Powershell variable help
-
The below is what I came up with to search a target O365 tenant for spam email. It searched by subject line but that can be changed easily enough to meet your needs. If the subject has special characters like hyphen's then in the search box you need to use double quotes to encase the query.
# Will search the supplied Office365 mail tenant for the entered subject line, and soft-delete any emails found with the subject line # Run with standard powershell (not ISE) to have all prompts be presented in front. # $Credential = Get-Credential $SubjectLine = $( Add-Type -AssemblyName Microsoft.VisualBasic [Microsoft.VisualBasic.Interaction]::InputBox('Enter the Subject line') ) Connect-AzureAD -Credential $Credential Connect-IPPSSession -Credential $Credential $Search=New-ComplianceSearch -Name ((Get-Date -Format MM/dd/yyyy-HH:mm) + " " + "MyCompany") -ExchangeLocation All -ContentMatchQuery ("Subject:" + "$SubjectLine") Start-ComplianceSearch -Identity $Search.Identity Write-Host "###########################################################################################################################################################################################" -ForegroundColor Yellow -BackgroundColor Red Write-Host "Last chance to cancel before you're prompted to delete, hit" -ForegroundColor Yellow -NoNewline Write-Host " [CTRL+C]" -ForegroundColor Red -NoNewline Write-Host " to exit if you're unsure or" -ForegroundColor Yellow -NoNewline Write-Host " [ENTER]" -ForegroundColor GREEN -NoNewline Write-Host " to proceeed (You can verify compliance scan by logging into https://compliance.microsoft.com)" -ForegroundColor Yellow Write-Host "Proceed?" -ForegroundColor Yellow $input = Read-Host # Check if running in PowerShell ISE If ($psISE) { # "ReadKey" Not supported in PowerShell ISE. # Show MessageBox UI $Shell = New-Object -ComObject "WScript.shell" $Button = $Shell.Popup("Click OK to Delete Spam", 0, "Purge email?", 0) Return } New-ComplianceSearchAction -SearchName "$Search" -Purge -PurgeType SoftDelete -Confirm Get-PSSession | Remove-PSSession;
If anyone can sort out the special character issue listed above that'd be cool.
-
@DustinB3403 said in Powershell variable help:
In the line below, the shell will just expand $Search to what it is.
You need to enclose it in"
if you have spaces and whatnot in $Search or the shell will interpret the line as commands or options of some kind.New-ComplianceSearchAction -SearchName "$Search" -Purge -PurgeType SoftDelete -Confirm
-
@DustinB3403 I'd like to see the error you're getting when you try to set
$SubjectLine
to a string that includes special characters usingRead-Host
from your original post.As far as your above code block, yes, encasing
$Search
in double quotes is likely going to be your answer. -
@Pete-S Fixed, good eye!
-
@EddieJennings said in Powershell variable help:
@DustinB3403 I'd like to see the error you're getting when you try to set
$SubjectLine
to a string that includes special characters usingRead-Host
from your original post.As far as your above code block, yes, encasing
$Search
in double quotes is likely going to be your answer.It wasn't erroring out, powershell was simply taking
Halloween
as the search and trying to pass the rest off as options. Using this approach gets around that. -
I was curious about how
$
would be treated. Since if you wanted store it as a string, you'd have to do something like this to actually capture the$
as a string rather than a special character.$foo = 'This is a $string'
Here are the results from some tests with everything behaving as I suspected it would.
-
@EddieJennings Yeah there's always a weird off, but I didn't think about if the $ was in the subject, but the subject doesn't need to be exact, just close enough to find the email in question.
This could probably be modified to be more robust for these cases, I'm just unsure of what would fix those types.
-
This is the type of error you get if there are special characters in the subject line that is being search.
Unable to execute the task. Reason: The name of the compliance search "11/10/2020-14:25 "Baby yoda shouldn't eat frog eggs"" contains invalid character(s): ""'"".
-
@DustinB3403 said in Powershell variable help:
This is the type of error you get if there are special characters in the subject line that is being search.
Unable to execute the task. Reason: The name of the compliance search "11/10/2020-14:25 "Baby yoda shouldn't eat frog eggs"" contains invalid character(s): ""'"".
Ah, so the problem isn't getting the search variable in a string, it's using that string to search?
Normally in these cases you need to encode the string.
-
@Pete-S right, there really isn't a great way to fix it and have the ps1 still be flexible for the types of cases one might expect to see.
-
The biggest issue is that if there are special characters, it kind of breaks the whole ordeal, as the $SubjectLine either can't have hyphenated words, or you have to enter the query in double-quotations.
I haven't been able to find a way to sort out the above case so I could simply copy:
New HR policy hasn't been implemented yet, but here's what to look for
from a client request and past and go.It's mostly there in that I can still search for that, but I have to manually double-quote the $SubjectLine in the prompt to be able to create the query and have it succeed.
-
Of course to see what I'm talking about one simply needs to copy the code above to a local PS and test with some made up email subject in your O365 tenant.
-
Would this work?
$foo = Read-Host $foo = '"' + $foo + '"'
Result should be
"Your string enclosed in quotes."
-
@DustinB3403 said in Powershell variable help:
@Pete-S right, there really isn't a great way to fix it and have the ps1 still be flexible for the types of cases one might expect to see.
This is part of the line where you use set up a search on the subject line using the string the user entered:
-ContentMatchQuery ("Subject:" + "$SubjectLine")
The search query should be formatted according to KQL, Keyword Query Language.
https://docs.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-referenceWhat you are doing is just passing the user input to the query but it has to be sanitized before you can do that. Or a user could enter KQL keywords inside the search and it would mess everything up. That's why you have a problem I believe.
-
@Pete-S said in Powershell variable help:
@DustinB3403 said in Powershell variable help:
@Pete-S right, there really isn't a great way to fix it and have the ps1 still be flexible for the types of cases one might expect to see.
This is part of the line where you use set up a search on the subject line using the string the user entered:
-ContentMatchQuery ("Subject:" + "$SubjectLine")
The search query should be formatted according to KQL, Keyword Query Language.
https://docs.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-referenceWhat you are doing is just passing the user input to the query but it has to be sanitized before you can do that. Or a user could enter KQL keywords inside the search and it would mess everything up. That's why you have a problem I believe.
To sanitize user input you have to decide what you want the user to be able to enter and what not.
For instance should the user be allowed to enter wildcards (*
) in the query? International characters? -
@Pete-S That is going to be complete subjective based on the type of spam that might come in.
I follow what you're saying but I'm kind of stuck between having something functional or not (due to this).
-
@DustinB3403 said in Powershell variable help:
@Pete-S That is going to be complete subjective based on the type of spam that might come in.
I follow what you're saying but I'm kind of stuck between having something functional or not (due to this).
Well, you need to decide what you are allowing and not. For instance you have already decided to just use the subject line and not any of the other parts of the email, for instance author.
You need to run the string through regex or something like that to remove characters you are not allowing. It might take more than one string operation to sanitize. I think you can escape any special character you want to allow with backtick `.
Another option would be to allow the user to enter the entire KQL query themselves.
Also if you get an error when trying to apply the search you put out an error "Invalid search input!" and go back to prompt the user for input again. That would be one way so solve problems.