Use Content Search in your eDiscovery workflow

The Content Search feature in the Office 365 Security & Compliance Center allows you to search all mailboxes in your organization. Unlike In-Place eDiscovery in Exchange Online (where you can search up to 10,000 mailboxes), there are no limits for the number of target mailboxes in a single search. For scenarios that require you to perform organization-wide searches, you can use Content Search to search all mailboxes. Then you can use the workflow features of In-Place eDiscovery to perform other eDiscovery-related tasks, such as placing mailboxes on hold and exporting search results. For example, let's say you have to search all mailboxes to identify specific custodians that are responsive to a legal case. You can use Content Search in the Security & Compliance Center to search all mailboxes in your organization to identify those that are responsive to the case. Then you can use that list of custodian mailboxes as the source mailboxes for an In-Place eDiscovery search in Exchange Online. Using In-Place eDiscovery also allows you to put a hold on those source mailboxes, copy search results to a discovery mailbox, and export the search results.

This topic includes a script that you can run to create an In-Place eDiscovery search in Exchange Online by using the list of source mailboxes and search query from a search created in the Security & Compliance Center. Here's an overview of the process:

Step 1: Create a Content Search to search all mailboxes in your organization

Step 2: Connect to the Security & Compliance Center and Exchange Online in a single remote PowerShell session

Step 3: Run the script to create an In-Place eDiscovery search from the Content Search

Step 4: Start the In-Place eDiscovery search

Next steps after creating and running the In-Place eDiscovery search

Step 1: Create a Content Search to search all mailboxes in your organization

The first step is to use the Security & Compliance Center (or Windows PowerShell) to create a Content Search that searches all mailboxes in your organization. There's no limit for the number of mailboxes for a single Content Search. Specify an appropriate keyword query (or a query for sensitive information types) so that the search returns only those source mailboxes that are relevant to your investigation. If necessary, refine the search query to narrow the scope of search results and source mailboxes that are returned.

Note: If the source Content Search doesn't return any results, an In-Place eDiscovery won't be created when you run the script in Step 3. You may have to revise the search query then rerun the Content Search to return search results.

Use the Security & Compliance Center to search all mailboxes

  1. Go to the Office 365 Security & Compliance Center.

  2. Click Search & investigation, click Content search, and then click New Add icon .

  3. On the New search page, type a name for the Content Search.

  4. Under Where do you want us to look?, click Search all mailboxes, and then click Next.

  5. In the box under What do you want us to look for?, type a search query in the box. You can specify keywords, message properties such as sent and received dates, or document properties such as file names or the date that a document was last changed. You can use a more complex queries that use a Boolean operator, such as AND, OR, NOT or NEAR, or you can also search for sensitive information (such as social security numbers) in messages. For more information about creating search queries, see Keyword queries for Content Search.

  6. Click Search to save the search settings and start the search.

    After a while, an estimate of the search results displayed in the details pane. The estimate includes the total size and number of items for the search results. After the search is completed, you can preview the search results. If necessary, click Refresh Refresh icon to update the information in the details pane.

  7. If necessary, refine the search query to narrow the scope of search results and then restart the search.

Use Windows PowerShell to search all mailboxes

You can also use the New-ComplianceSearch cmdlet to search all mailboxes in your organization. The first step is to Connect to the Office 365 Security & Compliance center using remote PowerShell.

Here's an example of using Windows PowerShell to search all mailboxes in your organization. The search query returns all messages sent between January 1, 2015 and June 30, 2015 and that contain the phrase "financial report" in the subject line. The first command creates the search, and the second command runs the search.

New-ComplianceSearch -Name "Search All-Financial Report" -ExchangeLocation all -ContentMatchQuery 'sent>=01/01/2015 AND sent<=06/30/2015 AND subject:"financial report"'
Start-ComplianceSearch -Identity "Search All-Financial Report"

For more information, see New-ComplianceSearch.

Return to top

Verify the number of source mailboxes in the Content Search

A Content Search returns a maximum of 1,000 source mailboxes that contain search results. If there are more than 1,000 mailboxes that contain content that matches the search query, only the top 1,000 mailboxes with the most search results are included in the Content Search that you created in the previous step. So if more than 1,000 mailboxes contain search results, some of those mailboxes won't be included in the list of source mailboxes copied to the new In-Place eDiscovery search created in Step 3.

To help you create a Content Search with no more than 1,000 source mailboxes, follow these steps to run a script that displays the number of source mailboxes (that contain search results) returned by the Content Search you created in Step 1.

  1. Save the following text to a Windows PowerShell script file by using a filename suffix of .ps1. For example, you could save it to a file named SourceMailboxes.ps1.

