-Phone numbers for Billing and Technical support hours (and languages) are listed on [Microsoft 366 for business support contacts by country or region](support-contact-info.md).

-Billing support for Microsoft 365 for business products and services is provided in English from 9 AM-5 PM (9 AM-6 PM in Australia), Monday through Friday.\

-Technical support is provided in English 24 hours a day, 7 days a week.

-description: "Configure the support integration experimental feature to test and provide the Microsoft 365 support integration team with feedback."

-# Enable Microsoft 365 support integration for ServiceNow Virtual Agent

-> [!IMPORTANT]

-> Support integration for ServiceNow Virtual Agent is an experimental feature being rolled out for users to test and provide the Microsoft 365 support integration team with feedback.

-When you configure the Microsoft 365 support integration app to work with ServiceNow Virtual Agent, you gain access to **Recommended Solutions** through two different user experiences:

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-support-integration-1.png" lightbox="../../media/ServiceNow-guide/servicenow-support-integration-1.png" alt-text="Quick Insights.":::

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-support-integration-2.png" lightbox="../../media/ServiceNow-guide/servicenow-support-integration-2.png" alt-text="Branching Experience.":::

-## Before you begin

-## Configure Microsoft 365 support integration to work with ServiceNow Virtual Agent

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-support-integration-3.png" lightbox="../../media/ServiceNow-guide/servicenow-support-integration-3.png" alt-text="Set default chat experience fallback topic.":::

-# Find Microsoft 365 for business phone support numbers by country or region

-Billing support for Microsoft 365 for business products and services is provided in English from 9 AM-5 PM (9 AM-6 PM in Australia), Monday through Friday.\

-Technical support is provided in English 24 hours a day, 7 days a week.

-0120 628 860 (Other Plans)

-03 4332 6257 (Other Plans)\

-Telephone technical support is available from 9:00-17:30 on weekdays. For high severity issues, technical support is available 24 hours a day, 7 days a week.

-The guidance in these missions is based upon the [Zero Trust security model](../security/office-365-security/microsoft-365-policies-configurations.md), and is summarized in a downloadable [Cybersecurity playbook](https://download.microsoft.com/download/9/c/1/9c167271-8209-492e-acc2-38a39d1834c2/m365bp-cybersecurity-playbook.pdf)).

-Once customers purchase the apps and accept the Microsoft Customer Agreement, they can manage them in Microsoft 365 admin center, or Microsoft Store for Business.

-When you use the eDiscovery Export tool to export the email results of an eDiscovery search from the different Microsoft eDiscovery tools, the default size of a PST file that can be exported is 10 GB. If you want to change this default size, you can edit the Windows Registry on the computer that you use to export the search results. One reason to do this is so a PST file can fit on removable media, such a DVD, a compact disc, or a USB drive.

-1. Close the eDiscovery Export tool if it's open.

-

-2. Save the following text to a Window registry file by using a filename suffix of .reg; for example, PstExportSize.reg.

-

-

-

-3. Change the `PstSizeLimitInBytes` value to the desired maximum size of a PST file when you export search results, and then save the file.

-

-4. In Windows Explorer, click or double-click the .reg file that you created in the previous steps.

-

-5. In the User Access Control window, click **Yes** to let the Registry Editor make the change.

-

-6. When prompted to continue, click **Yes**.

-

-

-7. You can repeat steps 3 - 6 to change the value for the `PstSizeLimitInBytes` registry setting.

-## Frequently asked questions about changing the default size of PST files when you export eDiscovery search results

- **Why is the default size 10 GB?**

- **Should I increase or decrease the default size of PST files?**

- **What computer do I have to do this on?**

- **After I change this setting, do I have to reboot the computer?**

- **Does an existing registry key get edited or does a new key get created?**

-Here's an example of the warning message that's displayed after you click **Check query for typos** for the search query in the previous screenshot. Note the original query used smart quotes and lowercase Boolean operators.

-description: "You have to enable ClickOnce support to use the newest version of Microsoft Edge to download search results from Content Search and eDiscovery in the security and compliance center."

-3. Scroll down to the bottom of the browser window and click **Restart** to restart Edge.

-**Note:** Organizations can use Group Policy to disable ClickOnce support. To check if there is an organizational policy for ClickOnce support, go to **edge://policy**. The following screenshot shows that ClickOnce is enabled across the entire organization. If this policy value is set to **false**, you will need to contact an admin in your organization.

-1. Click **Download results** on the flyout page of an export in Content Search or an eDiscovery case.

-2. You will be prompted with a confirmation to launch the tool, Click **Open**.

- If the eDiscovery Export Tool isn't installed, you will be prompted with a Security Warning,

-3. Click **Install**. After it's installed, the export tool will launch automatically.

-For more information, see the following topics:

-You can search the mailbox that's associated with a Microsoft Team or Microsoft 365 Group. Because Microsoft Teams is built on Microsoft 365 Groups, searching them is similar. In both cases, only the group or team mailbox is searched. The mailboxes of the group or team members aren't searched. To search them, you have to specifically add them to the search.

-You can search inactive mailboxes in a content search. To get a list of the inactive mailboxes in your organization, run the command `Get-Mailbox -InactiveMailboxOnly` in Exchange Online PowerShell. Alternatively, you can go to **Data lifecycle management** \> **Microsoft 365** \> **Retention** in the Microsoft Purview compliance portal, and then click **More** \> **Inactive mailboxes**.

-## Searching for content in a SharePoint Multi-Geo environment

-1. Create a separate user account for each satellite geo location that the eDiscovery manager needs to search. To search for content in sites in that geo location, the eDiscovery manager must sign in to the account you created for that location and then run a content search.

-1. Go to <https://compliance.microsoft.com> and sign in using the credentials of an account that's been assigned the appropriate permissions.

-2. In the left navigation pane of the compliance portal, click **Content search**.

-3. On the **Content search** page, click **New search**.

-4. Type a name for the search, an optional description that helps identify the search. The name of the search must be unique in your organization.

- 1. **Exchange mailboxes**: Set the toggle to **On** and then click **Choose users, groups, or teams** to specify the mailboxes to search. Use the search box to find user mailboxes and distribution groups. You can also search the mailbox associated with a Microsoft Team (for channel messages), Office 365 Group, and Yammer Group. For more information about the application data stored in mailboxes, see [Content stored in mailboxes for eDiscovery](what-is-stored-in-exo-mailbox.md).

- 2. **SharePoint sites**: Set the toggle to **On** and then click **Choose sites** to specify SharePoint sites and OneDrive accounts to search. Type the URL for each site that you want to search. You can also add the URL for the SharePoint site for a Microsoft Team, Office 365 Group, or Yammer Group.

- 3. **Exchange public folders**: Set the toggle to **On** to search public folders in your Exchange Online organization. You can't choose specific public folders to search. Leave the toggle switch off if you don't want search public folders.

-6. On the **Define your search conditions** page, type a keyword query and add conditions to the search query if necessary.

- 2. Alternatively, you can click the **Show keyword list** checkbox and the type a keyword in each row. If you do this, the keywords on each row are connected by a logical operator (**c:s**) that is similar in functionality to the **OR** operator in the search query that's created.

