Graph API - Security eDiscovery API Export Questions

Question

We have an application that uses the Security eDiscovery Graph API URLs to create exports based on a Case/Review Set that already exists within the Microsoft Compliance solution. The solution is correctly exporting to the Storage Account container we select, but we do not have a way to determine which folder in the container the export was sent to. See below for example flow/output.

Create Export call (https://learn.microsoft.com/en-us/graph/api/security-ediscoveryreviewset-export?view=graph-rest-beta&tabs=http):

https://graph.microsoft.com/beta/security/cases/ediscoveryCases/{CASE_ID}/reviewSets/{REVIEW_SET}/export

Payload sent:

{
    "outputName": "HIDDEN",
    "description": "",
    "exportOptions": "originalFiles",
    "exportStructure": "directory",
    "azureBlobContainer": "HIDDEN",
    "azureBlobToken": "HIDDEN"
}

First Response from URL in Location Header:

https://graph.microsoft.com/beta/security/cases/ediscoverycases(CASE_ID)/operations(OPERATION_ID)

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases(CASE_ID)/operations/$entity",
    "@odata.type": "#microsoft.graph.security.ediscoveryExportOperation",
    "createdDateTime": "2023-02-16T15:16:12.2704755Z",
    "completedDateTime": "0001-01-01T00:00:00Z",
    "percentProgress": 0,
    "status": "running",
    "action": "contentExport",
    "id": "86b2309224dd42ccb79271245ea542b6",
    "outputName": "HIDDEN",
    "description": "",
    "outputFolderId": null,
    "azureBlobContainer": null,
    "azureBlobToken": null,
    "exportOptions": null,
    "exportStructure": "none",
    "createdBy": {
        "application": null,
        "user": {
            "id": null,
            "displayName": null,
            "userPrincipalName": "HIDDEN"
        }
    }
}

Response when progress hits 100%

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases(CASE_ID)/operations/$entity",
    "@odata.type": "#microsoft.graph.security.ediscoveryExportOperation",
    "createdDateTime": "2023-02-16T15:16:12.2704755Z",
    "completedDateTime": "2023-02-16T15:28:16.438Z",
    "percentProgress": 100,
    "status": "succeeded",
    "action": "contentExport",
    "id": "86b2309224dd42ccb79271245ea542b6",
    "outputName": "HIDDEN",
    "description": "",
    "outputFolderId": null,
    "azureBlobContainer": null,
    "azureBlobToken": null,
    "exportOptions": null,
    "exportStructure": "none",
    "createdBy": {
        "application": null,
        "user": {
            "id": null,
            "displayName": null,
            "userPrincipalName": "HIDDEN"
        }
    }
}

Notice that several fields from the Operations call (https://learn.microsoft.com/en-us/graph/api/resources/security-ediscoveryexportoperation?view=graph-rest-beta) are set to null including exportOptions, azureBlobContainer, azureBlobToken, and exportOptions. Then exportStructure is set incorrectly to none.

The exported folder looks like below in the Azure Storage account. That GUID is not surfaced anywhere in the API calls we are getting and makes it very difficult to download the exported files programatically. Is this possible currently?

Answer 1

The challenge you're facing is that you're not able to determine the specific folder in the Azure Storage container where the export is being sent. The API responses you provided show that the relevant fields, such as outputFolderId, azureBlobContainer, and azureBlobToken, are set to null, and the exportStructure is incorrectly set to "none".