Create an Office 365 Security and Compliance Center eDiscovery case, hold, and content search. Warning: uses basic authentication which will be deprecated in Oct 2020.
# Fail fast on uninitialised variables and references to missing properties.
Set-StrictMode -Version Latest

# ---- eDiscovery case settings ----
# Case name; every derived object name below is prefixed with it.
$caseName = 'Smith v. Johnson'
# Mailboxes (user principal names) that are placed on hold and searched.
$UPN = @('user1@contoso.onmicrosoft.com', 'user2@contoso.onmicrosoft.com')
# The case description simply repeats the case name.
$description = $caseName
$policyName = '{0} - Hold Policy' -f $caseName
$ruleName = '{0} - Hold Rule' -f $caseName
$searchName = '{0} - Search Name' -f $caseName
# Display name of the mailbox folder whose subtree the content search targets.
$rootFolderNameQuery = 'Legal Hold'
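function GetFolderQueries {
    <#
    .SYNOPSIS
    Builds "folderid:" content-search clauses for a named mailbox folder and its subfolders.

    .DESCRIPTION
    For each mailbox in -UPN, finds every folder whose Name equals
    -rootFolderNameQuery and emits one object per folder in that subtree
    (the folder itself plus its descendants). Requires a session that
    provides Get-MailboxFolderStatistics.

    Scope is deliberately strict so the search cannot collect more than intended:
      * a mailbox without the root folder is skipped with a warning instead of
        falling back to a pattern that matches every folder;
      * only the root path itself or paths below "<root>/" are accepted, so a
        sibling such as "/Legal Hold Old" is not pulled in by a prefix match.

    .PARAMETER rootFolderNameQuery
    Display name of the root folder to look for in each mailbox.

    .PARAMETER UPN
    One or more mailbox identities passed to Get-MailboxFolderStatistics.

    .OUTPUTS
    Objects with the properties UPN, FolderPath and FolderQuery.
    #>
    param (
        [string]
        $rootFolderNameQuery,
        [string[]]
        $UPN
    )

    $folderQueries = New-Object 'System.Collections.Generic.List[object]'

    foreach ($user in $UPN) {
        # One remote call per mailbox; the result is reused for both the root
        # lookup and the subtree filter.
        $allFolderStats = @(Get-MailboxFolderStatistics -Identity $user)

        $rootPaths = @(
            $allFolderStats |
                Where-Object { $_.Name -eq $rootFolderNameQuery } |
                ForEach-Object { $_.FolderPath }
        )

        if ($rootPaths.Count -eq 0) {
            # Without this guard a missing root would (outside strict mode) turn
            # the path filter into "*" and select the entire mailbox.
            Write-Warning "Folder '$rootFolderNameQuery' was not found in mailbox '$user'; no folder queries generated for it."
            continue
        }

        foreach ($folderStatistic in $allFolderStats) {
            $folderPath = $folderStatistic.FolderPath

            # Accept the root itself or a true descendant. Literal comparison
            # (not -like) so wildcard characters in a folder name are not
            # interpreted; case-insensitive like the original -like match.
            # Assumes FolderPath uses '/' between levels, as Get-MailboxFolderStatistics reports it.
            $inScope = $false
            foreach ($rootPath in $rootPaths) {
                if ($folderPath -eq $rootPath -or
                    $folderPath.StartsWith("$rootPath/", [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inScope = $true
                    break
                }
            }
            if (-not $inScope) {
                continue
            }

            # FolderId conversion follows the sample script:
            # https://docs.microsoft.com/en-us/microsoft-365/compliance/use-content-search-for-targeted-collections?view=o365-worldwide#step-1-run-the-script-to-get-a-list-of-folders-for-a-mailbox-or-site
            # The search index id is bytes 23..46 of the decoded FolderId,
            # written as 48 upper-case hex characters.
            $folderIdBytes = [Convert]::FromBase64String($folderStatistic.FolderId)
            if ($folderIdBytes.Length -lt 47) {
                # A short id would otherwise yield a query padded with NUL characters.
                Write-Warning "FolderId for '$folderPath' in mailbox '$user' is shorter than expected; folder skipped."
                continue
            }
            $indexId = [System.BitConverter]::ToString($folderIdBytes, 23, 24).Replace('-', '')

            $folderQueries.Add([PSCustomObject]@{
                    UPN         = $user
                    FolderPath  = $folderPath
                    FolderQuery = "folderid:$indexId"
                })
        }
    }

    return $folderQueries.ToArray()
}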
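# ---- Connect to Exchange Online (EXO) and Security & Compliance Center (SCC) ----
# SECURITY NOTE: both sessions use -Authentication Basic, i.e. the account's
# reusable password is presented to the remote endpoint and MFA/conditional
# access prompts are not part of the sign-in. The gist description already
# warns that basic authentication is being deprecated. Where available, prefer
# the modern-auth cmdlets of the ExchangeOnlineManagement module
# (Connect-ExchangeOnline / Connect-IPPSSession) and a least-privileged
# eDiscovery account.
# NOTE(review): the sessions are never closed here; run
# Remove-PSSession $Session, $SccSession when finished.
$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber

$SccSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $SccSession -AllowClobber -DisableNameChecking

# ---- Create the eDiscovery case and place the mailboxes on hold ----
New-ComplianceCase -Name $caseName -Description $description
New-CaseHoldPolicy -Name $policyName -Case $caseName -ExchangeLocation $UPN -Enabled $true
New-CaseHoldRule -Name $ruleName -Policy $policyName -Disabled $false

# ---- Create the targeted content search ----
$folderQueries = GetFolderQueries -rootFolderNameQuery $rootFolderNameQuery -UPN $UPN

# Stop if no folder was resolved: a search created without a folder restriction
# would cover all content in the held mailboxes rather than the targeted folders.
if ($null -eq $folderQueries) {
    throw "No '$rootFolderNameQuery' folders were found in the listed mailboxes; compliance search '$searchName' was not created."
}

# Combine the per-folder clauses explicitly so the query is a single string
# meaning "any of these folders", instead of relying on how an array is bound
# to -ContentMatchQuery.
$contentMatchQuery = @($folderQueries | ForEach-Object { $_.FolderQuery }) -join ' OR '
New-ComplianceSearch -Name $searchName -Case $caseName -HoldNames "All" -ContentMatchQuery $contentMatchQuery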