AB-900, Microsoft Certification

Search for files and emails by using Content Search in Microsoft Purview eDiscovery (AB-900 Exam Prep)

 
This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Search for files and emails by using Content Search in Microsoft Purview eDiscovery

Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

This topic measures your understanding of how administrators and compliance professionals use Microsoft Purview eDiscovery Content Search to locate emails, documents, Teams conversations, and other Microsoft 365 content during investigations, audits, legal matters, and compliance activities.

For the AB-900 exam, you are not expected to become an eDiscovery specialist. Instead, you should understand:

  • The purpose of Content Search
  • What types of content can be searched
  • How searches work
  • Common search criteria
  • Permissions required
  • Typical use cases
  • How Content Search supports Microsoft 365 Copilot governance

What Is Microsoft Purview eDiscovery?

Microsoft Purview eDiscovery is a Microsoft Purview solution that helps organizations identify, preserve, search, review, and export electronically stored information (ESI).

It is commonly used for:

  • Internal investigations
  • Legal discovery
  • Regulatory compliance
  • Human resources investigations
  • Security investigations
  • Privacy requests
  • Audits

One of the most frequently used capabilities within eDiscovery is Content Search.

What Is Content Search?

Content Search allows administrators and investigators to search across Microsoft 365 for specific information without manually checking each user’s mailbox or files.

Instead of searching one mailbox at a time, Content Search can simultaneously search:

  • Exchange Online mailboxes
  • SharePoint Online sites
  • OneDrive accounts
  • Microsoft Teams messages
  • Viva Engage (Yammer) messages (where supported)
  • Microsoft 365 Groups
  • Copilot-related stored content (through underlying Microsoft 365 data)

Think of it as an enterprise-wide search engine designed for compliance investigations.

Why Organizations Use Content Search

Organizations perform Content Searches to:

  • Locate specific emails
  • Find confidential documents
  • Investigate insider threats
  • Respond to legal requests
  • Prepare evidence for court
  • Support compliance audits
  • Investigate data leaks
  • Review suspicious activity
  • Locate files related to AI-generated work

Where Content Search Is Located

Content Search is available in the Microsoft Purview portal under:

Microsoft Purview → eDiscovery

Administrators can:

  • Create searches
  • Edit searches
  • Run searches
  • Preview results
  • Export results (with appropriate permissions)

Content That Can Be Searched

Content Search supports many Microsoft 365 workloads.

Examples include:

Exchange Online

Searches include:

  • Emails
  • Calendar items
  • Contacts
  • Tasks
  • Attachments

Example:

Find every email containing a specific customer name.

SharePoint Online

Can search:

  • Documents
  • PDFs
  • Word files
  • Excel files
  • PowerPoint presentations
  • Lists

Example:

Locate every document containing a confidential project code.

OneDrive for Business

Searches users’ personal work files.

Example:

Find documents uploaded by an employee before they resigned.

Microsoft Teams

Can search:

  • Chat messages
  • Channel conversations
  • Shared files

Example:

Find Teams conversations discussing a confidential acquisition.

Microsoft 365 Groups

Includes:

  • Group mailboxes
  • Shared documents

How Content Search Works

A Content Search generally follows these steps.

Step 1

Create a search.

Step 2

Select locations.

Examples:

  • Specific mailbox
  • All mailboxes
  • OneDrive sites
  • SharePoint sites
  • Teams

Step 3

Define search conditions.

Examples:

  • Keywords
  • Dates
  • Senders
  • Recipients
  • File types

Step 4

Run the search.

Microsoft indexes the selected content and returns matching results.

Step 5

Review results.

Administrators can:

  • View statistics
  • Preview items
  • Refine search criteria

Step 6

Export results if necessary.

This is common during legal investigations.

Search Locations

Content Search allows searches across:

  • Individual mailboxes
  • Shared mailboxes
  • Distribution groups
  • SharePoint sites
  • OneDrive accounts
  • Microsoft Teams
  • Specific users
  • Entire organization

Common Search Criteria

Administrators can filter searches using many conditions.

