Office 365 – Content Search and eDiscovery

Today I would shed some light on the two options “Content Search” and “eDiscovery” from the Security and Compliance center of Office 365. You can reach the security and compliance center through the following URL:

Office 365 – Security & Compliance Center

The first questions that may raise up, what is content search and eDiscovery, and what is the difference of those two options.
With content search, you can search all the content that is actually available, regarding existent policies (given example: Exchange Hold). Content search may help you in various occasions, where it may not be required to use eDiscovery. For legal documentation the eDiscovery should be used, where you also can specify Mailboxes, SharePoint Locations and OneDrive for Business to set hold policies on them.

The next question might be: Who has access to those features by Default?

It depends…

Yes, that is true, it depends on how your Azure AD is configured. Out-of-the-Box nobody can access the two features, not even the Global Administrator. The Global Administrator can perform searches, and he is able to assign the necessary roles to export the data from the searches. But those role assignments are not set by Default. So it is like within the On-Premise Domain, you can configure the Domain Admin as an Exchange Org Admin as example, but it is not set by Default.

How can I assign the content search permission?
I would like to show you, how you can assign the content search permissions to a user (or group). Even there are preconfigured roles within the Security & Compliance Center, I create my own role, to make sure the granted access is sufficient. For creating the new role, open the permission blade within the center, and click on “+Create”:

Name the name role properly and after a click on next, you have to assign the existent roles to your own role:

  • Compliance Search
  • Preview
  • Export
  • Your Role group wizard should look like this:

    Mind that it takes up to 15 minutes, until a user can access the portal. But afterwards he is logged in, the user can immediately start a content search, and is able to preview and download the reports and data.

    How can I assign the eDiscovery permission?
    This one is more likely used, and also easier to achieve. If you click on the built-in eDiscovery Manager role, you can see, that there are two sub-roles available, the Administrator role and the manager role. As an Administrator, you have all the access to all cases that are existent. As a a manager, you can only access those case, that are assigned to you.

    How restrict access?
    If you require to restrict that access of the eDiscovery searches, for example to divide the countries, you can use the permission filters. Tony Redmond already wrote an excellent article about implementing permission filters:
    Restricting Office 365 Content Searches with Permission Filters

    Download Data from Content Search
    If your content search was successful, you can then download the results:

    There are different options when you select to export the results, and the most questionable option is “Unsearchable items”. See the official statement from Microsoft to Unsearchable items for Exchange 2013 or Exchange Online:

    (Source: https://docs.microsoft.com/en-us/exchange/security-and-compliance/in-place-ediscovery/in-place-ediscovery)

    If you have made your decision, you can start your download:

    Leave a Reply

    Fill in your details below or click an icon to log in:

    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out /  Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out /  Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out /  Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out /  Change )

    Connecting to %s

    This site uses Akismet to reduce spam. Learn how your comment data is processed.