Step 1: Create a Content Search to find the message to delete
To have access to the Content search page to run searches and preview and export search results you must be a member of the eDiscovery Manager role group in the Security & Compliance Center.
Go to https://protection.office.com and sign in using your email
Click Search > Content search.
On the Search page, click the arrow next to New search.
Click New search in the drop-down list.
Under Search query, specify the keywords and any other items you wish to use to narrow down your search, for example, sender, receiver and or date send etc.
Specify to search all locations
After you’ve set up your search query, click Save & run.
On the Save search page, type a name for the search, and an optional description that helps identify the search. The name of the search has to be unique in your organization.
Click Save to start the search.
After you save and run the search, any results returned by the search are displayed in the results pane. Depending on how you have the preview setting configured, the search results are display or you have to click Preview results to view them.
Step 2: Connect to Security & Compliance Center PowerShell
Open PowerShell and run the following command.
$UserCredential = Get-Credential
In the Windows PowerShell Credential Request dialog box, type your username and password, and then click OK.
Run the following command
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
If you’re behind a proxy server, run this command first:
$ProxyOptions = New-PSSessionOption -ProxyAccessType <Value>, where the ProxyAccessType value is
AutoDetect. Then, add the following parameter and value to the end of the $Session = … command:
Run the following command:
Import-PSSession $Session -DisableNameChecking
Be sure to disconnect the remote PowerShell session when you’re finished.
Step 3: Delete the message
The command below soft-deletes (to the recycle bin) the search results returned by a Content Search named “Remove Phishing Message”.
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete
To hard-delete the items returned by the “Remove Phishing Message” content search, you would run this command.
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete
When you run the previous command to soft- or hard-delete messages, the search specified by the SearchName parameter is the Content Search that you created in Step 1.