Compliance Search in Office 365 Dedicated

  • Article

 

Applies to: Exchange Online Dedicated

You can use Compliance Search to search mailboxes in your Office 365 Dedicated organization. Compliance Search is a new eDiscovery search tool with new and improved scaling and performance capabilities. Use Compliance Search to run very large eDiscovery searches because there are no limits on the number of mailboxes that you can search. There are also no limits on the number of searches that can run at the same time. After you run a compliance search, the number of mailboxes and an estimated number of search results are displayed in the details pane on the Compliance search page, where you can preview the results.

Contents

Create a search

Preview search results

Update search results

Edit a search

Restart a search

Compliance search limits

More information

Before you begin

  • For an administrator, compliance officer, or eDiscovery manager to have access to the Compliance search page to perform compliance searches, they have to be a member of the Discovery Management role group in the Exchange admin center (EAC).

  • After you run a compliance search, you can export the search results to a local computer. For more information, see Export Compliance Search results in Office 365 Dedicated.

  1. In the EAC, Click Search, and then click New Add Icon.

  2. On the New search page, type a name for the compliance search. This name has to be unique in your organization.

  3. Choose the content sources that you want to search. You can search mailboxes and sites in the same compliance search or in separate searches.

    • Search all mailboxes   Choose this option to search all mailboxes in your Exchange Online organization. There's no limit for the number of mailboxes for a single search.

    • Choose specific mailboxes to search   Choose this option to search specific. You can select distribution and dynamic distribution groups to search the mailboxes of group members. You can also include Office 365 groups as a content source to the search.

  4. Click the Include items that have an unrecognized format, are encrypted, or weren't indexed for other reasons checkbox if you want to include items in the search results that weren’t indexed. Note that any unindexed items will be included in the statistics displayed in the details pane. You will also have the option to download the unindexed items if you export the search results. But you won't be able to preview unindexed items.

  5. Click Next.

  6. In the box under What do you want us to look for?, type a search query in the box. You can specify keywords and message properties, such as sent and received dates. You can use a more complex queries that use a Boolean operator, such as AND, OR, NOT, NEAR, and ONEAR.

    If you leave this box empty, then all content located in the specified content sources will be included in the search results.

    You can also add conditions to a search query to narrow a search and return a more refined set of results. Each condition adds a clause to the KQL search query that is created and run when you start the search. A condition is logically connected to the keyword query (specified in the keyword box) by the AND operator. That means that items have to satisfy both the keyword query and the condition to be included in the results. This is how conditions help to narrow your results.

    For more information about creating search queries and using conditions, see Keyword queries and search conditions for Compliance Search in Office 365 Dedicated.

  7. Click Search to save the search settings and start the search.

    The search is started. After a while, an estimate of the search results displayed in the details pane. The estimate includes the total size and number of items for the search results. After the search is completed, you can preview the search results. If necessary, click Refresh Refresh Icon to update the information in the details pane.

Return to top

Preview search results

After a search is successfully completed, you can preview the search results. If there are more than 200 search results, only the 200 most recent results are displayed.

  1. On the Compliance search page, select a search.

  2. In the details pane, under Results, click Preview search results. The Preview search results page opens, and contains a list of the search result items.

    You can click a column header to sort the results based on subject, type, sender, or the date an item was received in the source mailbox.

  3. To preview an item, select it from the list, and click Show item.

    The item is opened in a new Outlook Web App window.

Note

If you preview the search results for a search that was last run more than 7 days ago, you will be prompted to update the search results. The search query is rerun to get the most current results that meet the search query.

Return to top

Update search results

When you update the results of an existing compliance search, the search query is rerun on all specified content sources. The obvious reason to update search results is to get the most recent data.

  1. On the Compliance search page, select the search that you want to refresh the results for.

  2. In the details pane, under Results, click Update search results.

    A status messages is displayed saying that the results are being retrieved. When the search is finished, updated information is displayed under Results in the details pane. Note that the date in the Searched on field in the details pane is updated to the current date and time. To refresh the information in the list of compliance searches, click Refresh Refresh Icon.

Return to top

You can change the source mailboxes and the search query for an existing Compliance search.

  1. On the Compliance search page, select a search.

  2. In the details pane, under Query, click Edit search.

  3. On the Locations page, you can change which mailboxes to search.

  4. On the Query page, you can edit the search query.

  5. To start the revised search, click Search on either the Sources or Locations page.

    The revised search is started.

Return to top

When you restart an existing compliance search, the keyword query for search is rerun on all specified content sources. The reason to restart a search is to get the most recent search results.

  1. On the Compliance search page, select the search that you want to restart.

  2. In the details pane, under Results, click Restart search.

    A status messages is displayed saying that the results are being retrieved. When the search is complete, updated information is displayed under Results in the details pane. Note that the date in the Searched on field in the details pane is updated to the current date and time. To refresh the information in the list of compliance searches, click Refresh Refresh Icon.

Return to top

Compliance search limits

Compliance Search has limits that are different from the current limits for In-Place eDiscovery in Exchange Online. The following table lists some of the limits for Compliance Search.

Description of limit Limit

The maximum number of mailboxes or sites that can be searched in a single compliance search

No limit

The maximum number of compliance searches that can run at the same time in your organization.

No limit1

The maximum number of items per user mailbox that are displayed on the preview page when previewing compliance search results.

100

The maximum number of items found in all user mailboxes that are displayed on the preview page when previewing compliance search results. The newest items are displayed.

200

The maximum number of user mailboxes that can be previewed for search results. If there are more than 1000 mailboxes that contain content that matches the search query, only the top 1000 mailboxes with the most search results will be available for preview.

1000

The maximum number of keywords that can be specified in a compliance search query.

500

The maximum number of mailboxes, distribution groups, or dynamic distribution groups that are displayed in the mailbox picker for selecting source mailboxes when creating a new compliance search

500

Maximum number of variants returned when using a prefix wildcard to search for an exact phrase in a keyword search query or when using a prefix wildcard and the NEAR or ONEAR operators. 2

10,000

The minimum number of alpha characters for prefix wildcards; for example, time*, one*, or set*.

3

Note

1   If you have to run multiple compliance searches against all mailboxes in your organization, we recommend that you run them one at a time.
2   For non-phrase queries we use a special prefix index. This only tells us that a word occurs in a message, not where in the message it occurs. To do a phrase query we need to compare the position for the words in the phrase. This means that we can't use the prefix index for phrase queries. In this case we are internally expanding the query with all possible words that the prefix expands to (for example, "time*" can expand to "time OR timer OR times OR timex OR timeboxed OR …"). 10,000 is the maximum number of variants the word can expand to (not the number of messages matching the query). There is no upper limit for non-phrase terms.

More information

  • Compliance searches created on the Search page in the Compliance Center aren't displayed on the In-Place eDiscovery & Hold page in the EAC. This is because the Compliance Search architecture and the search objects created are completely different than the In-Place eDiscovery in Office 365 Dedicated.

  • What is the difference between restarting and retrying a search? When you restart a search, all content sources that are specified in the search are searched again in a new preview search. However, when you retry a search, only the content sources that failed when the search was last run are searched again.

Return to top