Keywords

Search for:

  • Customer names
  • Project names
  • Product codes
  • Sensitive terms

Example:

Confidential

Sender

Locate messages sent by:

john@contoso.com

Recipient

Locate emails received by:

finance@contoso.com

Date Range

Example:

January 1 through March 31.

Useful during investigations.

File Type

Examples:

  • PDF
  • DOCX
  • XLSX
  • PPTX

File Name

Search for a specific document.

Example:

Budget2026.xlsx

Sensitive Information

When combined with Microsoft Purview classifications, administrators can search for:

  • Credit card numbers
  • Social Security numbers
  • Passport numbers
  • Financial records

Keyword Query Language (KQL)

Content Search uses Keyword Query Language (KQL).

Administrators can build more advanced searches.

Examples include:

  • AND
  • OR
  • NOT
  • Parentheses
  • Property filters

Example:

Project AND Budget

Example:

Budget OR Forecast

Example:

Confidential NOT Draft

The AB-900 exam only expects a basic understanding that KQL enables more precise searches.

Search Results

After a search completes, administrators receive:

  • Number of matching items
  • Number of locations searched
  • Total estimated size
  • Search statistics
  • Preview of matching items

The search does not automatically change or delete content.

Previewing Results

Before exporting data, investigators can preview:

  • Emails
  • Documents
  • Teams conversations

Previewing helps determine whether additional filtering is needed.

Exporting Results

Authorized users can export search results.

Exports may include:

  • PST files
  • Native Office documents
  • PDFs
  • Metadata
  • Reports

Exporting is commonly used for:

  • Courts
  • Attorneys
  • Regulatory agencies
  • Internal investigations

Permissions Required

Not every administrator can perform Content Searches.

Organizations typically assign permissions using Microsoft Purview role groups.

Common roles include:

  • eDiscovery Manager
  • eDiscovery Administrator
  • Compliance Administrator

Least privilege should always be followed.

Content Search vs eDiscovery Cases

These concepts are related but different.

Content SearcheDiscovery Case
Searches contentManages investigations
Can be run independentlyOrganizes legal matters
Finds informationStores searches, holds, reviewers, exports
Useful for quick investigationsUseful for complete legal workflows

Think of Content Search as one tool inside the broader eDiscovery process.

How Content Search Supports Microsoft 365 Copilot

Microsoft 365 Copilot retrieves information users already have permission to access.

If sensitive information exists within Microsoft 365:

  • Copilot may surface it to authorized users.
  • Administrators can use Content Search to identify where sensitive information is stored.
  • This helps organizations improve governance before deploying AI widely.

Examples include:

  • Confidential HR files
  • Financial reports
  • Intellectual property
  • Legal documents

Relationship with Other Microsoft Purview Features

Content Search works alongside many Purview capabilities.

Sensitivity Labels

Search labeled documents.

Data Loss Prevention (DLP)

Investigate DLP incidents.

Retention Policies

Locate retained content.

Insider Risk Management

Search content involved in investigations.

Audit

Correlate search results with user activities.

eDiscovery Premium

Use Content Search as part of advanced legal investigations.

Best Practices

Microsoft recommends that organizations:

  • Search only necessary locations.
  • Use descriptive search names.
  • Apply precise filters.
  • Limit access using least privilege.
  • Preview results before exporting.
  • Protect exported evidence.
  • Maintain audit logs.
  • Regularly review permissions.
  • Use Content Search together with retention and sensitivity labels.
  • Govern sensitive data before deploying Microsoft 365 Copilot broadly.

