If you’re trying to track down who sent out those company secrets or correspondence regarding a legal issue, you can use the Office 365 Security and Compliance features.
First, Set Up Proper eDiscovery Permissions
Open Office 365 using Microsoft Edge. Log on as an administrator and open the “Security and Compliance” console:
Permissions should only be granted to the level needed to perform the task at hand. For a deeper explanation of Compliance permissions, check out this Microsoft article.
For this particular case we will be assigning the “eDiscovery Manager” permissions.
Select “Permissions”, “eDiscovery Manager” and edit the eDiscovery Manager to add the account which will be doing the eDiscovery:
Note: Exchange and eDiscovery permissions are completely separate.
Select “Choose eDiscovery Manager”:
Select the user or users and select “Add”, “Done”, “Save”, then ”Close”.
After assigning that user the eDiscovery permissions, give Office 365 time to propagate those changes. This usually takes less than 15 minutes. If you are using that account I would recommend logging off while it propagates.
Create a Content Search
Drill down to “Search and Investigations” and “Content search”, as shown below:
Click on the + to add a new search, name the search and specify locations to search and click “Next”, as shown below:
Now put in your search keywords and/or any conditions. CAUTION! If you put in something too short or vague and don’t qualify it with a condition, you may get more results than you intended.
Note: you can change the conditions as needed if you don’t get the results intended.
Once you click “Search” it will begin immediately searching your “indexed” database.
Note: Indexed means email and data it can scan and index. It may skip attachments or larger email threads. Soft deleted items are also indexed.
To the right you will see the search results. As you can see below my search grabbed the one email regarding “internal company takeover plans”. To view what specific emails it found you can “preview search results”:
Note: If you did not properly define the permissions on step 1 or allow them time to propagate you may get an error saying you do not have preview permissions.
Opening the Preview Search Results:
If you click on “Download Original Item” you can download the email as .eml.
If you would like to export the results to a CSV file, go to “Export report to a computer” and click on “Generate report” underneath it, as shown below:
Select the options you need for your export.
It will then change the prompt to “Download report”, as shown below:
Skip to step “Transferring the data onsite report or PST”.
If you need to export all the emails to PST under “Export results to a Computer” click “Start Export” as shown below:
Select the options you need for your export, keeping in mind the sizes of the PST files that may be created. The bigger the files the more likely for corruption and download issues.
It will then change the prompt to “Download exported results”, as shown below:
Transferring the Data into OnsiteReport or PST:
Whether you download PSTs or the report, you will receive an export key as shown below. Copy it and then click on “download results”:
You will then download and install the eDiscovery Export Tool:
You will then be prompted for the export key and path on your local system for the data:
It will then begin downloading the data:
When finished, the report, PST file or files will be in a subdirectory under the path you specified.
Note: Soft deleted emails will be listed and exportable by the query till they are hard deleted from the mailboxes.
Note: This can also be used to delete small batches of emails such as companywide phishing email blasts.