- Why use the keyword list? You can get statistics that show how many items match each keyword. This can help you quickly identify which keywords are the most (and least) effective. You can also use a keyword phrase (surrounded by parentheses) in a row. For more information about the keyword list and search statistics, see [Get keyword statistics for searches](view-keyword-statistics-for-content-search.md#get-keyword-statistics-for-searches).

-7. Review the search settings (and edit if necessary), and then submit the search to start it.

-To access this content search again or access other content searches listed on the **Content search** page, select the search and then click **Open**.

-## More information

-For more information about Content search, such as searching for content in different Microsoft 365 services, see [Feature reference for Content search](content-search-reference.md).

-During the eDiscovery export process, these three properties are compared for every message that matches the search criteria. If these properties are identical for two (or more) messages, those messages are determined to be duplicates and the result is that only one copy of the message will be exported if de-duplication is enabled. The message that is exported is known as the "source item". Information about duplicate messages is included in the **Results.csv** and **Manifest.xml** reports that are included with the exported search results. In the **Results.csv** file, a duplicate message is identified by having a value in the **Duplicate to Item** column. The value in this column matches the value in the **Item Identity** column for the message that was exported.

- ### Results.csv report (viewed in Excel)

- ### Manifest.xml report (viewed in Excel)

- - Content search in compliance center in Office 365

- - In-Place eDiscovery in Exchange Online

- - The eDiscovery Center in SharePoint Online

- - [Export Content Search](export-search-results.md)

- - [Export a Content Search report](export-a-content-search-report.md)

- - [Export In-Place eDiscovery search results to a PST file](/exchange/security-and-compliance/in-place-ediscovery/export-search-results)

- - [Export content and create reports in the eDiscovery Center](/SharePoint/governance/export-content-and-create-reports-in-the-ediscovery-center)

-This article applies to searches that you can run using one of the following Microsoft 365 eDiscovery tools:

- - Hold versioning in SharePoint. If a document is deleted from a site that's on hold and document versioning is enabled, all versions of the deleted document will be preserved.

- - Calendar items. Accept and reject messages and recurring meetings will automatically continue creating new items in the background with old dates.

-When you use the eDiscovery Export tool to export the results of a Content Search in the Microsoft Purview compliance portal, the tool automatically creates and exports two reports that contain additional information about the exported content. These reports are the Results.csv file and the Manifest.xml file (see the [Frequently asked questions about disabling export reports](#frequently-asked-questions-about-disabling-export-reports) section in this topic for detailed descriptions of these reports). Because these files can be very large, you can speed up the download time and save disk space by preventing these files from being exported. You can do this by changing the Windows Registry on the computer that you use to export the search results. If you want to include the reports at a later time, you can edit the registry setting.

-

-

-

-

-

-

-3. In Windows Explorer, click or double-click the .reg file that you created in the previous steps.

-

-4. In the User Access Control window, click **Yes** to let the Registry Editor make the change.

-

-5. When prompted to continue, click **Yes**.

-

-

-

-

-

-

-

-3. In Windows Explorer, click or double-click a .reg file that you edited in the previous step.

-

-4. In the User Access Control window, click **Yes** to let the Registry Editor make the change.

-

-5. When prompted to continue, click **Yes**.

-

- **What are the Results.csv and Manifest.xml reports?**

-

-

-

-

-

- - Whether the message is a duplicate message if you enabled de-duplication when exporting the search results. Duplicate messages will have a value in the **Parent ItemId** column that identifies the message as a duplicate. The value in the **Parent ItemId** column is the same as the value in the **Item DocumentId** column of the message that was exported.

-

- For documents from SharePoint and OneDrive for Business sites, the result log contains information about each document, including:

-

-

-

-

-

-

- **When should I disable exporting these reports?**

- **What computer do I have to do this on?**

- You have to change the registry setting on any local computer that you run the eDiscovery Export tool on.

- **After I change this setting, do I have to restart the computer?**

- **Does an existing registry key get edited or does a new key get created?**

-A new registry key is created the first time you run the .reg file that you created in the procedure in this topic. Then the setting is edited each time you change and re-run the .reg edit file.

-# Decryption in Microsoft 365 eDiscovery tools

-To execute common eDiscovery tasks on encrypted content, eDiscovery managers were required to decrypt email message content as it was exported from content searches, Microsoft Purview eDiscovery (Standard) cases, and Microsoft Purview eDiscovery (Premium) cases. Content encrypted with Microsoft encryption technologies wasn't available for review until after it was exported.

-To make it easier to manage encrypted content in the eDiscovery workflow, Microsoft 365 eDiscovery tools now incorporate the decryption of encrypted files attached to email messages and sent in Exchange Online.¹ Additionally, encrypted documents stored in SharePoint Online and OneDrive for Business are decrypted in eDiscovery (Premium)².

-Prior to this new capability, only the content of an email message protected by rights management (and not attached files) were decrypted. Encrypted documents in SharePoint and OneDrive couldn't be decrypted during the eDiscovery workflow. Now, files that are encrypted with a Microsoft encryption technology is located on a SharePoint or OneDrive account are searchable and decrypted when the search results are prepared for preview, added to a review set in eDiscovery (Premium), and exported. Additionally, encrypted documents in SharePoint and OneDrive that are attached to an email message (as a copy) are searchable. This decryption capability allows eDiscovery managers to view the content of encrypted email attachments and site documents when previewing search results, and review them after they have been added to a review set in eDiscovery (Premium).

-For Exchange, Microsoft eDiscovery tools support items encrypted with Microsoft encryption technologies. These technologies are Azure Rights Management (Azure RMS)³ and Microsoft Purview Information Protection (specifically sensitivity labels). For more information about Microsoft encryption technologies, see [Encryption](encryption.md) and the various [email encryption](email-encryption.md#comparing-email-encryption-options-available-in-office-365) options available. Content encrypted by S/MIME or third-party encryption technologies isn't supported. For example, previewing or exporting content encrypted with non-Microsoft technologies isn't supported.

-For SharePoint, content labeled with SharePoint online service will be decrypted. Items labeled or encrypted in the client before uploading to SharePoint, legacy document library RMS templates or settings and S/MIME or other standards are not supported².

-¹ Encrypted files located on a local computer and copied to an email message arenΓÇÖt decrypted and indexed for eDiscovery. For eDiscovery (Premium), encrypted email and attachments in recipient mailbox needs to be advanced indexed to be decrypted. For more information about advanced indexing, see [Advanced indexing of custodian data](indexing-custodian-data.md).

-³ The RMS keys need to be fully managed in M365/O365 cloud service - meaning DKE, BYOK, OnPrem RMS, etc. are not supported. See [Your Azure Information Protection tenant key](/azure/information-protection/plan-implement-tenant-key#tenant-root-keys-generated-by-microsoft).

