Design a compliance content search in O365 to ONLY return a specific person and a specific domain

Question

I am attempting to do a content search through Exchange on O365 to return mail between user@domain.com and anyone at outsidedomain.com

I thought that this should work in the KQL:

(ParticipantDomains:outsidedomain.com) AND ((Sender:user@domain.com) OR (Recipients:user@domain.com))

However, this seems to include all mail to/from user@domain.com

• No matter who it is sent from/to
• Also if user@domain.com is in a group to whom it was sent.

What do I need to put, to only find direct email conversations between user@domain.com and anyone at outsidedomain.com?

Thanks

Answer 1

Another suggested answer, from outside this site was the following:

((senderauthor=user@domain.com) AND (Participants=outsidedomain.com) OR 
(Recipients=user@domain.com) AND (Participants=outsidedomain.com))

This appears to result in the data I was looking for.

Answer 2

Also if user@domain.com is in a group to whom it was sent.

To the best of my knowledge, it's not feasible to exclude this kind of mails from the results. A thought is to export the search result report file (.csv), open it in Excel to filter out mails sent to groups.

However, this seems to include all mail to/from user@domain.com

No matter who it is sent from/to

Although "participantdomains" looks like the most suitable property for your requirement, I cannot find any introduction about it in this official document. Also based on my test, I can reproduce that all mails would be included in the result when using "ParticipantDomains:outsidedomain.com".

Given this situation, I'd suggest using Partifipants:"outsidedomain.com" instead. You can choose to search within the user@domain.com's Exchange mailbox only so that no other conditions need to be included in the query.