Run a Content Search in the Office 365 Security & Compliance Center

You can use Content Search in the Office 365 Security & Compliance Center to search mailboxes, SharePoint Online sites, and OneDrive for Business locations in your Office 365 organization. Content Search is a new eDiscovery search tool with new and improved scaling and performance capabilities. Use Content Search to run very large eDiscovery searches. You can search all mailboxes, all Exchange public folders, and all SharePoint Online sites and OneDrive for Business locations in a single Content Search. There are no limits on the number of mailboxes and sites that you can search. There are also no limits on the number of searches that can run at the same time. After you run a Content Search, the number of content locations and an estimated number of search results are displayed in the details pane on the Content search page. After you run a Content Search you can preview the results, export the results to a local computer, or prepare the results for analysis in Office 365 Advanced eDiscovery.

Contents   

Create a search

Preview search results

Update search results

Retry a search

Edit a search

Export search results

Prepare search results for analysis in Advanced eDiscovery

More information

Before you begin

  • For an administrator, compliance officer, or eDiscovery manager to have access to the Content search page to perform Content Searches and preview search results, they have to be a member of the eDiscovery Manager role group in the Security & Compliance Center. You don't have to assign additional search permissions in Exchange Online, SharePoint Online, or for OneDrive for Business sites. For more information, see Assign eDiscovery permissions in the Office‍ 365 Security & Compliance Center.

  • There are limits applied to Content Search to maintain the health and quality of services provided to Office 365 organizations. In most cases, you can't modify these limits, but you should be aware of them so that you can take these limits into consideration when planning, running, and troubleshooting searches. For more information, see Limits for Search in the Office 365 Security & Compliance Center.

  • You can use Content Search to search for content in Office 365 groups. This means you can search the group mailbox, shared calendar, and the SharePoint sites associated with an Office 365 group. For information, see Learn about Office 365 groups.

  • See the More information section for estimated search times based on the number of mailboxes that are searched in a single Content Search.

Return to top

Create a search

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the left pane of the Security & Compliance Center, click Search & investigation > Content search.

  4. Click New Add icon .

  5. On the New search page, type a name for the Content Search. This name has to be unique in your organization.

  6. Choose the content locations that you want to search. You can search mailboxes, sites, and public folders in the same search.

    Choose the content locations that you want to search
    1. Search everywhere   Select this option to search all content locations in your organization. When you select this option, you can choose to search all mailboxes (which includes the mailboxes for all Office 365 groups), all SharePoint and OneDrive for Business sites (which includes the sites for all Office 365 groups), and all public folders.

      Click the Search everywhere option to search all content locations
    2. Custom location selection   Select this option to select the mailboxes and sites that you want to search. If you choose this option, you have flexibility to search all content locations for a specific service (such as searching all Exchange mailboxes) or you can search specific content locations for a service. For public folders, you can choose to search all public folders in your Exchange Online organization or not search any public folders.

    Keep the following in mind when adding content locations to search:

    • When you click Add Add Icon to specify mailboxes to search, the mailbox picker that's displayed is empty. This is by design to enhance performance. To add recipients to this list, type a name (a minimum of 3 characters) in the search box and click Search Search icon .

    • You can add inactive mailboxes, Office 365 groups, and distribution groups to the list of mailboxes to search. Dynamic distribution groups aren't supported. If you add an Office 365 group, the group mailbox is searched; the mailboxes of the group members aren't searched.

    • If you don't want to include any mailboxes or sites in a search, select Choose specific mailboxes to search or Choose specific sites to search, but don't add mailboxes or sites to the list.

    • To add sites click Add Add Icon and then type the URL for each site that you want to search. You can also add the URL for the SharePoint site for Office 365 groups.

