We will review the following subjects:
- How to create an Exchange In-place eDiscovery & Hold query.
- How to send a copy of the search results to the Discovery Search Mailbox.
- How to export the search results to PST file.
- How to access the Exchange Online In-Place eDiscovery admin interface by Office 365 Business customers.
Article Table of content | Click to Expand
Article Series Table of content | Click to Expand
In the following section, we will demonstrate the way that we use Exchange Online in-place eDiscovery & Hold for searching and recovering mail items.
In our scenario, we get a call from a user named John that reports that he noticed that some of his mail is missing.
John is not sure if the mail items were deleted in a specific date and cannot point out a specific charter of the mail item that deleted.
In this scenario, we would like to create a query that will “scan” John’s mailbox and “send” the search result of the – Discovery Search Mailbox.
Later on, we look for information about deleted mail items located in the Recoverable Items folder in the Purges folder
Step 1 – assign permissions
To be able to create an in-place eDiscovery & hold query, that will search through Exchange users’ mailboxes and in addition, enable us to view data from a user mailbox, we will need to have the required permissions.
The required permissions are membership in a group named:
- In the Exchange Online management portal, choose the permissions menu and then, on the top-bar choose admin roles.
- Double-click on a group named – Discovery Management
- In the members sections, click on the plus icon to add the username that needs to have the required permission (the user that will perform the In-place eDiscovery & hold search).
Step 2 – creating in-place eDiscovery & hold search query
In the following section, we will create the required in-place eDiscovery & hold search query. In our specific example, we will not create a specific filter, but instead, search the “whole of John mailbox”.
- On the left side menu bar, choose the menu – compliance management
- On the top menu, bar choose the menu – In-place eDiscovery & hold
- Click on the plus sign for creating a new in-place eDiscovery & hold search
- In the text box – Name and description, provide the name for the -place eDiscovery & hold search query. Note – the name cannot contain spaces.
In our specific scenario, we want to look at John’s mailbox.
For this reason, we will choose the option of – specify the mailbox to search.
- In the window that appears, we will search for John’s name and then, click on the add button.
In the following screenshot, we can see that the search query “boundary” is John’s mailbox.
The following window enables us to set the specific parameters of the search query.
- In our specific scenario, we will choose the option of – include all content.
On the next screen, we will not select anything because this part is related to a scenario in which we want to put on hold particular mail items (our purpose is only to search and recover mail items).
For this reason, we will just click on the finish button
In the following screenshot, we can see we can see that the In-place eDiscovery & hold search query successfully created.
In the following screenshot, we can see the In-place eDiscovery & hold search query that we have created. Notice that the status is “Search has been queued.”
Exchange server needs some time to look for the required information in the Exchange index database.
Step 3 – View the In-place eDiscovery & hold search results
In the section, we want to “take a peek” in the search results, meaning the information (mail items) that was founded based on our search query.
To view the information, click on the link – Preview search results.
In the following screenshot, we can see the result search meaning – the mail items that appear in John mailbox.
Note that the information displayed in a “flat manner.”
The meaning is that the view doesn’t include the “original folder structure and Hierarchy” as at appearing in the “original John mailbox”.
From my experience, this “flat view” is suitable only in a scenario that the search result includes a few mail items.
In a scenario that we create a search query that “fetch” all of the user mailboxes which can contain thousands or even tens of thousands of mail items, the “Flat view” will make it very hard to look for a particular
But fear not!
Step 4 – copy\save the In-place eDiscovery & hold search results to the Discovery Search Mailbox
In the next section, we will demonstrate how to “export” (copy) the search query results to a special Exchange system mailbox named: Discovery Search Mailbox
The option of saving the search query results to the Discovery Search Mailbox will enable us to get a clear view of the folder structure in John’s mailbox and also, save the information for later use.
Click on the Magnifying glass icon and choose the menu – Copy search results
In the following windows, we will need to choose where to “store” the search query results.
