New-ComplianceSearchAction

This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the New-ComplianceSearchAction cmdlet to create actions for content searches in Exchange Server and in the Microsoft Purview compliance portal.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Syntax

New-ComplianceSearchAction
   [-SearchName] <String[]>
   [-Export]
   [-ActionName <String>]
   [-ArchiveFormat <ComplianceExportArchiveFormat>]
   [-Confirm]
   [-FileTypeExclusionsForUnindexedItems <String[]>]
   [-EnableDedupe <Boolean>]
   [-ExchangeArchiveFormat <ComplianceExportArchiveFormat>]
   [-Force]
   [-Format <ComplianceDataTransferFormat>]
   [-IncludeCredential]
   [-IncludeSharePointDocumentVersions <Boolean>]
   [-JobOptions <Int32>]
   [-NotifyEmail <String>]
   [-NotifyEmailCC <String>]
   [-ReferenceActionName <String>]
   [-Region <String>]
   [-Report]
   [-RetentionReport]
   [-RetryOnError]
   [-Scenario <ComplianceSearchActionScenario>]
   [-Scope <ComplianceExportScope>]
   [-SearchNames <String[]>]
   [-SharePointArchiveFormat <ComplianceExportArchiveFormat>]
   [-ShareRootPath <String>]
   [-Version <String>]
   [-WhatIf]
   [<CommonParameters>]
New-ComplianceSearchAction
   [-SearchName] <String[]>
   [-Preview]
   [-ActionName <String>]
   [-Confirm]
   [-Force]
   [-Format <ComplianceDataTransferFormat>]
   [-IncludeCredential]
   [-JobOptions <Int32>]
   [-ReferenceActionName <String>]
   [-Region <String>]
   [-RetryOnError]
   [-Scenario <ComplianceSearchActionScenario>]
   [-SearchNames <String[]>]
   [-Version <String>]
   [-WhatIf]
   [<CommonParameters>]
New-ComplianceSearchAction
   [-SearchName] <String[]>
   [-Purge]
   [-PurgeType <ComplianceDestroyType>]
   [-ActionName <String>]
   [-Confirm]
   [-Force]
   [-Format <ComplianceDataTransferFormat>]
   [-IncludeCredential]
   [-JobOptions <Int32>]
   [-Region <String>]
   [-ReferenceActionName <String>]
   [-RetryOnError]
   [-Scenario <ComplianceSearchActionScenario>]
   [-SearchNames <String[]>]
   [-Version <String>]
   [-WhatIf]
   [<CommonParameters>]

Description

After you create a content search using the New-ComplianceSearch cmdlet and run it using the Start-ComplianceSearch cmdlet, you assign a search action to the search using the New-ComplianceSearchAction cmdlet.

In on-premises Exchange, this cmdlet is available in the Mailbox Search role. By default, this role is assigned only to the Discovery Management role group.

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

In Microsoft 365, the account that you use to run this cmdlet must have a valid Microsoft 365 license assigned.

To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see Permissions in the Microsoft Purview compliance portal.

Examples

Example 1

New-ComplianceSearchAction -SearchName "Project X" -Preview

This example creates a preview search action for the content search named Project X.

Example 2

New-ComplianceSearchAction -SearchName "Project X" -Export

This example creates an export search action for the content search named Project X.

Example 3

New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete

This example deletes the search results returned by a content search named Remove Phishing Message. Note that unindexed items aren't deleted when you use the Purge parameter.

Example 4

New-ComplianceSearchAction -SearchName "Case 321 All Sites" -Export -SharePointArchiveFormat SingleZip -ExchangeArchiveFormat PerUserPst -Format FxStream

This example exports the results returned by the content search named "Case 321 All Sites". The search results are compressed and exported to a single ZIP file. If the search included any Exchange locations, the search results are exported as one PST file per mailbox.

Parameters

-ActionName

This parameter is available only in the cloud-based service.

The ActionName parameter specifies a name for the content search action. You use this parameter only when you specify multiple content searches in the SearchName parameter.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ArchiveFormat

This parameter has been deprecated and is no longer used.