-The new KQL query experience in Microsoft 365 eDiscovery tools search provides feedback and guidance when you build search queries in Content search, Microsoft Purview eDiscovery (Standard), and eDiscovery (Premium). When you type queries in the editor, it provides autocompletion for supported searchable properties and conditions and provides lists of supported values for standard properties and conditions. For example, if you specify the `kind` email property in your query, the editor will present a list of supported values that you can select. The KQL editor also displays potential query errors in real time that you can fix before you run the search. Best of all, you can paste complex queries directly into the editor without having to manually build queries using the keywords and conditions cards in the standard condition builder.

-When you start to type a search query in the KQL editor, the editor displays suggested autocompletion of supported search properties (also called *property restrictions*) that you can select. You have to type a minimum of two characters to display a list of supported properties that begin with those two characters. For example, the following screenshot shows the suggested search properties that begin with `Se`.

-<!--

-

-||||

-|Search for content </br> Keyword queries and search conditions </br> Export search results </br> Role-based permissions|Search and export </br> Case management </br>Legal hold|Custodian management </br> Legal hold notifications </br> Advanced indexing </br> Review set filtering </br> Tagging </br> Analytics </br> Predictive coding models </br> And more...|

-See the following articles to help you learn more and get started using the eDiscovery solutions in Microsoft 365.

-### Content search

-### eDiscovery (Standard)

-### eDiscovery (Premium)

-Training your IT administrators, eDiscovery managers, and compliance investigation teams in the basics for Content search, eDiscovery (Standard), and eDiscovery (Premium) can help your organization get started more quickly using Microsoft 365 eDiscovery tools. Microsoft 365 provides the following resource to help these users in your organization getting started with eDiscovery: [Describe the eDiscovery and audit capabilities of Microsoft 365](/training/modules/describe-ediscovery-capabilities-of-microsoft-365).

-

- > ¹ As a result of recent changes to Microsoft Edge, ClickOnce support is no longer enabled by default. For instructions on enabling ClickOnce support in Edge, see [Use the eDiscovery Export Tool in Microsoft Edge](configure-edge-to-export-search-results.md). Also, Microsoft doesn't manufacture third-party extensions or add-ons for ClickOnce applications. Exporting search results using an unsupported browser with third-party extensions or add-ons isn't supported.

-2. On the **Actions** menu at the bottom of the search flyout page, click **Export report**.

-5. Click **Generate report**.

- You may have to click **Refresh** to update the list of export jobs so that it shows the export job you created. Export report jobs have the same name as the corresponding search with **_ReportsOnly** appended to the search name.

-3. On the **Export report** flyout page under **Export key**, click **Copy to clipboard**. You use this key in step 6 to download the search results.

-4. At the top of the flyout page, click **Download results**.

-5. If you're prompted to install the **eDiscovery Export Tool**, click **Install**.

- 2. Click **Browse** to specify the location where you want to download the search report files.

-7. Click **Start** to download the search results to your computer.

-

-

- > ¹ As a result of recent changes to Microsoft Edge, ClickOnce support is no longer enabled by default. For instructions on enabling ClickOnce support in Edge, see [Use the eDiscovery Export Tool in Microsoft Edge](configure-edge-to-export-search-results.md). Also, Microsoft doesn't manufacture third-party extensions or add-ons for ClickOnce applications. Exporting search results using an unsupported browser with third-party extensions or add-ons isn't supported.

-

-

-

-The first step is to prepare the search results for exporting. When you prepare results, they are uploaded to a Microsoft-provided Azure Storage location in the Microsoft cloud. Content from mailboxes and sites is uploaded at a maximum rate of 2 GB per hour.

-1. In the compliance portal, select the content search that you want to export results from.

-2. On the **Actions** menu at the bottom of the flyout page, click **Export results**.

-

-

-

-

-

-6. Click **Export** to start the export process. The search results are prepared for downloading, which means they're collected from the original content locations and then uploaded to an Azure Storage location in the Microsoft cloud. This may take several minutes.

-> [!NOTE]

- You may have to click **Refresh** to update the list of export jobs so that it shows the export job you created. Export jobs have the same name as the corresponding search with **_Export** appended to the search name.

-3. On the flyout page under **Export key**, click **Copy to clipboard**. You use this key in step 6 to download the search results.

-4. At the top of the flyout page, click **Download results**.

-5. If you're prompted to install the **eDiscovery Export Tool**, click **Install**.

- 1. Paste the export key that you copied in step 3 in the appropriate box.

- 2. Click **Browse** to specify the location where you want to download the search result files.

-7. Click **Start** to download the search results to your computer.

-[Export limits](#export-limits)

-

-[Export reports](#export-reports)

-

-[Exporting partially indexed items](#exporting-partially-indexed-items)

-[Exporting individual messages or PST files](#exporting-individual-messages-or-pst-files)

-[Decrypting RMS-protected email messages and encrypted file attachments](#decrypting-rms-protected-email-messages-and-encrypted-file-attachments)

-[Filenames of exported items](#filenames-of-exported-items)

-

-[Miscellaneous](#miscellaneous)

-

-

-

-

- - [File type exclusions](insider-risk-management-settings.md#file-type-exclusions)

- - [Minimum number of daily events to boost score for unusual activity](insider-risk-management-settings.md#minimum-number-of-daily-events-to-boost-score-for-unusual-activity)

- - [Alert volume level](insider-risk-management-settings.md#alert-volume)

- - [Microsoft Defender for Endpoint alert status](insider-risk-management-settings.md#microsoft-defender-for-endpoint-alert-statuses-preview)

- - [Domain settings](insider-risk-management-settings.md#domains)

-### File type exclusions

-### Minimum number of daily events to boost score for unusual activity

-With this setting, you define how many daily events are required to boost the risk score for activity that's considered unusual for a user. For example, let's say you enter 25 for this risk booster. If a user averages 10 file downloads over the past 30 days, but a policy detects they downloaded 20 files on one day, the score for that activity won't be boosted even though it's unusual for that user because the number of files they downloaded that day was less than the number you entered for this risk booster.

-### Microsoft Defender for Endpoint alert statuses (preview)

-### Site URL exclusions

-### Keyword exclusions

-| `attachmentdepth` <br/> |The content retriever and document parser found too many levels of attachments nested inside other attachments. Some of these attachments were not processed. <br/> |

-Error fields describe which fields are affected by the processing error listed in the Error Tags field. If you're searching a property such as `subject` or `participants`, errors in the body of the message won't impact the results of your search. This can be useful when determining exactly which partially indexed items you might need to further investigate.

-<!--

-## Using a PowerShell script to determine your organization's exposure to partially indexed email items

-The following steps show you how to run a PowerShell script that searches for all items in all Exchange mailboxes, and then generates a report about your organization's ratio of partially indexed email items (by count and by size) and displays the number of items (and their file type) for each indexing error that occurs. Use the error tag descriptions in the previous section to identify the indexing error.

