1️⃣ Connect-IPPSSession
2️⃣ New-ComplianceSearch
3️⃣ Start-ComplianceSearch
In Microsoft 365 E5 (which includes Microsoft Purview and Exchange Online), to identify phishing email messages using PowerShell, administrators can perform a compliance content search. The process requires connecting to the Microsoft Purview (Security & Compliance Center) PowerShell and then creating and running a compliance search.
Here’s the correct order and purpose of each cmdlet:
1️⃣ Connect-IPPSSession
This cmdlet establishes a remote PowerShell session to the Microsoft Purview Compliance Center (formerly Security & Compliance Center).
It’s required before executing any compliance-related PowerShell commands such as creating or starting a search.
Example:
Connect-IPPSSession
2️⃣ New-ComplianceSearch
After connecting, use this cmdlet to create a new compliance content search.
You can define parameters such as the search name, target locations (e.g., all mailboxes or specific users), and search query (for example, filtering by suspected phishing keywords or sender domains).
Example:
New-ComplianceSearch -Name "PhishingSearch" -ExchangeLocation All -ContentMatchQuery 'Subject:"phish" OR Subject:"urgent action required"'
3️⃣ Start-ComplianceSearch
Once the search is defined, this cmdlet initiates the compliance search to scan the selected mailboxes for phishing-related messages.
Other cmdlets explained:
Connect-ExchangeOnline is used for managing Exchange Online configuration, not compliance or content searches.
Search-UnifiedAuditLog searches the unified audit log, which is used for activity auditing, not email content searches.
✅ Final Correct Sequence:
New-ComplianceSearch
Start-ComplianceSearch
Submit