How-To : Purview Content Search

If you need to search a user's mailbox for certain e-mails that go back further than 3 months (90 days), you cannot use Explorer or Message Trace, as these are limited to a 3-month window; the actual mailbox is not.

First we need to visit the Purview website on this link : Microsoft Purview

When loaded it will look like this; you need to ignore the banner with the rolling adverts at the top, which you cannot close:




Then from the side menu you need eDiscovery > Content Search



Next we need to create a new search using the Create a Case option as below:



You then need to give the case a name and a description as below:



That will then land you here, where you need to define the "source" and the "requirements", which are defined as:

Source : The users you wish to perform the content search on
Requirements : The requirements for what will be in that search



First let's do the requirements. We need to add a condition, and you have some options you can select as you can see below; alternatively, if you have a KeyQL query then you can use the KeyQL option at the top:


Let's start with some simple requirements without a query. As an example, here we are looking for emails only sent within a certain working week with a certain subject to 2 x unique email addresses as you can see below:


If you wish to view that in KeyQL that would be the following:

Date BETWEEN 2025-03-31 AND 2025-04-04
AND (
   Recipients CONTAINS "suspicious.user1@pokebearswithstickers.com"
   OR Recipients CONTAINS "suspicious.user2@pokebearswithstickers.com"
)
AND Type CONTAINS "E-mail messages"
AND Subject/Title EQUALS "Stocks and Shares"

When you use that KeyQL in the query it will confirm there are no errors which means it has parsed correctly:


When the query is submitted you will receive a summary of what has been found as an "audit report" as you can see below:


We now need to export the data using the export option below:


Then, on the Export options that appear when clicked, you need to give the export a name and ensure you only choose "Indexed items that match your search query"


Then under the email export options choose what is required for your export; here we need the HTML transcript and attachment links in messages:


Then under the export options choose again the required options for your export. Here we need a PST file, we need to export the items and the report (not just the report), and we need the data in separate folders/PST files as it's easier to read, as you can see below:


When you are happy with the options selected, click the blue export button as below:


This will then send that export request to the process manager which you can access by using the process manager button as below:



The process manager will show you all the tasks linked to your case as below:



If you wish to download the data click on the Export process once complete (the top one) and this will reveal the file information and give you the option to download:


When you have got the downloaded files the content search is complete and you can analyse the file offline in Outlook or your choice of investigative tool.