Part 2 | When Native Tools Fall Short: Closing the Compliance Gap with PowerShell + Microsoft Graph

After publishing my last write-up on the technical limitations of auto-labeling in Exchange Online, I received a ton of messages from security engineers, admins, and compliance leaders asking for the actual solution.

So, here it is.

Microsoft Purview currently doesn’t scan mailbox content at rest for Sensitive Information Types (SITs). Unfortunately, this isn't a simple policy misconfiguration; it’s a fundamental product behavior gap.

When native tools can’t meet the requirements, we build what’s missing.

This open-source toolkit is designed for forensic and controlled remediation use cases. It’s modular, reviewable, and built to be compliant and auditable. While inspired by a solution I piloted on a recent engagement, this version is generalized and independently developed for community use.

The GitHub repo includes:

- Invoke-EmailSITSearch.ps1: Scans Exchange Online mailboxes for SSNs using keyword context and format matching, then exports a CSV for review.

- Invoke-EmailSSNDeletion.ps1: Enables safe, manual or bulk deletion of reviewed messages using the CSV (includes logging).

- README: Setup guide, app registration steps, Graph scopes, usage flow, and safety tips.
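
To illustrate the "keyword context and format matching" approach described for the search script, here is an added example that is not the repository's code. It runs over constructed sample messages rather than Graph results; the function name, the 60-character context window, and the CSV column names are assumptions made for the illustration.

```powershell
# Added illustration; not the code from Invoke-EmailSITSearch.ps1.
# Constructed sample messages standing in for mailbox items that were already retrieved.
$messages = @(
    [pscustomobject]@{ Id = 'msg-001'; Subject = 'Onboarding form'; Body = 'Employee SSN: 123-45-6789, start date 03/01.' }
    [pscustomobject]@{ Id = 'msg-002'; Subject = 'Part order';      Body = 'Reorder part number 123-45-6789 from the vendor.' }
    [pscustomobject]@{ Id = 'msg-003'; Subject = 'Tax docs';        Body = 'Social Security Number on file is 000-12-3456.' }
    [pscustomobject]@{ Id = 'msg-004'; Subject = 'W-2 correction';  Body = 'Please update my social security number to 219 09 9999.' }
)

# Format match: 3-2-4 digits separated by hyphens or spaces, excluding values that are
# never issued (area 000, 666, 900-999; group 00; serial 0000).
$ssnPattern = '(?<!\d)(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}(?!\d)'
# Keyword context: a nearby term suggesting the digits are an SSN and not, say, a part number.
$keywordPattern = '(?i)\b(ssn|social security|soc(ial)? sec)\b'

function Find-SsnCandidate {   # hypothetical helper name
    param([Parameter(Mandatory)] $Message, [int] $Window = 60)

    foreach ($m in [regex]::Matches($Message.Body, $ssnPattern)) {
        # Inspect $Window characters on each side of the format match for a keyword.
        $start   = [Math]::Max(0, $m.Index - $Window)
        $end     = [Math]::Min($Message.Body.Length, $m.Index + $m.Length + $Window)
        $context = $Message.Body.Substring($start, $end - $start)
        if ($context -match $keywordPattern) {
            [pscustomobject]@{
                MessageId   = $Message.Id
                Subject     = $Message.Subject
                # Keep the full value out of the review file; the last four digits are enough to triage.
                MaskedMatch = 'XXX-XX-' + $m.Value.Substring($m.Value.Length - 4)
                Reviewed    = $false   # assumed column for the reviewer to flip before any deletion
            }
        }
    }
}

$findings = foreach ($msg in $messages) { Find-SsnCandidate -Message $msg }
$csvPath  = Join-Path ([IO.Path]::GetTempPath()) 'ssn-review.csv'
$findings | Export-Csv -Path $csvPath -NoTypeInformation
$findings | Format-Table -AutoSize
```

Only msg-001 and msg-004 are reported: msg-002 has the right format but no keyword nearby, and msg-003 has a keyword but a value in a range that is never issued.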

Use this when you need transparency, control, and verifiable results...and Microsoft’s tooling can’t get you there alone.

Built to support:

- Exchange Online forensic investigations

- Data discovery audits

- Incident response when emails must be reviewed and removed surgically

If you’re a Microsoft Purview user or partner and you've ever run into the Exchange limitation wall, this should help.

Feel free to fork, adapt, and expand. And if this helped you or your team, I’d love to hear how you use it.

If there’s interest, I’m considering expanding the toolkit to support:

- Scanning for additional Sensitive Information Types (SITs)

- Inspecting attachments for embedded sensitive data

Let me know if these are use cases you’re facing, and I’ll prioritize what helps the most.