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True,Position=1)]
        [string]$SearchName
    )
    
    $search = Get-ComplianceSearch $SearchName
    if ($search.Status -ne "Completed")
    {
                    "Please wait until the search finishes.";
                    break;
    }
    
    $results = $search.SuccessResults;
    if (($search.Items -le 0) -or ([string]::IsNullOrWhiteSpace($results)))
    {
                    "The Content Search " + $SearchName + " didn't return any useful results.";
                    break;
    }
    
    $mailboxes = @();
    $lines = $results -split '[\r\n]+';
    foreach ($line in $lines)
    {
        if ($line -match 'Location: (\S+),.+Item count: (\d+)' -and $matches[2] -gt 0)
        {
            $mailboxes += $matches[1];
        }
    }
    
    "Number of mailboxes that have search hits: " + $mailboxes.Count
  2. In a Windows PowerShell session that's connected to the Security & Compliance Center, go to the folder where the script you created in the previous step is located, and then run the script; for example:

    .\SourceMailboxes.ps1
  3. When prompted by the script, type the name of the Content Search that you created in Step 1.

    The script displays the number of source mailboxes that contain search results.

If there are more than 1,000 source mailboxes, try creating two (or more) Content Searches. For example, search half of your organization's mailboxes in one Content Search and the other half in another Content Search. You could also change the search criteria to reduce the number of mailboxes that contain search results. For example, you could include a date range or refine the keyword query.

Return to top

Step 2: Connect to the Security & Compliance Center and Exchange Online in a single remote PowerShell session

The next step is to connect Windows PowerShell to both the Security & Compliance Center and to your Exchange Online organization. This is necessary because the script that you run in Step 3 requires access to the Content Search cmdlets in the Security & Compliance Center and the In-Place eDiscovery cmdlets in Exchange Online.

  1. Save the following text to a Windows PowerShell script file by using a filename suffix of .ps1. For example, you could save it to a file named ConnectEXO-CC.ps1.

    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session -DisableNameChecking
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session -AllowClobber -DisableNameChecking
    $Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Exchange Online + Compliance Center)"
  2. On your local computer, open Windows PowerShell, go to the folder where the script that you created in the previous step is located, and then run the script; for example:

    .\ConnectEXO-CC.ps1

How do you know if this worked? After you run the script, cmdlets from the Security & Compliance Center and Exchange Online are imported into your local Windows PowerShell session. If you don’t receive any errors, you connected successfully. A quick test is to run a Security & Compliance Center cmdlet—for example, Install-UnifiedCompliancePrerequisite—and an Exchange Online cmdlet, such as Get-Mailbox.

Return to top

Step 3: Run the script to create an In-Place eDiscovery search from the Content Search

After you create the dual Windows PowerShell session in Step 2, the next step is to run a script that will convert an existing Content Search to an In-Place eDiscovery search. Here's what the script does:

  • Prompts you for the name of the Content Search to convert.

  • Verifies that the Content Search has completed running. If the Content Search doesn't return any results, and In-Place eDiscovery won't be created.

  • Saves a list of the source mailboxes from the Content Search that contain search results to a variable.

  • Creates a new In-Place eDiscovery search, with the following properties. Note that the new search isn't started. You'll start it in step 4.

    • Name      The name of the new search uses this format: <Name of Content Search>_MBSearch1. If you run the script again and use the same source Content Search, the search will be named <Name of Content Search>_MBSearch2.

    • Source mailboxes      All mailboxes from the Content Search that contain search results.

    • Search query      The new search uses the search query from the Content Search. If the Content Search includes all content (where the search query is blank) the new search will also have a blank search query and will include all content found in the source mailboxes.

    • Estimate only search      The new search is marked as an estimate-only search. It won't copy search results to a discovery mailbox after you start it.

  1. Save the following text to a Windows PowerShell script file by using a filename suffix of ps1. For example, you could save it to a file named CreateMBSearchFromComplianceSearch.ps1.

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True,Position=1)]
        [string]$SearchName,
    
        [switch]$original,
    
        [switch]$restoreOriginal
    )
    
    $search = Get-ComplianceSearch $SearchName
    if ($search.Status -ne "Completed")
    {
    	"Please wait until the search finishes";
    	break;
    }
    
    $results = $search.SuccessResults;
    if (($search.Items -le 0) -or ([string]::IsNullOrWhiteSpace($results)))
    {
    	"The Content Search " + $SearchName + " didn't return any useful results";
    	"A mailbox search object wasn't created";
    	break;
    }
    
    $mailboxes = @();
    $lines = $results -split '[\r\n]+';
    foreach ($line in $lines)
    {
        if ($line -match 'Location: (\S+),.+Item count: (\d+)' -and $matches[2] -gt 0)
        {
            $mailboxes += $matches[1];
        }
    }
    
