Table of Contents
Choose between eDiscovery (Standard) and eDiscovery (Premium) based on an organization’s requirements
| Feature | Content Search | eDiscovery (Standard) | eDiscovery (Premium) |
|---|---|---|---|
| Search Capabilities | Basic | Basic | Basic |
| Export Results | Yes | Yes | Yes |
| Permissions | Role-based | N/A | N/A |
| Legal Features | – | Yes | Yes |
| Case Management | N/A | Yes | Yes |
| Legal Holds | N/A | Yes | Yes |
| Custodian Management | N/A | N/A | Yes |
| Hold Notifications | N/A | N/A | Yes |
| Advanced Review | – | – | Yes |
| Review Set Filtering | N/A | N/A | Yes |
| Tagging | N/A | N/A | Yes |
| Analytics | N/A | N/A | Yes |
| Predictive Coding | N/A | N/A | Yes |
Feature Breakdown
| Capability | Content search | eDiscovery (Standard) | eDiscovery (Premium) |
|---|---|---|---|
| Search for content |  | | |
| Keyword queries and search conditions | | | |
| Search statistics | | | |
| Export search results | | | |
| Role-based permissions | | | |
| Case management | | | |
| Place content locations on legal hold | | | |
| Custodian management | | ||
| Legal hold notifications | | ||
| Advanced indexing | | ||
| Error remediation | | ||
| Review sets | | ||
| Support for cloud attachments and SharePoint versions | | ||
| Optical character recognition | | ||
| Conversation threading | | ||
| Collection statistics and reports | | ||
| Review set filtering | | ||
| Tagging | | ||
| Analytics | | ||
| Predictive coding models | | ||
| Computed document metadata | | ||
| Transparency of long-running jobs | | ||
| Export to customer-owned Azure Storage location | |
Plan and implement eDiscovery
Standard
For full access to eDiscovery (Standard)’s view, filter, and search features, please ensure the following Enterprise apps are enabled in your Microsoft 365 or Office 365 organization:
| App | App ID |
|---|---|
| ComplianceWorkbenchApp | 92876b03-76a3-4da8-ad6a-0511ffdf8647 |
| Microsoft Exchange Online Protection | 00000007-0000-0ff1-ce00-000000000000 |
| Office365Zoom | 0d38933a-0bbd-41ca-9ebd-28c4b5ba7cb7 |
Using eDiscovery (Standard) Requires Permissions:
To use eDiscovery (Standard) features like creating cases or managing memberships, users need specific permissions. Assigning users to the eDiscovery Manager role group within the compliance portal grants them these permissions.
eDiscovery Manager Permissions:
- Create and manage eDiscovery (Standard) cases.
- Add and remove members from cases.
- Place legal holds on users.
- Create and edit search criteria.
- Export content from eDiscovery (Standard) cases.
eDiscovery Case Workflow in a Nutshell
Creating an eDiscovery hold (optional but recommended) preserves relevant content (emails, documents, etc.) during your investigation. You can choose to hold all content or target specific data with a query. This hold also streamlines searching content locations later.
Searching for content utilizes the built-in search tool to explore content locations. You can craft search queries using keywords, properties, and conditions. Tools are available to view search statistics, preview results, and refine your queries to pinpoint the most relevant data.
Exporting results allows you to export relevant data for external review. This is a two-step process:
- Copy search results to a secure Azure Storage location.
- Download content to a local computer using the eDiscovery Export tool.
Premium
Traditional eDiscovery often involved copying massive amounts of data out of Microsoft 365 and managing multiple tools, leading to:
- Increased Time: Finding relevant data took longer due to data sprawl.
- Higher Risk: Duplicating and managing data across platforms raised security concerns.
- Greater Cost: Multiple tools meant complex licensing and maintenance fees.
eDiscovery (Premium) addresses these issues by:
- Keeping Data In-Place: Search and collect data directly within Microsoft 365, eliminating the need for unnecessary copies.
