Office 365 Mailboxes: Steps to Execute Search Operation
In Office 365, search can be used to find in-place items from email, documents, Skype for Business and Microsoft Teams. In this article we will look at the steps to search emails in mailboxes hosted in Office 365.
The search and delete operation can be executed when an important confidential message has been sent by mistake to unintended recipients, when a suspicious message has been circulated to a few users, or when the message is a phishing email. An admin can run into any of the above scenarios and be asked to perform this action.
In Office 365 we can use the native Search-Mailbox cmdlet, compliance search, or the content search available in the Office 365 Security and Compliance Center.
Search-Mailbox works the same way as what we have on-premises. We have to be a member of the Mailbox Search and Mailbox Import Export role groups to execute the search and delete operation.
We need to establish a PSSession to Office 365 as below:
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Search-Mailbox
https://exchangequery.files.wordpress.com/2018/11/smbx0.png?w=600
Then we need to execute the search operation, choosing the search parameters, search query and operators that match the data we need to find.
Example of a basic search that only logs the results to a target mailbox:
Search-Mailbox -Identity mbx@domain.com -SearchQuery 'subject:test' -LogOnly -LogLevel Full -TargetMailbox mbx@domain.com -TargetFolder SearchResults
https://exchangequery.files.wordpress.com/2018/11/smbx.png?w=600
https://exchangequery.files.wordpress.com/2018/11/smbx1.png?w=600
The delete operation can be used to delete the content.
Search-Mailbox -Identity mbx@domain.com -SearchQuery 'subject:test' -DeleteContent
https://exchangequery.files.wordpress.com/2018/11/smbx2.png?w=600
Compliance Search
We can use the compliance search operation to search and delete emails from mailboxes present in Office 365. We need to establish a new PSSession to the compliance endpoint as below.
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
https://exchangequery.files.wordpress.com/2018/11/cs1.png?w=600
Once connected, we can initiate a new compliance search with the New-ComplianceSearch cmdlet.
First, the search needs to be created with New-ComplianceSearch, the required parameters and a content match query.
New-ComplianceSearch -Description Marketing-Search -Name MarketingTeam -ExchangeLocation alias@domain.com -ContentMatchQuery "'Teach English in China'"
https://exchangequery.files.wordpress.com/2018/11/cs2.png?w=600
Then we need to start the compliance search with Start-ComplianceSearch
Start-ComplianceSearch -Identity searchname
After this operation we have 3 options with New-ComplianceSearchAction: report-only mode, export the searched data, or delete the search results, as in the examples below.
Report Mode
New-ComplianceSearchAction -SearchName SearchName -Report
https://exchangequery.files.wordpress.com/2018/11/cs3.png?w=600
Export Mode
New-ComplianceSearchAction -SearchName SearchName -Export
https://exchangequery.files.wordpress.com/2018/11/cs11.png?w=600
After we run the command with -Export, once the export is completed it will be available for download in the export section of the Security and Compliance Center.
https://exchangequery.files.wordpress.com/2018/11/untitled24.png?w=600
We can also use the delete option:
New-ComplianceSearchAction -SearchName SearchName -Purge -PurgeType SoftDelete
https://exchangequery.files.wordpress.com/2018/11/cs4.png?w=600
Get-ComplianceSearch can be run to check the existing executed compliance searches.
https://exchangequery.files.wordpress.com/2018/11/untitled411.png?w=600
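The compliance search steps above, chained into one guarded run (an added example, not part of the original post). It assumes the compliance PSSession is already imported; the search name, query, date and item limit are constructed placeholders.

```powershell
# Constructed placeholder values; adjust to the message being removed.
$SearchName = 'Phish-Cleanup-Example'
$Mailboxes  = 'alias@domain.com'
$Query      = 'subject:"Teach English in China" AND received>=2018-11-01'
$MaxItems   = 50   # refuse to purge if the query matches more than expected

# Create and start the search.
New-ComplianceSearch -Name $SearchName -Description 'Phishing cleanup' `
    -ExchangeLocation $Mailboxes -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the search completes, with a deadline so a stuck or failed
# search does not loop forever.
$Deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -ne 'Completed' -and (Get-Date) -lt $Deadline)

if ($Search.Status -ne 'Completed') {
    throw "Search '$SearchName' did not complete (status: $($Search.Status))."
}

"{0}: {1} item(s), {2} bytes" -f $Search.Name, $Search.Items, $Search.Size

if ($Search.Items -eq 0) {
    Write-Warning 'No items matched; nothing to purge.'
}
elseif ($Search.Items -gt $MaxItems) {
    # An over-broad query is the usual cause of an accidental mass delete.
    Write-Warning "Matched $($Search.Items) items (limit $MaxItems). Tighten the query before purging."
}
else {
    # SoftDelete moves the items to Recoverable Items, so they can still be
    # restored until the deleted item retention period expires.
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete
    # The purge action is named "<SearchName>_Purge".
    Get-ComplianceSearchAction -Identity "${SearchName}_Purge" |
        Format-List Name, Status, Results
}
```

The purge cmdlet still prompts for confirmation, which gives a last chance to compare the reported item count against what was expected.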
Content Search
We can also use the content search option available in the Office 365 Security and Compliance Center. Here we can specify the content locations that should be searched for the required content.
Here we have 3 options to search.
New Search – the default option, which provides the search query parameters and conditions.
https://exchangequery.files.wordpress.com/2018/11/untitled26.png?w=600
Guided Search – Guided Search has the same options as New Search, except that it has an additional guided wizard like below. The rest of the search query parameters and conditions remain the same.
https://exchangequery.files.wordpress.com/2018/11/untitled261.png?w=600
ID Search – We can perform a targeted search by providing a CSV input file.
https://exchangequery.files.wordpress.com/2018/11/untitled262.png?w=600
For ID Search we need to provide a well-formatted CSV input as described in this TechNet article: format the Document ID column and populate the Selected column as mentioned in the article.
Once the CSV is prepared and imported, it will be ready for save and run as below.
https://exchangequery.files.wordpress.com/2018/11/untitled263.png?w=600
After the save and run operation we get the results as below:
https://exchangequery.files.wordpress.com/2018/11/untitled264.png?w=600
Under Modify location we can choose the locations from which the data has to be fetched. This option is available only on New Search and Guided Search.
After specifying the location, add the search query keywords, date range, sender and other parameters based on the search requirement.
https://exchangequery.files.wordpress.com/2018/11/content.png?w=600
Once the search query is completed, we can see the search results in the Searches tab like below:
https://exchangequery.files.wordpress.com/2018/11/content1.png?w=600
We have an option to download the search results:
https://exchangequery.files.wordpress.com/2018/11/content2.png?w=600
We have options to export the report like below:
https://exchangequery.files.wordpress.com/2018/11/untitled25.png?w=600
Important notes:
- The ID search is limited and supported only for mailbox items.
- We need to be a member of the Organization Management role group, or at least the Compliance Administrator role group, in order to use this service from the Security & Compliance Center.