Admins are often charged with finding out who knew what when in the most efficient and effective way possible to respond to requests concerning ongoing or potential litigation, internal investigations, and other scenarios. These requests are often urgent, involve multiple stakeholder teams, and have significant impact if not completed in a timely manner. Knowing how to find the right information is critical for admins to complete searches successfully and help their organizations to manage the risk and cost associated with eDiscovery requirements.
Tip
Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.
When an eDiscovery request is submitted, often there's only partial information available for the admin to start collecting content that might be related to a particular investigation. The request might include user names, project titles, rough date ranges when the project was active, and not much more. From this information, the admin needs to create queries to find relevant content across Microsoft 365 services to determine the information needed for a particular project or subject. Understanding how information is stored and managed for these services helps admins find what they need quickly and effectively.
Email, chat, meeting, and Microsoft 365 Copilot and Microsoft 365 Copilot Chat activity data (user prompts and Copilot responses) are all stored in Exchange Online. Many communication properties are available for searching items included in Exchange Online. Some properties such as From, Sent, Subject, and To are unique to certain items and aren't relevant when searching for files or documents in SharePoint and OneDrive. Including these types of properties when searching across workloads can sometimes lead to unexpected results.
For example, to find content related to specific users (User 1 and User 2), associated with a project called Tradewinds, and during January 2020 through January 2022, you might use a query with the following properties:
- Add User 1 and User 2's Exchange Online locations as data sources to the case
- Select User 1 and User 2's Exchange Online locations as data sources.
- For Keyword, use Tradewinds
- For Date Range, use the January 1, 2020 to January 31, 2022 range
Important
For emails, when a keyword is used, we search the subject, the body, and many properties related to the participants. However, due to recipient expansion, search might not return the expected results when using the alias or part of the alias. Therefore, we recommend using the full UPN.
Searchable email properties
The following table lists the email message properties that can be searched by using the eDiscovery search tools in the Microsoft Purview portal.
Important
While email messages might have other properties supported in other Microsoft 365 services, only the email properties listed in this table are supported in eDiscovery search tools. Attempting to include other email message properties in searches isn't supported.
The table includes an example of the property:value syntax for each property and a description of the search results returned by the examples. You can enter these property:value pairs in the keywords box for an eDiscovery search.
Note
When searching email properties, it's not possible to search for message headers. Header information isn't indexed for searches. Additionally, items in which the specified property is empty or blank aren't searchable. For example, using the property:value pair of subject:"" to search for email messages with an empty subject line returns zero results. This also applies when searching site and contact properties.
| Property | Property description | Examples | Search results returned by the examples |
|---|---|---|---|
| AttachmentNames | The names of files attached to an email message. | attachmentnames:annualreport.ppt | Messages that have an attached file named annualreport.ppt. In the second example, using the wildcard character ( * ) returns messages with the word annual in the file name of an attachment.¹ |
| Bcc | The Bcc field of an email message.¹ | bcc:pilarp@contoso.com | All examples return messages with Pilar Pinilla included in the Bcc field. (See Recipient Expansion) |
| Category | The categories to search. Categories can be defined by users by using Outlook or Outlook on the web (formerly known as Outlook Web App). The possible values are: | category:"Red Category" | Messages that have been assigned the red category in the source mailboxes. |
| Cc | The Cc field of an email message.¹ | cc:pilarp@contoso.com | In both examples, messages with Pilar Pinilla specified in the Cc field. (See Recipient Expansion) |
| Folderid | The folder ID (GUID) of a specific mailbox folder in 48-character format. If you use this property, be sure to search the mailbox that the specified folder is located in. Only the specified folder is searched; subfolders in the folder aren't searched. To search subfolders, you need to use the Folderid property for the subfolder you want to search. | folderid:4D6DD7F943C29041A65787E30F02AD1F00000000013A0000 | The first example returns all items in the specified mailbox folder. The second example returns all items in the specified mailbox folder that were sent or received by garthf@contoso.com. |
| From | The sender of an email message.¹ | from:pilarp@contoso.com | Messages sent by the specified user. (See Recipient Expansion) |
| HasAttachment | Indicates whether a message has an attachment. Use the values true or false. | from:pilar@contoso.com AND hasattachment:true | Messages sent by the specified user that have attachments. |
| Importance | The importance of an email message, which a sender can specify when sending a message. By default, messages are sent with normal importance, unless the sender sets the importance as high or low. | importance:high | Messages that are marked as high importance, medium importance, or low importance. |
| IsRead | Indicates whether messages have been read. Use the values true or false. | isread:true | The first example returns messages with the IsRead property set to True. The second example returns messages with the IsRead property set to False. |
| ItemClass | Use this property to search specific third-party data types that your organization imported to Office 365. Use the following syntax for this property: itemclass:ipm.externaldata.<third-party data type>* | itemclass:ipm.externaldata.Facebook* AND subject:contoso | The first example returns Facebook items that contain the word "contoso" in the Subject property. The second example returns Twitter items that were posted by Ann Beebe and that contain the keyword phrase "Northwind Traders". |
| Kind | The type of email message to search for. Possible values: contacts, docs, email, externaldata, faxes, im, journals, meetings, microsoftteams (returns items from chats, meetings, and calls in Microsoft Teams), notes, posts, rssfeeds, tasks, voicemail | kind:email | The first example returns email messages that meet the search criteria. The second example returns email messages, instant messaging conversations (including Skype for Business conversations and chats in Microsoft Teams), and voice mail messages that meet the search criteria. The third example returns items that were imported to Microsoft 365 mailboxes from third-party data sources (such as Twitter, Facebook, and Cisco Jabber) that meet the search criteria. For more information, see Archiving third-party data in Office 365. |
| Participants | All the people fields in an email message. These fields are From, To, Cc, and Bcc.¹ | participants:garthf@contoso.com | Messages sent by or sent to garthf@contoso.com. The second example returns all messages sent by or sent to a user in the contoso.com domain. (See Recipient Expansion) |
| Received | The date that an email message was received by a recipient. | received:2021-04-15 | Messages that were received on April 15, 2021. The second example returns all messages received between January 1, 2021 and March 31, 2021. |
| Recipients | All recipient fields in an email message. These fields are To, Cc, and Bcc.¹ | recipients:garthf@contoso.com | Messages sent to garthf@contoso.com. The second example returns messages sent to any recipient in the contoso.com domain. (See Recipient Expansion) |
| Sent | The date that an email message was sent by the sender. | sent:2021-07-01 | Messages that were sent on the specified date or within the specified date range. |
| Size | The size of an email message, in bytes. | size>26214400 | Messages larger than 25 MB. The second example returns messages with a size between 1 and 1,048,567 bytes (1 MB). |
| Subject | The text in the subject line of an email message. Note: When you use the Subject property in a query, the search returns all messages in which the subject line contains the text you're searching for. In other words, the query doesn't return only those messages that have an exact match. For example, if you search for | subject:"Quarterly Financials" | Messages that contain the phrase "Quarterly Financials" anywhere in the text of the subject line. The second example returns all messages that contain the word "northwind" in the subject line. |
| To | The To field of an email message.¹ | to:annb@contoso.com | All examples return messages with Ann Beebe specified in the To: line. |
Note
¹ For the value of a recipient property, you can use an email address (also called a user principal name or UPN), a display name, or an alias to specify a user. For example, you can use annb@contoso.com, annb, or "Ann Beebe" to specify the user Ann Beebe.
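The following Python is an added example, not code from the Microsoft documentation. It puts the rules from the property table and the notes around it into a pre-flight check that an admin can run on a keyword query before submitting it: only the listed properties are accepted, an empty value such as subject:"" is flagged because it returns zero results, HasAttachment and IsRead must be true or false, Received and Sent must be dates or date ranges, Size must be a byte count, Folderid must be 48 characters, and a recipient value without an @ sign is flagged as an alias or display name for which the full UPN is recommended. It also composes the Tradewinds-style query from the earlier scenario. The property names and value rules come from the table; the checker, its messages, and the sample queries are this example's own.

```python
import re

# Email properties the table lists as searchable with the eDiscovery tools.
SUPPORTED = {
    "attachmentnames", "bcc", "category", "cc", "folderid", "from",
    "hasattachment", "importance", "isread", "itemclass", "kind",
    "participants", "received", "recipients", "sent", "size", "subject", "to",
}
BOOLEAN = {"hasattachment", "isread"}
DATES = {"received", "sent"}
RECIPIENTS = {"from", "to", "cc", "bcc", "participants", "recipients"}
IMPORTANCE = {"high", "normal", "low"}
KINDS = {"contacts", "docs", "email", "externaldata", "faxes", "im", "journals",
         "meetings", "microsoftteams", "notes", "posts", "rssfeeds", "tasks", "voicemail"}

# One term: a property name, an operator (':' or a comparison), then a quoted or bare value.
TERM = re.compile(r'\b([A-Za-z]+)(:|>=|<=|>|<|=)("[^"]*"|[^\s()]+)')
DATE_OR_RANGE = re.compile(r"^\d{4}-\d{2}-\d{2}(\.\.\d{4}-\d{2}-\d{2})?$")
NUMBER_OR_RANGE = re.compile(r"^\d+(\.\.\d+)?$")
FOLDER_ID = re.compile(r"^[0-9A-Fa-f]{48}$")


def check_query(query):
    """Return a list of findings for the property terms in a query; an empty list means it passed."""
    findings = []
    for prop, _op, raw in TERM.findall(query):
        name, value = prop.lower(), raw.strip('"')
        if name not in SUPPORTED:
            findings.append(f"{prop}: not a searchable email property in eDiscovery")
        elif value == "":
            findings.append(f"{prop}: an empty value returns zero results (blank properties are not indexed)")
        elif name in BOOLEAN and value.lower() not in ("true", "false"):
            findings.append(f"{prop}: expected true or false, got {value!r}")
        elif name in DATES and not DATE_OR_RANGE.match(value):
            findings.append(f"{prop}: expected YYYY-MM-DD or a YYYY-MM-DD..YYYY-MM-DD range")
        elif name == "size" and not NUMBER_OR_RANGE.match(value):
            findings.append(f"{prop}: expected a byte count or a byte range")
        elif name == "importance" and value.lower() not in IMPORTANCE:
            findings.append(f"{prop}: expected one of {sorted(IMPORTANCE)}")
        elif name == "kind" and value.lower() not in KINDS:
            findings.append(f"{prop}: {value!r} is not a known kind value")
        elif name == "folderid" and not FOLDER_ID.match(value):
            findings.append(f"{prop}: expected a 48-character folder ID")
        elif name in RECIPIENTS and "@" not in value and not value.endswith("*"):
            findings.append(f"{prop}: {value!r} is an alias or display name; the full UPN is recommended")
    return findings


def build_query(keyword, upns, start, end):
    """Compose the Tradewinds-style search: a keyword, the people involved, and a received-date range."""
    for upn in upns:
        if "@" not in upn:
            raise ValueError(f"{upn!r}: use the full UPN rather than an alias")
    people = " OR ".join(f"participants:{upn}" for upn in upns)
    return f"{keyword} AND ({people}) AND received:{start}..{end}"


if __name__ == "__main__":
    # user1/user2 and the dates are the constructed values from the Tradewinds scenario.
    q = build_query("Tradewinds", ["user1@contoso.com", "user2@contoso.com"], "2020-01-01", "2022-01-31")
    print(q)
    print("findings:", check_query(q))
    print("findings:", check_query('subject:"" AND hasattachment:yes AND body:budget'))
```

The checker only inspects property terms, so free-text keywords such as Tradewinds pass through untouched; it is a guard against the mistakes the notes call out (unsupported properties, blank values, aliases), not a full parser for the query language.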
Searchable sensitive data types
You can use the eDiscovery search tools in the Microsoft Purview portal to search for sensitive data, such as credit card numbers or social security numbers, that is stored in documents in mailboxes. To do this, use the SensitiveType property and the name (or ID) of a sensitive information type in a keyword query. For example, the query SensitiveType:"Credit Card Number" returns documents that contain a credit card number. The query SensitiveType:"U.S. Social Security Number (SSN)" returns documents that contain a U.S. social security number.
To see a list of the sensitive information types that you can search for, go to Data classification > Sensitive info types in the Microsoft Purview portal. Or you can use the Get-DlpSensitiveInformationType cmdlet in Security & Compliance PowerShell to display a list of sensitive information types.
Recipient expansion
Mailboxes are flexible stores, and certain aspects of recipient information (particularly the sender) are controlled by the client connected to the mailbox. The client can choose the SMTP, Name, or LegacyDN property as the sender address. To compensate for variations in client behavior and in how data is stored, recipient expansion in eDiscovery search is a useful feature.
Typically, Sent Items created by some clients store only the sender's name (such as John Doe) and don't include the SMTP address (such as johndoe@contoso.com). Additionally, federated items from legacy systems might store only the LegacyExchangeDN, a unique identifier used in older versions of Exchange to represent a mailbox or distribution list. Federated systems refer to messages or data integrated from different systems or organizations, often involving legacy systems that use older formats or identifiers.
The recipient expansion feature addresses the problem of searches not being broad enough by expanding the search to capture content stored with these variations. The query expands any value specified in a participant filter by looking it up in Microsoft Entra ID. This expansion includes the user's email address, UPN, alias, display name, and LegacyExchangeDN. It ensures that the search casts a wider net, capturing all relevant content regardless of how participant information is stored, and improves the accuracy and comprehensiveness of eDiscovery searches.
When you search any of the recipient properties (From, To, Cc, Bcc, Participants, and Recipients), Microsoft 365 attempts to expand the identity of each user by looking them up in Microsoft Entra ID. If the user is found in Microsoft Entra ID, the query is expanded to include the user's email address (or UPN), alias, display name, and LegacyExchangeDN. For example, a query such as participants:ronnie@contoso.com expands to participants:ronnie@contoso.com OR participants:ronnie OR participants:"Ronald Nelson" OR participants:"<LegacyExchangeDN>".
To prevent recipient expansion, add a wildcard character (asterisk) to the end of the email address and use a reduced domain name; for example, participants:"ronnie@contoso*". Be sure to surround the email address with double quotation marks.
Preventing recipient expansion in a search query might result in relevant items not being returned in the search results. Email messages in Exchange can be saved with different text formats in the recipient fields. Recipient expansion is intended to help mitigate this by returning messages that might contain those different text formats. So preventing recipient expansion might result in the search query not returning all items that might be relevant to your investigation.
Recipient expansion isn't designed to support scenarios that involve user name and alias changes. If a user's SMTP/UPN has changed, Microsoft Entra ID might not be able to find the user, resulting in incomplete search results. Additionally, the LegacyExchangeDN, which rarely changes, might not be present in the substrate of all email items. Recipient expansion only handles cases where the client used the LegacyExchangeDN instead of the SMTP address. If the SMTP address has changed but the LegacyExchangeDN hasn't, recipient expansion doesn't help, and all variations of those addresses need to be found and used manually. This can lead users to mistakenly believe that recipient expansion captures all variations, including name and SMTP changes.
In some cases, recipient expansion might also cause other items to be hit when you use an organization-wide search. For example, one user's display name might form part of another user's display name: one user's display name might be John Doe, and another user's display name might be John Doe Jr. An organization-wide search might return result hits from both mailboxes. In this case, consider suppressing recipient expansion by adding a period to the end of the SMTP address.
Note
If you need to review or reduce the items returned by a search query because of recipient expansion, consider using the advanced eDiscovery features. You can search for messages (taking advantage of recipient expansion), add them to a review set, and then use review set queries or filters to review or narrow the results.
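To make the behavior described in this section concrete, the following Python models it on constructed data. It is an added example, not Microsoft's implementation and not code from this documentation: the directory standing in for the Microsoft Entra ID lookup, the mailbox items, the user names, and the token-based matching rule are all constructed for illustration. It shows a participants value expanding to UPN, alias, display name, and LegacyExchangeDN; the items that a wildcard-suppressed query misses (those whose sender is stored as a name only or as a LegacyExchangeDN); the over-match when one display name is part of another (John Doe and John Doe Jr.); and the item that expansion cannot reach because it was stored under a previous SMTP address.

```python
import re

# Constructed directory standing in for the Microsoft Entra ID lookup (hypothetical users).
DIRECTORY = [
    {"upn": "ronnie@contoso.com", "alias": "ronnie", "display": "Ronald Nelson",
     "legacy_dn": "/o=Contoso/ou=Exchange Administrative Group/cn=Recipients/cn=ronnie"},
    {"upn": "johnd@contoso.com", "alias": "johnd", "display": "John Doe",
     "legacy_dn": "/o=Contoso/ou=Exchange Administrative Group/cn=Recipients/cn=johnd"},
    {"upn": "johndjr@contoso.com", "alias": "johndjr", "display": "John Doe Jr.",
     "legacy_dn": "/o=Contoso/ou=Exchange Administrative Group/cn=Recipients/cn=johndjr"},
]

# Constructed mailbox items; each stores the sender in one of the formats the text says clients use.
ITEMS = [
    {"id": 1, "from": "ronnie@contoso.com"},                      # SMTP address
    {"id": 2, "from": "Ronald Nelson"},                           # display name only
    {"id": 3, "from": "/o=Contoso/ou=Exchange Administrative Group/cn=Recipients/cn=ronnie"},  # LegacyExchangeDN
    {"id": 4, "from": "John Doe"},
    {"id": 5, "from": "John Doe Jr."},                            # another user whose name contains "John Doe"
    {"id": 6, "from": "rnelson@contoso.com"},                     # Ronald's SMTP address before a rename
]


def expand(value):
    """Expand a recipient value the way the text describes.

    A value ending in '*' is a wildcard and is not expanded. Otherwise the value is
    looked up by UPN, alias, or display name and expanded to all four identities;
    a value not found in the directory is searched literally.
    """
    if value.endswith("*"):
        return [value]
    for user in DIRECTORY:
        if value.lower() in (user["upn"].lower(), user["alias"].lower(), user["display"].lower()):
            return [user["upn"], user["alias"], user["display"], user["legacy_dn"]]
    return [value]


def expanded_query(prop, value):
    """Render the expanded query as the text shows it, quoting values with spaces or slashes."""
    return " OR ".join(
        f'{prop}:"{v}"' if (" " in v or "/" in v) else f"{prop}:{v}" for v in expand(value)
    )


def _tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def _matches(stored, identity):
    """Phrase match on word tokens (so 'John Doe' is found inside 'John Doe Jr.'); wildcards match by prefix."""
    if identity.endswith("*"):
        return stored.lower().startswith(identity[:-1].lower())
    needle, hay = _tokens(identity), _tokens(stored)
    return any(hay[i:i + len(needle)] == needle for i in range(len(hay) - len(needle) + 1))


def search(value):
    """Return the ids of items whose stored sender matches any identity the value expands to."""
    identities = expand(value)
    return sorted(item["id"] for item in ITEMS if any(_matches(item["from"], i) for i in identities))


if __name__ == "__main__":
    print(expanded_query("participants", "ronnie@contoso.com"))
    print("expanded:  ", search("ronnie@contoso.com"))   # SMTP, name-only and LegacyDN items; not the old address
    print("suppressed:", search("ronnie@contoso*"))      # only the item that stores the SMTP address
    print("over-match:", search("johnd@contoso.com"))    # John Doe and John Doe Jr.
    print("old SMTP:  ", search("rnelson@contoso.com"))  # reachable only by searching the old address itself
```

The last call is the manual step the text describes for renamed users: because the old address is no longer in the directory, nothing expands to it, so an investigation has to search each known variation explicitly.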
Content stored in Exchange Online mailboxes for eDiscovery
A mailbox in Exchange Online is primarily used to store email-related items such as messages, calendar items, tasks, and notes. But that's changing as more cloud-based apps also store their data in a user's mailbox. One advantage of storing data in a mailbox is that you can use the search tools in eDiscovery to find, view, and export data from these cloud-based apps.
Data from some of these apps is stored in hidden folders in the non-interpersonal message (non-IPM) subtree of the mailbox. Data from other cloud-based apps might not be stored in the mailbox, but it is associated with the mailbox and is returned in a search (if the data matches the search query). Regardless of whether cloud-based data is stored in or associated with a user's mailbox, the data is typically not visible in an email client when a user opens their mailbox.
The following table lists the apps that store data in, or associate data with, a cloud-based mailbox. The table also describes the type of content that each app produces.
| Microsoft 365 app | Description |
|---|---|
| Forms* | Forms and responses to a form are stored in files that are attached to email messages and stored in a hidden folder in the mailbox of the user who created the form. Forms created before April 2020 are stored as a PDF file. Forms created after 2020 are stored as a JSON file. Responses to a form are stored in a CSV file. When you export content from Forms in a PST file, this data is located in the ApplicationDataRoot folder in a subfolder named with the following globally unique identifier (GUID): c9a559d2-7aab-4f13-a6ed-e7e9c52aec87. |
| Microsoft 365 Groups | Email messages, calendar items, contacts (People), notes, and tasks are stored in the mailbox that's associated with a Microsoft 365 group. |
| Microsoft 365 Copilot and Microsoft 365 Copilot Chat | All Copilot activity data (user prompts and Copilot responses) generated in supported Microsoft 365 apps and services is stored in custodian mailboxes. |
| Outlook/Exchange Online | Email messages, calendar items, contacts (People), notes, and tasks are stored in a user's mailbox. |
| People | Contacts in the People app (which are the same contacts as the ones accessible in Outlook) are stored in a user's mailbox. |
| Class Schedule | Plans created in Class Schedule are stored in the mailbox of the corresponding Microsoft 365 Group that is provisioned when a new plan is created. The alias for the group mailbox is the name of the plan. |
| Skype for Business | Conversations in Skype for Business are stored in the Conversation History folder in a user's mailbox. If the mailbox of a participant in a Skype meeting is placed on Litigation Hold or assigned to a retention policy, files attached to the meeting are retained in the participant's mailbox. |
| Sway* | Sways are stored as an HTML file that is attached to an email message and stored in a hidden folder in the mailbox of the user who created the sway. When you export content from Sway in a PST file, this data is located in the ApplicationDataRoot folder in a subfolder named with the following GUID: 905fcf26-4eb7-48a0-9ff0-8dcc7194b5ba. |
| Tasks | Tasks in the Tasks app (which are the same tasks as the ones accessible in Outlook) are stored in a user's mailbox. |
| Teams | Conversations that are part of a Teams channel are associated with the Teams mailbox. Conversations that are part of the Chat list in Teams (also called 1 x N chats) are associated with the mailboxes of the users who participate in the chat. Also, summary information for meetings and calls in a Teams channel is associated with the mailboxes of users who dialed into the meeting or call. So when searching for Teams content, search the Teams mailbox for content in channel conversations and search user mailboxes for content in 1 x N chats. |
| To-Do | Tasks (called to-dos, which are saved in to-do lists) in the To-Do app are stored in a user's mailbox. |
| Viva Engage | Conversations and comments within a Viva Engage community are associated with the Microsoft 365 group mailbox, as well as the user mailbox of the author and any named recipients (@-mentioned or Cc'ed users). Private messages sent outside of a Viva Engage community are stored in the mailboxes of the users who participate in the private message. |
Note
* At this time, if a hold is placed on a mailbox using holds in eDiscovery cases, content from this app isn't preserved by the hold.