-

-1. Save the following text to a Windows PowerShell script file by using a filename suffix of .ps1; for example, `PartiallyIndexedItems.ps1`.

- ```powershell

- write-host "**************************************************"

- write-host " Security & Compliance PowerShell " -foregroundColor yellow -backgroundcolor darkgreen

- write-host " eDiscovery Partially Indexed Item Statistics " -foregroundColor yellow -backgroundcolor darkgreen

- write-host "**************************************************"

- " "

- # Create a search with Error Tags Refinders enabled

- Remove-ComplianceSearch "RefinerTest" -Confirm:$false -ErrorAction 'SilentlyContinue'

- New-ComplianceSearch -Name "RefinerTest" -ContentMatchQuery "size>0" -RefinerNames ErrorTags -ExchangeLocation ALL

- Start-ComplianceSearch "RefinerTest"

- # Loop while search is in progress

- do{

- Write-host "Waiting for search to complete..."

- Start-Sleep -s 5

- $complianceSearch = Get-ComplianceSearch "RefinerTest"

- }while ($complianceSearch.Status -ne 'Completed')

- $refiners = $complianceSearch.Refiners | ConvertFrom-Json

- $errorTagProperties = $refiners.Entries | Get-Member -MemberType NoteProperty

- $partiallyIndexedRatio = $complianceSearch.UnindexedItems / $complianceSearch.Items

- $partiallyIndexedSizeRatio = $complianceSearch.UnindexedSize / $complianceSearch.Size

- " "

- "===== Partially indexed items ====="

- " Total Ratio"

- "Count {0:N0}{1:P2}" -f $complianceSearch.Items.ToString("N0").PadRight(15, " "), $partiallyIndexedRatio

- "Size(GB) {0:N2}{1:P2}" -f ($complianceSearch.Size / 1GB).ToString("N2").PadRight(15, " "), $partiallyIndexedSizeRatio

- " "

- Write-Host ===== Reasons for partially indexed items =====

- foreach($errorTagProperty in $errorTagProperties)

- {

- $name = $refiners.Entries.($errorTagProperty.Name).Name

- $count = $refiners.Entries.($errorTagProperty.Name).TotalCount

- $frag = $name.Split("{_}")

- $errorTag = $frag[0]

- $fileType = $frag[1]

- if ($errorTag -ne $lastErrorTag)

- {

- $errorTag

- }

- " " + $fileType + " => " + $count

- $lastErrorTag = $errorTag

- }

- ```

-2. [Connect to Security & Compliance PowerShell](/powershell/exchange/exchange-online-powershell).

-3. In Security & Compliance PowerShell, go to the folder where you saved the script in step 1, and then run the script; for example:

- ```powershell

- .\PartiallyIndexedItems.ps1

- ```

-Here's an example fo the output returned by the script.

-

-

-> [!NOTE]

-> Note the following:

->

-> - The total number and size of email items, and your organization's ratio of partially indexed email items (by count and by size).

->

-> - A list error tags and the corresponding file types for which the error occurred.

-## See also

-[Partially indexed items in eDiscovery](partially-indexed-items-in-content-search.md)

-This article describes the email and document properties that you can search for in email items and Microsoft Teams chat conversations in Exchange Online, and documents stored on SharePoint and OneDrive for Business sites using the eDiscovery search tools in the Microsoft Purview compliance portal. This includes Content search, Microsoft Purview eDiscovery (Standard), and Microsoft Purview eDiscovery (Premium) (eDiscovery searches in eDiscovery (Premium) are called *collections*). You can also use the **\*-ComplianceSearch** cmdlets in Security & Compliance PowerShell to search for these properties. The article also describes:

-The following table lists email message properties that can be searched by using the eDiscovery search tools in the compliance portal or by using the **New-ComplianceSearch** or the **Set-ComplianceSearch** cmdlet. The table includes an example of the _property:value_ syntax for each property and a description of the search results returned by the examples. You can type these `property:value` pairs in the keywords box for an eDiscovery search.

-|AttachmentNames|The names of files attached to an email message.|`attachmentnames:annualreport.ppt` <p> `attachmentnames:annual*`|Messages that have an attached file named annualreport.ppt. In the second example, using the wildcard character ( * ) returns messages with the word "annual" in the file name of an attachment.¹

-|Bcc|The Bcc field of an email message.¹|`bcc:pilarp@contoso.com` <p> `bcc:pilarp` <p> `bcc:"Pilar Pinilla"`|All examples return messages with Pilar Pinilla included in the Bcc field.<br>([See Recipient Expansion](keyword-queries-and-search-conditions.md#recipient-expansion))|

-|Category|The categories to search. Categories can be defined by users by using Outlook or Outlook on the web (formerly known as Outlook Web App). The possible values are: <ul><li>blue<li>green<li>orange<li>purple<li>red<li>yellow</li></ul>|`category:"Red Category"`|Messages that have been assigned the red category in the source mailboxes.|

-|Cc|The Cc field of an email message.¹|`cc:pilarp@contoso.com` <p> `cc:"Pilar Pinilla"`|In both examples, messages with Pilar Pinilla specified in the Cc field.<br>([See Recipient Expansion](keyword-queries-and-search-conditions.md#recipient-expansion))|

-|Folderid|The folder ID (GUID) of a specific mailbox folder. If you use this property, be sure to search the mailbox that the specified folder is located in. Only the specified folder will be searched. Any subfolders in the folder won't be searched. To search subfolders, you need to use the Folderid property for the subfolder you want to search. <p> For more information about searching for the Folderid property and using a script to obtain the folder IDs for a specific mailbox, see [Use Content search for targeted collections](use-content-search-for-targeted-collections.md).|`folderid:4D6DD7F943C29041A65787E30F02AD1F00000000013A0000` <p> `folderid:2370FB455F82FC44BE31397F47B632A70000000001160000 AND participants:garthf@contoso.com`|The first example returns all items in the specified mailbox folder. The second example returns all items in the specified mailbox folder that were sent or received by garthf@contoso.com.|

-|\*|cat\* <p> subject:set\*|Prefix searches (also called *prefix matching*) where a wildcard character ( * ) is placed at the end of a word in keywords or `property:value` queries. In prefix searches, the search returns results with terms that contain the word followed by zero or more characters. For example, ` Title: set*` returns documents that contain the word "set", "setup", and "setting" (and other words that start with "set") in the document title. <p> **Note:** You can use only prefix searches; for example, **cat\*** or **set\***. Suffix searches (**\*cat**), infix searches (**c\*t**), and substring searches (**\*cat\***) arenΓÇÖt supported. <p> Also, adding a period ( \. ) to a prefix search will change the results that are returned. That's because a period is treated as a stop word. For example, searching for **cat\*** and searching for **cat.\*** will return different results. We recommend not using a period in a prefix search.|

-|Type|The message class property for an email item. This is the same property as the ItemClass email property. It's also a multi-value condition. So to select multiple message classes, hold the **CTRL** key and then click two or more message classes in the drop-down list that you want to add to the condition. Each message class that you select in the list will be logically connected by the **OR** operator in the corresponding search query. <p> For a list of the message classes (and their corresponding message class ID) that are used by Exchange and that you can select in the **Message class** list, see [Item Types and Message Classes](/office/vba/outlook/Concepts/Forms/item-types-and-message-classes).|

- > You can't add multiple conditions (by clicking **Add condition** for the same property. Instead, you have to provide multiple values for the condition (separated by semi-colons), as shown in the previous example.

