Running an Office 365 Compliance Search using PowerShell

Overview

Running a Content Search is fairly easy from within the Office 365 Security & Compliance Center, but sometimes it makes sense to drop down into PowerShell to run more complex queries.

Here are links to some of the more useful articles on this subject:

To build a query you will need to use KQL. Here is a good article on the syntax:
https://technet.microsoft.com/en-us/library/ms.exch.eac.searchquerylearnmore(v=exchg.150).aspx

NOTE: The TechNet article refers to the AND and OR logical operators, but in PowerShell you have to use (c:c) for AND and (c:s) for OR.

Running a Complex Query in PowerShell

Here is a script I wrote to run a more complex query when we had to search for a list of hundreds of document attachments within Office 365 for a client.

NOTE: There is a limit on the number of characters that can be in the query. No error is thrown if you run the script; it just returns incorrect results. That threw me off for a while, but if you edit the search from the Security & Compliance Center you will get an error:

The property is too long. The maximum length is 16384 and the length of the value provided is 23966.

So we had to split the query into several blocks so that none of them exceeded this limit of 16384 characters.
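The following is an added example, not the script from the original post, showing one way to do that split. It builds an attachment-name query from a list of file names, joins the terms with the (c:s) OR operator, and cuts the list into separate Compliance Searches whenever the next term would push a query past the 16384-character limit, so the silent wrong-results case described above cannot occur. It assumes an existing Security & Compliance PowerShell session (for instance via Connect-IPPSSession from the ExchangeOnlineManagement module); the search name prefix, the attachmentnames: property and the sample file names are constructed for illustration.

```powershell
# Added example: run a long list of attachment names as several Compliance Searches,
# each with a ContentMatchQuery under the 16384-character limit.
# Assumes you are already connected to Security & Compliance PowerShell.

$MaxQueryLength = 16384                       # limit reported by the Security & Compliance Center
$SearchPrefix   = 'ClientAttachmentSearch'    # hypothetical search name prefix

# Constructed sample input; in practice read the list from a file, e.g. Get-Content .\attachments.txt
$AttachmentNames = 1..500 | ForEach-Object { 'Contract_{0:d4}.docx' -f $_ }

function New-ChunkedQuery {
    # Returns an array of query strings, each no longer than $MaxLength characters.
    param([string[]]$Names, [int]$MaxLength)
    $separator = ' (c:s) '                    # OR operator in Compliance Search KQL
    $chunks  = @()
    $current = @()
    $length  = 0
    foreach ($name in $Names) {
        $term = 'attachmentnames:"{0}"' -f $name
        # Length the query would have if this term were appended to the current chunk
        $candidate = $length + $term.Length + $(if ($current.Count -gt 0) { $separator.Length } else { 0 })
        if ($candidate -gt $MaxLength -and $current.Count -gt 0) {
            $chunks += ($current -join $separator)
            $current = @()
            $candidate = $term.Length
        }
        $current += $term
        $length = $candidate
    }
    if ($current.Count -gt 0) { $chunks += ($current -join $separator) }
    return $chunks
}

$queries = New-ChunkedQuery -Names $AttachmentNames -MaxLength $MaxQueryLength

# Create and start one search per chunk, checking the length once more before submitting
$searchNames = @()
$i = 0
foreach ($query in $queries) {
    $i++
    if ($query.Length -gt $MaxQueryLength) { throw "Chunk $i is $($query.Length) characters, over the limit" }
    $searchName = '{0}-{1:d2}' -f $SearchPrefix, $i
    Write-Host ('Creating {0} ({1} characters)' -f $searchName, $query.Length)
    New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $query | Out-Null
    Start-ComplianceSearch -Identity $searchName
    $searchNames += $searchName
}

# Wait for each search to finish and report its hit count and size
foreach ($searchName in $searchNames) {
    do {
        Start-Sleep -Seconds 15
        $search = Get-ComplianceSearch -Identity $searchName
    } while ($search.Status -in 'NotStarted', 'Starting', 'InProgress')
    '{0}: status {1}, {2} items, {3}' -f $search.Name, $search.Status, $search.Items, $search.Size
}
```

Because each chunk is an independent search, a message that matches terms in two different chunks will be counted once in each; add the per-search totals with that in mind, or export the results and de-duplicate on the message identifiers.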

Deleting an Email using the Security & Compliance Center

This link describes how to delete an email message using the Security & Compliance Center:

https://support.office.com/en-us/article/Search-for-and-delete-email-messages-in-your-Office-365-organization-Admin-Help-3526fd06-b45f-445b-aed4-5ebd37b3762a

Example:

New-ComplianceSearch -Name "TestRemoveMessage" -ExchangeLocation All -ContentMatchQuery "subject:'This is a test' (c:c) From:'pschwarz@syndeotech.com'"

New-ComplianceSearchAction -SearchName "TestRemoveMessage" -Purge -PurgeType SoftDelete

Replace SoftDelete with HardDelete to get rid of the message altogether (does not even show up in Deleted Items).
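As an added example (not from the original post), here is the same delete workflow with the step that actually runs the search and a check of the hit count before anything is purged, which is the order the linked Microsoft article follows. It assumes an existing Security & Compliance PowerShell session; the sender address and subject are constructed placeholders.

```powershell
# Added example: search for a message, confirm the hit count, then purge it.
# Assumes you are already connected to Security & Compliance PowerShell.

$SearchName = 'TestRemoveMessage'
# (c:c) is the AND operator in Compliance Search KQL; sender and subject are placeholders
$Query      = "subject:'This is a test' (c:c) From:'sender@example.com'"

New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# New-ComplianceSearchAction -Purge needs a completed search, so poll until it finishes
do {
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity $SearchName
} while ($search.Status -in 'NotStarted', 'Starting', 'InProgress')

# Review the hit count before deleting: zero hits or an unexpectedly large number
# usually means the query needs adjusting, not that the purge should proceed
'{0}: status {1}, {2} matching items' -f $search.Name, $search.Status, $search.Items

if ($search.Status -eq 'Completed' -and $search.Items -gt 0) {
    # Change SoftDelete to HardDelete to bypass Deleted Items, as described above
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete
}
```

Keep in mind that a purge action removes at most 10 items per mailbox per run, so a search that matches many copies in one mailbox has to be purged repeatedly until Get-ComplianceSearch reports no remaining hits.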
