Find and delete email messages in eDiscovery

Tip

This article is for administrators. Are you trying to find items in your mailbox that you want to delete? See Find a message or item with Instant Search.

You can use the search feature to search for and delete email messages from all mailboxes in your organization. This process can help you find and remove potentially harmful or high-risk email, such as:

  • Messages that contain dangerous attachments or viruses
  • Phishing messages
  • Messages that contain sensitive data

However, it’s important to understand that the eDiscovery purge process is not intended for general mailbox management tasks such as:

  • Reducing mailbox quota

  • Clearing out mailboxes

  • Enforcing data retention policies

The purge process described in this article is specifically designed to address data spillage incidents, such as when a message is accidentally shared with a large group of users. For routine mailbox management and compliance, we recommend using the following tools instead:

  • Retention Policies: To manage the lifecycle of data and ensure compliance with organizational standards.

  • Archive Policies: To offload older content and manage mailbox storage effectively.

  • Mailbox Ownership and Manual Deletion: For precise control over specific mailboxes, especially when content needs to be reviewed or removed by the mailbox owner.

Tip

If your organization has a Defender for Office 365 Plan 2 subscription, we recommend using the procedure detailed in Remediate malicious email delivered in Office 365, rather than following the procedure described in this article.

Before you begin

Important

Carefully review the following guidance before starting the search and purge steps for email messages.

  • Depending on the eDiscovery subscription for your organization, cases can either be enabled for premium features or not. Verify the level of feature support for the case to determine if the search and purge should be conducted using PowerShell or Microsoft Graph. Cases not configured for premium features can only use PowerShell to search and delete email messages and cases configured for premium features can use PowerShell or Microsoft Graph to search and delete email messages. Don't use a combination of PowerShell and Microsoft Graph to purge email messages.

  • Once data is permanently deleted, it can't be recovered. Follow the guidance in this article carefully and validate the scope of the search before issuing the purge command. Once the purge command is run, it can't be undone and email messages can't be restored.

  • Search conditions such as identifier, sensitivity label, and sensitive information type aren't supported for search and delete for non-premium enabled cases in eDiscovery. Using these conditions results in unexpected data loss.

  • Run an export report to review all items that match your search criteria prior to the purge. Using the search and export experience in the Microsoft Purview portal and exporting the results in report-only format allows you to examine detailed metadata before deletion. This helps refine your search scope and ensures a more targeted and accurate purge.

  • The search and purge workflow described in this article shouldn't be used to delete chat messages or other content from Microsoft Teams. If the search that you create in Step 2 returns items from Microsoft Teams, follow the steps outlined in Find and delete Microsoft Teams chat messages in eDiscovery to delete them.

  • To create and run a search, you have to be a member of the eDiscovery Manager role group or be assigned the Compliance Search role in the Microsoft Purview portal. To delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge role in the Microsoft Purview portal. For information about adding users to a role group, see Assign eDiscovery permissions.

    Note

    The Organization Management role group exists in both Exchange Online and in the Microsoft Purview portal. These are separate role groups that give different permissions. Being a member of Organization Management in Exchange Online doesn't grant the required permissions to delete email messages. If you aren't assigned the Search And Purge role in the Microsoft Purview portal (either directly or through a role group such as Organization Management), you receive an error in Step 3 when you run the New-ComplianceSearchAction cmdlet with the message "A parameter can't be found that matches parameter name 'Purge'".

  • You have to use Security & Compliance PowerShell to delete messages. See Step 1: Connect to Security & Compliance PowerShell for instructions about how to connect.

  • A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove messages is intended to be an event-response tool, this limit helps ensure that messages are quickly removed from mailboxes. This feature isn't intended to clean up user mailboxes.

  • If more items need to be removed from a mailbox, additional steps are required:

    1. Single item recovery must be disabled for the mailbox. This ensures items are removed from the Purges folder.
    2. The Managed Folder Assistant must be run against the mailbox after each compliance purge action. This permanently deletes the purged items and allows another 10 items to be removed by a further purge action.

    Note

    This option isn't supported if a mailbox has a litigation hold. Only 10 items are removed from view of the user. These 10 items aren't permanently deleted, so these 10 items are the only ones processed.

  • The maximum number of mailboxes in a content search that you can use to delete items by doing a search and purge action is 50,000. If the search (that you create in Step 2) searches more than 50,000 mailboxes, the purge action (that you create in Step 3) fails. Searching more than 50,000 mailboxes in a single search typically happens when you configure the search to include all mailboxes in your organization. This restriction applies even when fewer than 50,000 mailboxes contain items that match the search query. See the More information section for guidance about using search permissions filters to search for and purge items from more than 50,000 mailboxes.

  • The procedure in this article can only be used to delete items in Exchange Online mailboxes and public folders. You can't use it to delete content from SharePoint or OneDrive sites.

  • Email items in a review set in an eDiscovery case can't be deleted by using the procedures in this article. That's because items in a review set are stored in an Azure Storage location, and not in the live service. This means they aren't returned by the content search that you create in Step 2. To delete items in a review set, you have to delete the eDiscovery case that contains the review set.

Step 1: Connect to Security & Compliance PowerShell

The first step is to connect to Security & Compliance PowerShell for your organization. For step-by-step instructions, see Connect to Security & Compliance PowerShell.

Step 2: Create a search query to find the message to delete

The second step is to create and run a search to find the message that you want to remove from mailboxes in your organization. You can create the search by using the Microsoft Purview portal or by running the New-ComplianceSearch and Start-ComplianceSearch cmdlets in Security & Compliance PowerShell. The messages that match the query for this search are deleted by running the New-ComplianceSearchAction -Purge command in Step 3. For information about creating and configuring search queries, see the following articles:

Note

The content locations that are searched in the search query that you create in this step can't include SharePoint or OneDrive sites. You can only include mailboxes and public folders in a search that is used for email messages. If the search includes sites, you receive an error in Step 3 when you run the New-ComplianceSearchAction cmdlet.

Tips for finding messages to remove

The goal of the search query is to narrow the results of the search to only the message or messages that you want to remove. Here are some tips:

  • If you know the exact text or phrase used in the subject line of the message, use the Subject property in the search query.
  • If you know the exact date (or date range) of the message, include the Received property in the search query.
  • If you know who sent the message, include the From property in the search query.
  • Preview the search results to verify that the search returned only the message (or messages) that you want to delete.
  • Use the search estimate statistics (displayed in the details pane of the search in the Microsoft Purview portal or by using the Get-ComplianceSearch cmdlet) to get a count of the total number of results.

Here are two examples of queries to find suspicious email messages.

  • This query returns messages that were received by users between April 13, 2024 and April 14, 2024 and that contain the words "action" and "required" in the subject line.

    (Received:4/13/2024..4/14/2024) AND (Subject:'Action required')
    
  • This query returns messages sent by user@contoso.com and that contain the exact phrase "Update your account information" in the subject line.

    (From:user@contoso.com) AND (Subject:"Update your account information")
    

Here's an example of using a query to create and start a search by running the New-ComplianceSearch and Start-ComplianceSearch cmdlets to search all mailboxes in the organization:

$Search=New-ComplianceSearch -Name "Remove Phishing Message" -ExchangeLocation All -ContentMatchQuery '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'
Start-ComplianceSearch -Identity $Search.Identity

Step 3: Delete the message

After you've created and refined a search query to return the messages that you want to remove, the final step is to run the New-ComplianceSearchAction -Purge command in Security & Compliance PowerShell to delete the message.

Important

If you used a search in eDiscovery to validate the results and scope what you want to delete, rerun that search from PowerShell before purging. A search that was run only in eDiscovery hasn't been run in PowerShell, so Get-ComplianceSearch reports an item count of 0 and no JobEndTime. Rerun the search with Start-ComplianceSearch, wait for it to complete, and verify that the cmdlet returns the same results as the eDiscovery search before performing the purge.

You can soft- or hard-delete the message. A soft-deleted message is moved to the user's Recoverable Items folder and retained until the deleted item retention period expires. Hard-deleted messages are marked for permanent removal from the mailbox and are permanently removed the next time the mailbox is processed by the Managed Folder Assistant. If single item recovery is enabled for the mailbox, hard-deleted items are permanently removed after the deleted item retention period expires. If a mailbox is placed on hold, deleted messages are preserved until the hold duration for the item expires or until the hold is removed from the mailbox.

Note

Items from Microsoft Teams that are returned by the search query aren't deleted when you run the New-ComplianceSearchAction -Purge command.

To run the following commands to delete messages, be sure that you're connected to Security & Compliance PowerShell.

Soft-delete messages

In the following example, the command soft-deletes the search results returned by a search query named "Remove Phishing Message".

New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete

Hard-delete messages

To hard-delete the items returned by the "Remove Phishing Message" content search, you would run this command:

New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete

When you run the previous commands to soft- or hard-delete messages, the search specified by the SearchName parameter is the search that you created in Step 2.

For more information, see New-ComplianceSearchAction.
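The following script is an added example, not code from the original article, that strings Steps 2 and 3 together with the checks the article asks for: it waits for the search to complete in PowerShell, refuses to purge if the search returned nothing or includes site locations, lists per-mailbox hit counts so you can spot mailboxes that exceed the 10-item purge limit, and then polls the purge action. It assumes you're already connected with Connect-IPPSSession and hold the Compliance Search and Search And Purge roles; the search name, query, and address are illustrative, and the per-mailbox parsing relies on the "Location: ..., Item count: N" format that Get-ComplianceSearch reports in SuccessResults.

```powershell
# Added example (not from the original article): guarded search-and-purge in
# Security & Compliance PowerShell. Assumes Connect-IPPSSession has been run.
$SearchName = "Remove Phishing Message"   # illustrative name
$Query      = '(Received:4/13/2024..4/14/2024) AND (From:user@contoso.com) AND (Subject:"Update your account information")'

# Step 2: create and start the search. Mailboxes and public folders only; no sites.
$search = New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query
Start-ComplianceSearch -Identity $search.Identity

# Wait until the search has actually run in PowerShell. A search run only in the
# portal shows an item count of 0 and no JobEndTime here, so always wait for Completed.
do {
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity $SearchName
    Write-Host ("Status: {0}  Items: {1}  JobEndTime: {2}" -f $search.Status, $search.Items, $search.JobEndTime)
} while ($search.Status -notin @('Completed', 'Failed', 'PartiallySucceeded'))

if ($search.Status -ne 'Completed') { throw "Search did not complete (status: $($search.Status))." }
if ($search.Items -eq 0)            { throw "Search returned no items; refine the query before purging." }
if ($search.SharePointLocation)     { throw "Search includes sites; purge works only against mailboxes and public folders." }

# Per-mailbox hit counts from SuccessResults. A single PowerShell purge removes at
# most 10 items per mailbox, so flag mailboxes that will need a second pass.
$perMailbox = [regex]::Matches($search.SuccessResults, 'Location: (?<loc>[^,;]+), Item count: (?<n>\d+)') |
    ForEach-Object { [pscustomobject]@{ Mailbox = $_.Groups['loc'].Value; Hits = [int]$_.Groups['n'].Value } } |
    Where-Object Hits -gt 0

$perMailbox | Sort-Object Hits -Descending | Format-Table -AutoSize
$over = @($perMailbox | Where-Object Hits -gt 10)
if ($over.Count -gt 0) {
    Write-Warning ("{0} mailbox(es) have more than 10 matches; only 10 per mailbox are removed per purge." -f $over.Count)
}

# Step 3: purge. The cmdlet prompts for confirmation; review the table above first.
# Use -PurgeType HardDelete to bypass the user's Deletions folder (see the article).
$action = New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete

# The action object is named "<search name>_Purge"; poll it until it completes.
do {
    Start-Sleep -Seconds 10
    $action = Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
} while ($action.Status -ne 'Completed')
$action.Results
```

Leave the confirmation prompt in place rather than passing -Confirm:$false; the purge can't be undone, and the prompt is the last point at which the per-mailbox table can stop a mis-scoped search from running.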

Frequently asked questions

  • I followed the steps in this article for search, verify, and purge but it still doesn't delete items from a mailbox.

    There are several possible reasons:

    • More than 10 items (or 100 items when using Microsoft Graph) match the search query in the mailbox. If you ran the purge with the PowerShell cmdlet and only 10 items were deleted, or ran it with Microsoft Graph and only 100 items were deleted, this is expected. Repeat the process if you need to delete more than 10 (or 100) items per mailbox, but we strongly recommend against working around these limits by continually running the purge command. If you need to delete more data from a single location, see Remediate malicious email delivered in Office 365 or Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365.

    • The mailbox is on litigation hold. If the export report associated with the search run in Step 2 (or run in eDiscovery) indicates that items are in the Recoverable Items folder, there are holds on the mailbox and the items have been moved out of the user's view. If you want to remove items that are under hold, we strongly recommend using Priority Cleanup. Alternately, you can release the hold and try purging again. Check the status of the hold by running the following cmdlet in Exchange Online PowerShell (use Get-MailUser instead of Get-Mailbox for a mail user):

      Get-Mailbox -Identity user@contoso.com | Format-List *Hold*,*Recovery*

      Verify the following values in the cmdlet results:

      • InPlaceHolds should be empty or contain only values prefixed with - (an entry prefixed with - means the mailbox is excluded from that policy)
      • DelayHoldApplied should be False
      • SingleItemRecoveryEnabled should be False

      Check for tenant-level policies by running the following cmdlet:

      Get-OrganizationConfig | Format-List *Hold*

      If any tenant-level policies apply to the mailbox, they hold the items: either exclude the mailbox from those policies (the exclusion then appears in InPlaceHolds as a value prefixed with -) before purging, or leave the mailbox out of the purge.

    • The mailbox is on delay hold.

    • The items of interest are still found after the purge because they were moved to the Recoverable Items folder.
  • How do I verify whether items are in the Recoverable Items folder?

    To verify that items are in the Recoverable Items folder, run an export report for the search and review the file path of the items in the CSV report to see whether the items are in the Recoverable Items folder. If they are, the New-ComplianceSearchAction cmdlet doesn't attempt to delete them. If the CSV report indicates that the items are in the Recoverable Items folder and the item's mailbox is archived, the mailbox is being resized. These backup items can't be deleted and are eventually removed automatically.

  • How do you get status on the search and remove operation?

    Run the Get-ComplianceSearchAction to get the status on the delete operation. The object that is created when you run the New-ComplianceSearchAction cmdlet is named using this format: <name of Content Search>_Purge.

  • What happens after you delete a message?

    A message that's deleted with the New-ComplianceSearchAction -Purge -PurgeType HardDelete command is moved to the Purges folder and can't be accessed by the user. After the message is moved to the Purges folder, the message is retained for the deleted item retention period if single item recovery is enabled for the mailbox. (In Microsoft 365, single item recovery is enabled by default when a new mailbox is created.) After the deleted item retention period expires, the message is marked for permanent deletion and is purged from Microsoft 365 the next time the mailbox is processed by the Managed Folder Assistant.

    If you use the New-ComplianceSearchAction -Purge -PurgeType SoftDelete command, messages are moved to the Deletions folder in the user's Recoverable Items folder. They aren't immediately purged from Microsoft 365. The user can recover messages from the Deletions folder (for example, by using Recover Deleted Items) for the duration of the deleted item retention period configured for the mailbox. After this retention period expires (or if the user purges the message before it expires), the message is moved to the Purges folder and can no longer be accessed by the user. Once in the Purges folder, the message is retained for the deleted item retention period configured for the mailbox if single item recovery is enabled for the mailbox. (In Microsoft 365, single item recovery is enabled by default when a new mailbox is created.) After the deleted item retention period expires, the message is marked for permanent deletion and is purged from Microsoft 365 the next time the mailbox is processed by the Managed Folder Assistant.

  • What if you have to delete a message from more than 50,000 mailboxes?

    You can perform a search and purge operation on a maximum of 50,000 mailboxes (even if fewer than 50,000 contain items that match the search query). If you have to do a search and purge operation on more than 50,000 mailboxes, consider creating temporary search permissions filters that reduce the number of mailboxes that would be searched to fewer than 50,000. For example, if your organization contains mailboxes in different departments, states, or countries/regions, you can create a mailbox search permissions filter based on one of those mailbox properties to search a subset of mailboxes in your organization. After you create the search permissions filter, create the search (described in Step 2) and then delete the message (described in Step 3). Then you can edit the filter to search for and purge messages in a different set of mailboxes. For more information about creating search permissions filters, see Configure search permissions filtering in eDiscovery.

  • Will unindexed items included in the search results be deleted?

    No, the New-ComplianceSearchAction -Purge command doesn't delete unindexed items.

  • What happens if a message is deleted from a mailbox that has been placed on Litigation Hold or is assigned to a Microsoft 365 retention policy?

    After the message is purged and moved to the Purges folder, the message is retained until the hold duration expires. If the hold duration is unlimited, then items are retained until the hold is removed or the hold duration is changed.

  • Why is the search and remove workflow divided among different Microsoft Purview portal role groups?

    A person has to be a member of the eDiscovery Manager role group or be assigned the Compliance Search management role to search mailboxes. To delete messages, a person has to be a member of the Organization Management role group or be assigned the Search And Purge management role. This makes it possible to control who can search mailboxes in the organization and who can delete messages.
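The hold checks in the FAQ above (Get-Mailbox and Get-OrganizationConfig, InPlaceHolds exclusions, delay holds, single item recovery) are easy to misread by eye, so here is an added example, not from the original article, that gathers them into one report for a mailbox and says whether a purge would be retained in Recoverable Items rather than removed. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) with View-Only Recipients or higher; the mailbox address is illustrative, and the treatment of an InPlaceHolds entry prefixed with - as an exclusion from the matching tenant-level policy follows the FAQ.

```powershell
# Added example (not from the original article): summarise why a purge may not
# remove items from a mailbox. Assumes Connect-ExchangeOnline has been run.
function Get-PurgeBlockers {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
    $org = Get-OrganizationConfig

    # Entries prefixed with "-" on the mailbox are exclusions from tenant-level
    # policies, not holds; strip the prefix so they can be matched against the
    # tenant-level InPlaceHolds list.
    $excluded      = @($mbx.InPlaceHolds | Where-Object { $_ -like '-*' } | ForEach-Object { $_.Substring(1) })
    $mailboxHolds  = @($mbx.InPlaceHolds | Where-Object { $_ -notlike '-*' })
    $orgHolds      = @($org.InPlaceHolds | Where-Object { $_ -notlike '-*' -and $_ -notin $excluded })

    $retained = [bool](
        $mbx.LitigationHoldEnabled -or
        $mbx.DelayHoldApplied -or
        $mbx.DelayReleaseHoldApplied -or
        $mailboxHolds.Count -gt 0 -or
        $orgHolds.Count -gt 0 -or
        $mbx.SingleItemRecoveryEnabled
    )

    [pscustomobject]@{
        Mailbox                   = $mbx.PrimarySmtpAddress
        LitigationHoldEnabled     = $mbx.LitigationHoldEnabled
        RetentionHoldEnabled      = $mbx.RetentionHoldEnabled
        DelayHoldApplied          = $mbx.DelayHoldApplied
        DelayReleaseHoldApplied   = $mbx.DelayReleaseHoldApplied
        SingleItemRecoveryEnabled = $mbx.SingleItemRecoveryEnabled
        RetainDeletedItemsFor     = $mbx.RetainDeletedItemsFor
        MailboxInPlaceHolds       = $mailboxHolds
        TenantPoliciesApplying    = $orgHolds
        TenantPoliciesExcluded    = $excluded
        PurgedItemsWillBeRetained = $retained
    }
}

# Illustrative address. PurgedItemsWillBeRetained = True means purged items sit in
# Recoverable Items until the hold or retention period ends (see the FAQ above).
Get-PurgeBlockers -Identity user@contoso.com | Format-List
```

When PurgedItemsWillBeRetained is True, the article's guidance applies: prefer Priority Cleanup for items under hold, or release the hold (and, for repeated purges, disable single item recovery and run the Managed Folder Assistant) before purging again.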