Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Create an Office 365 Security and Compliance Center eDiscovery case, hold, and content search. Warning: uses basic authentication which will be deprecated in Oct 2020.
Set-StrictMode -Version "Latest"
# eDiscovery case creation
$caseName = 'Smith v. Johnson';
$UPN = '', ''
$description = "$caseName"
$policyName = "$caseName - Hold Policy"
$ruleName = "$caseName - Hold Rule"
$searchName = "$caseName - Search Name"
$rootFolderNameQuery = "Legal Hold"
function GetFolderQueries {
param (
$folderQueries = @()
foreach($user in $UPN)
$rootFolderStats = Get-MailboxFolderStatistics -Identity $user | Where-Object name -eq $rootFolderNameQuery
$childFolderStats = Get-MailboxFolderStatistics -Identity $user | Where-Object FolderPath -like "$($rootFolderStats.FolderPath)*"
# sample script to convert folderId:
foreach ($folderStatistic in $childFolderStats)
$folderId = $folderStatistic.FolderId;
$folderPath = $folderStatistic.FolderPath;
$encoding= [System.Text.Encoding]::GetEncoding("us-ascii")
$nibbler= $encoding.GetBytes("0123456789ABCDEF");
$folderIdBytes = [Convert]::FromBase64String($folderId);
$indexIdBytes = New-Object byte[] 48;
$folderIdBytes | Select-Object -skip 23 -First 24 | %{$indexIdBytes[$indexIdIdx++]=$nibbler[$_ -shr 4];$indexIdBytes[$indexIdIdx++]=$nibbler[$_ -band 0xF]}
$folderQuery = "folderid:$($encoding.GetString($indexIdBytes))";
$folderStat = New-Object PSObject
Add-Member -InputObject $folderStat -MemberType NoteProperty -Name UPN -Value $user
Add-Member -InputObject $folderStat -MemberType NoteProperty -Name FolderPath -Value $folderPath
Add-Member -InputObject $folderStat -MemberType NoteProperty -Name FolderQuery -Value $folderQuery
$folderQueries += $folderStat
return $folderQueries
# Connection to EXO and SCC PowerShell Modules
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber
$SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $SccSession -AllowClobber -DisableNameChecking
# Create eDiscovery case, hold, and compliance search
New-ComplianceCase -Name $caseName -Description $description
New-CaseHoldPolicy -Name $policyName -Case $caseName -ExchangeLocation $UPN -Enabled $true
New-CaseHoldRule -Name $ruleName -Policy $policyName -Disabled $false
$folderQueries = GetFolderQueries -rootFolderNameQuery $rootFolderNameQuery -UPN $UPN
New-ComplianceSearch -Name $searchName -Case $caseName -HoldNames "All" -ContentMatchQuery $folderQueries.FolderQuery
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment