Running a Content Search is fairly easy from within the Office 365 Security & Compliance Center, but sometimes it makes sense to drop down into PowerShell to run more complex queries.
Here are links to some of the more useful articles on this subject:
- Run a Content Search in the Office 365 Security & Compliance Center
- Keyword queries for Content Search
To build a query you will need to use KQL. Here is a good article on the syntax:
NOTE: The Technote refers to the AND and OR logical operators, but in PowerShell you have to use (c:c) for AND and (c:s) for OR.
Running a Complex Query in PowerShell
Here is a script I wrote to run a more complex query when we had to search for a list of hundreds of document attachments within Office 365 for a Client.
NOTE: There is a limit on the number of characters that can be in the query. No error is thrown if you run the script; it just returns incorrect results. That threw me off for a while, but if you edit the script from the Security & Compliance Center you will get an error:
The property is too long. The maximum length is 16384 and the length of the value provided is 23966.
So we had to split up the query into several blocks to not exceed this limit of 16384 characters.
# Script to find documents in Office 365
# For: Client
# Author: Syndeo Technologies
# Initial Version: PS053117
# First, connect
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection
# Import the remote session so the compliance cmdlets are available locally
Import-PSSession $Session -DisableNameChecking
# Create the query
New-ComplianceSearch -Name "Search4Docs" -ExchangeLocation All -ContentMatchQuery "attachment:'doc1.pdf' (c:s) attachment:'doc2.docx' (c:s) attachment:'cover letter.doc' (c:s) attachment:'another doc.pdf' (c:s) attachment:'andsoon.pdf'"
# Run it
Start-ComplianceSearch -Identity "Search4Docs"
# Check Status
Get-ComplianceSearch -Identity "Search4Docs"
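The splitting described above can be automated. The following is an added example, not part of the original script: it packs a list of attachment names into as many query strings as needed so that none exceeds 16384 characters. The function name Split-AttachmentQuery, the sample file names and the numbered search names are hypothetical, and it assumes the limit applies to the character count of the whole ContentMatchQuery string.

```powershell
# Added example: batch attachment names into several ContentMatchQuery
# strings, each within the 16384-character limit from the error message.
# Split-AttachmentQuery and all sample names are hypothetical.
function Split-AttachmentQuery {
    param(
        [Parameter(Mandatory)][string[]]$FileName,
        [int]$MaxLength = 16384,
        [string]$Separator = ' (c:s) '   # OR operator, as used in the script above
    )
    $queries = [System.Collections.Generic.List[string]]::new()
    $current = [System.Text.StringBuilder]::new()
    foreach ($name in $FileName) {
        $clause = "attachment:'$name'"
        if ($clause.Length -gt $MaxLength) {
            throw "Clause for '$name' alone exceeds $MaxLength characters."
        }
        # Length the query would have if this clause were appended
        $needed = $current.Length + $clause.Length
        if ($current.Length -gt 0) { $needed += $Separator.Length }
        if ($needed -gt $MaxLength) {
            # Close the current block and start a new one
            $queries.Add($current.ToString())
            [void]$current.Clear()
        }
        if ($current.Length -gt 0) { [void]$current.Append($Separator) }
        [void]$current.Append($clause)
    }
    if ($current.Length -gt 0) { $queries.Add($current.ToString()) }
    return $queries
}

# Constructed sample input: 1000 made-up attachment names
$names = 1..1000 | ForEach-Object { "client document number $_ (final version).pdf" }
$queries = Split-AttachmentQuery -FileName $names

# Report each block's length; every value stays at or below 16384
$i = 0
foreach ($q in $queries) {
    $i++
    "{0}: {1} characters" -f "Search4Docs-$i", $q.Length
    # With a connected session, create and run one search per block:
    # New-ComplianceSearch -Name "Search4Docs-$i" -ExchangeLocation All -ContentMatchQuery $q
    # Start-ComplianceSearch -Identity "Search4Docs-$i"
}
```

Checking the reported lengths before creating the searches matters here because, as noted above, an over-long query run from PowerShell raises no error.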
Deleting an Email using the Search & Compliance Center
This link describes how to delete an email message using the Search & Compliance Center:
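New-ComplianceSearch -Name "TestRemoveMessage" -ExchangeLocation All -ContentMatchQuery "subject:'This is a test' (c:c) From:'firstname.lastname@example.org'"
# The search has to be run before a purge action can be created from it
Start-ComplianceSearch -Identity "TestRemoveMessage"
New-ComplianceSearchAction -SearchName "TestRemoveMessage" -Purge -PurgeType SoftDelete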
Replace SoftDelete with HardDelete to get rid of the message altogether (does not even show up in Deleted Items).