Exchange Online Search and Purge with PowerShell and Threat Explorer


Hi All,

In this article I'll show you how to "Search and Purge" emails in Exchange Online.

With Compliance Search you can search for mails and purge them afterwards (SoftDelete or HardDelete). That is the typical response to a phishing or spam incident. A search that you use for purging can cover a maximum of 50,000 mailboxes, and a single purge action removes at most 10 items per mailbox; if a mailbox holds more matches you have to run the search and the purge again.

A new compliance search creates an alert by default (the built-in "eDiscovery search started or exported" alert policy).

First of all you need the correct permissions: https://security.microsoft.com/permissions, select "Email & collaboration roles".

I have created a custom role group with the following roles and assigned it to Max Muster:

  • Preview
  • Search And Purge
  • Compliance Search

Let’s assume we search for this Mail

Max Muster can now connect to Security & Compliance PowerShell with the ExchangeOnlineManagement PowerShell module.

Connect-IPPSSession                  # Connect to Security & Compliance PowerShell
Get-Module                           # The session is loaded as a temporary module (tmp_xxxx.xxx)
Get-Command -Module *tmpxxxx.xxx*    # List the cmdlets that the temporary module provides

Now he can create a compliance search with a Keyword Query Language (KQL) query: https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference

# General form: the query is passed as a KQL string
New-ComplianceSearch -ContentMatchQuery <KQL Query>
# Search all mailboxes for mails from the phishing sender with the subject "Spende"
New-ComplianceSearch -Name "ComplianceSearchDemo" -Description "BOA: ComplianceSearchDemo" -ExchangeLocation All -ContentMatchQuery "(From:zainabyusuf128@gmail.com) AND (Subject:'Spende')"

A Compliance Search raises an Alert

Now you need to start the compliance search; New-ComplianceSearch only creates it.

Get-ComplianceSearch -Identity ComplianceSearchDemo      # Status is NotStarted
Start-ComplianceSearch -Identity ComplianceSearchDemo    # Run the search
Get-ComplianceSearch -Identity ComplianceSearchDemo      # Status changes to Starting / InProgress

Check whether the compliance search has the status "Completed", then look at the details.

Get-ComplianceSearch -Identity ComplianceSearchDemo
Get-ComplianceSearch -Identity ComplianceSearchDemo | Format-List    # fl is the alias for Format-List

The output shows how many items were found (Items) and in which mailboxes they were found (SuccessResults).

The content search can also be viewed or created in the Microsoft Purview portal.

If you have the "Preview" role you can view samples of the matched messages.

This is useful to check that you have matched the correct emails and not mails that should not be there.

If the sample contains mails that do not belong to the incident, refine your search query first.

Now we can define the action for this search. SoftDelete moves the items to the Deletions folder of Recoverable Items, where the user can still restore them; HardDelete moves them to the Purges folder, which the user cannot see. Mailboxes on hold keep the items in either case until the hold is released.

#Purge to Recoverable Items for the User (the User can still restore the Mail)
New-ComplianceSearchAction -SearchName "ComplianceSearchDemo" -Purge -PurgeType SoftDelete

#Purge to the Exchange Dumpster (Purges folder, not visible to the User)
New-ComplianceSearchAction -SearchName "ComplianceSearchDemo" -Purge -PurgeType HardDelete

#The purge action is named <SearchName>_Purge; Status shows when it has completed
Get-ComplianceSearchAction -Identity ComplianceSearchDemo_Purge
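The whole procedure from creating the search to cleaning it up again, as one script. This is an added example and not code from the original post: the search name, the sender address, the date filter in the query, the account name max.muster@contoso.com, the 500-item safety limit and the 30-minute timeouts are assumptions for the demo, and the regex that parses SuccessResults relies on the "Location: <mailbox>, Item count: <n>, Total size: <bytes>" text format that the cmdlet returns today.

```powershell
# Added example (not from the original post): Search and Purge end to end with the
# ExchangeOnlineManagement module. Names, addresses and limits are assumptions.
Import-Module ExchangeOnlineManagement

$SearchName = "ComplianceSearchDemo"
$Query      = "(From:zainabyusuf128@gmail.com) AND (Subject:'Spende') AND (Received>=2023-01-01)"
$MaxHits    = 500           # assumed safety limit: refuse to purge a search that matches more items
$PurgeType  = "SoftDelete"  # SoftDelete keeps the mail recoverable for the user, HardDelete does not

# Connect to Security & Compliance PowerShell as the account that holds the
# Compliance Search, Search And Purge and Preview roles
Connect-IPPSSession -UserPrincipalName "max.muster@contoso.com"

# 1. Create and start the search across all mailboxes
New-ComplianceSearch -Name $SearchName -Description "Phishing: Spende" `
    -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# 2. Wait until the search reaches a final state (Completed / PartiallySucceeded / Failed)
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $SearchName
    Write-Host ("{0}: status {1}, {2} item(s)" -f (Get-Date -Format "HH:mm:ss"), $search.Status, $search.Items)
} until ($search.Status -in @("Completed", "PartiallySucceeded", "Failed") -or (Get-Date) -gt $deadline)

if ($search.Status -ne "Completed") {
    throw "Search '$SearchName' ended with status '$($search.Status)': $($search.Errors)"
}

# 3. List the mailboxes that hold matches. SuccessResults is a text blob with one
#    "Location: <mailbox>, Item count: <n>, Total size: <bytes>" entry per mailbox
#    (format as observed; adjust the regex if your tenant returns something else)
$hits = [regex]::Matches($search.SuccessResults, 'Location:\s*(?<Mailbox>[^,]+),\s*Item count:\s*(?<Count>\d+)') |
    ForEach-Object { [pscustomobject]@{ Mailbox = $_.Groups['Mailbox'].Value; Count = [int]$_.Groups['Count'].Value } } |
    Where-Object { $_.Count -gt 0 }
$hits | Format-Table -AutoSize

# 4. Preview a sample of the matched messages before deleting anything. The preview
#    action is named <SearchName>_Preview and its Results property lists the sampled
#    items (location, sender, subject, ...) as text
New-ComplianceSearchAction -SearchName $SearchName -Preview | Out-Null
$preview = Get-ComplianceSearchAction -Identity "${SearchName}_Preview"
$preview.Results.Substring(0, [Math]::Min(2000, $preview.Results.Length))

# 5. Refuse to purge when the result looks too broad for the incident
if ($search.Items -gt $MaxHits) {
    throw "Search matched $($search.Items) items, above the limit of $MaxHits. Refine the KQL query first."
}

# 6. Purge and follow the purge action until it has finished. A purge removes at most
#    10 items per mailbox; rerun the search and the purge if a mailbox held more matches
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType $PurgeType -Confirm:$false | Out-Null
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 15
    $purge = Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
} until ($purge.Status -eq "Completed" -or (Get-Date) -gt $deadline)
$purge | Format-List Name, Status, Results

# 7. Clean up; the search and its actions otherwise stay in the tenant
Remove-ComplianceSearchAction -Identity "${SearchName}_Purge" -Confirm:$false
Remove-ComplianceSearchAction -Identity "${SearchName}_Preview" -Confirm:$false
Remove-ComplianceSearch -Identity $SearchName -Confirm:$false
Disconnect-ExchangeOnline -Confirm:$false
```

The check in step 5 is the part worth keeping in a real runbook: a sender filter alone can match legitimate mail, so the script stops and asks for a narrower query instead of purging hundreds of mailboxes on a typo. Run it once with the purge step commented out to see the preview and the per-mailbox counts first.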

I can confirm that I see this mail in my "Recover Deleted Items" in Outlook.

Sometimes it is easier to create the search in the Microsoft Purview portal.

You need to define a name.

Select the location. You can select all mailboxes or include or exclude specific mailboxes.

With the conditions you can build your search.

This is the search I've created.

If you select "KQL editor" you see the KQL query that corresponds to the conditions you just built in the GUI.

Over time you will understand the KQL syntax and no longer need the GUI.

Summary

The search is created and submitted. A search created in the GUI is started automatically.

The compliance searches stay in the tenant. You need to delete them in the GUI or with PowerShell (the actions first, then the search):

Remove-ComplianceSearchAction -Identity ComplianceSearchDemo_Purge
Remove-ComplianceSearch -Identity ComplianceSearchDemo

Search and Purge with Threat Explorer

If you are an Exchange administrator and have the Email & collaboration roles

  • Search And Purge
  • Compliance Search

you will also be able to search and purge with Threat Explorer.

Search in Threat Explorer.

Select the items you want to remove from the result table at the bottom.

Then select "Message actions" and "Soft delete".

Now you have to go through the wizard.

Select a severity. I think that this is a low severity.

After a few minutes you can see the action in the Action center.

See the details if you select one action.

Mail has been SoftDeleted - Remediation complete

Regards
Andres Bohren