query on content search

Glenn Maxwell 10,571 Reputation points
2024-06-27T21:15:25.89+00:00

Hi all

i have a requirement to delete the below emails on 10 users mailboxes. i have those email addresses in csv file in the below format. 

EmailAddress 
user1@contoso.com  
user2@contoso.com
user3@contoso.com
user4@contoso.com

Email subject(changed) is bigger and it includes (/,). When i try to search using content search from GUI i see the this criteria. Email subject is getting split.

Search criteria (c:c)(date=2024-05-01..2024-06-15)(from=user100@contoso.com)(subject="Test Test Test Test: This is a spam/phishing email please ignore")(subject="it, Please delete the email")

my requirement is only to delete the exact email with the subject "Test Test Test Test: This is a spam/phishing email please ignore it, Please delete the email". None of the other emails should be deleted except with the exact subject. How can i import from csv file and delete the emails. will the below syntax work for me.

 $Search=New-ComplianceSearch -Name "Deleteemails" -ExchangeLocation "user1@contoso.com","user2@contoso.com","user3@contoso.com","user4@contoso.com" -ContentMatchQuey '(Received:05/01/2024 00:00..06/15/2024 23:59) AND (Subject:"Test Test Test Test: This is a spam/phishing email please ignore it, Please delete the email") AND (from:"user100@contoso.com")'

Start-ComplianceSearch -Identity $Search.Identity
New-ComplianceSearchAction -SearchName "Deleteemails" -Purge -PurgeType SoftDelete -force

Once search is completed how can i know what emails did it pulled before deleting those mails. experts guide me.
Microsoft Exchange Online
Exchange Server
Exchange Server
A family of Microsoft client/server messaging and collaboration software.
1,159 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,332 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,454 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
1,965 questions
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vasil Michev 98,946 Reputation points MVP
    2024-06-28T06:26:45.5733333+00:00

    While there are some issues with special characters support in eDiscovery (see for example https://video2.skills-academy.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions#special-characters), the PowerShell cmdlet you are using should work fine.

    Once the search completes, you can review the results within the Compliance center, before doing the deletion. Alternatively, you can export the results, or just the report, in order to review the messages. You cannot do this part purely with PowerShell if that's what you are asking.

    0 comments
  2. Bruce Jing-MSFT 1,995 Reputation points Microsoft Vendor
    2024-06-28T07:02:47.1333333+00:00

    Hi,@Glenn Maxwell

    Thanks for posting your question in the Microsoft Q&A forum.

    The command you provided looks generally correct, but there are a few things you might want to note:

    -ContentMatchQuey appears to be -ContentMatchQuery, there is a typo.

    As Vasil Michev mentioned, certain special characters are not included in the search index and are therefore not searchable.

    According to your request, I conducted the test:

    1. I created a CSV file.

    User's image

    2. Send an email to members with the subject line "Test Test Test Test: This is a spam/phishing email please ignore it, Please delete the email".

    User's image

    3. Connect to your organization's Security and Compliance PowerShell.

    User's image

    4. Import a CSV file and define search names and subjects.

    $users = Import-Csv -Path "C:\Users\brucejing\Documents\test2.csv"

    $searchName = "DeleteSpecificEmailSearch1"

    $subject = "Test Test Test Test: This is a spam/phishing email please ignore it, Please delete the email"

    $searchQuery = "subject:"$($subject)""

    User's image

    5. Create a new search item.

    New-ComplianceSearch -Name $searchName -ExchangeLocation $users.EmailAddress -ContentMatchQuery $searchQuery

    User's image

    6. Start your search.

    Start-ComplianceSearch -Identity $searchName

    User's image

    7. If you want to view the searched emails, you can view them in Microsoft Purview->content.

    User's image

    User's image

    8. Delete the searched emails.

    New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete

    User's image

    9. After waiting for a while, you will find that the test email has been deleted. The person whose information is deleted will receive an email alerting them.

    User's image

    If my answer is helpful to you, please mark it as the answer so that other users can refer to it. Thank you for your support and understanding.

    0 comments
  3. Glenn Maxwell 10,571 Reputation points
    2024-06-28T13:02:31.8066667+00:00

    is the below syntax correct? i am adding Received and from

    $users = Import-Csv -Path "C:\Users\brucejing\Documents\test2.csv"

$searchName = "DeleteSpecificEmailSearch1"

$subject = "Test Test Test Test: This is a spam/phishing email please ignore it, Please delete the email"

$searchQuery = "subject:"$($subject)""

New-ComplianceSearch -Name $searchName -ExchangeLocation $users.EmailAddress -ContentMatchQuery $searchQuery AND (Received:05/01/2024 00:00..06/15/2024 23:59) AND (from:"user100@contoso.com")
    0 comments
  4. Bruce Jing-MSFT 1,995 Reputation points Microsoft Vendor
    2024-07-01T06:31:36.4033333+00:00

    Hi,@Glenn Maxwell

    I'm glad to hear from you.

    According to the command you provided, there is no error overall, but there is a problem with the date format.

    This is the cmdlet after I optimized it. I ran the command and it worked without any problems.

    $searchName = "DeleteSpecificEmailSearch5"

    $subject = "Test Test Test Test: This is a spam/phishing email please ignore it, Please delete the email"

    $searchQuery = "subject:"$subject" AND (Received:2024-06-29-00:00..2024-07-01-23:59  AND (from:" [user100@contoso.com](mailto:user100@contoso.com)")"

    New-ComplianceSearch -Name $searchName -ExchangeLocation $users.EmailAddress -ContentMatchQuery $searchQuery

    User's image

    If my answer is helpful to you, please mark it as the answer so that other users can refer to it. Thank you for your support and understanding.

    0 comments