To specify the format for Exchange search results, use the ExchangeArchiveFormat parameter. To specify the format for SharePoint and OneDrive search results, use the SharePointArchiveFormat parameter.

Type:ComplianceExportArchiveFormat
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-Confirm

The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.
  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.

This cmdlet has a built-in pause, so use -Confirm:$false to skip the confirmation.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-EnableDedupe

This parameter is reserved for internal Microsoft use.

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ExchangeArchiveFormat

This parameter is functional only in the cloud-based service.

This parameter requires the Export role in Security & Compliance PowerShell. By default, this role is assigned only to the eDiscovery Manager role group.

The ExchangeArchiveFormat parameter specifies how to export Exchange search results. Valid values are:

  • PerUserPst: One PST file for each mailbox.
  • SinglePst: One PST file that contains all exported messages.
  • SingleFolderPst: One PST file with a single root folder for the entire export.
  • IndividualMessage: Export each message as an .msg message file. This is the default value.
  • PerUserZip: One ZIP file for each mailbox. Each ZIP file contains the exported .msg message files from the mailbox.
  • SingleZip: One ZIP file for all mailboxes. The ZIP file contains all exported .msg message files from all mailboxes. This output setting is available only in PowerShell.

To specify the format for SharePoint and OneDrive search results, use the SharePointArchiveFormat parameter.

Type:ComplianceExportArchiveFormat
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-Export

This parameter is functional only in the cloud-based service.

This parameter requires the Export role in Security & Compliance PowerShell. By default, this role is assigned only to the eDiscovery Manager role group.

The Export switch specifies the action for the content search is to export the full set of results that match the search criteria. You don't need to specify a value with this switch.

To only return the information about each detected item in a report, use the Report switch.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-FileTypeExclusionsForUnindexedItems

The FileTypeExclusionsForUnindexedItems specifies the file types to exclude because they can't be indexed. You can specify multiple values separated by commas.

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-Force

The Force switch hides warning or confirmation messages. You don't need to specify a value with this switch.

You can use this switch to run tasks programmatically where prompting for administrative input is inappropriate.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-Format

In Security & Compliance PowerShell, this parameter requires the Export role. By default, this role is assigned only to the eDiscovery Manager role group.

The Format parameter specifies the format of the search results when you use the Export switch. Valid values are:

  • FxStream: Export to PST files. This is the only option that's available when you export search results from the Microsoft Purview compliance portal.
  • Mime: Export to .eml message files. This the default value when you use cmdlets to export the search results.
  • Msg: Export to .msg message files.
Type:ComplianceDataTransferFormat
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-IncludeCredential

The IncludeCredential switch specifies whether to include the credential in the results. You don't need to specify a value with this switch.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-IncludeSharePointDocumentVersions

This parameter is available only in the cloud-based service.

The IncludeSharePointDocumentVersions parameter specifies whether to export previous versions of the document when you use the Export switch. Valid values are:

  • $true: Export all versions of the document.
  • $false: Export only the current published version of the topic. This is the default value.
Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-JobOptions

This parameter is reserved for internal Microsoft use.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-NotifyEmail

In Security & Compliance PowerShell, this parameter requires the Export role. By default, this is assigned only to the eDiscovery Manager role group.

The NotifyEmail parameter specifies the email address target for the search results when you use the Export switch.

The recipient you specify is in the To: field of the message.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-NotifyEmailCC

In Security & Compliance PowerShell, this parameter requires the Export role. By default, this role is assigned only to the eDiscovery Manager role group.

The NotifyEmailCC parameter specifies the email address target for the search results when you use the Export switch.

The recipient you specify is in the Cc: field of the message.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-Preview

In Security & Compliance PowerShell, this parameter requires the Preview role. By default, this role is assigned only to the eDiscovery Manager role group.

The Preview switch specifies the action for the content search is to preview the results that match the search criteria. You don't need to specify a value with this switch.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-Purge

Note: In Security & Compliance PowerShell, this switch is available only in the Search and Purge role. By default, this role is assigned only to the Organization Management and Data Investigator role groups.

The Purge switch specifies the action for the content search is to remove items that match the search criteria. You don't need to specify a value with this switch.

