Search and investigation in the Office 365 Security & Compliance Center

Use the search and investigation features in the Office 365 Security & Compliance Center to quickly find content in mailboxes and documents or search audit logs for various types of user and admin activity. You can also create eDiscovery cases to manage a group of users who may be involved in a legal investigation. The best part of Search & investigation is you can find all content and user activity—whether it’s in Exchange Online, SharePoint Online, or OneDrive for Business—providing you with unified protection for your Office 365 organization.

How to get to the Office 365 search and investigation features

The search and investigation features in Office 365 are accessible by using the Security & Compliance Center. Here's how to get to the page.

To go directly to the Security & Compliance Center:

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the left pane, select Search & investigation to see the search and investigation features.

To go to the Security & Compliance Center from the Office 365 app launcher:

  1. Sign in to Office 365 using your work or school account.

  2. Select the app launcher in the upper left corner, and then select the Security & Compliance tile.

  3. In the left pane, select Search & investigation to see the search and investigation features.

Search and investigation features

The following table describes the tools that are available under Search & investigation in the Security & Compliance Center.

Tool

Description

Content search

Use the Content search page to search mailboxes, public folders, SharePoint Online sites, and OneDrive for Business locations in your Office 365 organization. You can use Content Search to run very large searches. You can search all mailboxes and public folders in Exchange Online, all SharePoint Online sites, and all OneDrive for Business locations in a single search. There are no limits on the number of mailboxes and sites that you can search. There are also no limits on the number of searches that can run at the same time. After you run a search, the number of content sources and an estimated number of search results are displayed in the details pane on the search page, where you can preview the results, or export them to a local computer.

If your organization has an Office 365 Enterprise E5 subscription, you can also analyze the results of a content search using Office 365 Advanced eDiscovery. For more information, see Office 365 Advanced eDiscovery.

Audit log search

Use the Audit log search page to view user and admin activity in your Office 365 organization. You can search for audit log entries for the following types of actions:

  • File, folder, and sharing activity by users in SharePoint and OneDrive for Business

  • User and admin activity in Exchange

  • Site admin activity in SharePoint

  • User admin and directory admin activity in Azure Active Directory (the directory service for Office 365)

  • Directory admin activity in Azure Active Directory

  • User and admin activity in Sway

  • User and admin activity in Power BI for Office 365

  • User and admin activity in Microsoft Teams

Note: You (or another admin) must first turn on audit logging before you can start searching the Office 365 audit log. To turn it on, just click Start recording user and admin activity on the Audit log search page in the Security & Compliance Center. (If you don't see this link, auditing has already been turned on for your organization.) See the Audit log search topic for more information.

eDiscovery

Use the eDiscovery page to control who can create, access, and manage eDiscovery cases in your organization. An eDiscovery case allows you to add members to a case, control what types of actions specific case members can perform, place a hold on content locations relevant to a legal case, and associate multiple Content Searches with a single case. You can also export the results of any Content Search that is associated with a case. eDiscovery cases are a good way to limit who has access to Content Searches and search results for a specific legal case in your organization.

If your organization has an Office 365 Enterprise E5 subscription, you can also use eDiscovery cases to analyze the results of a content search by using Office 365 Advanced eDiscovery, which helps you analyze large, unstructured data sets and reduce the amount of data that's most relevant to a legal case. That's because when you create an eDiscovery case in the Security & Compliance Center, you can access that same case in Advanced eDiscovery. For more information, see Office 365 Advanced eDiscovery.

Productivity app discovery

Use the Productivity app discovery page to access Advanced Security Management, where you can set up security alerts that notify you about anomalous and suspicious activity. You can also use Productivity app discovery, which lets you use information from your organization's log files to understand and act on your users' app usage in Office 365 and other cloud apps. Advanced Security Management requires an Office 365 Enterprise E5 subscription for your organization.
