The New Compliance Search in Exchange 2016

Up to Exchange 2013 we used Search-Mailbox to delete suspicious spam emails circulating in the organization.

Starting with Exchange 2016 there is a new cmdlet, New-ComplianceSearch, for performing this action.
In Exchange 2016, the New-ComplianceSearch cmdlet was introduced to search for and delete messages. There is no limit on the number of mailboxes in a single search when using New-ComplianceSearch. With Search-Mailbox, you can only search a maximum of 10,000 mailboxes in a single search.

Search-Mailbox is still available and working on Exchange 2016 servers as well.

Example to create a compliance search:
New-ComplianceSearch -Name "New Phishing Message" -ExchangeLocation "All"

https://exchangequery.files.wordpress.com/2017/03/ncs.png?w=600

The cmdlet accepts only a few parameters, but at least these two are needed for useful searches:

ContentMatchQuery – The ContentMatchQuery parameter specifies a content search filter and uses KQL (Keyword Query Language) syntax.

Example:

New-ComplianceSearch -Name "Remove Phishing Message" -ExchangeLocation "All" -ContentMatchQuery "'virus' AND 'your account closure'"

ExchangeLocation – This parameter specifies the mailboxes to search.

Accepted values are:
  1. A specific mailbox.
  2. A distribution group.
  3. All – when we specify All, it searches all mailboxes.

Force – The command only executed when this parameter was specified. Not sure why this was the case.

There is also an option to modify an existing search with the Set-ComplianceSearch cmdlet.

Important Note:
When a new compliance search is created, a shadow In-Place eDiscovery search is created along with it and appears on the In-Place eDiscovery & Hold page in the EAC, as below.

https://exchangequery.files.wordpress.com/2017/03/ncs1.png?w=600
But its status will be Not Started, and we can see this by running Get-MailboxSearch as well.

Microsoft recommends deleting this auto-created shadow In-Place eDiscovery search and instead running the Microsoft-provided script from the New-ComplianceSearch page, which converts an existing compliance search into an In-Place eDiscovery search.

So when we run Get-ComplianceSearch we should see the compliance searches we created.

But when we run Get-MailboxSearch we should not see any shadow In-Place eDiscovery search created for them.

In short, the procedure is as follows:

  1. Create a new compliance search.
  2. Remove the shadow In-Place eDiscovery search created for the new compliance search.
  3. Run the script provided in step 3 of this TechNet article – Compliance Search
  4. Start the In-Place eDiscovery search – Start-MailboxSearch
  5. Create an In-Place Hold
  6. Copy the search results
  7. Export the search results
  8. Use New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete to delete the message
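The cmdlet-only path through steps 1, 2 and 8 above, with a hit-count check before anything is purged, as an added example that is not part of the original post. It assumes an Exchange 2016 Management Shell session with eDiscovery permissions, that the shadow In-Place eDiscovery search carries the same name as the compliance search, and illustrative search name and KQL terms; the script, hold and export steps (3 to 7) are left to the article.

```powershell
# Added example (not from the original post). Assumes an Exchange 2016
# Management Shell session with eDiscovery/Compliance permissions; the
# search name and KQL terms below are illustrative placeholders.
$SearchName = 'Remove Phishing Message'                  # assumed name
$Query      = 'subject:"your account closure" AND virus'  # assumed KQL

# Step 1: create the search across all mailboxes (no 10,000-mailbox cap).
New-ComplianceSearch -Name $SearchName -ExchangeLocation All `
    -ContentMatchQuery $Query -Force | Out-Null

# Step 2: remove the auto-created shadow In-Place eDiscovery search.
# Assumption: the shadow search has the same name as the compliance search.
Get-MailboxSearch | Where-Object { $_.Name -eq $SearchName -and $_.Status -eq 'NotStarted' } |
    Remove-MailboxSearch -Confirm:$false

# Run the compliance search itself and poll until it finishes.
Start-ComplianceSearch -Identity $SearchName
do {
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity $SearchName
} while ($search.Status -ne 'Completed')

# Review what matched before doing anything destructive: total item count
# plus the per-mailbox summary (location, item count, size).
"Items matched: {0}" -f $search.Items
$search.SuccessResults

# Step 8: purge only after the preview confirms the hits are the phishing
# message. SoftDelete keeps items recoverable; the action removes at most
# 10 items per mailbox, so a larger hit count needs repeated actions.
if ($search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false
    # The purge action is named "<SearchName>_Purge"; check its outcome.
    Get-ComplianceSearchAction -Identity "${SearchName}_Purge" | Format-List Status, Results
}
```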

Tips:

When we run the compliance search .ps1 script provided by Microsoft, we should enter the name of the new compliance search we created, as below:

https://exchangequery.files.wordpress.com/2017/03/ncs3.png

While creating the In-Place Hold it is better to fill in all the available fields.

https://exchangequery.files.wordpress.com/2017/03/ncs5.png?w=600

Once the search completes, there is an option to preview the search results through a delegated admin account.

https://i0.wp.com/exchangequery.files.wordpress.com/2017/03/ncs6.png?w=596&h=151&crop&ssl=1

https://i0.wp.com/exchangequery.files.wordpress.com/2017/03/ncs7.png?w=218&h=75&crop&ssl=1

After that the data can be exported as a PST.

https://exchangequery.files.wordpress.com/2017/03/ncs9.png

After that, the New-ComplianceSearchAction command should be used to remove the emails.

Note:

  1. New-ComplianceSearch can delete only 10 emails per mailbox in a single command, though there is no limit on the number of mailboxes to search.
  2. Search-Mailbox can delete up to 10,000 emails per mailbox in a single command.
  3. New-MailboxSearch will most likely be deprecated in future updates, since this cmdlet will no longer be available in Office 365 from July 2017 as per the TechNet source.