  • A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove messages is intended to be an incident-response tool, this limit helps ensure that messages are quickly removed from mailboxes. This action isn't intended to clean up user mailboxes.

    Tip: To purge more than 10 items, refer to ediscoverySearch: purgeData in the Microsoft Graph API, which allows purging a maximum of 100 items per location.

  • You can remove items from a maximum of 50,000 mailboxes using a single content search. To remove items from more than 50,000 mailboxes, you'll have to create separate content searches. For more information, see Search for and delete email messages in your Microsoft 365 organization.

  • Unindexed items aren't removed from mailboxes when you use this switch.

  • The value of the PurgeType parameter controls how the items are removed.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-PurgeType

Note: In Security & Compliance PowerShell, this parameter is available only in the Search and Purge role. By default, this role is assigned only to the Organization Management and Data Investigator role groups.

The PurgeType parameter specifies how to remove items when the action is Purge. Valid values are:

  • SoftDelete: Purged items are recoverable by users until the deleted item retention period expires.
  • HardDelete (cloud only): Purged items are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant. If single item recovery is enabled on the mailbox, purged items will be permanently removed after the deleted item retention period expires.
Type:ComplianceDestroyType
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-ReferenceActionName

This parameter is reserved for internal Microsoft use.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-Region

This parameter is reserved for internal Microsoft use.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-Report

This parameter is functional only in the cloud-based service.

The Report switch specifies the action for the content search is to export a report about the results (information about each item instead of the full set of results) that match the search criteria. You don't need to specify a value with this switch.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-RetentionReport

The RetentionReport switch specifies the action for the content search is to export a retention report. You don't need to specify a value with this switch.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-RetryOnError

The RetryOnError switch specifies whether to retry the action on any items that failed without re-running the entire action all over again. You don't need to specify a value with this switch.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-Scenario

In Security & Compliance PowerShell, this parameter requires the Preview role. By default, this role is assigned only to the eDiscovery Manager role group.

The Scenario parameter specifies the scenario type when you use the Export switch. Valid values are:

  • AnalyzeWithZoom: Prepare the search results for processing in Microsoft Purview eDiscovery Premium.
  • General: Exports the search results to the local computer. Emails are exported to .pst files. SharePoint and OneDrive for Business documents are exported in their native Office formats.
  • GenerateReportsOnly:
  • Inventory:
  • RetentionReports:
  • TriagePreview:
Type:ComplianceSearchActionScenario
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-Scope

The Scope parameter specifies the items to include when the action is Export. Valid values are:

  • IndexedItemsOnly
  • UnindexedItemsOnly
  • BothIndexedAndUnindexedItems
Type:ComplianceExportScope
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-SearchName

The SearchName parameter specifies the name of the existing content search to associate with the content search action. You can specify multiple content searches separated by commas.

You can find the content search by running the command Get-ComplianceSearch | Format-Table -Auto Name,Status.

Type:String[]
Position:1
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-SearchNames

This parameter is available only in the cloud-based service.

The SearchNames parameter specifies the names of the existing content searches to associate with the content search action. You separate the content search names by commas.

You can find content search names by running the command Get-ComplianceSearch | Format-Table -Auto Name,Status.

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-SharePointArchiveFormat

This parameter is functional only in the cloud-based service.

This parameter requires the Export role. By default, this role is assigned only to the eDiscovery Manager role group.

The SharePointArchiveFormat parameter specifies how to export SharePoint and OneDrive search results. Valid values are:

  • IndividualMessage: Export the files uncompressed. This is the default value.
  • PerUserZip: One ZIP file for each user. Each ZIP file contains the exported files for the user.
  • SingleZip: One ZIP file for all users. The ZIP file contains all exported files from all users. This output setting is available only in PowerShell.

To specify the format for Exchange search results, use the ExchangeArchiveFormat parameter.

Type:ComplianceExportArchiveFormat
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-ShareRootPath

{{ Fill ShareRootPath Description }}

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019

-Version

This parameter is reserved for internal Microsoft use.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance

-WhatIf

The WhatIf switch doesn't work in Security & Compliance PowerShell.

The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Security & Compliance