-Some special characters arenΓÇÖt included in the search index and therefore arenΓÇÖt searchable. This also includes the special characters that represent search operators in the search query. Here's a list of special characters that are either replaced by a blank space in the actual search query or cause a search error.

-You can also use eDiscovery search tools in the compliance center to search for documents stored on SharePoint and OneDrive for Business sites that have been shared with people outside of your organization. This can help you identify sensitive or proprietary information that's being shared outside your organization. You can do this by using the `ViewableByExternalUsers` property in a keyword query. This property returns documents or sites that have been shared with external users by using one of the following sharing methods:

-Documents must be explicitly shared with a specific user to be returned in search results when using the `SharedWithUsersOWSUser` property. For example, when a person shares a document in their OneDrive account, they have the option to share it with anyone (inside or outside the organization), share it only with people inside the organization, or share it with a specific person. Here's a screenshot of the **Share** window in OneDrive, that shows the three sharing options.

-ThereΓÇÖs a 4,000 character limit for search queries when searching for content in SharePoint sites and OneDrive accounts.

-HereΓÇÖs how the total number of characters in the search query are calculated:

-# Limits for eDiscovery search

-|Maximum amount of exportable data from a single search <p> **Note:** If the search results are larger than 2 TB, consider using date ranges or other types of filters to decrease the total size of the search results.|2 TB|

-|Maximum size of PST file that can be exported <p> **Note:** If the search results from a user's mailbox are larger than 10 GB, the search results for the mailbox will be exported in two (or more) separate PST files. If you choose to export all search results in a single PST file, the PST file will be spilt into additional PST files if the total size of the search results is larger than 10 GB. If you want to change this default size, you can edit the Windows Registry on the computer that you use to export the search results. See [Change the size of PST files when exporting eDiscovery search results](change-the-size-of-pst-files-when-exporting-results.md). The search results from a specific mailbox won't be divided among multiple PST files unless the content from a single mailbox is more than 10 GB. If you chose to export the search results in one PST file for that contains all messages in a single folder and the search results are larger than 10 GB, the items are still organized in chronological order, so they will be spilt into additional PST files based on the sent date.|10 GB|

-|Maximum annotation tokens|2 million|When an email message is indexed, each word is annotated with different processing instructions that specify how that word should be indexed. Each set of processing instructions is called an annotation token. To maintain the quality of service in Office 365, there is a limit of 2 million annotation tokens for an email message.|

-|Maximum unique tokens in body|1 million|As previously explained, tokens are the result of extracting text from content, removing punctuation and spaces, and then dividing it into words (called tokens) that are stored in the index. For example, the phrase `"cat, mouse, bird, dog, dog"` contains 5 tokens. But only 4 of these are unique tokens. There is a limit of 1 million unique tokens per email message, which helps prevent the index from getting too large with random tokens.|

-|||

-There are additional limits related to different aspects of searching for content, such as content indexing. For more information about these limits, see the following topics:

-description: "Learn about unindexed items in Exchange and SharePoint that you can include in an eDiscovery search that you run in the Microsoft Purview compliance portal."

-# Partially indexed items in eDiscovery

-An Microsoft Purview eDiscovery search that you run from the Microsoft Purview compliance portal automatically includes partially indexed items in the estimated search results when you run a search. Partially indexed items are Exchange mailbox items and documents on SharePoint and OneDrive for Business sites that for some reason weren't completely indexed for search. In Exchange, a partially indexed item typically contains a file (of a file type that can't be indexed) that is attached to an email message. Here are some other reasons why items can't be indexed for search and are returned as partially indexed items when you run an eDiscovery search:

-Certain types of files, such as Bitmap or MP3 files, don't contain content that can be indexed. As a result, the search indexing servers in Exchange and SharePoint don't perform full-text indexing on these types of files. These types of files are considered to be unsupported file types. There are also file types for which full-text indexing has been disabled, either by default or by an administrator. Unsupported and disabled file types are labeled as unindexed items in Content Searches. As previously stated, partially indexed items can be included in the set of search results when you run a search, export the search results to a local computer, or prepare search results for eDiscovery (Premium).

-For a list of supported and disabled file formats, see the following topics:

- Additionally, when you export search results and include partially indexed items in the export, partially indexed items from SharePoint items are exported to a folder named **Uncrawlable**. When you export partially indexed Exchange items, they are exported differently depending on whether or not the partially indexed items matched the search query and the configuration of the export settings.

-|:--|:--|:--|

-|Maximum annotation tokens <br/> |2 million <br/> |When an email message is indexed, each word is annotated with different processing instructions that specify how that word should be indexed. Each set of processing instructions is called an annotation token. To maintain the quality of service in Office 365, there is a limit of 2 million annotation tokens for an email message. <br/> |

-|Maximum unique tokens in body <br/> |1 million <br/> |As previously explained, tokens are the result of extracting text from content, removing punctuation and spaces, and then dividing it into words (called tokens) that are stored in the index. For example, the phrase `"cat, mouse, bird, dog, dog"` contains 5 tokens. But only 4 of these are unique tokens. There is a limit of 1 million unique tokens per email message, which helps prevent the index from getting too large with random tokens. <br/> |

-## See also

-[Investigating partially indexed items in eDiscovery](investigating-partially-indexed-items-in-ediscovery.md)

-You can use search permissions filtering to let an eDiscovery manager search only a subset of mailboxes and sites in your organization. You can also use permissions filtering to let that same eDiscovery manager search only for mailbox or site content that meets a specific search criteria. For example, you might let an eDiscovery manager search only the mailboxes of users in a specific location or department. You do this by creating a filter that uses a supported recipient filter to limit which mailboxes a specific user or group of users can search. You can also create a filter that specifies what mailbox content a user can search for. This is done by creating a filter that uses a searchable message property. Similarly, you can let an eDiscovery manager search only specific SharePoint sites in your organization. You do this by creating a filter that limits which site can be searched. You can also create a filter that specifies what site content can be searched. This is done by creating a filter that uses a searchable site property.

-The following four cmdlets in Security & Compliance PowerShell let you configure and manage search permissions filters:

-Before you can successfully run the script in this section, you have to download and install the Exchange Online PowerShell module. For information, see [Install and maintain the Exchange Online Powershell module](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exchange-online-powershell-module).

-This example allows the users donh and suzanf to search only the mailboxes and OneDrive accounts that have the value 'Marketing' for the CustomAttribute1 mailbox property.

-There is no limit to the number of search permissions filters that can be created in an organization. However, a search query can have a maximum of 100 conditions. In this case, a condition is defined as something that's connected to the query by a Boolean operator (such as **AND**, **OR**, and **NEAR**). The limit of the number of conditions includes the search query itself plus all search permissions filters that are applied to the user who runs the search. Therefore, the more search permissions filters you have (especially if these filters are applied to the same user or group of users), the better the chance of exceeding the maximum number of conditions for a search.

