Microsoft has significantly changed the way admins export email in Office 365 are done by eliminating export tools in each application (Exchange, SharePoint, etc). There is now a single solution for exports, including Exchange PSTs, OneDrive, and SharePoint files. This central solution is the Security and Compliance center. Unfortunately, there isn’t much information on how to properly export data from Exchange Online now that the Compliance center in Exchange Admin is deprecated. As a result, the process is a good bit more complicated than is used to be. There are a few phases to exporting PSTs in Office 365 now; Set Permissions, Create a Content Search, then Export and Download. I’ve separated each piece of the process below.
1 – Set Permissions
The first thing you need to do before exporting PST data is set permissions. Global Admin rights in O365 are not sufficient. You will not be able to view anything other than reports if you don’t have the correct permissions. The process for granting PST exporting permission is also a little complicated because you have to set permissions in two places; Azure Active Directory, and the Compliance and Security portal. Once you’ve done this, you don’t have to do it again.
- Log in at https://portal.azure.com
- Click on the Azure Active Directory app in the directory. The icon looks like the snip below:
- Once the Azure AD blade opens, click on Roles and Administrators
- Select Compliance Administrator
- Click on the +Add Member option at the top of the screen, then select the user or group you would like to grant access to. This user or group will have permission to export files from the Compliance and Security admin portal in Office 365.
- Next, we’ll need to go to the Compliance and Security portal to set permissions there. Go to https://protection.office.com.
- Select Permissions to open the Permissions blade:
- In the list of permission roles available, select eDiscovery Manager.
- Scroll down to the eDiscovery Administrator section and click Edit.
- Click Choose eDiscovery Administrator.
- Wait a few moments for the list of users to populate in the blade that appears (or search for the user you want to add), then select the user and click Add, then Done, then Save to apply the permission change. The user will need to log out and back in before continuing to the next phase of the process.
2 – Create a Content Search
Once permissions are added, you can return to the root of the Compliance and Security portal. At the time I’m writing this (April, 2019) Microsoft is in the middle of changing the way this portal functions by separating the functions into a Security Admin Portal and a Compliance Admin Portal. This means there are a couple ways to access the tools you need to export PST files. To simplify things, you can go to https://protection.office.com to go to the right admin system. Once the portal is loaded, perform the following actions:
- Expand the Search menu, then select Content Search.
- Select +New Search. If you wish, you can choose the option to perform a Guided Search, but this post will not go over that process.
- In most situations, you will want to export full PST files for specific users, so this guide will go over that situation. However, you should be aware that the Content Search system is designed to allow file and PST export for any number of situations, from legal discovery to email exports to migrate away from Office 365. For exporting a single user’s mailbox, select Specific Locations and then click Modify…
- The blade that appears after clicking Modify will give you an opportunity to choose between searching through SharePoint-based data (OneDrive, SharePoint teamsites, etc) or Exchange-based data (User Mailboxes, group mailboxes, Skype for Business stored conversations, etc. For this guide, we’ll be choosing a user mailbox to export, so you will want to click on the Choose Users, Groups, or Teams button:
- The next blade will have a button that says…Choose Users, Groups, or Teams. Go ahead and push that button to open another blade that will have a search box in it. In the search box, enter at least 3 letters of the user’s name and the users, groups, or teams option below the search box will populate with possible selections as seen below:
- Click the Choose button at the bottom of this blade to accept the chosen selections, then click Done, then Save to apply the selected search configuration.
- This will bring you back to the blade from step 3. Click Save & Run, then give the search a name and click Save to begin searching through all organizational data associated with the user(s) you chose. You cannot have the same name as another search.
3 – Export and Download Files
Now for the final part of the export process (Finally! Told you it was a little complicated). Once you’ve completed step 7 of the last section, the search will take some time to complete, so go have a cup of hot chocolate (I hate coffee…Yes, I know I’m weird) or chat with your favorite coworker. One thing to note here, if you didn’t complete the first part of this whole thing (Where we assigned permissions) you’ll get a notice that says “To preview search results, please ask your Compliance Admin to grant you Preview permission.”:
If you see that notice, go back to section 1, step 1 and either grant the correct permissions or…wait. Sometimes it takes a while for permissions to apply. Once you are sure you have the right permissions (You can test this by selecting the search from the list of available searches and click the Export button. If it shows Export Results, you have the right permission). Most often, this issue is caused by permissions missing in Azure AD or the Compliance and Security portal. If you have the right permissions, we can move one.
- Here’s the annoying step. Are you using Internet Explorer or Edge? No? Well, you need to now because the export tool only works in those browsers. Fun, right? So, go open Internet Explorer or Edge. Don’t worry, I’ll wait.
- Once you are in the right browser, go to https://protection.office.com again and select Search, then Content Search, just like step 1 of phase 2. Once you’ve done that, you should see the search you created in the list of searches.
- A blade detailing the initial search statistics will appear. You can use this blade to go over your search settings and verify things are as desired. You can quickly modify the search and rerun it if you want, though that is outside the scope of this article. For this guide, click on the Export button, then select Export Results.
- A new blade will appear with some options for how to export the files and what items to export. Most of the time you’ll want to select All items under Output options. However, there may be some situations where you don’t want everything, so if you are in that situation, select the appropriate option there. The more important section for our purposes here is “Export Exchange content as:”. This will allow you to decide how the data will be exported. The options are fairly self explanatory, but the Enable de-duplication for Exchange Content box is not as obvious. This option will allow you to set the export so each email is only exported once. This is very important for the last three Export options because failing to de-duplicate will result in a single email message for each recipient of the original message. De-duplicating will export only one email for each PST file. So if you choose the first option, it will download one one copy of a message for each mailbox. For this guide, select One PST file containing all messages in a single folder, and check the de-duplication option. Click Export to start the export job.
- Now you will need to wait a while for the export to complete. The bigger the export, the longer this will take. Regardless, if you’re performing steps 1-4 and doing the export in the same login session, you will need to click Export, then Refresh for the export to show.
- Select the export and a new blade will appear. If the export creation is still running, you’ll see a progress meter. You can choose to wait til this completes, or start the export download immediately. Either way, you’ll still have to wait, as the download won’t start until the export job is done. You’ll also see a long string of letters and numbers above the progress meter. This is the unique export identifier you’ll need to download the exported data. You’ll need to copy this to the clipboard, either by highlighting it and copying or clicking Copy to Clipboard. Once that’s done, click Download Results to start the download.
- If you’ve never run an export on the computer before, a small applet will install that will manage the download. This will prompt you to enter the string from step 6, then provide a download location. Enter both of these and click start to begin the download. Note that the export will create a folder with the same name of the export shown in step 5 of this phase.
- Finally! The final step! Once you click Start in step 6 of this phase, the download manager will begin. Just let this go. The progress bar is very inaccurate and it may not look like it’s doing anything when it is. Just be patient.
So there it is. A good deal more complicated than it used to be, but the Compliance and Security portal is significantly more powerful than the tools available in Exchange Online and other systems, plus there is no need for users to have any level of admin access to each service, if that is something important to your organization. With the correct permissions, you can export anything you want from Office 365. From single mailboxes to everything you’ve got in any service anywhere. Feel free to play around with it. I’ll be writing some more guides on the Compliance and Security portal in the future, so keep your eyes peeled.