    $msPrefix = $SearchName + "_MBSearch";
    $I = 1;
    $mbSearches = Get-MailboxSearch;
    while ($true)
    {
        $found = $false;
        $mbsName = "$msPrefix$I";
        foreach ($mbs in $mbSearches)
        {
            if ($mbs.Name -eq $mbsName)
            {
                $found = $true;
                break;
            }
        }
    
        if (!$found)
        {
            break;
        }
    
        $I++;
    }
    
    $query = $search.KeywordQuery;
    if ([string]::IsNullOrWhiteSpace($query))
    {
        $query = $search.ContentMatchQuery;
    }
    
    if ([string]::IsNullOrWhiteSpace($query))
    {
    	New-MailboxSearch "$msPrefix$i" -SourceMailboxes $mailboxes -EstimateOnly;
    }
    else
    {
    	New-MailboxSearch "$msPrefix$i" -SourceMailboxes $mailboxes -SearchQuery $query -EstimateOnly;
    }
    
  2. In the Windows PowerShell session that you created in Step 2, go to the folder where the script that you created in the previous step is located, and then run the script; for example:

    .\CreateMBSearchFromComplianceSearch.ps1

  3. When prompted by the script, type the name of the Content Search that you want to covert to an In-Place eDiscovery search (for example, the search that you created in Step 1) , and then press Enter.

    If the script is successful, a new In-Place eDiscovery search is created with a status of NotStarted. Run the command Get-MailboxSearch <Name of Content Search>_MBSearch1 | FL to display the properties of the new search.

Return to top

Step 4: Start the In-Place eDiscovery search

The script that you run in Step 3 creates a new In-Place eDiscovery search, but doesn't start it. The next step is to start the search so you can get an estimate of the search results.

  1. In the Exchange admin center (EAC), go to Compliance management > In-Place eDiscovery & Hold.

  2. In the list view, select the In-Place eDiscovery search that you created in Step 3.

  3. Click Search Search icon > Estimate search results to start the search and return an estimate of the total size and number of items returned by the search.

    The estimates are displayed in the details pane. Click Refresh Refresh icon to update the information displayed in the details pane.

  4. To preview the results after the search is completed, click Preview search results    in the details pane.

Return to top

Next steps after creating and running the In-Place eDiscovery search

After you create and start the In-Place eDiscovery search that was created by the script in Step 3, you can use the normal In-Place eDiscovery workflow to perform different eDiscovery actions on the search results.

Create an In-Place Hold

  1. In the EAC, go to Compliance management > In-Place eDiscovery & Hold.

  2. In the list view, select the In-Place eDiscovery search that you created in Step 3, and then click Edit Edit icon .

  3. On the In-Place Hold page, select the Place content matching the search query in selected mailboxes on hold check box and then select one of the following options:

    • Hold indefinitely   Choose this option to place items returned by the search on an indefinite hold. Items on hold will be preserved until you remove the mailbox from the search or remove the search.

    • Specify number of days to hold items relative to their received date   Choose this option to hold items for a specific period. The duration is calculated from the date a mailbox item is received or created.

  4. Click Save to create the In-Place Hold and restart the search.

Return to top

Copy the search results

  1. In the EAC, go to Compliance management > In-Place eDiscovery & Hold.

  2. In the list view, select the In-Place eDiscovery search that you created in Step 3.

  3. Click Search Search icon , and then click Copy search results from the drop-down list.

  4. In Copy Search Results, select from the following options:

    • Include unsearchable items   Select this check box to include mailbox items that couldn’t be searched (for example, messages with attachments of file types that couldn’t be indexed by Exchange Search).

    • Enable de-duplication   Select this check box to exclude duplicate messages. Only a single instance of a message will be copied to the discovery mailbox.

    • Enable full logging   Select this check box to include a full log in search results.

    • Send me mail when the copy is completed   Select this check box to get an email notification when the search is completed.

    • Copy results to this discovery mailbox   Click Browse to select the discovery mailbox where you want the search results copied to.

  5. Click Copy to start the process to copy the search results to the specified discovery mailbox.

  6. Click Refresh Refresh icon to update the information about the copying status that is displayed in the details pane.

  7. When copying is complete, click Open to open the discovery mailbox to view the search results.

Return to top

Export the search results

  1. In the EAC, go to Compliance management > In-Place eDiscovery & Hold.

  2. In the list view, select the In-Place eDiscovery search that you created in Step 3, and then click Export to a PST file.

  3. In the list view, select the In-Place eDiscovery search you want to export the results of, and then click Export to a PST file.

  4. In the eDiscovery PST Export Tool window, do the following:

    • Click Browse to specify the location where you want to download the PST file.

    • Click the Enable deduplication checkbox to exclude duplicate messages. Only a single instance of a message will be included in the PST file.

    • Click the Include unsearchable items checkbox to include mailbox items that couldn’t be searched (for example, messages with attachments of file types that couldn’t be indexed by Exchange Search). Unsearchable items are exported to a separate PST file.

  5. Click Start to export the search results to a PST file.

    A window is displayed that contains status information about the export process.

Return to top

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×