How to use the new Microsoft Purview eDiscovery Search:

Useful If:

If you are wanting to search for data relating to an investigation or a DSAR request, you can use the following guide to make your queries using the Microsoft 365 eDiscovery portal.

To search our Microsoft 365 tenancy for data relating to your investigation, do the following:

1. Open Microsoft Purview using the following URL: Microsoft Purview and sign in using your 365 credentials. (IT Ops, use your 365 admin accounts, Superusers, use your standard work email).

2. On the left hand side navigation menu, select "eDiscovery".

3. In the eDiscovery pane, select "Content Search".

4. In the content search window, under the "Searches" section, select the "Create a Search" button.

5. In the "New Search" dialogue box, Under "Search name", give your search a unique name, for example "DSAR_NAME_DATE" or "INC-0000_DATE" etc.

6. Enter an optional brief description of the search.

7. Click the "Create" button to start building the search.

8. In the "Query" section of the search builder window, select the "Add tenant-wide sources" button towards the bottom left of the screen.

9. In the "Manage sources" slide out window, select the options that best suit your individual search criteria, for example, if you are looking for all mail sent to and received from a specific person(s) across the entire organisation, select the check box next to "Mailboxes". and unselect the check box next to "Sites", as this relates to searching in SharePoint content.

10. Once you have made your selection, click "Save".

11. In the Condition builder, click on the "Add conditions" dropdown button and select any applicable search conditions. To search for email, select the "Participants" condition.

12. Ensure that "Contains any of" is the selected conditional option.

13. In the criteria field, enter all search subjects emails.

14. Click "Run Query" to select your search results type.

15. Select either "Statistics" or "Sample" and any other of the related check box options.

16. Click the "Run Query" button at the bottom of the window to execute the query.

Wait for the search operation to finish, this can take quite a while depending on the amount of data the query finds.

17. Once the data has been generated, you can then click on the export button at the top right to select your export options.

18. Give your export a name and an optional description.

19. In the "Select items to include in your export" section, select "indexed items that match your search query".

20. Under the "Messages and related items from mailboxes and Exchange Online" section, select "Organise conversations into HTML Transcript"

21. Under Export Type, select "Export items with items report".

22. Under Export Format, select "Create PSTs for messages".

23. Leave all options below this ticked.

24. Click the "Export" button to export your search content.