Managing Content Searches in the Security & Compliance Center

Managing Content Searches in the Security & Compliance Center


Recently, a customer asked for clarification on the difference between Content Search (Security & Compliance center | Search & investigation | Content search) and the Content Search feature in an eDiscovery case (Security & Compliance center | Search & investigation | eDiscovery).  The answer: nothing.

Well, almost nothing.

In the context of how they work, they are identical. What’s different is how they’re presented and what everyone can see.  Under the main Content Search, the details of the search (who created it, what locations were searched, and what keywords or content was searched for) are visible to everyone with access to Content Search.  In the real world, you may not want everyone to see what is being searched for, since searches can reveal things that may be inappropriate for all with access to see.

That’s where an eDiscovery case comes in handy.  With eDiscovery, you can only see cases listed that you have created or to which you have been added as a case member.  The content searches are performed inside the case, so if you can’t see that a case even exists, you most certainly can’t see the associated content searches.

To limit the potential display of content searches, I have created a script that can be used to notify the creator of the Content Search, their manager, and any additional administrators that a search was created in the wrong area and that it should instead be created in the context of an eDiscovery case.

Note: I’ve included a function to log on to a tenant with embedded credentials for demo purposes.  I’d instead look to use Azure Automation instead.

Alert on ComplianceReports
$SMTPServer = ""
$Date = Get-Date -Format yyyy-MM-dd-hh
$LogFile = "C:\Logs\$($Date)" + "_ContentSearchLog.txt"
$Recipients = @()
# Uncomment out the next line for additional recipients to always be notified
# $Recipients = @('', '')
$From = ""

Function o365Logon
    # This is just a sample. You should probably use Azure Automation instead.
    $userAdmin = ""
    $userAdminPass = "Password123"
    $securePassword = ConvertTo-SecureString $userAdminPass -AsPlainText -Force
    $global:Credential = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $userAdmin, $securePassword
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $Credential -Authentication Basic -AllowRedirection
    $ComplianceSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $Credential -Authentication Basic -AllowRedirection
    Import-PSSession $Session
    Import-PSSession $ComplianceSession -Prefix Protection
    Connect-MsolService -Credential $Credential


# Build list of searches
$Searches = Get-ProtectionComplianceSearch

# Users allowed to create/run searches
$eDiscoveryUsers = @()
$ComplianceCenterRoleGroups = Get-ProtectionRoleGroup
foreach ($Group in $ComplianceCenterRoleGroups)
$eDiscoveryUsers += Get-ProtectionRoleGroupMember $Group.Name
$eDiscoveryUsers = $eDiscoveryUsers | Sort -Unique -Property DistinguishedName

foreach ($Search in $Searches)
    # Save Search's CreatedBy value as CreatedByName
    $CreatedByName = $Search.CreatedBy
    # Search eDiscovery-enabled users for Displayname that matches CreatedByName
    foreach ($User in $eDiscoveryusers)
        If ($Search.CreatedBy -match $User.Name)
            # "$($User.DisplayName) matches"
            $CreatedBy = $User.PrimarySmtpAddress
        # If we can't find a name in the eDiscovery users, then search the GAL and return the first matching user
        $CreatedBy = (Get-Recipient -anr $Search.CreatedBy).PrimarySmtpAddress[0]
    $SearchName = $Search.Name
    $CreatedByManager = $CreatedBy.Manager
    $CreatedByManagerAddress = (Get-Recipient $CreatedByManager).PrimarySmtpAddress
    $Body = "You created search $($SearchName) in the Content Search area of the Security & Compliance Center. It has been deleted. Please re-create it in the eDiscovery Center."
    $Subject = "NOTIFICATION: Your Content Search has been deleted."
    If ($CreatedByManagerAddress) { $Recipients += $CreatedByManagerAddress }
    Send-MailMessage -SmtpServer $SMTPServer -To $CreatedBy -Cc $Recipients -Subject $Subject -Body $Body -From $From
    $Search | Out-File -Append $Logfile
    Add-Content "------------------------------------" -Path $Logfile
    Remove-ProtectionComplianceSearch -Identity $Search.Identity -Confirm:$false

Get-PSSession | Remove-PSSession

Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.