Post Delivery Email Deletion (Retract)

Updated 2 years ago by admin

Post Delivery Email Deletion is a feature of Email Security that allows an administrator to delete email that has been delivered and stored in a Microsoft 365 / Office 365 mailbox, including any replies or forwards of the message within the domain. This feature is particularly useful to delete and remotely wipe any messages that were accidentally released from quarantine or that contain suspicious or confidential data.

To set up, you will need:

  • A Microsoft / Office 365 domain protected by Email Security
  • A Microsoft / Office 365 user with administrator privileges
  • A USS administrator user that matches a registered mailbox email address
  • If using a roles based administrator, the EMS - Retract Message permission must be granted

Set up permissions for Post Delivery Email Deletion

To enable Post Delivery Email Deletion you must grant permissions to the Email Security system to read and write to user mailboxes.

If the Grant Permissions button is not visible please check the requirements are satisfied above

Navigate to Products -> Email Security -> Product Configuration -> Domains.

The Grant Permissions button can be used to apply the required permissions to all registered domains. If the grant is successful, the Retract column will show "Granted" next to each domain.

If there are domains in the list which are not configured in Microsoft / Office 365 then the grant will fail for those domains. You can use the Grant Permissions multiple times to retry. It is recommended that you remove any domains that are not in use.

Click the Grant Permissions button to start the consent flow.

Please note that granting permission will attempt to grant for all domain names that exist in the Domains list and the Microsoft account.

Click OK to proceed.

Sign in with a Microsoft /Office 365 administrator user.

Review the permissions requested (see table below) and press Accept if you agree to them.


API Permission (see reference)


Why is it needed?

Read all users' full profiles


Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.

For the ability to search for users by their email address and other identifying properties such as domain association.

Read and write mail in all mailboxes


Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail.

For the ability to delete (retract) messages from a users mailbox.

Read domains


Allows the app to read all domain properties without a signed-in user.

For the ability to verify the email domain is registered to the Microsoft tenant

Sign in and read user profile


Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users

To authenticate the administrator, verify the tenant details and ensure there is permission to create the EMS Retract Enterprise App.

Once accepted, you will be able to close the tab window and return to the Domains list.

If successful, the domain(s) should now have Granted status in the Retract column.

If one or more domains exist in the Domains list but not in the Microsoft account, a warning will be displayed. You can retry granting permissions at any time once the issue has been resolved.

The set up is now complete and ready to use.

Using Post Delivery Email Deletion

You can use the retract feature when an email has been delivered through Email Security to a recipient within one or more managed domains. A managed domain must also be a Microsoft / Office 365 custom domain, and the administrator must have permissions to use the Post Delivery Email Deletion feature to retract the message.

Applies to delivered messages only. It is not possible to retract messages from external mailboxes or those not managed by the Microsoft account which granted the permissions. It is also not possible to retract from third party systems or products such as the Compliant Email Archive that have already processed the message. For the Compliant Email Archive, messages can be deleted using a privileged user account.

Navigate to Analytics -> Email Activity and search for an email message.

Double click the message or use the info icon on the far right to open Message Details.

Click on the Retract tab.

A list of recipient email addresses that can have their messages retracted will be summarised in the Email column. The Status column will indicate if there are any API permission issues with the recipient domain which may prevent the action being carried out.

Tick the Include checkbox for all the recipients that you want to apply the delete action to, and then click Retract.

The following options are also available:

  • Also retract conversations (forwards/replies) - when a message is delivered it is given a Message-ID and a new Conversation-ID. When a message is replied to or forwarded, it preserves the original Conversation-ID even if it is given a new Message-ID. This allows the system to find replies and forwarded messages up to the specified conversation depth. Increasing the depth will increase the time it takes to remove messages.
Once the "Retract" button is used the responsibility for removing the messages is delegated to the Microsoft Graph API. Whilst this process is usually very quick, it may sometimes take longer or result in issues that can only be resolved by contacting Microsoft.

You can confirm the Retract action action was dispatched by navigating to Analytics -> Admin Audit -> search by section "Retract" and expanding the entries. For example:

For further confirmation of the action taking place you can check the Audit Logs and Sign-in Logs for the EMS Retract enterprise application within the Azure portal. Note that a premium subscription may be required to access all information.
Please also note - as the Email Security log data is immutable it is not currently possible to mark the email as retracted in the Email Activity report.

How did we do?