Seek And Destroy (Rod from God) Exchange Mail Purge
KB – Purview (Security & Compliance): Targeted Mail Purge via Compliance Search & Action
Summary
This guide walks authorized admins through performing a targeted purge of emails in Microsoft 365 using Compliance Search and Compliance Search Action (Purview). The included PowerShell script:
connects to Exchange Online and Purview,
prompts for a KQL query (subject + date range),
builds and runs a Compliance Search,
executes a Purge action (HardDelete by default), and
exports run artifacts (CSV/JSON/TXT) to C:\PCF\.
Link to Script (IT SharePoint): SeekandDestroy.ps1
Audience
Security, Messaging, and Incident-Response admins who hold the required Purview/Exchange permissions.
Scope
Workload: Exchange Online content (user mailboxes + user app content when applicable).
Action Types: Preview (optional), Purge (HardDelete). You can switch to SoftDelete if needed.
Not Covered: SharePoint/OneDrive/Teams content searches, journal mailboxes, or on-prem mailboxes.
Prerequisites & Access
Role Groups (Purview): Member of eDiscovery Manager (or higher) and Compliance Search-capable role set.
Exchange: Sufficient rights to run Connect-ExchangeOnline and Purview cmdlets.
Modules/PowerShell:
Windows PowerShell 5.1+ or PowerShell 7.x
ExchangeOnlineManagement module v3+
Network: Ability to reach Microsoft 365 endpoints.
Change Control: Ticket/approval per incident response SOP.
⚠️ Legal & Hold Considerations
If mailboxes are on Litigation Hold / eDiscovery Hold / Retention Policy, purges may be limited or redirected to Recoverable Items. Consider running a SoftDelete first to verify scope and behavior.
Safety Checklist (Do Before You Purge)
✅ Confirm incident scope and business approval.
✅ Validate KQL on a small, known sample (use Preview).
✅ Consider SoftDelete first if you’re unsure about holds/retention.
✅ Communicate with stakeholders if user impact is expected.
✅ Ensure export location C:\PCF\ exists or let the script create it.
What the Script Does (At a Glance)
Connects to Exchange Online and Purview/IPPSSession.
Prompts you to build KQL:
Subject (required)
Received on/after (required; yyyy-MM-dd)
Received cutoff (optional)
Creates a Compliance Search targeting All Exchange locations.
Starts the search and polls until Completed.
(Optional) Preview check (commented line provided).
Creates a Compliance Search Action with Purge -PurgeType HardDelete.
Polls the action until terminal state.
Exports a summary CSV, full JSON, and optional results TXT to C:\PCF\.
Step-by-Step – Running the Script
Open an elevated PowerShell (Run as Administrator) on a secure admin workstation.
Paste and run the script from your secure repository or this KB. It will prompt you for Subject and Dates to build the KQL.
Example prompts:
Enter SUBJECT phrase: Trucordia Insurance Services LLC
Enter RECEIVED on/after date (yyyy-MM-dd): 2025-09-23
Optional cutoff: press Enter to skip or provide a date.
Verify the KQL line the script echoes in cyan. Example:
subject:"Trucordia Insurance Services LLC" AND received>=2025-09-23
If you added an end date, it appends: AND received<=YYYY-MM-DD
Allow the search to complete. The script polls status and shows item counts.
(Optional) Preview sanity check. You can un-comment the preview line in the script to review a small sample of results before purging.
Purge. The script issues a purge action using HardDelete by default. It will poll the action status until it reaches a terminal state such as Succeeded or Failed.
Review outputs in C:\PCF\
CompliancePurge_<timestamp>.csv – flat summary for quick review and sharing
CompliancePurge_<timestamp>.json – full object for deep inspection
CompliancePurge_<timestamp>-results.txt – raw results line(s) when present
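The flow above, condensed into an added PowerShell example that is not the KB's own SeekandDestroy.ps1 (the cmdlets are the real ExchangeOnlineManagement ones; $PurgeType, $OutDir and the polling limit are assumptions):

```powershell
# Added example, not the KB's SeekandDestroy.ps1: the search-and-purge flow
# described above. Assumes ExchangeOnlineManagement v3+ and Purview rights.
$PurgeType = 'HardDelete'   # assumption: set to 'SoftDelete' when holds/retention apply
$OutDir    = 'C:\PCF'
Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession

# Build the KQL from prompts; strip stray quotes so the phrase stays well-formed,
# and reject dates that are not yyyy-MM-dd before they reach the search.
$subject = (Read-Host 'Enter SUBJECT phrase').Trim() -replace '"', ''
if (-not $subject) { throw 'Subject is required.' }
$since = (Read-Host 'Enter RECEIVED on/after date (yyyy-MM-dd)').Trim()
if ($since -notmatch '^\d{4}-\d{2}-\d{2}$') { throw 'Date must be yyyy-MM-dd.' }
$kql = "subject:`"$subject`" AND received>=$since"
$until = (Read-Host 'Optional cutoff (yyyy-MM-dd), Enter to skip').Trim()
if ($until -match '^\d{4}-\d{2}-\d{2}$') { $kql += " AND received<=$until" }
Write-Host "KQL: $kql" -ForegroundColor Cyan

# One unique search name per run, following the KB's $MailSearch convention.
$stamp      = Get-Date -Format 'yyyyMMdd_HHmmss'
$MailSearch = "PurgeSearch_$stamp"
New-ComplianceSearch -Name $MailSearch -ExchangeLocation All -ContentMatchQuery $kql | Out-Null
Start-ComplianceSearch -Identity $MailSearch

# Poll until Completed (bounded so a stuck search cannot hang the run), then show the hit count.
$tries = 0
do { Start-Sleep -Seconds 10; $s = Get-ComplianceSearch -Identity $MailSearch; $tries++ }
while ($s.Status -ne 'Completed' -and $tries -lt 60)
if ($s.Status -ne 'Completed') { throw "Search $MailSearch did not complete (status: $($s.Status))." }
Write-Host "Search complete: $($s.Items) item(s) matched."
if ($s.Items -eq 0) { return }

# Optional preview of a sample before purging (uncomment to use):
# New-ComplianceSearchAction -SearchName $MailSearch -Preview

# Purge (the cmdlet's own confirmation prompt is left in place), then poll
# the action until it leaves the non-terminal states.
$action = New-ComplianceSearchAction -SearchName $MailSearch -Purge -PurgeType $PurgeType
do { Start-Sleep -Seconds 10; $a = Get-ComplianceSearchAction -Identity $action.Identity }
while ($a.Status -in 'Starting', 'InProgress')

# Export the run artifacts to C:\PCF as the KB describes (CSV summary, JSON, results TXT).
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
[pscustomobject]@{ Search = $MailSearch; KQL = $kql; Items = $s.Items; PurgeType = $PurgeType; Status = $a.Status } |
    Export-Csv -Path (Join-Path $OutDir "CompliancePurge_$stamp.csv") -NoTypeInformation
$a | ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $OutDir "CompliancePurge_$stamp.json")
if ($a.Results) { $a.Results | Set-Content -Path (Join-Path $OutDir "CompliancePurge_$stamp-results.txt") }
```

Run it with SoftDelete first on a held mailbox population to see whether items land in Recoverable Items rather than being removed, then repeat with HardDelete once the scope is confirmed.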
Appendix – Script Variables You’ll See
$MailSearch – Unique name for each run: PurgeSearch_<yyyyMMdd_HHmmss>
$kql – Your assembled query (subject + date filters)
Outputs: C:\PCF\CompliancePurge_<timestamp>.csv / .json / (-results.txt)