Search and Investigation Tools

This course explores how to implement and manage auditing and eDiscovery in Microsoft 365. We'll start by covering Content Search and other search and investigation tools that are used to perform content searches, and how to export content search results.

You'll also learn about auditing management, before moving on to Core eDiscovery and how to search content using the Security & Compliance Admin Center. You’ll also learn how to configure Core eDiscovery and how to create cases. Finally, we'll cover Advanced eDiscovery, and you’ll learn what Advanced eDiscovery is, how to set it up, and how to create and manage Advanced eDiscovery cases.

Learning Objectives

  • Learn about Content Search and other search and investigation tools that are used to perform content searches
  • Export Content Search results
  • Learn how to configure audit log retention and audit policy
  • Learn what Core eDiscovery is and how to search content using the Security & Compliance Admin Center
  • Configure Core eDiscovery and create cases
  • Get an overview of Advanced eDiscovery and learn how to create and manage Advanced eDiscovery cases

Intended Audience

This course is intended for those who wish to learn how to use and manage auditing and eDiscovery in Microsoft 365.


To get the most out of this course, you should already have some basic experience of working with Microsoft 365.


Hello, and welcome to Search and Investigation Tools. In this lesson, we’re going to take a look at the key tools that are used to perform content searches. We’ll look at Content Search, Core eDiscovery, and Advanced eDiscovery.

The Content Search tool in the Security & Compliance Center can be used to find emails in Exchange mailboxes, documents in SharePoint sites, and documents in OneDrive locations. It can also be used to find messaging conversations in Skype for Business and Microsoft Teams.

To use Content Search, what you typically do is choose the content location you wish to search, and then you configure a keyword query to search for items you are interested in. That said, you can also just leave the search query blank. When you do that, your query will return all items in the content location you’ve targeted.

The Content Search tool allows you to do things like running an ID list search to search for specific email messages, and to search cloud-based mailboxes for on-prem users in Microsoft 365. You can also use Content Search to view the keyword statistics for the results of a particular search. You can then use that info to refine the original query if necessary. Content Search also allows you to search for third-party data that’s been imported into the Microsoft 365 organization.

When you find the data you are looking for, Content Search allows you to perform several operations on that data. For example, you can export the results of your content search so you can download them, or you can search for specific email messages and delete them. This is particularly helpful when you need to remove a virus-laden email from everyone’s mailboxes quickly. You can even export a report about the results of a search. This lets you export information about the search, without exporting the actual data.
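The workflow described above (pick a content location, set a keyword query, review the result statistics, then delete the matching messages) can also be scripted with the Security & Compliance PowerShell cmdlets. This is an added example, not part of the original lesson; the search name, admin account, and query values are constructed placeholders, and it assumes the ExchangeOnlineManagement module is installed and the account holds the roles required for content search and purge.

```powershell
# Added example: all names, addresses and dates below are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example

$searchName = 'Malicious-Invoice-Cleanup'   # hypothetical search name

# 1. Choose the content location (all Exchange mailboxes) and the keyword query.
#    Leaving -ContentMatchQuery out would return every item in the location.
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation All `
    -ContentMatchQuery 'subject:"Overdue invoice" AND from:billing@badsender.example AND received>=2024-01-15'

# 2. Run the search and wait for it to finish, with a timeout so the loop cannot hang.
Start-ComplianceSearch -Identity $searchName
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

if ($search.Status -ne 'Completed') {
    throw "Search '$searchName' did not complete in time (status: $($search.Status))."
}

# 3. Review the statistics before acting; refine the query and rerun if the
#    item count is higher than the incident justifies.
$search | Format-List Name, Status, Items, Size, ContentMatchQuery

# 4. Remove the matching messages. SoftDelete moves them to Recoverable Items,
#    so they can still be restored until the retention period expires.
#    The cmdlet asks for confirmation before it purges anything.
if ($search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete
}
```

A purge action removes at most 10 items per mailbox, so it suits targeted cleanup of a specific message rather than bulk mailbox cleanup.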

We’ll actually talk about exporting later on.

Core eDiscovery is another search tool in Microsoft 365. It’s a basic eDiscovery tool that allows you to search for, and export, content in both Microsoft 365 and in Office 365. Core eDiscovery can also be used to place eDiscovery holds on things like Exchange mailboxes, OneDrive accounts, and SharePoint sites. It can also be used to place holds on Microsoft Teams.

We’ll dive into Core eDiscovery in more detail later. But for now, you just need to know it’s another tool in your arsenal for performing searches in Microsoft 365.

Advanced eDiscovery is yet another Microsoft 365 offering that you can use to perform searches. It expands on the existing Microsoft eDiscovery and analytics capabilities. However, what sets Advanced eDiscovery apart is the end-to-end workflow it provides. Using this tool, you can preserve, collect, analyze, review, analyze again, and export content when performing internal and external investigations within your organization. Advanced eDiscovery even allows legal teams to manage the entire legal hold notification workflow.

Later on, we’ll dive into the details of Advanced eDiscovery.

So, now that we’ve touched on what each of the key search and investigation tools is, let’s move on to exporting content search results.


About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.