- Reduced Friction: Simplifies the process, avoiding missing content due to journaling delays.
- Enhanced Discovery: Provides native collection capabilities for various sources like Teams, SharePoint, OneDrive, and Exchange.
- Reconstructs Teams conversations for better context.
- Collects cloud-based shared content.
- Supports hundreds of file types (including non-Microsoft formats).
- Integrates with data connectors for third-party apps (Bloomberg, Facebook, Slack, Zoom).
Microsoft Purview offers seamless integration between Insider Risk Management and eDiscovery (Premium). This means:
- Escalate Quickly: Suspicious user activity identified in Risk Management can be swiftly transferred to eDiscovery (Premium) for further legal review.
- Streamlined Workflow: This tight integration boosts collaboration between risk and legal teams, improving efficiency.
- Complete Picture: Provides a comprehensive view of user activity under investigation.
As on optional step you can configure: attorney-client privilege detection. This machine learning model analyzes data in review sets, helping identify documents potentially protected by legal privilege.
See here more on the workflow
Delegate permissions to use eDiscovery and Content search
Assigning eDiscovery Permissions: Prerequisites
Only users with the following permissions can assign eDiscovery permissions in the compliance portal:
- Organization Management role group membership
- Role Management role
Adding Users via PowerShell:
The Add-RoleGroupMember cmdlet in Security & Compliance PowerShell lets you add mail-enabled security groups as members of the eDiscovery Managers subgroup within the eDiscovery Manager role group.
Important Note: This method cannot be used to add security groups to the eDiscovery Administrators subgroup.
eDiscovery Role-Based Access
| Role | Compliance Administrator | eDiscovery Manager & Administrator | Organization Management | Reviewer |
|---|---|---|---|---|
| Case Management |  | | | |
| Communication | | |||
| Compliance Search | | | | |
| Custodian | | |||
| Export | | |||
| Hold | | | | |
| Manage review set tags | | |||
| Preview | | |||
| Review | | | ||
| RMS Decrypt | | |||
| Search And Purge | |
eDiscovery Roles: Standard and Premium
Here’s a quick breakdown of key roles for both eDiscovery (Standard) and eDiscovery (Premium):
- Case Management (Standard & Premium): Create, manage, and control access to eDiscovery cases.
- Content Search (Standard & Premium): Run searches across various data sources (additional roles might be needed for preview/export in Premium).
- Export (Standard & Premium): Export search results for local storage or further analysis (may have limitations in Standard).
- Hold (Standard & Premium): Place legal holds on content in various locations (mailboxes, folders, etc.).
Additional Roles (Premium Only):
- Communication Management: Handle communications with custodians involved in a case (hold notices, etc.).
- Custodian Management: Identify and manage custodians, link data sources, and place legal holds.
Note: eDiscovery (Premium) may offer enhanced functionality or require specific roles for certain actions compared to Standard.
Perform searches and respond to results from eDiscovery
Search Content in eDiscovery (Standard) Cases
This article explains how to search for relevant content within an eDiscovery (Standard) case. Here are the key points:
- Searches are created and managed within the specific case they are associated with.
- Only case members can access these searches.
- You can search mailboxes, SharePoint sites, and public folders.
- Define your search using keywords, message properties, or document properties.
- Advanced options include complex queries and filtering with conditions.
- After the search completes, you can preview the results.
Benefits of eDiscovery (Premium) for finding relevant data
- Custodian Management: Identify and manage custodians (people potentially involved in a case) and associate their data sources. You can also place legal holds on this data to preserve it.
- Advanced Search: Search across various data sources, including those from non-custodians. Leverage machine learning to focus on the most relevant items and build more precise queries with conditions.
- Communication Management: Facilitate communication with custodians by sending legal hold notifications and managing access to the custodian portal.
In essence, eDiscovery (Premium) offers a more comprehensive approach to finding relevant data in legal investigations by providing advanced search capabilities, custodian management tools, and communication features.
