Background We have a group of users in our “Cyber IT Team” and would like to be able to delegate the ability for that team to carry out Content Searches in our Exchange Online mailboxes. The results of these searches can then subsequently be used by the Exchange team (which is a separate team) to purge related data from Exchange mailboxes. Requirements Delegate the ability for our “Cyber IT Team” to carry out Content Searches of Exchange Online mailboxes. The “Cyber IT Team” should only be able to see Content Searches that they own. Results of these searches can subsequently be used by the Exchange Team to purge Exchange data related to those searches. Today the Exchange Team uses the New-ComplianceSearchAction cmdlet. For example, the cmdlet below would purge items which are part of the “ Cyber-IT-Team-12-12-2024 ” Content Search: New-ComplianceSearchAction -SearchName "Cyber-IT-Team-12-12-2024" -Purge -PurgeType HardDelete Thanks!

Hi @mark terry Greetings & Welcome to Microsoft Q&A forum! Thanks for posting your query! Thank you for providing the detailed background on your requirements. I understand that you would like to delegate the ability to perform Content Searches in Exchange Online to your Cyber IT Team , while ensuring that the Exchange Team can act on the search results to purge the related data. It's great to see you are focusing on security while providing the necessary access. The approach of assigning the full ' eDiscovery Manager ' role and relying on individual eDiscovery cases, as sometimes suggested, is not the most secure or efficient method. It grants excessive permissions and doesn't fully restrict visibility to only owned searches. A better approach is to use a custom role group with specific permissions. Here's how: Create a Custom Role Group - In the Microsoft Purview compliance portal ([invalid URL removed]), navigate to Permissions -> Roles -> Role groups and create a new role group (e.g., 'Cyber IT Searchers'). Assign Specific Roles - Add the following roles to this custom role group, Compliance Search - This allows users to create, modify, and run Content Searches. (Optional but recommended) Preview - This allows users to preview search results. Crucially, do NOT add roles like 'Case Management' or 'Hold'. This ensures they only have the necessary permissions. Add Cyber IT Team Members - Add the members of the Cyber IT Team to this new role group. Exchange Team Purge Action - The Exchange team can then use the New-ComplianceSearchAction cmdlet as before: New-ComplianceSearchAction -SearchName "Cyber-IT-Team-12-12-2024" -Purge -PurgeType HardDelete This approach offers several advantages: Principle of Least Privilege - It grants only the necessary permissions, minimizing the potential impact of security breaches or accidental misuse. True Restricted Visibility - Users in this custom role group will only see and manage the Content Searches they create. Simplified Management - It avoids the overhead of managing numerous eDiscovery cases. By following these steps, you can effectively delegate Content Search capabilities to the Cyber IT Team while maintaining strong security and control over your Exchange environment. This ensures compliance and a proper separation of duties between the Cyber IT and Exchange teams." I hope this information helps. Please do let us know if you have any further queries. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Delegate Exchange Content Search ability to specific users

Accepted answer

Chandra Boorla 6,460 Reputation points Microsoft Vendor

2025-01-03T04:09:52.0033333+00:00
Hi @mark terry

Greetings & Welcome to Microsoft Q&A forum! Thanks for posting your query!

Thank you for providing the detailed background on your requirements. I understand that you would like to delegate the ability to perform Content Searches in Exchange Online to your Cyber IT Team, while ensuring that the Exchange Team can act on the search results to purge the related data. It's great to see you are focusing on security while providing the necessary access.

The approach of assigning the full 'eDiscovery Manager' role and relying on individual eDiscovery cases, as sometimes suggested, is not the most secure or efficient method. It grants excessive permissions and doesn't fully restrict visibility to only owned searches.

A better approach is to use a custom role group with specific permissions. Here's how:

Create a Custom Role Group - In the Microsoft Purview compliance portal ([invalid URL removed]), navigate to Permissions -> Roles -> Role groups and create a new role group (e.g., 'Cyber IT Searchers').

Assign Specific Roles - Add the following roles to this custom role group, Compliance Search - This allows users to create, modify, and run Content Searches. (Optional but recommended) Preview - This allows users to preview search results.

Crucially, do NOT add roles like 'Case Management' or 'Hold'. This ensures they only have the necessary permissions.

Add Cyber IT Team Members - Add the members of the Cyber IT Team to this new role group.

Exchange Team Purge Action - The Exchange team can then use the New-ComplianceSearchAction cmdlet as before:

New-ComplianceSearchAction -SearchName "Cyber-IT-Team-12-12-2024" -Purge -PurgeType HardDelete

This approach offers several advantages:

Principle of Least Privilege - It grants only the necessary permissions, minimizing the potential impact of security breaches or accidental misuse.