-Litigation holds, eDiscovery holds, and [Microsoft 365 retention policies](./retention.md) (created in the Microsoft Purview compliance portal) allow you to preserve mailbox content to meet regulatory compliance and eDiscovery requirements. Information about recipients directly addressed in the To and Cc fields of a message is included in all messages by default. But your organization may require the ability to search for and reproduce details about all recipients of a message. This includes:

-

-

-As stated earlier, information about Bcc'ed recipients is stored with the message in the sender's mailbox. This information is indexed and available to eDiscovery searches and holds.

-Information about expanded distribution group recipients is stored with the message after you place a mailbox on In-Place Hold or Litigation Hold. In Office 365, this information is also stored when a Microsoft 365 retention policy is applied to a mailbox. Distribution group membership is determined at the time the message is sent. The expanded recipients list stored with the message is not impacted by changes to membership of the group after the message is sent.

-|||||

-|To and Cc recipients|Message properties in the sender and recipients' mailboxes.|Yes|Sender, recipients, and compliance officers|

-|Bcc recipients|Message property in the sender's mailbox.|Yes|Sender and compliance officers|

-|Expanded distribution group recipients|Message properties in the sender's mailbox.|No. Expanded distribution group recipient information is stored after a mailbox is placed on In-Place Hold or Litigation Hold, or assigned to a Microsoft 365 retention policy.|Compliance officers|

-Scenario 1: John is a member of the US-Sales distribution group. This table shows eDiscovery search results when Bob sends a message to John directly or indirectly via a distribution group.

-|To:John|John on TO|Yes|

-|To:John|US-Sales on TO|Yes|

-|To:US-Sales|US-Sales on TO|Yes|

-|Cc:John|John on CC|Yes|

-|Cc:John|US-Sales on CC|Yes|

-|Cc:US-Sales|US-Sales on CC|Yes|

-Scenario 2: Bob sends an email to John (To/Cc) and Jack (Bcc directly, or indirectly via a distribution group). The table below shows eDiscovery search results.

-|Bob's mailbox|To/Cc:John|Yes|Presents an indication that Jack was Bcc'ed.|

-|Bob's mailbox|Bcc:Jack|Yes|Presents an indication that Jack was Bcc'ed.|

-|Bob's mailbox|Bcc:Jack (via distribution group)|Yes|List of members of the Bcc'ed distribution group, expanded when the message was sent, is visible in eDiscovery search preview, export, and logs.|

-|John's mailbox|To/Cc:John|Yes|No indication of Bcc recipients.|

-|John's mailbox|Bcc:Jack (directly or via distribution group)|No|Bcc information is not stored in the message delivered to recipients. You must search the sender's mailbox.|

-|Jack's mailbox|To/Cc:John (directly or via distribution group)|Yes|To/Cc information is included in message delivered to all recipients.|

-|Jack's mailbox|Bcc:Jack (directly or via distribution group)|No|Bcc information is not stored in the message delivered to recipients. You must search the sender's mailbox.|

- **Q. When and where is Bcc recipient information stored?**

-A. Bcc recipient information is preserved by default in the original message in sender's mailbox. If the Bcc recipient is a distribution group, distribution group membership is only expanded if the sender's mailbox is on hold or assigned to a Microsoft 365 retention policy.

- **Q. When and where is the list of expanded distribution group recipients stored?**

-A. Group membership is expanded at the time the message is sent. The list of expanded distribution group members is stored in the original message in the sender's mailbox. The sender's mailbox must be on In-Place Hold, Litigation Hold, or assigned to a Microsoft 365 retention policy.

- **Q. Can the To/Cc recipients see which recipients were Bcc'ed?**

-A. No. This information is not included in message headers, and isn't visible to To/Cc recipients. The sender can see the Bcc field stored in the original message stored in their mailbox. Compliance officers can see this information when searching the sender's mailbox.

- **Q. How can I ensure that expanded distribution group recipients are always preserved?**

-A. To ensure that expanded distribution group members are always preserved with a message, [Place all mailboxes on hold](/Exchange/policy-and-compliance/holds/place-all-mailboxes-on-hold) or create an organization-wide Microsoft 365 retention policy.

- **Q. Which types of groups are supported?**

-A. Distribution groups, mail-enabled security groups, and dynamic distribution groups are supported.

- **Q. Is there a limit on the number of distribution group recipients that are expanded and stored in the message?**

-A. Up to 10,000 members of a distribution group is preserved.

- **Q. Are nested distribution groups supported?**

-A. Yes, 25 levels of nested distribution groups are expanded.

- **Q. Where is the Bcc and expanded distribution group recipient information visible?**

-A. Bcc and expanded distribution group recipients information is visible to Compliance officers when performing an eDiscovery search. Bcc and expanded distribution group recipients are included in search results copied to a Discovery mailbox or exported to a PST file and in the eDiscovery log included in search results. Bcc recipient information is also available in search preview.

- **Q. What happens if a member of a distribution group is hidden from the organization's global address list (GAL)?**

-A. There's no impact. If recipients are hidden from the GAL, they are still included in the list of recipients for the expanded distribution group.

-1. In the Microsoft Purview compliance portal, go to the Content search page or a eDiscovery (Standard) case.

-3. On the bottom of the flyout page, click **Review sample**.

- 

-You can preview supported file types in the preview pane. If a file type isn't supported, you have to download a copy of the file to your local computer (by clicking **Download original item**). For .aspx Web pages, the URL for the page is included though you may not have permissions to access the page. Unindexed items aren't available for previewing.

-When you use Content Search in the security and compliance center to search a large number of mailboxes, you may get search errors that are similar to the error:

-These errors (with error codes of CS001-002, CS003-002, CS008-009, CS012-002, and other errors of the form CS0XX-0XX) indicate that Content Search failed to search specific content locations; in this example, two mailboxes weren't searched. These errors are displayed on the status details flyout page of the Content Search.

-Restarting the search will often result in similar errors on different servers. Instead of restarting the search, click the **Retry** button that is displayed at the top of the search results page.

-

-If your organization has an Exchange hybrid deployment (or your organization synchronizes an on-premises Exchange organization with Office 365) and has enabled Microsoft Teams, on-premises users can use the Teams chat application for instant messaging. For a cloud-based user, Teams chat data (also called *1x1 or 1xN chats*) is saved to their primary cloud-based mailbox. When an on-premises user uses the Teams chat application, their chat messages can't be stored in their primary mailbox, which is located on-premises. To get around this limitation, Microsoft has released a new feature where a cloud-based storage area is created so that you use eDiscovery tools to search for and export Teams chat data for on-premises users.

-If a Microsoft Teams-enabled user has an on-premises mailbox and their user account/identity has been synched to the cloud, Microsoft creates cloud-based storage to associate the on-premises user's 1xN Teams chat data with. Teams chat data for on-premises users is indexed for search. This lets you Use Content search (and searches associated with Microsoft Purview eDiscovery (Standard) and Microsoft Purview eDiscovery (Premium) cases) to search, preview, and export Teams chat data for on-premises users. You can also use **\*ComplianceSearch** cmdlets in Security & Compliance PowerShell to search for Teams chat data for on-premises users.

