Let’s say you’re testing something. I don’t know…hyperlinking from plaintext emails generated by ADManager Plus, for instance.
And let’s say while you’re doing that, you accidentally send a test email to everyone at your largest client. That sucks!
So here’s how you can search for and purge emails from PowerShell. Try to do this as quickly as you can, because you absolutely do not want to explain to 400 end users why they just got some random internal email when the VP of IT has been pushing some poorly-designed anti-phishing training on everyone.
Connect to Exchange Online, then the Security & Compliance environment:
Connect-ExchangeOnline -UserPrincipalName push@push.blue -ShowProgress $true
Connect-IPPSSession -UserPrincipalName push@push.blue
Create a new compliance search, being as specific as possible:
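# The query stays on one line: a backtick inside the single-quoted string is taken literally, not as a line continuation.
New-ComplianceSearch -Name "Remove Test Message" -ExchangeLocation all `
-ContentMatchQuery '(from:push@push.blue) AND (kind:email) AND (Received:8/02/2022..8/03/2022) AND (subject:"Test")'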
Name                RunBy JobEndTime Status
----                ----- ---------- ------
Remove Test Message                  NotStarted
Start your search, and frantically check on its progress:
Start-ComplianceSearch -Identity "Remove Test Message"
Get-ComplianceSearch -Identity "Remove Test Message"
Name                RunBy     JobEndTime Status
----                -----     ---------- ------
Remove Test Message push.blue            Starting
(If you want a WHOLE lot of details about what it’s doing, run this:)
Get-ComplianceSearch -Identity "Remove Test Message" | fl
At some point during your panic attack, the search will finish:
Get-ComplianceSearch -Identity "Remove Test Message"
Name                RunBy     JobEndTime           Status
----                -----     ----------           ------
Remove Test Message push.blue 8/2/2022 11:06:03 PM Completed
Now the fun part (once you’ve confirmed that only your test email was in the results): purge everything the search found!
New-ComplianceSearchAction -SearchName "Remove Test Message" `
-Purge -PurgeType SoftDelete
Confirm
Are you sure you want to perform this action?
This operation will make message items meeting the criteria of the compliance search "Remove Test Message" completely
inaccessible to users. There is no automatic method to undo the removal of these message items.
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
Name                      SearchName          Action RunBy     JobEndTime Status
----                      ----------          ------ -----     ---------- ------
Remove Test Message_Purge Remove Test Message Purge  push.blue            Starting
Eventually, once the adrenaline has subsided, your purge will be complete:
Get-ComplianceSearchAction -Identity "Remove Test Message_Purge"
Name                      SearchName          Action RunBy     JobEndTime           Status
----                      ----------          ------ -----     ----------           ------
Remove Test Message_Purge Remove Test Message Purge  push.blue 8/2/2022 11:12:48 PM Completed
Don’t do that again.
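The "confirm that only your test email was in the results" step above can be scripted so the purge only runs when the numbers look right. This is an added example, not part of the original post; the 400-item ceiling and the per-mailbox line format of SuccessResults are assumptions.

```powershell
# Added example: gate the purge on what the search actually matched.
# Assumes Connect-IPPSSession has already been run, as earlier on this page.
$SearchName  = 'Remove Test Message'
$ExpectedMax = 400   # assumption: rough upper bound on copies of the stray email

# Wait for the search to finish, but give up after 30 minutes.
$deadline = (Get-Date).AddMinutes(30)
while (($search = Get-ComplianceSearch -Identity $SearchName).Status -ne 'Completed') {
    if ((Get-Date) -gt $deadline) { throw "Search still '$($search.Status)' after 30 minutes." }
    Write-Host "Search status: $($search.Status)"
    Start-Sleep -Seconds 15
}

# SuccessResults is one text blob; each mailbox is assumed to appear as
# "Location: <address>, Item count: <n>, Total size: <bytes>".
$hits = @(foreach ($line in ($search.SuccessResults -split '\r?\n')) {
    if ($line -match 'Location:\s*(?<mbx>[^,]+),.*?Item count:\s*(?<n>\d+)') {
        if ([int]$Matches['n'] -gt 0) {
            [pscustomobject]@{ Mailbox = $Matches['mbx'].Trim(); Items = [int]$Matches['n'] }
        }
    }
})
$hits | Sort-Object Items -Descending | Format-Table -AutoSize | Out-Host

$total = [int]$search.Items
Write-Host "Total items: $total across $($hits.Count) mailboxes"

# Stop on results that cannot be "one test email per recipient".
if ($total -eq 0) { throw 'Search matched nothing; recheck the query and date range.' }
if ($total -gt $ExpectedMax) {
    throw "Matched $total items, more than the $ExpectedMax expected; narrow the query."
}

# More than one hit in a mailbox means the query also caught something else
# there (the sender's mailbox may legitimately hold the Sent Items copy).
$multi = @($hits | Where-Object { $_.Items -gt 1 })
if ($multi.Count -gt 0) {
    Write-Warning "Mailboxes with more than one match: $($multi.Mailbox -join ', ')"
    Write-Warning 'Review these before purging.'
    return
}

# Same purge as on the page; the cmdlet still asks for confirmation.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete
```

SoftDelete moves the messages to each user's Recoverable Items folder, and a purge action removes at most 10 items per mailbox per run.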