Search Content in Microsoft Purview
Use case: If an email was sent in error, or a malicious email was sent to a large number of recipients, you can find and remove it using Microsoft 365 Security and Compliance PowerShell.
First, connect to Microsoft 365 Exchange Online.
Create the search
New-ComplianceSearch -Name "An Email Search" -ExchangeLocation All -ContentMatchQuery 'From:externalsender@example.com'
Refine the search
This example has a date range and subject specified in the query.
New-ComplianceSearch -Name "An Email Search" -ExchangeLocation All -ContentMatchQuery '(Received:M/DD/YYYY..M/DD/YYYY) AND (Subject:"An email not to be seen")'
This example searches specific folders in a specific mailbox.
New-ComplianceSearch -Name "An Email Search" -ExchangeLocation recipient@example.com -ContentMatchQuery "((folderid:3B927126EF666C45810642B802ECCF370000000001410000) OR (folderid:3B927126EF666C45810642B802ECCF370000000001610000) OR (folderid:3B927126EF666C45810642B802ECCF370000000001630000))"
Start the search. Creating a search does not run it; you have to start it.
Start-ComplianceSearch -Identity "An Email Search"
Perform an action on the results. Once the search has returned results, act on them.
New-ComplianceSearchAction -SearchName "An Email Search" -Purge -PurgeType SoftDelete
Storing the result of the command in a variable lets you create the search and then start it.
$Search=New-ComplianceSearch -Name "Remove an email" -ExchangeLocation All -ContentMatchQuery '(From:sender@example.com) AND (Subject:"An email subject") AND (Received:M/DD/YYYY..M/DD/YYYY)'
Start-ComplianceSearch -Identity $Search.Identity
SoftDelete removes the email, but it is still recoverable.
HardDelete removes the email and it is not recoverable. It does not move it to the recipient's Deleted Items folder.
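The steps above combined into one script, as an added example that is not part of the original page: it waits for the search to complete and checks the match count before purging, so an overly broad query does not remove legitimate mail. It assumes the session is already connected as in the first step; the sender, subject, dates, the $MaxItems ceiling and the Wait-Completed helper are constructed for illustration.

```powershell
# Added example. All query values below are constructed placeholders.
$SearchName = "Remove an email"
$Query      = '(From:sender@example.com) AND (Subject:"An email subject") AND (Received:1/15/2024..1/16/2024)'
$MaxItems   = 500    # hypothetical safety ceiling; tune to the expected blast radius

# Hypothetical helper: poll a status-returning script block until 'Completed' or timeout.
function Wait-Completed {
    param([scriptblock]$GetObject, [int]$TimeoutSeconds = 1800, [int]$PollSeconds = 15)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds $PollSeconds
        $obj = & $GetObject
        if ($obj.Status -eq 'Completed') { return $obj }
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for completion (last status: $($obj.Status))."
}

# Create and start the search, as on the page.
$Search = New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query
Start-ComplianceSearch -Identity $Search.Identity

# The search runs asynchronously; wait for it before reading the results.
$Result = Wait-Completed { Get-ComplianceSearch -Identity $SearchName }
Write-Host "Search '$SearchName' matched $($Result.Items) item(s)."

# Refuse to purge when nothing matched or when the query is clearly too broad.
if ($Result.Items -eq 0) {
    Write-Warning "No items matched; nothing to purge."
    return
}
if ($Result.Items -gt $MaxItems) {
    Write-Warning "Matched more than $MaxItems items; refine the query before purging."
    return
}

# SoftDelete keeps the messages recoverable if the query turns out to be wrong.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false

# The purge action is named "<search name>_Purge"; wait for it and show the outcome.
$Action = Wait-Completed { Get-ComplianceSearchAction -Identity "${SearchName}_Purge" }
$Action | Format-List Name, Status, Results
```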