Monday, March 6, 2017

Tips for Better Content Searching in O365 Security and Compliance


One of the new features in the O365 Security and Compliance Center is the Search and Investigation section. In this section you can do audit log searches, run eDiscovery cases and set up large content searches. Content searching allows an eDiscovery manager to search Exchange mailboxes, SharePoint Online sites and OneDrive for Business folders. This feature enables large searches and allows the manager to export the results, up to 2TB. Quite impressive. I recently had the chance to use this feature and found a few problems with it. This post will give you some tips on how to use this feature more effectively.

Why Can’t I Use Custom Managed Properties?

Many companies migrating to Office 365 have content types with custom site columns. These site columns get auto-generated managed properties during the search crawl, so you may want to do a content search using one of them from the content search UI. This UI allows users to create, edit, bulk edit and delete searches. When you create or edit a search you are offered the choice to put a whole KQL query or just some keywords in the large text box. You can also combine the keywords with some conditions. The condition builder only allows combining the conditions with AND and is limited to a select group of managed properties. I recommend not trying to combine conditions with a complete KQL query. The biggest problem is that you get an error message if you try to use one of the custom managed properties.

If you click OK to continue, then Office 365 will execute the query, but it strips out the part of the KQL query containing the forbidden managed property. In the case above the search returns everything, but still lists the forbidden KQL in the Query.

Always Use the Refinable Managed Properties

In order to use any custom managed property, make sure to map the corresponding crawled property to a compatible refinable managed property. Don’t bother naming an alias to make your KQL queries more readable, because aliases don’t work either. Using a built-in refinable managed property gets rid of the error message and the query executes correctly.
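As an added example (not from the original post), here is the same workaround in Security & Compliance PowerShell: the query uses the built-in RefinableString00 instead of the auto-generated custom managed property, and a small pre-check refuses to run a query that still names the custom property, because the clause would otherwise be stripped silently and the search would match (and could export) far more than intended. It assumes RefinableString00 has already been mapped to the custom crawled property in the SharePoint Online search schema; the property name ContractTypeOWSTEXT, the crawled property ows_ContractType and the search name are constructed.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and that RefinableString00 was mapped to the crawled property
# ows_ContractType in the SharePoint Online search schema (constructed names).
Connect-IPPSSession   # Security & Compliance PowerShell

# Auto-generated managed property that the content search UI rejects
# and then silently strips from the executed query.
$unsupported = 'ContractTypeOWSTEXT'

# Works: a built-in refinable property plus a built-in property, joined with AND.
$kql = 'RefinableString00:"Master Services Agreement" AND FileExtension:docx'

# Guard: refuse to run anything that still names the custom property, otherwise
# the clause is dropped and the search returns everything in scope.
if ($kql -match "(?i)\b$unsupported\s*:") {
    throw "Query references '$unsupported'; map it to a RefinableStringNN property first."
}

$name = 'MSA-Contracts-Search'   # constructed search name
New-ComplianceSearch -Name $name -SharePointLocation All -ContentMatchQuery $kql
Start-ComplianceSearch -Identity $name

# Poll until the search finishes, then show the hit count before exporting.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $name
} while ($search.Status -ne 'Completed')

"$($search.Items) items matched; sanity-check the count before creating an export."
```

An unexpectedly large item count is the quickest sign that a clause was dropped from the query.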

If you are doing large content searches whose files you want to export, then this is the tool for you. Unfortunately, this tool does not make it easy for companies to leverage their custom metadata to do targeted searching. Hopefully, this can be fixed soon.