Managing Content Searches in the Security & Compliance Center

Recently, a customer asked for clarification on the difference between Content Search (Security & Compliance center | Search & investigation | Content search) and the Content Search feature in an eDiscovery case (Security & Compliance center | Search & investigation | eDiscovery).  The answer: nothing.

Well, almost nothing.

In the context of how they work, they are identical. What's different is how they're presented and what everyone can see.  Under the main Content Search, the details of the search (who created it, what locations were searched, and what keywords or content was searched for) are visible to everyone with access to Content Search.  In the real world, you may not want everyone to see what is being searched for, since searches can reveal things that may be inappropriate for all with access to see.

That's where an eDiscovery case comes in handy.  With eDiscovery, you can only see cases listed that you have created or to which you have been added as a case member.  The content searches are performed inside the case, so if you can't see that a case even exists, you most certainly can't see the associated content searches.

To limit the potential display of content searches, I have created a script that can be used to notify the creator of the Content Search, their manager, and any additional administrators that a search was created in the wrong area and that it should instead be created in the context of an eDiscovery case.

Alert on ComplianceReports
$SMTPServer = ""
$Date = Get-Date -Format yyyy-MM-dd-hh
$LogFile = "C:\Logs\$($Date)" + "_ContentSearchLog.txt"
$Recipients = @('', '')
$From = ""

Function o365Logon
    $userAdmin = ""
    $userAdminPass = "Password123"
    $securePassword = ConvertTo-SecureString $userAdminPass -AsPlainText -Force
    $global:Credential = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $userAdmin, $securePassword
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $Credential -Authentication Basic -AllowRedirection
    $ComplianceSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $Credential -Authentication Basic -AllowRedirection
    Import-PSSession $Session
    Import-PSSession $ComplianceSession -Prefix Protection
    Connect-MsolService -Credential $Credential


# Build list of searches
$Searches = Get-ProtectionComplianceSearch

# Users allowed to create/run searches
$eDiscoveryUsers = @()
$ComplianceCenterRoleGroups = Get-ProtectionRoleGroup
foreach ($Group in $ComplianceCenterRoleGroups)
$eDiscoveryUsers += Get-ProtectionRoleGroupMember $Group.Name
$eDiscoveryUsers = $eDiscoveryUsers | Sort -Unique -Property DistinguishedName

foreach ($Search in $Searches)
    # Save Search's CreatedBy value as CreatedByName
    $CreatedByName = $Search.CreatedBy
    # Search eDiscovery-enabled users for Displayname that matches CreatedByName
    foreach ($User in $eDiscoveryusers)
        If ($Search.CreatedBy -match $User.Name)
            # "$($User.DisplayName) matches"
            $CreatedBy = $User.PrimarySmtpAddress
        # If we can't find a name in the eDiscovery users, then search the GAL and return the first matching user
        $CreatedBy = (Get-Recipient -anr $Search.CreatedBy).PrimarySmtpAddress[0]
    $SearchName = $Search.Name
    $CreatedByManager = $CreatedBy.Manager
    $CreatedByManagerAddress = (Get-Recipient $CreatedByManager).PrimarySmtpAddress
    $Body = "You created search $($SearchName) in the Content Search area of the Security & Compliance Center. It has been deleted. Please re-create it in the eDiscovery Center."
    $Subject = "NOTIFICATION: Your Content Search has been deleted."
    If ($CreatedByManagerAddress) { $Recipients += $CreatedByManagerAddress }
    Send-MailMessage -SmtpServer $SMTPServer -To $CreatedBy -Cc $Recipients -Subject $Subject -Body $Body -From $From
    $Search | Out-File -Append $Logfile
    Add-Content "------------------------------------" -Path $Logfile
    Remove-ProtectionComplianceSearch -Identity $Search.Identity -Confirm:$false

Get-PSSession | Remove-PSSession