Why Search-Mailbox Can’t Remove All Office 365 Content

Search-Mailbox – Powerful but Limited

Note: Search-Mailbox is due for deprecation on July 1, 2020. See this post for more information.

Search-Mailbox is a very powerful cmdlet. It can search user mailboxes to find and remove content, or copy content to another mailbox, or both. The usual situation when Search-Mailbox is called into use is when someone, invariably an important person (in their minds, anyway), makes a mistake and sends email when they shouldn’t have and now wants every trace of the message eradicated. Search-Mailbox can do this, but only within the boundary of a single Office 365 tenant, and only in user and shared mailboxes.

Another common scenario is when some inappropriate or malicious content is circulating in email. If you can construct search criteria to find the bad content, Search-Mailbox can track it down and erase it, again from user and shared mailboxes.

No Group Mailboxes

Search-Mailbox can’t deal with group mailboxes, so it cannot erase content posted to the Inbox of Office 365 Groups nor can it remove Teams compliance records from the Team Chat folder. Removing compliance records might seem to be a bad thing, and normally it is, but if you do this to force Teams to synchronize the deletions back to its Azure data services and so remove the bad content from channel conversations, it could be a good thing. If, that is, appropriate authorizations are sought and granted to allow deletions to proceed.

The reason why Search-Mailbox is limited to user and shared mailboxes is that it was built many years ago to run inside an Exchange on-premises environment where the only objects it might have to process were user and shared mailboxes. Apart from making sure that it can understand queries expressed in KQL-syntax, Microsoft hasn’t done much to Search-Mailbox since Exchange 2010.

Dealing with Non-Mailbox Content

Search-Mailbox cannot process documents stored in SharePoint or OneDrive for Business libraries, or sways, plans, or forms, or any of the other non-Exchange content created by users and found inside Office 365.

If you need to run a search to find information across all the Office 365 workloads, you can use a content search, which covers Exchange (including public folders), SharePoint, OneDrive, and Teams. Once you’ve found the information, you can add a purge action to the search and have it remove items. But here’s the downside – content searches can only purge 10 items at a time and can only soft-delete information. In other words, the deletions can be reversed.

Hard Deletes

Probably with good reason, Microsoft has not yet allowed content searches to hard-delete items from the workloads it supports. Perhaps this is because the same kind of backups that exist on-premises don’t exist in the cloud, and if you made a mistake and permanently removed some information, Microsoft wouldn’t be able to retrieve that information. When backups don’t exist, soft-deletion and a nice period in a recycle bin seem like a good idea.

But Search-Mailbox does hard-delete items, which is what you want to do with malware or other objectionable material in mailboxes, so it’s a powerful tool that needs to be handled with care.
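
The two removal paths described above, sketched in PowerShell as an added example (it is not from the original post or from Microsoft's documentation). The mailbox addresses, query, review mailbox and search name are constructed placeholders, and the script assumes sessions connected to both Exchange Online PowerShell and Security & Compliance PowerShell.

```powershell
# Added example. All names and the query are constructed placeholders.
$Query      = 'subject:"Quarterly bonus details" AND received:05/01/2019..05/02/2019'
$Targets    = 'kim.akers@contoso.example', 'finance.shared@contoso.example'
$ReviewMbx  = 'purge.review@contoso.example'   # hypothetical mailbox that receives the log
$SearchName = 'Purge-QuarterlyBonus'           # hypothetical content search name

# 1. Estimate first: nothing is copied or deleted.
$Hits = foreach ($Mbx in $Targets) {
    $r = Search-Mailbox -Identity $Mbx -SearchQuery $Query -EstimateResultOnly
    [pscustomobject]@{ Mailbox = $Mbx; Success = $r.Success; Items = $r.ResultItemsCount }
}
$Hits | Format-Table -AutoSize

# 2. Write a log of what would match into the review mailbox (still no deletion).
$ToClean = $Hits | Where-Object { $_.Items -gt 0 }
foreach ($Hit in $ToClean) {
    Search-Mailbox -Identity $Hit.Mailbox -SearchQuery $Query `
        -TargetMailbox $ReviewMbx -TargetFolder 'Purge-Review' -LogOnly -LogLevel Full
}

# 3. Hard-delete from user and shared mailboxes only. Without -Force the cmdlet
#    prompts for confirmation per mailbox, a useful brake on a destructive action.
foreach ($Hit in $ToClean) {
    Search-Mailbox -Identity $Hit.Mailbox -SearchQuery $Query -DeleteContent
}

# 4. Content search path: the purge is a soft-delete, so items remain recoverable.
New-ComplianceSearch -Name $SearchName -ExchangeLocation $Targets -ContentMatchQuery $Query
Start-ComplianceSearch -Identity $SearchName
while ((Get-ComplianceSearch -Identity $SearchName).Status -ne 'Completed') {
    Start-Sleep -Seconds 15
}
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete
```

Steps 1 to 3 only reach user and shared mailboxes; step 4 is the route for the same query when group mailboxes are in scope, at the cost of reversible deletions.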

For more information about Search-Mailbox, see Chapter 6 of Office 365 for IT Pros. For more information about content searches, see Chapter 20.

7 Replies to “Why Search-Mailbox Can’t Remove All Office 365 Content”

  1. Search-Mailbox -Identity "sso" -SearchQuery "subject:Test RMS" -DeleteContent

    It's not working. Here is the result:

    RunspaceId : xxxxxxxxx
    Identity : SSO Email
    TargetMailbox :
    Success : False
    TargetFolder :
    ResultItemsCount : 0
    ResultItemsSize : 0 B (0 bytes)

      1. Thanks, just got a solution with the help of Microsoft:

        The following things are required to delete a specific message from an email box:

        1. Litigation Hold and delay hold
        2. Single Item Recovery

        Disable the above and then you are all ready to go.

        As per your question, yes, the search query is working fine. Do you have any idea, if the above items are enabled, whether we can delete a specific email via “Search-Mailbox”?

        Microsoft doc (it does not mention anything about having to do this before performing the above task):

        https://docs.microsoft.com/en-us/office365/SecurityCompliance/search-for-and-delete-messagesadmin-help

        Thanks

      2. SIR and/or an in-place hold do not stop Search-Mailbox removing items. All these settings do is stop Exchange permanently removing the retained copies of deleted items from the mailbox. When a hold is in place and a deletion happens, Exchange captures a copy of the deleted item in the Recoverable Items\Purges folder and keeps it there until the hold elapses. If an item is deleted before its SIR period elapses, Exchange also keeps an item until that period elapses. I don’t know what point Microsoft Support was making…. The references they point to in the page cover a situation when someone wants to purge items completely from the mailbox in such a way that they are even removed from eDiscovery coverage.
