Microsoft Tech Community

Content Search in fully automated way with PowerShell

Hello,

I'm trying to create a PowerShell script that will, among other things, perform eDiscovery Content Search and export of user's mailboxes and OneDrive content.

I use standard method to create and perform the Content Search with Connect-IPPSSession, New-ComplianceSearch, Start-ComplianceSearch and New-ComplianceSearchAction cmdlets.

It all works very well if I authenticate to O365 with the account that is a member of eDiscovery Management role. But since my solution needs to be fully automated, I cannot use user account for authentication. Instead I need to use a Service Principal.

So, I created an App Registration in Azure Portal and used New-ServicePrincipal cmdlet to create the associated service principal in Exchange Online. I gave the Service Principal the following permissions:

API Permissions:

Office 365 Exchange Online Exchange.Manage (Delegated)

Office 365 Exchange Online Exchange.ManageAsApp (Application)

I made the service principal the member of the following Role Groups in both Azure AD and Compliance portal:

Global Administrator, Exchange Administrator, Compliance Administrator and eDiscovery Management.

I used Add-eDiscoveryCaseAdmin cmdlet to add the Service Principal as eDiscovery Administrator in eDiscovery Management role.


When I connect to IPPSSession using the Service Principal and try to create and use the Content Search against a user mailbox the following happens.

The search gets created. I can start the search. The search runs and eventually gets finished. But the search result always comes out empty, 0 items found. As mentioned above, if I perform that same search under user account that is a member of eDiscovery Management role, I get the expected results.

 

Any help on this would be appreciated.

Thanks.

2 Replies
That used to work, though currently I also seem to have trouble with the compliance center cmdlets when using app context. I'll give it some time to replicate the changes, just in case, and test again. But it doesn't hurt to open a case with MS in the meantime, as you have performed all the needed steps.

For the sake of testing, can you add the SP as member of the specific case and check if it makes a difference? Also, are there any compliance security filters configured in your org (Get-ComplianceSecurityFilter)?
Hi @Vasil Michev
Thanks for the reply. I did file a ticket with Microsoft and am waiting for their response. As far as I understand, you need to create an advanced eDiscovery case in order to add users to it. I can't use Advanced eDiscovery as I don't have license for it. It has to be a simple content search. Get-ComplianceSecurityFilter comes up empty, so no filters are set.
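
The app-only flow discussed in this thread, as an added example that is not code from any of the posters or from Microsoft: it connects with the service principal, lists compliance security filters, runs one mailbox search and reports the item count so the result can be compared with the same search run under a user account. It assumes certificate-based app-only authentication; every value in angle brackets is a placeholder, and the search name and query are constructed for illustration.

```powershell
#requires -Modules ExchangeOnlineManagement
# Added example. All angle-bracket values are placeholders, not taken from the thread.
$AppId        = '<app-registration-client-id>'
$Thumbprint   = '<certificate-thumbprint>'
$Organization = '<tenant>.onmicrosoft.com'
$Mailbox      = '<user@example.com>'
$SearchName   = "sp-diag-$(Get-Date -Format yyyyMMddHHmmss)"   # constructed name

# App-only (service principal) connection to Security & Compliance PowerShell.
Connect-IPPSSession -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $Organization

try {
    # A security filter can scope what a search returns, so record them first.
    $filters = @(Get-ComplianceSecurityFilter)
    Write-Host "Compliance security filters found: $($filters.Count)"
    $filters | Format-Table FilterName, Users, Filters, Action -AutoSize

    # Create and start a search against a single mailbox.
    New-ComplianceSearch -Name $SearchName -ExchangeLocation $Mailbox `
        -ContentMatchQuery 'kind:email' | Out-Null
    Start-ComplianceSearch -Identity $SearchName

    # Poll until the search completes or the 15-minute deadline passes.
    $deadline = (Get-Date).AddMinutes(15)
    do {
        Start-Sleep -Seconds 15
        $search = Get-ComplianceSearch -Identity $SearchName
    } while ($search.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

    # Summary to compare against the same search run under a user account.
    [pscustomobject]@{
        Search = $search.Name
        Status = $search.Status
        Items  = $search.Items
        Size   = $search.Size
        Errors = $search.Errors
    } | Format-List

    if ($search.Status -eq 'Completed' -and $search.Items -eq 0) {
        Write-Warning 'Search completed with 0 items in the app-only context.'
    }
}
finally {
    # Remove the diagnostic search and close the session.
    Remove-ComplianceSearch -Identity $SearchName -Confirm:$false -ErrorAction SilentlyContinue
    Disconnect-ExchangeOnline -Confirm:$false
}
```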