      Tip: To collect a list of the URLs for the OneDrive for Business sites in your organization, use the script in Step 2 in Assign eDiscovery permissions to OneDrive for Business sites. This script creates a text file that contains a list of all OneDrive for Business sites. To run this script, you'll have to install and use the SharePoint Online Management Shell (see Step 1 in the previous topic). Be sure to append the URL for your organization’s MySite domain to each OneDrive for Business site that you want to search. This is the domain that contains all your OneDrive for Business; for example, https://contoso-my.sharepoint.com. Here's an example of a URL for a user's OneDrive for Business site: https://contoso-my.sharepoint.com/personal/sarad_contoso_onmicrosoft.com.

  7. Click the Include items that have an unrecognized format, are encrypted, or weren't indexed for other reasons if you want to include unindexed items in the statistics of the estimated search results. The number of unindexed items that don't meet the search criteria will be included in the search statistics displayed in the details pane. If an unindexed item matches the search query (because other message or document properties meet the search criteria), it won't be include in the estimated number of unindexed items. However, if an unindexed item is excluded by the search criteria, it won't be included in the estimate of the search results. Unindexed items aren't available for previewing. For more information, see Unindexed items in Content Search.

  8. Click Next.

  9. On the New search page, you can add keywords and conditions to create the search query.

    Create a search query with keywords and conditions
    1. In the box under What do you want us to look for?, type a search query in the box. You can specify keywords, message properties such as sent and received dates, or document properties such as file names or the date that a document was last changed. You can use a more complex queries that use a Boolean operator, such as AND, OR, NOT, NEAR, or ONEAR. You can also search for sensitive information (such as social security numbers) in documents, or search for documents that have been shared externally. If you leave the keyword box empty, then all content located in the specified content locations will be included in the search results.

    2. Under Conditions, add conditions to a search query to narrow a search and return a more refined set of results. Each condition adds a clause to the KQL search query that is created and run when you start the search. A condition is logically connected to the keyword query (specified in the keyword box) by the AND operator. That means that items have to satisfy both the keyword query and the condition to be included in the results. This is how conditions help to narrow your results.

    For more information about creating a search query and using conditions, see Keyword queries for Content Search.

  10. Click Search to save the search settings and start the search.

    The search is started. When the search is completed, the following information is displayed in the details pane.

    Search statistics are shown in the details pane of the selected content search
    1. The date and time that the search was last run.

    2. The number (and total size) of items that were found that matched the search query. Examples of item types include email messages, calendar items, and documents. If an item contains multiple instances of a keyword that is being searched for, it's only counted once in the total number of items. For example, if you're searching for words "stock" or "tip" and an email message contains three instances of the word "stock", it's only counted once in the Items field.

    3. The number and total size of unindexed items in the content locations that were searched if you includes unindexed items in the estimated search results, This field isn't displayed if you don't include unindexed items.

    4. The number of each type of content location that was searched. For mailboxes, note that archive mailboxes are included in the total number of mailboxes that were searched. In the previous example, four user mailboxes were searched and the archive mailbox for each of these users is enabled. That's why eight mailboxes are cited in the search statistics.

    5. Links to preview the search results or run the search again to update the search statistics.

    If necessary, click Refresh Refresh icon to update the information in the details pane for the selected search.

Return to top

Preview search results

After a search is successfully completed, you can preview the search results. There are a number of limits related to previewing Content Search results. For more information, see Limits for Search in the Office 365 Security & Compliance Center.

  1. On the Content search page, select a search.

  2. In the details pane, under Results, click Preview search results. The Preview search results page opens, and contains a list of the search result items.

    You can click a column header to sort the results based on subject, type, sender, or the date an item was received in the source mailbox.

  3. To preview an item, select it from the list, and click Show item.

    The item is opened in a new Outlook on the web window.

Note: If you preview the search results for a search that was last run more than 7 days ago, you will be prompted to update the search results. The search is rerun to get the most current results that meet the search query.

Return to top

Update search results

When you update the results of an existing Content Search, the search query is rerun on all specified content locations. The obvious reason to update search results is to get the most recent data.

  1. On the Content search page, select the search that you want to update the results for.

  2. In the details pane, under Results, click Update search results.

    A status messages is displayed saying that the results are being retrieved. When the search is finished, updated information is displayed under Results in the details pane. Note that the date in the Searched on field in the details pane is updated to the current date and time. To refresh the information in the list of Content Searches, click Refresh Refresh icon .

