Office 365 Security and Compliance Search

By March 14, 2018Office 365

If you’re trying to track down who sent out those company secrets or correspondence regarding a legal issue, you can use the Office 365 Security and Compliance features.

First, Set Up Proper eDiscovery Permissions

Open Office 365 using Microsoft Edge. Log on as an administrator and open the “Security and Compliance” console:

Office 365 Security and Compliance or Office 365 Security and Compliance

Permissions should only be granted to the level needed to perform the task at hand. For a deeper explanation of Compliance permissions, check out this Microsoft article.

For this particular case we will be assigning the “eDiscovery Manager” permissions.

Select “Permissions”, “eDiscovery Manager” and edit the eDiscovery Manager to add the account which will be doing the eDiscovery:

Office 365 Security and ComplianceNote: Exchange and eDiscovery permissions are completely separate.

Select “Choose eDiscovery Manager”:

Office 365 Security and Compliance

Select Add:

Office 365 Security and ComplianceSelect the user or users and select “Add”, “Done”, “Save”, then ”Close”.

After assigning that user the eDiscovery permissions, give Office 365 time to propagate those changes. This usually takes less than 15 minutes. If you are using that account I would recommend logging off while it propagates.

Create a Content Search

Drill down to “Search and Investigations” and “Content search”, as shown below:

Office 365 Security and ComplianceClick on the + to add a new search, name the search and specify locations to search and click “Next”, as shown below:

Office 365 Security and ComplianceNow put in your search keywords and/or any conditions. CAUTION! If you put in something too short or vague and don’t qualify it with a condition, you may get more results than you intended.

Office 365 Security and ComplianceNote: you can change the conditions as needed if you don’t get the results intended.

Once you click “Search” it will begin immediately searching your “indexed” database.

Note: Indexed means email and data it can scan and index. It may skip attachments or larger email threads. Soft deleted items are also indexed.

To the right you will see the search results. As you can see below my search grabbed the one email regarding “internal company takeover plans”. To view what specific emails it found you can “preview search results”:

Office 365 Security and ComplianceNote: If you did not properly define the permissions on step 1 or allow them time to propagate you may get an error saying you do not have preview permissions.

Opening the Preview Search Results:

Office 365 Security and ComplianceIf you click on “Download Original Item” you can download the email as .eml.

If you would like to export the results to a CSV file, go to “Export report to a computer” and click on “Generate report” underneath it, as shown below:

Office 365 Security and ComplianceSelect the options you need for your export.

Office 365 Security and ComplianceIt will then change the prompt to “Download report”, as shown below:

Office 365 Security and ComplianceSkip to step “Transferring the data onsite report or PST”.

If you need to export all the emails to PST under “Export results to a Computer” click “Start Export” as shown below:

Office 365 Security and ComplianceSelect the options you need for your export, keeping in mind the sizes of the PST files that may be created. The bigger the files the more likely for corruption and download issues.

Office 365 Security and ComplianceIt will then change the prompt to “Download exported results”, as shown below:

Office 365 Security and Compliance

Transferring the Data into OnsiteReport or PST:

Whether you download PSTs or the report, you will receive an export key as shown below. Copy it and then click on “download results”:

Office 365 Security and ComplianceYou will then download and install the eDiscovery Export Tool:

You will then be prompted for the export key and path on your local system for the data:

It will then begin downloading the data:

When finished, the report, PST file or files will be in a subdirectory under the path you specified.

Note: Soft deleted emails will be listed and exportable by the query till they are hard deleted from the mailboxes.

Note: This can also be used to delete small batches of emails such as companywide phishing email blasts.

If you have questions about this or other features within Office 365, send us an email or give us a call at 502-240-0404!