How to Handle DSARs in SharePoint and Microsoft 365

Where personal data lives in M365 and how to use Purview Content Search for DSAR responses. Step-by-step with limitations.

Last updated: 2026-06-21

Microsoft 365 Is Probably Your Biggest DSAR Challenge

If your organization runs on Microsoft 365, personal data is everywhere — email, SharePoint, OneDrive, Teams, Planner, Forms, and more. When a data subject access request arrives, you need to find one person's data across all of these services, review it for exemptions and third-party information, and deliver it within the legal deadline.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. Microsoft 365 features and interfaces change frequently. You should verify current functionality against Microsoft's documentation and consult a qualified attorney for guidance on DSAR compliance specific to your business.

Microsoft provides tools to help with this, primarily through Microsoft Purview (formerly Microsoft 365 Compliance Center). But these tools have real limitations, and understanding both their capabilities and their gaps is essential for a complete DSAR response.

Where Personal Data Lives in Microsoft 365

Before you start searching, you need to understand the scope of the problem. Personal data in M365 is distributed across multiple services, each with its own storage and search characteristics.

Exchange Online (Email)

Email is typically the largest source of personal data in any M365 environment. A data subject's information may appear in:

  • Their own mailbox — sent and received emails, calendar appointments, contacts, tasks
  • Other people's mailboxes — emails they sent to or received from colleagues, external contacts who emailed them
  • Shared mailboxes — group mailboxes, department inboxes, support queues
  • Public folders — if your organization uses Exchange public folders
  • Deleted items and recoverable items — emails the user deleted may still be in the recoverable items folder, depending on your retention policies
  • Archive mailboxes — if you have enabled online archive mailboxes

SharePoint Online

SharePoint sites can contain personal data in:

  • Documents — Word files, Excel spreadsheets, PDFs, and other files stored in document libraries
  • List items — SharePoint lists that contain names, contact information, or other personal data
  • Site metadata — author information, modification history, and version history
  • Page content — if internal pages reference individuals by name

OneDrive for Business

Each user's OneDrive is essentially a personal SharePoint site. Personal data here includes:

  • The data subject's own OneDrive — their personal files, which may contain personal data about themselves or others
  • Files shared with or by the data subject — shared documents that reference the individual

Microsoft Teams

Teams is built on top of several other M365 services, which means data is scattered:

  • Chat messages — one-to-one and group chats are stored in Exchange Online (in the users' mailboxes)
  • Channel messages — stored in the associated SharePoint site's mailbox
  • Files shared in Teams — stored in SharePoint (for channels) or OneDrive (for chats)
  • Meeting recordings — stored in OneDrive or SharePoint, depending on configuration
  • Meeting transcripts — if transcription is enabled
  • Voicemail — if Teams Phone is configured

Other M365 Services

Depending on what your organization uses, personal data may also reside in:

  • Microsoft Forms — survey and form responses
  • Planner and To Do — task assignments and descriptions
  • Power Automate — flow run histories that may contain personal data
  • Yammer / Viva Engage — community posts and messages
  • Dynamics 365 — if integrated, customer and contact records
  • Azure Active Directory (Entra ID) — user profile information, sign-in logs, group memberships

Using Microsoft Purview for DSAR Searches

Microsoft Purview is the primary tool for handling DSARs in M365. The key feature for DSAR work is Content Search (and its more advanced companion, eDiscovery).

Accessing Purview

  1. Sign in to the Microsoft Purview compliance portal (compliance.microsoft.com) or navigate to it from the Microsoft 365 admin center
  2. You need appropriate permissions — specifically, the Compliance Administrator, eDiscovery Manager, or eDiscovery Administrator role
  3. If you do not have these permissions, your global administrator will need to assign them

Step-by-Step: Running a Content Search for a DSAR

Step 1: Create a New Search

In the Purview portal, navigate to Content search (under Solutions). Select New search to create a search.

Give the search a meaningful name — for example, "DSAR — [Data Subject Name] — [Date]". This helps you track multiple DSAR searches over time.

Step 2: Define the Search Query

Build your search query to find the data subject's personal data. Common search approaches:

  • By name: Search for the person's full name in quotation marks (e.g., "Jane Smith"). Be aware that common names may return a very high volume of results.
  • By email address: Search for the person's email address. This is often more precise than a name search.
  • Combined query: Use AND/OR operators to combine name, email, and other identifiers. For example: "Jane Smith" OR "jane.smith@example.com" OR "jsmith@example.com"
  • By sender/recipient: For email-specific searches, use the From: and To: fields to narrow results to messages sent or received by the data subject

Consider all variations of the person's name and any email addresses they may have used (including personal addresses they might have emailed from).

Step 3: Select Locations to Search

Choose which M365 locations to include in the search:

  • Exchange mailboxes — select all mailboxes, or specific mailboxes if you know where the data subject's communications are likely to appear
  • SharePoint sites — select all sites, or specific sites
  • OneDrive accounts — select the data subject's OneDrive, plus any other accounts that may contain relevant data
  • Exchange public folders — include if your organization uses them

For a comprehensive DSAR response, you should generally search all locations unless you have a specific reason to narrow the scope.

Step 4: Run the Search

Start the search and wait for it to complete. Search times vary depending on the volume of data and the complexity of the query. A search across a large M365 tenant can take minutes to several hours.

You can monitor progress in the Purview portal. The search will show an estimated number of items and total size when complete.

Step 5: Preview Results

Before exporting, preview the results to assess:

  • Relevance — are the results actually related to the data subject, or has the search returned false positives?
  • Volume — how many items were returned? If the number is very large, you may need to refine your query.
  • Content types — what mix of emails, documents, and other items are included?

Step 6: Export the Results

Once you are satisfied with the search results, export them:

  1. Select Export results from the search actions
  2. Choose your export options:
    • All items — everything matched by the search
    • De-duplicated items — removes duplicate copies of the same item
  3. The export generates a downloadable package that you can access using the eDiscovery Export Tool (a small application that runs on Windows)

The export typically includes:

  • Email messages in PST or individual EML format
  • SharePoint and OneDrive documents in their original format
  • A results manifest and log files

Step 7: Review Before Disclosure

This is the most important step, and the one that cannot be automated. Before disclosing any data to the requester, you must review the exported results for:

  • Third-party personal data — redact personal information about other identifiable individuals unless an exception applies (see our guide on DSAR exemptions)
  • Legally privileged material — withhold communications covered by legal professional privilege
  • Exemptions — check whether any other exemptions apply (crime prevention, management planning, negotiations, etc.)
  • Sensitive business information — while you cannot withhold personal data simply because it is commercially sensitive, you should check for documents that may have been incorrectly captured by the search

This review process is manual and time-consuming for large result sets. Budget adequate time for it within your DSAR response deadline.
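
The search part of this procedure (Steps 1 to 4) can also be scripted through Security & Compliance PowerShell, which makes the query and the searched locations repeatable and easy to record in a search log. The following is an added example, not part of the original guide or Microsoft's documentation; it assumes the ExchangeOnlineManagement module is installed and the account holds one of the roles listed under Accessing Purview. The data subject's name, the example.com addresses, and the log file name are constructed placeholders.

```powershell
# Added example: scripted equivalent of Steps 1-4, plus one search-log record.
# All identifiers and the log path are constructed placeholders.
$subjectName = 'Jane Smith'
$identifiers = @('Jane Smith', 'jane.smith@example.com', 'jsmith@example.com')
$searchName  = "DSAR - $subjectName - $(Get-Date -Format 'yyyy-MM-dd')"
$logPath     = '.\dsar-search-log.csv'   # hypothetical log file

# Step 2: quote each identifier so a multi-word name matches as a phrase,
# strip any embedded quotes that would break the query, then OR the terms.
$query = ($identifiers |
    ForEach-Object { '"{0}"' -f ($_ -replace '"', '') }) -join ' OR '

# Interactive sign-in to Security & Compliance PowerShell.
Connect-IPPSSession

# Steps 1 and 3: create the search across every mailbox, every SharePoint
# and OneDrive site, and Exchange public folders.
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -PublicFolderLocation All `
    -ContentMatchQuery $query | Out-Null

# Step 4: start the search and poll until it completes. Large tenants can
# take hours, so stop waiting after a deadline instead of looping forever.
Start-ComplianceSearch -Identity $searchName
$deadline = (Get-Date).AddHours(6)
do {
    Start-Sleep -Seconds 60
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

if ($search.Status -ne 'Completed') {
    throw "Search '$searchName' did not complete (status: $($search.Status))."
}

# Append the query, locations and result counts to the DSAR search log.
[pscustomobject]@{
    SearchName   = $searchName
    CompletedUtc = (Get-Date).ToUniversalTime().ToString('o')
    Query        = $search.ContentMatchQuery
    Locations    = 'Exchange: All; SharePoint/OneDrive: All; PublicFolders: All'
    Items        = $search.Items
    SizeBytes    = $search.Size
} | Export-Csv -Path $logPath -Append -NoTypeInformation
```

Preview, export, and the manual review in Steps 5 to 7 still happen afterwards; the script only creates and runs the search and records what was searched.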

Limitations of Content Search for DSARs

Content Search is a powerful tool, but it has real limitations for DSAR purposes. Understanding these gaps is critical for a complete response.

It Does Not Cover Everything

Content Search covers Exchange, SharePoint, and OneDrive content well. It does not comprehensively cover:

  • Teams chat messages — while Teams chats are stored in Exchange, searching them via Content Search can be inconsistent, and some message types (reactions, edited messages, inline images) may not be fully captured
  • Azure AD / Entra ID data — user profile information, sign-in logs, and directory data are not searchable via Content Search; you need the Azure portal or admin center for this
  • Microsoft Forms responses — form data is not indexed by Content Search
  • Planner tasks — not searchable via Content Search
  • Power Platform data — Power Automate flow run data, Power Apps data
  • Audit logs — admin and user activity logs require a separate search in the Purview audit log

For a truly complete DSAR response, you will need to supplement Content Search with manual checks of these additional sources.

Search Accuracy

Content Search uses keyword matching and is subject to the same limitations as any text-based search:

  • Common names produce a high volume of results, many of which may be false positives
  • Variations in spelling (nicknames, maiden names, misspellings) require multiple search terms
  • Data in images, handwritten notes, or scanned documents will not be found unless OCR (optical character recognition) has been applied
  • Data in structured fields (such as metadata or custom SharePoint columns) may not be reliably captured by a keyword search

Retention and Deletion

The results you get depend on your organization's retention policies:

  • If you have retention policies that delete content after a set period, data beyond that period will not be available
  • If a user has permanently deleted items and they are past the recoverable items retention period, they are gone
  • Litigation holds or retention holds preserve data that would otherwise be deleted — if you anticipate DSARs, consider whether you need holds in place

Licensing Requirements

The full Purview Content Search and eDiscovery capabilities require specific Microsoft 365 license tiers. Basic Content Search is available in most business plans, but advanced features (such as eDiscovery Premium with machine learning-based review) require E5 licensing or an add-on. Check your licensing before assuming you have access to all features.

The Data Subject Rights Request Feature

In addition to Content Search, Microsoft Purview includes a dedicated Data Subject Requests (DSR) feature (sometimes called "Subject Rights Requests") specifically designed for handling privacy requests.

This feature provides:

  • A guided workflow for creating and tracking data subject requests
  • Automated data discovery across M365 services
  • Built-in review tools for assessing results before disclosure
  • Collaboration features for involving multiple reviewers
  • Audit trail for documenting the process

The DSR feature is more purpose-built for DSARs than raw Content Search, but it requires Microsoft Purview Compliance Manager or an equivalent license tier. If your organization handles DSARs regularly, this is worth evaluating.

Practical Tips for M365 DSARs

  • Build a standard operating procedure. Document which M365 locations you search, which tools you use, and what review steps you follow. This ensures consistency and provides evidence of a thorough process if challenged.
  • Search broadly, then narrow. Start with a wide search to ensure you capture everything, then refine during the review stage. Missing data is a bigger problem than having too many results.
  • Keep search logs. Record your search queries, the locations searched, the number of results, and any refinements. This is part of your DSAR audit trail.
  • Allow time for export and review. The search itself is the quick part. Exporting, downloading, and reviewing results — especially for redaction — is what takes the bulk of the time. Factor this into your DSAR response timeline.
  • Check beyond M365. Your organization almost certainly holds personal data outside of Microsoft 365. CRM systems, HR platforms, accounting software, and other SaaS tools all need to be searched separately. Do not assume that an M365 search is a complete DSAR response.

For a complete DSAR workflow that covers all your systems (not just M365), see our DSAR workflow guide.

Last reviewed: June 2026. Microsoft 365 features and interfaces change frequently. Verify current functionality against Microsoft's official documentation and consult qualified legal counsel for DSAR compliance guidance.
