Section 12 – Plan and manage eDiscovery and Content search

Choose between eDiscovery (Standard) and eDiscovery (Premium) based on an organization’s requirements

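| Feature | Content Search | eDiscovery (Standard) | eDiscovery (Premium) |
| --- | --- | --- | --- |
| Search Capabilities | Basic | Basic | Basic |
| Export Results | Yes | Yes | Yes |
| Permissions | Role-based | N/A | N/A |
| Legal Features | | Yes | Yes |
| Case Management | N/A | Yes | Yes |
| Legal Holds | N/A | Yes | Yes |
| Custodian Management | N/A | N/A | Yes |
| Hold Notifications | N/A | N/A | Yes |
| Advanced Review | | | Yes |
| Review Set Filtering | N/A | N/A | Yes |
| Tagging | N/A | N/A | Yes |
| Analytics | N/A | N/A | Yes |
| Predictive Coding | N/A | N/A | Yes |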

Feature Breakdown

| Capability | Content search | eDiscovery (Standard) | eDiscovery (Premium) |
| --- | --- | --- | --- |
| Search for content | Supported | Supported | Supported |
| Keyword queries and search conditions | Supported | Supported | Supported |
| Search statistics | Supported | Supported | Supported |
| Export search results | Supported | Supported | Supported |
| Role-based permissions | Supported | Supported | Supported |
| Case management | | Supported | Supported |
| Place content locations on legal hold | | Supported | Supported |
| Custodian management | | | Supported |
| Legal hold notifications | | | Supported |
| Advanced indexing | | | Supported |
| Error remediation | | | Supported |
| Review sets | | | Supported |
| Support for cloud attachments and SharePoint versions | | | Supported |
| Optical character recognition | | | Supported |
| Conversation threading | | | Supported |
| Collection statistics and reports | | | Supported |
| Review set filtering | | | Supported |
| Tagging | | | Supported |
| Analytics | | | Supported |
| Predictive coding models | | | Supported |
| Computed document metadata | | | Supported |
| Transparency of long-running jobs | | | Supported |
| Export to customer-owned Azure Storage location | | | Supported |

Plan and implement eDiscovery

Standard

For full access to eDiscovery (Standard)’s view, filter, and search features, please ensure the following Enterprise apps are enabled in your Microsoft 365 or Office 365 organization:

| App | App ID |
| --- | --- |
| ComplianceWorkbenchApp | 92876b03-76a3-4da8-ad6a-0511ffdf8647 |
| Microsoft Exchange Online Protection | 00000007-0000-0ff1-ce00-000000000000 |
| Office365Zoom | 0d38933a-0bbd-41ca-9ebd-28c4b5ba7cb7 |
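
One way to check that these three Enterprise apps exist and are enabled in the tenant, using Microsoft Graph PowerShell. This is an added example, not part of the original post; it assumes the Microsoft.Graph.Applications module is installed and that the signed-in account can consent to Application.Read.All.

```powershell
# Added example: verify the Enterprise apps listed above are present and enabled.
# App names and IDs are taken from the table on this page.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$requiredApps = [ordered]@{
    'ComplianceWorkbenchApp'               = '92876b03-76a3-4da8-ad6a-0511ffdf8647'
    'Microsoft Exchange Online Protection' = '00000007-0000-0ff1-ce00-000000000000'
    'Office365Zoom'                        = '0d38933a-0bbd-41ca-9ebd-28c4b5ba7cb7'
}

$report = foreach ($app in $requiredApps.GetEnumerator()) {
    # A service principal (Enterprise app) is looked up by its application ID.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($app.Value)'" `
            -Property Id, DisplayName, AppId, AccountEnabled

    [pscustomobject]@{
        App     = $app.Key
        AppId   = $app.Value
        Present = [bool]$sp
        Enabled = if ($sp) { [bool]$sp.AccountEnabled } else { $false }
    }
}

$report | Format-Table -AutoSize

# Anything listed here needs attention before eDiscovery (Standard)
# view, filter and search features will work fully.
$problems = $report | Where-Object { -not $_.Present -or -not $_.Enabled }
if ($problems) {
    Write-Warning ("Missing or disabled: " + ($problems.App -join ', '))
} else {
    Write-Output 'All required Enterprise apps are present and enabled.'
}
```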

Using eDiscovery (Standard) Requires Permissions:

To use eDiscovery (Standard) features like creating cases or managing memberships, users need specific permissions. Assigning users to the eDiscovery Manager role group within the compliance portal grants them these permissions.

eDiscovery Manager Permissions:

  • Create and manage eDiscovery (Standard) cases.
  • Add and remove members from cases.
  • Place legal holds on users.
  • Create and edit search criteria.
  • Export content from eDiscovery (Standard) cases.

eDiscovery Case Workflow in a Nutshell

Creating an eDiscovery hold (optional but recommended) preserves relevant content (emails, documents, etc.) during your investigation. You can choose to hold all content or target specific data with a query. This hold also streamlines searching content locations later.

Searching for content utilizes the built-in search tool to explore content locations. You can craft search queries using keywords, properties, and conditions. Tools are available to view search statistics, preview results, and refine your queries to pinpoint the most relevant data.

Exporting results allows you to export relevant data for external review. This is a two-step process:

  1. Copy search results to a secure Azure Storage location.
  2. Download content to a local computer using the eDiscovery Export tool.
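
The hold step of this workflow, scripted in Security & Compliance PowerShell as an added example that is not part of the original post. The case name, mailboxes, site URL and query are constructed placeholders; the export steps are left to the portal and the eDiscovery Export tool as described above.

```powershell
# Added example: create a case and a query-based hold, then confirm the hold applied.
# All names, addresses and the query below are constructed placeholders.
Connect-IPPSSession

$caseName  = 'Contoso-Investigation-001'
$holdName  = "$caseName-Hold"
$mailboxes = 'custodian1@contoso.com', 'custodian2@contoso.com'
$site      = 'https://contoso.sharepoint.com/sites/finance'

New-ComplianceCase -Name $caseName -Description 'Constructed example case'

# The hold policy defines WHERE content is preserved.
New-CaseHoldPolicy -Name $holdName -Case $caseName `
    -ExchangeLocation $mailboxes -SharePointLocation $site -Enabled $true

# The hold rule defines WHAT is preserved. Omit -ContentMatchQuery to hold
# all content in the locations instead of targeting it with a query.
New-CaseHoldRule -Name "$holdName-Rule" -Policy $holdName `
    -ContentMatchQuery '"Project Finance" AND date>=2024-01-01'

# Holds are distributed asynchronously; check the result rather than assume it.
$policy = Get-CaseHoldPolicy -Identity $holdName -Case $caseName -DistributionDetail
$policy | Format-List Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation

if ($policy.DistributionStatus -ne 'Success') {
    Write-Warning "Hold '$holdName' is not fully applied yet: $($policy.DistributionStatus)"
}
```

Until the distribution status reports success, content in the listed locations is not guaranteed to be preserved, so re-run the last check before relying on the hold.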

Premium

Traditional eDiscovery often involved copying massive amounts of data out of Microsoft 365 and managing multiple tools, leading to:

  • Increased Time: Finding relevant data took longer due to data sprawl.
  • Higher Risk: Duplicating and managing data across platforms raised security concerns.
  • Greater Cost: Multiple tools meant complex licensing and maintenance fees.

eDiscovery (Premium) addresses these issues by:

  • Keeping Data In-Place: Search and collect data directly within Microsoft 365, eliminating the need for unnecessary copies.
  • Reduced Friction: Simplifies the process, avoiding missing content due to journaling delays.
  • Enhanced Discovery: Provides native collection capabilities for various sources like Teams, SharePoint, OneDrive, and Exchange.
    • Reconstructs Teams conversations for better context.
    • Collects cloud-based shared content.
    • Supports hundreds of file types (including non-Microsoft formats).
    • Integrates with data connectors for third-party apps (Bloomberg, Facebook, Slack, Zoom).

Microsoft Purview offers seamless integration between Insider Risk Management and eDiscovery (Premium). This means:

  • Escalate Quickly: Suspicious user activity identified in Risk Management can be swiftly transferred to eDiscovery (Premium) for further legal review.
  • Streamlined Workflow: This tight integration boosts collaboration between risk and legal teams, improving efficiency.
  • Complete Picture: Provides a comprehensive view of user activity under investigation.

As an optional step, you can configure attorney-client privilege detection. This machine learning model analyzes data in review sets, helping identify documents potentially protected by legal privilege.

Delegate permissions to use eDiscovery and Content search

Assigning eDiscovery Permissions: Prerequisites

Only users with the following permissions can assign eDiscovery permissions in the compliance portal:

  • Organization Management role group membership
  • Role Management role

Adding Users via PowerShell:

The Add-RoleGroupMember cmdlet in Security & Compliance PowerShell lets you add mail-enabled security groups as members of the eDiscovery Managers subgroup within the eDiscovery Manager role group.

Important Note: This method cannot be used to add security groups to the eDiscovery Administrators subgroup.
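
The delegation described above, as an added example that is not part of the original post. The group address is a hypothetical mail-enabled security group, and the role group is resolved by display name because its internal name is an assumption here. Because membership grants search, hold and export rights over user content, the script lists who holds that access before and after the change.

```powershell
# Added example: add a mail-enabled security group to the eDiscovery Managers
# subgroup and review who ends up with eDiscovery access.
Connect-IPPSSession

$groupToAdd = 'ediscovery-managers@contoso.com'   # hypothetical group

# Resolve the role group; 'eDiscoveryManager' as the internal name is an assumption.
$roleGroup = Get-RoleGroup |
    Where-Object { $_.DisplayName -eq 'eDiscovery Manager' -or $_.Name -eq 'eDiscoveryManager' } |
    Select-Object -First 1
if (-not $roleGroup) { throw 'eDiscovery Manager role group not found.' }

# Roles this membership grants (Case Management, Hold, Export, ...).
$roleGroup.Roles

# Membership before the change, kept for the change record.
$before = Get-RoleGroupMember -Identity $roleGroup.Name
$before | Select-Object Name, RecipientType

if ($before.Name -notcontains $groupToAdd) {
    Add-RoleGroupMember -Identity $roleGroup.Name -Member $groupToAdd
}

# Membership after the change.
Get-RoleGroupMember -Identity $roleGroup.Name | Select-Object Name, RecipientType

# The eDiscovery Administrators subgroup is managed separately and cannot
# take security groups through Add-RoleGroupMember; list it for review.
Get-eDiscoveryCaseAdmin | Select-Object Name
```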

eDiscovery Role-Based Access

| Role | Compliance Administrator | eDiscovery Manager & Administrator | Organization Management | Reviewer |
| --- | --- | --- | --- | --- |
| Case Management | ✓ | ✓ | ✓ | |
| Communication | | ✓ | | |
| Compliance Search | ✓ | ✓ | ✓ | |
| Custodian | | ✓ | | |
| Export | | ✓ | | |
| Hold | ✓ | ✓ | ✓ | |
| Manage review set tags | | ✓ | | |
| Preview | | ✓ | | |
| Review | | ✓ | | ✓ |
| RMS Decrypt | | ✓ | | |
| Search And Purge | | | ✓ | |

eDiscovery Roles: Standard and Premium

Here’s a quick breakdown of key roles for both eDiscovery (Standard) and eDiscovery (Premium):

  • Case Management (Standard & Premium): Create, manage, and control access to eDiscovery cases.
  • Content Search (Standard & Premium): Run searches across various data sources (additional roles might be needed for preview/export in Premium).
  • Export (Standard & Premium): Export search results for local storage or further analysis (may have limitations in Standard).
  • Hold (Standard & Premium): Place legal holds on content in various locations (mailboxes, folders, etc.).

Additional Roles (Premium Only):

  • Communication Management: Handle communications with custodians involved in a case (hold notices, etc.).
  • Custodian Management: Identify and manage custodians, link data sources, and place legal holds.

Note: eDiscovery (Premium) may offer enhanced functionality or require specific roles for certain actions compared to Standard.

Perform searches and respond to results from eDiscovery

Search Content in eDiscovery (Standard) Cases

This article explains how to search for relevant content within an eDiscovery (Standard) case. Here are the key points:

  • Searches are created and managed within the specific case they are associated with.
  • Only case members can access these searches.
  • You can search mailboxes, SharePoint sites, and public folders.
  • Define your search using keywords, message properties, or document properties.
  • Advanced options include complex queries and filtering with conditions.
  • After the search completes, you can preview the results.

Benefits of eDiscovery (Premium) for finding relevant data

  • Custodian Management: Identify and manage custodians (people potentially involved in a case) and associate their data sources. You can also place legal holds on this data to preserve it.
  • Advanced Search: Search across various data sources, including those from non-custodians. Leverage machine learning to focus on the most relevant items and build more precise queries with conditions.
  • Communication Management: Facilitate communication with custodians by sending legal hold notifications and managing access to the custodian portal.

In essence, eDiscovery (Premium) offers a more comprehensive approach to finding relevant data in legal investigations by providing advanced search capabilities, custodian management tools, and communication features.

Manage eDiscovery cases

Managing eDiscovery Cases in Standard and Premium Purview

Here’s a breakdown of how you can manage eDiscovery cases in both Standard and Premium versions of Microsoft Purview:

Common Actions (Standard & Premium):

  • Close Case: Mark a completed case as inactive. This disables associated eDiscovery holds but offers a 30-day grace period to retrieve content before permanent deletion. You can still edit closed cases (add/remove members, create searches, export results).
  • Reopen Case: Reactivate a previously closed case. Remember to manually re-enable eDiscovery holds after reopening.
  • Delete Case: Permanently remove a case. This requires deleting all associated eDiscovery holds first (including inactive ones). Deleted cases cannot be recovered.

Standard-Specific Actions:

  • Search & Export: Conduct basic keyword searches across data sources and export relevant results.

Premium-Specific Actions (Additional to Standard):

  • Upgrade Case (one-time): Upgrade an existing Standard case to Premium for advanced features (requires admin privileges).
  • Advanced Search: Leverage machine learning and build intricate queries with advanced conditions for more precise data identification.
  • Custodian Management: Identify and manage custodians (people involved) along with their data sources. Place legal holds to preserve relevant data.
  • Review Set Functionality: Organize and analyze collected data efficiently with improved review set features.
  • Communication Management: Facilitate communication with custodians by sending legal hold notifications and managing access to the custodian portal.

Choosing the Right Version:

  • Standard: Suitable for basic eDiscovery needs with straightforward searches and case management.
  • Premium: Ideal for complex investigations requiring advanced search, custodian management, streamlined review processes, and communication features.

Benefits of Large Cases in eDiscovery (Premium)

| Stage | Benefit | Description |
| --- | --- | --- |
| Collection | Up to 1 TB per collection | Gather massive amounts of data for comprehensive investigations. |
| | Default cloud attachments & contextual content | Capture the full picture of digital communication, including Teams/Viva Engage chats. |
| | Teams/Viva Engage transcript conversion | Convert chat conversations into HTML transcripts for easier review and reduced data volume. |
| Review | Up to 1 TB per review set | Manage large datasets efficiently within each review set. |
| | Enhanced metadata for filtering | Utilize additional details like Team/channel/conversation names for targeted filtering. |
| | Time-based transcript context | Gain context with pre and post-responsive content within transcripts. |
| | Complete Channel conversations | Collect entire Channel conversations, including root post and all replies. |
| Export | Up to 5 million documents or 500 GB | Export large content sets in a single job for streamlined processing. |

Perform searches by using Content search

Requirements:

  • Access to the Microsoft Purview compliance portal.
  • Permissions to create and run Content Searches (may require eDiscovery Administrator privileges).

Steps:

  1. Navigate to Content Search:
    • Within the Purview compliance portal, locate eDiscovery and then Content Search.
  2. Define Search Criteria:
    • Name: Assign a descriptive name to your search (e.g., “Project Finance 2024”).
    • Locations: Choose the data sources you want to search (e.g., mailboxes, SharePoint sites).
    • Keywords: Enter relevant keywords or phrases to identify target data. Utilize quotation marks for exact phrases. Boolean operators (AND, OR, NOT) can be used to refine your search.
    • Filters: Apply additional filters to narrow down results. This can include dates, custodians (relevant individuals), file types, and other criteria.
    Advanced Options (Optional):
    • Exchange Parameters: Specify additional search settings for Exchange mailboxes (e.g., date range within a mailbox).
    • Source-Specific Criteria: Define criteria for searching specific content sources (e.g., public folders, OneDrive for Business).
    • Advanced Queries (KQL): Construct complex search queries using Keyword Query Language (KQL) for highly specific searches (requires KQL knowledge).
  3. Run the Search:
    • Carefully review your search parameters to ensure accuracy.
    • Click Search to initiate the content search process.
  4. Manage Search Results:
    • Once the search completes, you’ll see a list of results.
    • Utilize the search bar and filters to further refine your results.
    • You can export search results for further analysis or review.

Tips:

  • Consider using the Preview feature to test your search criteria on a limited dataset before running the full search.
  • Utilize the Estimated Results feature to get a sense of the potential volume of data your search might return.
  • Leverage saved searches for frequently used queries to save time and maintain consistency.
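
The same Content search steps scripted in Security & Compliance PowerShell, as an added example that is not part of the original post. The mailbox addresses and the KQL query are constructed placeholders; the search name reuses the example name given in the steps above. The script stops at the estimate so the volume can be reviewed before anything is previewed or exported.

```powershell
# Added example: create a Content search with a KQL query, run it,
# and read the estimated results. Addresses and query are constructed.
Connect-IPPSSession

$searchName = 'Project Finance 2024'
$mailboxes  = 'custodian1@contoso.com', 'custodian2@contoso.com'

# Exact phrase in quotes, Boolean operators in upper case, and a date
# condition on the sent property (applies to email items).
$kql = '"Project Finance" AND (budget OR forecast) NOT draft ' +
       'AND sent>=2024-01-01 AND sent<=2024-12-31'

New-ComplianceSearch -Name $searchName `
    -ExchangeLocation $mailboxes `
    -ContentMatchQuery $kql `
    -Description 'Constructed example search'

Start-ComplianceSearch -Identity $searchName

# Searches run asynchronously; poll with a deadline instead of waiting forever.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} until ($search.Status -eq 'Completed' -or (Get-Date) -gt $deadline)

if ($search.Status -ne 'Completed') {
    throw "Search '$searchName' did not complete in time (status: $($search.Status))."
}

# Estimated volume: review this before previewing or exporting.
[pscustomobject]@{
    Search         = $search.Name
    Query          = $search.ContentMatchQuery
    Items          = $search.Items
    SizeMB         = [math]::Round($search.Size / 1MB, 2)
    UnindexedItems = $search.UnindexedItems
}
```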

Closure

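| Feature | Content Search | eDiscovery (Standard) | eDiscovery (Premium) |
| --- | --- | --- | --- |
| Search Capabilities | Basic | Basic | Basic |
| Export Results | Yes | Yes | Yes |
| Permissions | Role-based | N/A | N/A |
| Legal Features | | Yes | Yes |
| Case Management | N/A | Yes | Yes |
| Legal Holds | N/A | Yes | Yes |
| Custodian Management | N/A | N/A | Yes |
| Hold Notifications | N/A | N/A | Yes |
| Advanced Review | | | Yes |
| Review Set Filtering | N/A | N/A | Yes |
| Tagging | N/A | N/A | Yes |
| Analytics | N/A | N/A | Yes |
| Predictive Coding | N/A | N/A | Yes |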

For full access to eDiscovery (Standard)’s view, filter, and search features, please ensure the following Enterprise apps are enabled in your Microsoft 365 or Office 365 organization:

| App | App ID |
| --- | --- |
| ComplianceWorkbenchApp | 92876b03-76a3-4da8-ad6a-0511ffdf8647 |
| Microsoft Exchange Online Protection | 00000007-0000-0ff1-ce00-000000000000 |
| Office365Zoom | 0d38933a-0bbd-41ca-9ebd-28c4b5ba7cb7 |

Using eDiscovery (Standard) Requires Permissions:

To use eDiscovery (Standard) features like creating cases or managing memberships, users need specific permissions. Assigning users to the eDiscovery Manager role group within the compliance portal grants them these permissions.

Microsoft Purview offers seamless integration between Insider Risk Management and eDiscovery (Premium).

Assigning eDiscovery Permissions: Prerequisites

Only users with the following permissions can assign eDiscovery permissions in the compliance portal:

  • Organization Management role group membership
  • Role Management role

Adding Users via PowerShell:

The Add-RoleGroupMember cmdlet in Security & Compliance PowerShell lets you add mail-enabled security groups as members of the eDiscovery Managers subgroup within the eDiscovery Manager role group.

Important Note: This method cannot be used to add security groups to the eDiscovery Administrators subgroup.

Here’s a quick breakdown of key roles for both eDiscovery (Standard) and eDiscovery (Premium):

  • Case Management (Standard & Premium): Create, manage, and control access to eDiscovery cases.
  • Content Search (Standard & Premium): Run searches across various data sources (additional roles might be needed for preview/export in Premium).
  • Export (Standard & Premium): Export search results for local storage or further analysis (may have limitations in Standard).
  • Hold (Standard & Premium): Place legal holds on content in various locations (mailboxes, folders, etc.).

Additional Roles (Premium Only):

  • Communication Management: Handle communications with custodians involved in a case (hold notices, etc.).
  • Custodian Management: Identify and manage custodians, link data sources, and place legal holds.

Note: eDiscovery (Premium) may offer enhanced functionality or require specific roles for certain actions compared to Standard.

Benefits of eDiscovery (Premium) for finding relevant data

  • Custodian Management: Identify and manage custodians (people potentially involved in a case) and associate their data sources. You can also place legal holds on this data to preserve it.
  • Advanced Search: Search across various data sources, including those from non-custodians. Leverage machine learning to focus on the most relevant items and build more precise queries with conditions.
  • Communication Management: Facilitate communication with custodians by sending legal hold notifications and managing access to the custodian portal.

Choosing the Right Version:

  • Standard: Suitable for basic eDiscovery needs with straightforward searches and case management.
  • Premium: Ideal for complex investigations requiring advanced search, custodian management, streamlined review processes, and communication features.

Content search Requirements:

  • Access to the Microsoft Purview compliance portal.
  • Permissions to create and run Content Searches (may require eDiscovery Administrator privileges).

Author: Harri Jaakkonen