-1. In the compliance portal, go to **Content search**.

-2. On the **Searches** tab, click **New search**, and name the new search.

-You can use the **New-ComplianceSearch** cmdlets in Security & Compliance PowerShell to search for Teams chat data for on-premises users. As previously explained, you don't have to submit a support request to use PowerShell to search for Teams chat data for on-premises users.

-1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).

-**This article is for administrators. Are you trying to find items in your mailbox that you want to delete? See [Find a message or item with Instant Search](https://support.office.com/article/69748862-5976-47b9-98e8-ed179f1b9e4d)**.

- > The **Organization Management** role group exists in both Exchange Online and in the compliance portal. These are separate role groups that give different permissions. Being a member of **Organization Management** in Exchange Online does not grant the required permissions to delete email messages. If you aren't assigned the **Search And Purge** role in the compliance center (either directly or through a role group such as **Organization Management**), you'll receive an error in Step 3 when you run the **New-ComplianceSearchAction** cmdlet with the message "A parameter cannot be found that matches parameter name 'Purge'".

-The first step is to connect to Security & Compliance PowerShell for your organization. For step-by-step instructions, see [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).

-The second step is to create and run a Content search to find the message that you want to remove from mailboxes in your organization. You can create the search by using the compliance portal or by running the **New-ComplianceSearch** and **Start-ComplianceSearch** cmdlets in Security & Compliance PowerShell. The messages that match the query for this search will be deleted by running the **New-ComplianceSearchAction -Purge** command in [Step 3](#step-3-delete-the-message). For information about creating a Content search and configuring search queries, see the following topics:

- (From:chatsuwloginsset12345@outlook.com) AND (Subject:"Update your account information")

-After you've created and refined a Content search to return the messages that you want to remove, the final step is to run the **New-ComplianceSearchAction -Purge** command in Security & Compliance PowerShell to delete the message. You can soft- or hard-delete the message. A soft-deleted message is moved to a user's Recoverable Items folder and retained until the deleted item retention period expires. Hard-deleted messages are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant. If single item recovery is enabled for the mailbox, hard-deleted items will be permanently removed after the deleted item retention period expires. If a mailbox is placed on hold, deleted messages are preserved until the hold duration for the item expires or until the hold is removed from the mailbox.

-

-After you run a search and refine it as necessary, the next step is to do something with the results returned by the search. You can export and download the results to your local computer or in the case of a email attack on your organization, you can delete the results of a search from user mailboxes.

-

-Content search is easy to use, but it's also a powerful tool. Behind-the-scenes, there's a lot going on. The more you know about it and understand its behavior and its limitations, the more successful you'll be using it for your organization's search and investigation needs. Learn about:

-Sometimes you have to perform more advanced, complex, and repetitive content search tasks. In these cases, it's easier and faster to use commands in Security & Compliance PowerShell. To help make this easier, we've created a number of Security & Compliance PowerShell scripts to help you complete complex content search-related tasks.

-1. Go to <https://compliance.microsoft.com> and sign in using your work or school account.

-2. In the left navigation pane of the compliance portal, click **Audit**.

-3. In the **Activities** drop-down list, under **eDiscovery activities** or **eDiscovery (Premium) activities**, click one or more activities to search for.

-6. Click **Search** to run the search using your search criteria.

-7. After the search results are displayed, you can click **Filter results** to filter or sort the resulting activity records. Unfortunately, you can't use filtering to explicitly exclude certain activities.

-8. To view details about an activity, click the activity record in the list of search results.

- A **Details** fly out page is displayed that contains the detailed properties from the event record. To display additional details, click **More information**. For a description of these properties, see the [Detailed properties for eDiscovery activities](#detailed-properties-for-ediscovery-activities) section.

-|Added member to eDiscovery case <br/> |CaseMemberAdded <br/> |Add-ComplianceCaseMember <br/> |A user was added as a member of an eDiscovery case. As a member of a case, a user can perform various case-related tasks depending on whether they have been assigned the necessary permissions. <br/> |

-|(none)|CaseViewed|Get-ComplianceCase|A user viewed a eDiscovery (Standard) case in the compliance center. The audit record for this event includes the name of the case that was viewed. |

-|(none)|SearchViewed|Get-ComplianceSearch|A user viewed a Content search in the compliance center by accessing the search on the **Searches** tab in a eDiscovery (Standard) case or accessing it on the **Content search** page. The audit record for this event includes the identity of the search that was viewed.|

-|(none)|ViewedSearchExported|Get-ComplianceSearchAction -Export|A user viewed a Content search export in the compliance center by accessing the export on the **Exports** tab on the **Content search** page. This activity is also logged when a user views an export associated with a eDiscovery (Standard) case.|

-|(none)|ViewedSearchPreviewed|Get-ComplianceSearchAction -Preview|A user previewed the results of a Content search in the compliance center. This activity is also logged when a user previews the results of a search associated with a eDiscovery (Standard) case.|

-The following table lists the cmdlet audit log records that are logged when an administrator or user performs an eDiscovery-related activity by using the compliance center or by running the corresponding cmdlet in Security & Compliance PowerShell. The detailed information in the audit log record is different for the cmdlet activities listed in this table and the eDiscovery activities described in the previous section.

-|Added member to eDiscovery case <br/> |[Add-ComplianceCaseMember](/powershell/module/exchange/add-compliancecasemember) <br/> |A user was added as a member of an eDiscovery case. As a member of a case, a user can perform various case-related tasks depending on whether they have been assigned the necessary permissions. <br/> |

-|Started content search <br/> |[Start-ComplianceSearch](/powershell/module/exchange/start-compliancesearch) <br/> |A content search was started. When you create or change a content search by using the compliance center GUI, the search is automatically started. If you create or change a search by using the **New-ComplianceSearch** or **Set-ComplianceSearch** cmdlet, you have to run the **Start-ComplianceSearch** cmdlet to start the search. <br/> |

-|ClientApplication <br/> |eDiscovery cmdlet activities have a value of **EMC** for this property. This indicates the activity was performed by using the compliance center GUI or running the cmdlet in PowerShell. <br/> |

-|CmdletVersion <br/> |The build number for the version of the compliance center running in your organization. <br/> |

-|SecurityComplianceCenterEventType <br/> |Indicates that the activity was a compliance center event. All eDiscovery activities will have a value of **0** for this property. <br/> |

- - Detection of sensitive information as users type

-|[Let users assign permissions: <br /> - Prompt users for custom permissions (users, groups, and organizations)](encryption-sensitivity-labels.md#support-for-organization-wide-custom-permissions) |Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Under review | Under review |

-|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.49+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

-If a label is configured for a different color from one of the 10 default colors, you see a **Use previously assigned customer color** checkbox selected, and the standard color options aren't available. You can change the custom color to one of the standard colors by first clearing the checkbox, and then you can select one of the standard colors.

-You can also download search statistics to a CSV file. This lets you use the filtering and sorting features in Excel to compare results, and prepare reports for your search results.

-1. In the Microsoft Purview compliance portal, click **Show all**, and then do one of the following:

- - Click **Content search** and then select a search to display the flyout page.

