Exchange: How to Assign eDiscovery Permissions while Exporting Mailbox to PST?

In Exchange Server, you can export a mailbox to PST either from the Exchange Admin Center (EAC), the graphical interface of Exchange Server, or from the Exchange Management Shell (EMS) by running New-MailboxExportRequest. With data protection policies in place, every company should also have a designated person in charge of data who uses eDiscovery in the case of Office 365 and In-Place eDiscovery in the case of on-premises Exchange.

For this to work, the right permissions must be granted. Users who need to perform searches, preview, copy, export reports, or export the actual data must be added to the role group called Discovery Management. Members of this group receive the Mailbox Search role and the Legal Hold role. The Mailbox Search role allows a user to run In-Place eDiscovery searches, and the Legal Hold role allows a user to place a mailbox on In-Place Hold or Litigation Hold.

Being an Exchange Server administrator does not by itself allow you to perform these operations, because these roles are not assigned to server administrators by default. You must either add the administrator to the Discovery Management role group or create a new role group that holds these roles and assign the administrator to it. If the user running In-Place eDiscovery or placing a mailbox on hold has not been given the right permissions, the options are simply not visible in the Exchange Admin Center (EAC), and in the Exchange Management Shell (EMS) the corresponding cmdlets are not available and will not run.

To assign permissions in the Exchange Admin Center (EAC), open the Permissions page, click Admin roles, select the Discovery Management role group, and click Edit.

As the right pane shows, any user added here is given the Legal Hold and Mailbox Search roles.

After clicking Edit, scroll down to the Members area and click the plus button to add the users.

Click Save. The users added here now have the permissions needed to create searches and place mailboxes on hold.

The same can be done in the Exchange Management Shell (EMS) with the Add-RoleGroupMember cmdlet, as shown below.

Add-RoleGroupMember -Identity "Discovery Management" -Member <user account>

You can confirm that the user was added, or list all members of the group, with the Get-RoleGroupMember cmdlet.

Get-RoleGroupMember -Identity "Discovery Management"

A user who has not been given the export role can still run searches but, when exporting the results to PST, will get a 500 error on screen or will not be allowed to export the search results for the mailbox or mailboxes. Such a user has permission to search but not to download. To allow the download, grant the export permission to the user who should have that authority, using either the Exchange Admin Center (EAC) or the Exchange Management Shell (EMS).

To assign the role in the Exchange Admin Center (EAC), open the Permissions page, click Admin roles, and click the plus button to create a new role group.

Give the role group a name, for example Data Export/Import Role, and click the plus button under the Roles area.

Find the role called Mailbox Import Export, click Add, and then click OK.

This creates a new admin role group, and any user added to it will have permission to export mailboxes to PST.

In the Exchange Management Shell (EMS), use the New-ManagementRoleAssignment cmdlet as shown below. The cmdlet does not create the role (Mailbox Import Export already exists in Exchange); it assigns the role to an assignee. The first form assigns the role directly to a single user. The second form assigns it to the built-in Organization Management role group, which means every member of that group gains the right to export and import mailbox data, so if only specific people should be able to export, assign the role to a dedicated role group instead.

New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "<Username>"

New-ManagementRoleAssignment -Role "Mailbox Import Export" -SecurityGroup "Organization Management" -Name "Import Export"

These permissions are not available immediately; allow roughly 2 to 4 hours for the role change to take effect. If you assign the roles and immediately try to search or export mailboxes from the eDiscovery portal, the options will not be visible or the action will be refused.
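The following script is an added example, not code from the original article: it performs both procedures described above from the Exchange Management Shell (adding a user to Discovery Management, and granting Mailbox Import Export through a dedicated role group rather than through Organization Management), then verifies which roles the user effectively holds before attempting an export. The user name jdoe, the role group name Data Export Role Group, the target mailbox jsmith, and the share \\FILESRV01\PSTExports are assumptions for illustration; the Name value used for the user is assumed to match the user's display name as reported by Exchange.

```powershell
# Added example (not from the original article): grant eDiscovery and
# PST-export permissions from the Exchange Management Shell and verify them.
# Assumed values (adjust for your organisation): the user "jdoe", the role
# group "Data Export Role Group", the mailbox "jsmith" to export, and the
# UNC share \\FILESRV01\PSTExports, which must be writable by the
# Exchange Trusted Subsystem group (New-MailboxExportRequest needs a UNC path).

$User      = "jdoe"
$RoleGroup = "Data Export Role Group"
$Mailbox   = "jsmith"
$ExportUnc = "\\FILESRV01\PSTExports"

# 1. eDiscovery: membership of Discovery Management grants the
#    Mailbox Search and Legal Hold roles.
$alreadyMember = Get-RoleGroupMember -Identity "Discovery Management" |
                 Where-Object { $_.Name -eq $User }
if (-not $alreadyMember) {
    Add-RoleGroupMember -Identity "Discovery Management" -Member $User
}

# 2. PST export: keep Mailbox Import Export in its own role group instead of
#    assigning it to Organization Management, so only members of this group
#    can export (or import) mailbox data.
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup -Roles "Mailbox Import Export" -Members $User `
        -Description "Users allowed to run New-MailboxExportRequest / New-MailboxImportRequest"
} else {
    Add-RoleGroupMember -Identity $RoleGroup -Member $User
}

# 3. Verify the roles the user effectively holds. -GetEffectiveUsers expands
#    role groups to their members, so a role granted via a group is reported
#    with EffectiveUserName equal to the member's name.
function Test-EffectiveRoles {
    param(
        [string]$Identity,
        [string[]]$RequiredRoles = @("Mailbox Search", "Legal Hold", "Mailbox Import Export")
    )
    $held = Get-ManagementRoleAssignment -GetEffectiveUsers |
            Where-Object { $_.EffectiveUserName -eq $Identity } |
            ForEach-Object { "$($_.Role)" } |
            Sort-Object -Unique
    foreach ($role in $RequiredRoles) {
        [pscustomobject]@{
            Role    = $role
            Granted = ($held -contains $role)
        }
    }
}

$check = Test-EffectiveRoles -Identity $User
$check | Format-Table -AutoSize

# Role changes are not effective immediately (the article quotes 2 to 4 hours),
# so stop here rather than running an export that will be refused.
if ($check | Where-Object { -not $_.Granted }) {
    Write-Warning "One or more roles are not yet effective for $User; retry later."
    return
}

# 4. Export: requires the Mailbox Import Export role held by the account
#    running this shell. -FilePath must be a UNC path.
$request = New-MailboxExportRequest -Mailbox $Mailbox `
    -FilePath "$ExportUnc\$Mailbox.pst" -Name "Export-$Mailbox"
Get-MailboxExportRequestStatistics -Identity $request.Identity |
    Select-Object Name, Status, PercentComplete
```

Run step 4 as the user who was granted Mailbox Import Export, not as the administrator who granted it; the role check in step 3 only tells you the assignment exists, not that the shell you are in was opened after it became effective.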

This only works if the Exchange Server is running, all Exchange Server services are up, and the database in question is mounted. If the Exchange Server fails and you need to export from offline EDB files