How To Find And Delete An Email From All Mailboxes In Office 365


The Best WordPress plugins!

1. WP Reset

2. WP 301 Redirects

3. WP Force SSL

If you need to find and delete emails from the mailbox of an individual or a whole group, it’s not that hard. Whether you’re looking for messages sent by your boss about how many hours per day he expects his subordinates to work or want to get rid of old personal emails, this tutorial shows you where they can be found on Office 365.

The “office 365 delete email from all mailboxes” is a process that allows users to find and delete an email from all mailboxes in Office 365.

How To Find And Delete An Email From All Mailboxes In Office 365

It’s no secret that mail hygiene solutions aren’t always successful. From time to time, malicious communications slip through the cracks without being caught. You’ll need to know how to utilize Office 365 to discover and delete email in certain situations.

If you manage Office 365, you’re probably acquainted with the scenario mentioned above. Spam or phishing assaults are regarded as serious security breaches. To reduce the possible damage to users and infrastructure, email administrators must act swiftly.

You can do a content search via the Office 365 Security and Compliance interface by clicking around, but you’ll need to use PowerShell to remove the results. So, since you’re going to use PowerShell anyhow, why not use it for everything?

In this post, you’ll learn how to search for and remove harmful messages from all Office 365 mailboxes using the Security and Compliance PowerShell cmdlets.


There are certain prerequisites if you want to follow along with this essay, since it is basically a How-To.

  • To search mailboxes and remove messages, your admin account must have sufficient Office 365 access. – Permission to search mailboxes is required: The account must be given the Compliance Search management role or be a member of the eDiscovery Manager role group. – To remove communications, the account must belong to the Organization Management role group or have the Search And Purge management role given to it. – Permission to preview messages is required: The account must belong to the eDiscovery Manager role group or have the Preview management role given to it.
  • PowerShell must be connected to the Office 365 Security & Compliance Center PowerShell. Follow this link to connect without MFA, or this link to connect with MFA.

Getting Information on the Deleted Message

You must first collect all relevant information about the message before you begin generating the content search for the message that has to be erased. Unless you’ve previously been given all of the facts.

Knowing as much information as possible about the message can aid you in deciding how to phrase the search query. Some of the most essential information you’ll need, for example, is:

  • What is the email address of the sender?
  • What is the topic of the message?
  • Are there any file attachments, and if so, what are the names of the files?
  • When was the first time you heard about it?
  • Who are the lucky ones?

In most circumstances, one or two of the following pieces of information should enough to create a search query. Then it’s up to you to figure out which of these search parameters is most useful.

The Office 365 Email Content Search: Setting Up and Using It

It’s time to open up PowerShell and start constructing the content search after you’re sure that you have all the information you need about the message.

Assume the following characteristics of the spam/phishing message to be deleted:

  • You must update your bank password immediately.
  • 05/12/2020 – 05/12/2020 – 05/12/2020 – 05

The message attributes provided above will be utilized to generate a search query using the New-ComplianceSearch. The ability to maintain search results as accurate as possible is dependent on well-defined search criteria.

There are various options and switches available with the New-ComplianceSearch cmdlet. These are the parameters that will be utilized to construct a mailbox content search.

  • The name that will be allocated to the content search object is accepted here. This may be any name; there’s no need to think too hard about it.
  • ExchangeLocation – This accepts the Exchange location to which the search will be directed. This might be a mailbox or a group. To ensure that all mailboxes in the search are targeted, the value to use in this article is All.
  • ContentMatchQuery – This parameter is the most important aspect in determining the correctness of the search results. The allowed query format is KQL, which stands for Keyword Query Language.

Copy the code below and paste it into your PowerShell console to generate the content search. Make careful to adjust the parameter values according to your needs. The search is called Phish1 in this case, and the query combines the topic and sent property values.

-ContentMatchQuery’subject:”You must change your bank password now” AND sent:05/12/2020′ New-ComplianceSearch’-Name Phish1′-ExchangeLocation All’-ContentMatchQuery’subject:”You must change your bank password now” AND sent:05/12/2020′

To learn more about utilizing keywords in content search, go to the Keyword queries and search criteria for Content Search page.

When you execute the code above in PowerShell, you should see something like the result shown below.

Making a brand-new content searchMaking a brand-new content search

The content search task has been established at this stage, but the search has not yet been launched, according to the status (NotStarted).

Use the Start-ComplianceSearch cmdlet to begin the content search. You must use the -Identity argument to provide the cmdlet the name of the content search job that you generated.