Manage eDiscovery cases
Managing eDiscovery Cases in Standard and Premium Purview
Here’s a breakdown of how you can manage eDiscovery cases in both Standard and Premium versions of Microsoft Purview:
Common Actions (Standard & Premium):
- Close Case: Mark a completed case as inactive. This disables associated eDiscovery holds but offers a 30-day grace period to retrieve content before permanent deletion. You can still edit closed cases (add/remove members, create searches, export results).
- Reopen Case: Reactivate a previously closed case. Remember to manually re-enable eDiscovery holds after reopening.
- Delete Case: Permanently remove a case. This requires deleting all associated eDiscovery holds first (including inactive ones). Deleted cases cannot be recovered.
Standard-Specific Actions:
- Search & Export: Conduct basic keyword searches across data sources and export relevant results.
Premium-Specific Actions (Additional to Standard):
- Upgrade Case (one-time): Upgrade an existing Standard case to Premium for advanced features (requires admin privileges).
- Advanced Search: Leverage machine learning and build intricate queries with advanced conditions for more precise data identification.
- Custodian Management: Identify and manage custodians (people involved) along with their data sources. Place legal holds to preserve relevant data.
- Review Set Functionality: Organize and analyze collected data efficiently with improved review set features.
- Communication Management: Facilitate communication with custodians by sending legal hold notifications and managing access to the custodian portal.
Choosing the Right Version:
- Standard: Suitable for basic eDiscovery needs with straightforward searches and case management.
- Premium: Ideal for complex investigations requiring advanced search, custodian management, streamlined review processes, and communication features.
See more from Learn
Benefits of Large Cases in eDiscovery (Premium)
| Stage | Benefit | Description |
|---|---|---|
| Collection | Up to 1 TB per collection | Gather massive amounts of data for comprehensive investigations. |
| Default cloud attachments & contextual content | Capture the full picture of digital communication, including Teams/Viva Engage chats. | |
| Teams/Viva Engage transcript conversion | Convert chat conversations into HTML transcripts for easier review and reduced data volume. | |
| Review | Up to 1 TB per review set | Manage large datasets efficiently within each review set. |
| Enhanced metadata for filtering | Utilize additional details like Team/channel/conversation names for targeted filtering. | |
| Time-based transcript context | Gain context with pre and post-responsive content within transcripts. | |
| Complete Channel conversations | Collect entire Channel conversations, including root post and all replies. | |
| Export | Up to 5 million documents or 500 GB | Export large content sets in a single job for streamlined processing. |
Perform searches by using Content search
Requirements:
- Access to the Microsoft Purview compliance portal.
- Permissions to create and run Content Searches (may require eDiscovery Administrator privileges).
Steps:
- Navigate to Content Search:
- Within the Purview compliance portal, locate eDiscovery and then Content Search.
- Define Search Criteria:
- Name: Assign a descriptive name to your search (e.g., “Project Finance 2024”).
- Locations: Choose the data sources you want to search (e.g., mailboxes, SharePoint sites).
- Keywords: Enter relevant keywords or phrases to identify target data. Utilize quotation marks for exact phrases. Boolean operators (AND, OR, NOT) can be used to refine your search.
- Filters: Apply additional filters to narrow down results. This can include dates, custodians (relevant individuals), file types, and other criteria.
- Exchange Parameters: Specify additional search settings for Exchange mailboxes (e.g., date range within a mailbox).
- Source-Specific Criteria: Define criteria for searching specific content sources (e.g., public folders, OneDrive for Business).
- Advanced Queries (KQL): Construct complex search queries using Keyword Query Language (KQL) for highly specific searches (requires KQL knowledge).
- Run the Search:
- Carefully review your search parameters to ensure accuracy.
- Click Search to initiate the content search process.
- Manage Search Results:
- Once the search completes, you’ll see a list of results.
- Utilize the search bar and filters to further refine your results.
- You can export search results for further analysis or review.
Tips:
- Consider using the Preview feature to test your search criteria on a limited dataset before running the full search.