By default, Exchange creates one dedicated system mailbox named
Technically, we can ask to create additional Exchange Discovery Search Mailboxes but for now, let’s satisfied in the “original” Discovery Search Mailbox.
An additional option that is available for us are options such as Enable full logging and more
To finish the “export” (copy) process of the search results to the Discovery Search Mailbox, click on the OK button.
In the following screenshot, we can see that a “new section” was added.
To be able to view the search result, click on the [open] link
In the following screenshot, we can see the content of the Discovery Search Mailbox.
Pay attention to the logic behind the Discovery Search Mailbox structure.
The search results that appear in the Discovery Search Mailbox have the structure and the Hierarchy as it seems in the “original mailbox”. For example, the default inbox folder and so on.
The search results, are saved under a “dedicated folder” that use the name whom we have defined in the earlier steps for the In-place eDiscovery & holds search query
(In our scenario – Search_john_mailbox).
Another interesting thing is that the search results include the Purges folder. This is the folder that will include “hard deleted” mail items and that cannot be seen or accessed by the mailbox owner (John in our scenario).
Step 5 – export the search results to PST file
A very useful option that includes in the In-place eDiscovery & hold is the option of exporting the search results to a PST file.
To be able to export the particular search result, we will need to choose the result search job (Search_john_mailbox in our scenario) and click on the down arrow icon (Export to a PST file).
The computer you use to export search results to a PST file has to meet the following system requirements:
- 32- and 64-bit versions of Windows 7 and later versions
- Microsoft .NET Framework 4.5
- A supported browser:
- Internet Explorer 10 and later versions
- Mozilla Firefox or Google Chrome, with the ClickOnce add-in installed
The export process is implemented by downloading a specific software component that will help us to download the file from Exchange Online to our local desktop.
- Click on the Run option
Choose a local folder that will be used for saving the exported PST file. In our example, we have created a folder named: John PST
Provide the credentials (user name + password) of a user that have the required permission (membership in the Discovery Management group)
In the following screenshot, we can see the result. The results are the required PST file + Log file
In the following screenshot, we can see an example, in Log file that provided as part as the exported files.
The Log file includes information about every mail item that appears in the search result.
View the mail items in the PST file using an Outlook mail client
In the former section, we review the steps that are needed for exporting the search result to a PST file.
To be able to view the content of the PST file, we will need to add the PST file to an existing Outlook profile.
In the following example, we will add to existing Outlook mail profile the PST file that we got from the In-place eDiscovery & hold search result of John’s mailbox.
In outlook choose the File menu ==> Account Settings and then again Account Settings…
Choose the Data Files tab and click on the Add… button
In our example, John PST is located on drive C: in a folder named: John PST
In the following screenshot, we can see the “new PST” file that added to our Outlook mail profile.
How to access the Exchange Online In-Place eDiscovery admin interface by Office 365 Business customers
As mentioned, the option to use Exchange In-place eDiscovery & hold is available for Office 365 customers who have purchased Office 365 Business license but, not via the standard Office 365 portal admin interface.
To be able to view the “Advanced Exchange Online” admin interface, we will need to use a little trick in which we will “rewrite” the URL address.
In the following screenshot, we can see that standard portal interface of Office 365 Business customer.
Login into your mailbox using the OWA web mail client – click on the options menu and then on the Mail icon
In the following screenshot, we can see that “standard” OWA mail client URL address.
To be able to access the Exchange Online admin interface, we will need to “remove” the URL part after the address:https:/outlook.office365.com
To be able to access the Exchange Online web-based management, we will need to add the folder name ECP to the URL address
For example, https:/outlook.office365.com/ecp
In the following screenshot, we can see the “standard” Exchange Online admin interface that enables us to access the option of Exchange In-Place eDiscovery & Hold
- How to do In-place eDiscovery in new O365?
- In-Place eDiscovery
- In-Place eDiscovery and In-Place Hold in the New Exchange – Part I
- In-Place eDiscovery and In-Place Hold in the New Exchange – Part II
It is important for us to know your opinion on this article