
TomWechsler
Aug 29, 2021

Using the eDiscovery tool for content search in the Microsoft 365 Compliance Center!

 

Dear Microsoft 365 Friends,

 

This article is about the eDiscovery (content search) tool in Microsoft 365. Before we start, a quick word about licenses. In order to work with the tool, you need the necessary licenses. Please have a look at the following link:
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-core-ediscovery?view=o365-worldwide

 

In my case, I had to clarify the question of whether emails with certain words were sent or received. To clarify this, I created a content search with eDiscovery. I will explain exactly how this is done in the next steps.

We start our investigation in the Microsoft 365 Admin Center. On the left side click on "Show All" (if not everything is displayed) and select the Compliance Center.

 

In order to work with eDiscovery we need the necessary permissions. Click on Permissions.

 

In the "Compliance Center" category, click "Roles".

 

Search for eDiscovery Manager and click on this Role Group. This will give you the details of this Role Group.

 

Navigate down and you will see "eDiscovery Manager" and "eDiscovery Administrator". For this demo, I added my account to the "eDiscovery Administrator". This is not necessarily following the concept of "working with the least privileges" (but absolutely OK for this demo). In a production environment, you can assign a person the role of "eDiscovery Manager" in an eDiscovery case (we'll get to that in a moment). Thus, this person only gets access to this one eDiscovery case. Click on "edit".

 

Click on "edit" again.

 

Find the user and click on "add" and then on "done".

 

In the "Compliance Center", navigate to eDiscovery and select "Core".

 

Click on "Create a case".

 

Enter a name and, if you want, a description, and click "save". We have now only created the "container" but not configured anything yet. We will change that in a moment.

 

Navigate to "Searches" and click on "New search".

 

Specify a name and description. Then click on "next".

 

Now select the locations. This selection depends very much on your search. Then click on "next".

 

As the keyword, I use the search term "Testversion". The goal is to find emails that contain this word. If you want, you can work with conditions to limit this search. I like to start very general to get an overview; narrowing can be done later. Then click on "next".

 

And now "Submit".

 

Depending on the size of the organization and the number of objects that need to be examined, it can take a very long time until the status "Completed" is reached. Allow yourself time.

 

If the status is "Completed", click on your search and you will get a "Summary". At the bottom click on "Review sample".

 

Bingo! We see a list of emails, and in the first email we already see our keyword.

 

Sure, this wasn't super exciting, but I still wanted to share this information with you.

I hope this article was helpful for you. Thank you for taking the time to read this article.

 

Best regards, Tom Wechsler
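
The portal steps above can also be scripted in Security & Compliance PowerShell. This is an added example, not part of the original post: the UPNs, case name and search name are placeholders, and it assumes the ExchangeOnlineManagement module is installed and the signed-in admin may manage role groups and cases.

```powershell
# Added example: scripted equivalent of the portal walkthrough above.
# Assumptions (placeholders): both UPNs, the case name and the search name.
$AdminUpn     = 'admin@example.com'
$Investigator = 'investigator@example.com'
$CaseName     = 'Demo case'
$SearchName   = 'Keyword search Testversion'

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName $AdminUpn

# Least privilege: put the investigator in the eDiscovery Manager role group
# (not eDiscovery Administrator), then grant access to this one case only.
Add-RoleGroupMember -Identity 'eDiscoveryManager' -Member $Investigator

# Create the case "container" and add the investigator as a case member.
New-ComplianceCase -Name $CaseName -Description 'Keyword investigation' | Out-Null
Add-ComplianceCaseMember -Case $CaseName -Member $Investigator

# Search all mailboxes for the keyword; start broad and narrow the query later.
New-ComplianceSearch -Name $SearchName -Case $CaseName `
    -ExchangeLocation All -ContentMatchQuery 'Testversion' | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Large tenants can take a long time; poll until the status is "Completed".
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $SearchName
    Write-Host "Status: $($search.Status)"
} while ($search.Status -ne 'Completed')

# Summary of the finished search: number of hits and total size.
$search | Format-List Name, Status, Items, Size

# Equivalent of "Review sample": create a preview action and read its results.
# The preview runs asynchronously, so Results may be empty until it completes.
New-ComplianceSearchAction -SearchName $SearchName -Preview | Out-Null
Get-ComplianceSearchAction -Identity "${SearchName}_Preview" |
    Format-List Status, Results

Disconnect-ExchangeOnline -Confirm:$false
```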

  • dkafrissenrvk
    Hi Tom
    Frustratingly, there is little documentation I can find for doing Boolean searches in eDiscovery.
    According to the documentation, they list AND, OR, NOT and NEAR.
    The first three are straightforward, but the NEAR one I assume is like what I learned (thirty years ago, geesh) would be w/3 to say one word within three, but NEAR isn't explicit for how much to search.
    And then there are the research, to, participants fields. I want to exclude any email that is sent to my own domain, so I only want outgoing mail from my company where no one else is copied. I've been using NOT recipient:<domain>
    And then there is the question of using parentheses: are these allowed?

    I have created some fake emails between myself and myself one inside domain and one out (actually two but doesn't matter) and I do a search for (term or term),NOT recipeint:<domain> and a date range of a few days.

    This returns no information at all and it really should as I created a few back and forth.

    So that's where I am, if you know any good references I can look up I'd appreciate the share.

    Thanks
    David
    • Trine_Morsing
      How does a customer turn it off? The customer has turned it off in the O365 admin portal, but we made a script and it seems that it is still on.
