3.2.0 or later installed on the system.

Note: Update the Exchange Online PowerShell module to the latest version before you start; older versions may not support the commands in this guide.

To run the PowerShell commands in this article you need two sessions. Start Windows PowerShell as administrator and connect to Exchange Online:

Connect-ExchangeOnline

Then connect to Security & Compliance PowerShell as well. This second session is the one that provides the *-ComplianceSearch and *-ComplianceSearchAction cmdlets used in the rest of this guide:

Connect-IPPSSession
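Put together as a script, the connection step looks like the following. This is an added example, not code from the page; the admin UPN is a placeholder, and the final loop is there because the most common failure in this procedure is running only Connect-ExchangeOnline and then finding that the compliance cmdlets do not exist.

```powershell
# Added example (not from the page): enforce the module version this guide
# requires, open both sessions, and confirm the compliance cmdlets are loaded.
# The admin UPN is a placeholder (assumption).
$MinVersion = [version]"3.2.0"
$Upn        = "admin@contoso.com"

$installed = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
             Sort-Object Version -Descending | Select-Object -First 1
if (-not $installed) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
} elseif ($installed.Version -lt $MinVersion) {
    # Update-Module only works for modules that were installed with Install-Module.
    Update-Module -Name ExchangeOnlineManagement -Force
}
Import-Module -Name ExchangeOnlineManagement -MinimumVersion $MinVersion

# Session 1: Exchange Online (mailbox cmdlets such as Get-Mailbox).
Connect-ExchangeOnline -UserPrincipalName $Upn -ShowBanner:$false

# Session 2: Security & Compliance, which is where New-ComplianceSearch,
# New-ComplianceSearchAction and Remove-ComplianceSearch come from.
Connect-IPPSSession -UserPrincipalName $Upn

# Fail early, before any search or purge, if the compliance cmdlets are missing:
# that is the symptom of having run only Connect-ExchangeOnline.
foreach ($cmd in "New-ComplianceSearch", "New-ComplianceSearchAction", "Remove-ComplianceSearch") {
    if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
        throw "$cmd is not available; Connect-IPPSSession did not succeed."
    }
}
```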

3. Create Compliance Search

To delete mail items from one or more Microsoft 365 mailboxes, you first create a content search, either in Microsoft Purview or with PowerShell.

Use one of the following methods to create and start a compliance search:

• Exchange Online PowerShell (Security & Compliance session)
• Microsoft Purview compliance portal

We suggest you follow the steps in the article How to Use the New-ComplianceSearch PowerShell cmdlet to run a compliance search.

Once the compliance search has completed, proceed to the next step.
4. Delete mail items from all mailboxes
First, we run the New-ComplianceSearch cmdlet to create a new search and run it. After that, we run the New-ComplianceSearchAction cmdlet to delete the mail items the search found.

In our example, we want to find all the mail items that were sent to a specific user ([email protected]) on a specific date (2024-03-15).

We create a compliance search that covers all mailboxes by specifying the value All in the -ExchangeLocation parameter:

New-ComplianceSearch -Name "Spam Mail" -ExchangeLocation "All" -ContentMatchQuery "(To:[email protected]) AND (Sent:2024-03-15)"

Creating the search does not run it. Start it with Start-ComplianceSearch and wait until Get-ComplianceSearch shows the status Completed; check the Items count it reports before you purge, because that is the number of messages the purge action will act on.

Run the following command to soft-delete all the mail items found by the compliance search:

New-ComplianceSearchAction -SearchName "Spam Mail" -Purge -PurgeType SoftDelete -Confirm:$false

The output shows that a purge action named after the search (Spam Mail_Purge) is created and started automatically:

Name             SearchName  Action  RunBy           JobEndTime  Status
----             ----------  ------  -----           ----------  ------
Spam Mail_Purge  Spam Mail   Purge   M365info Admin              Starting

Run the following command to check whether the purge has completed:

Get-ComplianceSearchAction -Identity "Spam Mail_Purge"

The output now shows the status Completed:

Name             SearchName  Action  RunBy           JobEndTime           Status
----             ----------  ------  -----           ----------           ------
Spam Mail_Purge  Spam Mail   Purge   M365info Admin  02/04/2024 21.35.30  Completed

Run the following command to see the detailed purge results:

Get-ComplianceSearchAction -Identity "Spam Mail_Purge" | Format-List

The output below shows that 44 mail items were deleted across seven mailboxes, with no failures.

Note: Because this is a soft delete, the items are moved to the Deletions folder under Recoverable Items, not to the user's Deleted Items folder. The user can still find them under Recover Deleted Items in Outlook and either restore or purge them. Also note that a purge action removes at most 10 items per mailbox per run: a mailbox that reports exactly 10 items (four of them in this output) may still hold matching messages, so re-run the search and the purge until the count reaches 0.
SearchName : Spam Mail
EstimateSearchRunId : 6f9c7f6b-c543-4a47-999d-08dc5107d0c5
EstimateSearchJobId : d11047fb-9725-4d8f-64ca-08dc5107ccc4
ActionVersion :
Results : Purge Type: SoftDelete; Item count: 44; Total size 895806; Details: {
    Location: [email protected]; Item count: 10; Total size: 313705; Failed count: 0; ,
    Location: [email protected]; Item count: 10; Total size: 222878; Failed count: 0; ,
    Location: [email protected]; Item count: 10; Total size: 163677; Failed count: 0; ,
    Location: [email protected]; Item count: 10; Total size: 133863; Failed count: 0; ,
    Location: [email protected]; Item count: 2; Total size: 17300; Failed count: 0; ,
    Location: [email protected]; Item count: 1; Total size: 22980; Failed count: 0; ,
    Location: [email protected]; Item count: 1; Total size: 21403; Failed count: 0; }
Errors :
Action : Purge
ValidDuration : 00:10:00
JobId : 4c788d4e-f0e3-4f33-40e5-08dc535cba55
Name : Spam Mail_Purge
CreatedTime : 02/04/2024 21.34.50
LastModifiedTime : 02/04/2024 21.35.30
JobStartTime : 02/04/2024 21.34.50
JobEndTime : 02/04/2024 21.35.30
Description :
CreatedBy : M365info Admin
RunBy : M365info Admin
TenantId : a2ff010e-0e03-4c56-8863-2ae7f07876dd
NumBindings : 7
Status : Completed
ExchangeLocation : {All}
PublicFolderLocation :
SharePointLocation :
OneDriveLocation :
ExchangeLocationExclusion :
PublicFolderLocationExclusion :
SharePointLocationExclusion :
OneDriveLocationExclusion :
JobRunId : 7c280e70-f8c4-4c74-059f-08dc535cba5a
Retry : False
AllowNotFoundExchangeLocationsEnabled : False
JobOptions : 272
JobProgress : 100
CaseId :
CaseName :
PagingState :
Identity : 7c280e70-f8c4-4c74-059f-08dc535cba5a
ContentURL :
ResultInEOP : False
AzureBatchFrameworkEnabled : True
IsValid : True
ObjectState : New

You can also delete the mail items permanently from all mailboxes.

Important: Hard-deleted mail items are marked for permanent removal and cannot be restored by the user. If the mailbox is on Litigation Hold or covered by a retention policy, the items are kept in the Purges folder of Recoverable Items until the hold expires and remain discoverable with eDiscovery, but the user no longer sees them.

Run the following command to hard-delete all the mail items:

New-ComplianceSearchAction -SearchName "Spam Mail" -Purge -PurgeType HardDelete -Confirm:$false

5. Verify soft deleted mail items in Outlook

When you soft-delete the items found by a compliance search, the affected user can still restore or purge them in Outlook. In our example, the user ([email protected]) signs in to Outlook and checks that the 10 email messages from her mailbox were soft-deleted.

To find the deleted mail items in Outlook, follow these steps:

1. Sign in to Outlook
2. Click the Deleted Items folder
3. Click Recover Deleted Items from Server
4. Review the list in Recover Deleted Items

The same purge removed the matching items from every other mailbox in the search. In the next step, we explain how to delete mail items from a single mailbox only.

6. Delete mail items from single Microsoft 365 mailbox
To delete mail items from a single mailbox, scope the compliance search to that mailbox.

In our example, we want to find all the mail items that were sent to a specific user ([email protected]) on a specific date (2024-03-15).

We create a new compliance search that covers only one mailbox by passing that mailbox's address in the -ExchangeLocation parameter:

New-ComplianceSearch -Name "Amanda Hansen mailbox" -ExchangeLocation "[email protected]" -ContentMatchQuery "(To:[email protected]) AND (Sent:2024-03-15)"

It only searches the content of the mailbox you specified.

Note: If you made a mistake in the query or the location, you can change an existing search with Set-ComplianceSearch (for example its -ContentMatchQuery or -ExchangeLocation) and run it again with Start-ComplianceSearch, or delete the compliance search and create a new one. Either way, run the search again and check the new item count before you purge.

To soft-delete all the mail items from the single mailbox, run the following command:

New-ComplianceSearchAction -SearchName "Amanda Hansen mailbox" -Purge -PurgeType SoftDelete -Confirm:$false

To hard-delete all the mail items from the single mailbox, run the command below.

Important: Hard-deleted mail items cannot be restored by the user; if the mailbox is on hold, they are retained in Recoverable Items for eDiscovery only.

New-ComplianceSearchAction -SearchName "Amanda Hansen mailbox" -Purge -PurgeType HardDelete -Confirm:$false
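Sections 4 and 6 are the same procedure with a different -ExchangeLocation, and in practice you want the same guard rails around both: run the search, look at the estimate, refuse to purge a surprisingly large result, wait for the action, and read the per-mailbox results rather than the flat Results string. The function below is an added example, not code from the page; it runs in a Security & Compliance PowerShell session with the roles from section 1. The function name, the default limits, and the addresses and search names in the usage lines are placeholders.

```powershell
# Added example (not from the page): one guarded search-and-purge function that
# serves both section 4 (-ExchangeLocation "All") and section 6 (a single mailbox).
# Runs in a Security & Compliance PowerShell session (Connect-IPPSSession) with the
# roles from section 1. The function name, the default limits and the addresses in
# the usage lines are placeholders chosen for this example.
function Invoke-MailPurge {
    param(
        [Parameter(Mandatory)] [string] $SearchName,
        [Parameter(Mandatory)] [string] $Query,              # KQL, e.g. "(To:user@contoso.com) AND (Sent:2024-03-15)"
        [string[]] $ExchangeLocation = "All",                # "All" or one or more mailbox addresses
        [ValidateSet("SoftDelete", "HardDelete")] [string] $PurgeType = "SoftDelete",
        [int] $MaxItems   = 500,                             # refuse to purge if the estimate is larger
        [int] $TimeoutSec = 900
    )

    # 1. Create the search, or update it if it already exists (Set-ComplianceSearch
    #    replaces the query and locations), then run it. A purge action needs a
    #    completed search to act on.
    if (Get-ComplianceSearch -Identity $SearchName -ErrorAction SilentlyContinue) {
        Set-ComplianceSearch -Identity $SearchName -ExchangeLocation $ExchangeLocation -ContentMatchQuery $Query
    } else {
        New-ComplianceSearch -Name $SearchName -ExchangeLocation $ExchangeLocation -ContentMatchQuery $Query | Out-Null
    }
    Start-ComplianceSearch -Identity $SearchName
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 10
        $search = Get-ComplianceSearch -Identity $SearchName
    } until ($search.Status -eq "Completed" -or (Get-Date) -gt $deadline)
    if ($search.Status -ne "Completed") { throw "Search '$SearchName' did not complete (status: $($search.Status))." }

    # 2. Blast-radius check: look at the estimate before anything is deleted.
    Write-Host "Search '$SearchName' matched $($search.Items) item(s) in: $($search.ExchangeLocation -join ', ')"
    if ($search.Items -eq 0) { return }
    if ($search.Items -gt $MaxItems) {
        throw "Estimate ($($search.Items)) exceeds MaxItems ($MaxItems); narrow the query before purging."
    }

    # 3. Purge and wait for the action (named "<search>_Purge") to finish.
    $action = New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType $PurgeType -Confirm:$false
    do {
        Start-Sleep -Seconds 10
        $action = Get-ComplianceSearchAction -Identity $action.Name
    } until ($action.Status -eq "Completed" -or (Get-Date) -gt $deadline)

    # 4. Results is one flat string ("Location: x; Item count: n; Total size: s; Failed count: f; ,").
    #    Turn it into per-mailbox objects so failures and the 10-items-per-mailbox cap stand out.
    $pattern = 'Location:\s*(?<loc>[^;]+);\s*Item count:\s*(?<n>\d+);\s*Total size:\s*(?<size>\d+);\s*Failed count:\s*(?<f>\d+)'
    [regex]::Matches([string]$action.Results, $pattern) | ForEach-Object {
        [pscustomobject]@{
            Mailbox      = $_.Groups['loc'].Value.Trim()
            Purged       = [int]$_.Groups['n'].Value
            Failed       = [int]$_.Groups['f'].Value
            # A purge removes at most 10 items per mailbox per action: 10 means "run again".
            PossiblyMore = ([int]$_.Groups['n'].Value -ge 10)
        }
    }
}

# Usage (placeholders): the two cases in sections 4 and 6 differ only in -ExchangeLocation.
# Invoke-MailPurge -SearchName "Spam Mail" -Query "(To:user@contoso.com) AND (Sent:2024-03-15)"
# Invoke-MailPurge -SearchName "Single mailbox" -ExchangeLocation "user@contoso.com" `
#     -Query "(To:user@contoso.com) AND (Sent:2024-03-15)" -PurgeType HardDelete
```

Call it repeatedly while any mailbox comes back with PossiblyMore set; each call re-runs the search, so the estimate shrinks toward zero as the per-mailbox cap is worked through. Keep the default PurgeType at SoftDelete for routine phishing clean-up and switch to HardDelete only when the incident warrants it, since a soft delete leaves the user a way back and leaves you a way to verify.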

7. Delete Compliance Search

You can delete a compliance search and its compliance search actions (exports, reports) in two ways:

• Exchange Online PowerShell (Security & Compliance session)
• Microsoft Purview compliance portal
a. Delete Compliance Search with PowerShell
We will use the Remove-ComplianceSearch cmdlet to remove compliance searches from
the Microsoft Purview compliance portal.

Run the following command to delete a compliance search:

Remove-ComplianceSearch -Identity "Spam Mail" -Confirm:$false

It removes any compliance search with the status not started, starting, stopped,
or completed.

b. Delete Compliance Search Action with PowerShell
We use the Remove-ComplianceSearchAction cmdlet to remove compliance search actions, such as exports and reports, from the Microsoft Purview compliance portal.

If you created a compliance search export or report, you can delete those results with it. Removing an action does not delete the compliance search itself.

To remove a specific compliance search export, run the following command:

Remove-ComplianceSearchAction -Identity "Spam Mail_Export" -Confirm:$false

c. Delete Content Search in Microsoft Purview
To delete a compliance search in Microsoft Purview, follow these steps:

1. Sign in to Microsoft Purview
2. Click Content search
3. Click the name of your search (SpamMeeting)
4. Click Actions
5. Select Delete
6. Click Yes

The compliance search (SpamMeeting) is removed from the content search list.
d. Delete Content Search Export in Microsoft Purview
If you exported the compliance search results to a report, you can delete that export as well.

To delete a content search export in Microsoft Purview, follow these steps:

1. Sign in to Microsoft Purview
2. Click Content search
3. Click Export
4. Click the name of your export (SpamMeeting_Export)
5. Click Delete
6. Click Delete to confirm

The compliance search export (SpamMeeting_Export) is removed from the list.

8. Conclusion
You learned how to delete mail items from a Microsoft 365 mailbox with PowerShell.
First, you must assign permissions in Microsoft Purview to search, view, export, and
delete mail items from mailboxes. After that, you can choose to search and delete mail
items from a single mailbox or multiple mailboxes.
