Microsoft 365 Email Security Management Guide

Published: February 7, 2023 | Last Modified: May 13, 2025

Tags: email security hacked accounts M365 ExchangeOnlineManagement powershell azure compliance security management email management incident response

Categories: PowerShell Security Microsoft 365



Block Unwanted Emails

Objective: Prevent sending or receiving emails from specific external email addresses or domains.

Action: Navigate to the Tenant Allow/Block List in the Microsoft Security Center. Configure the settings to block specific email addresses or domains. For direct access, use this link: Tenant Allow/Block List.

Review Past Week of Sign-In History

Objective: Review sign-in history to identify any unusual user activity.

Action: Access the Azure portal’s sign-in history section. Specify the user of interest and examine their sign-in locations and activities. Access the portal here: Azure Sign-In History.

Define Content Search Criteria

Objective: Search and identify specific emails that need to be removed from your organization.

Action: Utilize the Content Search feature in the Microsoft Compliance center. Define your search criteria to target specific emails. Access Content Search here: Content Search in Compliance Center.

Connect to Exchange Online Management

Preparation: The following steps require PowerShell. Ensure you launch powershell_ise with administrative privileges.

Action: Establish a connection to Exchange Online Management using an elevated PowerShell session.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned # If not already set.
Install-Module -Name ExchangeOnlineManagement # If not installed.
Import-Module ExchangeOnlineManagement # This is a necessary step.
Connect-IPPSSession # Launches a Modern Authentication Window.

Purge Unwanted Content

Confirmation: Ensure that your content search in the Compliance Center is valid. If the search name isn’t visible, it might still be processing.

Get-ComplianceSearch | Sort-Object JobEndTime # Retrieve and sort all compliance searches by job end time.
# or
Get-ComplianceSearch -Identity "05297487" | Select-Object * # Retrieve all properties of a single content search whose name you know.

Action: Execute a “hard delete” on the identified content based on your search.

New-ComplianceSearchAction -SearchName "name_of_content_search" -Purge -PurgeType HardDelete # Perform a hard delete of the search results.

Status Check: Monitor the progress of the hard delete operation. The name of a purge action is typically the search name with _Purge appended.

Get-ComplianceSearchAction -Identity "name_of_content_search_Purge" | Format-List # Check the status of the purge operation.

Disconnect: End your session with Exchange Online Management.

Disconnect-ExchangeOnline # Disconnect from Exchange Online Management.

Check Inbox Rules

Objective: Review and analyze inbox rules for each user to detect any unusual or unauthorized rules.

Action: Run the following PowerShell script to extract inbox rules for a list of specified user email addresses.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline # Launches a Modern Authentication Window.

# Define an array of user email addresses
$userEmails = @(
    'example-one@contoso.com',
    'example-two@contoso.com',
    'example-three@contoso.com'
)
 
# Iterate through each user and retrieve their inbox rules
foreach ($userEmail in $userEmails) {
    Write-Host ("Getting inbox rules for: " + $userEmail)
    # Attempt to fetch inbox rules for each user
    try {
        $inboxRules = Get-InboxRule -Mailbox $userEmail -ErrorAction Stop  # Stop turns errors into terminating ones so the catch block runs
        if ($inboxRules) {
            Write-Host ("Inbox rules for " + $userEmail + ":")
            $inboxRules | Format-List *  # Display all properties of the inbox rules
        } else {
            Write-Host ("No inbox rules found for " + $userEmail + ".")
        }
    } catch {
        Write-Host ("Error retrieving inbox rules for " + $userEmail + ": " + $_.Exception.Message)
    }
}
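
Added example (not part of the original guide): a triage filter that takes the rules returned by the script above and reports only those with traits worth a closer look, such as external forwarding, deletion, moves to rarely opened folders, finance or security keywords, and punctuation-only names. The function name, the keyword and folder lists, the internal domain list and the sample rules are assumptions made for illustration; the property names are those returned by Get-InboxRule.

```powershell
# Added example (not from the original guide): triage Get-InboxRule output.
function Get-SuspiciousInboxRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Rule,
        [string[]] $InternalDomains = @('contoso.com')  # assumption: your accepted domains
    )
    process {
        $reasons = [System.Collections.Generic.List[string]]::new()
        # Forward/redirect targets whose SMTP domain is not one of ours
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($target in $targets) {
            if ("$target" -match '[\w.+-]+@([\w.-]+\.\w+)' -and $InternalDomains -notcontains $Matches[1]) {
                $reasons.Add("forwards or redirects externally: $($Matches[0])")
            }
        }
        # Rules that make mail disappear from the inbox
        if ($Rule.DeleteMessage) { $reasons.Add('deletes matching messages') }
        if ($Rule.MoveToFolder -match 'RSS|Conversation History|Junk|Deleted Items|Archive') {
            $reasons.Add("moves mail to low-visibility folder: $($Rule.MoveToFolder)")
        }
        # Conditions keyed on finance or security wording (heuristic list, adjust to taste)
        $words = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) +
                 @($Rule.SubjectOrBodyContainsWords) | Where-Object { $_ }
        if ($words -match 'invoice|payment|password|phish|hack|security') {
            $reasons.Add("matches sensitive keywords: $($words -join ', ')")
        }
        # Names made only of punctuation (".", "..", "_") are rarely user-created
        if ($Rule.Name -match '^[\W_]{1,3}$') { $reasons.Add("non-descriptive rule name: '$($Rule.Name)'") }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $Rule.MailboxOwnerId; Rule = $Rule.Name
                Enabled = $Rule.Enabled;        Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules shaped like Get-InboxRule output (not real data)
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'example-one'; Name = '.'; Enabled = $true; DeleteMessage = $true
        ForwardTo = @('"x" [SMTP:collector@example.net]'); SubjectOrBodyContainsWords = @('invoice', 'payment') }
    [pscustomobject]@{ MailboxOwnerId = 'example-two'; Name = 'Newsletters'; Enabled = $true
        DeleteMessage = $false; MoveToFolder = 'Newsletters' }
)
$sampleRules | Get-SuspiciousInboxRule | Format-List
```

Against a live tenant, pipe Get-InboxRule -Mailbox $userEmail -IncludeHidden into the function instead of the sample array; the -IncludeHidden switch also returns rules that are hidden from the mail client. A flagged rule is a prompt for review with the mailbox owner, not proof of compromise.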