Data investigation capabilities in Office 365 in Public Preview

Published 04-30-2019 09:00 AM

In talking to our customers, we learned that IT and security operations roles need a more efficient way to contain a data spill by quickly identifying the impacted content and taking immediate action to remediate the risk.


Unfortunately, in the past, this process involved several different tools, such as content search, audit log search, and a variety of PowerShell cmdlets.


Today, we are excited to share new data investigation capabilities in Office 365 that are now available in preview. With these new capabilities, you can search for sensitive, malicious, or misplaced data across Office 365, investigate what happened, and take the appropriate actions to remediate the spillage.


Read further to understand what data investigation capabilities in Office 365 can do: 


Advanced search


Target relevant content across Office 365. Quickly identify potential sources in both personal and shared content locations. You can also triage data with conditions, keywords and advanced search functionality to cull the initial collection down to a smaller set. Once the evidence is narrowed to a reasonable data set, you can process and validate the content.




Review and investigate the data


Once you are ready to process and validate the impacted content, you can review individual documents and evaluate the data to determine if further action is required.




Remediate risk by taking immediate action


Finally, you can remediate and mitigate a data spill incident and limit damage to the organization by deleting the impacted data so that end users can no longer access the content. Today this is done through PowerShell, but we plan on providing a UI experience at the end of May.
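The three steps above (scope the search, review the hits, remediate) as one scripted flow. This is an added example, not the post's or the data investigation feature's own code: it uses the standard Security & Compliance Center cmdlets from the ExchangeOnlineManagement module (New-ComplianceSearch, New-ComplianceSearchAction, Get-Mailbox) rather than any cmdlet specific to the preview, and the search name, query and addresses are constructed placeholders. It assumes an account permitted to run compliance searches and purge actions (the Search And Purge role) and to read mailbox hold settings.

```powershell
# Added example (not from the original post): scripted spill remediation with the
# standard Security & Compliance Center cmdlets. Search name and query are constructed.
$SearchName = "Spill-2019-04-30-PayrollExport"                              # hypothetical case name
$Query      = 'subject:"Payroll export" AND attachment:"payroll_q1.xlsx"'   # constructed KQL query

Connect-IPPSSession       # Security & Compliance PowerShell: search and purge actions
Connect-ExchangeOnline    # Exchange Online PowerShell: mailbox hold settings

# 1. Advanced search: target only the spilled content with a keyword query instead of
#    sweeping whole mailboxes, so the collection starts small.
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $SearchName
} while ($search.Status -ne "Completed")

# 2. Review: list the locations that actually contain hits. SuccessResults holds one
#    line per location, e.g. "{Location: user@contoso.com, Item count: 3, Total size: 12345}".
$hits = foreach ($line in ($search.SuccessResults -split '\r?\n')) {
    if ($line -match 'Location:\s*(?<loc>[^,]+),\s*Item count:\s*(?<n>\d+)' -and [int]$Matches.n -gt 0) {
        [pscustomobject]@{ Location = $Matches.loc.Trim(); Items = [int]$Matches.n }
    }
}
$hits | Format-Table -AutoSize

# 3. Preserve evidence before remediating (the "destruction of evidence" concern raised in
#    the comments): an export action keeps a copy of the matched items for the case file.
New-ComplianceSearchAction -SearchName $SearchName -Export | Out-Null

# 4. Holds: note which affected mailboxes are under Litigation Hold or an in-place hold.
#    Items purged from a mailbox on hold stay in Recoverable Items rather than being removed,
#    so the legal team should know which locations fall into that category.
$onHold = foreach ($h in $hits) {
    $mbx = Get-Mailbox -Identity $h.Location -ErrorAction SilentlyContinue
    if ($mbx -and ($mbx.LitigationHoldEnabled -or $mbx.InPlaceHolds.Count -gt 0)) {
        $mbx.PrimarySmtpAddress
    }
}
if ($onHold) { "Mailboxes on hold: $($onHold -join ', ')" }

# 5. Remediate: soft delete (recoverable) is the action the post describes. A purge action
#    removes at most 10 items per mailbox per run, so re-run it for larger spills.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null

# 6. Record the outcome of the purge action for the incident log.
$purge = Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
"{0}: {1}" -f $purge.Name, $purge.Status
```

The order matters: the export in step 3 runs before the purge in step 5 so that the evidence set is captured before anything is removed, and the hold check in step 4 explains why some hit counts will not drop to zero after a soft delete.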




Get started today


Review our supporting documentation and try the data investigation capabilities in Office 365 in Preview today.


Also, let us know what you think! We want to hear from you. Fill out this short survey for us if you are interested in us reaching out to you.

Super Contributor

Survey is not open for anonymous users.

Super Contributor

Also, it looks like this is for the new Compliance center, which was retracted for some customers (e.g. those with only Office 365 licenses).

Occasional Contributor

@Oleg K The screen shots are all from SC&C, rather than 

Occasional Contributor

@Caroline Shin Nice re-use of existing capabilities for a new solution area. Cool.


Does the Evidence show whether a recipient has viewed the message / spilled data? Deleting it when they haven't viewed or read it means the data spill was contained before causing a problem. If they have viewed it and the offending emails are then deleted, does this become a situation of deliberate destruction of evidence of a data breach?

Occasional Contributor

@Caroline Shin Thinking ... how far beyond Office 365 can you reach? If the customer has Microsoft 365 / Intune / Microsoft Defender ATP, can you detect whether a document that was spilled was saved outside of OneDrive or SharePoint to a user's local device - and if so, delete it from there too?

Occasional Contributor

@Caroline Shin Any thoughts about using Microsoft's AI capabilities to analyze why the data spillage happened (parameters / attributes / etc.) and then auto-recommending the right mitigation in Office 365 to prevent it from happening again in the future? This would greatly help organizations subject to GDPR, for example by showing that they have technical capabilities that are improving and getting better in response to real-life situations.

Super Contributor

I don't think you can remove data from an external recipient's system, even if they are using Office 365 services. You could abuse this service to remove something you have sent and retract your decisions, destroying evidence of agreeing to something.

Occasional Contributor

@Oleg K If that's about my question re local hard drive, my question was in the context of an employee who works for the org in which the investigation is started, not about an external recipient. My question is about whether this capability in Office 365 can link through to complementary capabilities in Enterprise Mobility + Security if data has been moved out of Office 365 storage locations. Does that make sense?

Super Contributor

I see. Well, I guess maybe if the device is managed with the help of WIP. Not sure if WIP can do that. Same with mobile. If it uses MAM, then you shouldn't be able to save work data into a non-work environment. If it is fully managed, then maybe it can do selective deleting, but not sure either. Maybe this new feature is only about deleting stuff from Office 365 services (email, OneDrive, SPO, Teams). Will leave that to MS to answer.


@Michael Sampson @Oleg K Thank you for the detailed feedback. With the initial version of the tool, users can search for spilled O365 content within the organization, investigate and delete them. Before deleting the offending data, users will also be able to collect the search results as "evidence" to address the situation you mentioned as "destruction of evidence of data breach".


Looking ahead, we plan to add more intelligence to assist investigation as well as different types of remedial actions other than deletion. So suggestions and feedback like yours are valuable to us in shaping the product. If you are interested in providing us any additional feedback and haven't done so, please take a short moment to fill out this survey.

Senior Member

When choosing to mark an email for deletion, will this also remove emails put on hold with Retention Policies or Litigation Hold? If so, will they be completely removed from the dumpster, purges and versions?


@Erik Fryksén In the future, users will be provided with options to delete items with a recovery period (soft delete), permanently delete items without a recovery period (hard delete) and, if needed, override a legal hold with an appropriate approval workflow as well as thorough auditing. The initial release of the remedial action will be soft delete (June CY19).

Version history: last updated May 11 2021 03:44 PM.