Purging Unwanted Messages from Exchange Online Mailboxes

Search-Mailbox Being Phased Out from Exchange Online

Last August I wrote about Microsoft’s intention to deprecate the Search-Mailbox cmdlet and remove it from Office 365. In January, Microsoft announced that it would remove Search-Mailbox and other legacy search tools on April 1, 2020. On March 27, Microsoft announced a 3-month delay in the retirement of the legacy tools by three months, but it’s unlikely that the new July 1, 2020 date will be extended again. The die is cast and there’s no going back.

One of the most common uses of Search-Mailbox is to remove email that you don’t want users to have in their mailboxes. These messages might be phishing attempts, contain malware or viruses, or maybe they’ve been sent in error and need to be recalled. Outlook’s celebrated inability to recall messages is one reason why other tools are needed when messages leak out when they shouldn’t, which is why Microsoft is working on a new message recall feature.

Office 365 Content Searches Find Bad Staff to Purge

Search-Mailbox can only be used in PowerShell and its interface is clunky, especially when formatting queries. But it’s an effective tool. Office 365 content searches are the replacement, or more correctly, a combination of a content search (to find messages) followed by a content search purge action (to remove the messages). Microsoft has some good documentation to explain how the process works and to document some limitations.

The two most obvious limitations are that purge actions are confined to Exchange messages and you can only remove 10 items from a mailbox at one time. Given that we’re discussing how to replace Search-Mailbox, the first isn’t a problem, even if it points to a need for a tool to disinfect SharePoint Online, OneDrive for Business, Teams, etc. if malware penetrates. The second limitation is by design, and it’s there to stop unwary administrators wreaking havoc on mailboxes by running a purge for a search that returns large numbers of items.

The Important of Precision Searches

The key thing to remember when considering how to purge bad messages using content searches is to use a laser-focused search to find the messages. Administrator-initiated purging should be a precision operation, and that means you must build a search to find the exact messages to remove instead of casting a net widely in the hope that the right messages are found.

The easiest way to build a focused content search is through the Compliance Center GUI. You won’t have to worry too much about the syntax to use as you can build the search by adding keywords and conditions. Even better, you can preview the search (Figure 1) to make sure that the right messages are found.

Previewing results of a content search in the Compliance Center
Figure 1: Previewing results of a content search in the Compliance Center (image credit: Tony Redmond)

Office 365 Content Search Actions

Once you know that your search is effective, you can concentrate on attaching a purge action to it. A search action is something that acts on the results of a search. When you preview search results (Figure 1), those results are generated by applying a preview action to the search.

Office 365 content searches support HardDelete and SoftDelete purge actions. As noted above, purges only work for Exchange Online.

  • The HardDelete action moves items into the Purges sub-folder of Recoverable Items. Users can’t access items in the Purges folder.
  • The SoftDelete action moves items into the Deletions sub-folder of Recoverable Items. Users can recover items from Deletions using the Recover Deleted Items feature in Outlook and OWA.

Exchange Online Message Retention Affects Purging

The Managed Folder Assistant permanently removes items from the Purges or Deletions folder after all retention mechanisms keeping the item lapse:

  • The mailbox’s deleted items retention period (items are kept between 14 and 30 days) together with Single Item Recovery to ensure that items can’t be removed until the deleted item retention period passes.
  • Any personal retention tag applied to the item.
  • Any retention policy applied to the mailbox.

Items are kept so that they remain available for eDiscovery. It’s important to remember this because a search will continue to find items in mailboxes even when they have been removed from user view by a purge. In other words, even after you run a content search and purge its results, the messages remain until anything holding them back is removed.

Purging with PowerShell

No button or other interface allows administrators to purge messages through the Compliance Center or any other Office 365 admin center. If you want to purge messages, you’ve got to do run the purge using PowerShell.

To make things easier, I wrote a script (you can fetch a copy from GitHub) to do the following:

  • Clean up by removing old versions of the content search I plan to use.
  • Create and run a content search to find items identified by sender, subject, and date range.
  • Wait for the search to finish and check if any items are found.
  • If items are found, report the mailboxes where the items are found and run the search action to hard-delete the items.
  • Because only 10 items can be removed from a mailbox at one time, iterate if needed to remove items.

Figure 2 shows an example of the search and purge script in action.

Running an Office 365 content search and purge from PowerShell
Figure 2: Running an Office 365 content search and purge from PowerShell (image credit: Tony Redmond)

Over to You

I’ve no doubt that the script can be improved to harden it for production usage. My point is to demonstrate the principle steps in creating a script to purge items from mailboxes using a content search and search action. Now it’s over to you to apply the real magic.

Search-Mailbox persists in on-premises Exchange, but now there’s a new sheriff for mailbox purging in town.