Preamble:
Compliance searches are all about being surgical. Gather as many details as you can from TAC or the client.
The following data points are recommended:
- Date Email was sent
- Author / Sender (from)
- Recipient (to)
- Subject Line
Make sure to use Edge for this procedure
Use the following link to get to the compliance Search Page
Content search - Microsoft 365 compliance
To Start a new search, click “New Search”
Fill in the name and description of the search
In “Name”, make sure to descriptively name what you are looking for. Recommendation: end the name of the search with who is performing the search
In “Description”, add any conditions that were provided to you.
On the next page click “Choose users, groups or teams”
Whenever possible, select the fewest number of users (preferably just the sender or recipient). The searches will be considerably faster and there is less chance of unintended data loss when doing an email delete / recall.
Select your user, make sure to check the checkbox next to their name
Verify that you have selected the minimum number of users
Now define as many search conditions as you can.
I recommend the following search conditions
• Date
• Keywords
• To
• Subject
Return to the Content Search homepage
Content search - Microsoft 365 compliance
If your search was narrow, the compliance search should finish very quickly.
Sort the runs by “Last run time”
Click on your search
At the bottom of the pane (that pops up on the right), click “Action” and “Export results”
On the new pane, under “Export Exchange content as”, select “One PST file containing all messages” for ease of browsing.
Click “Export”
Return to the Content Search homepage
Content search - Microsoft 365 compliance
If your search was narrow, the compliance export should finish very quickly.
Click on the “Export” tab on the top left and sort by “Last export start time”
Ensure that you are looking at the latest exports (down arrow)
Select your export
On the pane that opens from the right:
Important: First, grab the key from the “Export Key section” via “Copy to clipboard”
Then click “Download Results”
A new window will pop up
Paste the export key in your clipboard into the first text box
Additionally, set the location you want to save the PST to via “Browse”
When you have done both, click “Start”
If you were surgical with your conditions, this export should complete quickly as well
Open Outlook Desktop
Note: If you do not normally use Outlook and don’t have a profile, use the following run command:
Windows Key + R: ‘Outlook.exe /PIM "Your profile name"’
In Outlook, click on “File” on the top left, “Open & Export”, and “Open Outlook Data File”
Select the *.pst file that you downloaded
Please note that the PST file will be several directories “deeper” than the location that you chose earlier
Under the PST file “Exchange”, navigate to the folder of interest
You should see the email matching your search conditions.
To perform a compliance search delete:
Install the Exchange Online module
Install-Module -Name ExchangeOnlineManagement
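Connect to Security & Compliance PowerShell (the compliance search cmdlets are exposed in this session, not in the Exchange Online session; Connect-IPPSSession ships in the same module)
Connect-IPPSSession -UserPrincipalName username@mirumpharam.com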
List the compliance searches
Get-ComplianceSearch
Soft Delete the messages
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete
Monitor Completion of the delete
Get-ComplianceSearchAction
Hard Delete the messages
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete
Monitor Completion of the delete
Get-ComplianceSearchAction
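Added example (not part of the original procedure): a pre-purge check that wraps the soft delete step above, so a search that is wider than intended is stopped before anything is removed. It assumes a Security & Compliance PowerShell session is already connected; $SearchName, $MaxItems and $MaxMailboxes are hypothetical values to set per case.

```powershell
# Added example: guard rails around the soft delete step.
# Assumes Connect-IPPSSession has already been run in this window.
# $SearchName, $MaxItems and $MaxMailboxes are hypothetical; set them per case.
$SearchName   = "Remove Phishing Message"
$MaxItems     = 25   # most hits expected from a surgical search
$MaxMailboxes = 5    # most mailboxes the search should be scoped to

$search = Get-ComplianceSearch -Identity $SearchName -ErrorAction Stop

# 1. The search must have finished, otherwise the item count is not final.
if ($search.Status -ne 'Completed') {
    throw "Search '$SearchName' is '$($search.Status)'; wait for Completed before purging."
}

# 2. Refuse to purge a search that is wider than intended.
$locations = @($search.ExchangeLocation)
if ($locations -contains 'All' -or $locations.Count -gt $MaxMailboxes) {
    throw "Search covers '$($locations -join ', ')'; narrow the mailbox scope first."
}
if ($search.Items -eq 0) { throw "Search matched no items; nothing to purge." }
if ($search.Items -gt $MaxItems) {
    throw "Search matched $($search.Items) items (limit $MaxItems); tighten the conditions."
}

# 3. Show the operator exactly what is about to be removed.
$search | Format-List Name, ContentMatchQuery, ExchangeLocation, Items, Size

# 4. Soft delete. The cmdlet's own confirmation prompt is left enabled on purpose.
#    Note: a purge removes at most 10 items per mailbox per run.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete `
    -ErrorAction Stop | Out-Null

# 5. Poll the purge action (named "<search name>_Purge") with a bounded wait.
$actionName = "${SearchName}_Purge"
$tries = 0
do {
    Start-Sleep -Seconds 15
    $action = Get-ComplianceSearchAction -Identity $actionName -ErrorAction Stop
    Write-Host "$(Get-Date -Format T)  $actionName : $($action.Status)"
    $tries++
} while ($action.Status -ne 'Completed' -and $tries -lt 40)

# 6. Keep the result text with the ticket as a record of what was purged.
$action | Format-List Name, Status, Results
```

If any check throws, go back to the search conditions and mailbox selection, rerun the search, and only then repeat the purge.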