True Restricted Visibility - Users in this custom role group will only see and manage the Content Searches they create.

Simplified Management - It avoids the overhead of managing numerous eDiscovery cases.

By following these steps, you can effectively delegate Content Search capabilities to the Cyber IT Team while maintaining strong security and control over your Exchange environment. This ensures compliance and a proper separation of duties between the Cyber IT and Exchange teams."

I hope this information helps. Please do let us know if you have any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Please sign in to rate this answer.

1 person found this answer helpful.
mark terry 85 Reputation points

2025-01-06T17:04:19.3366667+00:00

Hi Chandra,

Thank you very much for your response!

I have created a Custom Role Group per your suggestion and only assigned the "Compliance Search" and "Preview" Roles to that group. I then assigned that Role Group to an Entra ID Group which our Cyber IT Team are members of.

However, when one of the Cyber IT Team members logs in to purview.microsoft.com, they still see Content Search entries for other users outside of their group.

Any suggestions?

Thanks again!

Chandra Boorla 6,460 Reputation points Microsoft Vendor

2025-01-06T20:45:41.28+00:00

@mark terry

Thanks for the update! If Cyber IT Team members are seeing Content Search entries created by others despite being restricted to a custom role group, it’s likely due to how permissions and visibility are configured in Microsoft Purview.

Here are some potential causes and solutions:

Verify Role Group Membership - Ensure that the Cyber IT Team members are indeed members of the Entra ID Group that you assigned to the Custom Role Group. Sometimes, there can be a delay in permissions being applied, so double-checking this can help.

Check Role Group Settings - Confirm that the Custom Role Group is configured correctly. Go to the Microsoft Purview compliance portal, navigate to Permissions -> Roles -> Role groups, and ensure that the "Cyber IT Searchers" group has only the "Compliance Search" and "Preview" roles assigned, with no additional roles that might grant broader access.

Review Content Search Ownership - Ensure that the Content Searches being viewed are not owned by the Cyber IT Team members. Users can only see searches they own, so if they are seeing searches owned by others, it may indicate a permissions issue or that those searches were created under a different context.

Test with a New Search - Have a member of the Cyber IT Team create a new Content Search and check if they can see it in the list. This will help determine if the issue is with existing searches or a broader permissions problem.

Permissions Propagation - Sometimes, permissions changes can take a little time to propagate. If the changes were made recently, it might be worth waiting a short period and then checking again.

By following these steps, you should be able to identify the cause of the visibility issue and ensure that your Cyber IT Team has the appropriate access to only their Content Searches.

I hope this information helps.

Thank you.

mark terry 85 Reputation points

2025-01-08T15:47:50.06+00:00

Hi Chandra. I confirmed your suggestions are not at play. I am wondering if the restrictions we have put in place only apply to the "new" eDiscovery Content Search section of purview.microsoft.com. The place where our Cyber team are seeing all of the other Content Search entries is under the "Classic eDiscovery" section. Do you think the restrictions we put in place do not apply to the "Classic eDiscovery/Content Search" feature.

Thanks again.

Chandra Boorla 6,460 Reputation points Microsoft Vendor

2025-01-08T17:36:48.18+00:00

@mark terry

Thank you for confirming the previous suggestions. You are correct in noting that the restrictions we configured apply only to the "new" eDiscovery Content Search section in the Microsoft Purview portal and not to the "Classic eDiscovery" section. Here’s a summary of the key differences and recommendations:

Key Differences Between the Two Experiences:

Modern eDiscovery (Standard and Premium in Purview) - Restrictions configured (e.g., custom role groups with "Compliance Search" and "Preview" roles) are enforced here. Users can only see searches they create, adhering to the principle of least privilege.

Classic eDiscovery - The permissions model is broader, often granting visibility to all Content Searches to users with roles like "Compliance Search" or members of broader role groups. Does not strictly limit visibility to owned searches, even with restrictions set in the modern interface.

Why This Happens:

User Experience Settings in eDiscovery (preview) allow toggling between Classic and Modern experiences in Purview. Enabling Classic eDiscovery overrides certain restrictions, exposing all Content Searches to users with sufficient roles in the classic interface.

Recommendations - To ensure restrictions are respected, please follow the below steps that might help you in resolving the issue:

Disable Classic eDiscovery - Navigate to eDiscovery (preview) in the Microsoft Purview portal. Go to User Experience Settings and disable Classic eDiscovery. This forces all users to use the modern eDiscovery interface where your restrictions apply.

Verify Role Assignments - Check if Cyber IT Team members have roles (e.g., "eDiscovery Manager" or "Case Management") granting broader visibility in Classic eDiscovery. Remove such roles and ensure they are only part of the custom role group you created.

