Export the content of Exchange mailbox “Recoverable items” folder to PST using the Office 365 content search | Step by step guide | 2#3 5/5 (2) 10 min read

In this article, we review in detailed step by step description of the process of – exporting the content of Exchange Online mailbox to a PST file.

A quick reminder for our scenario, Adele (Office 365 Global administrator) needs to check what happened to specific mail items, that were reported as mail items that “disappeared” by an organization’s user named Angelina.

Adele needs to export the content of Angelina Exchange Online mailbox to a PST file, and later, import the PST file to an Outlook mail profile, so she will be able to view and browse through the content of the “Recoverable items” folder.

Step 1#4 – Add the user account to the eDiscovery Manager group

The first task that we need to complete is, assign the required permissions to the user who will perform the Content Search (membership within the eDiscovery Manager group).

Most of the times, the access to Office 365 Security & Compliance is implemented by a user who has Office 365 Global Administrator permissions, but it is important to emphasize that by default, the Office 365 Global Administrator role doesn’t have the required permissions for performing a search via the “Content Search” service.

To be able to perform the mailbox search + to export the search results to PST file, the user who performs the operations must be a member of a special Office 365 group named – eDiscovery Manager.

Search & investigation - Content Search - Required permissions -01-min

In the following section, we review how to add an Office 365 user as a member of
the eDiscovery Manager group.

Note – you can access the Security & compliance portal by using the following https://protection.office.com

Login to Office 365 security & Compliance portal -01-min

  • Select the permissions menu

Login to Office 365 security & Compliance portal -02-min

In the following section, we will add Adele as a member of the eDiscovery Manager group.

  • Select the eDiscovery Manager group

Assign the required permissions for viewing + exporting the results of the content search -01-min

  • In the section, eDiscovery Administrator clickEdit

Assign the required permissions for viewing + exporting the results of the content search -02-min

  • In the section, select eDiscovery Administrators clickEdit

Assign the required permissions for viewing + exporting the results of the content search -03-min

  • Click Add

Assign the required permissions for viewing + exporting the results of the content search -04-min

  • Form the user list, select the user who will be added to the eDiscovery Manager In our scenario, this user is – Adele
  • Click – Add

Assign the required permissions for viewing + exporting the results of the content search -05-min

In the following screenshot, we can see that now Adele is a member of the eDiscovery Manager group

  • Click – Done

Assign the required permissions for viewing + exporting the results of the content search -06-min

  • Click – Close

Assign the required permissions for viewing + exporting the results of the content search -07-min

Note – from my experience, it takes 30-60 minutes until the permissions are updated. For this reason, it’s recommended to wait for a little before starting the Search Content and export process.

Step 2#4 – Perform the Content Search – Define the search query

In this step, we define the search query parameters for the Content Search process. A quick reminder, we are going to define a search query that will locate all the information that is stored in a specific Exchange Online mailbox named – Angelina. As mentioned, although our main purpose is to get only the mail items stored in the Recoverable items” folder, the Office 365 Content Search doesn’t include a built-in filter (condition) that enabled us to define a search query (condition) that will restrict the search only for a specific mailbox folder.

For this reason, we ask from the Office 365 Content Search to get us All the Exchange Online mailbox content and export this content to a PST file. Later, when browsing through the PST file, we will access only folders that are relevant to us (the Recoverable items” folder).

Perform Exchange mailbox content search using Security & compliance -01-min

  • Click on the plus icon for creating the required content search query

Perform Exchange mailbox content search using Security & compliance -02-min

  • In the *Name box, type the name of the search query

Under the section named – Where do you want us to look? Select the following two options:

  • Custom location selection
  • Choose specific mailboxes to search

Perform Exchange mailbox content search using Security & compliance -03-min

In the next step, we will need to specify the name of the Exchange Online Mailbox for which we wish to perform the search.

Important notes about the Web interface:

Compared to other Office 365 admin interfaces, which will automatically display a list of all existing users or mailbox accounts, the Content Search interface, does not automatically populate the Exchange Online mailbox list. In other words, the list of users is empty!

To be able to locate the specific Exchange Online mailbox that we want to add to the search, we will need to manually type the name of the mailbox and then, “run” the search process in which the Content Search fetches the required mailbox name.

Perform Exchange mailbox content search using Security & compliance -04-min

  • To be able to locate the specific Exchange Online mailbox, we need to manually type the mailbox name. In our scenario, the mailbox name is – Angelina.
  • Click on the search icon

Perform Exchange mailbox content search using Security & compliance -05-min

  • After the required mailbox name was located, click on the Add-> button

Perform Exchange mailbox content search using Security & compliance -06-min

  • Click OK

Perform Exchange mailbox content search using Security & compliance -07-min

  • Click Next

Perform Exchange mailbox content search using Security & compliance -08-min

In the following screenshot, we need to decide if we want to create search filters (defined as “conditions”) that will narrow and focus the search results.

A quick reminder, in our scenario, we don’t wish to define any filter because we want to get the “Full content” of Angelina’s mailbox.

Perform Exchange mailbox content search using Security & compliance -09-min

Although that in our scenario, we don’t define any condition, I would like to briefly display the option of “conditions.”

In the following screenshot, we can see an example of the various conditions (filters) that can be defined such as – specific date range, specific text string and so on.

Perform Exchange mailbox content search using Security & compliance -10-min

  • Click Search

Perform Exchange mailbox content search using Security & compliance -11-min

In the following screenshot, we can see that the Content Search “Job” was successfully created.

Notice that when we select the specific Content Search job, in the right side on the screen, we can see a detailed information about the job status, and the various tasks that can be executed.

