Delete Messages from Exchange and Exchange Online Environment

This blog post outlines the process Exchange administrators can follow when the legal, compliance or security teams ask them to remove messages matching certain criteria from the Exchange/Exchange Online environment.

Exchange

Note: For these commands to succeed, indexing on the Exchange servers must be in a healthy condition.

The first step is to run the search against the mailboxes with the log-only option, to check what will be deleted.

Run Against Particular Mailboxes

  • Log Only – PS command example

Create a CSV file (mailboxes.csv) with the header Alias.

Values can be aliases or email addresses.

Import-Csv c:\tmp\mailboxes.csv | foreach {Search-Mailbox $_.Alias -SearchQuery 'Subject:"Subject to Search" AND Received>5/23/2018' -TargetMailbox "TargetMailboxtoStoreResults" -TargetFolder "TargetFolderforLogs" -LogOnly -LogLevel Full} >c:\tmp\log_Del_messages.txt

You can then check the logs folder in the target mailbox and spot-check that the search matches exactly what you intend to delete.

c:\tmp\log_Del_messages.txt will show basic information, such as how many messages and how many KB will be deleted.

  • Delete & Copy – PS command example

If the results are satisfactory, copy the same PS command above and replace

-LogOnly -LogLevel Full with -DeleteContent -Force.

Do not forget to change the target folder and the text log name; otherwise everything ends up in the same folder and the log is overwritten.

Import-Csv c:\tmp\mailboxes.csv | foreach {Search-Mailbox $_.Alias -SearchQuery 'Subject:"Subject to Search" AND Received>5/23/2018' -TargetMailbox "TargetMailboxtoStoreResults" -TargetFolder "TargetFolderforLogs" -DeleteContent -Force} >c:\tmp\log_Del_messages.txt

This command deletes the content but copies all the emails to the TargetFolder, in case you need to see what has been deleted from which mailbox and folder.

After reviewing it, you can delete the target folder completely if all the emails must be removed from the environment for compliance reasons.

  • Delete without Copy (only to be used if you do not want any traces and want the messages completely deleted)

Just remove the target mailbox and folder from the command line:

Import-Csv c:\tmp\mailboxes.csv | foreach {Search-Mailbox $_.Alias -SearchQuery 'Subject:"Subject to Search" AND Received>5/23/2018' -DeleteContent -Force} >c:\tmp\log_Del_messages.txt

Run Against All Mailboxes

Use this if you want to run these commands against all the mailboxes in the environment.

Get all mailboxes through PowerShell using the command below.

$allmbx = Get-Mailbox -ResultSize Unlimited | Select Alias

  • Log Only – PS command example

$allmbx | foreach {Search-Mailbox $_.Alias -SearchQuery 'Subject:"Subject to Search" AND Received>5/23/2018' -TargetMailbox "TargetMailboxtoStoreResults" -TargetFolder "TargetFolderforLogs" -LogOnly -LogLevel Full} >c:\tmp\log_Del_messages.txt

You can then check the logs folder in the target mailbox and spot-check that the search matches exactly what you intend to delete.

c:\tmp\log_Del_messages.txt will show basic information, such as how many messages and how many KB will be deleted.

  • Delete & Copy – PS command example

If the results are satisfactory, copy the same PS command above and replace

-LogOnly -LogLevel Full with -DeleteContent -Force.

Do not forget to change the target folder and the text log name; otherwise everything ends up in the same folder and the log is overwritten.

$allmbx | foreach {Search-Mailbox $_.Alias -SearchQuery 'Subject:"Subject to Search" AND Received>5/23/2018' -TargetMailbox "TargetMailboxtoStoreResults" -TargetFolder "TargetFolderforLogs" -DeleteContent -Force} >c:\tmp\log_Del_messages.txt

This command deletes the content but copies all the emails to the TargetFolder, in case you need to see what has been deleted from which mailbox and folder.

After reviewing it, you can delete the target folder completely if all the emails must be removed from the environment for compliance reasons.

  • Delete without Copy (only to be used if you do not want any traces and want the messages completely deleted)

Just remove the target mailbox and folder from the command line:

$allmbx | foreach {Search-Mailbox $_.Alias -SearchQuery 'Subject:"Subject to Search" AND Received>5/23/2018' -DeleteContent -Force} >c:\tmp\log_Del_messages.txt
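The log-only and delete-and-copy passes above can be chained so that the delete runs only after the preview has been recorded and sanity-checked. This is an added example, not the author's script; the per-mailbox limit, the timestamped folder and file names and the CSV paths are assumptions to adapt.

```powershell
# Added example. Assumes an Exchange Management Shell session and the
# mailboxes.csv file (header: Alias) described above.
$query     = 'Subject:"Subject to Search" AND Received>5/23/2018'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'   # unique folder/log names per run
$maxPerMbx = 25                                   # hypothetical limit: more hits means "stop and review"
$common    = @{ SearchQuery = $query; TargetMailbox = 'TargetMailboxtoStoreResults' }

$mailboxes = Import-Csv 'c:\tmp\mailboxes.csv'

# Pass 1: log only. Keep the result objects instead of redirecting text output.
$preview = foreach ($m in $mailboxes) {
    $r = Search-Mailbox -Identity $m.Alias @common -TargetFolder "LogOnly-$stamp" -LogOnly -LogLevel Full
    [pscustomobject]@{
        Alias   = $m.Alias
        Success = $r.Success
        Items   = $r.ResultItemsCount
        Size    = $r.ResultItemsSize
    }
}
$preview | Export-Csv "c:\tmp\preview_$stamp.csv" -NoTypeInformation

# Gate: a failed search or an unexpectedly large hit count usually means the
# query is broader than intended, so nothing is deleted in that case.
$suspect = $preview | Where-Object { -not $_.Success -or $_.Items -gt $maxPerMbx }
if ($suspect) {
    $suspect | Format-Table Alias, Success, Items
    throw "Preview needs review; no content was deleted."
}

# Pass 2: delete and copy, only for mailboxes that actually had hits,
# into a different target folder and a different log file.
$deleted = foreach ($p in ($preview | Where-Object { $_.Items -gt 0 })) {
    $r = Search-Mailbox -Identity $p.Alias @common -TargetFolder "Deleted-$stamp" -DeleteContent -Force
    [pscustomobject]@{
        Alias    = $p.Alias
        Success  = $r.Success
        Removed  = $r.ResultItemsCount
        Expected = $p.Items
    }
}
$deleted | Export-Csv "c:\tmp\deleted_$stamp.csv" -NoTypeInformation

# Mailboxes where the delete pass did not match the preview deserve a second look.
$deleted | Where-Object { $_.Removed -ne $_.Expected } | Format-Table
```

The two CSV files give the requesting team a per-mailbox record of what was previewed and what was removed.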

Exchange Online

 

Note: The same commands work in Exchange Online as well; you just need to make sure that the target mailbox is in Exchange Online for the online commands. (The user must have the Mailbox Import/Export role assigned, otherwise the Search-Mailbox command will not run in Exchange Online.)

Do not connect to Exchange Online from the on-premises Exchange Management Shell. Open a separate PowerShell session without loading any other modules and connect to Exchange Online from there.

How to connect to the Exchange Online shell:

 $UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session -AllowClobber

How to connect to the Security and Compliance Center:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session  -AllowClobber

Microsoft has also released a new way of deleting content from Exchange Online using the Security and Compliance Center.

https://docs.microsoft.com/en-us/office365/securitycompliance/search-for-and-delete-messages-in-your-organization

Use https://protection.office.com/ and create a Content Search.

Once the search is created, you know which items you want to delete.

To do a soft delete:

New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete

To do a hard delete:

New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete

A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove messages is intended to be an incident-response tool, this limit helps ensure that messages are quickly removed from mailboxes. This feature isn’t intended to clean up user mailboxes. To delete more than 10 items, you can use the Search-Mailbox -DeleteContent command in Exchange Online PowerShell.
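The Content Search and purge steps above can also be driven entirely from Security and Compliance Center PowerShell. The following is an added example, not part of the original post: the query is a constructed placeholder, and the parsing assumes each entry of SuccessResults has the form "Location: ..., Item count: N, Total size: ...".

```powershell
# Added example. Assumes a connected Security and Compliance Center
# PowerShell session (see the connection commands above).
$name  = 'Remove Phishing Message'                              # search name used on this page
$query = 'Subject:"Subject to Search" AND Received>5/23/2018'   # constructed placeholder query

# Create and start the search across all Exchange Online mailboxes.
New-ComplianceSearch -Name $name -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $name

# Wait until the search has finished before looking at the results.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $name
} while ($search.Status -ne 'Completed')

"Search '{0}': {1} items, {2} bytes" -f $name, $search.Items, $search.Size

# The purge removes at most 10 items per mailbox, so list the mailboxes that
# exceed the limit; those need a second purge run or Search-Mailbox -DeleteContent.
$overLimit = $search.SuccessResults -split "`n" | ForEach-Object {
    if ($_ -match 'Location:\s*(?<loc>[^,]+),\s*Item count:\s*(?<n>\d+)') {
        if ([int]$Matches.n -gt 10) {
            [pscustomobject]@{ Location = $Matches.loc; Items = [int]$Matches.n }
        }
    }
}
if ($overLimit) {
    Write-Warning "Mailboxes with more than 10 matching items:"
    $overLimit | Format-Table
}

# Soft delete. The cmdlet asks for confirmation, which is left in place on purpose.
New-ComplianceSearchAction -SearchName $name -Purge -PurgeType SoftDelete

# The purge action is named "<search name>_Purge"; poll it until it completes.
do {
    Start-Sleep -Seconds 15
    $action = Get-ComplianceSearchAction -Identity "${name}_Purge"
} while ($action.Status -ne 'Completed')
$action | Format-List Name, Status, Results
```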

 

Thanks for reading

Tech Wizard

http://techwizard.cloud

 

 

 

 
