In office 365 the search can be used to search in-place items from email, documents, Skype for business and Microsoft Teams.In this article we will look into the steps to search emails from mailboxes present in office 365.
The search and delete operation can be executed when an important confidential message is sent by mistake to unintended recipients, a suspicious message have been circulated to few users or it can be even a phishing email. Admin can run into any of the above scenario and can be requested to perform this action.
In office 365 we can use the native search-mailbox , compliance search or the content search available in the office 365 security and compliance center.
The search-mailbox is exactly similar to what we have in on premise.We have to be a member of Mailbox Search and Mailbox Import Export role group to execute the search and delete operation.
We need to establish PSSession to office 365 with below:
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
Then we need to execute the search operation based on the search parameter , search query and operators as per our requirement to search the required data.
Example of basic search which allowed to log data to a target mailbox
Search-Mailbox -identity firstname.lastname@example.org -SearchQuery ‘subject:test’ -Logonly -LogLevel full -TargetMailbox email@example.com -TargetFolder SearchResults
The delete operation can be used to delete the content.
Search-Mailbox -Identity firstname.lastname@example.org -SearchQuery ‘subject:test’ -DeleteContent
We can use the compliance search operation to search and delete any emails from mailboxes present in office 365. We need to establish new pssession to compliance as below.
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Once connected we can initiate new compliance search with New-Compliance search commandlet.
First New-Compliance search with required parameter and content match query needs to be created.
New-ComplianceSearch -Description Marketing-Search -Name MarketingTeam -Exchangelocation email@example.com -ContentMatchQuery “‘Teach English in China'”
Then we need to start the compliance search with Start-ComplianceSearch
Start-ComplianceSearch -Identity searchname
Post this operation we have 3 options with New-ComplianceSearchAction report only mode , export the searched data also delete the search results as below example.
New-ComplianceSearchAction -SearchName SearchName -Report
New-ComplianceSearchAction -SearchName SearchName -Export
After we run the command with export once export is completed it will be available in the security and compliance center in the export section ready for download.
We can also use the delete option
New-ComplianceSearchAction -SearchName SearchName Puirge -PurgeType softdelete
Get-ComplianceSearch can be run to check the existing executed compliance searches.
We can also use the content search option available in office 365 security and compliance center. Here we can specify the content locations from where it has to be searching the required content.
Here we have 3 options to search.
New Search – which is the default option and provides the search query parameters and conditions.
Guided Search – Guided search has the same options like new search except it has an addition guided wizard like below. Rest of the search query parameters and the conditions remains the same.
ID Search – We can perform a targeted search based on providing a csv input file.
For ID search we need to provide a well formatted CSV input as mentioned in this Technet format the document ID column and populate the selected column as mentioned in the article.
Once the CSV is prepared and imported it will be ready for save and run as below.
After the save and run operation we get the results as below
We have options to choose the locations from where the data has to be fetched from modify location. This option is available only on New Search and Guided Search.
After specifying the location – add the search query keywords – date range – sender and other required parameters based on the search requirement.
once the search query is completed we can see the search results in the searches tab like below
We have an option to download the search results
We have options to export the report like below.
- The ID search is limited and supported only for mailbox items.
- We need to be member of Organization Management or at least Compliance Administrator role group in-order to consume this service from Security & Compliance Center.