Recall email messages from Exchange Online with Powershell

#Exchange #Powershell

I was looking for some good documentation online on how to recall emails from user inboxes.

First, import and connect to the relevant Powershell modules and environments:

Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName XXX # Change this value to your account with Global Admin or Compliance Admin permissions

Next, create a new Compliance Search by defining your scope and query. For this example, I'm going to keep it simple by targeting all Exchange content and a subject line search:

# Change the subject line to the emails' subject line in question
New-ComplianceSearch -Name "New search" -ExchangeLocation All -ContentMatchQuery '(Subject:"Spammy email subject line")' | Start-ComplianceSearch

Depending on the size of your tenant, this may take a while, maybe a few hours. You can check the status of the search by running Get-ComplianceSearch

After the search status says 'Completed', the following command to purge and delete all instances of the email from your tenant:

New-ComplianceSearchAction -SearchName "New search" -Purge -PurgeType HardDelete

This command may take a while too, depending on the size of your tenant. You can check the status of the search action with the command Get-ComplianceSearchAction

You can see the results of these actions in the Microsoft Compliance center and a full audit log of your admin actions will be available to view through the portal.

It might be a good idea to do some spot checking before you delete all of the emails. If you want to check the content of the email before you delete, you will need to add yourself to the Role “Compliance Data Administrator” in Azure AD.

After adding the Role to your account, navigate to the Purview or Compliance admin dashboard: https://compliance.microsoft.com/

Navigate to the “Content search” section and select the Compliance Search that you saved earlier. In the popup pane, click the “Review sample” button:

Screenshot of Microsoft Purview with Content search pane opened

From this view, you can click on items on the left side of the pane and view the message on the right:

Screenshot of Microsoft Purview, Content search preview samples

By taking a second look before deleting emails, this could prevent some accidental deletions and save you some headaches.

Discuss...