- Utilize the Estimated Results feature to get a sense of the potential volume of data your search might return.
- Leverage saved searches for frequently used queries to save time and maintain consistency.
Closure
| Feature | Content Search | eDiscovery (Standard) | eDiscovery (Premium) |
|---|---|---|---|
| Search Capabilities | Basic | Basic | Basic |
| Export Results | Yes | Yes | Yes |
| Permissions | Role-based | N/A | N/A |
| Legal Features | – | Yes | Yes |
| Case Management | N/A | Yes | Yes |
| Legal Holds | N/A | Yes | Yes |
| Custodian Management | N/A | N/A | Yes |
| Hold Notifications | N/A | N/A | Yes |
| Advanced Review | – | – | Yes |
| Review Set Filtering | N/A | N/A | Yes |
| Tagging | N/A | N/A | Yes |
| Analytics | N/A | N/A | Yes |
| Predictive Coding | N/A | N/A | Yes |
For full access to eDiscovery (Standard)’s view, filter, and search features, please ensure the following Enterprise apps are enabled in your Microsoft 365 or Office 365 organization:
| App | App ID |
|---|---|
| ComplianceWorkbenchApp | 92876b03-76a3-4da8-ad6a-0511ffdf8647 |
| Microsoft Exchange Online Protection | 00000007-0000-0ff1-ce00-000000000000 |
| Office365Zoom | 0d38933a-0bbd-41ca-9ebd-28c4b5ba7cb7 |
Using eDiscovery (Standard) Requires Permissions:
To use eDiscovery (Standard) features like creating cases or managing memberships, users need specific permissions. Assigning users to the eDiscovery Manager role group within the compliance portal grants them these permissions.
Microsoft Purview offers seamless integration between Insider Risk Management and eDiscovery (Premium).
Assigning eDiscovery Permissions: Prerequisites
Only users with the following permissions can assign eDiscovery permissions in the compliance portal:
- Organization Management role group membership
- Role Management role
Adding Users via PowerShell:
The Add-RoleGroupMember cmdlet in Security & Compliance PowerShell lets you add mail-enabled security groups as members of the eDiscovery Managers subgroup within the eDiscovery Manager role group.
Important Note: This method cannot be used to add security groups to the eDiscovery Administrators subgroup.
Here’s a quick breakdown of key roles for both eDiscovery (Standard) and eDiscovery (Premium):
- Case Management (Standard & Premium): Create, manage, and control access to eDiscovery cases.
- Content Search (Standard & Premium): Run searches across various data sources (additional roles might be needed for preview/export in Premium).
- Export (Standard & Premium): Export search results for local storage or further analysis (may have limitations in Standard).
- Hold (Standard & Premium): Place legal holds on content in various locations (mailboxes, folders, etc.).
Additional Roles (Premium Only):
- Communication Management: Handle communications with custodians involved in a case (hold notices, etc.).
- Custodian Management: Identify and manage custodians, link data sources, and place legal holds.
Note: eDiscovery (Premium) may offer enhanced functionality or require specific roles for certain actions compared to Standard.
Benefits of eDiscovery (Premium) for finding relevant data
- Custodian Management: Identify and manage custodians (people potentially involved in a case) and associate their data sources. You can also place legal holds on this data to preserve it.
- Advanced Search: Search across various data sources, including those from non-custodians. Leverage machine learning to focus on the most relevant items and build more precise queries with conditions.
- Communication Management: Facilitate communication with custodians by sending legal hold notifications and managing access to the custodian portal.
Choosing the Right Version:
- Standard: Suitable for basic eDiscovery needs with straightforward searches and case management.
- Premium: Ideal for complex investigations requiring advanced search, custodian management, streamlined review processes, and communication features.
Content search Requirements:
- Access to the Microsoft Purview compliance portal.
- Permissions to create and run Content Searches (may require eDiscovery Administrator privileges).
Link to main post
RSS - Posts