
How to delete an email from one or more mailboxes in Microsoft 365
Published Date : 11 Feb 2019   Last Updated : 10 Mar 2022   Content Ref: TEC6615326  





Symptoms

One or more users have received spam, phishing or other undesired emails. As an administrator you want to delete the emails from one or more user mailboxes.


Cause

The simplest way to find and remove messages uses three steps:

  • Step 1 - Check the user has sufficient permissions to search, preview search results and delete messages.
  • Step 2 - Use the Security & Compliance Admin Center to create a content search to find affected messages.
  • Step 3 - Use Security & Compliance Center PowerShell to delete the affected messages returned by the content search.

This method will delete a maximum of 10 items per mailbox, from a total of 50,000 mailboxes.

If there are more than 10 items to be deleted per mailbox, then either run multiple content searches and deletes, or consider using Exchange PowerShell only to search and delete messages. This alternative method needs careful consideration, as there is an increased risk of deleting messages you don't intend to. More detailed information on using Exchange PowerShell to search and delete is available from here.



Requirements

Security & Compliance Center PowerShell


Procedure

Step 1: Check the user has sufficient permissions to perform a content search, preview search results and delete messages
  1. Sign into portal.office.com as a global administrator.
  2. Click Admin Centers, Security & Compliance.
  3. Click Permissions.
  4. Click the Organization Management role group.
  5. Under Assigned roles, confirm the Compliance Search and 'Search and Purge' roles are assigned.
  6. Under Members, confirm the user you want to use is listed.
  7. Click Close.
  8. Click the eDiscovery Manager role group.
  9. Under Assigned roles, confirm the Preview role is assigned.
  10. Under Members, confirm the user you want to use is listed.
  11. Click Close.

Note: The Organization Management and eDiscovery Manager role groups together contain the right permission roles to allow a user to search, preview search results and delete. You can choose to separate out these permissions as desired:

  • To perform a content search, the user must have the Compliance Search role assigned. This role can be assigned individually or inherited as a result of being assigned the Organization Management or eDiscovery Manager role groups in the Security & Compliance Admin Center, Permissions. 
  • To preview search results, the user must have the Preview role. This role can be assigned individually or inherited as a result of being assigned the eDiscovery Manager role group.
  • To delete messages, the user must have the 'Search and Purge' role assigned. This role can be assigned individually or inherited as a result of being assigned the Organization Management role group.

Further information on assigning Security & Compliance permission roles is available here.


Step 2: Create a content search in the Security & Compliance Admin Center
  1. Sign into portal.office.com as a user you assigned the Organization Management role group to.
  2. Click Admin Centers, Security & Compliance Admin Center.
  3. Under 'Search & investigation', select 'Content search'.
  4. Click 'New search'.
  5. In Search query, click 'Add conditions'.
  6. Select one or more conditions to customise your search. For example, click Subject/Title, Add to search for specific words in the subject of emails.
  7. In Locations, select 'Specific locations', Modify.
  8. If you want to search all mailboxes, move the slider to 'Select all' and click Save.
  9. If you want to restrict your search, click 'Choose users, groups or teams'.
  10. In the Search box, find the names of the users, groups or teams you want to include in the search.
  11. Tick the box next to the desired name(s) and click Choose, Done.
  12. Click Save.
  13. Click 'Save & run'.
  14. In Name, type a name for your search.

Step 3: Delete messages using Security & Compliance PowerShell
  1. Open Windows PowerShell ISE as an administrator.
  2. Copy and paste the following:

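# Prompt for the account that holds the roles checked in Step 1
$UserCredential = Get-Credential
# Open a remote session to Security & Compliance Center PowerShell (the whole command must be on one line)
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
# Import the compliance cmdlets into the local session
Import-PSSession $Session -DisableNameChecking -AllowClobber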

  3. Click Run Script from the toolbar and sign in as the user you assigned the Organization Management role group to.
  4. Decide which type of delete you want to run: soft-delete or hard-delete*.
  5. To soft-delete the message from user mailboxes*:

New-ComplianceSearchAction -SearchName "<Name of search from Step 2, item 14>" -Purge -PurgeType SoftDelete

To hard-delete the message from user mailboxes*:

New-ComplianceSearchAction -SearchName "<Name of search from Step 2, item 14>" -Purge -PurgeType HardDelete

  6. To keep track of the progress of the purge, run the following command:

Get-ComplianceSearchAction -Purge 

* A soft-deleted message is moved to a user's Recoverable Items folder and retained until the deleted item retention period expires. Hard-deleted messages are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant. More detailed information is available here.
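A guarded version of the purge in Step 3, as an added example that is not part of the original article: it checks that the content search from Step 2 has completed, shows how many items it matched, soft-deletes only after the operator retypes the search name, and then polls the purge action. The search name 'Phish-Invoice-2022', the 15-second interval and the 20-poll limit are assumptions; the Security & Compliance PowerShell session from Step 3 must already be imported.

```powershell
# Added example (not from the original article).
$SearchName = 'Phish-Invoice-2022'   # assumed name; use the name typed in Step 2

# 1. Confirm the content search has finished and review what it matched.
$search = Get-ComplianceSearch -Identity $SearchName -ErrorAction Stop
if ($search.Status -ne 'Completed') {
    throw "Search '$SearchName' is '$($search.Status)'; wait until it has completed."
}
Write-Host "Search '$SearchName' matched $($search.Items) item(s)."
if ($search.Items -eq 0) {
    Write-Host 'Nothing to purge.'
    return
}

# 2. Require the operator to retype the search name before anything is deleted.
$answer = Read-Host 'Retype the search name to soft-delete the matched items'
if ($answer -ne $SearchName) {
    Write-Host 'Names do not match; no purge was started.'
    return
}

# 3. Soft-delete, so messages stay in Recoverable Items if the query was too broad.
#    The purge removes at most 10 items per mailbox, as noted earlier in the article.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false |
    Out-Null

# 4. Poll the purge action, which is named "<search name>_Purge".
$actionName = "${SearchName}_Purge"
$polls = 0
do {
    Start-Sleep -Seconds 15
    $action = Get-ComplianceSearchAction -Identity $actionName
    Write-Host "Purge status: $($action.Status)"
    $polls++
} while ($action.Status -ne 'Completed' -and $polls -lt 20)

# 5. Show the outcome so it can be recorded with the incident.
$action | Format-List Name, Status, Results
```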

If you would like further assistance with PowerShell, please raise a service request with Microsoft. See Other Useful Articles below.



Possible Issues

Error message: WinRM cannot complete the operation

When connecting to Security and Compliance Center PowerShell you may see an error message in red text:

Connecting to remote server eur01b.ps.compliance.protection.outlook.com failed with the following error message : WinRM cannot complete the operation.

PowerShell uses the Windows Remote Management service and Win HTTP Services (WinHTTP) to make a connection.

First, ensure the Windows Remote Management service is running on the PC you are using PowerShell on and then check WinHTTP is set up to use the correct proxy. If you use a proxy server to browse the Internet then you should use the network shell command-line utility to check and set WinHTTP to use the same proxy as Internet Explorer. To do this:

  1. Open a command prompt as administrator.
  2. To view the current setting, type netsh winhttp show proxy and press Enter. It may show direct access (no proxy server) or an undesired proxy setting.
  3. To set WinHTTP to use the same proxy as IE, type netsh winhttp import proxy source=ie and press Enter.
  4. Alternatively, manually set WinHTTP by typing netsh winhttp set proxy <proxyserver>:<port>. For example, netsh winhttp set proxy server06:8080.


Other Useful Articles

Microsoft 365 - How to raise a support request with Microsoft (TEC3877606)
