Quick Tips – Search mailbox operation in office 365

In office 365 the search can be used to search in-place items from email, documents, Skype for business and Microsoft Teams.In this article we will look into the steps to search emails from  mailboxes present in office 365.

The search and delete operation can be executed when an important confidential  message is sent by mistake to unintended recipients, a suspicious message have been circulated to few users or it can be even a phishing email. Admin can run into any of the above scenario and can be requested to perform this action.

In office 365 we can use the native search-mailbox , compliance search or the content search available in the office 365 security and compliance center.

The search-mailbox is exactly similar to what we have in on premise.We have to be a member of Mailbox Search and Mailbox Import Export role group to execute the search and delete operation.

We need to establish PSSession to office 365 with below:

$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session

Search-Mailbox

SMBX0

Then we need to execute the search operation based on the search parameter , search query and operators as per our requirement to search the required data.

Example of basic search which allowed to log data to a target mailbox

Search-Mailbox -identity mbx@domain.com -SearchQuery ‘subject:test’ -Logonly -LogLevel full  -TargetMailbox mbx@domain.com -TargetFolder SearchResults

SMBX

SMBX1

The delete operation can be used to delete the content.

Search-Mailbox -Identity mbx@domain.com -SearchQuery ‘subject:test’ -DeleteContent

SMBX2

Compliance Search

We can use the compliance search operation to search and delete any emails from mailboxes present in office 365. We need to establish new pssession to compliance as below.

$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

CS1

Once connected we can initiate new compliance search with New-Compliance search commandlet.

First New-Compliance search with required  parameter and content match query needs to be created.

New-ComplianceSearch -Description Marketing-Search -Name MarketingTeam -Exchangelocation alias@domain.com -ContentMatchQuery “‘Teach English in China'”

CS2

Then we need to start the compliance search with Start-ComplianceSearch

Start-ComplianceSearch -Identity searchname

Post this operation we have 3 options with New-ComplianceSearchAction report only mode , export the searched data also delete the search results as below example.

Report Mode

New-ComplianceSearchAction -SearchName SearchName -Report

CS3

Export Mode

New-ComplianceSearchAction  -SearchName SearchName -Export

CS11

After we run the command with export once export is completed it will be available in the security and compliance center in the export section ready for download.

Untitled24

We can also use the delete option

New-ComplianceSearchAction -SearchName SearchName Puirge -PurgeType softdelete

CS4

Get-ComplianceSearch can be run to check the existing executed compliance searches.

untitled41

Content Search

We can also use the content search option available in office 365 security and compliance center. Here we can specify the content locations from where it has to be searching the required content.

Here we have 3 options to search.

New Search – which is the default option and provides the search query parameters and conditions.

Untitled26

Guided Search –  Guided search  has the same options like new search except it has an addition guided wizard like below. Rest of the search query parameters and the conditions remains the same.

Untitled26

ID Search –  We can perform a targeted search based on providing a csv input file.

Untitled26

For ID search we need to provide a well formatted CSV input as mentioned in this Technet  format the document ID column and populate the selected column as mentioned in the article.

Once the CSV is prepared and imported it will be ready for  save and run as below.

Untitled26

After the save and run operation we get the results as below

Untitled26

We have options to choose the locations from where the data has to be fetched from modify location. This option is available only on New Search and Guided Search.

After specifying the location – add the search query keywords – date range – sender and other required parameters based on the search requirement.

Content

 

once the search query is completed we can see the search results in the searches tab like below

Content1

 

We have an option to download the search results

Content2

We have options  to export the report  like below.

Untitled25

Imp Notes:

  1. The ID search is limited and supported only for mailbox items.
  2. We need to be member of Organization Management or at least Compliance Administrator role group in-order to consume this service from Security & Compliance Center.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: