This guide is intended to help organizations who wish to replicate their existing classic content search workflows in the new Purview Content Search. For additional information regarding the upcoming Purview eDiscovery and Content Search changes please visit https://aka.ms/eDiscoveryUpdates
“I’m looking to get started with the new Content Search experience in Purview. Where do I get started?”
Welcome to the exciting new world of Content Search! This revamped experience is designed to be more intuitive, making it easier for you to navigate and find what you need. The modern Content Search experience offers additional capabilities like enhanced data sources to make it easier to identify the locations that you want to search, an improved condition builder, and a streamlined export experience. Also, you will now be able to take advantage of Premier features if you have E5 licensing, further elevating your search experience.
Privacy is a key focus in this update, allowing you to restrict access to your content searches and ensure that sensitive information remains secure. Additionally, the ability to configure Role-Based Access Control (RBAC) permissions means you can customize Content Search functionality to suit your needs, granting or limiting access as necessary.
There are two different ways of accessing Content Search. You can access Content Search by selecting the eDiscovery solution card in the Purview portal and then selecting Content Search in the left navigation.
Figure 1: Screenshot of the Microsoft Purview compliance portal showing the navigation pane within the eDiscovery section. The "Content Search" option is highlighted, indicating its selection for searching emails, documents, and other content across Microsoft 365.
This is a shortcut that will take you to the Content Search case in the new unified Purview eDiscovery. You will see all of your existing content searches here.
“What do I need to do first?”
First, let’s talk about permissions and privacy. The first step in using the new content search is to make sure that you have access to the new Content Search. eDiscovery managers and administrators will automatically have access to new content search. However, if you are not a member of either of these built-in role groups or in a custom role group, you may need to have either an eDiscovery manager or an eDiscovery administrator grant you access to the new content search. You will need to take the following steps if you receive this message when attempting to access the new content search:
Figure 2: A screenshot of a web application displaying a 'Permission Error' message in a pop-up window, indicating that the user does not have access to the requested page.
Here are the steps for assigning a custom RBAC group or individual user to the Content Search:
1) NOTE: You will need to have someone with eDiscovery manager or eDiscovery admin permissions to assign these permissions. This is done through the Case settings button under Content Search:
Figure 3: Screenshot showing the 'Content Search' page from the Microsoft Purview compliance portal. It includes options to create a new search, export data, and refresh the current view. A specific search named "CS - Mark & Eliza Gallager Incident" is listed with details such as description, query text, created by, created date, modified by, and modified date.
2) This will take you to the case settings page. You will need to click Permissions. After you select Permissions, you will have the options to add an individual user (Users) or all members of a built-in or custom role group (Role groups).
Figure 4: Screenshot of the 'Case settings' page in a content search application, showing permissions management for users and role groups.
You can see where I have added a custom role group named “Content Search” in this example.
3) Once you have added either the user or the role group, they will then be able to access the new Content Search!
“Thanks! I can now access the new Content Search, but it looks like I now have access to holds. My team should not have the ability to place holds. What can we do?”
Have no fear! The new Content Search will not provide admins the permission to apply holds. This is tightly controlled via the Purview roles assigned to you by an authorized administrator. If the holds tab is present in the new Content Search case, it is because you already have the Hold Purview role assigned to you. You can learn more about the different roles that eDiscovery and Content Search use in this article: Assign permissions in eDiscovery.
You can customize what content search activities a user can perform by using Purview custom role groups. Let’s say that you want to restrict the ability to create and manage holds with Microsoft Purview. We are going to do that by creating a new custom role group named Content Search.
Here are the steps for creating a custom role group.
1) The Microsoft Purview portal supports directly managing permissions for users who perform tasks within Microsoft Purview, including eDiscovery and Content Search. Using the Roles and scopes area in Settings in the Purview portal, you can manage permissions for your users. IMPORTANT: To view Role groups in the Roles and scopes area in the Microsoft Purview portal, users need to be a global administrator or need to be assigned the Role Management role (this role is assigned only to the Organization Management role group). The Role Management role allows users to view, create, and modify role groups.
Figure 5: Screenshot displaying the 'Role groups for Microsoft Purview solutions' page, where various administrative roles and their details are listed, including the role name, type, description, and last modified date.
2) Next, click the +Create role group button to create a new role group in Purview. You can learn more about the different roles that eDiscovery and Content Search use in this article: Assign permissions in eDiscovery. After reviewing the different Content Search-related roles, select the ones applicable to your Content Search users.
Here are the roles that we selected for our Content Search users:
Figure 6: Screenshot showing the 'Edit roles of the role group' page in Microsoft Purview's Content Search. The interface allows users to select roles for a specific group, with options including eDiscovery Manager, Compliance Search, Export, Preview, and RMS Decrypt. The page includes navigation buttons labeled 'Back,' 'Next,' and 'Cancel.'
3) Microsoft always recommends that you use roles with the fewest permissions. When planning your access control strategy, it's a best practice to manage access for the least privilege for your eDiscovery and Content Search users. Least privilege means you grant your administrators exactly the permission they need to do their job.
4) Please refer to this article if you need any other assistance creating custom role groups in Purview: Permissions in the Microsoft Purview portal.
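The same role group can also be created and checked from Security & Compliance PowerShell. The script below is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module, an account that can manage role groups, and that the four roles shown are the ones you selected for your Content Search users.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can manage role groups.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Assumption: roles chosen for search-only users. 'Hold' is deliberately absent.
$groupName = 'Content Search'
$roles     = 'Compliance Search', 'Export', 'Preview', 'RMS Decrypt'
$forbidden = 'Hold'

# Role entries may be returned as plain names or as path-style identities,
# so compare only the last path segment.
function Get-RoleLeafName {
    param([object[]] $Role)
    foreach ($r in $Role) { ("$r" -split '/')[-1].Trim() }
}

# Create the custom role group only if it does not exist yet.
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles $roles `
        -Description 'Content Search users: search, preview, export. No holds.'
}

# Check 1: the group carries nothing beyond the intended roles.
$actual = Get-RoleLeafName -Role (Get-RoleGroup -Identity $groupName).Roles
$extra  = $actual | Where-Object { $_ -notin $roles }
if ($extra) {
    Write-Warning "Unexpected roles on '$groupName': $($extra -join ', ')"
}

# Check 2: permissions are additive across role groups, so a member still sees
# the holds tab if another role group gives them the Hold role. List those cases.
$holdGroups = Get-RoleGroup | Where-Object {
    (Get-RoleLeafName -Role $_.Roles) -contains $forbidden
}
$members = Get-RoleGroupMember -Identity $groupName
foreach ($g in $holdGroups) {
    Get-RoleGroupMember -Identity $g.Name |
        Where-Object { $_.Name -in $members.Name } |
        ForEach-Object {
            [pscustomobject]@{ Member = $_.Name; HoldGrantedBy = $g.Name }
        }
}
```

An empty result from the second check means no member of the Content Search role group picks up the Hold role through another role group.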
“Excellent! I can’t see the holds tab anymore. However, I’m noticing that I have access to E5 features like review sets. We only have E3 licenses. What can we do to disable the Premium features?”
Depending on your tenant configuration, the new Content Search may have eDiscovery (Premium) features enabled (these features include review sets, advanced indexing, cloud attachment support, and many others). The eDiscovery (Premium) features can be disabled via the Content Search case settings. This can be done by clicking on the Case settings button from the new Content Search. Within the Case details page there is a toggle to enable or disable the eDiscovery (Premium) features.
Figure 7: Screenshot displaying the 'Case settings' page for a content search case in Microsoft Purview compliance portal. It includes sections for Case details, Permissions, Data sources, Search & analytics, and Review sets. The Case details section shows information such as the license type (eDiscovery Premium), premium features toggle, case name ('Content Search'), case number, and a description field. The status of the case is marked as active with a creation date and time.
“Thanks! It looks like I have the correct permissions and settings. Where do I get started?”
1) Let’s start with creating a new search. Under the new Content Search, you’re going to click the Create a search button.
Figure 8: Screenshot showing the 'Content Search' page within Microsoft Purview, specifically under the 'eDiscovery' section. The interface includes options to create a new search, export results, and manage existing searches. There is one search listed with details such as name, description, query text, created by, last modified date, and status.
2) Give your new search a unique name and description.
3) Under the Query tab in your new search, you will see Data sources on the left side. The new Content Search’s enhanced data sources will make it a lot easier for you to set the locations that you would like to search. You can use Content Search to search for M365 content such as email, documents, and instant messaging conversations in your organization. Use search to find content in these cloud-based Microsoft 365 data sources:
- Exchange Online mailboxes
- SharePoint sites
- OneDrive accounts
- Microsoft Teams
- Microsoft 365 Groups
- Viva Engage
In this example, we will be searching Nestor’s mailbox and OneDrive site for an email sent in March 2025 that contains the keyword string “Project 9”.
4) Click Add sources under Data sources to add your locations (you can also search all your mailboxes or sites by selecting Add tenant-wide sources if needed)
5) Type in the name of the user or their email address to find the user that you’re wanting to search and then select them.
Figure 9: Screenshot shows the 'Search for sources' interface in Microsoft 365 compliance center, where users can add people, groups, SharePoint sites, OneDrive accounts, and Microsoft Teams as sources. The search results display one item matching the query 'Nestor Wilke,' with an option to select or deselect it.
6) Click the Manage button to see the locations associated with this user. The enhanced data source experience will automatically identify a user’s mailbox and OneDrive site if they have one enabled.
Figure 10: Screenshot shows the 'Manage sources' interface, where a user can filter and search for specific users or groups. It displays a list of sources with options to select mailboxes and sites. One item is listed, with both mailboxes and sites selected.
7) Select Save to continue. Optional: you can exclude either their Mailbox or OneDrive site by unchecking them under the Manage sources view.
8) Now that we have identified the locations that we want to search, the next step is to create a query to define what we want to search for within those locations.
9) Under the Keywords condition, make sure that Equal is selected, and type in Project 9 and hit enter.
Figure 11: Screenshot showing Keyword condition equal to the project 9 name.
This will let you specify that you are looking for any chat, email, or document that contains the phrase “Project 9”.
10) Next, click on the + Add conditions button to add the date range condition. Select Date from the list and hit Apply.
Figure 12: Screenshot of the 'Choose which conditions to add' window in a search filter interface, showing various filter and condition options for refining a search query. The "Date" search property is selected.
11) Switch the Date operator from Before to Between and select March 1, 2025 through March 31, 2025 as the date range.
Figure 13: Screenshot shows the 'Condition builder' interface for creating a search query with conditional filtering. It includes fields for entering specific keywords, selecting a project, and defining a date range, which in this example is set between March 1, 2023, and March 31, 2023. Additionally, there is an option to add more conditions to further refine the search criteria, allowing users to build precise and targeted search queries by combining multiple conditions.
12) Click the Run query button to generate the search estimate. Then click Run Query after selecting any additional options that you may want.
13) After the search has run, the Statistics tab will help you verify whether the relevant content was found. You can also generate a sample of the results by going under the Sample tab and hitting the Generate sample results button.
Figure 14: Screenshot shows search statistics with the "Summary" tab selected. It includes sections for Total Matches, Locations, and Data Sources, each with respective buttons for more information. Additionally, there are circular graphs displaying percentages for Top Data Sources and Top Location Type, categorized into Mailbox (blue) and Sites (green).
14) You can export the results of your search after you have verified that the relevant content has been returned by your search by selecting the Export button. Please give your export a name and description.
Figure 15: Screenshot displays an export settings window for downloading items related to the investigation. Users can configure the export by providing a name and description, selecting indexed items, versions of OneDrive and SharePoint documents, folder items, and messages from mailboxes and Exchange online. The window includes various options to customize the export process, ensuring comprehensive data collection.
15) You can choose what format you want the results to be exported in by scrolling down.
Figure 16: Screenshot displays the "Export" settings window from a software application, detailing options for exporting data. Users can choose to include Teams and Viva Engage conversations, organize conversations into an HTML transcript, and collect items linked to SharePoint or OneDrive. Additional settings allow users to select the export type, format the export into PSTs or .msg files, organize data into separate folders, condense paths to fit within 259 characters, and give items a friendly name.
In the Export type section, choose one of the following options:
- Export items report only: Only the summary and item report are created. The various options for organizing data, folder and path structure, condensing paths, and other structures are hidden.
- Export items with items report: Items are exported with the item report. Other export format options are available with this option in the Export format section.
In the Export format section, choose one of the following options:
- Create PSTs for messages: This option creates .pst files for messages.
- Create .msg files for messages: This option creates .msg files for messages.
Select one or more of the following output package options:
- Organize data from different locations into separate folders or PSTs: This option organizes data into separate folders for each data location.
- Include folder and path of the source: This option includes the original folder and folder path structure for items.
- Condense paths to fit within 256 characters: This option condenses the folder path for each item to 259 characters or less.
- Give each item a friendly name: This option creates a friendly name for each item.
16) After you have selected the options for your export, select the Export button.
17) Click the Export button to go to the Export tab.
Figure 17: Screenshot shows a search titled "CS - April 2025 Phishing Campaign Investigation." Below the title, there is a subtitle that reads "April 2025 Phishing Campaign Investigation." The query displayed is: "Query: ('Project 9') AND ((Date=2025-03-01..2025-03-31))." At the top left, there are buttons for "Search" and "Export." The "Export" button is highlighted.
18) Select your export once the status shows as “Complete”.
Figure 18: Screenshot shows the export results of a content search from the Microsoft Purview eDiscovery (Premium) portal. The export is complete and displays details such as the name, status, completion date, and export packages available for download. The export packages listed are "Report_Content_Search_Results_April_23_Phishing_investigation.zip" and "PST.zip", with a download button provided.
19) Select the export packages that you wish to download and hit the Download button. Clicking the Download button will kick off a browser download. The new Content Search does not use classic Content Search and eDiscovery (Standard)’s .NET eDiscovery Export Tool application. NOTE: You may have to disable popup blocking depending on your browser settings.
- The download report relating to the export is named Reports-caseName-EntityName-ProcessName-timestamp.zip, where EntityName is the name the user gave to the export. It includes several .CSV files, including items.csv, which provides details of all items exported, such as item ID, location of the item, subject/title of the item, item class/type, and success/error status.
- The .PST files exported will be included in an export package called "PSTs.00x.zip".
- Files exported (e.g. files stored in OneDrive and SharePoint) will be included in an export package called Items.00x.zip.
To learn more about the Microsoft Purview eDiscovery and Content Search solutions and become an eDiscovery Ninja, please check out our eDiscovery Ninja Guide at https://aka.ms/eDiscoNinja!
Updated Apr 21, 2025
Version 1.0
davidrobbins
Microsoft