eDiscovery Purge Actions and Other Methods

A comment on an article about using compliance search purge actions focused on removing old calendar events from user mailboxes. After thinking about it, I’m not sure that compliance search purge actions are the right way to solve the problem. Purges are limited to removing 10 items per mailbox at a time, and great care must be taken to exclude the Recoverable Items folder from the purges. If you don’t, the purge actions might end up processing the same items ad nauseam. In addition, there seems to be a problem with removing calendar items using compliance search actions. Microsoft knows about the issue but hasn’t responded to it yet.

Some suggest using the Remove-CalendarEvents cmdlet. The cmdlet only processes meetings (both normal and online) and leaves appointments intact. The problem here is that Remove-CalendarEvents deletes future meetings rather than meetings that happened in the past. A different solution is needed.

eDiscovery Mailbox Purges

In August 2024, Microsoft announced a redesigned Purview eDiscovery “product experience.” As part of the announcement, Microsoft said, “previously administrators could only purge 10 items per mailbox location, they can now purge up to 100 items per mailbox location.” What Microsoft didn’t make clear is that the new limit doesn’t apply to compliance search purge actions, which remain limited to removing 10 items per mailbox. Instead, the new limit applies to eDiscovery (Premium), where the new eDiscoverySearch PurgeData Graph API performs the purges. eDiscovery purges can remove items from Exchange Online and Teams. They can’t purge SharePoint Online or OneDrive for Business data.

A complete Purview eDiscovery Graph API is available to create new cases, searches, holds, and so on. I do not suggest that you use the API to create and manage cases. It’s easier through the GUI and flaws exist in the V1.0 version of the API (some fixed in the beta version).

Searching for Old Calendar Items

As an example, let’s take the scenario where an organization wishes to remove old calendar items from specific user mailboxes. The process is as follows:

  • Create a new eDiscovery Premium case. The ability to work with eDiscovery Premium cases requires specific licenses and Purview roles.
  • Add a search to the case. This includes adding the sources (mailboxes). In the older version of eDiscovery Premium, sources are referred to as custodians. You can add all mailboxes in the organization or a targeted set.
  • Add the KeyQL search query to find the items.
  • Run the query to check if the correct items are found. Just like content searches, you can review samples of the items found to confirm that the query is working as expected.

Figure 1: Details of an eDiscovery search to find calendar items

Figure 1 shows that the query used is (kind:meetings) AND (received>=2021-01-01 AND received<=2023-12-31). In other words, find meeting items between the two specified dates. If you want to find appointments or items like meeting requests, use the item classes. For example:

(received>=2021-01-01 AND received<=2023-12-31) AND (ItemClass=IPM.Appointment OR ItemClass=IPM.Schedule)

Achieving a query that finds the correct items will probably take several attempts. Experience with eDiscovery and KeyQL syntax makes it easier to find items. The usual problem is then to refine the query to find just the desired items. The more precise the query, the better, if only to keep the number of items to be removed under the 100-item purge limit.

Remember that eDiscovery uses estimate searches because they’re much faster than the exhaustive search needed to find and retrieve all items. Estimate searches are just that – an approximation of what will be found when a search eventually runs. This doesn’t mean that the search will find bad data. It does mean that the sample items returned for a search might not include some items that you expect to see.

Some might ask if it’s possible to restrict searches to a single folder or set of folders so that only items in the Calendar folder are found rather than those in Deleted Items or Recoverable Items. Purview supports targeted searches that use folder identifiers to locate items. However, these searches only work within a single mailbox.

Purging Items Found by an eDiscovery Search

When you’re happy that the search finds the right items, the purge can go ahead. To purge items, you must know the identifiers for the eDiscovery case and the search. This code connects an interactive Microsoft Graph PowerShell SDK session with the eDiscovery.ReadWrite.All permission (because we’re going to purge items). Interactive sessions use delegated permissions, which is why the signed-in account must hold the required eDiscovery role, like eDiscovery admins.

The code finds all the eDiscovery cases modified in the last month. We then store details of the first case into a variable.

Connect-MgGraph -Scopes eDiscovery.ReadWrite.All -NoWelcome

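# Use UTC so that the literal "Z" suffix in the timestamp is accurate
$LastMonth = (Get-Date).ToUniversalTime().AddDays(-31).ToString("yyyy-MM-ddTHH:mm:ssZ")
# Sort newest first so that $Cases[0] is the most recently modified case
[array]$Cases = Get-MgSecurityCaseEdiscoveryCase -Filter "lastModifiedDateTime gt $LastMonth" | Sort-Object LastModifiedDateTime -Descending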


$Cases | Sort-Object LastModifiedDateTime -Descending | Format-Table Id, DisplayName, LastModifiedDateTime -AutoSize

Id                                   DisplayName             LastModifiedDateTime
--                                   -----------             --------------------
735f3217-b0aa-470a-b1c3-623a038cade5 Unwanted Calendar Items 31/03/2025 17:29:17
e8f162ec-1ba2-4100-954d-fd6865e91ca1 Case 51                 28/03/2025 19:11:03

$Case = $Cases[0]

To find the identifier for the search, run the Get-MgSecurityCaseEDiscoveryCaseSearch cmdlet. There’s only one search in the case, so we store the search details in a variable.

[array]$Searches = Get-MgSecurityCaseEdiscoveryCaseSearch -EdiscoveryCaseId $Case.Id
$Searches | Format-Table Id, DisplayName, LastModifiedDateTime -AutoSize

Id                                   DisplayName                  LastModifiedDateTime
--                                   -----------                  --------------------
005de16f-9af9-45b9-a1cc-e5386befaa63 Find Targeted Calendar Items 01/04/2025 17:28:35

$Search = $Searches[0]

With the identifiers, we can run the purge. First, we create a hash table containing the parameters for the purge action (permanently delete mailbox items) before running the Clear-MgSecurityCaseEDiscoveryCaseSearchData cmdlet. This action creates a background job to find and purge the items identified by the query.

$PurgeParameters = @{}
$PurgeParameters.Add("purgeType","permanentlyDelete")
$PurgeParameters.Add("purgeAreas","Mailboxes")

Clear-MgSecurityCaseEdiscoveryCaseSearchData -EdiscoveryCaseId $Case.Id -EdiscoverySearchId $Search.Id -BodyParameter $PurgeParameters

Once a purge starts, it runs to completion and cannot be interrupted, so it’s critical that the correct query is used. In some respects, it’s better to use the recoverable option instead of permanentlyDelete as users can then recover items in case the query finds items that should not be purged.

To check progress, you can use the Get-ExoMailboxFolderStatistics cmdlet to monitor purged items moving into Recoverable Items. If the purge allows recovery, the items end up in the Deletions folder. If they’re permanently removed, purged items are in the Purges folder.

Get-ExoMailboxFolderStatistics -Identity Lotte.Vetler@office365itpros.com -FolderScope RecoverableItems | Format-Table Name, ItemsInFolder, FolderSize -AutoSize


Name                                    ItemsInFolder FolderSize
----                                    ------------- ----------
Recoverable Items                                   0 0 B (0 bytes)
Audits                                            126 965.4 KB (988,536 bytes)
Calendar Logging                                   96 390 KB (399,386 bytes)
Deletions                                          20 2.342 MB (2,456,238 bytes)
DiscoveryHolds                                      8 1.087 MB (1,140,098 bytes)
SearchDiscoveryHoldsFolder                          0 0 B (0 bytes)
SearchDiscoveryHoldsUnindexedItemFolder             0 0 B (0 bytes)
Purges                                             96 3.342 MB (3,504,325 bytes)
SubstrateHolds                                      7 125.2 KB (128,200 bytes)
Versions                                            2 12.17 KB (12,462 bytes)

It can take some time for a purge to complete. If a hold is not in place for the items, the Exchange Online Managed Folder Assistant will remove items from the Purges folder the next time it processes the mailbox.
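
The purge and the progress check described above, combined as an added example (not code from the article): it re-reads the stored query, requires typed confirmation, submits a recoverable purge, logs the submission, and then watches the Deletions and Purges counts. It assumes $Case and $Search are set as shown earlier and that Graph and Exchange Online sessions are connected; $Mailbox is a placeholder, and the PurgeLog.csv file name and the 30-minute polling window are arbitrary choices.

```powershell
# Added example, not the article's code. Assumes $Case and $Search are already set,
# Graph and Exchange Online sessions are connected, and $Mailbox is a search source.
$Mailbox = 'user@contoso.example'   # placeholder address

function Get-RecoverableCounts {
    param([string]$Identity)
    # Item counts for the two Recoverable Items folders that receive purged items
    $Counts = @{ Deletions = 0; Purges = 0 }
    Get-ExoMailboxFolderStatistics -Identity $Identity -FolderScope RecoverableItems |
        Where-Object { $_.Name -in 'Deletions', 'Purges' } |
        ForEach-Object { $Counts[$_.Name] = [int]$_.ItemsInFolder }
    $Counts
}

# Re-read the search so the query being approved is the one stored in the case now
$Current = Get-MgSecurityCaseEdiscoveryCaseSearch -EdiscoveryCaseId $Case.Id -EdiscoverySearchId $Search.Id
Write-Host ("Case:   {0}`nSearch: {1}`nQuery:  {2}" -f $Case.DisplayName, $Current.DisplayName, $Current.ContentQuery)

# A running purge cannot be interrupted, so require the search name to be typed
if ((Read-Host 'Type the search name to confirm the purge') -cne $Current.DisplayName) {
    Write-Warning 'Confirmation did not match. No purge submitted.'
    return
}

$Before = Get-RecoverableCounts -Identity $Mailbox

# "recoverable" sends purged items to Deletions, where users can still recover them
$PurgeParameters = @{ purgeType = 'recoverable'; purgeAreas = 'mailboxes' }
Clear-MgSecurityCaseEdiscoveryCaseSearchData -EdiscoveryCaseId $Case.Id -EdiscoverySearchId $Search.Id -BodyParameter $PurgeParameters

# Record who submitted which purge, and with which query
[pscustomobject]@{
    SubmittedUtc = (Get-Date).ToUniversalTime().ToString('o')
    Operator     = (Get-MgContext).Account
    CaseId       = $Case.Id
    SearchId     = $Search.Id
    Query        = $Current.ContentQuery
    PurgeType    = $PurgeParameters.purgeType
} | Export-Csv -Path .\PurgeLog.csv -Append -NoTypeInformation

# Poll every two minutes until items start to arrive or 30 minutes pass
$Deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 120
    $After = Get-RecoverableCounts -Identity $Mailbox
    $Moved = $After.Deletions - $Before.Deletions
    Write-Host ("{0:HH:mm:ss} Deletions delta {1}, Purges delta {2}" -f (Get-Date), $Moved, ($After.Purges - $Before.Purges))
} until ($Moved -gt 0 -or (Get-Date) -gt $Deadline)
```

The loop stops at the first increase in Deletions, so the reported delta is a sign that the job has started, not a final count.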

In situations where an organization must permanently remove items even though they are on hold, the Purview Priority Cleanup solution can do this. The advantage of running an eDiscovery purge before using Priority Cleanup is that the purge removes items from user view. The cleanup can then proceed through its multi-stage disposition process without being under any time pressure.

Graph APIs to Find and Remove Items

You don’t have to use eDiscovery to find and purge items. The Graph includes APIs to find and remove specific mailbox items. For instance, you could take the script used for the mailbox contents report and amend the code so that it only processes the calendar folder and applies a filter to select specific items. The code can then call the Delete message API (or Remove-MgUserMessage cmdlet) to clean up the folder.

On April 1, 2025, Microsoft announced new APIs to permanently remove mailbox items and folders, including calendar items. These APIs are positioned as part of the effort to help ISVs move off Exchange Web Services (EWS) before its retirement in October 2026. The difference between the new APIs and the Delete message API is that the new APIs move items directly to the Purges folder in Recoverable Items (hence permanent removal). Of course, permanent removal only works when items aren’t on hold, but now the Purview Priority Cleanup solution exists to fix that problem. So many ways to get things done!

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.
