Create an Office 365 Security and Compliance Center eDiscovery case, hold, and content search. Warning: uses basic authentication which will be deprecated in Oct 2020.
# Strict mode turns uninitialized variables and references to missing
# properties into errors for the rest of the script.
Set-StrictMode -Version "Latest"

# eDiscovery case creation
# Every object created later in the script (hold policy, hold rule, search)
# takes its name from the case name.
$caseName = 'Smith v. Johnson'

# Mailboxes to place on hold and to search.
# NOTE(review): both entries read '[email protected]' on this page, which looks
# like e-mail obfuscation residue rather than real addresses - replace them
# with the custodians' actual UPNs before running.
$UPN = @('[email protected]', '[email protected]')

$description = $caseName
$policyName = "$caseName - Hold Policy"
$ruleName = "$caseName - Hold Rule"
$searchName = "$caseName - Search Name"

# Display name of the mailbox folder whose subtree the content search targets.
$rootFolderNameQuery = "Legal Hold"
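function GetFolderQueries {
    <#
    .SYNOPSIS
    Builds "folderid:" content-search clauses for a named folder and its
    subfolders in each of the given mailboxes.

    .DESCRIPTION
    For every mailbox in -UPN the function reads the folder statistics once,
    finds each folder whose Name equals -rootFolderNameQuery, and selects that
    folder plus the folders whose FolderPath lies underneath it. Bytes 23..46
    of each base64-decoded FolderId are rendered as 48 upper-case hex
    characters and prefixed with "folderid:".

    The subtree match is "path equals the root, or path starts with the root
    followed by '/'". A bare prefix wildcard would also pull in sibling folders
    that merely share the prefix (for example "/Legal Hold 2") and would treat
    wildcard characters inside a folder name as a pattern, widening the
    collection beyond the intended folder.

    .PARAMETER rootFolderNameQuery
    Display name of the root folder to look for in each mailbox.

    .PARAMETER UPN
    Mailbox identities passed to Get-MailboxFolderStatistics -Identity.

    .OUTPUTS
    One object per selected folder with the properties UPN, FolderPath and
    FolderQuery. Nothing is returned for a mailbox without a matching folder;
    a warning is written instead.
    #>
    param (
        [string]
        $rootFolderNameQuery,
        [string[]]
        $UPN
    )

    # Loop-invariant helpers for the byte -> hex conversion.
    $encoding = [System.Text.Encoding]::GetEncoding("us-ascii")
    $nibbler = $encoding.GetBytes("0123456789ABCDEF")

    $folderQueries = @()

    foreach ($user in $UPN) {
        # A single statistics call per mailbox serves both the root lookup and
        # the subtree selection.
        $allFolderStats = @(Get-MailboxFolderStatistics -Identity $user)
        $rootFolderStats = @($allFolderStats | Where-Object Name -eq $rootFolderNameQuery)

        if ($rootFolderStats.Count -eq 0) {
            # Without this guard the subtree filter would be built from a null
            # path: an error under strict mode, a match-everything pattern
            # without it.
            Write-Warning "No folder named '$rootFolderNameQuery' found in mailbox '$user'; no folder query generated for it."
            continue
        }

        # Guards against emitting a folder twice when one matching root is
        # nested inside another.
        $seenFolderIds = @{}

        # The name can occur at several places in the tree, so every match is
        # treated as its own root.
        foreach ($rootFolder in $rootFolderStats) {
            $rootPath = [string]$rootFolder.FolderPath
            $childPrefix = "$rootPath/"

            $childFolderStats = $allFolderStats | Where-Object {
                ($_.FolderPath -eq $rootPath) -or
                ([string]$_.FolderPath).StartsWith($childPrefix, [System.StringComparison]::OrdinalIgnoreCase)
            }

            # sample script to convert folderId: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-content-search-for-targeted-collections?view=o365-worldwide#step-1-run-the-script-to-get-a-list-of-folders-for-a-mailbox-or-site
            foreach ($folderStatistic in $childFolderStats) {
                $folderId = $folderStatistic.FolderId
                $folderPath = $folderStatistic.FolderPath

                if ($seenFolderIds.ContainsKey($folderId)) {
                    continue
                }
                $seenFolderIds[$folderId] = $true

                $folderIdBytes = [Convert]::FromBase64String($folderId)
                if ($folderIdBytes.Length -lt 47) {
                    # The conversion reads bytes 23..46; a shorter id would
                    # leave zero bytes in the query string.
                    Write-Warning "FolderId for '$folderPath' in mailbox '$user' is shorter than expected; folder skipped."
                    continue
                }

                # Two hex characters per byte: high nibble first, then low.
                $indexIdBytes = New-Object byte[] 48
                for ($i = 0; $i -lt 24; $i++) {
                    $currentByte = $folderIdBytes[23 + $i]
                    $indexIdBytes[2 * $i] = $nibbler[$currentByte -shr 4]
                    $indexIdBytes[2 * $i + 1] = $nibbler[$currentByte -band 0xF]
                }
                $folderQuery = "folderid:$($encoding.GetString($indexIdBytes))"

                $folderQueries += [PSCustomObject]@{
                    UPN         = $user
                    FolderPath  = $folderPath
                    FolderQuery = $folderQuery
                }
            }
        }
    }

    return $folderQueries
}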
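# Connection to EXO and SCC PowerShell Modules
# NOTE(review): both sessions authenticate with -Authentication Basic, i.e. the
# account password is presented on every connection and MFA-protected accounts
# cannot be used. The description of this script already flags Basic auth as
# due for deprecation; the modern-auth replacements are Connect-ExchangeOnline
# and Connect-IPPSSession from the ExchangeOnlineManagement module. The Basic
# calls are kept here only so the script stays self-contained.
$UserCredential = Get-Credential

# Initialized up front so the cleanup in 'finally' can test them even when a
# connection attempt fails (strict mode rejects unset variables).
$Session = $null
$SccSession = $null

try {
    # -ErrorAction Stop: a failed connection must halt the script rather than
    # let the later steps run against missing cmdlets.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection -ErrorAction Stop
    Import-PSSession $Session -AllowClobber

    $SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection -ErrorAction Stop
    Import-PSSession $SccSession -AllowClobber -DisableNameChecking

    # Create eDiscovery case, hold, and compliance search
    # Each step stops on error so a hold or search is never created on top of
    # a case or policy step that failed.
    New-ComplianceCase -Name $caseName -Description $description -ErrorAction Stop
    New-CaseHoldPolicy -Name $policyName -Case $caseName -ExchangeLocation $UPN -Enabled $true -ErrorAction Stop
    New-CaseHoldRule -Name $ruleName -Policy $policyName -Disabled $false -ErrorAction Stop

    $folderQueries = @(GetFolderQueries -rootFolderNameQuery $rootFolderNameQuery -UPN $UPN)

    if ($folderQueries.Count -eq 0) {
        # No folder clause means there is nothing to scope the search with;
        # skip it rather than create a search with no folder restriction.
        Write-Warning "No '$rootFolderNameQuery' folders were found for the listed mailboxes; compliance search '$searchName' was not created."
    }
    else {
        # Join the clauses with an explicit OR so an item in any listed folder
        # matches. Passing the array as-is leaves the joining to parameter
        # conversion - presumably a space-separated string; verify against the
        # service if the original behavior matters.
        $contentMatchQuery = ($folderQueries | ForEach-Object { $_.FolderQuery }) -join ' OR '
        New-ComplianceSearch -Name $searchName -Case $caseName -HoldNames "All" -ContentMatchQuery $contentMatchQuery -ErrorAction Stop
    }
}
finally {
    # Always release the remote sessions: they hold authenticated connections
    # open under the supplied credential until removed or timed out.
    if ($null -ne $SccSession) { Remove-PSSession -Session $SccSession }
    if ($null -ne $Session) { Remove-PSSession -Session $Session }
}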