Test the Configuration - After disabling Classic eDiscovery, have a Cyber IT Team member log in to verify they only see Content Searches they own in the modern eDiscovery interface.

Disabling Classic eDiscovery will align the experience with the configured permissions and restrictions, ensuring the Cyber IT Team sees only the searches they own. I hope this information helps. Please do let us know if you have any further queries.

Thank you.

Chandra Boorla 6,460 Reputation points Microsoft Vendor

2025-01-09T16:58:16.06+00:00

@mark terry

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

mark terry 85 Reputation points

2025-01-09T21:51:52.31+00:00

Hi Chandra,

If we force users into using the new eDiscovery Content Search, will the New-ComplianceSearchAction cmdlet still be available to the Exchange team to act on searches done using the new eDiscovery Content Search method?

According to https://zcusa.951200.xyz/en-us/purview/ediscovery-search-for-and-delete-email-messages, this may not be the case (see related excerpt from that article below):

Email items in a review set in an eDiscovery (Premium) case can't be deleted by using the procedures in this article. That's because items in a review set are stored in an Azure Storage location, and not in the live service. This means they won't be returned by the content search that you create in Step 1. To delete items in a review set, you have to delete the eDiscovery (Premium) case that contains the review set. For more information, see Close or delete an eDiscovery (Premium) case.

If this is true, we foresee issues with this model. For example, we would see scenarios where our Cyber IT team may need to create multiple review sets within a case (in order to narrow down exactly what data they want to delete). According to Manage review sets in eDiscovery (Premium) | Microsoft Learn,

You can't delete items from a review set and you can't delete review sets from a case. To delete a review set (and delete the data in it), you have to delete the eDiscovery (Premium) case the review set is located in. For more information, see Close or delete an eDiscovery (Premium) case.

If this is the case, won’t this be problematic? For example, there could be a scenario where we have multiple review sets which may contain data we do not want to delete, but it appears that in order to delete any data in a review set, you have to delete the entire case. Unless I am missing something here, this sounds potentially dangerous i.e. we could end up deleting data we do not necessarily want to delete.

Any further thoughts on this would be greatly appreciated!

Chandra Boorla 6,460 Reputation points Microsoft Vendor

2025-01-10T13:58:11.99+00:00

@mark terry

Thank you for raising your concerns about the limitations associated with eDiscovery (Premium) review sets and the New-ComplianceSearchAction cmdlet.

The New-ComplianceSearchAction cmdlet is indeed available for use in conjunction with the new eDiscovery Content Search. However, it is important to note that email items in a review set within an eDiscovery (Premium) case cannot be deleted using the procedures outlined for the New-ComplianceSearchAction cmdlet. This limitation arises because items in a review set are stored in an Azure Storage location and are not part of the live service, meaning they won't be returned by the content search.

As you pointed out, this could lead to complications if your Cyber IT team needs to create multiple review sets within a case. Since you cannot delete items from a review set individually, the only way to delete data in a review set is to delete the entire eDiscovery (Premium) case that contains it. This could indeed pose a risk of unintentionally deleting data that you may want to retain, especially if there are multiple review sets involved.

We understand these limitations could be problematic in certain scenarios, especially when dealing with multiple review sets. If this workflow does not meet your needs, we recommend sharing feedback with Microsoft to help improve eDiscovery capabilities.

Appreciate if you could share the feedback on our feedback channel. Which would be open for the user community to upvote & comment on. This allows our product teams to effectively prioritize your request against our existing feature backlog and gives insight into the potential impact of implementing the suggested feature.

I hope this information helps.

Thank you.

mark terry 85 Reputation points

2025-01-10T18:00:38.1433333+00:00

Thanks again Chandra. It does seem like a bit of a gap in how we are supposed to delete data using the new eDiscovery feature set (especially when dealing with data spillage scenarios). I will be following up with our Microsoft account team to express our concerns. Thank you for your feedback and confirming that my concerns are valid.

Regards.

Chandra Boorla 6,460 Reputation points Microsoft Vendor

2025-01-10T18:31:08.0933333+00:00

Following up to see if the above suggestion was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

mark terry 85 Reputation points

2025-01-14T00:58:42.75+00:00

Hi Chandra. Although your response did not answer my question, you did confirm the concerns which I have with the new eDiscovery features in Purview. As previously mentioned, I will be following up with our Microsoft representatives. Regards.

mark terry 85 Reputation points

2025-01-14T01:15:21.2+00:00

I went ahead and accepted your answer as you were very helpful. Thanks again.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Delegate Exchange Content Search ability to specific users

0 additional answers

Your answer