Copy the code below and paste it into your PowerShell console to start the Office 365 email content search.

-Identity Phish1 -Start-ComplianceSearch

There will be no output on the screen after executing the code above. The next step is to keep an eye on the search’s progress. Use the PowerShell code below to keep track of the search status.

Phish1 -Identity Get-ComplianceSearch

When you execute the code above, you should get something like this. The content search job status is Completed, as seen in the output below.

Obtaining the status of the content searchObtaining the status of the content search

The result above shows that the returned attributes are restricted and that the number of detected matches is not shown. To receive all the characteristics of the content search result, use the command below.

Phish1 -Identity Get-ComplianceSearch | Format-List *

You should get a similar result after executing the command above, as seen below. There were 16 things that matched the search parameters in this instance.

Results of a content searchResults of a content search

Viewing the Search Results in Advance (Optional)

Viewing the search results in advance is an optional step, but it’s suggested if you’re the sort that like to be safe. Would you want to remove the erroneous message from all of your mailboxes?

You’ve created, ran, and monitored the content search using the New-ComplianceSearch, Start-ComplianceSearch, and Get-ComplianceSearch cmdlets so far. You will now need to use the New-ComplianceSearchAction cmdlet to examine the search results.

To get a preview of the search results, use the command below to create a preview action.

-SearchName Phish1 -Preview New-ComplianceSearchAction

The preview job has been created with the name Phish1 Preview, and it is immediately started, as you can see in the output below.

Phish1 PreviewPhish1 Preview

After the preview has been created, you may receive a preview of the results by executing the command below, which will display the results on the screen.

(Get-ComplianceSearchAction Phish1 Preview | Select-Object -ExpandProperty Results) -split “,”

And if you execute the program above, you should obtain something like the picture below.

Viewing the search results in advanceViewing the search results in advance

Let’s face it, the end product, as depicted above, is unappealing. If you like, you may export the results as a TXT file. You may also obtain the content search report from the Security and Compliance Center portal if you want a more prepared report.

Note that the Preview action does not reveal the messages’ contents. It just displays the information of messages that fit the search parameters, not the content of each message.

Messages are being deleted.

The last step is to do the Office 365 delete email action. Assume you’re already happy with the results of your search. You may now begin the message deleting procedure.

To remove the messages that fit the search criteria, use the New-ComplianceSearchAction cmdlet with the -Purge switch and -PurgeType option to create a purge task.

Below is the code for creating the purge job. To execute the code, copy it and paste it into PowerShell.

-SearchName Phish1 -Purge -PurgeType SoftDelete -New-ComplianceSearchAction

The -PurgeType SoftDelete parameter/value would delete the messages from the mailbox and place them in the Deletions folder under the Recoverable Items folder. This implies that, if necessary, the communication might still be recovered.

The purge task will be created and started when you execute the code above.

Make the message purge task.Make the message purge task.

The purge task was created with the name Phish1 Purge, and it began automatically, as seen in the picture below.

The purge task has been created and begun.The purge task has been created and begun.

When the purge is finished, run the command below to see the final result.

Format-List | Get-ComplianceSearchAction -Identity Phish1 Purge

The outcome would be similar to what is seen below. There were 16 messages erased in this case, and none of them failed.

The message cleanse has been completed.The message cleanse has been completed.

That’s all there is to it. You’ve successfully removed all spam/phishing communications from your Office 365 mailboxes.


You learnt how to find and remove messages from all Office 365 mailboxes using the Security and Compliance PowerShell cmdlets in this post.

You’ve learnt how to combine the information of the message you want to remove together in order to refine your search criteria. Refining the search criteria ensures that the results are as accurate as possible.

You also learnt how to build and initiate content searches, see the results, and erase the messages that met the search criteria. The nicest part about it all is that you didn’t have to leave PowerShell to do these chores!

With the information you’ve obtained from this article, you may be able to automate the whole search and delete operation so that even your front-line personnel can do it. Maybe then you won’t have to be jolted awake from your much-needed slumber.

Additional Reading

The “delete phishing email from office 365” is a task that many people have to do on a daily basis. The process of finding and deleting an email from all mailboxes in Office 365 is simple.

Frequently Asked Questions

Related Tags

  • search-mailbox
  • powershell delete email from mailbox office 365
  • exchange delete email from all mailboxes
  • powershell delete email from mailbox exchange 2016
  • search and delete email office 365 powershell

Table of Content