Search Content in Microsoft Purview
Use Case: If an email was sent in error or a malicious email has been sent to a large number of recipients, you can find and remove that data using Microsoft 365 Security and Compliance PowerShell.
When
First, connect to Microsoft 365 Exchange Online
Create the search
New-ComplianceSearch -Name "An Email Search" -ExchangeLocation All -ContentMatchQuery 'From:externalsender@example.com'
Refine the search
This example has a date range and subject specified in the query.
New-ComplianceSearch -Name "An Email Search" -ExchangeLocation All -ContentMatchQuery '(Received:M/DD/YYYY..M/DD/YYYY) AND (Subject:"An email not to be seen")'
This example searches specific folders in a specific mailbox.
New-ComplianceSearch -Name "An Email Search" -ExchangeLocation recipient@example.com -ContentMatchQuery "((folderid:3B927126EF666C45810642B802ECCF370000000001410000) and (folderid:3B927126EF666C45810642B802ECCF370000000001610000) and (folderid:3B927126EF666C45810642B802ECCF370000000001630000))"
Start the search; after you create a new compliance search, it does not run automatically, you will have to start it.
Start-ComplianceSearch -Identity "An Email Search"
Perform an action on the search results. Once you have the results, do something with them; the command below creates a purge action on the search.
New-ComplianceSearchAction -SearchName "An Email Search" -Purge -PurgeType SoftDelete
Running the commands with variables enables you to create the search and then start it.
The search is looking for an email from user@example.com, with the subject "An email subject", that was received between two specified dates.
$Search = New-ComplianceSearch -Name "Remove an email" -ExchangeLocation All -ContentMatchQuery '(From:user@example.com) AND (Subject:"An email subject") AND (Received:M/DD/YYYY..M/DD/YYYY)'
Start-ComplianceSearch -Identity $Search.Identity
To delete the results of the above search, run:
New-ComplianceSearchAction -SearchName "Remove an email" -Purge -PurgeType SoftDelete
SoftDelete removes the email, but it is still recoverable. HardDelete removes the email and it is not recoverable. It does not move it to the recipient's Deleted Items folder.
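The whole procedure above, create, start, wait, check and purge, as one script; this is an added example, not code from the original page, and it assumes an existing Security & Compliance PowerShell session (Connect-IPPSSession) with the search-and-purge role, placeholder sender, subject and dates, and a hit-count sanity threshold that is an assumption you would tune yourself.

```powershell
# Added example (not from the original page). Assumes Connect-IPPSSession has already
# been run with an account that holds the Search And Purge role.
$Name  = "Remove an email"
$Query = '(From:user@example.com) AND (Subject:"An email subject") AND (Received:M/DD/YYYY..M/DD/YYYY)'

# 1. Create the search. Nothing runs until it is explicitly started.
$Search = New-ComplianceSearch -Name $Name -ExchangeLocation All -ContentMatchQuery $Query
Start-ComplianceSearch -Identity $Search.Identity

# 2. Poll until the search finishes. New-ComplianceSearchAction on a search that is
#    still running has nothing to act on, so wait for Status to settle.
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $Name
} while ($Search.Status -notin @('Completed', 'Failed'))

if ($Search.Status -ne 'Completed') {
    throw "Search '$Name' ended with status $($Search.Status); not purging."
}

# 3. Sanity-check the hit count before touching any mailbox. A query that is too
#    broad (a mistyped sender or an open date range) shows up here as an
#    unexpectedly large number. The 100 threshold is an assumed value, not a limit.
Write-Host "Search '$Name' matched $($Search.Items) item(s)."
if ($Search.Items -eq 0) {
    Write-Host "Nothing to purge."
    return
}
if ($Search.Items -gt 100) {
    throw "Hit count looks too broad for a targeted removal; review the query first."
}

# 4. Purge with SoftDelete so the items stay recoverable. Note that a purge action
#    removes at most 10 items per mailbox per run, so large incidents need repeats.
New-ComplianceSearchAction -SearchName $Name -Purge -PurgeType SoftDelete -Confirm:$false

# 5. Record the outcome for the incident ticket. The action is named "<search>_Purge".
Get-ComplianceSearchAction -Identity "${Name}_Purge" | Select-Object Name, Status, Results
```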