Advanced Audit

With E5 or the Advanced Audit add-on, you gain access to enhanced audit capabilities for forensic investigations and long-term compliance.

High-Value Audit Events

  • MailItemsAccessed — Every email read event
  • Send — Every email sent event
  • SearchQueryInitiatedExchange — Mailbox searches performed
  • SearchQueryInitiatedSharePoint — SharePoint searches performed

10-Year Retention

Keep audit logs for up to 10 years for long-term compliance and forensic needs. Configure retention policies to specify how long different audit record types are kept.

Higher Bandwidth

Increased API throttling limits for faster large-scale searches. Essential for large organizations running complex investigations across many users and workloads.

Content Search

Search for content across your Microsoft 365 environment including Exchange mailboxes, SharePoint sites, OneDrive accounts, and Teams conversations. Content Search is the foundation for eDiscovery, compliance investigations, and data subject access requests.

Note: Content Search is available with Microsoft 365 E3 and above. eDiscovery (Premium) features require E5 or eDiscovery add-on licensing.

Search Locations

Exchange Online

  • User mailboxes (primary and archive)
  • Shared mailboxes
  • Microsoft 365 Group mailboxes
  • Public folders
  • Inactive mailboxes

SharePoint Online

  • SharePoint sites
  • Document libraries
  • Lists
  • Teams site content
  • Microsoft 365 Group sites

OneDrive for Business

  • User OneDrive accounts
  • Shared files
  • Synced content

Microsoft Teams

  • Channel messages (via group mailbox)
  • Private chats (via user mailbox)
  • Meeting conversations
  • Shared files (via SharePoint)

Query Syntax (KQL)

Keyword Query Language (KQL) for advanced searches:

  • project AND confidential — Keyword search
  • "quarterly report" — Phrase search
  • from:john@contoso.com AND subject:"budget" — Property search
  • sent:2024-01-01..2024-03-31 — Date range
  • filetype:xlsx AND filename:budget — File type
  • project* AND 202* — Wildcard

Common Properties

| Property | Description | Example |
|---|---|---|
| from: | Email sender | from:user@domain.com |
| to: | Email recipient | to:legal@domain.com |
| subject: | Email subject line | subject:contract |
| sent: | Date email was sent | sent>=2024-01-01 |
| received: | Date email was received | received<=2024-12-31 |
| hasattachment: | Has attachments | hasattachment:true |
| filename: | File name | filename:report.pdf |
| author: | Document author | author:"John Smith" |
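
An added example (not code from this page or from Microsoft): a Python helper that builds a query in the syntax above from investigator-supplied terms, quoting each value so an embedded operator such as OR cannot widen the search, and returns a record of what was run. The function names, the AND-only policy and the rejection of quote characters are assumptions of this sketch.

```python
import hashlib
from datetime import date

# Text properties taken from the "Common Properties" table above.
TEXT_PROPS = {"from", "to", "subject", "filename", "author"}
# Straight and curly double quotes and line breaks: any of these could
# end or corrupt a quoted phrase, so terms containing them are refused.
BAD_CHARS = set('"\u201c\u201d\r\n')


def phrase(value: str) -> str:
    """Wrap an untrusted term as a phrase so operators inside it stay literal."""
    value = value.strip()
    if not value or BAD_CHARS & set(value):
        raise ValueError(f"unsafe search term: {value!r}")
    return f'"{value}"'


def build_query(keywords=(), props=None, sent_from=None, sent_to=None,
                has_attachment=None) -> str:
    """Compose an AND-only query; every caller-supplied value is quoted."""
    parts = [phrase(k) for k in keywords]
    for name in sorted(props or {}):          # sorted for reproducible records
        if name not in TEXT_PROPS:
            raise ValueError(f"property not allowed: {name!r}")
        parts.append(f"{name}:{phrase(props[name])}")
    if sent_from is not None or sent_to is not None:
        if not (isinstance(sent_from, date) and isinstance(sent_to, date)):
            raise ValueError("both ends of the date range are required")
        if sent_from > sent_to:
            raise ValueError("date range is reversed")
        parts.append(f"sent:{sent_from:%Y-%m-%d}..{sent_to:%Y-%m-%d}")
    if has_attachment is not None:
        parts.append(f"hasattachment:{'true' if has_attachment else 'false'}")
    if not parts:
        raise ValueError("refusing to build an unscoped query")
    return " AND ".join(parts)


def search_record(query: str, locations: list[str]) -> dict:
    """Record what was searched, with a digest that exposes later edits."""
    return {"query": query, "locations": sorted(locations),
            "sha256": hashlib.sha256(query.encode("utf-8")).hexdigest()}
```

Storing the returned record alongside each search gives the documentation trail that "Document your searches" under Best Practices asks for.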

Search Results

  • Preview Results — View a sample of matching items directly in the browser. Preview up to 1000 items per location.
  • Statistics — View total items found, size, and breakdown by location. Top locations report shows distribution.
  • Export Results — Download search results in PST (email) or original format (files). Includes search report with metadata.
  • Add to Review Set — (eDiscovery Premium) Add results to a review set for advanced analysis, tagging, and attorney review.

Export Options

  • All Items — Export all items matching search criteria
  • Indexed Items Only — Export only indexed (searchable) items
  • Unindexed Items Only — Export items that couldn’t be indexed (encrypted, corrupted, unsupported format)
  • De-duplicated — Remove duplicate items, one copy per unique message

Common Use Cases

  • Legal Hold / Litigation — Identify and preserve documents relevant to legal matters. Export for legal review and production.
  • Data Subject Request (GDPR) — Find all content associated with a specific individual for access, rectification, or deletion requests.
  • Internal Investigation — Search for evidence of policy violations, misconduct, or inappropriate communications.
  • Departed Employee — Retrieve and preserve content from users who have left the organization.

Best Practices

  • Narrow your search scope — Start with specific locations and date ranges to reduce results
  • Preview before exporting — Review sample results to verify query accuracy before full export
  • Use conditions for precision — Combine keywords with date, sender, and file type conditions
  • Document your searches — Keep records of search criteria for audit and defensibility

API Reference

  • GET /api/compliance/content-search — List all content searches
  • POST /api/compliance/content-search — Create a new content search
  • POST /api/compliance/content-search/:id/run — Start search execution
  • GET /api/compliance/content-search/:id/results — Get search results and statistics
  • POST /api/compliance/content-search/:id/export — Export search results