Perform Exchange mailbox content search using Security & compliance -12-min

In the following screenshot, we can see the various “parts” of the search job.

Perform Exchange mailbox content search using Security & compliance -13-min

  • The top part (section A in the screenshot) is the part that includes information about the Search Content
  • The rest of the options (section B in the screenshot) include the specific action that we can apply to the search results.
  1. Content search job information – the first part (number 1) is the “information part” which displays information about the specific search job such as – the number of mail items that were found, the size of all mail items, the number of mailboxes that were searched and so on.

Notice an interesting detail, in our scenario, the number of mailboxes that were searched is “2” because Angelina has one primary Exchange mailbox + Exchange Archive mailbox.

The following section enables us to execute as specific “action” on the search results.

  1. Preview search results (number 2) – instead of exporting the data to a PST file; we can use the content search web interface for “looking at the search results”. For example, looking at the content of a specific mail item. From my experience, this option is relevant only in a scenario in which the search results include few mail items.

In most of the scenarios, the search result includes a large amount of “findings,” and because the search interface can display only a limited amount of mail items, most of the times, we will need to use the “export to PST file option.”

  1. Export results to a computer (number 3) – this is the option that we review in the current article. When selecting this option, the next step will be – installing a small application on our local desktop that will enable us to download the PST file.
  2. Generate a report (number 4) – this option will enable us to export a detailed report (in a CSV file format), that includes a description of each mail item that appears in the search results. Notice that this is not the actual mail item but instead, “Metadata” (data about data).

Step 3#4 – Export the search results ?(mailbox content in our scenario) to a PST file

In our scenario, we select the option – Export results to a computer, Start export

Perform Exchange mailbox content search using Security & compliance -14-min

In this step, we instruct the Content Search how to perform the process of exporting the search results to a PST file.

  • Under the section – Include these items from the search: select the option – All items, excluding the ones that have unrecognized format, are encrypted, or weren’t indexed for other reasons
  • Under the section – Export Exchange content as – select the option One PST file for each mailbox
  • Click – Start export

Exporting Exchange mailbox content search results -01-min

The “response” of the Content Search wizard is a little confusing because associatively we assume that the export to PST will need to start.

After we click on the “Start Export” button, the export process will not start and instead, the main admin screen appears again.

The “catch” is that when we click on the option of “Start export,” we are telling the Office 365 Content Search to start to prepare all the required setting in the background, but the actual process of exporting the information to PST file is not automatically started.

In the following screenshot, we can see that the status of the “export option” was updated and now its configured as “Download exported results.

Download the PST file to the local Host - using Security & Compliance -01-min

  • Under the section, Export results to a computer, click on the option – Download exported results

Download the PST file to the local Host - using Security & Compliance -02-min

To be able to download the private data in PST file that will be saved on our local drive, Office 365 needs to verify our identity (trust the entity the perform the download file process).

This “trust” is implemented by using a “secret key” (the Export key).

  • In the windows that appear, select the option – copy to clipboard

We will need this “key” at a later stage, as part of the information that we need to provide to the eDiscovery PST Export Tool.

Download the PST file to the local Host - using Security & Compliance -03-min

Although we don’t have to save the export key to a file, my recommendation is to save the Secret Key value in a file (such as text file) so, it will be easy for us to get this value Down the road.

Download the PST file to the local Host - using Security & Compliance -04-min

  • Click on the option – Download results

Download the PST file to the local Host - using Security & Compliance -05-min

In this step, we will download + install the Office 365 application that is required for implementing the process of download the search result to a PST file that will be saved on the local Hard drive.

Note – there are preliminary requirements that need for completing the process of downloading and using the eDiscovery PST Export Tool.

You can read more information about these pre-requirements for the eDiscovery PST Export Tool in the following article.

  • Click – Open

Installing the PST export application on the local host -01-min

  • Click – Install

Installing the PST export application on the local host -02-min

The installation process begins.

Installing the PST export application on the local host -03-min

Now we will need to provide to eDiscovery PST Export Tool two details – the secret key that we got from the former step + the location on our local Hard drive which will use to store the PST file.

Saving the exported PST file to local folder -01

  • In the section – Paste the export key that will be used to connect to the source, paste the Export Key value

Saving the exported PST file to local folder -02

In this section, we need to define the local folder which will be used to store the PST file.

  • Click on the Browse button

Saving the exported PST file to local folder -03

In our scenario, we will create a NEW folder on the desktop

  • Click – Make New Folder

Saving the exported PST file to local folder -04

  • We will call the new folder – Exported PST

Saving the exported PST file to local folder -05

  • Click – Start

Saving the exported PST file to local folder -06

In the following screenshot, we can see that the process of exporting the Exchange mailbox content to PST file start

Saving the exported PST file to local folder -07

  • Click – Close

Saving the exported PST file to local folder -08

Summary and recap

In the current article, we review how to use the Office 365 Content Search tool for performing a search query that gets the whole content of a specific Exchange Online mailbox + Export the information (the search results) to a PST file.

In the next article, we review how to import the PST file to the Outlook mail profile, so we will be able to browse view the content of the “Recoverable items” folder.


Now it’s Your Turn!
It is important for us to know your opinion on this article

Related Post

Please rate this

Eyal Doron on EmailEyal Doron on FacebookEyal Doron on GoogleEyal Doron on LinkedinEyal Doron on PinterestEyal Doron on RssEyal Doron on TwitterEyal Doron on WordpressEyal Doron on Youtube
Eyal Doron
Share your knowledge.
It’s a way to achieve immortality.
Dalai Lama

Leave a Reply

Your email address will not be published. Required fields are marked *