Key Exam Tips

Remember these important points for the AB-900 exam:

  • Content Search is part of Microsoft Purview eDiscovery.
  • It searches across Microsoft 365 services from one interface.
  • It can search Exchange, SharePoint, OneDrive, Teams, and other supported workloads.
  • Searches can be filtered by keywords, users, dates, file types, and other properties.
  • Search results can be previewed before export.
  • Appropriate permissions are required to perform searches.
  • Content Search helps organizations investigate compliance, legal, and security incidents.
  • It supports Microsoft 365 Copilot governance by helping organizations identify where sensitive information exists.

Practice Exam Questions

Question 1

An administrator needs to locate every email containing the phrase “Quarterly Budget” across the organization. Which Microsoft Purview feature should they use?

A. Communication Compliance

B. Content Search in eDiscovery

C. Insider Risk Management

D. Compliance Manager

Correct Answer: B

Explanation: Content Search enables administrators to search mailboxes, SharePoint sites, OneDrive, Teams, and other Microsoft 365 locations for keywords and other search criteria.

Question 2

Which Microsoft 365 workload can be searched by Microsoft Purview Content Search?

A. Exchange Online

B. Microsoft Teams

C. SharePoint Online

D. All of the above

Correct Answer: D

Explanation: Content Search supports multiple Microsoft 365 workloads, including Exchange Online, SharePoint Online, OneDrive, Teams, Microsoft 365 Groups, and more.

Question 3

Before exporting search results, what is the recommended action?

A. Delete duplicate items.

B. Apply a retention policy.

C. Preview the search results.

D. Disable auditing.

Correct Answer: C

Explanation: Previewing results helps verify that the search returned the intended items before exporting data.

Question 4

What is the primary purpose of Microsoft Purview Content Search?

A. Encrypt documents automatically.

B. Create sensitivity labels.

C. Monitor endpoint devices.

D. Locate content across Microsoft 365 for investigations and compliance.

Correct Answer: D

Explanation: Content Search is designed to find emails, files, chats, and other content across Microsoft 365 to support investigations, audits, and legal discovery.

Question 5

Which search criterion could an administrator use to narrow Content Search results?

A. Sender

B. File type

C. Date range

D. All of the above

Correct Answer: D

Explanation: Administrators can filter searches by numerous criteria, including sender, recipient, keywords, dates, and file types.

Question 6

Why is Content Search important for Microsoft 365 Copilot governance?

A. It trains Copilot models.

B. It identifies where sensitive information is stored so organizations can better govern AI access.

C. It automatically blocks Copilot prompts.

D. It creates Copilot licenses.

Correct Answer: B

Explanation: Understanding where sensitive information resides helps organizations apply appropriate governance before broad Copilot deployment.

Question 7

Which language provides advanced query capabilities for Content Search?

A. SQL

B. PowerShell

C. XPath

D. Keyword Query Language (KQL)

Correct Answer: D

Explanation: Content Search uses KQL to build advanced searches using keywords, logical operators, and property filters.

Question 8

Which statement about Content Search permissions is correct?

A. Every Microsoft 365 user can run organization-wide searches.

B. Only Global Administrators can perform Content Searches.

C. Appropriate Microsoft Purview roles are required to perform Content Searches.

D. Content Search requires no administrative permissions.

Correct Answer: C

Explanation: Organizations assign eDiscovery and compliance roles to authorized users who need to perform searches.

Question 9

A compliance investigator wants to search only documents stored in employees’ personal cloud storage. Which location should be selected?

A. Microsoft Teams

B. OneDrive for Business

C. Exchange Online

D. Microsoft Entra ID

Correct Answer: B

Explanation: OneDrive for Business stores users’ personal work files and can be targeted independently during a Content Search.

Question 10

Which statement best describes Microsoft Purview Content Search?

A. It permanently deletes search results after completion.

B. It automatically applies retention labels to matching items.

C. It searches Microsoft 365 content and allows authorized users to review and export matching results.

D. It encrypts all files matching the search query.

Correct Answer: C

Explanation: Content Search is a discovery tool that locates content across Microsoft 365, allowing investigators to preview and export results without modifying the original data.

Go to the AB-900 Exam Prep Hub main page

Leave a comment