I am attempting to automate the archival and deletion of emails that are exported from a Security and Compliance Content Search. I want to make sure I only manipulate the emails shown in the report so I figured the best approach is to key off of
the email identifiers. The problem is that the Content Search Export only contains identifiers "ExportItem ID" "Item Identity" and "Document ID", none of which match the properties for the same email that I can retrieve
using the powershell command Get-MessageTrace(which are MessageID, MessageTraceID). Ive also considered the powershell commandlet "Search-Mailbox" but it doesn't to allow for any of the identifiers above to be used in the query.
Ive determined that I cannot accomplish this via powershell alone and that I will have to use either Exchange Web Services or Microsoft Graph. Before I jump down one rabbit hole or another I want to make sure I can actually accomplish what I aim to do.
Again, to summarize the workflow:
1) Analysts produce an export of a Security and Compliance Content Search
2) Analysts refine the list manually removing many entries. Then produce a final edited list.
3) By the use of Powershell?/Graph?/EWS? I parse through the final list and do 2 things to each entry:
3a) move the email to a separate mailbox that is being used to archive these emails
3b) delete the original email from the source.
Here is another possible solution but it's very kludgy:
1) Analysts produce an export of a Security and Compliance Content Search(which is highly edited by them)
2) Analysts refine the list manually removing many entries. Then produce a final edited list.
3) I re-import their edited list as a "ID List Search"
4) Add "New-ComplianceSearchAction" to "-purge" and "-export" items as a PST.
5) Import all resulting PSTs into the target mailbox
Do any of you have any input on what the best approach would be?
Ive determined that I cannot accomplish this via powershell alone and that I will have to use either Exchange Web Services or Microsoft Graph. Before I jump down one rabbit hole or another I want to make sure I can actually accomplish what I aim to do.
Again, to summarize the workflow:
1) Analysts produce an export of a Security and Compliance Content Search
2) Analysts refine the list manually removing many entries. Then produce a final edited list.
3) By the use of Powershell?/Graph?/EWS? I parse through the final list and do 2 things to each entry:
3a) move the email to a separate mailbox that is being used to archive these emails
3b) delete the original email from the source.
Here is another possible solution but it's very kludgy:
1) Analysts produce an export of a Security and Compliance Content Search(which is highly edited by them)
2) Analysts refine the list manually removing many entries. Then produce a final edited list.
3) I re-import their edited list as a "ID List Search"
4) Add "New-ComplianceSearchAction" to "-purge" and "-export" items as a PST.
5) Import all resulting PSTs into the target mailbox
Do any of you have any input on what the best approach would be?