This post demonstrates how to run Microsoft's O365 Compliance Search using PowerShell or the web based user interface (UI). Since I started using compliance search, the original PowerShell cmdlets have been deprecated in favor of the Exchange Online Management v2 cmdlets. The web UI also changed. I’ve written in the past about on-prem Exchange server email search, but that is not applicable here, apart from the search query language, which is the same.
PowerShell O365 Compliance Search
I prefer to run PowerShell, because as you’ll see, it’s much less verbose and time consuming than the web UI. However, for months and months this wasn't available in my environment. That has since changed, but I needed this capability immediately so I got acquainted with the GUI. Also, some people aren't comfortable with PowerShell, so the GUI is the preferred method for them.
Assuming you have the accesses and permissions necessary to perform O365 Compliance Search, I’ll outline the cmdlets you need to start a Security & Compliance PowerShell (or IPPS) session followed by creating, running, and cleaning up a search. Even with PowerShell you can’t escape the web app UI completely as it’s still required to download your results. The UI portion of this tutorial will show how and where to do that.
1. Open PowerShell and create an IPPS session. You will be prompted for your admin credential and 2FA during this step:
Connect-IPPSSession -UserPrincipalName admin_name@org.com
Note: this cmdlet should be present but if it’s not you can run:
Import-Module exchangeonlinemanagement
2. Create your Compliance Search. The -ContentMatchQuery option follows the same query language used for the on-prem Exchange search. Microsoft's documentation, "Keyword queries and search conditions for eDiscovery", has more specifics:
New-ComplianceSearch -Name <search_name> -ExchangeLocation <mailbox(s)|All> -ContentMatchQuery '(to:email@otherorg.com OR subject:"Prefix search term*") AND date:07/20/2021..07/22/2021'
3. Start your compliance search:
Start-ComplianceSearch -Identity <search_name>
4. Export your compliance search results:
New-ComplianceSearchAction -SearchName <search_name> -EnableDedupe $true -ExchangeArchiveFormat SingleZip -Export
Note: the -NotifyEmail option seems like it should email the specified account your exported results but that did not work for me.
5. Download your results from the web app UI (details below).
6. Clean up and remove your compliance search results:
Remove-ComplianceSearchAction -Identity <search_name>_Export -Confirm:$false
Note: I'm skipping the prompt for final confirmation. Remove the -Confirm:$false option if you prefer to be prompted.
7. Clean up and remove your compliance search:
Remove-ComplianceSearch -Identity <search_name> -Confirm:$false
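The seven steps above tied together as one script, so the export is only requested once the search has actually finished (New-ComplianceSearchAction -Export fails on a search that is still running). This is an added example, not code from the original post or from Microsoft. It assumes the ExchangeOnlineManagement module is installed, that the account holds an eDiscovery role, that Get-ComplianceSearch reports a Status of Completed when a search is done, and the admin account, search name, mailbox and query values are placeholders to replace.

```powershell
# Added example: end-to-end compliance search from PowerShell (not the post's own code).
# Placeholders: admin account, search name, mailboxes and query are constructed values.
param(
    [string]$Admin       = 'admin_name@org.com',     # placeholder
    [string]$SearchName  = 'Case-1234-ExternalTo',   # placeholder, constructed
    [string[]]$Mailboxes = @('smithj@org.com'),      # placeholder; use 'All' for every mailbox
    [string]$Query       = '(to:email@otherorg.com OR subject:"Prefix search term*") AND date:07/20/2021..07/22/2021'
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-IPPSSession -UserPrincipalName $Admin        # step 1: prompts for credentials and 2FA

try {
    # Steps 2 and 3: create and start the search
    New-ComplianceSearch -Name $SearchName -ExchangeLocation $Mailboxes -ContentMatchQuery $Query | Out-Null
    Start-ComplianceSearch -Identity $SearchName

    # Poll until the search reports Completed (assumption: Status values seen are
    # NotStarted, Starting, InProgress, Completed). Give up after 30 minutes.
    $deadline = (Get-Date).AddMinutes(30)
    do {
        Start-Sleep -Seconds 15
        $search = Get-ComplianceSearch -Identity $SearchName
        Write-Host ("{0}: {1} items, {2}" -f $search.Status, $search.Items, $search.Size)
    } while ($search.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

    if ($search.Status -ne 'Completed') {
        throw "Search '$SearchName' did not complete in time (status: $($search.Status))"
    }

    # Step 4: stage the export; the results themselves are still downloaded from the web UI (step 5)
    New-ComplianceSearchAction -SearchName $SearchName -EnableDedupe $true -ExchangeArchiveFormat SingleZip -Export | Out-Null
    Write-Host "Export '${SearchName}_Export' queued. Download it from the web UI, then press Enter to clean up."
    Read-Host | Out-Null

    # Steps 6 and 7: remove the export action first, then the search itself
    Remove-ComplianceSearchAction -Identity "${SearchName}_Export" -Confirm:$false
    Remove-ComplianceSearch -Identity $SearchName -Confirm:$false
}
finally {
    # Always tear down the IPPS session, even if a step above threw
    Disconnect-ExchangeOnline -Confirm:$false
}
```

The try/finally matters more than it looks: a failed New-ComplianceSearch or a timed-out poll would otherwise leave the remote session open, and the search and export objects remain visible to every other eDiscovery user until someone deletes them, which is why the cleanup steps are kept in the same script.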
This info is copied from the linked Microsoft documentation but I’m adding it here (edited) to highlight some important search tips:
- Keyword searches are not case-sensitive (i.e., cat and CAT return the same results).
- The Boolean operators AND, OR, NOT, and NEAR must be uppercase.
- A space between two keywords or two property:value expressions is the same as using AND.
- Use syntax that matches the property:value format.
- Values are not case-sensitive and they can't have a space after the operator.
- When searching a recipient property, such as To, From, Cc, or Recipients, you can use an SMTP address, alias, or display name to denote a recipient. For example, you can use smithj@org.com, smithj, or "John Smith".
- You can use only prefix searches; for example, cat* or set*. Suffix searches (*cat), infix searches (c*t), and substring searches (*cat*) are not supported.
- If a search property consists of multiple words (i.e., it has a space), enclose it in double quotation marks " ".
- To exclude content marked with a certain property value from your search results, place a minus sign - before the name of the property (e.g., -from:"John Smith").
Also note that when viewing your search query in the web app UI you may see keyword query logical operators added: (c:c) or (c:s). The former is similar in functionality to the AND operator and the latter to the OR operator.
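The rules above are easy to get wrong by hand (a lowercase "and" silently becomes a keyword, a leading wildcard silently returns nothing), so here they are encoded as a small query builder plus a checker for the mistakes the list calls out. This is an added example, not code from the original post or from Microsoft; the function names New-ContentMatchQuery and Test-ContentMatchQuery are my own, and the recipients, subjects and dates used at the bottom are constructed sample values.

```powershell
# Added example: build a -ContentMatchQuery string that follows the documented rules.
function New-ContentMatchQuery {
    param(
        [string[]]$To,           # SMTP addresses, aliases or display names (ORed together)
        [string[]]$Subject,      # subject terms; only a trailing * wildcard is allowed
        [datetime]$From,
        [datetime]$Until,
        [string[]]$ExcludeFrom   # senders to exclude with -from:
    )
    $clauses = @()
    # A value containing whitespace must be wrapped in double quotes to stay one value
    $quote = { param($v) if ($v -match '\s') { '"' + $v + '"' } else { $v } }

    if ($To) {
        $clauses += '(' + (($To | ForEach-Object { 'to:' + (& $quote $_) }) -join ' OR ') + ')'
    }
    if ($Subject) {
        foreach ($s in $Subject) {
            # Only prefix searches are supported: reject *cat, c*t and *cat*
            if ($s -match '^\*' -or $s -match '\*(?!$)') {
                throw "Unsupported wildcard in subject term '$s' (only a trailing * is allowed)"
            }
        }
        $clauses += '(' + (($Subject | ForEach-Object { 'subject:' + (& $quote $_) }) -join ' OR ') + ')'
    }
    if ($From -and $Until) {
        # Date range in the MM/dd/yyyy..MM/dd/yyyy form used in the post, culture independent
        $inv = [cultureinfo]::InvariantCulture
        $clauses += 'date:' + $From.ToString('MM/dd/yyyy', $inv) + '..' + $Until.ToString('MM/dd/yyyy', $inv)
    }
    if ($ExcludeFrom) {
        $clauses += ($ExcludeFrom | ForEach-Object { '-from:' + (& $quote $_) }) -join ' '
    }
    # Separate conditions are ANDed; the operator has to be uppercase
    return ($clauses -join ' AND ')
}

# Added example: flag the common mistakes listed in the search tips above.
function Test-ContentMatchQuery {
    param([string]$Query)
    $problems = @()
    # Lowercase boolean operators are searched as ordinary keywords (case-sensitive match)
    if ($Query -cmatch '\b(and|or|not|near)\b') { $problems += 'lowercase boolean operator' }
    # A space after the colon breaks property:value matching
    if ($Query -match '\w+:\s') { $problems += 'space after property operator' }
    # A leading * means a suffix, infix or substring search, which is unsupported
    if ($Query -match '(^|[\s:("])\*\w') { $problems += 'leading wildcard' }
    return $problems
}

# Constructed sample inputs (not real mailboxes)
$query = New-ContentMatchQuery -To 'email@otherorg.com', 'John Smith' `
    -Subject 'Prefix search term*' -From '2021-07-20' -Until '2021-07-22' -ExcludeFrom 'noreply@org.com'
$query
Test-ContentMatchQuery -Query 'to:user@otherorg.com and subject: *cat'
```

Run Test-ContentMatchQuery on any hand-written query before passing it to New-ComplianceSearch; the builder's sample call yields a query that passes the checker, while the deliberately broken string on the last line trips all three checks.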
Web Application UI O365 Compliance Search
The steps highlighted below achieve the same results as the PowerShell listed above; it’s just a lot more clicking. Also note that regardless of where you run your search you need to download your results from the web app.
In the screenshots below I’ve changed data that could be an opsec leak or completely removed it. I’ve also taken screenshots from various searches on different days as I refined this write-up. If you notice some peculiarities in the data this is why. However, the process is sound and these minor details will not impact it.
1. Click on Content Search.
2. Create a new Content Search by clicking on the + sign.
3. Name your Content Search and, optionally, add a Description. Click Next.
4. Select your Content Search locations. I’ve only searched Exchange mailboxes. After doing that click on Choose users, groups, or teams to select your search target mailboxes.
5. Enter a semicolon (;) delimited list of target mailboxes you want to search then press Enter to search for them. After the results are returned you must click the checkbox next to them or they will not be included in your search. Then click Done. I made this mistake multiple times and couldn’t figure out why I was getting zero search results.
6. Confirm your target search mailbox selections by viewing the number of mailboxes you selected then click Next.
7. This is where you define your search query. There are a variety of ways to do this and for the purposes of this tutorial I’ll show you two options.
a. You can use a keyword list by clicking the appropriate checkbox. Items on each row are the same as a logical OR. You can see below I’m using the keyword query language with the To: searchable property. All different conditions within your query are treated with a logical AND. My next condition is a range of dates using Between. And finally I’m searching for a subject with the Contains any of option. I assume this is treating my subject with a prefix, postfix, or both wildcard (I’m unsure). As far as I could tell, if you add different subjects on new lines it treats each of them as a logical OR.
b. Somewhat interestingly, there is a To condition you can add by clicking the plus + next to the Add condition text. However, this option will only let you add mailboxes that exist within your enterprise. If, for instance, you want to search for email sent to an address outside of your organization you can’t add it under this condition option.
8. If you use the Show keyword list option you can have a maximum of 20 entries, no more. If you exceed that you’ll get this error.
9. Before running your search, you get a chance to review your settings, including your Search Criteria. Submit your search to proceed.
10. Congrats, your search has been created.
11. This is a similar, but alternate, way to run a search.
a. In this option you supply the logical operators of interest (e.g., OR, AND). You are also not limited to 20 total keywords. The rest of the query is the same as the above with the exception that I added a second subject to search.
b. Of note is that you can enter your entire query in the Keywords condition box. This would be the same format as what was used in a PowerShell query with the -ContentMatchQuery option, e.g.:
to:user1@otherorg.com AND subject:"sketchy business*" AND date:07/15/2021..07/20/2021
12. Like with the first example, you can review your search settings before proceeding. You’ll get the same search created confirmation as seen above.
13. Now that you have created a content search, you can search for it from the long list of other searches (side note: this seems like an opsec fail/info leakage as you can view searches performed by anybody else, unless they delete them). You do this to view the status as well as to take several other actions such as editing, rerunning, or exporting a report of your search results.
14. After finding your search, click on it for a current summary. Click Actions for more options. Alternatively, you can click Review sample to view the returned results directly in the web UI.
15. To export your results (i.e., download a local copy of your search results) click on Export results.
16. The exported results options below are self explanatory, so select what you prefer or deem appropriate. The settings I chose are highlighted below and are what I found to work best. I used PowerShell to clean up my data so I clicked Individual messages versus a PST. I also did not like zipping the results as it zips each individual mailbox. If you run a search that has 50 mailboxes you’ll have to unzip each one to proceed (you could of course script the unzipping with PowerShell if you have download speed concerns).
17. Doing the above still doesn’t download your data. You have to go back to the Export dialog and search for your export (note: _Export will get appended to your search name). From there select your export for more options.
18. First, click Copy to clipboard to save a copy of your export key in memory. Then click Download results.
19. You’ll likely get a warning dialog confirming whether you really want to download this file. Click Open.
20. If this is your first time doing this you may be prompted to make a one-time software download (sorry, I didn’t get a screenshot). You’ll need to do this to proceed. After that you’ll want to paste in your export key. You will also specify your download location. Click Start.
21. Your download will start. If it has successfully completed you will see the three green check marks. Click Close.
22. The final phase of your compliance search is to clean up your search query and your export results. First locate your export, select Actions, then Delete.
23. Confirm you want to delete your export.
24. Next locate your search as before and follow the same process as step 22: click Actions then Delete. To confirm the deletion of your search click Yes.
25. The next three screenshots are a view of what to expect your locally downloaded data to look like. Keep in mind my export options from above. I chose individual files (versus a PST). Each mailbox that returned search results will have a respective directory.
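For the case in step 16 where the export was zipped per mailbox, and for checking what step 25's directory layout actually contains, here is the unzip-and-summarize script the post alludes to. This is an added example, not code from the original post. It assumes the export folder holds one zip or one directory per mailbox, as the post describes, and the export path is a placeholder; the function names Expand-ExportZips and Get-ExportSummary are my own.

```powershell
# Added example: unpack per-mailbox zips from a compliance search export and summarize them.
function Expand-ExportZips {
    param([string]$ExportRoot)
    # One zip per mailbox: extract each into a directory named after the zip
    Get-ChildItem -Path $ExportRoot -Filter '*.zip' -File | ForEach-Object {
        $dest = Join-Path $_.DirectoryName $_.BaseName
        if (-not (Test-Path -LiteralPath $dest)) {
            Expand-Archive -LiteralPath $_.FullName -DestinationPath $dest
        }
        $dest
    }
}

function Get-ExportSummary {
    param([string]$ExportRoot)
    # One directory per mailbox that returned results; count files and total size per mailbox
    Get-ChildItem -Path $ExportRoot -Directory | ForEach-Object {
        $files = @(Get-ChildItem -Path $_.FullName -Recurse -File)
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{
            Mailbox = $_.Name
            Files   = $files.Count
            SizeMB  = [math]::Round(($bytes -as [double]) / 1MB, 2)
        }
    }
}

$root = 'C:\Exports\<search_name>_Export'   # placeholder: your chosen download location
Expand-ExportZips -ExportRoot $root | Out-Null
Get-ExportSummary -ExportRoot $root | Sort-Object Files -Descending | Format-Table -AutoSize
```

The summary is a quick sanity check against the item count Get-ComplianceSearch or the web UI reported for the search; a mailbox directory with zero files usually means the download was interrupted or that mailbox's zip failed to extract.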