Return to top

Retry a search

If a search returns any errors, you don't have to re-search all of the content locations. You can rerun the search so that only the content locations that failed are search again. To re-search all content locations, you can update the search results.

  1. On the Content search page, select the search that contains the content locations that you want to re-search.

  2. In the details pane, under Error, click Retry search.

    A status messages is displayed saying that the results are being retrieved. When the search is complete, updated information is displayed under Results in the details pane. Note that the date in the Searched on field in the details pane is updated to the current date and time. To refresh the information in the list of searches, click Refresh Refresh icon .

Return to top

Edit a search

You can change the source mailboxes and the search query for an existing Content Search.

  1. On the Content search page, select a search.

  2. In the details pane, under Query, click Edit search.

  3. On the Locations page, you can change which mailboxes, groups, SharePoint sites, or OneDrive for Business sites to search. You can also select (or un-select) to search all public folders in Exchange.

  4. On the Query page, you can edit the search query.

  5. To start the revised search, click Search on either the Sources or Locations page.

    The revised search is started. When the search is completed, the estimated results for the revised search are displayed in the details pane.

Return to top

Export search results

After a search is successfully run, you can export the search results to a local computer. When you export email results, they're downloaded to your computer as PST files. When you export content from SharePoint and OneDrive for Business sites, copies of native Office documents are exported. There are also additional documents and reports that are included with the exported search results. For more information, see Export search results from the Office 365 Security & Compliance Center.

Prepare search results for analysis in Advanced eDiscovery

You can also prepare the search results for further analysis by using Advanced eDiscovery (which requires an E5 subscription). This lets you analyze large, unstructured data sets so you can reduce the amount of data that's relevant to a legal case. For more information, see:

Return to top

More information

  • For a description of the limits that are applied to the Content Search feature, see Limits for Search in the Office 365 Security & Compliance Center.

  • Microsoft collects performance information for Content Searches run by all Office 365 organizations. While the complexity of the search query can impact search times, the biggest factor that affects how long searches take is the number of mailboxes searched. Although Microsoft doesn't provide a Service Level Agreement for search times, the following table lists average search times for a Content Search based on the number of mailboxes included in the search.

    Number of mailboxes

    Average search time

    100

    30 seconds

    1,000

    45 seconds

    10,000

    4 minutes

    25,000

    10 minutes

    50,000

    20 minutes

    100,000

    25 minutes

  • Here's some more information about searching Office 365 groups.

    • When a user's mailbox is searched, any Office 365 group that the user is a member of won't be searched. You have to explicitly add an Office 365 group as a content location for a search. Similarly, when you search an Office 365 group, only the group mailbox is searched; the mailboxes of group members aren't searched unless you specifically add the mailboxes of group members to the search.

    • Run the Get-UnifiedGroup cmdlet in Exchange Online to view properties for an Office 365 group. For example, the following command displays selected properties for an Office 365 group named Senior Leadership Team:

      Get-UnifiedGroup "Senior Leadership Team" | FL DisplayName,Alias,PrimarySmtpAddress,SharePointSiteUrl
      
      DisplayName            : Senior Leadership Team
      Alias                  : seniorleadershipteam
      PrimarySmtpAddress     : seniorleadershipteam@contoso.onmicrosoft.com
      SharePointSiteUrl      : https://contoso.sharepoint.com/sites/seniorleadershipteam
      
  • Content searches created on the Content search page in the Security & Compliance Center aren't displayed on the In-Place eDiscovery & Hold page in the Exchange admin center. This is because the Content Search architecture and the search objects created in the Security & Compliance Center are completely different than the In-Place eDiscovery feature in Exchange Online.

    For the same reason, Content Searches aren't displayed on the eDiscovery cases page in the Security & Compliance Center.

  • What is the difference between restarting and retrying a search? When you restart a search, all content locations that are specified in the search are searched again in a new preview search. However, when you retry a search, only the content locations that failed when the search was last run are searched again.

Return to top

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×