Using the eDiscovery tool for content search in the Microsoft 365 Compliance Center!
Dear Microsoft 365 Friends, This article is about the eDiscovery (content search) tool in Microsoft 365. Before we start, a quick word about licenses. In order to work with the tool, you need the necessary licenses. Please have a look at the following link: https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-core-ediscovery?view=o365-worldwide In my case I had to clarify the question, would emails with certain words be sent or received. To clarify this, I created a content search with eDiscovery. How this is done exactly, I will explain in the next steps. We start our investigation in the Microsoft 365 Admin Center. On the left side click on "Show All" (if not everything is displayed) and select the Complicane Center. In order to work with eDiscovery we need the necessary permissions. Click on Permissions. In the "Compliance Center" category, click "Roles". Search for eDiscovery Manager and click on this Role Group. This will give you the details of this Role Group. Navigate down and you will see "eDiscovery Manager" and "eDiscovery Administrator". For this demo, I added my account to the "eDiscovery Administrator". This is not necessarily following the concept of "working with the least privileges" (but absolutely OK for this demo). In a Productive environment, you can assign a person the role of "eDiscovery Manager" in an eDiscovery case (we'll get to that in a moment). Thus, this person only gets access to this one eDiscovery case. Click on "edit". Click on "edit" again. Find the user and click on "add" and then on "done". In the "Compliance Center", navigate to eDiscovery and select "Core". Click on "Create a case". Enter a name and if you want a description and click "save". We have now only created the "container" but not configured anything yet. We will change that in a moment. Navigate to "Searches" and click on "New search". Specify a name and description. Then click on "next". Now select the locations. This selection depends very much on your search. Then click on "next". For keyword I use as search term "Testversion". The goal is to find emails that contain this word. If you want you can work with conditions to limit this search. I like to start very general to get an overview, narrowing can be done later. Then click on "next". And now "Submit". Depending on the size of the organization and the number of objects that need to be examined, it can take a very long time until the status "Completed" is reached. Allow yourself time. If the status is "Completed", click on your search and you will get a "Summary". At the bottom click on "Review sample". Bingo! We see a list of emails, and in the first email we already see our keyword. Sure this wasn't super exciting, but I still wanted to share this information with you. I hope this article was helpful for you? Thank you for taking the time to read this article. Best regards, Tom Wechsler
Don't Delete! Mark it as Junk instead
One common mistake among most users and even IT administrators is they are deleting Spam and Malicious messages from their Inbox (those messages that bypass Anti-Spam). Deleting message just delete it and won't help anyone else. But you should mark it as Junk instead. Doing so , not only place the message into spam folder but it also notify the Anti-Spam engine that there was a message which classified incorrectly and if the same message send to other people, it will be blocked.
ATP Safe Links are automatically unsubscribing users from email lists
We turned on ATP safe links a few weeks ago, and I have multiple reports of people being automatically unsubscribed from email lists they want to remain members of. In each case the messages sent to list members includes a "Click-to-unsubscribe" link in the footer. It seems that either ATP is activating the unsubscribe script when it probes the link, or when it rewrites the URL. There are a couple of lists that between 500 and 1000 of our users subscribe to, and they were all unsubscribed the first time that list sent a message after we turned on Safe Links. Is there any way to keep this from happening? I know we can opt users out of safe links, but in this case we need to white list a sender.
Retention stuck pending and Confirming Retention Enabled
So under Security and Compliance/Data Goverence/Retention. We have a policy configured for all exchange mailboxes when I get the retention policy from powershell I see exchange is all But when I do a get-mailbox | ft *reten* or ft *hold* everything show's false So I how do I prove that it's assigned to all mailboxes Also anyone else had a issue if I set a policy and use the Retention - Security & Compliance All locations. Includes content in Exchange email and public folders, Office 365 groups, and OneDrive and SharePoint documents. It get's stuck pending. Seems to be a issue if all users accounts don't have skype enabled. Anyone else seen this as well
