Calculating your Daily Export for the Security & Compliance Center
One of the lesser-known boundaries of Office 365's Security & Compliance Center is that we only allow 2TB per day export volume. When we talk about exports, we're talking about the idea of taking content that has been identified via a content search mechanism (content search, eDiscovery case search, etc) and then staged for download.
After the search results are identified, during the export process, they are moved into Azure Blob Storage. This is where the 2TB limit comes in. You are limited to 2TB of content in a rolling 24-hour period (which you can, after some ticketing, get temporarily raised).
We don't provide a great mechanism in the UI to track and determine this, so for most customers, the way they learn about it is an error dialog box:
Currently, you don't really know until you get there, which is kind of like listening to your parents give you a status update on a family roadtrip.
For customers who export a lot of data, this can be frustrating. And, like I previously said, the UI doesn't give you a good way to summarize the cases and export volume. But THIS IS SPART--
Whoa. Maybe not. Maybe it's just PowerShell, but it's still pretty good.
Using the Compliance cmdlets, we can get a little bit of insight into the what the status of exports is.
Running the script with no parameters (or with the -Report parameter) is the same as running it with -SearchType SearchByRecentOnly -Hours 24. That means, we're looking for cases accessed in the last 24 hours, and then inside that, looking for exports performed in the last 24 hours. The difference with -Report, of course, is that you get a report at the end.
The end result:
You'll see you have two pieces of information:
- You have a report.
- You have some exported objects.
The report is the same as the exported objects, so we'll go look in the $Exports object:
I've also included some additional parameters, such as searching all cases (which you'll want to do for looking for results exports further back) as well as looking at the LastModifiedDateTime stamp on the eDiscovery case object. Fun fact: the LastModifiedDateTime property is not updated when you do work inside of the case--it's only updated when you make changes to the properties of the case object itself.
A final note: If you aren't a member of eDiscovery Case Admins, you'll only be able to see results for cases that you either own (created) or were made a member of by another case owner.
You can download the script in the TechNet Gallery at: https://gallery.technet.microsoft.com/Get-SCCExportDataSize-1dc80e88