jnordeng

asked on

How to find the actual SearchID within Purview to run a Purge

We are immersed in the M365 environment. We are running our first case within Purview today. Reading all the references to purge content from a Teams chat, I have been able to extract the info I need. However, I am unable to find the EDiscoverySearchID, and none of the documentation seems to shed light on what this value would be in the content.


https://learn.microsoft.com/en-us/graph/api/security-ediscoverysearch-get?view=graph-rest-1.0&tabs=http


I have gotten the correct results and can see my Case ID, a Job ID, Correlation ID.  To actually purge the content I need the Search ID.  Any idea where to find this value or another label for this value?  Seems it may be the Job ID?  Tried that and this fails so haven't been able to find the correct information to purge successfully.  


Thanks in advance.


Jian An Lim

You are having issues finding


GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}


So the first thing you need to do is to LIST it


GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches 


This will get you the search ID, as highlighted in bold


For example


HTTP/1.1 200 OK
Content-Type: application/json


{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/searches",
    "value": [
        {
            "dataSourceScopes": "none",
            "description": "My first search",
            "lastModifiedDateTime": "2022-05-23T04:38:07.5787454Z",
            "contentQuery": "(Author=\"edison\")",
            "id": "46867792-68e6-41db-9cd0-f651c2290d91",
            "displayName": "My search 2",
            "createdDateTime": "2022-05-23T04:38:07.5787454Z",
            "lastModifiedBy": null,
            "createdBy": {
                "user": {
                    "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",
                    "displayName": "MOD Administrator",
                    "userPrincipalName": "admin@M365x809305.onmicrosoft.com"
                },
                "application": {
                    "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
                    "displayName": "Graph Explorer"
                }
            }
        },
        {
            "dataSourceScopes": "none",
            "description": "My first search",
            "lastModifiedDateTime": "2022-05-23T04:35:36.5424818Z",
            "contentQuery": "(Author=\"edison\")",
            "id": "80b9d59a-12a6-4273-a3d4-ab78f9a04ea5",
            "displayName": "My search 1",
            "createdDateTime": "2022-05-23T04:35:36.5424818Z",
            "lastModifiedBy": null,
            "createdBy": {
                "user": {
                    "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",
                    "displayName": "MOD Administrator",
                    "userPrincipalName": "admin@M365x809305.onmicrosoft.com"
                },
                "application": {
                    "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
                    "displayName": "Graph Explorer"
                }
            }
        }
    ]
}
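
An added example (not part of the answer above, and not Microsoft's code): it picks the search ID out of a list response like the one shown and builds the purgeData request from it without sending anything. The function names are hypothetical, the sample is the response above trimmed to the relevant fields, and the body values come from the purgeData reference.

```python
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample: the list response above, trimmed to the fields used here.
SAMPLE_LIST_RESPONSE = {
    "value": [
        {"id": "46867792-68e6-41db-9cd0-f651c2290d91", "displayName": "My search 2"},
        {"id": "80b9d59a-12a6-4273-a3d4-ab78f9a04ea5", "displayName": "My search 1"},
    ]
}


def _as_guid(text):
    """Return a uuid.UUID for text, or None when text is not a GUID."""
    try:
        return uuid.UUID(text)
    except (ValueError, AttributeError, TypeError):
        return None


def resolve_search_id(list_response, name_or_id):
    """Map a display name, or an ID in any GUID spelling, to the listed `id`."""
    wanted = _as_guid(name_or_id)
    matches = [
        s["id"]
        for s in list_response.get("value", [])
        if s.get("displayName") == name_or_id
        or (wanted is not None and _as_guid(s["id"]) == wanted)
    ]
    if len(matches) != 1:
        # Zero or several hits: stop rather than purge the wrong search.
        raise LookupError(f"{len(matches)} searches match {name_or_id!r}")
    return matches[0]


def build_purge_request(case_id, search_id, purge_type="recoverable",
                        purge_areas="teamsMessages"):
    """Describe the purgeData call (a POST with a JSON body); nothing is sent."""
    url = (f"{GRAPH}/security/cases/ediscoveryCases/{case_id}"
           f"/searches/{search_id}/purgeData")
    return {"method": "POST", "url": url,
            "body": {"purgeType": purge_type, "purgeAreas": purge_areas}}
```

The returned ID is always spelled exactly as the list call returned it, so it can be pasted into the request path unchanged.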



jnordeng

ASKER

Thank you for the response. I must still be missing something, as when I do that and run the command to purge via Graph Explorer after signing into Graph, I get a 401 error. I have the Organization Management role and set that on Friday. Would have thought it would propagate by now.



https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/28d37dc0-0778-4c4e-b4c2-77a7cc7de67f/searches/4ea09e86c14447bf92a8e73e30d57355/purgeData


Error, User generated image


Additional Thoughts?


Thanks in advance.


Refer to https://learn.microsoft.com/en-us/graph/api/security-ediscoverysearch-purgedata?view=graph-rest-1.0&tabs=http

Assume you want to purge Teams messages, not all types of data.


Assuming you are eDiscovery Manager and Administrator and Organization Management


and assume the user you want to delete has a Microsoft 365 E5 licence,


and assume you have provided delegated access of eDiscovery.ReadWrite.All.



Can you manually search and destroy via the UI? That will confirm whether you have the correct access.



Thanks, yes, I was just looking for a specific chat message in a chat chain, not a Teams chat, otherwise the owner could have deleted it. I was trying via the Graph UI to destroy, but it was giving me the 401 error. So then tried via PowerShell, but no luck. I am a Global Administrator and we have E5 licenses for the majority of our users, including me, but we also have a lot of F3 in our environment for our mobile workforce. We do have retention on our Teams clients via the 365 suite, so not sure if that is preventing it, as the search worked just fine and was narrowed down to specifically what I was trying to get rid of, which was an attachment in the chat.


Thanks for your suggestions, we are going to try to destroy a test message and see if we have better luck. We had a need, but now we are using it to create our process for the future.


Thanks

Jennifer


ASKER CERTIFIED SOLUTION
Jian An Lim

Thanks - I think the retention is the issue here. I'll re-review the steps for the future; I'm guessing somehow removing the retention policy from that one chat is what is needed.