AzureFeeds

Welcome back to the series of blogs covering search and purge in Microsoft Purview eDiscovery!

If you are new to this series, please first visit the blog post in our series that you can find here: Search and Purge workflow in the new modern eDiscovery experience.

Also please ensure you read in full the Microsoft Learn documentation on this topic as I will not be covering some of the steps in full (permissions, releasing holds, all limitations): Find and delete email messages in eDiscovery | Microsoft Learn

So as a reminder, E3/G3 customers must use the Security and Compliance PowerShell cmdlets to execute the purge operation.

Searches can continue to be created using the New-ComplianceSearch cmdlet and then run the newly created search using the Start-ComplianceSearch cmdlet.

Once a search has run, the statistics can be reviewed before executing the New-ComplianceSearchAction cmdlet with the Purge switch to remove the item from the targeted locations.

However, some organizations may want to initially run the search, review statistics and export an item report in the new user experience before using the New-ComplianceSearchAction cmdlet to purge the items from the mailbox.

1. Create the case, if you will be using the new Content Search case you can skip this step. However, if you want to create a new case to host the search, you must create the case via PowerShell. This ensures any searches created within the case in the Purview portal will support the PowerShell based purge command.

Use the Connect-IPPSession command to connect to Security and Compliance PowerShell before running the following command to create a new case.

New-ComplianceCase “Test Case”

 

2. Select the new Purview Content Search case or the new case you created in step 1 and create a new Search

 

3. Within your new search use the Add Sources option to search for and select the mailboxes containing the item to be purged by adding them to the Data sources of your newly created search.

Note: Make sure only Exchange mailboxes are selected as you can only purge items contained within Exchange Mailboxes. If you added both the mailbox and associated sites, you can remove the sites using the 3 dot menu next to the data source under User Options.

 

 

Alternatively, use the manage sources button to remove the sites associated with the data source.

 

4. Within Condition builder define the conditions required to target the item you wish to purge. In this example, I am targeting an email with a specific subject, from a specific sender, on a specific day.

 

5. To help me understand the estimated number of items that would be returned by the search I can run a statistics job first to give me confidence that the query is correct. I do this by selecting Run Query from the search itself. Then I can select Statistics and Run Query to trigger the Statistics job. Note, you can view the progress of the job via the Process Manager

6. Once completed I can view the Statistics to confirm the query looks accurate and returning the numbers I was expecting.

7. If I want to further verify that the items returned by the search is what I am looking for, I can run a Sample job to review a sample of the items matching the search query

 

8. Once the Sample job is completed, I can review samples for locations with hits to determine if this is indeed the items I want to purge.

 

9. If I need to go further and generate a report of the items that match the search (not just statistics and sampling) I can run an export to generate a report for the items that match the search criteria.

Note: It is important to run the export report to review the results that purge action will remove from the mailbox. This will ensure that we purge only the items of interest.

 

10. Download the report for the export job via the Process Manager or the Export tab to review the items that were a match

 

 

Note: If very few locations have hits it is recommended to reduce the scope of your search by updating the data sources to include only the locations with hits.

11. Switch back to the cmdlet and use Get-ComplianceSearch cmdlet as below, ensure the query is as you specified in the Purview Portal

Get-ComplianceSearch -Identity “My search and purge” | fl

12. As the search hasn’t be run yet in PowerShell – the Items count is 0 and the JobEndTime is not set – the search needs to be re-run via PS as per the example shown below

Start-ComplianceSearch “My search and purge”

 

13. Give it a few minutes to complete and use Get-ComplianceSearch to check the status of the search, if the status is not “Completed” and JobEndTime is not set you may need to give it more time

14. Check the search returned the same results once it has finished running

Get-ComplianceSearch -Identity “My search and purge” | fl name,status,searchtype,items,searchstatistics

 

CRITICAL: It is important to make sure the Items count match the number of items returned in the item report generated from the Purview Portal.

If the number of items returned in PowerShell do not match, then do not continue with the purge action.

15. Issue the purge command using the New-ComplianceSearchAction cmdlet

New-ComplianceSearchAction -SearchName “My search and purge” -Purge -PurgeType HardDelete

16. Once completed check the status of the purge command to confirm that the items have been deleted

Get-ComplianceSearchAction “My search and purge_purge” | fl

Now that the purge operation has been completed successfully, it has been removed from the target mailbox and is no longer accessible by the user.