Calling all PowerShell lovers! This is an opportunity for you to utilize your scripting skills to minimize the eDiscovery capacity for select users in your tenant. For the scenarios that call for restrictions on who should be able to search what with regards to Exchange Online mailboxes (both active and inactive), SharePoint Online Sites, or OneDrive storage, the Office 365 Security & Compliance center now offers search permission filters.
So how does this work? This feature is implemented by using PowerShell and connecting to both Exchange Online Remote PowerShell and Security & Compliance Center using an account that is a member of the Organization Management role group in the Security & Compliance Center. While there isn’t a hard limit to the number of filters you can use, over 100 can adversely impact performance. Microsoft recommends combining services with filters to help alleviate performance bottlenecks (NOTE: this recommendation may not be applicable in every scenario). The filters you create can be applied when running, purging, exporting, or previewing searches. These can be applied to Exchange Online as well as to SharePoint Online using Boolean expressions (AND operator from within a content search and OR operator when multiple search filters are combined). The filters are applied after a search is executed using different search properties derived from Keyword Query Language (KQL).
PowerShell commands allow for specific search filtering applied to specified users (NOTE: does not support distribution groups):
- PowerShell commands to create, query, change, or delete search filters:
Exchange Online mailbox and mailbox content search filtering:
- Listing of filterable properties for the -RecipientFilter Exchange Online PowerShell parameter (NOTE: Applicable to address lists, address list policies, or distribution groups):
- This example allows the user email@example.com to perform all Content Search actions only for mailboxes in USA. This filter contains the three-digit numeric country code for the United States from ISO 3166-1:
- New-ComplianceSecurityFilter -FilterName CountryFilter -Users firstname.lastname@example.org -Filters “Mailbox_CountryCode -eq ‘840’” -Action All
SharePoint Online and OneDrive for Business content search filtering:
- There are differences in the use of crawled properties vs managed properties in SharePoint site and SharePoint site content searches:
- Crawled properties: content and metadata is extracted from an item and then mapped to a Managed property
- Managed properties: a large number of settings, or attributes help determine how the contents are shown in search results
- Listing of keyword query language (KQL) properties and search conditions for Content Search:
- NOTE: this is applicable to both email and document properties, thus being leveraged for Exchange Online and/or SharePoint Online content searches
- This example permits members of the OneDrive eDiscovery Managers custom role group to only search for content in OneDrive for Business locations in the organization:
- New-ComplianceSecurityFilter -FilterName OneDriveOnly -Users “OneDrive eDiscovery Managers” -Filters “Site_Path -like ‘https://tenantname-my.sharepoint.com/personal*'” -Action Search
- This example restricts the user to performing all Content Search actions on SharePoint Site documents that were last changed sometime in the calendar year 2018:
- New-ComplianceSecurityFilter -FilterName DocumentDateRestrictionFilter -Users email@example.com -Filters “SiteContent_LastModifiedTime -ge ’01-01-2018′ -and SiteContent_LastModifiedTime -lt ’01-01-2019′” -Action All
- Exchange Online Public Folders search permissions filtering is not available.
- You will need to create a search permissions filter to explicitly prevent users from searching content locations in a specific Office 365 service, such as preventing a user from searching any Exchange mailbox or any SharePoint site.
Sound enticing? Need more information? Email firstname.lastname@example.org. We are happy to help. Thanks for reading and good luck!