Purview Targeted eDiscovery Shortcut: Why “DisplayName” is the King of Sent Items

When performing a search on a specific custodian’s mailbox within Purview, the goal is often to produce a comprehensive record of everything that person sent. However, users frequently have secondary aliases, departmental "Send As" addresses, or legacy SMTP addresses from before a merger or rebrand.

If you rely on a single SMTP address, you will miss data. If you use the DisplayName, you let the Microsoft 365 Substrate do the heavy lifting for you.

How it Works: The "Stamping" of Identity

The effectiveness of this search relies on how the Microsoft 365 Substrate (the data layer for Purview) indexes mail.

When an email is sent, it passes through the Exchange Transport pipeline. During this "ingestion" phase, the system performs Metadata Enrichment. It doesn't just look at the email address; it resolves the sender against the Global Address List (GAL).

Even if a user sends an email using a secondary alias (e.g., marketing@company.com) or a legacy X500 address, the Substrate "stamps" the user's official DisplayName (e.g., "Joe Blogs") onto the item in the index. This creates a permanent, searchable "human-readable" tag that is baked into the item's metadata at the moment of creation.

Bypassing the "Alias Trap"

In Microsoft Purview, "Recipient Expansion" is the feature meant to find a user's aliases. However, it has a significant limitation: it often fails to expand secondary proxy addresses.

If you search for sender:joe.blogs@company.com, the system may not automatically look for mail sent from j.blogs@company.com. But because the Substrate stamped "Joe Blogs" on both emails when they were sent, a search for sender:"Joe Blogs" will catch both. For a regulatory production where "missing data" is a compliance risk, this name-based approach ensures you capture the user's entire output across all their technical identities.

Important: Targeted Searches Only

It is critical to understand that this is a targeted mailbox strategy, not a tenant-wide strategy.

  • Why it works in a targeted search: If you have already narrowed your "Data Sources" to Joe Blogs's mailbox, searching for sender:"Joe Blogs" is incredibly accurate. You’ve already defined the "Where" (the specific mailbox); the name search simply ensures the "What" is comprehensive.

  • Why it fails tenant-wide: If you search your entire organization for sender:"Joe Blogs", you will return every "Joe Blogs" in the directory and potentially unrelated external hits. This strategy is for capturing the full history of a specific custodian.

Sender vs. Participants: Which is better?

When you are looking for what a custodian sent from their own mailbox, you should use the sender property rather than participants.

  • sender:"Joe Blogs": This is a precision tool. It targets only the items where the custodian is the author. This is the superior property for producing a user's "sent history."

  • participants:"Joe Blogs": This is a "wide net" tool that searches the Sender, To, Cc, and Bcc fields simultaneously. Using this within a custodian's mailbox would clutter your results with every email they received, making it difficult to isolate their outbound correspondence.

The "Name Change" Caveat

Because the display name is "stamped" on the item at the moment it is sent, it represents the user's identity at that point in time.

If a custodian has had a name change (for example, due to marriage or a preference change from "Joseph" to "Joe"), searching for their current name will not return items sent under their previous name. To ensure a truly defensible and comprehensive production, you must include any previous display names as "OR" terms in your query.

(For Purview prerequisites on tracking and identifying these historical name changes, please refer to this article)

Summary for eDiscovery Managers

  1. Scope the search: Target the specific custodian mailbox as the data source.

  2. Use the Name: Use sender:"Display Name" to bypass the "Proxy Address" gap and catch all aliases.

  3. Include History: Add previous display names to the query to ensure you catch items sent before a name change.

  4. Avoid SMTP-only: Don't rely on a single SMTP address, as Purview’s expansion may miss departmental or legacy aliases.
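The four steps above as one Security & Compliance PowerShell run, added here as an example and not code from the original article: it scopes the search to a single mailbox, builds the display-name query with previous names as OR terms, and runs an SMTP-only search alongside it so the alias gap shows up as a difference in item counts. The mailbox, display names and search names are placeholders; the script assumes the ExchangeOnlineManagement module and an eDiscovery Manager role.

```powershell
# Added example (not from the original article). Placeholder custodian values.
# Requires: Install-Module ExchangeOnlineManagement; eDiscovery Manager role.
Connect-IPPSSession

$mailbox      = 'joe.blogs@company.com'          # the "Where": one custodian mailbox
$displayNames = @('Joe Blogs', 'Joseph Blogs')   # current display name + previous names
$smtpOnly     = 'sender:joe.blogs@company.com'   # the approach the article warns against

# Step 2 + 3: sender:"Joe Blogs" OR sender:"Joseph Blogs"
$nameQuery = ($displayNames | ForEach-Object { 'sender:"{0}"' -f $_ }) -join ' OR '

$searches = [ordered]@{
    'Custodian-JoeBlogs-SMTP' = $smtpOnly    # single SMTP address (step 4 anti-pattern)
    'Custodian-JoeBlogs-Name' = $nameQuery   # stamped DisplayName(s)
}

# Step 1: both searches are scoped to the same mailbox via -ExchangeLocation.
foreach ($name in $searches.Keys) {
    New-ComplianceSearch -Name $name -ExchangeLocation $mailbox `
        -ContentMatchQuery $searches[$name] | Out-Null
    Start-ComplianceSearch -Identity $name
}

# Wait for each estimate to finish, then report item counts side by side.
# A higher count for the Name search is the alias / name-change gap made visible.
foreach ($name in $searches.Keys) {
    do {
        Start-Sleep -Seconds 15
        $s = Get-ComplianceSearch -Identity $name
    } while ($s.Status -ne 'Completed')
    '{0,-26} {1,8} items   query: {2}' -f $name, $s.Items, $searches[$name]
}
```

Review any items present only in the name-based result before production to confirm they were sent from an alias or under a previous name, since that is the evidence that the SMTP-only scope would have missed data.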

By leveraging the way the Substrate "stamps" names at the point of ingestion, you can produce a more accurate and defensible set of sent items with significantly less manual configuration.