[Update]: This blog post was originally published on November 28, 2016. It has been updated to reflect the changes to the Search-Mailbox cmdlet introduced in Exchange Online.
Applies to: Exchange Online, Exchange 2019, Exchange 2016, Exchange 2013, Exchange 2010
In this article, I’ll show you how to use it search mailbox PowerShell cmdlet along with the -Delete content Switch to deleting emails (and other item types) from multiple mailboxes in Microsoft Exchange Online as well as on-premises Exchange.
note: In Exchange Online, the cmdlet will no longer be officially supported after July 1, 2020. The alternative to this very useful cmdlet is to use *ComplianceSearch cmdlets. While the compliance search is helpful and doesn’t give you a “no longer supported” warning, it’s less convenient to use and was never intended for bulk content deletion. Compliance search cmdlets can only delete 10 items at a time (compared to 10,000 offered by Search-Mailbox). Learn how to use the new version of Search-Mailbox to search and delete mailbox content in Exchange Online, Exchange 2016, and Exchange 2019
While I can’t recommend a solution that’s retiring, as of February 2022, Search-Mailbox is still working wonders. It’s quick, easy, and can easily delete items in bulk. If you don’t mind using solutions that may no longer work, Search-Mailbox can still be of use to you.
I will discuss those too -Search query -Parameters for managing item scopes and targeting specific content.
contents
Required Permissions
The minimum permissions required to perform searches and deletes are:
You can assign them via Exchange Admin Center, Permissions, administrator roles (Exchange 2010: ECP, Roles & Auditing, Administrator Roles).
- mailbox search is part of the Discovery Management role by default.
- Mailbox Import Export is not Part of one of the default role groups, so you either have to add it to e.g. B. Add to discovery management or create a custom role group for mailbox search and mailbox import/export.
To assign the roles to a user directly from PowerShell, run:
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "<user name or alias>"
New-ManagementRoleAssignment -Role "Mailbox Search" -User "<user name or alias>"
After assigning permissions, restart the PowerShell console. Otherwise, Search-Mailbox is not available to you.
Learn more about role-based access control
Learn how to remotely connect to Office 365 using PowerShell
Find and delete content from a mailbox
Before we discuss deleting items from multiple mailboxes, let’s take a look at a very basic one search mailbox Command that allows you to delete all content from a single mailbox:
Search-Mailbox -Identity "<User's Name, Alias, DN, GUID, SMTP email or UPN>" -DeleteContent
Tip 1: To skip the confirmation prompt, use the -Force switch. Otherwise, PowerShell will prompt you to confirm that you want to delete mailbox content:
Tip 2: To check how much data you will delete, first run the search mailbox command with the – EstimateResultOnly switch first instead of using -DeleteContent immediately (you can have the same information sent to a selected mailbox by using the -LogOnly switch, but remember that you must specify a target mailbox and folder for this).
Limiting the scope of deleted items
You can use these parameters to limit the scope of the search and delete operation:
-Search query
In Exchange 2010, 2013 and 2016 The range of element properties that can be queried and operations that you can perform on them is quite wide.
You can use any of the properties listed in this article and the operations you can perform on them are kindly provided KQL (Keyword Query Language). Concrete examples of queries in section below.
Note: Exchange 2010 uses a query language that is slightly less agile. Find out more in this Microsoft documentation.
-SearchDumpster
By default, a mailbox’s Recoverable Items folder is searched. To rule it out, add -SearchDumpster:$false
to your script.
-DoNotIncludeArchive
Excludes the archive of a specific mailbox (switch).
-SearchDumpsterOnly
Restricts the search and deletion to the Recoverable Items folder of a specific mailbox (switch).
Examples of conditional queries
The following section contains excerpts of scripts targeting article types that I think are the most useful. If you would like to see an addition to this list, please let me know in the comments.
Delete emails with #keyword# in the subject that you received from someone outside your domain
Search-Mailbox ... -SearchQuery 'subject:#keyword# AND from<>#Your domain#' -DeleteContent
Delete emails and calendar events received before a specific date
Search-Mailbox ... -SearchQuery '(kind:email OR kind:meetings) AND received<#Date in MM/dd/yyyy format#' -DeleteContent
Delete emails with total attachment size greater than #number# bytes
Search-Mailbox ... -SearchQuery 'hasattachment:true AND size>#number#' -DeleteContent
IMPORTANT: since size attribute only checks the size of the entire message, this query can target a slightly wider range of items with attachments than just those whose total attachment size exceeds #number#.
List of properties you can query with Search-Mailbox
Delete emails from multiple mailboxes
To extend the search and delete process to multiple mailboxes, you can use PowerShell’s pipeline or foreach loop mechanism.
For example, the following commands delete content that matches #your query# from all mailboxes that can be found in an organization:
Get-Mailbox | Search-Mailbox -SearchQuery '#Your query#' -DeleteContent
foreach ($mailbox in (get-mailbox)) {Search-Mailbox -id $mailbox -SearchQuery '#Your query#' -DeleteContent -Force}
NOTE: When using the for every method, I recommend appending the command with a -Force switch. Otherwise, you’ll need to confirm content deletion for each individual mailbox.
The result of the above two commands is identical in terms of deleted content.
If you add a target mailbox and folder to the command (see Additional switches and parameters under the Get-Mailbox The pipeline generates a search summary and log file while the for every loop generates separate search summaries and log files for each mailbox.
Both methods allow you to limit the scope of mailboxes that will be searched and deleted.
That Get-Mailbox You can also use the pipeline to perform simple range operations such as: B. Limit the output to a defined mailbox database, organizational unit, domain, or mailbox type. See for details this Microsoft documentation.
Additional switches and parameters
After you run the search mailbox command with the -Delete content switch, the output contains a very simple summary of the process (example in the image below).
– EstimateResultOnly
As I mentioned earlier, you can use this switch to get the above type of summary before using the -Delete content switch. Note that – EstimateResultOnly cannot be used with -Delete content. Example:
Search-Mailbox ... -SearchQuery '#Your query#' -EstimateResultOnly
-LogOnly
By default the -LogOnly switch sends exactly the same basic information as – EstimateResultOnly to a specific mailbox. This is because the default log level is Basic. You can change this by increasing the log level to full.
Note that when using -LogOnly switch, you must define the target mailbox and folder and cannot use them -Delete content switch. Example:
Search-Mailbox ... -SearchQuery '#Your query#' -LogOnly -LogLevel:full -TargetMailbox #Mailbox id# -TargetFolder #Folder name#
-Log level
You can also use the -Log level parameters along with the -Delete content switch to get detailed information about what was deleted. As above, you need to increase the log level to full and specify a target mailbox and folder.
After the search and delete process is successful, you will find an email in the specified location with an attached zipped CSV file containing a list of deleted items.
Search-Mailbox ... -SearchQuery '#Your query#' -DeleteContent -LogLevel:full -TargetMailbox #Mailbox id# -TargetFolder #Folder name#