There are times when counsel, auditors, regulators, etc. need to immediately conduct their own searches on broad or narrow subsets of your M365 tenant. In the legacy compliance center and other enterprise archives we set this up using custom case roles and a matter restricted to the scope. In the new unified Purview UI you will have to use compliance boundaries for relatively large sources or promote more selective search result sets to Review Sets with a Reviewer role (E5 license).
Compliance boundary implementation should be planned carefully to avoid inadvertent omissions or unexpected public content being swept into your results. Microsoft recommends creating TWO Purview role groups. One to designate the user(s) and the second to apply the search permission filter to restrict search sources. The Learn documentation is extensive and goes beyond basic functionality. Below I have commented on a few key points.
- Search permission filters only apply to search, they cannot be used to restrict Legal Holds or Add Sources.
- Do NOT rely on AI recommendations to create a custom role that excludes the Add Sources permission. Claude and Copilot seem to be relying on legacy documentation for this recommendation and I have confirmed that the new Purview UI does not support this.
- The search permission filters are set in PowerShell by someone with both Organization Management and eDiscovery Administrator roles. This may be uncommon in least permissive security environments where these roles are PIM accounts.
- When you add the search permission filter role group to a case its filters are added to all searches as conditions. <SearchQuery> AND (<PermissionsFilter1> OR <PermissionsFilter2> OR <PermissionsFilter3>…) Maximum of 100 search conditions and extensive filter lists may impact your total query characters and performance.
- Filters are based on mailbox or site KQL searchable properties or attributes. This makes sense as it is added as a search condition in Purview eDiscovery. I strongly recommend testing your filters extensively before they are applied as changing them will remove your role group from any cases. Docs push to apply a value to a custom attribute to avoid all the potential gotchas.
- Users can still use Add Sources for targets outside of the filters. However, the filter will exclude them when the search executes. It will NOT tell you that is what it is doing. This is also why you need to test your filter scope carefully to ensure that it only applies on every appropriate target.
- By default, User scope filters using the Mailbox parameter will target the mailbox and OneDrive. HOWEVER, if you add Site content filters you will need to explicitly include custodial OneDrives as targets. This is confusing, so again test before trusting.
- If you follow the recommendations to use custom or unique properties (department, geo-region, path, etc.) you need to verify that items within the Site have those properties. Per documentation, “In SharePoint, there isn’t a “site object” with properties, like there is with Exchange mailboxes. Therefore, the Pathproperty is stamped on the document and contains the URL of the site where the document is located. This design is why a Site filter is considered a content filter and not a content location filter.” A
- Public mailboxes cannot be excluded using filters. This means that content from public mailboxes will be in scope for ‘exclusion only’ filters.
As you can see, Compliance Boundary search permission filters are powerful and complicated. They are not something that the average legal department Purview eDiscovery manager will set up on the fly to meet a priority request. They can be used for long-term departmental, regional or other scenarios requiring restrictions between teams. The silent filter mechanism holds risk of inadvertent exclusion of responsive results. They seem best suited for a limited set of very clear filters for specific users applied to dedicated long term matters. Too many filters could get confusing and quickly run into the 100 condition or total character limits in Purview searches. Test your filters well and use them to meet critical requirements rather than as an ad hoc matter/investigation solution.
Greg Buckles wants your feedback, questions or project inquiries at Greg@eDJGroupInc.com. Reach out for a free 15 minute ‘Good Karma’ call if he has availability. He solves problems and creates eDiscovery solutions for enterprise and law firm clients.
Greg’s blog perspectives are personal opinions and should not be interpreted as a professional judgment or advice. Greg is no longer an investigative journalist and all perspectives are based on best public information. Blog content is neither approved nor reviewed by any providers prior to being published. Do you want to share your own perspective? Greg is looking for practical, professional informative perspectives free of marketing fluff, hidden agendas or personal/product bias. Outside blogs will clearly indicate the author, company and any relevant affiliations.
Greg’s latest nature, art and diving photographs on Instagram.
