eDiscovery in Microsoft 365

The eDiscovery tool lets organizations search for and export content from Microsoft 365 or Office 365, including Exchange Online mailboxes, Office 365 groups, Microsoft Teams chats, and SharePoint sites. eDiscovery was previously part of the Security and Compliance Center, but since April 2022 Microsoft 365 Compliance has been moved under Microsoft Purview.

Purview brings Azure Purview (the data governance offering from Microsoft Data and AI) together with Microsoft Security’s compliance and risk management tools under one solution umbrella, which includes the eDiscovery tools.

Azure Purview provides three eDiscovery categories:

Content search:

This is the backbone tool: it runs content searches across Microsoft 365 data sources and exports the results to a local computer. Searches are built from keyword queries and search conditions. Role-based access control (RBAC) permissions determine which eDiscovery-related tasks different users can perform.

eDiscovery (Standard):

The eDiscovery Standard tool builds upon the capabilities allowed in Content search, additionally enabling users to create eDiscovery cases and assign eDiscovery managers to cases. Standard also allows you to associate different searches and exports with specific cases, as well as place an eDiscovery hold on content locations relevant to a given case.

eDiscovery (Premium):

The eDiscovery Premium tool goes further than eDiscovery Standard, providing an end-to-end workflow to identify, preserve, collect, review, analyze, and export content. It provides analytics and machine learning-based predictive coding models to narrow the scope of an investigation, and it lets legal teams manage and communicate with the custodians involved in each case. Users can gather and copy data from the live service into review sets, which makes culling irrelevant data much simpler.

How to Use eDiscovery?

1. Verify and assign a license

The organization should have one of the following license types:

  • Exchange Online Plan 2.
  • Microsoft 365 E3 or higher.
  • Office 365 E3 subscription or higher.
  • Microsoft 365 Frontline organizations must have an F5.

On a user level, to place an eDiscovery hold on mailboxes and sites, users must be assigned one of the following licenses, depending on your organization’s subscription:

  • Exchange Online Plan 2 license.
  • Microsoft 365 E3 or Office 365 E3 license or higher.
  • Office 365 E1 license with an Exchange Online Plan 2 or Exchange Online Archiving add-on license.
  • Microsoft 365 Frontline F5 Compliance or F5 Security & Compliance add-on license.
  • Office 365 E1 license with a SharePoint Online Plan 2 or OneDrive for Business Plan 2 add-on license.

2. Assign eDiscovery permissions

The user must be added as a member of the eDiscovery Manager role group in the compliance portal. Members of this role group can create and manage eDiscovery (Standard) cases: they can add and remove members, place an eDiscovery hold on users, create and edit searches, and export content from an eDiscovery (Standard) case.

3. Create a case

Complete the process to create a case and add members. The user who creates the case is automatically added as a member.

4. Add members to eDiscovery (Standard) case (Optional)

If you created the case in Step 3 and you’re the only person who will use it, you don’t have to perform this step; you can start using the case to create eDiscovery holds, search for content, and export search results. Perform this step if you want to give other users (or role groups) access to the case.

Explore the eDiscovery (Standard) workflow

To get you started using eDiscovery (Standard), here’s a simple workflow of creating eDiscovery holds for people of interest, searching for content that is relevant to your investigation, and then exporting that data for further review.


1. Create an eDiscovery hold:

Place a hold (also called an eDiscovery hold) on the content locations of the people of interest in your investigation. This step is optional, but creating an eDiscovery hold preserves content that may be relevant to the case for the duration of the investigation. When you create an eDiscovery hold, you can preserve all content in specific content locations, or you can create a query-based hold to preserve only the content that matches a hold query. In addition to preserving content, another good reason to create eDiscovery holds is that you can quickly search the content locations on hold (instead of having to select each location to search) when you create and run searches in the next step. After you complete your investigation, you can release any hold that you created.

2. Search for content:

After you create eDiscovery holds, use the built-in search tool to search the content locations on hold. You can also search other content locations for data that may be relevant to the case. You can create and run different searches that are associated with the case. You use keywords, properties, and conditions to build search queries that return search results with the data that’s most likely relevant to the case. You can also:

  • View search statistics that may help you refine a search query to narrow the results.
  • Preview the search results to quickly verify whether the relevant data is being found.
  • Revise a query and rerun the search.

3. Export and download search results:

After you search for and find data that’s relevant to your investigation, you can export it out of Office 365 for review by people outside of the investigation team. Exporting data is a two-step process. The first step is to export the results of a search in the case out of Office 365; this is done by copying the results of the search to a Microsoft-provided Azure Storage location. The second step is to use the eDiscovery Export tool to download the content to a local computer. In addition to the exported data files, the export package contains an export report, a summary report, and an error report.
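The same procedure (Steps 2 to 4 above, followed by the three workflow stages of hold, search, and export) can be driven from Security & Compliance PowerShell instead of the compliance portal. The script below is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the connecting account already meets the licensing in Step 1 and holds the eDiscovery Manager role, and that every user name, case name, SharePoint URL and keyword is a placeholder for a fictitious contoso.com tenant.

```powershell
# Added example (not from the original post): the eDiscovery (Standard) workflow
# driven from Security & Compliance PowerShell. All names below are placeholders
# for a fictitious contoso.com tenant.

# Step 2: the account doing the work must be in the eDiscovery Manager role group.
# Connect-IPPSSession targets the Security & Compliance endpoint, which is separate
# from the ordinary Exchange Online session.
Connect-IPPSSession -UserPrincipalName admin@contoso.com

$investigator = "alice@contoso.com"
Add-RoleGroupMember -Identity "eDiscovery Manager" -Member $investigator

# Defender's check: this role group can read and export any mailbox or site it
# targets, so review its membership on a schedule, not only when adding people.
Get-RoleGroupMember -Identity "eDiscovery Manager" | Select-Object Name, RecipientType

# Steps 3 and 4: create the case and grant a second analyst access to it.
$caseName = "HR-2024-Example-Case"   # placeholder case name
New-ComplianceCase -Name $caseName -Description "Example investigation (placeholder)"
Add-ComplianceCaseMember -Case $caseName -Member "bob@contoso.com"

# Workflow 1: put a hold on the people of interest. A rule with -ContentMatchQuery
# makes this a query-based hold; omit the query to preserve everything in scope.
$custodians = @("carol@contoso.com", "dave@contoso.com")
$siteUrl    = "https://contoso.sharepoint.com/sites/project-x"   # placeholder site
$holdPolicy = "$caseName-Hold"
New-CaseHoldPolicy -Name $holdPolicy -Case $caseName `
    -ExchangeLocation $custodians `
    -SharePointLocation $siteUrl `
    -Enabled $true
New-CaseHoldRule -Name "$holdPolicy-Rule" -Policy $holdPolicy `
    -ContentMatchQuery '(vendor OR invoice) AND sent>=2024-01-01'

# Workflow 2: search the held locations using keywords and conditions (KQL).
$searchName = "$caseName-Search1"
New-ComplianceSearch -Name $searchName -Case $caseName `
    -ExchangeLocation $custodians `
    -SharePointLocation $siteUrl `
    -ContentMatchQuery '(vendor OR invoice) AND kind:email AND sent>=2024-01-01'
Start-ComplianceSearch -Identity $searchName

# Poll for completion with an upper bound so a failed search cannot spin forever,
# then review the statistics before exporting: an item count far above expectation
# usually means the query should be narrowed and the search rerun.
$search = $null
for ($attempt = 0; $attempt -lt 40; $attempt++) {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
    if ($search.Status -eq "Completed") { break }
}
$search | Select-Object Name, Status, Items, Size

# Workflow 3 (first half): stage the results in the Microsoft-provided Azure Storage
# location. The export action is named "<search>_Export"; its details include the
# export key that is pasted into the eDiscovery Export tool to download the package.
New-ComplianceSearchAction -SearchName $searchName -Export `
    -Format FxStream -ExchangeArchiveFormat PerUserPst
Get-ComplianceSearchAction -Identity "${searchName}_Export" | Format-List Name, Status, Results

# After the investigation: release the hold so the locations return to normal retention.
Set-CaseHoldPolicy -Identity $holdPolicy -Enabled $false
# Remove-CaseHoldPolicy -Identity $holdPolicy   # or delete the policy outright
```

The export itself only stages data in Azure Storage; the download to a workstation still happens through the eDiscovery Export tool, as the text describes. Because both holds and exports touch content the affected users cannot see, the role-group listing near the top is worth keeping as a routine audit step alongside the unified audit log.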

eDiscovery is a crucial component of any organization’s information management strategy.

eDiscovery or Electronic Discovery is the process of identifying, reviewing, analyzing, tagging, and preserving ESI (Electronically Stored Information) to be presented as potential evidence in a legal case. ESI can be documents, emails, instant messages, chats, accounting data, websites, etc. that could be presented

eDiscovery should be considered a crucial component of any organization’s information management strategy.

Resources:

https://learn.microsoft.com/en-us/azure/purview/overview

https://percipient.co/microsoft-365-ediscovery-subscription/

https://www.sherweb.com/blog/office-365/ediscovery-microsoft-365/

https://www.syscloud.com/saas-data-protection-center/microsoft-365/ediscovery/