Delete Email Notifications From Teams With Azure Automation

Remove Notifications From Teams

I had an interesting challenge with a customer deployment recently. A retention policy was configured for Teams chat and channel messages – this is all normal and worked fine. The issue occurred with the automatic notifications that are sent by Teams to users' mailboxes notifying them about things like missed messages. While the notifications themselves are useful, a challenge with them is that they also contain the content, or a snippet of the content, of the original Teams message, defeating the purpose of the retention policy to automatically delete chat messages for privacy reasons.

While Teams email notifications can be disabled, they do have value and are useful for catching up on things. The requirement was not to disable them, but to make sure they are removed in line with the retention policy. After giving it some thought, I put together a PowerShell script to remove the email messages from each mailbox and scheduled it through Azure Automation.

The Script

I’ve uploaded the full script to GitHub here but in short, here’s the structure:

  • Connect to the Microsoft Graph using the Graph PowerShell SDK and a managed identity
  • Either get a single user if specified or all users if no user is specified
  • Validate the user / users have mailboxes in Exchange Online
  • If no mailboxes are found, exit
  • If mailboxes are found, loop through each
  • For each mailbox, get the emails from the last 14 days (by default) that have come from “noreply@emeaemail.teams.microsoft.com”
  • For any emails found that are older than 7 days (by default), delete them
  • Format a HTML report of all mails that have been deleted
  • Send this report out if the parameter has been specified

The script is customizable with the following parameters:

  • Mailbox: Used if you want to run on a single mailbox. If this is not specified, the script will run on all mailboxes.
  • DeleteOlderThanDays: Specifies the age threshold for which mails should be deleted. The default is 7 days meaning any mail found that is older than 7 days will be deleted.
  • SearchDays: Specifies the length of time to search. By default this is 14 days. Including a range to search ensures the script doesn’t have to scan every mail in every mailbox each time it runs. As I scheduled the script to run nightly, it was not an issue to keep this value low after the first run for historical mails.
  • SendReportTo: Specifies an email address to send the HTML report to. If not specified, no report will be sent.
  • ReportOnly: Runs the script in Report Only mode, nothing will be deleted but the report will be sent to the recipient in SendReportTo
  • ReportFromAddress: Used to specify the email address the report will be sent from, must be an active address in your tenant.
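
The search-and-delete steps above, narrowed to a single mailbox, as an added sketch (not the author's script from GitHub). It reuses the parameter names and sender address from this page, makes Mailbox mandatory as a simplification, and uses only the Microsoft.Graph.Authentication and Microsoft.Graph.Mail modules; the report columns are assumptions.

```powershell
# Added sketch, not the author's script. Needs Microsoft.Graph.Authentication and
# Microsoft.Graph.Mail; parameter names mirror the ones listed in the article.
param(
    [Parameter(Mandatory)] [string] $Mailbox,   # UPN or object ID of one mailbox
    [int] $DeleteOlderThanDays = 7,
    [int] $SearchDays = 14,
    [switch] $ReportOnly                        # list matches, delete nothing
)

$Sender = 'noreply@emeaemail.teams.microsoft.com'   # sender address from the article

# Authenticate as the Automation Account's system-assigned managed identity.
Connect-MgGraph -Identity | Out-Null

# Graph reports receivedDateTime in UTC, so both cut-offs are computed in UTC.
$now          = (Get-Date).ToUniversalTime()
$searchFrom   = $now.AddDays(-$SearchDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$deleteBefore = $now.AddDays(-$DeleteOlderThanDays)

# Server-side filter: only this sender, only inside the search window.
$filter   = "receivedDateTime ge $searchFrom and from/emailAddress/address eq '$Sender'"
$messages = Get-MgUserMessage -UserId $Mailbox -Filter $filter -All `
    -Property 'id,subject,receivedDateTime,from'

$report = foreach ($msg in $messages) {
    # Re-check the sender client-side so a filter mistake cannot widen the delete.
    if ($msg.From.EmailAddress.Address -ne $Sender) { continue }
    if ($msg.ReceivedDateTime -ge $deleteBefore) { continue }   # newer than the threshold

    $action = 'WouldDelete'
    if (-not $ReportOnly) {
        try {
            Remove-MgUserMessage -UserId $Mailbox -MessageId $msg.Id -ErrorAction Stop
            $action = 'Deleted'
        } catch {
            $action = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Mailbox  = $Mailbox
        Subject  = $msg.Subject
        Received = $msg.ReceivedDateTime
        Action   = $action
    }
}

$report | Sort-Object Received | Format-Table -AutoSize
```

Mail.ReadWrite granted as an application permission covers every mailbox in the tenant, so run with -ReportOnly and review the output before scheduling real deletes.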

The report requires a system-assigned managed identity for the Automation Account and the following application permissions (Figure 1):

  • Directory.Read.All – To get the users and their attributes
  • MailboxSettings.Read – To determine if a user account has a mailbox
  • Mail.ReadWrite – To remove the mails
  • Mail.Send – To send the report
Figure 1: Consent to be added to the Service Principal

Automation Account

The Automation Account that will be used to run the script requires the following PowerShell modules installed (Figure 2):

  • Microsoft.Graph.Authentication – To authenticate to the Graph API
  • Microsoft.Graph.Mail – To interact with the mailboxes and to send the report
  • Microsoft.Graph.Users – To get the user profiles
  • Microsoft.Graph.Users.Actions – To delete the emails
Figure 2: PowerShell Modules for the Automation Account

Once everything is in place for the automation account, the runbook should be linked to a schedule. An example schedule with parameters is shown in Figure 3.

Figure 3: Sample Runbook Schedule

Summary

The Graph API is extremely useful for small tasks like this, particularly when linked with Azure Automation. This is a great example of where you can take an idea and build it from scratch with some really powerful results. Check out the full script on my GitHub along with many other similar tools! https://github.com/smcavinue/AdminSeanMc/blob/master/Graph%20Scripts/graph-DeleteTeamsEmailNotifications.ps1
