Configure eDiscovery Permissions Filtering for Content Search

Calling all PowerShell lovers! This is an opportunity for you to utilize your scripting skills to minimize the eDiscovery capacity for select users in your tenant. For the scenarios that call for restrictions on who should be able to search what with regards to Exchange Online mailboxes (both active and inactive), SharePoint Online Sites, or OneDrive storage, the Office 365 Security & Compliance center now offers search permission filters.

So how does this work? This feature is implemented by using PowerShell and connecting to both Exchange Online Remote PowerShell and Security & Compliance Center using an account that is a member of the Organization Management role group in the Security & Compliance Center. While there isn’t a hard limit to the number of filters you can use, over 100 can adversely impact performance. Microsoft recommends combining services with filters to help alleviate performance bottlenecks (NOTE: this recommendation may not be applicable in every scenario). The filters you create can be applied when running, purging, exporting, or previewing searches. These can be applied to Exchange Online as well as to SharePoint Online using Boolean expressions (AND operator from within a content search and OR operator when multiple search filters are combined). The filters are applied after a search is executed using different search properties derived from Keyword Query Language (KQL).

Key Features

PowerShell commands allow for specific search filtering applied to specified users (NOTE: does not support distribution groups):

  • PowerShell commands to create, query, change, or delete search filters:
    • New-ComplianceSecurityFilter
    • Get-ComplianceSecurityFilter
    • Set-ComplianceSecurityFilter
    • Remove-ComplianceSecurityFilter

Exchange Online mailbox and mailbox content search filtering:

  • Listing of filterable properties for the -RecipientFilter Exchange Online PowerShell parameter (NOTE: Applicable to address lists, address list policies, or distribution groups):
  • This example allows the user username@companydomain.com to perform all Content Search actions only for mailboxes in USA. This filter contains the three-digit numeric country code for the United States from ISO 3166-1:
    • New-ComplianceSecurityFilter -FilterName CountryFilter -Users user@companydomain.com -Filters “Mailbox_CountryCode  -eq ‘840’” -Action All

SharePoint Online and OneDrive for Business content search filtering:

  • There are differences in the use of crawled properties vs managed properties in SharePoint site and SharePoint site content searches:
    • Crawled properties: content and metadata is extracted from an item and then mapped to a Managed property
    • Managed properties: a large number of settings, or attributes help determine how the contents are shown in search results
  • Listing of keyword query language (KQL) properties and search conditions for Content Search:
  • This example permits members of the OneDrive eDiscovery Managers custom role group to only search for content in OneDrive for Business locations in the organization:
    • New-ComplianceSecurityFilter -FilterName OneDriveOnly -Users “OneDrive eDiscovery Managers” -Filters “Site_Path -like ‘https://tenantname-my.sharepoint.com/personal*'” -Action Search
  • This example restricts the user to performing all Content Search actions on SharePoint Site documents that were last changed sometime in the calendar year 2018:
    • New-ComplianceSecurityFilter -FilterName DocumentDateRestrictionFilter -Users user@company.com -Filters “SiteContent_LastModifiedTime -ge ’01-01-2018′ -and SiteContent_LastModifiedTime -lt ’01-01-2019′” -Action All

Caveats

  • Exchange Online Public Folders search permissions filtering is not available.
  • You will need to create a search permissions filter to explicitly prevent users from searching content locations in a specific Office 365 service, such as preventing a user from searching any Exchange mailbox or any SharePoint site.

Sound enticing? Need more information? Email info@peters.com. We are happy to help. Thanks for reading and good luck!

By | 2018-12-18T11:47:21+00:00 July 2nd, 2018|Infrastructure Services|Comments Off on Configure eDiscovery Permissions Filtering for Content Search

About the Author:

In the role of senior consultant for Peters & Associates, Kevin's main areas of expertise that he brings his clients are in the realm of Active Directory, Microsoft Exchange, Office 365, Azure, and ADFS. With over 20 years of IT experience in a multitude of industries with various sized environments, he has done everything from system integration, migration, administration, recovery, performance optimization, and high availability. With a tenacious penchant for success and unrelenting gumption, Kevin's talents and skill have and continue to exponentially evolve with the field and the arrow always pointing up on possibility and prosperity.