Forum Discussion
Administratively retract a user's email
I was recently asked to retract a message that was sent in error to staff. I ran a discovery/search, and saved it, but when I ran the PowerShell script after connecting to Exchange, the script could not find the search, something like name not found. I verified the name was correct, and I am a global admin so permissions should not have been an issue.
Does anyone know of any accurate documentation to run a search and retract? I had to use an old YouTube video and could not find anything in Microsoft's documentation.
3 Replies
Hi,
What you are trying to do is no longer the old Exchange “message recall” scenario. In Microsoft 365, administrative removal of emails is now typically handled through Microsoft Purview Content Search / eDiscovery with a purge action. (Microsoft Learn)
Important clarification
Being a Global Administrator does not automatically mean you have the required Purview purge permissions.
For purge actions, you usually need roles such as:
- Search And Purge
- eDiscovery Manager / appropriate Purview roles
- Sometimes Organization Management in Purview (not just Exchange)
Microsoft specifically notes that Exchange Online Org Management and Purview Org Management are separate permission models. (Microsoft Learn)
Why your script may not find the search
Common causes:
1. Connected to the wrong PowerShell endpoint
You need Security & Compliance / Purview PowerShell, not only Exchange Online.
Use:
Connect-ExchangeOnline
Connect-IPPSSession -EnableSearchOnlySession
2. Search created in new Purview experience / incompatible context
Some searches created in different case types or portals may behave differently depending on whether they are premium-enabled or standard workflows. (Microsoft Learn)
3. Name mismatch / delayed sync
Sometimes newly created searches need a few minutes before PowerShell lists them.
Check:
Get-ComplianceSearch
4. Insufficient Purview permissions
Even Global Admin may need explicit Purview role assignment.
Recommended Modern Workflow
Step 1 – Connect
Connect-IPPSSession -EnableSearchOnlySession
Step 2 – Create Search
New-ComplianceSearch -Name "BadEmailRemoval" `
    -ExchangeLocation All `
    -ContentMatchQuery 'Subject:"Incorrect Subject"'
Step 3 – Start Search
Start-ComplianceSearch -Identity "BadEmailRemoval"
Step 4 – Validate Status
Get-ComplianceSearch -Identity "BadEmailRemoval"
Step 5 – Purge
New-ComplianceSearchAction -SearchName "BadEmailRemoval" -Purge -PurgeType SoftDelete
Important Limitations
- Purge is not true Outlook recall.
- User may already have read/copied/forwarded it.
- Limits apply (items per mailbox / scale depending on licensing).
- Litigation hold / retention can affect outcomes. (Microsoft Learn)
My Recommendation
For accidental internal sends:
- Purge with Purview
- Send correction notice
- Review transport rules / DLP / approval flow
If I were troubleshooting your exact error
Run:
Get-ComplianceSearch | Select Name,Status
If the search does not appear, you are almost certainly connected to the wrong session or missing Purview role assignments.
Honest Architect Note
Microsoft documentation around this process has changed multiple times, so many admins still rely on older community posts/videos. You are not alone there.
Hope this helps.
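The connect, search, validate and purge steps from the reply above, combined into one script that waits for the search to finish and checks the hit count before purging. This is an added example, not part of any reply in the thread; the search name and query are the reply's placeholders, and the 15-second polling interval is an assumption.

```powershell
# Added example. $SearchName, $Query and the polling interval are placeholders.
$ErrorActionPreference = 'Stop'
$SearchName = 'BadEmailRemoval'
$Query      = 'Subject:"Incorrect Subject"'

# Security & Compliance (Purview) PowerShell, as given in the reply.
# Compliance searches are not visible from an Exchange Online-only session.
Connect-IPPSSession -EnableSearchOnlySession

# List what this session can see. If a search saved in the portal is missing
# here, the problem is the session or the Purview role assignment, not the name.
$search = Get-ComplianceSearch | Where-Object Name -eq $SearchName
if (-not $search) {
    New-ComplianceSearch -Name $SearchName -ExchangeLocation All `
        -ContentMatchQuery $Query | Out-Null
}
Start-ComplianceSearch -Identity $SearchName

# A purge action cannot be created until the search has completed.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $SearchName
    Write-Host "Search status: $($search.Status)"
} while ($search.Status -ne 'Completed')

# Check the hit count before deleting anything; an overly broad query
# shows up here as an unexpectedly large number.
Write-Host "Items matched: $($search.Items)"
if ($search.Items -eq 0) {
    Write-Warning 'No items matched; nothing to purge.'
    return
}

# SoftDelete moves items to Recoverable Items; -Confirm forces a prompt.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm

# The purge action is named "<search name>_Purge".
do {
    Start-Sleep -Seconds 15
    $action = Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
} while ($action.Status -ne 'Completed')
$action | Format-List Name, Status, Results
```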
- vanessatamora, Copper Contributor
They changed that like a year ago where there is another module you need to use, Security and Compliance.
It's been a few months but I remember having trouble using the name and finally had to go broad with something like this:
Connect-IPPSSession
Get-ComplianceSearch | FL
Get-ComplianceSearch -Identity "SearchID" | Select-Object Name, Status, Items
New-ComplianceSearchAction -SearchName "SearchID" -Purge -PurgeType SoftDelete
#or
New-ComplianceSearchAction -SearchName "SearchID" -Purge -PurgeType HardDelete
- Jean_Paul_Nkundabose, Brass Contributor
TomCSB check if this MS Learn documentation https://learn.microsoft.com/en-us/purview/edisc-search-mailbox-data applies to your scenario.