- - Click **eDiscovery** > **eDiscovery (Standard)**, select a case, and then select a search on the **Searches** tab to display the flyout page.

-2. On the flyout page of the selected search, click the **Search statistics** tab.

-As previous explained, the **Condition report** section shows the search query and the number (and size) of items that match the query. If you use a keyword list when you create or edit a search query, you can get enhanced statistics that show how many items match each keyword or keyword phrase. This can help you quickly identify which parts of the query are the most (and least) effective. For example, if a keyword returns a large number of items, you might choose to refine the keyword query to narrow the search results.

-1. In the compliance portal, create a new Content search or a search associated with a eDiscovery (Standard) case.

-6. On the **Search statistics** tab, click the **Condition report** to display the keyword statistics for the search.

-A mailbox in Exchange Online is primarily used to store email-related items such as messages, calendar items, tasks, and notes. But that's changing as more cloud-based apps also store their data in a user's mailbox. One advantage of storing data in a mailbox is that you can use the search tools in content search, Microsoft Purview eDiscovery (Standard), and Microsoft Purview eDiscovery (Premium) to find, view, and export the data from these cloud-based apps. The data from some of these apps is stored in hidden folders located in a non-interpersonal message (non-IPM) subtree in the mailbox. Data from other cloud-based apps might not be stored _in_ the mailbox, but it's _associated with_ the mailbox, and is returned in searches (if that data matches the search query). Regardless of whether cloud-based data is stored in or associated with a user mailbox, the data is typically not visible in an email client when a user opens their mailbox.

-The following table lists the apps that either stores or associates data with a cloud-based mailbox. The table also describes the type of content that each app produces.

-<br>

-****

-|||

-| Set up device enrollment | Device enrollment to allow your tenant devices to enroll in Microsoft Endpoint Manager. This is done by setting up Auto Enrollment between Azure Active Directory and Microsoft Endpoint Manager. For more information about this baseline, see [Set up enrollment for Windows devices](/mem/intune/enrollment/windows-enroll). |

-Here's how to get Microsoft Defender for Business servers (preview):

-> [!NOTE]

-> **The ability to onboard a server is currently in preview**.

-| Server requirements | If you're planning to onboard an instance of Windows Server or Linux Server, you must meet the following requirements: <ul><li>The **Preview features** setting is turned on. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Preview features**.</li><li>Enforcement scope for Windows Server is turned on. In the Microsoft 365 Defender portal, go to **Settings** > **Endpoints** > **Configuration management** > **Enforcement scope**. Select **Use MDE to enforce security configuration settings from MEM**, select **Windows Server**, and then select **Save**.</li><li>Linux Server endpoints meet the [prerequisites for Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md#prerequisites).</li></ul> |

-2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar), and then, under **Manage settings** select **Virus & threat protection settings**.

-|Windows|[Microsoft Update](https://www.update.microsoft.com)|

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, choose **Settings** > **Web content filtering** > **+ Add policy**.

-keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack

-1. Once triage priority has been determined, an analyst begins an in-depth analysis by selecting the incident name. This page brings up the **Incident Summary** where data is displayed in tabs to assist with the analysis. Under the **Alerts** tab, the types of alerts are displayed. Analysts can click on each alert to drill down into the respective detection source.

- :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-summary-tab.png" alt-text="The Summary tab of an incident" lightbox="../../media/first-incident-analyze/first-incident-analyze-summary-tab.png":::

-keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack

-keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack

-Watch this short overview of incidents in Microsoft 365 Defender (4 minutes).

-<br>

->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Bzwz?]

-You manage incidents from **Incidents & alerts > Incidents** on the quick launch of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. Here's an example.

-Selecting an incident name displays a summary of the incident and provides access to tabs with additional information. Here's an example.

- A visual representation of the attack that connects the different suspicious entities that are part of the attack with their related assets such as users, devices, and mailboxes.

-Here's the relationship between an incident and its data and the tabs of an incident in the Microsoft 365 Defender portal.

- 1. View the summary of the incident to understand its scope and severity and what entities are affected with the **Summary** and **Graph** (Preview) tabs.

- 1. Begin analyzing the alerts to understand their origin, scope, and severity with the **Alerts** tab.

- 1. As needed, gather information on impacted devices, users, and mailboxes with the **Devices**, **Users**, and **Mailboxes** tabs.

-By default, only the most relevant alerts for the security operation center are enabled. If you want to get all AAD IP risk detections, you can change it in Microsoft 365 Defender setting page under **Alert service setting** section.

-keywords: incident, incidents, analyze, response, machines, devices, users, identities, mail, email, mailbox, investigation, graph, evidence

-Before diving into the details, take a look at the properties and summary of the incident.

-From here, you can select **Open incident page**. This opens the main page for the incident where you'll find more summary information and tabs for alerts, devices, users, investigations, and evidence.

-Use the **Summary** page to assess the relative importance of the incident and quickly access the associated alerts and impacted entities.

-The incident alert page has these sections:

- - What happened

- - Actions taken

- - Related events

-Not every alert will have all of the listed subsections in the **Alert story** section.

-## Graph (Preview)

-The **Graph** tab shows the full scope of the attack, how the attack spread through your network over time, where it started, and how far the attacker went. It connects the different suspicious entities that are part of the attack with their related assets such as users, devices, and mailboxes.

-From the **Graph** tab, you can:

-1. Play the alerts and the nodes on the graph as they occurred over time to understand the chronology of the attack.

- :::image type="content" source="../../media/investigate-incidents/incident-graph-play.gif" alt-text="The playing of the alerts and nodes on the Graph page":::

-

-2. Open an entity pane, allowing you to review the entity details and act on remediation actions, such as deleting a file or isolating a device.

-

- :::image type="content" source="../../media/investigate-incidents/incident-graph-entity-pane.png" alt-text="The entity pane on the Graph page in the Microsoft 365 Defender portal" lightbox="../../media/investigate-incidents/incident-graph-entity-pane.png":::

-3. Highlight the alerts based on the entity to which they are related.

-

- :::image type="content" source="../../media/investigate-incidents/incident-graph-alert.png" alt-text="An alert highlight on the Graph page" lightbox="../../media/investigate-incidents/incident-graph-alert.png":::

-keywords: incident, incidents, analyze, response, alerts, correlated alerts, assign, update, status, manage, classification, microsoft, 365, m365

-Watch this short video to learn how to use classification to increase triage efficiency.

-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4LHJq]

- > - In each anti-phishing policy, you can specify a maximum of 350 protected users (sender email addresses). You can't specify the same protected user in multiple policies.

- You can specify a maximum of 350 users, and you can't specify the same user in the user impersonation protection settings in multiple policies.

- > - In each anti-phishing policy, you can specify a maximum of 350 protected users (sender email addresses). You can't specify the same protected user in multiple policies. So, regardless of how many policies apply to a recipient, the maximum number of protected users (sender email addresses) for each individual recipient is 350. For more information about policy priority and how policy processing stops after the first policy is applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).