This article is primarily targeted at Czech state institutions and is based on recommendations of the Czech authority. However,...
How to set up eDiscovery boundaries
Office 365 offers eDiscovery, a search for information across the whole tenant. It lets selected users search virtually all the data stored in Office 365, including every user mailbox. This is useful when, for example, information has to be produced for a court case.
For some larger organizations, however, it is a problem if these selected users can really search the entire tenant, across all data and all user mailboxes. It may be necessary to limit such searches so that, for example, a compliance manager from the Czech Republic can search only Czech users, not the whole tenant and therefore not users from other countries. The limit may equally be drawn along business departments.
Microsoft therefore offers so-called eDiscovery boundaries: the ability to specify which users (or groups of users) may search which data, or which mailboxes.
Setting eDiscovery boundaries
The settings can be done partially in the GUI (roles in Exchange Online and roles in the Security & Compliance Center), but because not everything is available through the GUI, this tutorial uses PowerShell throughout.
User groups definition
First, you need to define the groups of users that one group of administrators will be allowed to search, for example all users from one country or from one department. The grouping is expressed through a recipient attribute that Exchange Online exposes on the mailbox (normally synchronized from Azure Active Directory or on-premises AD): Company, CountryCode, CustomAttribute1 to CustomAttribute15, Department or Office.
In this example I use CustomAttribute8, which in my tenant has the values czech, usa and denmark. The filter created at the end compares the attribute as a literal string, so the value must be populated consistently on every mailbox that should fall within a boundary.
Creating role groups in Security & Compliance Center
The next step is to create a role group for each group of administrators who may search over one group of users, i.e. over one value of the AAD attribute.
These role groups can be assigned to specific users or to security groups. Importantly, each group of administrators (in this case one per country) must have its own role group, because the compliance filter created in the final step is bound to the role group, not to the individual users.
The new role groups also have to carry the permissions for the search itself. The easiest way is to copy the roles of the predefined eDiscovery Manager role group.
In my case I am creating three new role groups (Local Compliance Managers - Czech, Local Compliance Managers - USA and Local Compliance Managers - Denmark) with the roles copied from eDiscovery Manager.
First you need to connect to Security & Compliance Center PowerShell. The remoting method below, with basic authentication, is what the tutorial used at the time of writing; Microsoft has since retired basic authentication for this endpoint, so with the current ExchangeOnlineManagement module you would use Connect-IPPSSession instead.

```powershell
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
# Import the remote cmdlets into the local session; without this step Get-RoleGroup and New-RoleGroup are not available.
Import-PSSession $Session -DisableNameChecking
```
We can then create the new role groups. The roles are read from the built-in eDiscovery Manager role group once and reused for each new group:

```powershell
$RoleGroup = Get-RoleGroup "eDiscovery Manager"
New-RoleGroup "Local Compliance Managers - Czech"   -Roles $RoleGroup.Roles -Members Lukas, Martin
New-RoleGroup "Local Compliance Managers - USA"     -Roles $RoleGroup.Roles -Members John, Freddie
New-RoleGroup "Local Compliance Managers - Denmark" -Roles $RoleGroup.Roles -Members Abel, Knud
```
Create role groups in Exchange Online
In Exchange Online a separate role group for each group of users is not needed; one role group for all local compliance managers is sufficient, because the scoping itself is done by the compliance filter created in the final step.
First, connect to Exchange Online PowerShell. As above, the basic-authentication remoting shown here has since been retired; with the ExchangeOnlineManagement module use Connect-ExchangeOnline instead.

```powershell
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
# Import the remote Exchange Online cmdlets so that New-RoleGroup below runs against Exchange Online.
Import-PSSession $Session -DisableNameChecking
```
We can then create a single role group, Local Compliance Managers, with the two roles required: Mailbox Search (to run content searches) and Legal Hold (to place mailboxes on hold).

```powershell
New-RoleGroup -Name "Local Compliance Managers" -Roles "Mailbox Search", "Legal Hold" -Members Lukas, Martin, John, Freddie, Abel, Knud
```
Create a compliance filter
The final step is to create the filter itself, which "maps" the compliance managers' rights onto users. The filter allows a compliance manager to act only on those mailboxes that belong to the user group defined by CustomAttribute8. The -Users parameter takes the role group created earlier, and -Action ALL applies the boundary to every eDiscovery action (search, preview, export and purge) rather than to a single one.
This is done again through Security & Compliance Center PowerShell:

```powershell
New-ComplianceSecurityFilter -FilterName "Local Compliance Managers Czech Filter"   -Users "Local Compliance Managers - Czech"   -Filters "Mailbox_CustomAttribute8 -eq 'czech'"   -Action ALL
New-ComplianceSecurityFilter -FilterName "Local Compliance Managers USA Filter"     -Users "Local Compliance Managers - USA"     -Filters "Mailbox_CustomAttribute8 -eq 'usa'"     -Action ALL
New-ComplianceSecurityFilter -FilterName "Local Compliance Managers Denmark Filter" -Users "Local Compliance Managers - Denmark" -Filters "Mailbox_CustomAttribute8 -eq 'denmark'" -Action ALL
```
That is it. The settings are applied and active immediately: a member of Local Compliance Managers - Czech can now search, preview and export only mailboxes whose CustomAttribute8 is czech, while mailboxes with a different value, or with no value at all, are invisible to that group.
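The whole procedure above, collected into one re-runnable script, as an added example that is not part of the original article. It generalizes the three countries to a table of boundaries, creates each role group and filter only if it does not already exist, verifies the applied filters, and adds the check a practitioner would want at the end: a report of mailboxes whose CustomAttribute8 is empty or not one of the known values, since those mailboxes fall outside every boundary and no local compliance manager can reach them. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession / Connect-ExchangeOnline, which replace the basic-authentication remoting shown in the article); the admin account, the contoso.com member UPNs and the boundary table are constructed sample data.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not the article's own code. Names and UPNs below are fictitious.

$Attribute = 'CustomAttribute8'   # mailbox property that defines the boundary

# Constructed sample data: one row per boundary. The filter compares the literal
# string, so Value must match the mailbox attribute exactly (case included).
$Boundaries = @(
    @{ Name = 'Czech';   Value = 'czech';   Members = @('lukas@contoso.com', 'martin@contoso.com') }
    @{ Name = 'USA';     Value = 'usa';     Members = @('john@contoso.com',  'freddie@contoso.com') }
    @{ Name = 'Denmark'; Value = 'denmark'; Members = @('abel@contoso.com',  'knud@contoso.com') }
)

# ---- Part 1: Security & Compliance PowerShell ----
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # assumed admin account

# Read the roles of the built-in eDiscovery Manager role group once and reuse them.
$Template = Get-RoleGroup -Identity 'eDiscovery Manager'

function Ensure-Boundary {
    param([hashtable]$B)
    $GroupName  = "Local Compliance Managers - $($B.Name)"
    $FilterName = "Local Compliance Managers $($B.Name) Filter"

    # Role group: create only when missing, so the script can be re-run safely.
    if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
        New-RoleGroup -Name $GroupName -Roles $Template.Roles -Members $B.Members | Out-Null
    }

    # Filter bound to the role group: -Action All covers search, preview, export and purge.
    if (-not (Get-ComplianceSecurityFilter -FilterName $FilterName -ErrorAction SilentlyContinue)) {
        New-ComplianceSecurityFilter -FilterName $FilterName -Users $GroupName `
            -Filters "Mailbox_$Attribute -eq '$($B.Value)'" -Action All | Out-Null
    }
}

foreach ($B in $Boundaries) { Ensure-Boundary -B $B }

# Verify what is actually applied: which role group is scoped by which filter.
Get-ComplianceSecurityFilter | Format-Table FilterName, Users, Filters, Action -AutoSize

# ---- Part 2: Exchange Online PowerShell (run in a separate session) ----
# Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
function Test-BoundaryCoverage {
    # Mailboxes whose attribute is empty or not one of the known values match no
    # filter, so no local compliance manager can search them. List them so the
    # attribute can be fixed (or the gap accepted deliberately).
    param([string[]]$KnownValues)
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.$Attribute -notin $KnownValues } |
        Select-Object DisplayName, UserPrincipalName, @{ n = $Attribute; e = { $_.$Attribute } }
}
# Test-BoundaryCoverage -KnownValues ($Boundaries | ForEach-Object { $_.Value })
```

The two parts are kept in separate sessions because Get-RoleGroup exists in both Exchange Online and Security & Compliance PowerShell and the two cmdlets are not interchangeable; the compliance filter must be created in the Security & Compliance session, while Get-Mailbox is only available in the Exchange Online session. Adding a fourth country is a matter of adding one row to $Boundaries and re-running the script.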