How to use content search in Office 365

A screenshot of the Office 365 content search web UI

Content search is a powerful eDiscovery tool in Office 365. You can use it to identify and/or remove content across Exchange Online mailboxes, Microsoft Teams and other Office 365 products. Read on to learn how to use content search in the Office 365 Security & Compliance Center and PowerShell.

User permissions

In order to be able to run a content search in Office 365, a user must be granted the eDiscovery Manager role group in the Security & Compliance Center by an admin user with Global Admin or Compliance Manager roles.

Note: A user cannot modify their own roles, even if the user is a Global Admin. Roles must be modified by another administrator.

To grant the eDiscovery Manager role to a user:

  1. Click on Permissions in the Security & Compliance Center menu, or go to https://protection.office.com/permissions
  2. Select the eDiscovery Manager role
  3. Click Edit under eDiscovery Administrator, and select the users to add
  4. Click Done

Accessing the content search web UI

To access the content search web UI, go to https://protection.office.com/, and navigate to Search > Content search. If you do not see that item in the menu, your account does not have the proper permissions.

Building query strings

Content search queries are written in Keyword Query Language (KQL). A list of available properties to use when using content search is available on the Microsoft website.

Example query strings

Find every email sent from [email protected]

from:[email protected]

Find every email sent to or from [email protected] during January 2019

(participants:[email protected]) AND (sent:01/01/2019..01/31/2019)

Find every email that has the words “action” and “required” in the subject

Subject:'Action required'

Find every email sent by [email protected] and that contains the exact phrase “Update your account information” in the subject

(From:[email protected]) AND (Subject:"Update your account information")

Setting up PowerShell

PowerShell can also be used to create and manage content searches. To access the Security & Compliance Center using PowerShell, you need to install the Exchange Online Remote PowerShell Module for Multi-Factor Authentication (MFA) on your client system. To do this, log in to the Exchange Admin Center (EAC), click on the hybrid menu item, and click on the configure button under the Exchange Online PowerShell module.

A screenshot of the hybrid page of the Exchange Admin Console (EAC)

Click Install when prompted. This will launch the Microsoft Exchange Online PowerShell module, and create desktop and Start Menu shortcuts for launching it later.

A screenshot of the Microsoft Exchange Online PowerShell install prompt

If you see a message stating “Your administrator has blocked this application because it potentially poses a security risk to your computer. Your security settings do not allow this application to be installed on your computer.”, like the one in the screenshot below, an application might have previously tweaked your security settings, and you’ll need to make a registry change.

A screenshot of the Microsoft Exchange Online PowerShell install prompt being blocked

Open regedit, and navigate to the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel

and change the Internet string value from Disabled to Enabled.

Then, try installing the Exchange Online Remote PowerShell Module again.
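The same registry check and change can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original article; it reads the current value first so the previous setting is recorded before anything is changed, and only touches the value when it is actually set to Disabled.

```powershell
# Added example: inspect and, if needed, restore the ClickOnce prompting level
# for the Internet zone. Run from an elevated (Administrator) PowerShell prompt.
$key  = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'
$name = 'Internet'

if (-not (Test-Path $key)) {
    # No customised prompting level on this machine; ClickOnce uses its defaults,
    # so the install block described above has a different cause.
    Write-Host "Key $key does not exist; no prompting-level override is present."
    return
}

$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
Write-Host "Current '$name' prompting level: $(if ($current) { $current } else { '<not set>' })"

if ($current -eq 'Disabled') {
    # 'Enabled' is the ClickOnce behaviour of prompting the user before
    # installing an application from the Internet zone.
    Set-ItemProperty -Path $key -Name $name -Value 'Enabled'
    Write-Host "'$name' changed from Disabled to Enabled; retry the module install."
} else {
    Write-Host "No change made."
}
```

Because this loosens a policy some other software tightened on purpose, keep the printed previous value so the original setting can be put back once the module is installed. On 64-bit Windows, a 32-bit installer reads the redirected copy of this key under HKLM:\SOFTWARE\Wow6432Node\..., so check that path too if the value above is already Enabled.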

Once the Exchange Online Remote PowerShell Module is installed and open, run the following command:

Connect-IPPSSession -UserPrincipalName <your UPN>

<your UPN> is usually your full email address.

Once you have authenticated, try running 

Get-Help New-ComplianceSearch

If the command cannot be found, your account does not have the required eDiscovery Manager role.

Creating a new content search

To create a new content search in the Security & Compliance Center, click on the New search button. For the most flexibility in your searches, write your query in the Keywords box using the Keyword Query Language (KQL) described above. Or, for easier queries, click the Add condition button, and use the web UI to add conditions.

Although it is tempting to select All locations when creating a search in the web UI, don’t do that! Selecting All locations will likely produce terabytes of unrelated results from files from SharePoint and OneDrive, even if you only used email-related fields in your query.

Instead, select Specific locations, and click on the Modify… link. In the modify locations pane, enable only the locations that are relevant to your search. For example, if you are looking for emails, enable the Select all switch across from the Exchange email and Exchange public folders locations, leave the SharePoint sites and OneDrive accounts locations disabled, and click Save.

A screenshot of the content search location selection pane

Then click Save & run. Give your search a unique name, and an optional description, then click Save. You can check the status of your search by clicking on Status details.

To create a content search using PowerShell instead of the web UI, use the New-ComplianceSearch cmdlet, after connecting to the Security & Compliance Center using the Connect-IPPSSession cmdlet. For example, to create a content search for all emails from [email protected]:

$query = "from:[email protected]"
New-ComplianceSearch -Name "Emails from [email protected]" -ContentMatchQuery $query -ExchangeLocation "All"

The above command creates the search, but it does not run it. To run the search, use the Start-ComplianceSearch cmdlet.

Start-ComplianceSearch "Emails from [email protected]"

To check the status of a search, use the Get-ComplianceSearch cmdlet.

Get-ComplianceSearch "Emails from [email protected]"
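The three steps above (create, start, check status) fit naturally into one script that waits for the search to finish and then reports how many items matched. This is an added example, not code from the original article or from Microsoft; it assumes Connect-IPPSSession has already succeeded with an account holding the eDiscovery Manager role, and the sender address, date range and search name are constructed placeholders. The Status, Items, Size and SuccessResults properties of the search object are the ones used here; no other properties are assumed.

```powershell
# Added example: create a mailbox-only content search, run it, and wait for results.
$searchName = 'Phish from sender@example.com - Jan 2019'   # constructed name

# KQL: mail from one sender, received during January 2019 (constructed values).
$query = 'from:sender@example.com AND received:01/01/2019..01/31/2019'

# -ExchangeLocation All covers every mailbox. No SharePoint or OneDrive location is
# added, which keeps the search from pulling in unrelated files (the "All locations"
# problem described above).
New-ComplianceSearch -Name $searchName -ContentMatchQuery $query -ExchangeLocation All | Out-Null
Start-ComplianceSearch -Identity $searchName

# Poll until the search leaves its running states. 30 seconds is a reasonable interval;
# a large tenant can take many minutes.
$running = @('NotStarted', 'Starting', 'InProgress')
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
    Write-Host ('{0}  {1}' -f (Get-Date -Format 'HH:mm:ss'), $search.Status)
} while ($search.Status -in $running)

if ($search.Status -eq 'Completed') {
    'Matched {0} items, {1} bytes in total' -f $search.Items, $search.Size
    # Per-mailbox breakdown; useful for spotting which users actually received the mail.
    $search.SuccessResults
} else {
    Write-Warning "Search ended with status '$($search.Status)'; inspect it in the web UI."
}
```

Print the per-mailbox breakdown before deciding on any export or purge: a count that is unexpectedly high usually means the query is wider than intended (for example a missing date range), and it is far cheaper to fix the query than to clean up after an over-broad action.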

Viewing and downloading results

While searches can be created and run from PowerShell, viewing and downloading the results must be done through the web UI.

Individual items can be previewed in the search results page by selecting the search and clicking View results. Each item can be downloaded by clicking on the Download Original Item link.

Results can be exported in bulk by selecting the search, and clicking Export results, selecting export options and clicking Export.

Note: More export format options are available through the PowerShell cmdlet New-ComplianceSearchAction with the -Export, -Format, and -ExchangeArchiveFormat parameters.
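As an added example (not from the original article), this is what an export created with those parameters looks like. It assumes an existing, completed search and a connected Connect-IPPSSession; the search name is a constructed placeholder. FxStream and PerUserPst are existing values for -Format and -ExchangeArchiveFormat; the action name "<search name>_Export" follows the cmdlet's naming convention for search actions.

```powershell
# Added example: export the results of a completed content search from PowerShell.
$searchName = 'Phish from sender@example.com - Jan 2019'   # constructed name

$search = Get-ComplianceSearch -Identity $searchName
if ($search.Status -ne 'Completed') {
    throw "Search '$searchName' is not complete (status: $($search.Status)); nothing to export."
}

# FxStream is the Exchange export format; PerUserPst produces one PST per mailbox,
# which keeps each user's messages attributable during a review.
New-ComplianceSearchAction -SearchName $searchName -Export `
    -Format FxStream -ExchangeArchiveFormat PerUserPst | Out-Null

# The export runs asynchronously; its progress is tracked as a search action.
Get-ComplianceSearchAction -Identity "${searchName}_Export" | Format-List Name, Status
```

The download itself still happens in the web UI as described next: once the action's Status reaches Completed, the export appears on the Exports tab with its download key.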

Regardless of how the export was created, the results must be downloaded through the web UI using Microsoft Edge or Internet Explorer. Click on the Exports tab to view the list of completed exports. Select an export and click Download results. This will install the Microsoft Office 365 eDiscovery Export Tool, and provide a key to be used with it to download the export results.

A screenshot of the Microsoft Office 365 eDiscovery Export Tool install prompt

Once the tool is running, paste in the export key, set the storage directory, and click Start.

A screenshot of the Microsoft Office 365 eDiscovery Export Tool

Removing malicious items from mailboxes

The New-ComplianceSearchAction cmdlet can be used with the -Purge parameter to remove malicious items from mailboxes. Note that, as a safety measure, this action removes at most 10 items per mailbox. This scenario is covered in detail in the official Office 365 guide titled Search for and delete email messages in your Office 365 organization.
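The following is an added example (not from the original article or the Microsoft guide) of a purge run the careful way: confirm the search has completed, look at the per-mailbox counts it returned, then soft-delete so the items can be recovered if the query was wider than intended. It assumes a connected Connect-IPPSSession and an existing search; the search name is a constructed placeholder, and the "Location: …, Item count: …" pattern used to parse SuccessResults is an assumption about that string's layout.

```powershell
# Added example: review, then soft-delete, the messages matched by a completed search.
$searchName = 'Phish from sender@example.com - Jan 2019'   # constructed name

$search = Get-ComplianceSearch -Identity $searchName
if ($search.Status -ne 'Completed') {
    throw "Search '$searchName' has not completed (status: $($search.Status))."
}

# Show which mailboxes actually hold matches before touching anything.
# Pattern assumed for the SuccessResults text: "Location: <mailbox>, Item count: <n>".
'Search matched {0} items in total' -f $search.Items
[regex]::Matches($search.SuccessResults, 'Location: (\S+), Item count: (\d+)') |
    Where-Object { [int]$_.Groups[2].Value -gt 0 } |
    ForEach-Object { '{0,-40} {1} item(s)' -f $_.Groups[1].Value, $_.Groups[2].Value }

# SoftDelete moves items to the Recoverable Items folder, so a mistaken purge can be
# undone; HardDelete cannot. The cmdlet prompts for confirmation, which is left on
# deliberately. Only up to 10 items per mailbox are removed per action, so a mailbox
# with more matches needs the action repeated after the previous one completes.
New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete

Get-ComplianceSearchAction -Identity "${searchName}_Purge" | Format-List Name, Status
```

Keep the printed per-mailbox list with the incident record: together with the search name and the action's status it documents exactly what was removed and from whom, which is what a later review of the response will ask for.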
