Search and investigation in the Office 365 Security & Compliance Center

Use the search and investigation features in the Office 365 Security & Compliance Center to quickly find content in mailboxes and documents or search audit logs for various types of user and admin activity. You can also create eDiscovery cases to manage a group of users who may be involved in a legal investigation. The best part of Search & investigation is that you can find all content and user activity, whether it's in Exchange Online, SharePoint Online, or OneDrive for Business, providing you with unified protection for your Office 365 organization.

How to get to the Office 365 search and investigation features

The search and investigation features in Office 365 are accessible by using the Security & Compliance Center. Here's how to get to the page.

To go directly to the Security & Compliance Center:

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the left pane, select Search & investigation to see the search and investigation features.

To go to the Security & Compliance Center from the Office 365 app launcher:

  1. Sign in to Office 365 using your work or school account.

  2. Select the app launcher in the upper-left corner, and then select the Security & Compliance tile.

  3. In the left pane, select Search & investigation to see the search and investigation features.

Search and investigation features

The following list describes the tools that are available under Search & investigation in the Security & Compliance Center, with each tool name followed by its description.
Content search

Use the Content search feature to search mailboxes, public folders, SharePoint Online sites, and OneDrive for Business locations in your Office 365 organization. You can use Content search to run very large searches. You can search all mailboxes and public folders in Exchange Online, all SharePoint Online sites, and all OneDrive for Business locations in a single search. There are no limits on the number of mailboxes and sites that you can search. There are also no limits on the number of searches that can run at the same time. After you run a search, the number of content sources and an estimated number of search results are displayed in the details pane on the search page, where you can preview the results, or export them to a local computer.

If your organization has an Office 365 Enterprise E5 subscription, you can also analyze the results of a content search using Office 365 Advanced eDiscovery. For more information, see Office 365 Advanced eDiscovery.

Audit log search

You can use the audit log search feature to view user and admin activity in your Office 365 organization. You can search for audit log entries for the following types of actions:

  • File, folder, and sharing activity by users in SharePoint and OneDrive for Business.

  • Mailbox activity by users in Exchange.

  • Site admin activity in SharePoint.

  • User admin activity in Azure Active Directory (the directory service for Office 365).

  • Directory admin activity in Azure Active Directory.

  • Admin activity in Exchange.

Note: You (or another admin) must first turn on audit logging before you can start searching the Office 365 audit log. To turn it on, just click Start recording user and admin activity on the Audit log search page in the Security & Compliance Center. (If you don't see this link, auditing has already been turned on for your organization.) See the Audit log search topic for more information.

eDiscovery

Use the eDiscovery page to control who can create, access, and manage Content Searches in your organization. An eDiscovery case allows you to add members to a case, control which types of actions specific case members can perform, place a hold on content locations relevant to a legal case, and associate multiple Content Searches with a single case. You can also export the results of any Content Search that is associated with a case. eDiscovery cases are a good way to limit who has access to Content Searches and search results for a specific legal case in your organization.

You can also use the eDiscovery page to access Advanced eDiscovery, which provides advanced eDiscovery capabilities that help you analyze large, unstructured data sets and reduce the data to what is most relevant to a legal case. Advanced eDiscovery requires an Office 365 Enterprise E5 subscription for your organization. For more information, see Office 365 Advanced eDiscovery.

Supervisory review

Define a supervisory review policy to indicate who in your organization will have their email communications reviewed and who will perform those reviews.

Quarantine

Set up a quarantine for incoming email messages in Office 365 where messages that have been filtered as spam, bulk, or phishing mail can be kept for later review. Both users and admins can work with quarantined messages. Users can work with just their own filtered messages in quarantine. Admins can search for and manage quarantined messages for all users.
