Easy Compliance Search PowerShell connection

Run gridviews and jobs that use the Security & Compliance PowerShell module without the need to log in.

Whenever you use sapio365 to access Purview’s Compliance Search, such as creating a new compliance search, a special PowerShell module is needed. You will be asked for authorization credentials the first time you attempt this during a user session.

If you are running any jobs or scheduled gridviews that need this information, the task will fail unless you are at the keyboard to provide this authorization. There is an easy workaround.

You just need to allow sapio365 to provide this authorization using a certificate. You can provide one of your own, or sapio365 can create one for you.

This applies to registered applications used in:

• Elevated sessions

• Role sessions using RBAC credentials

• App sessions

Required steps

1. Switch from secret-based authentication to certificate-based authentication.

2. Enable the application to use Exchange Online PowerShell.

3. In Entra, add the Graph API permission eDiscovery.ReadWrite.All to your application. Give consent.

How to add Graph API permission ‘eDiscovery.ReadWrite.All’ in Entra admin center

In the Entra admin center, select the sapio365 application from the registered apps list:

1. Go to API permissions blade.

2. Click Add a permission → select Microsoft Graph.

3. Select Application permissions.

4. Check eDiscovery.ReadWrite.All.

5. Click Grant admin consent.

4. Add the service principal of the app to the necessary Purview roles by running the job, or you can run the PowerShell script below.

Connect-IPPSSession -UseRPSSession:$false -ShowBanner:$false
New-ServicePrincipal -AppId $AppId -ObjectId $PrincipalId -DisplayName "sapio365 Elevated Your Name"
$SP = Get-ServicePrincipal -Identity $AppId
Add-RoleGroupMember -Identity "eDiscoveryManager" -Member $SP.Id
Add-eDiscoveryCaseAdmin -user $SP.Id