Exchange Online Search and Purge with PowerShell and Threat Explorer
Hi All,
In this article I'll show you how to "Search and Purge" emails in Exchange Online.
With Compliance Search you can search for mails and purge them afterwards (SoftDelete or HardDelete). This is the typical workflow for phishing or spam incidents.
A search used for a purge can cover a maximum of 50’000 mailboxes, and a purge action removes at most 10 items per mailbox at a time (run the action again if a mailbox holds more hits).
A new Compliance Search will create an Alert by default.
First of all you need the correct permissions: https://security.microsoft.com/permissions
Select "Email & collaboration Roles"
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_00.jpg)
I've created a custom role group with the following roles and assigned it to Max Muster:
- Preview
- Search And Purge
- Compliance Search
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_01.jpg)
Let's assume we are searching for this mail:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_02.jpg)
Max Muster can now connect to the Security & Compliance part of the ExchangeOnlineManagement PowerShell module:
Connect-IPPSSession
Get-Module
Get-Command -Module <tmpxxxx.xxx>
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_03.jpg)
Now he can start a Compliance Search using Keyword Query Language (KQL) in the -ContentMatchQuery parameter:
https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference
New-ComplianceSearch -ContentMatchQuery <KQL Query>
New-ComplianceSearch -Name "ComplianceSearchDemo" -Description "BOA: ComplianceSearchDemo" -ExchangeLocation All -ContentMatchQuery "(From:zainabyusuf128@gmail.com) AND (Subject:'Spende')"
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_04.jpg)
Creating the Compliance Search raises an alert:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_05.jpg)
Now you need to start the Compliance Search (creating it does not run it):
Get-ComplianceSearch -Identity <Name>
Start-ComplianceSearch -Identity <Name>
Get-ComplianceSearch -Identity <Name>
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_06.jpg)
Check that the Compliance Search has reached the status "Completed", then look at the details:
Get-ComplianceSearch -Identity <Name>
Get-ComplianceSearch -Identity <Name> | fl
You see how many items were found and in which mailboxes they were found (SuccessResults):
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_07.jpg)
The Content Search can be viewed or created in the Microsoft Purview Portal https://compliance.microsoft.com/contentsearchv2?viewid=search
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_08.jpg)
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_09.jpg)
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_10.jpg)
If you have the "Preview" role you can view samples of the matched items.
This is useful to check that you matched the correct emails and not mails that should not be purged.
If the sample contains wrong hits, refine your search query before taking any action.
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_11.jpg)
Now we can define the Action for this Search
# SoftDelete: the item moves to Recoverable Items\Deletions, the user can restore it via "Recover Deleted Items"
New-ComplianceSearchAction -SearchName "ComplianceSearchDemo" -Purge -PurgeType SoftDelete
# HardDelete: the item moves to Recoverable Items\Purges (the Exchange dumpster) and is no longer visible to the user
#New-ComplianceSearchAction -SearchName "ComplianceSearchDemo" -Purge -PurgeType HardDelete
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_12.jpg)
Get-ComplianceSearchAction
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_13.jpg)
I can confirm that I see this mail in my "Recover Deleted Items" in Outlook:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_14.jpg)
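The steps above (create, start, wait, inspect, purge, verify) as one script. This is an added example, not code from the article; it assumes Connect-IPPSSession has already been run by an account holding the Compliance Search, Preview and Search And Purge roles, and it uses the search name and query from above. The thresholds and the parsing of SuccessResults are my assumptions.

```powershell
# Added example: end-to-end Search and Purge with polling and sanity checks.
# Assumes an existing Connect-IPPSSession. Search name and query are the ones used in this article.
$SearchName = "ComplianceSearchDemo"
$Query      = "(From:zainabyusuf128@gmail.com) AND (Subject:'Spende')"

# 1. Create the search (this alone raises the default eDiscovery alert)
$null = New-ComplianceSearch -Name $SearchName -Description "BOA: $SearchName" `
    -ExchangeLocation All -ContentMatchQuery $Query

# 2. Start it and wait until it has finished (creating a search does not run it)
Start-ComplianceSearch -Identity $SearchName
do {
    Start-Sleep -Seconds 10
    $Search = Get-ComplianceSearch -Identity $SearchName
    Write-Host ("Search status: {0}" -f $Search.Status)
} while ($Search.Status -ne "Completed")

# 3. Inspect hit count and per-mailbox results before purging anything
Write-Host ("Items: {0}  Size: {1} bytes" -f $Search.Items, $Search.Size)
# Assumption: SuccessResults is one "Location: <mailbox>, Item count: <n>, Total size: <bytes>"
# entry per mailbox; keep only mailboxes with at least one hit
$Hits = $Search.SuccessResults -split '\r?\n|;' | Where-Object { $_ -match 'Item count: [1-9]\d*' }
$Hits | ForEach-Object { Write-Host $_.Trim() }

# Guards (assumed thresholds): nothing to do, or the query is too broad to purge blindly
if ($Search.Items -eq 0)   { throw "No items matched, nothing to purge." }
if ($Search.Items -gt 100) { throw "Unexpectedly many hits ($($Search.Items)); refine the query before purging." }

# 4. Purge. SoftDelete keeps the item recoverable for the user; use HardDelete if it must not be.
#    A purge removes at most 10 items per mailbox, so rerun the action for mailboxes with more hits.
$null = New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false

# 5. The action is named <SearchName>_Purge; wait for it and show the outcome
do {
    Start-Sleep -Seconds 10
    $Action = Get-ComplianceSearchAction -Identity "$($SearchName)_Purge"
    Write-Host ("Action status: {0}" -f $Action.Status)
} while ($Action.Status -ne "Completed")
$Action | Format-List Name, Status, Results
```

The two guards are the point of scripting this: a purge acts on every mailbox in scope, so a query that suddenly matches hundreds of items should stop the script rather than run the action.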
Sometimes it's easier to create the search in the Microsoft Purview Portal https://compliance.microsoft.com/contentsearchv2?viewid=search
You need to define a name:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_15.jpg)
Select the location. You can select all mailboxes, or include or exclude specific mailboxes:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_16.jpg)
With the conditions you can build your search:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_17.jpg)
This is the search I've created:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_18.jpg)
If you select "KQL Editor" you see the KQL query behind the conditions you just built in the GUI.
Over time you will get used to the KQL syntax and no longer need the GUI.
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_19.jpg)
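A hand-written KQL query for a realistic phishing campaign, as an added example that is not from the article. It assumes an existing Connect-IPPSSession; the second sender address, the date window and the search name are constructed for illustration. The last line reads back the query the GUI stored for the "ComplianceSearchDemo" search above, which is a quick way to learn the syntax.

```powershell
# Added example: compose a narrower KQL query (several senders, subject, date window, attachment)
# and create a search with it. Second sender address, dates and search name are constructed.
$Senders = @("zainabyusuf128@gmail.com", "donations-office@example.net")
$Subject = "Spende"
$Start   = "2023-02-01"   # assumed campaign window
$End     = "2023-02-28"

# OR the senders inside one group, AND the remaining conditions.
# Received takes ISO dates; HasAttachment:true restricts the hits to mails carrying a file.
$SenderClause = ($Senders | ForEach-Object { 'From:"{0}"' -f $_ }) -join " OR "
$Query = '({0}) AND (Subject:"{1}") AND (Received>={2} AND Received<={3}) AND (HasAttachment:true)' -f `
    $SenderClause, $Subject, $Start, $End
Write-Host $Query

# Create and start the search with the composed query, Exchange mailboxes only
$null = New-ComplianceSearch -Name "PhishCampaign-Feb2023" -ExchangeLocation All -ContentMatchQuery $Query
Start-ComplianceSearch -Identity "PhishCampaign-Feb2023"

# A search built in the Purview GUI stores the same kind of KQL; read it back to compare
Get-ComplianceSearch -Identity "ComplianceSearchDemo" | Select-Object Name, ContentMatchQuery
```

Quoting the sender addresses and the subject avoids surprises with characters such as dots and dashes, and the date window keeps an incident search from pulling in unrelated older mail from the same sender.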
Summary
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_20.jpg)
The search is created and submitted. A search created in the GUI is started automatically.
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_21.jpg)
The Compliance Searches and their purge actions stay there afterwards. You need to delete them in the GUI or with PowerShell: Remove-ComplianceSearchAction -Identity <Name>_Purge removes the purge action, and the search itself is removed with Remove-ComplianceSearch -Identity <Name>.
Search and Purge with Threat Explorer
Threat Explorer is part of Microsoft Defender for Office 365 (Plan 2), see the security product overview:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_22.jpg)
If you are an Exchange administrator and hold the Email & Collaboration roles
- Search And Purge
- Compliance Search
you will also be able to Search and Purge with Threat Explorer:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_23.jpg)
Search in Threat Explorer and select the items you want to remove in the result table at the bottom:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_24.jpg)
Then select "Message actions" and "Soft delete"
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_25.jpg)
Now you have to go through the wizard:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_26.jpg)
Select a severity. I think this one is low severity:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_27.jpg)
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_28.jpg)
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_29.jpg)
After a few minutes you can see the action in the Action center:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_30.jpg)
Select an action to see its details:
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_31.jpg)
The mail has been soft deleted: remediation complete.
![](https://icewolffile.blob.core.windows.net/$web/202302/EXO_ComplianceSearch_32.jpg)
Regards
Andres Bohren
![](https://icewolffile.blob.core.windows.net/$web/logos/Exchange_logo.png)